    DNS Resolver not resolving AWS domain [SOLVED]

• jahonix

      does not work here

      MBP:~ jahonix$ ping locationperf.cy5eym4polgk.eu-west-1.rds.amazonaws.com
      ping: cannot resolve locationperf.cy5eym4polgk.eu-west-1.rds.amazonaws.com: Unknown host

      MBP:~ jahonix$ nslookup locationperf.cy5eym4polgk.eu-west-1.rds.amazonaws.com
      Server: 192.168.2.3
      Address: 192.168.2.3#53

      Non-authoritative answer:
      *** Can't find locationperf.cy5eym4polgk.eu-west-1.rds.amazonaws.com: No answer

      MBP:~ jahonix$ dig locationperf.cy5eym4polgk.eu-west-1.rds.amazonaws.com

      ; <<>> DiG 9.8.3-P1 <<>> locationperf.cy5eym4polgk.eu-west-1.rds.amazonaws.com
      ;; global options: +cmd
      ;; Got answer:
      ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39637
      ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 0

      ;; QUESTION SECTION:
      ;locationperf.cy5eym4polgk.eu-west-1.rds.amazonaws.com. IN A

      ;; AUTHORITY SECTION:
      eu-west-1.rds.amazonaws.com. 1196 IN NS ns-1507.awsdns-60.org.
      eu-west-1.rds.amazonaws.com. 1196 IN NS ns-186.awsdns-23.com.
      eu-west-1.rds.amazonaws.com. 1196 IN NS ns-1892.awsdns-44.co.uk.
      eu-west-1.rds.amazonaws.com. 1196 IN NS ns-572.awsdns-07.net.

      ;; Query time: 35 msec
      ;; SERVER: 192.168.2.3#53(192.168.2.3)
      ;; WHEN: Thu Mar  2 00:33:22 2017
      ;; MSG SIZE  rcvd: 208

Geolocation or regional DNS server differences? I resolve from Germany.

• jahonix

The site www.ping.eu (datacenter in Germany) can resolve it to 172.22.28.208 but is not able to ping it.

• Derelict (Netgate)

          You do realize that AWS has been doing a Chernobyl over the last day right?

          $ dig +trace locationperf.cy5eym4polgk.eu-west-1.rds.amazonaws.com

          ; <<>> DiG 9.8.3-P1 <<>> +trace locationperf.cy5eym4polgk.eu-west-1.rds.amazonaws.com
          ;; global options: +cmd
          . 518400 IN NS a.root-servers.net.
          . 518400 IN NS b.root-servers.net.
          . 518400 IN NS c.root-servers.net.
          . 518400 IN NS d.root-servers.net.
          . 518400 IN NS e.root-servers.net.
          . 518400 IN NS f.root-servers.net.
          . 518400 IN NS g.root-servers.net.
          . 518400 IN NS h.root-servers.net.
          . 518400 IN NS i.root-servers.net.
          . 518400 IN NS j.root-servers.net.
          . 518400 IN NS k.root-servers.net.
          . 518400 IN NS l.root-servers.net.
          . 518400 IN NS m.root-servers.net.
          ;; Received 228 bytes from 2600:8801:580:5b01:208:a2ff:fe09:99ad#53(2600:8801:580:5b01:208:a2ff:fe09:99ad) in 521 ms

          com. 172800 IN NS a.gtld-servers.net.
          com. 172800 IN NS b.gtld-servers.net.
          com. 172800 IN NS c.gtld-servers.net.
          com. 172800 IN NS d.gtld-servers.net.
          com. 172800 IN NS e.gtld-servers.net.
          com. 172800 IN NS f.gtld-servers.net.
          com. 172800 IN NS g.gtld-servers.net.
          com. 172800 IN NS h.gtld-servers.net.
          com. 172800 IN NS i.gtld-servers.net.
          com. 172800 IN NS j.gtld-servers.net.
          com. 172800 IN NS k.gtld-servers.net.
          com. 172800 IN NS l.gtld-servers.net.
          com. 172800 IN NS m.gtld-servers.net.
          ;; Received 511 bytes from 2001:500:1::53#53(2001:500:1::53) in 533 ms

          amazonaws.com. 172800 IN NS u1.amazonaws.com.
          amazonaws.com. 172800 IN NS u2.amazonaws.com.
          amazonaws.com. 172800 IN NS r1.amazonaws.com.
          amazonaws.com. 172800 IN NS r2.amazonaws.com.
          ;; Received 203 bytes from 192.41.162.30#53(192.41.162.30) in 255 ms

          eu-west-1.rds.amazonaws.com. 300 IN NS ns-1507.awsdns-60.org.
          eu-west-1.rds.amazonaws.com. 300 IN NS ns-186.awsdns-23.com.
          eu-west-1.rds.amazonaws.com. 300 IN NS ns-1892.awsdns-44.co.uk.
          eu-west-1.rds.amazonaws.com. 300 IN NS ns-572.awsdns-07.net.
          ;; Received 208 bytes from 205.251.195.199#53(205.251.195.199) in 192 ms

          locationperf.cy5eym4polgk.eu-west-1.rds.amazonaws.com. 5 IN A 172.22.28.208
          eu-west-1.rds.amazonaws.com. 1800 IN NS ns-1507.awsdns-60.org.
          eu-west-1.rds.amazonaws.com. 1800 IN NS ns-186.awsdns-23.com.
          eu-west-1.rds.amazonaws.com. 1800 IN NS ns-1892.awsdns-44.co.uk.
          eu-west-1.rds.amazonaws.com. 1800 IN NS ns-572.awsdns-07.net.
          ;; Received 224 bytes from 2600:9000:5300:ba00::1#53(2600:9000:5300:ba00::1) in 60 ms

          $ dig -4 +trace locationperf.cy5eym4polgk.eu-west-1.rds.amazonaws.com

          ; <<>> DiG 9.8.3-P1 <<>> -4 +trace locationperf.cy5eym4polgk.eu-west-1.rds.amazonaws.com
          ;; global options: +cmd
          . 518400 IN NS a.root-servers.net.
          . 518400 IN NS b.root-servers.net.
          . 518400 IN NS c.root-servers.net.
          . 518400 IN NS d.root-servers.net.
          . 518400 IN NS e.root-servers.net.
          . 518400 IN NS f.root-servers.net.
          . 518400 IN NS g.root-servers.net.
          . 518400 IN NS h.root-servers.net.
          . 518400 IN NS i.root-servers.net.
          . 518400 IN NS j.root-servers.net.
          . 518400 IN NS k.root-servers.net.
          . 518400 IN NS l.root-servers.net.
          . 518400 IN NS m.root-servers.net.
          ;; Received 228 bytes from 192.168.223.1#53(192.168.223.1) in 36 ms

          com. 172800 IN NS a.gtld-servers.net.
          com. 172800 IN NS b.gtld-servers.net.
          com. 172800 IN NS c.gtld-servers.net.
          com. 172800 IN NS d.gtld-servers.net.
          com. 172800 IN NS e.gtld-servers.net.
          com. 172800 IN NS f.gtld-servers.net.
          com. 172800 IN NS g.gtld-servers.net.
          com. 172800 IN NS h.gtld-servers.net.
          com. 172800 IN NS i.gtld-servers.net.
          com. 172800 IN NS j.gtld-servers.net.
          com. 172800 IN NS k.gtld-servers.net.
          com. 172800 IN NS l.gtld-servers.net.
          com. 172800 IN NS m.gtld-servers.net.
          ;; Received 503 bytes from 198.97.190.53#53(198.97.190.53) in 89 ms

          amazonaws.com. 172800 IN NS u1.amazonaws.com.
          amazonaws.com. 172800 IN NS u2.amazonaws.com.
          amazonaws.com. 172800 IN NS r1.amazonaws.com.
          amazonaws.com. 172800 IN NS r2.amazonaws.com.
          ;; Received 203 bytes from 192.26.92.30#53(192.26.92.30) in 130 ms

          eu-west-1.rds.amazonaws.com. 300 IN NS ns-1507.awsdns-60.org.
          eu-west-1.rds.amazonaws.com. 300 IN NS ns-186.awsdns-23.com.
          eu-west-1.rds.amazonaws.com. 300 IN NS ns-1892.awsdns-44.co.uk.
          eu-west-1.rds.amazonaws.com. 300 IN NS ns-572.awsdns-07.net.
          ;; Received 208 bytes from 205.251.192.27#53(205.251.192.27) in 52 ms

          locationperf.cy5eym4polgk.eu-west-1.rds.amazonaws.com. 5 IN A 172.22.28.208
          eu-west-1.rds.amazonaws.com. 1800 IN NS ns-1507.awsdns-60.org.
          eu-west-1.rds.amazonaws.com. 1800 IN NS ns-186.awsdns-23.com.
          eu-west-1.rds.amazonaws.com. 1800 IN NS ns-1892.awsdns-44.co.uk.
          eu-west-1.rds.amazonaws.com. 1800 IN NS ns-572.awsdns-07.net.
          ;; Received 224 bytes from 205.251.199.100#53(205.251.199.100) in 40 ms

          Chattanooga, Tennessee, USA
          A comprehensive network diagram is worth 10,000 words and 15 conference calls.
          DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
          Do Not Chat For Help! NO_WAN_EGRESS(TM)

• Derelict (Netgate)

            Of course it can't ping it. It is an RFC1918 address.

            Which is also why unbound is refusing the answer.

• jahonix

              @Derelict:

              It is an RFC1918 address.

              Sure, yes ::)  Time to go to bed…

• dragoangel

                @Derelict:

                You do realize that AWS has been doing a Chernobyl over the last day right?

                What do you mean?
But about RFC1918, I understand this but didn't see it myself, :(
And yep: DNS Rebind Check
When this is unchecked, the system is protected against DNS Rebinding attacks. This blocks private IP responses from the configured DNS servers. Check this box to disable this protection if it interferes with webConfigurator access or name resolution in the environment.
The question is closed. Thx everybody.

                Latest stable pfSense on 2x XG-7100 and 1x Intel Xeon Server, running mutiWAN, he.net IPv6, pfBlockerNG-devel, HAProxy-devel, Syslog-ng, Zabbix-agent, OpenVPN, IPsec site-to-site, DNS-over-TLS...
                Unifi AP-AC-LR with EAP RADIUS, US-24

• Derelict (Netgate)

                  You can also add:

server:
    private-domain: "cy5eym4polgk.eu-west-1.rds.amazonaws.com"

                  To the custom options box in unbound and keep rebinding protection enabled globally.

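As an added illustration (not code from this thread, from pfSense or from unbound), here is a small Python model of what the DNS Rebind Check does with the answer above: private A/AAAA records are dropped unless their owner name sits under a private-domain entry, and the suffix match is label-aware so a look-alike name does not inherit the exemption. The private-address ranges listed are an assumption about what pfSense writes into the generated unbound config.

```python
import ipaddress

# Ranges pfSense's "DNS Rebind Check" hands to unbound as private-address
# (assumption: the RFC1918, link-local and ULA set pfSense generates).
PRIVATE_RANGES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16",
    "fd00::/8", "fe80::/10",
)]


def is_private(rdata):
    """True when an A/AAAA rdata falls inside a private-address range."""
    addr = ipaddress.ip_address(rdata)
    return any(addr in net for net in PRIVATE_RANGES)


def in_private_domain(name, private_domains):
    """Label-boundary suffix match, the way a private-domain exemption applies."""
    labels = name.rstrip(".").lower().split(".")
    for dom in private_domains:
        dlabels = dom.rstrip(".").lower().split(".")
        if labels[-len(dlabels):] == dlabels:
            return True
    return False


def rebind_filter(rrs, private_domains=()):
    """Return the records the resolver would hand to the client.

    rrs is a list of (owner, rrtype, rdata). Private A/AAAA answers are
    stripped unless the owner sits under a private-domain; everything else
    (NS, CNAME, ...) passes through, which is why the dig output in the
    thread shows NOERROR with ANSWER: 0 and only the AUTHORITY section.
    """
    kept = []
    for owner, rrtype, rdata in rrs:
        if rrtype in ("A", "AAAA") and is_private(rdata) \
                and not in_private_domain(owner, private_domains):
            continue
        kept.append((owner, rrtype, rdata))
    return kept


# Constructed sample modelled on the answer quoted in the thread.
RDS_HOST = "locationperf.cy5eym4polgk.eu-west-1.rds.amazonaws.com"
SAMPLE = [
    (RDS_HOST, "A", "172.22.28.208"),
    ("eu-west-1.rds.amazonaws.com", "NS", "ns-1507.awsdns-60.org."),
]

if __name__ == "__main__":
    print("global protection:", rebind_filter(SAMPLE))
    print("with private-domain:",
          rebind_filter(SAMPLE, ["cy5eym4polgk.eu-west-1.rds.amazonaws.com"]))
```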
• dragoangel

                    Thx, big guru ^__^

• johnpoz (Global Moderator)

Why would it resolve to rfc1918? Public resolve should not return public - this is why unbound blocks it even.. So your fix was to tell unbound that it's private? Curious why it resolves rfc1918 in the first place? And how exactly would you get there anyway? So you have a VPN connection to AWS?

                      An intelligent man is sometimes forced to be drunk to spend time with his fools
                      If you get confused: Listen to the Music Play
                      Please don't Chat/PM me for help, unless mod related
                      SG-4860 24.11 | Lab VMs 2.7.2, 24.11

• dragoangel

                        @johnpoz:

Why would it resolve to rfc1918? Public resolve should not return public - this is why unbound blocks it even.. So your fix was to tell unbound that it's private? Curious why it resolves rfc1918 in the first place? And how exactly would you get there anyway? So you have a VPN connection to AWS?

Yes, my coworkers have a VPN, and it resolves to a private address only. I'm really confused that they use public domains for resolving private network IPs… :-
I dealt with it like Derelict told me:
                        @Derelict:

                        You can also add:

server:
    private-domain: "cy5eym4polgk.eu-west-1.rds.amazonaws.com"

                        To the custom options box in unbound and keep rebinding protection enabled globally.
