Unable to resolve www.funfile.org

dns

#1

Set up 1.1.1.1 and it does not find funfile site. I switched back to Google DNS and it works to resolve.

Nslookup returns

*** 1dot1dot1dot1.cloudflare-dns.com can’t find www.funfile.org: Non-existent domain

I was able to get a result at one point, but this was after reverting my DNS back to Google and flushing cache. At that point, queries to Google and 1.1.1.1 both returned the same results and I was able to access the site and saw the following nslookup results.

I tried flipping back to 1.1.1.1 but it still fails to resolve so I’ve moved back to Google. Any ideas?


#2

It seems to be resolving okay, but the authoritative servers seem to do some geo-steering. Can you tell me which location you are hitting?

dig @1.1.1.1 id.server ch txt

#3

I can reproduce it in ATL sometimes.

$ digd www.funfile.org @1dot1dot1dot1.cloudflare-dns.com

; <<>> DiG 9.10.3-P4-Ubuntu <<>> +dnssec www.funfile.org @1dot1dot1dot1.cloudflare-dns.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 62115
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 4, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1536
;; QUESTION SECTION:
;www.funfile.org.               IN      A

;; ANSWER SECTION:
www.funfile.org.        3600    IN      RRSIG   CNAME 13 3 3600 20180419000000 20180329000000 32268 funfile.org. wlAF54JJYvqnHb2MrVD/9YrZ3jS2fxzwN4ra17kcMbpnJwtIV2h2a5w2 ZfyFFfCo0XnBrygpeMOA6iK6xrshlw==
www.funfile.org.        3600    IN      CNAME   www.geo.funfile.org.

;; AUTHORITY SECTION:
funfile.org.            33      IN      SOA     ns1.funfile.org. postmaster.funfile.org. 2018040401 10800 3600 604800 7200
funfile.org.            33      IN      RRSIG   SOA 13 2 7200 20180419000000 20180329000000 32268 funfile.org. To7vA5kVFOJiMPHSr3LzjLVtuLSRDasYpeHfg6cU24jUbHnzj1ePZUL3 hJaM2SRgiSECrEqTAaXk/hjIYqRiaA==
funfile.org.            33      IN      NSEC    funfile.org. A NS SOA MX TXT RRSIG NSEC DNSKEY CAA
funfile.org.            33      IN      RRSIG   NSEC 13 2 7200 20180419000000 20180329000000 32268 funfile.org. n8IgkNPjGYhSN7HCqZq0W4arotqLZauPOiVVfyPEIgTEYKxg9P4xLAu7 qmbyJDVl0AmYuKv8TCIYGSY3jN6uoQ==

;; Query time: 207 msec
;; SERVER: 2606:4700:4700::1111#53(2606:4700:4700::1111)
;; WHEN: Thu Apr 05 05:20:46 UTC 2018
;; MSG SIZE  rcvd: 475

$ digd www.funfile.org @1dot1dot1dot1.cloudflare-dns.com

; <<>> DiG 9.10.3-P4-Ubuntu <<>> +dnssec www.funfile.org @1dot1dot1dot1.cloudflare-dns.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29111
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1536
;; QUESTION SECTION:
;www.funfile.org.               IN      A

;; ANSWER SECTION:
www.funfile.org.        3600    IN      RRSIG   CNAME 13 3 3600 20180419000000 20180329000000 32268 funfile.org. wlAF54JJYvqnHb2MrVD/9YrZ3jS2fxzwN4ra17kcMbpnJwtIV2h2a5w2 ZfyFFfCo0XnBrygpeMOA6iK6xrshlw==
www.funfile.org.        3600    IN      CNAME   www.geo.funfile.org.
www.geo.funfile.org.    893     IN      CNAME   pool.funfile.org.
www.geo.funfile.org.    893     IN      RRSIG   CNAME 13 4 900 20180419000000 20180329000000 65434 geo.funfile.org. IzFVT+wR+s3NxrIS7nMw57GlvdJkXgBdsgPQ/kO5Z8evuTkWyJgg1Kri 1xyG4+0Vmkim7g8E8Osf/uksmLJNsQ==
pool.funfile.org.       293     IN      A       51.255.37.171
pool.funfile.org.       293     IN      RRSIG   A 13 3 300 20180419000000 20180329000000 32268 funfile.org. O7UjG4hVtM8irLZF1zIizx6jkGx2FUjIQLrjAybm/j577KSkorAvPzEq lN4anDQYNfU4I6kfMBJLEl7Zm343AQ==

;; Query time: 56 msec
;; SERVER: 2606:4700:4700::1111#53(2606:4700:4700::1111)
;; WHEN: Thu Apr 05 05:20:53 UTC 2018
;; MSG SIZE  rcvd: 439

DNSViz shows different responses – A and CNAME – but not NXDOMAIN:

http://dnsviz.net/d/www.funfile.org/WsWwuQ/dnssec/


#4

Thanks, I managed to trace it in ATL. The issue here is that half of the nameservers have a CNAME for www.geo.funfile.org and half don’t, which doesn’t play well with aggressive NSEC caching (depending on which nameserver answers, the resolver may remember the non-existence answer). Mixing CNAME and other types isn’t allowed, so I’m not sure how to best tackle this.
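
The NSEC record in the NXDOMAIN response in post #3 has the same owner and next name (funfile.org.), which is the span a resolver doing aggressive NSEC caching (RFC 8198) can reuse to answer NXDOMAIN from cache. The sketch below is an added example, not part of the original thread and not Cloudflare's resolver code: it implements RFC 4034 canonical name ordering and a simplified NSEC cover test (no wildcard or closest-encloser handling). The function names and the example.test record are constructed for illustration.

```python
# Added example: RFC 4034 canonical ordering and a simplified NSEC cover test.

def canonical_key(name):
    """Sort key for RFC 4034 section 6.1: labels compared right to left as
    lowercase octet strings, so a parent sorts before its children."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return tuple(l.lower().encode("ascii") for l in reversed(labels))

def in_zone(name, zone):
    n, z = canonical_key(name), canonical_key(zone)
    return n[:len(z)] == z

def nsec_covers(zone, owner, next_name, qname):
    """True if the NSEC (owner -> next_name) spans qname, i.e. it can be used
    as proof that qname does not exist in zone."""
    if not in_zone(qname, zone):
        return False
    o, n, q = (canonical_key(x) for x in (owner, next_name, qname))
    if q == o:
        return False           # owner exists; only its type bitmap applies
    if o < n:
        return o < q < n       # ordinary gap between two existing names
    return q > o or q < n      # last NSEC in the chain wraps back to the apex

def synthesized_rcode(cache, qname):
    """What an aggressive-NSEC resolver could answer from cache alone."""
    for zone, owner, next_name in cache:
        if nsec_covers(zone, owner, next_name, qname):
            return "NXDOMAIN"
    return None                # cache cannot decide; ask an authoritative server

# (zone, owner, next) from the NXDOMAIN response in post #3; the zone is the
# RRSIG signer name. Owner == next, so the span is every other name in the zone.
THREAD_NSEC = ("funfile.org.", "funfile.org.", "funfile.org.")
# Constructed contrast record: an ordinary gap between two names.
SAMPLE_NSEC = ("example.test.", "alpha.example.test.", "delta.example.test.")

if __name__ == "__main__":
    cache = [THREAD_NSEC, SAMPLE_NSEC]
    for q in ("www.geo.funfile.org.", "funfile.org.",
              "beta.example.test.", "echo.example.test."):
        print(q, "->", synthesized_rcode(cache, q))
```

Once the NSEC from the nameserver without the CNAME is cached, the model returns NXDOMAIN for www.geo.funfile.org without consulting the nameserver that does have the record.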


#5

:frowning: Thanks for the reply, and thanks @mnordhoff for jumping in. Sounds like you have enough detail on it, is there anything else you need to see?


#6

Thanks, I think I have all the information I need. There isn’t any good solution to this; I’ll try to contact the owner and add an override to disable one half of the NS set so at least it’s consistent.

