[DNS Resolver] Cannot resolve t.co
-
Hello,
Since I started using the DNS Resolver of pfSense, I no longer have access to the simplified URL "t.co". For example, it is impossible to access http://t.co/zLf5XQQPdn.
C:\Users\Fab>nslookup co
Serveur : UnKnown
Address: 10.0.0.1 (pfSense)
*** UnKnown to find co : Non-existent domain
What do you do?
Are there no root DNS servers in pfSense?
Thanks :-)
-
You don't resolve TLDs. t.co resolves just fine.
-
You don't resolve TLDs. t.co resolves just fine.
No, impossible to resolve t.co. By using DNS Forwarder, no problem
C:\Users\Fab>nslookup t.co
Serveur : UnKnown
Address: 10.0.0.1
DNS request timed out.
timeout was 2 seconds.
-
Yeah, your DNS configuration is broken. No information provided to debug anything here.
-
Yeah, your DNS configuration is broken. No information provided to debug anything here.
Configuration:
General settings:
------------------
Enable : checked
Listen port : empty
Network Interfaces : LAN
Outgoing Network Interfaces : WAN
DNSSEC : checked
DNS Query Forwarding : unchecked
DHCP Registration : checked
Static DHCP : checked
TXT Comment Support : checked
On the other tabs, everything is default
Interfaces configuration:
LAN : Static IPv4 Configuration : 10.0.0.1/24
WAN : PPPoE Internet Access
Nothing to report in the resolver log. And no problem resolving TLDs other than "co".
What other information can I provide?
Thanks :)
-
nslookup - 10.0.0.1
set querytype=soa
co.
Post the output of the above. This is what I get:
Non-authoritative answer:
co
    primary name server = ns1.cctld.co
    responsible mail addr = hostmaster.neustar.biz
    serial = 2018084018
    refresh = 900 (15 mins)
    retry = 900 (15 mins)
    expire = 604800 (7 days)
    default TTL = 86400 (1 day)
co nameserver = ns5.cctld.co
co nameserver = ns4.cctld.co
co nameserver = ns2.cctld.co
co nameserver = ns6.cctld.co
co nameserver = ns1.cctld.co
co nameserver = ns3.cctld.co
ns1.cctld.co internet address = 156.154.100.25
ns1.cctld.co AAAA IPv6 address = 2001:502:2eda::21
ns2.cctld.co internet address = 156.154.101.25
ns2.cctld.co AAAA IPv6 address = 2001:502:ad09::21
ns3.cctld.co internet address = 156.154.102.25
ns3.cctld.co AAAA IPv6 address = 2610:a1:1009::21
ns4.cctld.co internet address = 156.154.103.25
ns4.cctld.co AAAA IPv6 address = 2610:a1:1010::21
ns5.cctld.co internet address = 156.154.104.25
ns5.cctld.co AAAA IPv6 address = 2610:a1:1011::21
ns6.cctld.co internet address = 156.154.105.25
ns6.cctld.co AAAA IPv6 address = 2610:a1:1012::21
-
nslookup - 10.0.0.1
set querytype=soa
co.
nslookup co
C:\Users\Fab>nslookup
Address: 10.0.0.1
> set type=soa
> co.
Server : UnKnown
Address: 10.0.0.1
*** UnKnown ne parvient pas à trouver co. : Server failed
For .com, it works:
C:\Users\Fab>nslookup
Address: 10.0.0.1
> set type=soa
> com.
Serveur : UnKnown
Address: 10.0.0.1
Réponse ne faisant pas autorité :
com
    primary name server = a.gtld-servers.net
    responsible mail addr = nstld.verisign-grs.com
    serial = 1423413582
    refresh = 1800 (30 mins)
    retry = 900 (15 mins)
    expire = 604800 (7 days)
    default TTL = 86400 (1 day)
com nameserver = a.gtld-servers.net
com nameserver = b.gtld-servers.net
com nameserver = m.gtld-servers.net
com nameserver = g.gtld-servers.net
com nameserver = k.gtld-servers.net
com nameserver = f.gtld-servers.net
com nameserver = c.gtld-servers.net
com nameserver = d.gtld-servers.net
com nameserver = j.gtld-servers.net
com nameserver = l.gtld-servers.net
com nameserver = h.gtld-servers.net
com nameserver = i.gtld-servers.net
com nameserver = e.gtld-servers.net
-
What does
set querytype=soa
root
co.
produce?
-
What does
set querytype=soa
root
co.
produce?
C:\Users\Fab>nslookup
Address: 10.0.0.1
> set querytype=soa
> root
Default server : A.ROOT-SERVERS.NET
Addresses: 2001:503:ba3e::2:30
          198.41.0.4
> co.
Server : A.ROOT-SERVERS.NET
Addresses: 2001:503:ba3e::2:30
          198.41.0.4
DNS request timed out.
timeout was 2 seconds.
*** Request time out A.ROOT-SERVERS.NET.
-
Talk to your ISP about what they are doing with DNS.
Default Server: A.ROOT-SERVERS.NET
Addresses: 2001:503:ba3e::2:30
          198.41.0.4
> co.
Server: A.ROOT-SERVERS.NET
Addresses: 2001:503:ba3e::2:30
          198.41.0.4
co nameserver = ns1.cctld.co
co nameserver = ns2.cctld.co
co nameserver = ns3.cctld.co
co nameserver = ns4.cctld.co
co nameserver = ns5.cctld.co
co nameserver = ns6.cctld.co
ns1.cctld.co internet address = 156.154.100.25
ns2.cctld.co internet address = 156.154.101.25
ns3.cctld.co internet address = 156.154.102.25
ns4.cctld.co internet address = 156.154.103.25
ns5.cctld.co internet address = 156.154.104.25
ns6.cctld.co internet address = 156.154.105.25
ns1.cctld.co AAAA IPv6 address = 2001:502:2eda::21
ns2.cctld.co AAAA IPv6 address = 2001:502:ad09::21
ns3.cctld.co AAAA IPv6 address = 2610:a1:1009::21
ns4.cctld.co AAAA IPv6 address = 2610:a1:1010::21
ns5.cctld.co AAAA IPv6 address = 2610:a1:1011::21
ns6.cctld.co AAAA IPv6 address = 2610:a1:1012::21
-
Talk to your ISP about what they are doing with DNS.
Why would my ISP be the problem?
If I use the DNS Forwarder it works
-
Why would my ISP be the problem?
Because it's clearly blocking/hijacking UDP/53 DNS traffic. When you cannot talk to root servers, you've got a problem.
-
Because it's clearly blocking/hijacking UDP/53 DNS traffic. When you cannot talk to root servers, you've got a problem.
It's strange, I haven't changed anything and now it works. Maybe it is a routing problem at my ISP?
Now:
C:\Users\Fab>nslookup t.co
Address: 10.0.0.1
Non-authoritative response :
Name : t.co
Addresses: 199.16.156.11
          199.16.156.75
I will monitor it in the coming days. Thank you.
-
Well if it breaks again… check you can resolve stuff via root nameservers. Unbound cannot work without those unless forwarding is enabled. Also, extremely weird why it'd be limited to .co TLD
-
Well if it breaks again… check you can resolve stuff via root nameservers. Unbound cannot work without those unless forwarding is enabled. Also, extremely weird why it'd be limited to .co TLD
The problem comes back randomly :-(
And I have changed ISP in the meantime. So this is not an ISP problem.
C:\Users\Fab>dig t.co
; <<>> DiG 9.10.1-P1 <<>> t.co
;; global options: +cmd
;; connection timed out; no servers could be reached

C:\Users\Fab>dig co
; <<>> DiG 9.10.1-P1 <<>> co
;; global options: +cmd
;; connection timed out; no servers could be reached

C:\Users\Fab>dig co. NS
; <<>> DiG 9.10.1-P1 <<>> co. NS
;; global options: +cmd
;; connection timed out; no servers could be reached

C:\Users\Fab>dig co. SOA
; <<>> DiG 9.10.1-P1 <<>> co. SOA
;; global options: +cmd
;; connection timed out; no servers could be reached

C:\Users\Fab>nslookup
Address: 10.0.0.1
> set querytype=soa
> root
Default server : A.ROOT-SERVERS.NET
Addresses: 2001:503:ba3e::2:30
          198.41.0.4
> co.
Serveur : A.ROOT-SERVERS.NET
Addresses: 2001:503:ba3e::2:30
          198.41.0.4
co nameserver = ns1.cctld.co
co nameserver = ns2.cctld.co
co nameserver = ns3.cctld.co
co nameserver = ns4.cctld.co
co nameserver = ns5.cctld.co
co nameserver = ns6.cctld.co
ns1.cctld.co internet address = 156.154.100.25
ns2.cctld.co internet address = 156.154.101.25
ns3.cctld.co internet address = 156.154.102.25
ns4.cctld.co internet address = 156.154.103.25
ns5.cctld.co internet address = 156.154.104.25
ns6.cctld.co internet address = 156.154.105.25
ns1.cctld.co AAAA IPv6 address = 2001:502:2eda::21
ns2.cctld.co AAAA IPv6 address = 2001:502:ad09::21
ns3.cctld.co AAAA IPv6 address = 2610:a1:1009::21
ns4.cctld.co AAAA IPv6 address = 2610:a1:1010::21
ns5.cctld.co AAAA IPv6 address = 2610:a1:1011::21
ns6.cctld.co AAAA IPv6 address = 2610:a1:1012::21
Any idea?
thanks :)
-
Make sure you have "harden glue" enabled on the Advanced tab. If you don't, it might be possible for some malicious query reply to break a TLD.
-
@cmb:
Make sure you have "harden glue" enabled on the Advanced tab. If you don't, it might be possible for some malicious query reply to break a TLD.
I just activated "harden glue", and it works :-) Thanks!
But I do not understand what this option is. Can you tell me more?
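-
What "harden glue" checks, as an added illustration that is not part of the thread and is not Unbound's own code: with the option on, the resolver trusts glue only when it lies within the authority of the server that sent it. The simplified Python model below uses a constructed reply from a server for example.net (zone, records, addresses and function names are all made up for the example) and shows an out-of-zone NS record for co. being dropped with the check on and cached with it off.

```python
# Simplified model of an in-bailiwick ("harden glue") check.
# Illustration only; this is not how Unbound is implemented internally.

def labels(name):
    """Lower-case a DNS name and split it into labels (root -> [])."""
    name = name.rstrip(".").lower()
    return name.split(".") if name else []

def in_bailiwick(owner, zone):
    """True if owner is the zone apex or a name below it."""
    o, z = labels(owner), labels(zone)
    return len(o) >= len(z) and o[len(o) - len(z):] == z

def scrub(zone, records, harden_glue=True):
    """Split authority/additional records into (cached, dropped).

    zone is the zone the answering server was queried as an authority for.
    With harden_glue off, every record is accepted into the cache.
    """
    cached, dropped = [], []
    for rec in records:
        owner = rec[0]
        if not harden_glue or in_bailiwick(owner, zone):
            cached.append(rec)
        else:
            dropped.append(rec)
    return cached, dropped

# Constructed sample: reply from a server that is authoritative for example.net.
SAMPLE_ZONE = "example.net."
SAMPLE_REPLY = [
    ("example.net.", "NS", "ns1.example.net."),
    ("ns1.example.net.", "A", "192.0.2.53"),
    ("co.", "NS", "ns.bogus.example."),        # outside example.net
    ("ns.bogus.example.", "A", "203.0.113.9"),  # outside example.net
]

def cache_after(harden_glue):
    """Return the cache contents as {(owner, type): value} for the sample."""
    cached, _ = scrub(SAMPLE_ZONE, SAMPLE_REPLY, harden_glue)
    return {(owner, rtype): value for owner, rtype, value in cached}

if __name__ == "__main__":
    for setting in (True, False):
        entry = cache_after(setting).get(("co.", "NS"), "not cached")
        print(f"harden_glue={setting}: co. NS -> {entry}")
```

With the check off, the unrelated server's record replaces what the cache holds for co. until it expires, which matches a single TLD failing while everything else keeps resolving.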