Sunday, April 9, 2017

nameserver - Why are many DNS servers not returning the nameservers for my domain correctly?

My website has become widely inaccessible and I don't know why.

Up until recently I have been serving my website through Cloudflare, so was using their nameservers. Recently I started using Route 53, so I changed to Amazon's name servers using my registrar's control panel, and found that my site quickly became unavailable (I am in the UK).

I used https://www.whatsmydns.net and found that some DNS servers around the world were not returning any nameservers for my website. It was the same locations every time I tried, including London, São Paulo, Germany, New Zealand and parts of the US. Most locations (around 3/4) were fine though.

I was using hover.com as my registrar at the time, and I thought that the problem might have been to do with them, so I switched registrars to Amazon. Once transferred to Amazon, I changed the nameservers back to Cloudflare's nameservers, waited for it to propagate, and checked again on whatsmydns.net. It was showing up green for all locations. Then I changed back to Amazon's nameservers. The problem was exactly the same as before: the nameservers were not returned by DNS queries in the same locations.

I have changed the DNS servers on my Mac laptop, and can access my website when using the following DNS servers:

  • Sky (my broadband provider) - 90.207.238.97 and 90.207.238.99
  • OpenDNS Home - 208.67.222.222 and 208.67.220.220

But my website is inaccessible when using the following DNS servers:

  • Google - 8.8.8.8 and 8.8.4.4
  • Cloudflare - 1.1.1.1 and 1.0.0.1
  • Quad9 - 9.9.9.9 and 149.112.112.112
  • CleanBrowsing - 185.228.168.9 and 185.228.169.9
  • Adguard - 176.103.130.130 and 176.103.130.131
  • Verisign - 64.6.64.6 and 185.253.163.131

The nameservers I am trying to use are:

  • ns-1478.awsdns-56.org
  • ns-1953.awsdns-52.co.uk
  • ns-135.awsdns-16.com
  • ns-893.awsdns-47.net

I have read that some large ISPs have configured their DNS servers to violate rules, such as by indicating that a domain name does not exist just because one of its name servers does not respond. To try to diagnose whether this was occurring, and there was a problem with one of the 4 nameservers, I changed yesterday to use just the first 2 nameservers in the list above, intending to then use just the second two if there was still a problem. However, even though this change has had ample time to propagate (EDIT: perhaps not, given the TTL, but it definitely seems slower than when I changed the nameservers between Amazon's and Cloudflare's and vice versa), whatsmydns.net is showing that the vast majority of DNS servers are still returning all 4 nameservers. I am not sure why that is happening.

What is going on? My website is https://www.markfisher.photo.

Answer

I had a quick look and the main problem with your zone seems to be that the delegation from the parent zone (photo) indicates that markfisher.photo is supposed to be signed (DS record present).

markfisher.photo however is not signed at all. The result of this is that any validating resolver will consider all answers bogus and discard them.

To my knowledge Route53 still does not support DNSSEC, which means that if you want to use that DNS service you need to remove any DS records from the delegation (done through your registrar).

Demonstration of the problem in two steps:

$ dig @ns1.uniregistry.net markfisher.photo +norec +dnssec

; <<>> DiG 9.11.13-RedHat-9.11.13-3.fc31 <<>> @ns1.uniregistry.net markfisher.photo +norec +dnssec
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55361
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
; COOKIE: 60e53f6e7a4d79f37a0879a75e14e274510b02d97b10da1c (good)
;; QUESTION SECTION:
;markfisher.photo. IN A

;; AUTHORITY SECTION:
markfisher.photo. 900 IN NS ns-1478.awsdns-56.org.
markfisher.photo. 900 IN NS ns-1953.awsdns-52.co.uk.
markfisher.photo. 900 IN DS 2371 13 2 B1FB8D1E60D7B54027829321A64B612251F95A41C0F10C912FA9FC6A 9EECEEA5
markfisher.photo. 900 IN RRSIG DS 5 2 900 20200206185213 20200107185213 21795 photo. AN2TWw41LL15uX55vfNaQlHvidlpngYb629gSlEyP+A3JiS77NHO5TvJ gI5QF4si5/haBEoABpuVU8opxxC0Jmv3aD09NkwjZXoqikxDqwjzO/PD wNlvHKOb25fgb1+gKj3JaGvqtAD8m+m2xotmxRo74xPmb2XOvEsGUS25 Cxc=

;; Query time: 94 msec
;; SERVER: 2620:57:4000:1::1#53(2620:57:4000:1::1)
;; WHEN: Tue Jan 07 19:56:36 UTC 2020
;; MSG SIZE rcvd: 358

$

(referral with DS record, indicating that the markfisher.photo zone is signed with the matching key)

$ dig @ns-1478.awsdns-56.org markfisher.photo DNSKEY +norec +dnssec

; <<>> DiG 9.11.13-RedHat-9.11.13-3.fc31 <<>> @ns-1478.awsdns-56.org markfisher.photo DNSKEY +norec +dnssec
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54714
;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;markfisher.photo. IN DNSKEY

;; AUTHORITY SECTION:
markfisher.photo. 900 IN SOA ns-893.awsdns-47.net. awsdns-hostmaster.amazon.com. 1 7200 900 1209600 86400

;; Query time: 79 msec
;; SERVER: 2600:9000:5305:c600::1#53(2600:9000:5305:c600::1)
;; WHEN: Tue Jan 07 19:58:44 UTC 2020
;; MSG SIZE rcvd: 129

$

(response from the authoritative server, showing that there are no DNSKEY records, nor are there any signatures)

For a quick overview of DNS delegation as well as DNSSEC health, I can recommend Dnsviz.

