Netgate Discussion Forum

DNS Resolver not resolving AWS domain [SOLVED]

DHCP and DNS
13 Posts 5 Posters 3.4k Views
    doktornotor (Mar 1, 2017, 10:48 PM)

    WFM.

    
    [2.3.3-RELEASE][root@gw.test.lan]/root: # nslookup locationperf.cy5eym4polgk.eu-west-1.rds.amazonaws.com 127.0.0.1
    Server:         127.0.0.1
    Address:        127.0.0.1#53
    
    Non-authoritative answer:
    Name:   locationperf.cy5eym4polgk.eu-west-1.rds.amazonaws.com
    Address: 172.22.28.208
    
    
      dragoangel (Mar 1, 2017, 11:23 PM, edited 11:34 PM)

      OK, any ideas how to troubleshoot this? :-\ Because it happened the same way on two different clean systems…

      Latest stable pfSense on 2x XG-7100 and 1x Intel Xeon Server, running multiWAN, he.net IPv6, pfBlockerNG-devel, HAProxy-devel, Syslog-ng, Zabbix-agent, OpenVPN, IPsec site-to-site, DNS-over-TLS...
      Unifi AP-AC-LR with EAP RADIUS, US-24

        jahonix (Mar 1, 2017, 11:48 PM)

        Does not work here.

        MBP:~ jahonix$ ping locationperf.cy5eym4polgk.eu-west-1.rds.amazonaws.com
        ping: cannot resolve locationperf.cy5eym4polgk.eu-west-1.rds.amazonaws.com: Unknown host

        MBP:~ jahonix$ nslookup locationperf.cy5eym4polgk.eu-west-1.rds.amazonaws.com
        Server: 192.168.2.3
        Address: 192.168.2.3#53

        Non-authoritative answer:
        *** Can't find locationperf.cy5eym4polgk.eu-west-1.rds.amazonaws.com: No answer

        MBP:~ jahonix$ dig locationperf.cy5eym4polgk.eu-west-1.rds.amazonaws.com

        ; <<>> DiG 9.8.3-P1 <<>> locationperf.cy5eym4polgk.eu-west-1.rds.amazonaws.com
        ;; global options: +cmd
        ;; Got answer:
        ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39637
        ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 0

        ;; QUESTION SECTION:
        ;locationperf.cy5eym4polgk.eu-west-1.rds.amazonaws.com. IN A

        ;; AUTHORITY SECTION:
        eu-west-1.rds.amazonaws.com. 1196 IN NS ns-1507.awsdns-60.org.
        eu-west-1.rds.amazonaws.com. 1196 IN NS ns-186.awsdns-23.com.
        eu-west-1.rds.amazonaws.com. 1196 IN NS ns-1892.awsdns-44.co.uk.
        eu-west-1.rds.amazonaws.com. 1196 IN NS ns-572.awsdns-07.net.

        ;; Query time: 35 msec
        ;; SERVER: 192.168.2.3#53(192.168.2.3)
        ;; WHEN: Thu Mar  2 00:33:22 2017
        ;; MSG SIZE  rcvd: 208

        Geolocation or regional DNS server differences? I resolve from Germany.

          jahonix (Mar 1, 2017, 11:55 PM)

          The site www.ping.eu (datacenter in Germany) can resolve it to 172.22.28.208 but is not able to ping it.

            Derelict, Netgate (Mar 1, 2017, 11:57 PM, edited Mar 2, 12:00 AM)

            You do realize that AWS has been doing a Chernobyl over the last day right?

            $ dig +trace locationperf.cy5eym4polgk.eu-west-1.rds.amazonaws.com

            ; <<>> DiG 9.8.3-P1 <<>> +trace locationperf.cy5eym4polgk.eu-west-1.rds.amazonaws.com
            ;; global options: +cmd
            . 518400 IN NS a.root-servers.net.
            . 518400 IN NS b.root-servers.net.
            . 518400 IN NS c.root-servers.net.
            . 518400 IN NS d.root-servers.net.
            . 518400 IN NS e.root-servers.net.
            . 518400 IN NS f.root-servers.net.
            . 518400 IN NS g.root-servers.net.
            . 518400 IN NS h.root-servers.net.
            . 518400 IN NS i.root-servers.net.
            . 518400 IN NS j.root-servers.net.
            . 518400 IN NS k.root-servers.net.
            . 518400 IN NS l.root-servers.net.
            . 518400 IN NS m.root-servers.net.
            ;; Received 228 bytes from 2600:8801:580:5b01:208:a2ff:fe09:99ad#53(2600:8801:580:5b01:208:a2ff:fe09:99ad) in 521 ms

            com. 172800 IN NS a.gtld-servers.net.
            com. 172800 IN NS b.gtld-servers.net.
            com. 172800 IN NS c.gtld-servers.net.
            com. 172800 IN NS d.gtld-servers.net.
            com. 172800 IN NS e.gtld-servers.net.
            com. 172800 IN NS f.gtld-servers.net.
            com. 172800 IN NS g.gtld-servers.net.
            com. 172800 IN NS h.gtld-servers.net.
            com. 172800 IN NS i.gtld-servers.net.
            com. 172800 IN NS j.gtld-servers.net.
            com. 172800 IN NS k.gtld-servers.net.
            com. 172800 IN NS l.gtld-servers.net.
            com. 172800 IN NS m.gtld-servers.net.
            ;; Received 511 bytes from 2001:500:1::53#53(2001:500:1::53) in 533 ms

            amazonaws.com. 172800 IN NS u1.amazonaws.com.
            amazonaws.com. 172800 IN NS u2.amazonaws.com.
            amazonaws.com. 172800 IN NS r1.amazonaws.com.
            amazonaws.com. 172800 IN NS r2.amazonaws.com.
            ;; Received 203 bytes from 192.41.162.30#53(192.41.162.30) in 255 ms

            eu-west-1.rds.amazonaws.com. 300 IN NS ns-1507.awsdns-60.org.
            eu-west-1.rds.amazonaws.com. 300 IN NS ns-186.awsdns-23.com.
            eu-west-1.rds.amazonaws.com. 300 IN NS ns-1892.awsdns-44.co.uk.
            eu-west-1.rds.amazonaws.com. 300 IN NS ns-572.awsdns-07.net.
            ;; Received 208 bytes from 205.251.195.199#53(205.251.195.199) in 192 ms

            locationperf.cy5eym4polgk.eu-west-1.rds.amazonaws.com. 5 IN A 172.22.28.208
            eu-west-1.rds.amazonaws.com. 1800 IN NS ns-1507.awsdns-60.org.
            eu-west-1.rds.amazonaws.com. 1800 IN NS ns-186.awsdns-23.com.
            eu-west-1.rds.amazonaws.com. 1800 IN NS ns-1892.awsdns-44.co.uk.
            eu-west-1.rds.amazonaws.com. 1800 IN NS ns-572.awsdns-07.net.
            ;; Received 224 bytes from 2600:9000:5300:ba00::1#53(2600:9000:5300:ba00::1) in 60 ms

            $ dig -4 +trace locationperf.cy5eym4polgk.eu-west-1.rds.amazonaws.com

            ; <<>> DiG 9.8.3-P1 <<>> -4 +trace locationperf.cy5eym4polgk.eu-west-1.rds.amazonaws.com
            ;; global options: +cmd
            . 518400 IN NS a.root-servers.net.
            . 518400 IN NS b.root-servers.net.
            . 518400 IN NS c.root-servers.net.
            . 518400 IN NS d.root-servers.net.
            . 518400 IN NS e.root-servers.net.
            . 518400 IN NS f.root-servers.net.
            . 518400 IN NS g.root-servers.net.
            . 518400 IN NS h.root-servers.net.
            . 518400 IN NS i.root-servers.net.
            . 518400 IN NS j.root-servers.net.
            . 518400 IN NS k.root-servers.net.
            . 518400 IN NS l.root-servers.net.
            . 518400 IN NS m.root-servers.net.
            ;; Received 228 bytes from 192.168.223.1#53(192.168.223.1) in 36 ms

            com. 172800 IN NS a.gtld-servers.net.
            com. 172800 IN NS b.gtld-servers.net.
            com. 172800 IN NS c.gtld-servers.net.
            com. 172800 IN NS d.gtld-servers.net.
            com. 172800 IN NS e.gtld-servers.net.
            com. 172800 IN NS f.gtld-servers.net.
            com. 172800 IN NS g.gtld-servers.net.
            com. 172800 IN NS h.gtld-servers.net.
            com. 172800 IN NS i.gtld-servers.net.
            com. 172800 IN NS j.gtld-servers.net.
            com. 172800 IN NS k.gtld-servers.net.
            com. 172800 IN NS l.gtld-servers.net.
            com. 172800 IN NS m.gtld-servers.net.
            ;; Received 503 bytes from 198.97.190.53#53(198.97.190.53) in 89 ms

            amazonaws.com. 172800 IN NS u1.amazonaws.com.
            amazonaws.com. 172800 IN NS u2.amazonaws.com.
            amazonaws.com. 172800 IN NS r1.amazonaws.com.
            amazonaws.com. 172800 IN NS r2.amazonaws.com.
            ;; Received 203 bytes from 192.26.92.30#53(192.26.92.30) in 130 ms

            eu-west-1.rds.amazonaws.com. 300 IN NS ns-1507.awsdns-60.org.
            eu-west-1.rds.amazonaws.com. 300 IN NS ns-186.awsdns-23.com.
            eu-west-1.rds.amazonaws.com. 300 IN NS ns-1892.awsdns-44.co.uk.
            eu-west-1.rds.amazonaws.com. 300 IN NS ns-572.awsdns-07.net.
            ;; Received 208 bytes from 205.251.192.27#53(205.251.192.27) in 52 ms

            locationperf.cy5eym4polgk.eu-west-1.rds.amazonaws.com. 5 IN A 172.22.28.208
            eu-west-1.rds.amazonaws.com. 1800 IN NS ns-1507.awsdns-60.org.
            eu-west-1.rds.amazonaws.com. 1800 IN NS ns-186.awsdns-23.com.
            eu-west-1.rds.amazonaws.com. 1800 IN NS ns-1892.awsdns-44.co.uk.
            eu-west-1.rds.amazonaws.com. 1800 IN NS ns-572.awsdns-07.net.
            ;; Received 224 bytes from 205.251.199.100#53(205.251.199.100) in 40 ms

            Chattanooga, Tennessee, USA
            A comprehensive network diagram is worth 10,000 words and 15 conference calls.
            DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
            Do Not Chat For Help! NO_WAN_EGRESS(TM)

              Derelict, Netgate (Mar 1, 2017, 11:57 PM, edited Mar 2, 12:03 AM)

              Of course it can't ping it. It is an RFC1918 address.

              Which is also why unbound is refusing the answer.

                jahonix (Mar 2, 2017, 12:12 AM)

                @Derelict:

                It is an RFC1918 address.

                Sure, yes ::)  Time to go to bed…

                  dragoangel (Mar 2, 2017, 12:23 AM, edited 12:44 AM)

                  @Derelict:

                  You do realize that AWS has been doing a Chernobyl over the last day right?

                  What do you mean?
                  About RFC1918, I understand this but didn't see it myself, :(
                  And yep: DNS Rebind Check
                  "When this is unchecked, the system is protected against DNS Rebinding attacks. This blocks private IP responses from the configured DNS servers. Check this box to disable this protection if it interferes with webConfigurator access or name resolution in the environment."
                  The question is closed. Thanks, everybody.

                    Derelict, Netgate (Mar 2, 2017, 12:52 AM)

                    You can also add:

                    server:
                    private-domain: "cy5eym4polgk.eu-west-1.rds.amazonaws.com"

                    To the custom options box in unbound and keep rebinding protection enabled globally.

                      dragoangel (Mar 2, 2017, 12:54 AM)
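To make the mechanism behind the fix above concrete, here is an added example (not code from the thread, pfSense or unbound) that emulates the rule unbound.conf(5) documents for `private-address` and `private-domain`: an A/AAAA answer whose address lies in a private range is stripped unless its owner name is at or under a listed `private-domain`. The set of private ranges is an assumption modelled on what the pfSense "DNS Rebind Check" configures; the sample answers are constructed, with the first one copied from the dig +trace output in this thread.

```python
"""Emulate unbound's DNS-rebinding filter (private-address / private-domain).

Added example, not pfSense or unbound code.  Rule from unbound.conf(5): an
A/AAAA answer in a private-address range is dropped unless the owner name
is at or under a private-domain.  PRIVATE_NETS is an assumption (RFC 1918,
link-local, ULA); compare with the private-address lines in your unbound.conf.
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# Assumed private-address set.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "fd00::/8", "fe80::/10",
)]


@dataclass(frozen=True)
class Answer:
    name: str    # owner name, e.g. "host.example.com."
    rtype: str   # "A", "AAAA", "CNAME", ...
    data: str    # rdata as text


def is_private(addr: str) -> bool:
    """True if addr lies in one of PRIVATE_NETS (v4/v6 mismatch is never a member)."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE_NETS)


def under_domain(name: str, zone: str) -> bool:
    """True if name equals zone or is a subdomain of it (label-wise, case-insensitive)."""
    n = name.rstrip(".").lower().split(".")
    z = zone.rstrip(".").lower().split(".")
    return len(n) >= len(z) and n[-len(z):] == z


def rebind_filter(answers: Iterable[Answer],
                  private_domains: Iterable[str] = ()) -> Tuple[List[Answer], List[Answer]]:
    """Split answers into (kept, dropped) the way unbound's rebind protection would."""
    allow = list(private_domains)
    kept, dropped = [], []
    for a in answers:
        if (a.rtype in ("A", "AAAA") and is_private(a.data)
                and not any(under_domain(a.name, d) for d in allow)):
            dropped.append(a)
        else:
            kept.append(a)
    return kept, dropped


def custom_options(private_domains: Iterable[str]) -> str:
    """Render the unbound 'server:' fragment for the pfSense custom options box."""
    lines = ["server:"] + [f'private-domain: "{d}"' for d in private_domains]
    return "\n".join(lines)


# Constructed sample answers: the first mirrors the record in the thread's
# dig +trace output; the others are made up (TEST-NET-3, and an RFC 1918
# address of the kind a rebinding attack would return for a public name).
SAMPLE = [
    Answer("locationperf.cy5eym4polgk.eu-west-1.rds.amazonaws.com.", "A", "172.22.28.208"),
    Answer("www.example.com.", "A", "203.0.113.10"),
    Answer("login.bank.example.", "A", "192.168.1.10"),
]
RDS_ZONE = "cy5eym4polgk.eu-west-1.rds.amazonaws.com"

if __name__ == "__main__":
    _, dropped = rebind_filter(SAMPLE)
    print("rebind check on, no exception:", [a.name for a in dropped], "dropped")
    _, dropped = rebind_filter(SAMPLE, [RDS_ZONE])
    print("with private-domain:", [a.name for a in dropped], "dropped")
    print(custom_options([RDS_ZONE]))
```

Two things worth noticing when running it: `private-domain` covers the named zone and every name below it, so scope it as narrowly as Derelict did (the RDS instance's parent label, not `amazonaws.com`), and the made-up `login.bank.example` answer is still dropped with the exception in place. Letting unbound return the address also does nothing to make it reachable; the route to that RFC 1918 network over the VPN is a separate matter, which is the question johnpoz raises further down.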

                      Thx, big guru ^__^

                        johnpoz, Global Moderator (Mar 2, 2017, 1:34 PM)

                        Why would it resolve to RFC1918? Public resolve should not return public - this is why unbound blocks it even. So your fix was to tell unbound that it's private? Curious why it resolves to RFC1918 in the first place? And how exactly would you get there anyway? So you have a VPN connection to AWS?

                        An intelligent man is sometimes forced to be drunk to spend time with his fools
                        If you get confused: Listen to the Music Play
                        Please don't Chat/PM me for help, unless mod related
                        SG-4860 24.11 | Lab VMs 2.8, 24.11

                          dragoangel (Mar 2, 2017, 5:22 PM, edited 5:26 PM)

                          @johnpoz:

                          Why would it resolve to RFC1918? Public resolve should not return public - this is why unbound blocks it even. So your fix was to tell unbound that it's private? Curious why it resolves to RFC1918 in the first place? And how exactly would you get there anyway? So you have a VPN connection to AWS?

                          Yes, my coworkers have a VPN, and it resolves to a private address only. I'm really confused that they use public domains for resolving private network IPs… :-
                          I dealt with it as Derelict told me:
                          @Derelict:

                          You can also add:

                          server:
                          private-domain: "cy5eym4polgk.eu-west-1.rds.amazonaws.com"

                          To the custom options box in unbound and keep rebinding protection enabled globally.

                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.