DNS resolution issue

by frcinc » Sat Feb 04, 2017 10:28 pm
I am seeing a name resolution issue for the frcinc.biz domain; ns1.sonic.net is not resolving to the outside world reliably. See screenshot below:
$ nslookup
> server ns1.sonic.net
Default server: ns1.sonic.net
Address: 208.201.224.11#53
> http://www.frcinc.biz
Server: ns1.sonic.net
Address: 208.201.224.11#53

** server can't find http://www.frcinc.biz: REFUSED
> remote.frcinc.biz
Server: ns1.sonic.net
Address: 208.201.224.11#53

** server can't find remote.frcinc.biz: REFUSED
> server 75.75.75.75
Default server: 75.75.75.75
Address: 75.75.75.75#53
> http://www.frcinc.biz
Server: 75.75.75.75
Address: 75.75.75.75#53

Non-authoritative answer:
http://www.frcinc.biz canonical name = frcinc.biz.
Name: frcinc.biz
Address: 209.204.175.65
> remote.frcinc.biz
Server: 75.75.75.75
Address: 75.75.75.75#53

Non-authoritative answer:
Name: remote.frcinc.biz
Address: 74.95.12.189
>

Please look into this for us.
by frcinc » Sun Feb 05, 2017 12:26 pm
Quick note... the forum code altered the cut and paste of the text:
where the posted text shows http://www.frcinc.biz, hovering you will see the actual www dot frcinc dot biz.

Here is another nslookup test from one of my servers in my Florida data center. Same results:
Default Server: mail.cesnow.com
Address: xxx.xxx.xxx.xxx (obfuscated for security)

> www.frcinc.biz
Server: mail.cesnow.com
Address: xxx.xxx.xxx.xxx (obfuscated for security)

Name: frcinc.biz
Address: 209.204.175.65
Aliases: www.frcinc.biz

> remote.frcinc.biz
Server: mail.cesnow.com
Address: xxx.xxx.xxx.xxx (obfuscated for security)

Name: remote.frcinc.biz
Address: 74.95.12.189

> server ns1.sonic.net
Default Server: ns1.sonic.net
Address: 208.201.224.11

> www.frcinc.biz
Server: ns1.sonic.net
Address: 208.201.224.11

*** ns1.sonic.net can't find www.frcinc.biz: Query refused
> remote.frcinc.biz
Server: ns1.sonic.net
Address: 208.201.224.11

*** ns1.sonic.net can't find remote.frcinc.biz: Query refused
>

So... this is not my imagination.
ns1.sonic.net is listed in the SOA as the start of authority and yet it is refusing the lookup on this zone. Let's get it fixed.
by joemuller » Mon Feb 13, 2017 1:11 pm
As of today, your domain appears to be resolving when I query against ns1.sonic.net. That said, I noticed you have an RRSIG record for DNSSEC configured, but the registrar doesn't have the corresponding DNSKEY info. (See: http://dnsviz.net/d/frcinc.biz/dnssec/) Please feel free to send me a private message or shoot an email over to support@sonic.net ATTN operations, and I can take a closer look.
I'm a proud employee of Sonic.net! :-)
by DNSSEC » Mon Feb 13, 2017 3:03 pm
I think the OP was trying to query ns1.sonic.net (semi-stealth?) outside of the Sonic network since it is listed as primary. Since ns1 isn't authoritative for that domain and is not set to do recursive lookups, it was/still is giving query refused error. However everything is still functional since the glue records are in place for the other 3 NS.

Anyways, I saw the part about the DNSSEC and was wondering if Sonic supports DNSSEC if you have hosting and if the registrar supports it?
joemuller wrote:As of today, your domain appears to be resolving when I query against ns1.sonic.net. That said, I noticed you have an RRSIG record for DNSSEC configured, but the registrar doesn't have the corresponding DNSKEY info. (See: http://dnsviz.net/d/frcinc.biz/dnssec/) Please feel free to send me a private message or shoot an email over to support@sonic.net ATTN operations, and I can take a closer look.
by joemuller » Mon Feb 13, 2017 4:04 pm
Ah, now it makes much more sense. ns1/2.sonic.net are the names of our DNS resolvers, which are restricted to only within Sonic's IP space (i.e. dynamic/static IP for connectivity and VPN). If you attempt to do a lookup against either server (208.201.224.11/33) from "off-net", you will get the 'Query refused' result.

If Sonic is handling DNS for a domain, any of our 3 authoritative DNS servers will answer requests - they are:
a.auth-ns.sonic.net
b.auth-ns.sonic.net
c.auth-ns.sonic.net

I did take a look at the WHOIS information for frcinc.biz, and it correctly lists the above servers under the 'Name Server' section. Performing a lookup against a.auth-ns.sonic.net yields the following:

# dig SOA frcinc.biz @a.auth-ns.sonic.net

; <<>> DiG 9.2.1 <<>> soa frcinc.biz @a.auth-ns.sonic.net
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13541
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;frcinc.biz.			IN	SOA

;; ANSWER SECTION:
frcinc.biz.		7200	IN	SOA	ns1.sonic.net. hostmaster.sonic.net. 2017020408 3600 300 1209600 3600

;; Query time: 1 msec
;; SERVER: 2001:5a8:0:3::1#53(a.auth-ns.sonic.net)
;; WHEN: Mon Feb 13 15:56:34 2017
;; MSG SIZE  rcvd: 88
---

To answer "DNSSEC", at the moment, there are no customer-facing tools for configuring DNSSEC for Sonic-hosted DNS, but we can push the appropriate keys upstream if you have a domain registered with us.
I'm a proud employee of Sonic.net! :-)
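
The difference between the off-net "Query refused" replies and the authoritative answer in the dig output above is carried in a few bits of the DNS header. The following is an added example, not part of the original posts: it decodes the 12-byte header and classifies a reply. The sample messages are constructed; the authoritative one mirrors the id and flags from the dig output, and the function names are illustrative.

```python
import struct

RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def parse_header(msg: bytes) -> dict:
    """Decode the fixed 12-byte DNS header (RFC 1035, section 4.1.1)."""
    if len(msg) < 12:
        raise ValueError("truncated DNS message: header is 12 bytes")
    ident, flags, _qd, an, _ns, _ar = struct.unpack("!6H", msg[:12])
    return {
        "id": ident,
        "qr": bool(flags & 0x8000),   # 1 = response
        "aa": bool(flags & 0x0400),   # authoritative answer
        "rd": bool(flags & 0x0100),   # recursion desired (copied from query)
        "ra": bool(flags & 0x0080),   # recursion available to this client
        "rcode": RCODES.get(flags & 0x000F, str(flags & 0x000F)),
        "answers": an,
    }

def classify(msg: bytes) -> str:
    """Label a reply the way the thread distinguishes the servers."""
    h = parse_header(msg)
    if not h["qr"]:
        return "not a response"
    if h["rcode"] == "REFUSED":
        # A resolver restricted by client address, or a server that is
        # neither authoritative for the zone nor recursing for the client.
        return "refused: server will not serve this client or zone"
    if h["rcode"] == "NOERROR" and h["aa"]:
        return "authoritative answer"
    if h["rcode"] == "NOERROR" and h["ra"]:
        return "recursive (non-authoritative) answer"
    return "other: " + h["rcode"]

def make_header(ident: int, flags: int, answers: int) -> bytes:
    """Build a header-only sample message (constructed test data)."""
    return struct.pack("!6H", ident, flags, 1, answers, 0, 0)

# Constructed samples, header only.
AUTH = make_header(13541, 0x8500, 1)     # qr aa rd, NOERROR (as in the dig output)
REFUSED = make_header(1, 0x8105, 0)      # qr rd, rcode 5: off-net query to a resolver
RECURSIVE = make_header(2, 0x8180, 1)    # qr rd ra, NOERROR: public resolver reply

if __name__ == "__main__":
    for name, msg in (("auth", AUTH), ("refused", REFUSED), ("recursive", RECURSIVE)):
        print(name, "->", classify(msg))
```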
by DNSSEC » Mon Feb 13, 2017 5:18 pm
Awesome, that's good to know. Thanks!
joemuller wrote: To answer "DNSSEC", at the moment, there are no customer-facing tools for configuring DNSSEC for Sonic-hosted DNS, but we can push the appropriate keys upstream if you have a domain registered with us.