Google Public DNS always returns NXDOMAIN for certain SLDs

Krasimir Velkov

Feb 21, 2023, 11:20:53 AM
to public-dns-discuss
Problem: Google's Public DNS returns NXDOMAIN for certain SLDs.
Proof of problem:

----------------------------------------------------------------------------------------------------------------------------
dig vpn.vegashoster.com @8.8.8.8

; <<>> DiG 9.11.5-P4-5.1+deb10u8-Debian <<>> vpn.vegashoster.com @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 8324
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;vpn.vegashoster.com.        IN    A

;; AUTHORITY SECTION:
vegashoster.com.    1800    IN    SOA    ns1.vegashoster.com. root.vegashoster.com. 1675851775 28800 7200 604800 86400

;; Query time: 134 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Thu Feb 09 09:52:06 EET 2023
;; MSG SIZE  rcvd: 93
----------------------------------------------------------------------------------------------------------------------------
As you can see, the query status is NXDOMAIN. Asking the authoritative DNS server listed in the AUTHORITY section, however, points to a correct answer:

----------------------------------------------------------------------------------------------------------------------------
dig vpn.vegashoster.com @ns1.vegashoster.com

; <<>> DiG 9.11.5-P4-5.1+deb10u8-Debian <<>> vpn.vegashoster.com @ns1.vegashoster.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37073
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 600
;; QUESTION SECTION:
;vpn.vegashoster.com.        IN    A

;; ANSWER SECTION:
vpn.vegashoster.com.    3600    IN    A    208.67.1.122

;; Query time: 128 msec
;; SERVER: 198.23.54.133#53(198.23.54.133)
;; WHEN: Thu Feb 09 09:58:05 EET 2023
;; MSG SIZE  rcvd: 64
----------------------------------------------------------------------------------------------------------------------------
Other public DNS servers (OpenDNS, Cloudflare, etc.) all resolve the SLD. dnsviz results here -> https://dnsviz.net/d/vpn.vegashoster.com/dnssec/

The authoritative DNS server is consistent in the responses:
----------------------------------------------------------------------------------------------------------------------------
for i in $(seq 1 30)
do
    query=$(dig +short us1.vpn.vegashoster.com @ns1.vegashoster.com)
    if [[ -z "$query" ]]
    then
        echo "NO ANSWER"
    else
        echo "ANSWER"
    fi
    sleep 2
done | sort | uniq -c

30 ANSWER
----------------------------------------------------------------------------------------------------------------------------

I tried the following in two different tabs:

----------------------------------------------------------------------------------------------------------------------------
TAB1 client side // while true; do dig +short vpn.vegashoster.com @8.8.8.8; sleep 1; done
TAB2 server side // tcpdump -vvvvv -w /tmp/dns.pcap udp and port 53
TAB2 server side // tcpdump -n -t -r /tmp/dns.pcap | grep vpn
----------------------------------------------------------------------------------------------------------------------------


Found none. How can I further debug this? Thanks for any forthcoming suggestions!

Tianhao Chi

Feb 21, 2023, 11:55:23 AM
to public-dns-discuss
We are seeing that the authoritative is replying NXDOMAIN to the queries. The same thing happened with other resolvers. Please contact the authoritative server to fix this.
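
Added example, not part of the thread: the server-side check in the first post greps tcpdump's text output for `vpn`, which cannot see responses (non-verbose tcpdump does not repeat the query name in them) and skips any query whose name arrives in different letter case. The script below pairs each query for a name with its response by client address, port and query id and reports the response code; the capture lines, the 192.0.2.x client addresses, ports and ids are constructed, and `sample_capture` and `dns_pairs` are names made up for this example.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): pair queries and responses in the text
# that `tcpdump -n -t -r FILE` prints for DNS traffic, for one query name.

# Constructed sample capture. Addresses in 192.0.2.0/24, ports and ids are
# made up; the line layout follows tcpdump's non-verbose DNS output.
sample_capture() {
cat <<'EOF'
IP 192.0.2.10.41000 > 198.23.54.133.53: 8324 [1au] A? vPn.VegasHoster.cOm. (48)
IP 198.23.54.133.53 > 192.0.2.10.41000: 8324 NXDomain*- 0/1/1 (93)
IP 192.0.2.20.52000 > 198.23.54.133.53: 37073+ [1au] A? vpn.vegashoster.com. (48)
IP 198.23.54.133.53 > 192.0.2.20.52000: 37073*- 1/0/1 A 208.67.1.122 (64)
IP 192.0.2.10.41001 > 198.23.54.133.53: 8325 [1au] A? www.example.net. (44)
IP 192.0.2.30.53000 > 198.23.54.133.53: 911 [1au] A? VPN.vegashoster.com. (48)
EOF
}

# dns_pairs NAME: read tcpdump text on stdin, print "client id rcode" per
# query for NAME. Names are compared case-insensitively; responses are found
# by (client address.port, query id) because they do not repeat the name.
dns_pairs() {
  awk -v want="$1" '
    BEGIN { want = tolower(want); if (want !~ /\.$/) want = want "." }
    $1 != "IP" && $1 != "IP6" { next }
    {
      src = $2; dst = $4; sub(/:$/, "", dst)
      id = $5; sub(/[^0-9].*$/, "", id)        # drop flag chars such as + * -
      for (i = 6; i <= NF; i++)
        if ($i ~ /\?$/) {                       # "A?" marks a query line
          if (tolower($(i + 1)) == want) pending[src SUBSEP id] = 1
          next
        }
      key = dst SUBSEP id
      if (!(key in pending)) next
      rcode = ($6 ~ /^[A-Za-z]/) ? $6 : "NOERROR"  # tcpdump omits NOERROR
      sub(/[^A-Za-z].*$/, "", rcode)
      print dst, id, rcode
      delete pending[key]
    }
    END {
      for (k in pending) { split(k, p, SUBSEP); print p[1], p[2], "NO_RESPONSE" }
    }' | sort
}

sample_capture | dns_pairs vpn.vegashoster.com
```

On a real capture, feed it with `tcpdump -n -t -r /tmp/dns.pcap | dns_pairs vpn.vegashoster.com`; a query that never shows up at all points at the network path or at a different name server being asked.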