
Sonic DNS Servers are not resolving paypal.com

Posted: Wed Apr 24, 2019 11:36 am
by roughingit
This is an interesting problem I've run into. We have sonic.net VDSL service, with Windows machines using our pfSense router for DNS queries, which get resolved to Sonic DNS servers: 208.201.224.11 and 208.201.224.33. Our workers have not been able to reach http://www.paypal.com for the last few days, on both our Windows machines and smartphones through Wi-Fi. Tried both Chrome and Firefox. Chrome fails with this message: DNS_PROBE_FINISHED_NXDOMAIN. No problem reaching over mobile data.

In Windows, if I set the DNS server explicitly to Google (8.8.8.8), paypal resolves without a problem. On a Linode server I host, when I do nslookup to Sonic DNS servers, it responds with REFUSED, but is OK for other DNS servers (see attachment).

Re: Sonic DNS Servers are not resolving paypal.com

Posted: Wed Apr 24, 2019 12:04 pm
by drew.phillips
Are you still experiencing this issue? At the moment, I am seeing all of our DNS servers resolving paypal.com correctly.

Our DNS servers refuse queries from outside the network for domains we are not authoritative for. This means that you will not get an answer if you try to resolve paypal.com from Linode, or any other ISP.

On any of the Windows machines, does running "nslookup paypal.com 208.201.224.11" return an answer? If possible, try flushing the DNS cache on the pfSense router and see if that helps.

Re: Sonic DNS Servers are not resolving paypal.com

Posted: Wed Apr 24, 2019 12:58 pm
by roughingit
Hi, thanks for that. Looks to be a pfSense / DNSSEC issue, and not a Sonic issue.

Re: Sonic DNS Servers are not resolving paypal.com

Posted: Wed Apr 24, 2019 1:03 pm
by drew.phillips
You're welcome! If we can help in any other way, don't hesitate to ask.

Re: Sonic DNS Servers are not resolving paypal.com

Posted: Wed Apr 24, 2019 1:11 pm
by roughingit
Actually, some more weirdness. When I set pfSense DNS servers to Google (8.8.8.8), pfSense resolves paypal without issue, running "nslookup http://www.paypal.com 192.168.1.2" (1.2 is pfSense router). When I switch back to Sonic (208.201.224.11 and 33), it times out on both nameservers through pfSense. There is no problem resolving other domains, such as google/microsoft, and there is no problem resolving http://www.paypal.com directly to Sonic DNS, and not having pfSense attempt to resolve.

Re: Sonic DNS Servers are not resolving paypal.com

Posted: Wed Apr 24, 2019 1:23 pm
by drew.phillips
Would you mind trying these two things?

1. Test resolving verisign.com through our servers (they are also using DNSSEC)
2. SSH into pfSense and run "dig +trace paypal.com @208.201.224.11" and "dig +trace paypal.com @192.168.1.2" so we can compare and see if there are any differences

The TTLs were pretty low but just in case, I wiped the DNS cache for paypal.com on our resolvers and re-queried it on the chance that might help.

Re: Sonic DNS Servers are not resolving paypal.com

Posted: Wed Apr 24, 2019 1:42 pm
by roughingit
Hi Drew, it looks like paypal is now resolving correctly through pfsense, so all the tests you gave me are succeeding. If the problem comes up again, I will retry the tests again and post what I find. Thanks for your help.

Re: Sonic DNS Servers are not resolving paypal.com

Posted: Wed Apr 24, 2019 2:19 pm
by drew.phillips
Awesome, glad to hear it!

Re: Sonic DNS Servers are not resolving paypal.com

Posted: Thu May 30, 2019 8:34 pm
by phodient
Hi, sorry to jump in a month later, but I am seeing the same behavior, but for another domain (steamradiators.com). This domain was correctly resolving on May 8, but is currently not resolving with Sonic DNS. This is across multiple machines, including one that had never done a lookup on this domain until today.

Code:

$ nslookup steamradiators.com 1.1.1.1
Server:      1.1.1.1
Address:   1.1.1.1#53

Non-authoritative answer:
Name:   steamradiators.com
Address: 216.25.8.73

$ nslookup steamradiators.com 208.201.224.11
Server:      208.201.224.11
Address:   208.201.224.11#53

** server can't find steamradiators.com: SERVFAIL

$ nslookup steamradiators.com 208.201.224.33
Server:      208.201.224.33
Address:   208.201.224.33#53

** server can't find steamradiators.com: SERVFAIL
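
An added example, not part of the original thread: the posts above run into three different failure codes (NXDOMAIN, REFUSED, SERVFAIL) and suspect DNSSEC, so this Python code decodes the response code from the DNS header and shows how re-asking with the Checking Disabled bit (what `dig +cd` does) separates a validation failure from other SERVFAIL causes. The function names, `example.com` and the reply bytes are constructed for illustration, not captured from any resolver in the thread.

```python
import struct

# RCODE values from the DNS header (low 4 bits of the flags word).
RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}
QR, RD, RA, CD = 0x8000, 0x0100, 0x0080, 0x0010

def build_query(name, qid=0x1234, cd=False):
    """A-record query; cd=True sets Checking Disabled, as `dig +cd` does."""
    header = struct.pack("!6H", qid, RD | (CD if cd else 0), 1, 0, 0, 0)
    qname = b"".join(bytes([len(p)]) + p.encode("ascii")
                     for p in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!2H", 1, 1)  # QTYPE=A, QCLASS=IN

def parse_header(msg):
    """Decode the fixed 12-byte header of a DNS message."""
    if len(msg) < 12:
        raise ValueError("truncated DNS message")
    qid, flags, _qd, an, _ns, _ar = struct.unpack("!6H", msg[:12])
    return {"id": qid, "cd": bool(flags & CD), "ra": bool(flags & RA),
            "rcode": RCODES.get(flags & 0xF, f"RCODE{flags & 0xF}"), "answers": an}

def triage(reply, reply_cd=None):
    """Classify a reply; reply_cd answers the same question sent with CD set."""
    r = parse_header(reply)
    if r["rcode"] == "REFUSED":
        return "refused: resolver policy rejects this client"
    if r["rcode"] == "NXDOMAIN":
        return "nxdomain: resolver says the name does not exist"
    if r["rcode"] == "SERVFAIL":
        c = parse_header(reply_cd) if reply_cd else None
        if c and c["rcode"] == "NOERROR" and c["answers"]:
            return "servfail: data exists, DNSSEC validation is rejecting it"
        return "servfail: not attributable to DNSSEC validation on this evidence"
    return "ok" if r["answers"] else "nodata"

def constructed_reply(query, rcode, addr=None):
    """Constructed sample reply (not captured traffic) for a given query."""
    qid, flags = struct.unpack("!2H", query[:4])
    ra = 0 if rcode == 5 else RA          # a refusing server offers no recursion
    rr = b""
    if addr:  # one A record whose name is a pointer to the question (offset 12)
        rr = struct.pack("!HHHIH", 0xC00C, 1, 1, 60, 4) + bytes(addr)
    head = struct.pack("!6H", qid, flags | QR | ra | rcode, 1, 1 if addr else 0, 0, 0)
    return head + query[12:] + rr

q = build_query("example.com")             # placeholder name
q_cd = build_query("example.com", cd=True)
```

To use it against a live resolver, send `q` and `q_cd` over UDP port 53 and pass the two replies to `triage`.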

Re: Sonic DNS Servers are not resolving paypal.com

Posted: Fri May 31, 2019 10:32 am
by cmeisel
What do you get when you run this:

nslookup steamradiators.com