DNS Resolver won't resolve georgesriver.nsw.gov.au

JohnKap

I am at an absolute loss on why this isn't working or how I go about fixing it. I'm unable to connect to http://georgesriver.nsw.gov.au and the root cause is the DNS resolver.

If you have a look the following nslookups, you can see that it fails when it hits the pfsense resolver, yet successfully resolves on 8.8.8.8 and 1.1.1.1. I've even tried a couple of other *.nsw.gov.au domains and the pfsense resolver works as expected.

When I use the DNS Diagnostic tool in pfsense, it resolves correctly.

0_1545262469728_DNS Lookup.jpg

I've restarted the DNS resolver, and even restarted pfsense without any luck.

Any ideas?

biggsy

@johnkap

Firefox is telling me "The connection was reset".

gjaltemba

@johnkap
Misery loves company. Same problem with www.canadiantire.ca

JohnKap

@gjaltemba said in DNS Resolver won't resolve georgesriver.nsw.gov.au:

@johnkap
Misery loves company. Same problem with www.canadiantire.ca

yet I can access www.canadiantire.ca without an issue

JKnott

@johnkap said in DNS Resolver won't resolve georgesriver.nsw.gov.au:

yet I can access www.canadiantire.ca without an issue

Me too.

gjaltemba

@jknott Do you mean that nslookup on www.canadiantire.ca timed out but can browse?

chpalmer

If you look here you can see that the resolver and the other DNS I have seem to agree. Otherwise the output from this page would disagree.

chpalmer

Try it this way instead.

http://www.georgesriver.nsw.gov.au/Home

The noaa site does this to us as well at a couple of links.

JohnKap

I've managed to get it working by allowing this option.

0_1545284212829_DNS Forwading.jpg

From the documention:

Enable Forwarding Mode: Controls whether Unbound will query root servers directly (unchecked, disabled) or if queries will be forwarded to the upstream DNS servers defined under System > General or those obtained by DHCP/PPPoE/etc (checked, enabled). Forwarding mode may be enabled if the upstream DNS servers are trusted and also provide DNSSEC support.

I'm guessing some kind of error with my resolver querying the root server for this domain directly.
Anyone know how I can debug this?

gjaltemba

@johnkap I see enabling Forwarding Mode more as a workaround. Another workaround would be to enable DoH in my browser.

KOM

@johnkap Is there anything of note in Status - System Logs - System - DNS Resolver?

gjaltemba

Same results testing with Windows resolver.

johnpoz

@johnkap said in DNS Resolver won't resolve georgesriver.nsw.gov.au:

georgesriver.nsw.gov.au

resolves just fine..

C:\>dig georgesriver.nsw.gov.au

; <<>> DiG 9.12.3 <<>> georgesriver.nsw.gov.au
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52612
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;georgesriver.nsw.gov.au.       IN      A

;; ANSWER SECTION:
georgesriver.nsw.gov.au. 300    IN      A       116.66.224.48

;; Query time: 854 msec
;; SERVER: 192.168.3.10#53(192.168.3.10)
;; WHEN: Thu Dec 20 13:37:48 Central Standard Time 2018
;; MSG SIZE  rcvd: 68

If your having problems with something resolving - validate its not an issue with their dnssec setup
http://dnsviz.net/d/georgesriver.nsw.gov.au/dnssec/

Do a +trace with a real dns tool like dig so you can see where the resolving problem fails..

[2.4.4-RELEASE][root@sg4860.local.lan]/root: dig georgesriver.nsw.gov.au +trace             

; <<>> DiG 9.12.2-P1 <<>> georgesriver.nsw.gov.au +trace
;; global options: +cmd
.                       495350  IN      NS      a.root-servers.net.
.                       495350  IN      NS      b.root-servers.net.
.                       495350  IN      NS      c.root-servers.net.
.                       495350  IN      NS      d.root-servers.net.
.                       495350  IN      NS      e.root-servers.net.
.                       495350  IN      NS      f.root-servers.net.
.                       495350  IN      NS      g.root-servers.net.
.                       495350  IN      NS      h.root-servers.net.
.                       495350  IN      NS      i.root-servers.net.
.                       495350  IN      NS      j.root-servers.net.
.                       495350  IN      NS      k.root-servers.net.
.                       495350  IN      NS      l.root-servers.net.
.                       495350  IN      NS      m.root-servers.net.
.                       495350  IN      RRSIG   NS 8 0 518400 20190101170000 20181219160000 2134 . aH19ZbGE7PmNSMvdk6K+LjSXa29plcD3I8fuekxDGLi6kIBu/3fKsL6x ZrDdbh8MzPlDAbE3SOzmrsdV4uAt5nVaCM5+ukUCXawrFEIfstSogovq HNYx33OVRPd0Er+fM2BMCKzjnMQgTq3MOykvcKgSiKkZ6xYk9mQhb/HJ zYBbxQ04ASJA47915U/hSEqvw8pLmDHbLSRUDGFQibh9HIToswZIK/lE TIRPo9EQISIW++R0sVtPON1WgCn1hMuw8hfxika8YS+RrZZdoFFRvmye IkXrMnFooqAMplaI9stnqSweH/XQ4+WfU9FLWkC1mwfJbEx7Zff7UGdc sj3hvQ==
;; Received 525 bytes from 127.0.0.1#53(127.0.0.1) in 0 ms

au.                     172800  IN      NS      d.au.
au.                     172800  IN      NS      v.au.
au.                     172800  IN      NS      u.au.
au.                     172800  IN      NS      q.au.
au.                     172800  IN      NS      t.au.
au.                     172800  IN      NS      s.au.
au.                     172800  IN      NS      r.au.
au.                     172800  IN      NS      b.au.
au.                     172800  IN      NS      a.au.
au.                     172800  IN      NS      c.au.
au.                     86400   IN      DS      35197 8 1 DF3D2F347C04EAE8FFAD6EEA8BD52FD134088969
au.                     86400   IN      DS      35197 8 2 9EDA3EC27D09500AD52C510A86BCB1CD7C364444E3AB04B6EBB76378 378A5C87
au.                     86400   IN      DS      20647 8 1 A1C2F3602CD171CF3FBCDA25523C086867D29CC6
au.                     86400   IN      DS      20647 8 2 EFC7975FCA1FED2B5DF3624A7EFAB5ED20AF42DC83F5D9EC1D3B4C99 0B8E2B54
au.                     86400   IN      RRSIG   DS 8 1 86400 20190102170000 20181220160000 2134 . RD9Hjl0YUj/ZBrPFE7YNUdaJ94jE7tjiiabPKUM9qxJ2wLUdAbSHLdQR ez8T9JWoYwdTSVVCquQRx91nrEOWPp62r5DcC/G9d8h6gNaoPLG1F6jC NQOsAhG5qS/Z+wIHrhJjbVkaV9zebNCrtI1ogstr4ie2ujHR4JOBPOo/ 8hWoicb/fRY2/xvXKjqF2xyhCn03QwY87JHo6FmLusqVJtg21nUfn7zA AoE7+aWOXZN7yyD1233qdWbKLL/YUPFHfbZZMKP/tyXZO6OD5+PtqAOI KfLTEnzRx/N+c2NQOgkVpa6/W6gKSfukltFMd4RgcHVdNt0ip7RLkHj5 bIbuTQ==
;; Received 1079 bytes from 2001:503:ba3e::2:30#53(a.root-servers.net) in 37 ms

gov.au.                 86400   IN      NS      q.au.
gov.au.                 86400   IN      NS      s.au.
gov.au.                 86400   IN      NS      r.au.
gov.au.                 86400   IN      NS      t.au.
gov.au.                 43200   IN      NSEC    id.au. NS RRSIG NSEC
gov.au.                 43200   IN      RRSIG   NSEC 8 2 43200 20190320054007 20181220050932 43578 au. 3qC/PisGGsHIcKzVmBGJUlOt5/LqK4XVwU/7YcJyMzTiShWGYM+9Qa8B 0b8peRA93NqtwQ+5Nv0xZofEfznbUTJ9a/c2/VgCe7aIZ6N89uTDOtS0 n3lb7k9OUfxtzgssC8iAGSDU4MCYhW0izref2/MITLJLHzPyFMACK2rl RVhX/QnoF50FxduaV3E34bHQAT9sLnTyUOpZiXSWo/dKMg==
;; Received 2065 bytes from 58.65.253.73#53(b.au) in 88 ms

georgesriver.nsw.gov.au. 900    IN      NS      ns1.telstra.net.
georgesriver.nsw.gov.au. 900    IN      NS      ns0.telstra.net.
;; Received 99 bytes from 65.22.199.1#53(t.au) in 11 ms

georgesriver.nsw.gov.au. 300    IN      A       116.66.224.48
georgesriver.nsw.gov.au. 3600   IN      NS      ns0.telstra.net.
georgesriver.nsw.gov.au. 3600   IN      NS      ns1.telstra.net.
;; Received 131 bytes from 139.130.4.5#53(ns1.telstra.net) in 244 ms

[2.4.4-RELEASE][root@sg4860.local.lan]/root:

NogBadTheBad

It works with https.

They need to set up a redirect for http as well.

JohnKap

@johnpoz thanks for the +trace option on dig, wasn't aware of that.

Note the last line - connection timed out; no servers could be reached any idea what would be causing that?

; <<>> DiG 9.12.2-P1 <<>> georgesriver.nsw.gov.au +trace
;; global options: +cmd
.                       6059    IN      NS      l.root-servers.net.
.                       6059    IN      NS      m.root-servers.net.
.                       6059    IN      NS      a.root-servers.net.
.                       6059    IN      NS      b.root-servers.net.
.                       6059    IN      NS      c.root-servers.net.
.                       6059    IN      NS      d.root-servers.net.
.                       6059    IN      NS      e.root-servers.net.
.                       6059    IN      NS      f.root-servers.net.
.                       6059    IN      NS      g.root-servers.net.
.                       6059    IN      NS      h.root-servers.net.
.                       6059    IN      NS      i.root-servers.net.
.                       6059    IN      NS      j.root-servers.net.
.                       6059    IN      NS      k.root-servers.net.
.                       6059    IN      RRSIG   NS 8 0 518400 20190102170000 20181220160000 2134 . zMtnsqgslt5pHbn6xnLu96H+                                          sESJNaDD1ofk+Cdx2Ovc4BEHZ0KiYIWE FHOR/u90lYNAUqXKujkKRsK+T1DEZ4lRTcT7FaL+h30X44QXtgrxppvh hRulk8UoGiwDntpTqPfulqhsx2P/yaPDj                                          8MuQCbooi3ibbUFZidpnI/U sjUxC1WSLUoZz3SAgcQCcJ6odTaR/x/qLnRK3h08M81cBF9ABSQR82dM cknk4FVH9XpEsc7I8wYu6EvpKrhPUr8W9AXz+06VmS                                          bHp0BStxGgdm+C X7goky1xsHdVu6K6lGJ04Z4eaY0BNcxO+jUQpd68NKmEmna+Kug+Tc3P FIQGGg==
;; Received 525 bytes from 127.0.0.1#53(127.0.0.1) in 12 ms

au.                     172800  IN      NS      q.au.
au.                     172800  IN      NS      u.au.
au.                     172800  IN      NS      b.au.
au.                     172800  IN      NS      c.au.
au.                     172800  IN      NS      d.au.
au.                     172800  IN      NS      t.au.
au.                     172800  IN      NS      s.au.
au.                     172800  IN      NS      v.au.
au.                     172800  IN      NS      r.au.
au.                     172800  IN      NS      a.au.
au.                     86400   IN      DS      35197 8 2 9EDA3EC27D09500AD52C510A86BCB1CD7C364444E3AB04B6EBB76378 378A5C87
au.                     86400   IN      DS      20647 8 1 A1C2F3602CD171CF3FBCDA25523C086867D29CC6
au.                     86400   IN      DS      20647 8 2 EFC7975FCA1FED2B5DF3624A7EFAB5ED20AF42DC83F5D9EC1D3B4C99 0B8E2B54
au.                     86400   IN      DS      35197 8 1 DF3D2F347C04EAE8FFAD6EEA8BD52FD134088969
au.                     86400   IN      RRSIG   DS 8 1 86400 20190102170000 20181220160000 2134 . RD9Hjl0YUj/ZBrPFE7YNUdaJ9                                          4jE7tjiiabPKUM9qxJ2wLUdAbSHLdQR ez8T9JWoYwdTSVVCquQRx91nrEOWPp62r5DcC/G9d8h6gNaoPLG1F6jC NQOsAhG5qS/Z+wIHrhJjbVkaV9zebNCrtI                                          1ogstr4ie2ujHR4JOBPOo/ 8hWoicb/fRY2/xvXKjqF2xyhCn03QwY87JHo6FmLusqVJtg21nUfn7zA AoE7+aWOXZN7yyD1233qdWbKLL/YUPFHfbZZMKP/tyX                                          ZO6OD5+PtqAOI KfLTEnzRx/N+c2NQOgkVpa6/W6gKSfukltFMd4RgcHVdNt0ip7RLkHj5 bIbuTQ==
;; Received 1107 bytes from 192.112.36.4#53(g.root-servers.net) in 131 ms

gov.au.                 86400   IN      NS      q.au.
gov.au.                 86400   IN      NS      s.au.
gov.au.                 86400   IN      NS      t.au.
gov.au.                 86400   IN      NS      r.au.
gov.au.                 43200   IN      NSEC    id.au. NS RRSIG NSEC
gov.au.                 43200   IN      RRSIG   NSEC 8 2 43200 20190320054007 20181220050932 43578 au. 3qC/PisGGsHIcKzVmBGJ                                          UlOt5/LqK4XVwU/7YcJyMzTiShWGYM+9Qa8B 0b8peRA93NqtwQ+5Nv0xZofEfznbUTJ9a/c2/VgCe7aIZ6N89uTDOtS0 n3lb7k9OUfxtzgssC8iAGSDU4MCYh                                          W0izref2/MITLJLHzPyFMACK2rl RVhX/QnoF50FxduaV3E34bHQAT9sLnTyUOpZiXSWo/dKMg==
;; Received 353 bytes from 162.159.24.179#53(c.au) in 23 ms

georgesriver.nsw.gov.au. 900    IN      NS      ns0.telstra.net.
georgesriver.nsw.gov.au. 900    IN      NS      ns1.telstra.net.
;; Received 127 bytes from 65.22.198.1#53(s.au) in 33 ms

;; connection timed out; no servers could be reached

JohnKap

@johnkap and no issue resolving or connecting to their name servers.

root: ping -c 3 ns0.telstra.net
PING ns0.telstra.net (139.130.204.47): 56 data bytes
64 bytes from 139.130.204.47: icmp_seq=0 ttl=250 time=9.366 ms
64 bytes from 139.130.204.47: icmp_seq=1 ttl=250 time=12.508 ms
64 bytes from 139.130.204.47: icmp_seq=2 ttl=250 time=12.452 ms

--- ns0.telstra.net ping statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 9.366/11.442/12.508/1.468 ms
root: ping -c 3 ns1.telstra.net
PING ns1.telstra.net (139.130.4.5): 56 data bytes
64 bytes from 139.130.4.5: icmp_seq=0 ttl=248 time=22.832 ms
64 bytes from 139.130.4.5: icmp_seq=1 ttl=248 time=29.352 ms
64 bytes from 139.130.4.5: icmp_seq=2 ttl=248 time=24.486 ms

--- ns1.telstra.net ping statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 22.832/25.557/29.352/2.767 ms

gjaltemba

@johnpoz said in DNS Resolver won't resolve georgesriver.nsw.gov.au:

georgesriver.nsw.gov.au

When I do dig with +trace I just get back. What to do?

;; global options: +cmd