DNS Resolver Issues
-
Hi there
There may be an obvious answer to this, but I've been going around in circles for the last few hours. It seems that the DNS Resolver is adamant about not pushing out DNS information for one particular public domain (nhs.uk). I'm unable to traceroute, ping, nslookup, etc. Everything returns a 'can't be found' error. However, if I DNS lookup through pfSense, I get the A record without any issues. If I change the DNS server addresses on my device to Google DNS directly (which my pfSense box is using) I can retrieve the record and visit the website without any issues! Any help would be gratefully received!
CMD console on network through pfSense

C:\Users\Administrator>nslookup nhs.uk
Server: pfSense.default
Address: 192.168.1.1

DNS request timed out.
timeout was 2 seconds.
DNS request timed out.
timeout was 2 seconds.
*** Request to pfSense.default timed-out

C:\Users\Administrator>ping nhs.uk
Ping request could not find host nhs.uk. Please check the name and try again.

DNS Lookup in pfSense

Result           Record type
94.245.104.73    A

[2.3.2-RELEASE][admin@pfSense.default]/root: unbound-control -c /var/unbound/unbound.conf lookup nhs.uk
The following name servers are used for lookup of nhs.uk.
;rrset 86122 2 0 2 0
nhs.uk. 172522 IN NS nsa.nhs.uk.
nhs.uk. 172522 IN NS nsb.nhs.uk.
;rrset 85907 1 0 1 0
nsb.nhs.uk. 172307 IN A 80.2.101.230
;rrset 85907 1 0 1 0
nsa.nhs.uk. 172307 IN A 194.176.105.223
Delegation with 2 names, of which 2 can be examined to query further addresses.
It provides 2 IP addresses.
194.176.105.223 rto 120000 msec, ttl 407, ping 0 var 94 rtt 376, tA 3, tAAAA 3, tother 0, probedelay 2, EDNS 0 assumed.
80.2.101.230 rto 120000 msec, ttl 407, ping 0 var 94 rtt 376, tA 3, tAAAA 3, tother 0, probedelay 68, EDNS 0 assumed.
-
Resolver is working fine with that domain.
dig @192.168.9.253 nhs.uk ns
; <<>> DiG 9.11.0-P1 <<>> @192.168.9.253 nhs.uk ns
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13306
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;nhs.uk. IN NS

;; ANSWER SECTION:
nhs.uk. 86375 IN NS nsa.nhs.uk.
nhs.uk. 86375 IN NS nsb.nhs.uk.

;; Query time: 1 msec
;; SERVER: 192.168.9.253#53(192.168.9.253)
;; WHEN: Mon Jan 02 04:28:33 Central Standard Time 2017
;; MSG SIZE rcvd: 71
-
Your timeout error is you couldn't talk to the resolver - sure it was listening on that IP?
-
Thanks for your reply. This is the reason why it's not making any sense! Below are nslookup responses - one going through pfSense, the other direct to Google's DNS servers. It is definitely getting stuck at pfSense, but I have no idea why.
pfSense DNS

C:\Users\Administrator>nslookup google.co.uk
Server: pfSense.default
Address: 192.168.1.1

Non-authoritative answer:
Name: google.co.uk
Addresses: 2a00:1450:4009:80d::2003
216.58.204.35

C:\Users\Administrator>nslookup nhs.uk
Server: pfSense.default
Address: 192.168.1.1

DNS request timed out.
timeout was 2 seconds.
DNS request timed out.
timeout was 2 seconds.
*** Request to pfSense.default timed-out

Google DNS

C:\Users\Administrator>nslookup google.co.uk
Server: google-public-dns-a.google.com
Address: 8.8.8.8

Non-authoritative answer:
Name: google.co.uk
Addresses: 2a00:1450:4009:808::2003
216.58.208.163

C:\Users\Administrator>nslookup nhs.uk
Server: google-public-dns-a.google.com
Address: 8.8.8.8

Non-authoritative answer:
Name: nhs.uk
Address: 94.245.104.73

It also affects all devices on the network - iPhones, iPads, etc., so it's not just one device it's happening on.
-
You do understand how the resolver works, right?? It walks down from the roots to the authoritative server.. If it cannot talk to the authoritative servers, or it takes too long, then yeah it will have problems..
I am showing no issues with resolving that FQDN.. You need to figure out where you're having a network issue that is causing you a problem..
Do, say, a dig +trace or debug with nslookup to find out where you're having an issue talking to the NS in the resolve process..
See, I can resolve it down from the roots without any issue.
dig nhs.uk +trace
; <<>> DiG 9.11.0-P1 <<>> nhs.uk +trace
;; global options: +cmd
. 501482 IN NS h.root-servers.net.
. 501482 IN NS e.root-servers.net.
. 501482 IN NS k.root-servers.net.
. 501482 IN NS m.root-servers.net.
. 501482 IN NS a.root-servers.net.
. 501482 IN NS c.root-servers.net.
. 501482 IN NS g.root-servers.net.
. 501482 IN NS f.root-servers.net.
. 501482 IN NS b.root-servers.net.
. 501482 IN NS i.root-servers.net.
. 501482 IN NS d.root-servers.net.
. 501482 IN NS j.root-servers.net.
. 501482 IN NS l.root-servers.net.
. 501482 IN RRSIG NS 8 0 518400 20170115050000 20170102040000 61045 . IPMIhhdfD4IDsgpJw1TGLp93u1E9eA1HiHd5LxQsXs0RohWm4nZQk984 k77Xzjjx3bnBttvMV+SVc+X7AxQDVYxNAQIeB3Qn4ZVKBSCj2gRC+hs9 YR0IcU0TnG6IuIu+BFk4AKT53kjxfYE3yJVxYcZM+hzOexXKfFwHjzbe XAyLD78M+oFX41IMlJob8uxcO3t3nnWLR/a3jxdWLG6IV6DMMAYdxAd5 JZbNATNxP+RNEYau3KsXkit5Pxm6iiRyMKiu/aonJzK5FAspww0TvHJk SwLdDPuOCCbKyjku6X6zHIOCruF9DQihpuwdrRHxIXr7+tcKrE9iveV4 Wq312Q==
;; Received 525 bytes from 192.168.3.10#53(192.168.3.10) in 4 ms

uk. 172800 IN NS dns2.nic.uk.
uk. 172800 IN NS dns1.nic.uk.
uk. 172800 IN NS nsc.nic.uk.
uk. 172800 IN NS nsd.nic.uk.
uk. 172800 IN NS dns3.nic.uk.
uk. 172800 IN NS nsa.nic.uk.
uk. 172800 IN NS dns4.nic.uk.
uk. 172800 IN NS nsb.nic.uk.
uk. 86400 IN DS 43876 8 2 A107ED2AC1BD14D924173BC7E827A1153582072394F9272BA37E2353 BC659603
uk. 86400 IN RRSIG DS 8 1 86400 20170115050000 20170102040000 61045 . HBsDVNwfRprjMNrJk6HD+RxOD+TVjyj88/hhwwyt47DJ+DdEmyxnBTNF IvhK7imOI85ahg7/FVnznZBwz28T/pswRowNMtAWrIKf1rQ8qEkQHvbt pP2p3TAINCTNsQ3DIA+QimgC216g+SsmulzLnnkL6Rvn7YDa4zdt8of2 iGDTrgPyRfsk7E8NPEoTxqxW4rffJaEYU9C0csAughFKmrb80B8iDNXX naUnwUOAULTfcGz84KoswRIn15Cdf4qi5MyayNw/sdVKWo5NEHgfDfEl 19p65HAnZDR57G9A0CZ79mFezRTqH8mVwodGa3Zt53Xjcrr7SeF9Pp7C UlpTDw==
;; Received 790 bytes from 192.36.148.17#53(i.root-servers.net) in 64 ms

nhs.uk. 172800 IN NS nsa.nhs.uk.
nhs.uk. 172800 IN NS nsb.nhs.uk.
U1FMKLFV3RDCNAMDC64SEKGCDP05BBIU.uk. 10800 IN NSEC3 1 1 0 - U1LG7J6JO1NFSU55LON2UMGEUJO912TU NS SOA RRSIG DNSKEY NSEC3PARAM TYPE65534
U1FMKLFV3RDCNAMDC64SEKGCDP05BBIU.uk. 10800 IN RRSIG NSEC3 8 2 10800 20170116021546 20170102013947 43056 uk. Mm5vXay9NZ6Hxqga6cuTcGYJJgBgKCYKZUBhvMUPzRUv1w3JCKMmZTxq XBADATsAE+JfIBNIOiGufycbX3wTL3lnqWKOykXQ+XoUW4T65tumjgi3 Gw7oUPhAYJgLVcjhPH4g5+AZ7dO/2hEDoW1uFLOYUcFt81lubPC+fXCS R9c=
M1UA9SJ26NB3S6PJCVOKFGCI189MTH0H.uk. 10800 IN NSEC3 1 1 0 - M24EVKII04A4OCQ1QGOQ98FFTFUD4LPB NS DS RRSIG
M1UA9SJ26NB3S6PJCVOKFGCI189MTH0H.uk. 10800 IN RRSIG NSEC3 8 2 10800 20170115181727 20170101175145 43056 uk. lp0B4DM3n8+TVZYktyn8fmJRjq/EW7EfZOA9Li1zoUudSq9oQE/NL6xb NSqGhyM0pEKbIleEpSflFqGmj8GDbr1G/4AeR8Cup1iy6RA2xgAcCVDX +2WyCJf0HwwF32o7Nj3bZ1s2OzHVJzKq6laVXOvUlv9n/tbiqIjtCGXK WSM=
;; Received 620 bytes from 156.154.100.3#53(nsa.nic.uk) in 21 ms

nhs.uk. 300 IN A 94.245.104.73
;; Received 51 bytes from 80.2.101.230#53(nsb.nhs.uk) in 130 ms

You can see in the trace - asked
Received 790 bytes from 192.36.148.17#53(i.root-servers.net) in 64 ms
Hey what's the NS for uk..
Then asked one of them
Received 620 bytes from 156.154.100.3#53(nsa.nic.uk)
Hey what's the NS for nhs.uk
;; Received 51 bytes from 80.2.101.230#53(nsb.nhs.uk)
Then when I asked it - and got the A record I was looking for..
Turn up the verbosity of unbound - what does the log show you when you try and query for that?
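To make the walk described in this post concrete, here is an added example (not pfSense or Unbound code, and not from either poster): a toy iterative resolver in Python over a constructed in-memory snapshot of the delegation chain the trace shows (root -> uk. -> nhs.uk., using the server names and addresses quoted in the thread, with one server each for the root and uk.). Marking both nhs.uk. name servers as unreachable reproduces the "out of query targets" SERVFAIL; the `Reply`/`Result` classes, `resolve` function and the absence of caching and retries are my own simplifications.

```python
"""Toy iterative resolver that walks root -> uk. -> nhs.uk. like dig +trace.

Added illustration, not pfSense or Unbound code.  The delegation data is a
constructed in-memory snapshot of the names and addresses quoted in this
thread; real resolvers also cache, retry and track server round-trip times,
all of which are left out here.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Constructed snapshot of the delegation chain: zone -> {nameserver: glue IP}.
# One server per parent zone is enough to show the walk.
DELEGATIONS: dict[str, dict[str, str]] = {
    ".": {"i.root-servers.net.": "192.36.148.17"},
    "uk.": {"nsa.nic.uk.": "156.154.100.3"},
    "nhs.uk.": {"nsa.nhs.uk.": "194.176.105.223", "nsb.nhs.uk.": "80.2.101.230"},
}
# Data held by the zone that owns the name (the A record from the trace above).
ANSWERS: dict[tuple[str, str], str] = {("nhs.uk.", "A"): "94.245.104.73"}
# Reverse map so a server address tells us which zone it is authoritative for.
SERVER_ZONE = {ip: zone for zone, nss in DELEGATIONS.items() for ip in nss.values()}


def within(name: str, zone: str) -> bool:
    """True if name lies inside zone (the root contains everything)."""
    return zone == "." or name == zone or name.endswith("." + zone)


def owner_zone(name: str) -> str:
    """Deepest zone in the snapshot that contains name."""
    return max((z for z in DELEGATIONS if within(name, z)), key=len)


@dataclass
class Reply:
    kind: str                        # "answer" or "referral"
    rdata: str | None = None         # set for answers
    zone: str | None = None          # set for referrals
    servers: dict[str, str] = field(default_factory=dict)


def authoritative_reply(ip: str, qname: str, qtype: str) -> Reply:
    """What the server at ip says when asked qname/qtype (no network involved)."""
    zone = SERVER_ZONE[ip]
    if owner_zone(qname) == zone:
        return Reply("answer", rdata=ANSWERS.get((qname, qtype)))
    # Not ours: refer the asker to the next zone down toward the name.
    child = min((z for z in DELEGATIONS if z != zone and within(qname, z) and within(z, zone)), key=len)
    return Reply("referral", zone=child, servers=DELEGATIONS[child])


@dataclass
class Result:
    rcode: str
    rdata: str | None
    trace: list[str]


def resolve(qname: str, qtype: str = "A", unreachable: frozenset[str] = frozenset()) -> Result:
    """Iterate from the root; `unreachable` simulates servers whose replies never arrive."""
    trace: list[str] = []
    servers = DELEGATIONS["."]
    for _hop in range(8):            # guard against a malformed delegation loop
        reply = None
        for name, ip in servers.items():
            if ip in unreachable:
                trace.append(f"timeout waiting for {ip} ({name})")
                continue
            reply = authoritative_reply(ip, qname, qtype)
            trace.append(f"reply from {ip} ({name}): {reply.kind} {reply.rdata or reply.zone}")
            break
        if reply is None:
            # Every server for this delegation failed: this is Unbound's
            # "out of query targets -- returning SERVFAIL" situation.
            trace.append("out of query targets -- returning SERVFAIL")
            return Result("SERVFAIL", None, trace)
        if reply.kind == "answer":
            return Result("NOERROR", reply.rdata, trace)
        servers = reply.servers
    return Result("SERVFAIL", None, trace + ["too many referrals"])


if __name__ == "__main__":
    for blocked in (frozenset(), frozenset({"194.176.105.223", "80.2.101.230"})):
        res = resolve("nhs.uk.", "A", blocked)
        print(res.rcode, res.rdata, *res.trace, sep="\n  ")
```

The second run in `__main__` is the situation in this thread: the root and uk. servers answer, so the walk gets as far as the nhs.uk. delegation, and only then does every remaining target fail. A forwarder pointed at 8.8.8.8 never performs that last step itself; Google's resolvers do the walk from their own network, which is why the client gets an answer while the local resolver's own path to nsa/nsb.nhs.uk fails.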
-
Thank you for your feedback - below are some dig responses. Looking at these I would initially put it down as a third-party issue, but when changing the name servers to Google on a networked device, I get no issues at all!
[2.3.2-RELEASE][admin@pfSense.default]/var/log: dig nhs.uk trace

; <<>> DiG 9.10.4-P2 <<>> nhs.uk trace
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 33396
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;nhs.uk. IN A

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Jan 02 19:01:20 GMT 2017
;; MSG SIZE rcvd: 35

;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 55914
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;trace. IN A

;; AUTHORITY SECTION:
. 1479 IN SOA a.root-servers.net. nstld.verisign-grs.com. 2017010201 1800 900 604800 86400

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Jan 02 19:01:20 GMT 2017
;; MSG SIZE rcvd: 109

It appears I'm getting a SERVFAIL. Every so often I will be able to obtain an A record from pfSense directly if I keep flushing nhs.uk out of unbound, but that never materialises to the networked machines.
Looking at the unbound logs too, right at the end of a very long query, these lines appeared.
Jan 2 18:24:53 pfSense unbound: [44139:0] debug: No more query targets, attempting last resort
Jan 2 18:24:53 pfSense unbound: [44139:0] info: found in cache nsb.nhs.uk. A IN
Jan 2 18:24:53 pfSense unbound: [44139:0] info: found in cache nsa.nhs.uk. A IN
Jan 2 18:24:53 pfSense unbound: [44139:0] info: found parent-side nsb.nhs.uk. A IN
Jan 2 18:24:53 pfSense unbound: [44139:0] info: found parent-side nsb.nhs.uk. AAAA IN
Jan 2 18:24:53 pfSense unbound: [44139:0] info: found parent-side nsa.nhs.uk. A IN
Jan 2 18:24:53 pfSense unbound: [44139:0] info: found parent-side nsa.nhs.uk. AAAA IN
Jan 2 18:24:53 pfSense unbound: [44139:0] debug: out of query targets – returning SERVFAIL
Jan 2 18:24:53 pfSense unbound: [44139:0] debug: store error response in message cache
Jan 2 18:24:53 pfSense unbound: [44139:0] debug: return error response SERVFAIL
Jan 2 18:24:53 pfSense unbound: [44139:0] debug: mesh_run: iterator module exit state is module_finished
Jan 2 18:24:53 pfSense unbound: [44139:0] debug: validator[module 0] operate: extstate:module_wait_module event:module_event_moddone
Jan 2 18:24:53 pfSense unbound: [44139:0] info: validator operate: query nhs.uk. A IN
Jan 2 18:24:53 pfSense unbound: [44139:0] debug: validator: nextmodule returned
Jan 2 18:24:53 pfSense unbound: [44139:0] debug: cannot validate non-answer, rcode SERVFAIL
Jan 2 18:24:53 pfSense unbound: [44139:0] debug: mesh_run: validator module exit state is module_finished
Jan 2 18:24:53 pfSense unbound: [44139:0] info: send_udp over interface: 172.16.0.1
Jan 2 18:24:53 pfSense unbound: [44139:0] debug: query took 24.494277 sec
-
"but when changing the name servers to Google on a networked device"
So again you don't understand how a resolver works ;) Nor how to use the trace command that I clearly posted.. Where is your **+**trace?? You're asking that server for the record trace in that format..