Netgate Discussion Forum
DNS Resolver not resolving AWS domain [SOLVED]

Category: DHCP and DNS
13 Posts, 5 Posters, 3.3k Views
  • D
    dragoangel
    last edited by Mar 2, 2017, 12:53 AM Mar 1, 2017, 8:55 PM

    I have tested resolution of the domain locationperf.cy5eym4polgk.eu-west-1.rds.amazonaws.com on separate clean-configured pfSense 2.3.3 (unbound 1.6.0) systems, and it cannot be resolved via 127.0.0.1. The default DNS servers for the systems are 8.8.8.8 and 8.8.4.4, which can resolve this domain. All other domains resolve OK. If I add a "Host Override" it begins working, but that is a kludge. Can anybody confirm that they can resolve this domain through pfSense?

    Answer from pfSense:
    Shell Output - nslookup locationperf.cy5eym4polgk.eu-west-1.rds.amazonaws.com
    Server: 127.0.0.1
    Address: 127.0.0.1#53

    Non-authoritative answer:
    *** Can't find locationperf.cy5eym4polgk.eu-west-1.rds.amazonaws.com: No answer

    Correct Answer:
    Shell Output - nslookup locationperf.cy5eym4polgk.eu-west-1.rds.amazonaws.com 8.8.8.8
    Server: 8.8.8.8
    Address: 8.8.8.8#53

    Non-authoritative answer:
    Name: locationperf.cy5eym4polgk.eu-west-1.rds.amazonaws.com
    Address: 172.22.28.208

    Latest stable pfSense on 2x XG-7100 and 1x Intel Xeon Server, running mutiWAN, he.net IPv6, pfBlockerNG-devel, HAProxy-devel, Syslog-ng, Zabbix-agent, OpenVPN, IPsec site-to-site, DNS-over-TLS...
    Unifi AP-AC-LR with EAP RADIUS, US-24

    • D
      doktornotor Banned
      last edited by Mar 1, 2017, 10:48 PM

      WFM.

      
      [2.3.3-RELEASE][root@gw.test.lan]/root: # nslookup locationperf.cy5eym4polgk.eu-west-1.rds.amazonaws.com 127.0.0.1
      Server:         127.0.0.1
      Address:        127.0.0.1#53
      
      Non-authoritative answer:
      Name:   locationperf.cy5eym4polgk.eu-west-1.rds.amazonaws.com
      Address: 172.22.28.208
      • D
        dragoangel
        last edited by Mar 1, 2017, 11:34 PM Mar 1, 2017, 11:23 PM

        Ok, any ideas how to troubleshoot this?  :-\ Because it happened the same way on two different clean systems…

        • J
          jahonix
          last edited by Mar 1, 2017, 11:48 PM

          Does not work here.

          MBP:~ jahonix$ ping locationperf.cy5eym4polgk.eu-west-1.rds.amazonaws.com
          ping: cannot resolve locationperf.cy5eym4polgk.eu-west-1.rds.amazonaws.com: Unknown host

          MBP:~ jahonix$ nslookup locationperf.cy5eym4polgk.eu-west-1.rds.amazonaws.com
          Server: 192.168.2.3
          Address: 192.168.2.3#53

          Non-authoritative answer:
          *** Can't find locationperf.cy5eym4polgk.eu-west-1.rds.amazonaws.com: No answer

          MBP:~ jahonix$ dig locationperf.cy5eym4polgk.eu-west-1.rds.amazonaws.com

          ; <<>> DiG 9.8.3-P1 <<>> locationperf.cy5eym4polgk.eu-west-1.rds.amazonaws.com
          ;; global options: +cmd
          ;; Got answer:
          ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39637
          ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 0

          ;; QUESTION SECTION:
          ;locationperf.cy5eym4polgk.eu-west-1.rds.amazonaws.com. IN A

          ;; AUTHORITY SECTION:
          eu-west-1.rds.amazonaws.com. 1196 IN NS ns-1507.awsdns-60.org.
          eu-west-1.rds.amazonaws.com. 1196 IN NS ns-186.awsdns-23.com.
          eu-west-1.rds.amazonaws.com. 1196 IN NS ns-1892.awsdns-44.co.uk.
          eu-west-1.rds.amazonaws.com. 1196 IN NS ns-572.awsdns-07.net.

          ;; Query time: 35 msec
          ;; SERVER: 192.168.2.3#53(192.168.2.3)
          ;; WHEN: Thu Mar  2 00:33:22 2017
          ;; MSG SIZE  rcvd: 208

          Geolocation or regional DNS server differences? I resolve from Germany.

          • J
            jahonix
            last edited by Mar 1, 2017, 11:55 PM

            The site www.ping.eu (datacenter in Germany) can resolve it to 172.22.28.208 but is not able to ping it.

            • D
              Derelict LAYER 8 Netgate
              last edited by Mar 2, 2017, 12:00 AM Mar 1, 2017, 11:57 PM

              You do realize that AWS has been doing a Chernobyl over the last day right?

              $ dig +trace locationperf.cy5eym4polgk.eu-west-1.rds.amazonaws.com

              ; <<>> DiG 9.8.3-P1 <<>> +trace locationperf.cy5eym4polgk.eu-west-1.rds.amazonaws.com
              ;; global options: +cmd
              . 518400 IN NS a.root-servers.net.
              . 518400 IN NS b.root-servers.net.
              . 518400 IN NS c.root-servers.net.
              . 518400 IN NS d.root-servers.net.
              . 518400 IN NS e.root-servers.net.
              . 518400 IN NS f.root-servers.net.
              . 518400 IN NS g.root-servers.net.
              . 518400 IN NS h.root-servers.net.
              . 518400 IN NS i.root-servers.net.
              . 518400 IN NS j.root-servers.net.
              . 518400 IN NS k.root-servers.net.
              . 518400 IN NS l.root-servers.net.
              . 518400 IN NS m.root-servers.net.
              ;; Received 228 bytes from 2600:8801:580:5b01:208:a2ff:fe09:99ad#53(2600:8801:580:5b01:208:a2ff:fe09:99ad) in 521 ms

              com. 172800 IN NS a.gtld-servers.net.
              com. 172800 IN NS b.gtld-servers.net.
              com. 172800 IN NS c.gtld-servers.net.
              com. 172800 IN NS d.gtld-servers.net.
              com. 172800 IN NS e.gtld-servers.net.
              com. 172800 IN NS f.gtld-servers.net.
              com. 172800 IN NS g.gtld-servers.net.
              com. 172800 IN NS h.gtld-servers.net.
              com. 172800 IN NS i.gtld-servers.net.
              com. 172800 IN NS j.gtld-servers.net.
              com. 172800 IN NS k.gtld-servers.net.
              com. 172800 IN NS l.gtld-servers.net.
              com. 172800 IN NS m.gtld-servers.net.
              ;; Received 511 bytes from 2001:500:1::53#53(2001:500:1::53) in 533 ms

              amazonaws.com. 172800 IN NS u1.amazonaws.com.
              amazonaws.com. 172800 IN NS u2.amazonaws.com.
              amazonaws.com. 172800 IN NS r1.amazonaws.com.
              amazonaws.com. 172800 IN NS r2.amazonaws.com.
              ;; Received 203 bytes from 192.41.162.30#53(192.41.162.30) in 255 ms

              eu-west-1.rds.amazonaws.com. 300 IN NS ns-1507.awsdns-60.org.
              eu-west-1.rds.amazonaws.com. 300 IN NS ns-186.awsdns-23.com.
              eu-west-1.rds.amazonaws.com. 300 IN NS ns-1892.awsdns-44.co.uk.
              eu-west-1.rds.amazonaws.com. 300 IN NS ns-572.awsdns-07.net.
              ;; Received 208 bytes from 205.251.195.199#53(205.251.195.199) in 192 ms

              locationperf.cy5eym4polgk.eu-west-1.rds.amazonaws.com. 5 IN A 172.22.28.208
              eu-west-1.rds.amazonaws.com. 1800 IN NS ns-1507.awsdns-60.org.
              eu-west-1.rds.amazonaws.com. 1800 IN NS ns-186.awsdns-23.com.
              eu-west-1.rds.amazonaws.com. 1800 IN NS ns-1892.awsdns-44.co.uk.
              eu-west-1.rds.amazonaws.com. 1800 IN NS ns-572.awsdns-07.net.
              ;; Received 224 bytes from 2600:9000:5300:ba00::1#53(2600:9000:5300:ba00::1) in 60 ms

              $ dig -4 +trace locationperf.cy5eym4polgk.eu-west-1.rds.amazonaws.com

              ; <<>> DiG 9.8.3-P1 <<>> -4 +trace locationperf.cy5eym4polgk.eu-west-1.rds.amazonaws.com
              ;; global options: +cmd
              . 518400 IN NS a.root-servers.net.
              . 518400 IN NS b.root-servers.net.
              . 518400 IN NS c.root-servers.net.
              . 518400 IN NS d.root-servers.net.
              . 518400 IN NS e.root-servers.net.
              . 518400 IN NS f.root-servers.net.
              . 518400 IN NS g.root-servers.net.
              . 518400 IN NS h.root-servers.net.
              . 518400 IN NS i.root-servers.net.
              . 518400 IN NS j.root-servers.net.
              . 518400 IN NS k.root-servers.net.
              . 518400 IN NS l.root-servers.net.
              . 518400 IN NS m.root-servers.net.
              ;; Received 228 bytes from 192.168.223.1#53(192.168.223.1) in 36 ms

              com. 172800 IN NS a.gtld-servers.net.
              com. 172800 IN NS b.gtld-servers.net.
              com. 172800 IN NS c.gtld-servers.net.
              com. 172800 IN NS d.gtld-servers.net.
              com. 172800 IN NS e.gtld-servers.net.
              com. 172800 IN NS f.gtld-servers.net.
              com. 172800 IN NS g.gtld-servers.net.
              com. 172800 IN NS h.gtld-servers.net.
              com. 172800 IN NS i.gtld-servers.net.
              com. 172800 IN NS j.gtld-servers.net.
              com. 172800 IN NS k.gtld-servers.net.
              com. 172800 IN NS l.gtld-servers.net.
              com. 172800 IN NS m.gtld-servers.net.
              ;; Received 503 bytes from 198.97.190.53#53(198.97.190.53) in 89 ms

              amazonaws.com. 172800 IN NS u1.amazonaws.com.
              amazonaws.com. 172800 IN NS u2.amazonaws.com.
              amazonaws.com. 172800 IN NS r1.amazonaws.com.
              amazonaws.com. 172800 IN NS r2.amazonaws.com.
              ;; Received 203 bytes from 192.26.92.30#53(192.26.92.30) in 130 ms

              eu-west-1.rds.amazonaws.com. 300 IN NS ns-1507.awsdns-60.org.
              eu-west-1.rds.amazonaws.com. 300 IN NS ns-186.awsdns-23.com.
              eu-west-1.rds.amazonaws.com. 300 IN NS ns-1892.awsdns-44.co.uk.
              eu-west-1.rds.amazonaws.com. 300 IN NS ns-572.awsdns-07.net.
              ;; Received 208 bytes from 205.251.192.27#53(205.251.192.27) in 52 ms

              locationperf.cy5eym4polgk.eu-west-1.rds.amazonaws.com. 5 IN A 172.22.28.208
              eu-west-1.rds.amazonaws.com. 1800 IN NS ns-1507.awsdns-60.org.
              eu-west-1.rds.amazonaws.com. 1800 IN NS ns-186.awsdns-23.com.
              eu-west-1.rds.amazonaws.com. 1800 IN NS ns-1892.awsdns-44.co.uk.
              eu-west-1.rds.amazonaws.com. 1800 IN NS ns-572.awsdns-07.net.
              ;; Received 224 bytes from 205.251.199.100#53(205.251.199.100) in 40 ms

              Chattanooga, Tennessee, USA
              A comprehensive network diagram is worth 10,000 words and 15 conference calls.
              DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
              Do Not Chat For Help! NO_WAN_EGRESS(TM)

              • D
                Derelict LAYER 8 Netgate
                last edited by Mar 2, 2017, 12:03 AM Mar 1, 2017, 11:57 PM

                Of course it can't ping it. It is an RFC1918 address.

                Which is also why unbound is refusing the answer.

                • J
                  jahonix
                  last edited by Mar 2, 2017, 12:12 AM

                  @Derelict:

                  It is an RFC1918 address.

                  Sure, yes ::)  Time to go to bed…

                  • D
                    dragoangel
                    last edited by Mar 2, 2017, 12:44 AM Mar 2, 2017, 12:23 AM

                    @Derelict:

                    You do realize that AWS has been doing a Chernobyl over the last day right?

                    What do you mean?
                    As for RFC1918, I understand this but did not see it myself :(
                    And yep: DNS Rebind Check
                    "When this is unchecked, the system is protected against DNS Rebinding attacks. This blocks private IP responses from the configured DNS servers. Check this box to disable this protection if it interferes with webConfigurator access or name resolution in the environment."
                    The question is closed. Thanks everybody.

                    • D
                      Derelict LAYER 8 Netgate
                      last edited by Mar 2, 2017, 12:52 AM

                      You can also add:

                      server:
                      private-domain: "cy5eym4polgk.eu-west-1.rds.amazonaws.com"

                      To the custom options box in unbound and keep rebinding protection enabled globally.

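The behaviour Derelict describes, as an added example (not pfSense or unbound code): a small model of unbound's rebind protection that drops answers in private ranges unless the queried name falls under a private-domain exception, so you can see why the RDS answer was dropped and why the private-domain line fixes it without disabling the check globally. The private-address list is an assumption of what pfSense hands to unbound, and the sample answers are constructed.

```python
"""Model of the DNS-rebind check unbound applies on pfSense (added example,
not pfSense or unbound code). Given (name, address) answers it decides which
ones would be dropped, honouring private-domain exceptions."""
import ipaddress

# Ranges assumed to be what pfSense passes to unbound as private-address
# when "DNS Rebind Check" is enabled; verify against /var/unbound/unbound.conf.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16",
    "127.0.0.0/8", "::1/128", "fd00::/8", "fe80::/10",
)]


def is_private(address: str) -> bool:
    """True if the address falls inside one of the private-address ranges."""
    ip = ipaddress.ip_address(address)
    return any(ip in net for net in PRIVATE_NETS)


def in_private_domain(name: str, private_domains) -> bool:
    """True if name equals a private-domain entry or is a subdomain of one."""
    name = name.rstrip(".").lower()
    for dom in private_domains:
        dom = dom.rstrip(".").lower()
        if name == dom or name.endswith("." + dom):
            return True
    return False


def filter_answers(answers, private_domains=(), rebind_check=True):
    """Split answers into (kept, dropped) the way rebind protection would.

    An answer is dropped only when the check is on, the address is private
    and the name is not covered by a private-domain exception.
    """
    kept, dropped = [], []
    for name, addr in answers:
        blocked = (rebind_check and is_private(addr)
                   and not in_private_domain(name, private_domains))
        (dropped if blocked else kept).append((name, addr))
    return kept, dropped


# Constructed sample: the RDS name from this thread plus a public name
# (203.0.113.10 is a documentation address, not a real host).
SAMPLE = [
    ("locationperf.cy5eym4polgk.eu-west-1.rds.amazonaws.com.", "172.22.28.208"),
    ("www.example.com.", "203.0.113.10"),
]

if __name__ == "__main__":
    # Default: the RDS answer is dropped, which shows up as "No answer".
    print(filter_answers(SAMPLE))
    # With the suggested exception the RDS answer passes; other names stay protected.
    print(filter_answers(SAMPLE, ["cy5eym4polgk.eu-west-1.rds.amazonaws.com"]))
```

The exception should be scoped as narrowly as the thread's example (the instance-specific label), since every name under a private-domain entry is allowed to return private addresses.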
                      • D
                        dragoangel
                        last edited by Mar 2, 2017, 12:54 AM

                        Thx, big guru ^__^

                        • johnpozJ
                          johnpoz LAYER 8 Global Moderator
                          last edited by Mar 2, 2017, 1:34 PM

                          Why would it resolve to RFC1918? Public resolve should not return public - this is why unbound blocks it even.. So your fix was to tell unbound that it's private? Curious why it resolves RFC1918 in the first place? And how exactly would you get there anyway? So you have a VPN connection to AWS?

                          An intelligent man is sometimes forced to be drunk to spend time with his fools
                          If you get confused: Listen to the Music Play
                          Please don't Chat/PM me for help, unless mod related
                          SG-4860 24.11 | Lab VMs 2.7.2, 24.11

                          • D
                            dragoangel
                            last edited by Mar 2, 2017, 5:26 PM Mar 2, 2017, 5:22 PM

                            @johnpoz:

                            Why would it resolve to RFC1918? Public resolve should not return public - this is why unbound blocks it even.. So your fix was to tell unbound that it's private? Curious why it resolves RFC1918 in the first place? And how exactly would you get there anyway? So you have a VPN connection to AWS?

                            Yes, my coworkers have a VPN, and it resolves to a private address only. I'm really confused that they use public domains for resolving private network IPs…  :-
                            I dealt with it as Derelict told me:
                            @Derelict:

                            You can also add:

                            server:
                            private-domain: "cy5eym4polgk.eu-west-1.rds.amazonaws.com"

                            To the custom options box in unbound and keep rebinding protection enabled globally.
