Domains resolving intermittently only on dns.google

Javan Batemyetto

Apr 21, 2022, 9:36:44 AM
to public-dns-discuss
Hello,


For about two weeks now, domains under the DNS zone bou.or.ug are only resolving intermittently when using dns.google.

When I use https://dns.google, I keep getting NXDOMAIN results for DNS records that I know exist (the same happens when I use the dig or nslookup tools). For example, A records for webmail.bou.or.ug, mail.bou.or.ug, mta-sts.bou.or.ug, and others. This failure to resolve is intermittent, in that if I repeat the query a few times I eventually get results.

When I check my DNS setup via different online tools, I do not see any issues with the DNS setup. I have checked using the following:


I am not experiencing this issue with other DNS recursive servers.

My location is Uganda, so I'm not sure whether it is a geographical issue related to the nearest Google DNS Anycast server.

Any assistance with this issue will be much appreciated.

Regards,

Javan

Matt Nordhoff

Apr 21, 2022, 10:13:47 AM
to public-dns-discuss
bou.or.ug has an incorrect NSEC record saying that no subdomains exist:

bou.or.ug.              3600    IN      NSEC    bou.or.ug. A NS SOA MX TXT RRSIG NSEC DNSKEY CAA

Any resolver that implements aggressive NSEC, such as Google Public DNS, Quad9, or most modern implementations, will inconsistently return NXDOMAIN for subdomains depending on what they have cached.

DNSViz can show this problem if you enable the denial of existence option:


It looks like the domain is using PowerDNS Authoritative Server as a signer but is failing to rectify zones when necessary. The operator needs to run "sudo pdnsutil rectify-all-zones" to fix the current records and make sure that zones are automatically rectified in the future, for example by running "sudo pdnsutil rectify-zone example.com" after adding or removing record sets from the database, or by ensuring that PowerDNS is set to rectify after changes are made through the API.
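
The following is an added example, not part of this thread and not PowerDNS or Google Public DNS code. It implements the check an aggressive-NSEC resolver (RFC 8198) performs before answering NXDOMAIN from cache: canonical name ordering (RFC 4034 section 6.1), the NSEC covering test including the wrap-around of the last record in the chain, the delegation exclusion of RFC 4035 section 5.4, and the wildcard proof at the closest encloser. The two NSEC chains are constructed to mirror the unrectified record quoted above (next name equals the owner) and a rectified chain over the hostnames named in the thread; the type bitmaps for the host records and the delegation chain are assumptions.

```python
"""Aggressive NSEC (RFC 8198) coverage check.

Added example, not part of the thread: decides whether a cached NSEC
chain lets a validating resolver synthesise NXDOMAIN without asking the
authoritative server. The NSEC chains below are constructed to mirror a
broken (unrectified) and a rectified bou.or.ug zone; they are not
captured data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Nsec:
    owner: str           # owner name of the NSEC RR
    next_name: str       # "next domain name" field
    types: frozenset     # type bitmap, e.g. {"A", "NS", "SOA"}


def labels(name: str) -> tuple:
    """Labels in canonical order (TLD first), lowercased, per RFC 4034 s6.1.

    Tuple comparison of these matches the RFC ordering: labels are compared
    from the root downward and a parent sorts before its children.
    """
    name = name.rstrip(".").lower()
    return tuple(reversed(name.split("."))) if name else ()


def is_subdomain(name: str, ancestor: str) -> bool:
    a, n = labels(ancestor), labels(name)
    return n[:len(a)] == a


def common_ancestor(a: str, b: str) -> str:
    la, lb = labels(a), labels(b)
    i = 0
    while i < min(len(la), len(lb)) and la[i] == lb[i]:
        i += 1
    return ".".join(reversed(la[:i])) + "." if i else "."


def covers(nsec: Nsec, qname: str) -> bool:
    """True if this NSEC proves that qname does not exist."""
    o, n, q = labels(nsec.owner), labels(nsec.next_name), labels(qname)
    if q == o:
        return False  # the name exists; the NSEC only lists its types
    # RFC 4035 s5.4: an NSEC at a delegation point (NS without SOA) or a
    # DNAME says nothing about names below its owner.
    if is_subdomain(qname, nsec.owner) and (
        ("NS" in nsec.types and "SOA" not in nsec.types) or "DNAME" in nsec.types
    ):
        return False
    if o < n:
        return o < q < n
    # next <= owner marks the last NSEC in the chain: it wraps to the apex,
    # so it covers everything sorting after the owner. With owner == next
    # (the record in this thread) that is every name below the apex.
    return q > o or q < n


def nxdomain_synthesizable(qname: str, zone: str, chain) -> bool:
    """RFC 8198 s5.1: a resolver may answer NXDOMAIN from cache only if an
    NSEC covers qname and the chain also proves there is no wildcard at
    the closest encloser. The chain must come from the zone qname is under."""
    if not is_subdomain(qname, zone):
        return False
    covering = next((r for r in chain if covers(r, qname)), None)
    if covering is None:
        return False
    # Both names in the covering NSEC are proven to exist, so the closest
    # encloser is the longer of qname's common ancestors with them.
    closest = max(
        (common_ancestor(qname, covering.owner),
         common_ancestor(qname, covering.next_name)),
        key=lambda c: len(labels(c)),
    )
    wildcard = "*." + closest.lstrip(".")
    return any(covers(r, wildcard) for r in chain)


APEX_TYPES = frozenset({"A", "NS", "SOA", "MX", "TXT", "RRSIG", "NSEC", "DNSKEY", "CAA"})
HOST_TYPES = frozenset({"A", "RRSIG", "NSEC"})            # assumed for the hosts
DELEGATION_TYPES = frozenset({"NS", "RRSIG", "NSEC"})     # assumed, NS without SOA

# Constructed: the unrectified zone publishes one NSEC whose next name is
# its own owner, which asserts that no other name exists in the zone.
BROKEN_CHAIN = [Nsec("bou.or.ug.", "bou.or.ug.", APEX_TYPES)]

# Constructed: after rectification every name is linked into the chain.
FIXED_CHAIN = [
    Nsec("bou.or.ug.", "mail.bou.or.ug.", APEX_TYPES),
    Nsec("mail.bou.or.ug.", "mta-sts.bou.or.ug.", HOST_TYPES),
    Nsec("mta-sts.bou.or.ug.", "webmail.bou.or.ug.", HOST_TYPES),
    Nsec("webmail.bou.or.ug.", "bou.or.ug.", HOST_TYPES),
]

# Constructed: a hypothetical child zone sub.bou.or.ug delegated from the apex.
DELEGATION_CHAIN = [
    Nsec("bou.or.ug.", "sub.bou.or.ug.", APEX_TYPES),
    Nsec("sub.bou.or.ug.", "bou.or.ug.", DELEGATION_TYPES),
]

if __name__ == "__main__":
    for name in ("webmail.bou.or.ug.", "nonexistent.bou.or.ug."):
        for tag, chain in (("broken", BROKEN_CHAIN), ("fixed", FIXED_CHAIN)):
            print(f"{tag:6} {name:25} cached NXDOMAIN: "
                  f"{nxdomain_synthesizable(name, 'bou.or.ug.', chain)}")
```

With the broken chain the script reports that webmail.bou.or.ug can be denied from cache, which is exactly the intermittent NXDOMAIN seen above: a resolver that has the apex NSEC cached synthesises the negative answer, one that does not asks the authoritative server and gets the A record. With the rectified chain the real host is not covered, while a genuinely absent name still is, together with its wildcard proof. To inspect a live zone rather than constructed records, query the authoritative server with `dig +dnssec` for a name that should not exist and read the NSEC records in the authority section, or use DNSViz with the denial of existence option as mentioned above.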

Javan Batemyetto

Apr 22, 2022, 2:04:10 PM
to public-dn...@googlegroups.com
Hello Matt,

Thanks for your feedback. I'll take this up with my DNS operator and update with the results.

Regards,

Javan

Anthony Somerset

Apr 22, 2022, 2:04:40 PM
to public-dns-discuss
[7:23:56] (ssh) (SUDO) root@<HOSTNAME>:~ #  pdnsutil rectify-zone bou.or.ug
Apr 22 07:24:00 [bindbackend] Done parsing domains, 0 rejected, 0 new, 0 removed
Adding NSEC ordering information

please try again :)

Javan Batemyetto

Apr 25, 2022, 9:05:08 AM
to public-dns-discuss
Hello,

This issue has been resolved. Thanks to Anthony for applying the solution, and to Matt for pointing us in the right direction.

Regards,

Javan
