Use Domain Override to have a site resolve with Google instead of Unbound?


  • Banned

    I use Unbound in resolver mode.

    I've had trouble getting a few sites to work and the forum told me it was the DNS servers from those sites.

    In particular I'm having trouble with aviationweather.gov, they apparently have awful DNS servers because it is pretty common for them to time out. If I switch to say, google DNS (on my router or by just switching to cell on my phone), then it works.

    So I'm not sure if it even works this way, but I wanted to try to redirect DNS resolution to public DNS for that site.

    So I added a Domain Override

    Domain: aviationweather.gov
    IP Address: 8.8.8.8

    But I'm still getting localhost as the Name server.

    Does it just not work this way?

    Is there any way that I can work around a crappy DNS server while continuing to use resolver mode?




  • You need to use advanced custom options for this. Add a forward-zone clause like this:

    
    forward-zone:
      name: "aviationweather.gov"
      forward-addr: 8.8.8.8
      forward-addr: 8.8.4.4
    
    

    HTH


  • Banned

    @kpa:

    You need to use advanced custom options for this. Add a forward-zone clause like this:

    No. That's the same thing that the domain override does.

    @OP: When you query localhost, you get answer from localhost. Tells nothing about what resolved the query.


  • Rebel Alliance Global Moderator

    8.8.8.8 is not the authoritative name server for aviationweather.gov

    When you do a domain override it's supposed to forward to the authoritative server for that domain..

    If you're having issues resolving aviationweather.gov - just put in a host override for the IP you want it to resolve to.

    You're going to cache the record in unbound, and yeah if you ask unbound it's going to show that as the server that gave you the answer.



  • Right, I forgot that domain override is the same as forward-zone…

    Dok is right, your DNS query tool is not going to report how the query was resolved unless you turn on trace.


  • Banned

    More precisely, use dig +trace from somewhere else than pfSense itself (or you'll have to set up an "allow snoop" ACL for localhost).


  • Banned

    Thank you to everyone for the help!

    I ran dig SOA +trace

    
    x@x-TPadT420:~$ dig SOA +trace aviationweather.gov
    
    ; <<>> DiG 9.10.3-P4-Ubuntu <<>> SOA +trace aviationweather.gov
    ;; global options: +cmd
    .			38440	IN	NS	j.root-servers.net.
    .			38440	IN	NS	k.root-servers.net.
    .			38440	IN	NS	l.root-servers.net.
    .			38440	IN	NS	m.root-servers.net.
    .			38440	IN	NS	a.root-servers.net.
    .			38440	IN	NS	b.root-servers.net.
    .			38440	IN	NS	c.root-servers.net.
    .			38440	IN	NS	d.root-servers.net.
    .			38440	IN	NS	e.root-servers.net.
    .			38440	IN	NS	f.root-servers.net.
    .			38440	IN	NS	g.root-servers.net.
    .			38440	IN	NS	h.root-servers.net.
    .			38440	IN	NS	i.root-servers.net.
    ;; Received 239 bytes from 127.0.1.1#53(127.0.1.1) in 158 ms
    
    gov.			172800	IN	NS	a.gov-servers.net.
    gov.			172800	IN	NS	b.gov-servers.net.
    gov.			86400	IN	DS	7698 8 2 6BC949E638442EAD0BDAF0935763C8D003760384FF15EBBD5CE86BB5 559561F0
    gov.			86400	IN	DS	7698 8 1 6F109B46A80CEA9613DC86D5A3E065520505AAFE
    gov.			86400	IN	RRSIG	DS 8 1 86400 20170330170000 20170317160000 61045 . iHnGx0kKdbPE0k8KJRzK27SItqr07Xk0CyXjad3aPgHsYdSI6OqQzaM4 UGKWxhTIfeVntgXhRy/MtKETHF5NUmChx9EwYXPBe3243+CrLhJUKd/s 7mMAZb/duIv3nhZbeqXOO5gs+R6J4jgFJzqbMVbyW1zM58yuMiRtrOnI yrEcFTAicOVahdU+Pg/3E0M7/aSbqo/GgKblcBzs/84ZQOurwaqGvsTa Ljz4z1Yc7XrUki68puIChzCDPX7Dmqt82AG9i20338aZoBILXoiAgaVj dDc8Bmihfz+7HuQPJ7Vq4dCfwbjPiMPluiviqjsnV55EDLUqjFi7qVOm nyWBzg==
    ;; Received 526 bytes from 202.12.27.33#53(m.root-servers.net) in 184 ms
    
    aviationweather.gov.	86400	IN	NS	ns-e.noaa.gov.
    aviationweather.gov.	86400	IN	NS	ns-mw.noaa.gov.
    aviationweather.gov.	86400	IN	NS	ns-nw.noaa.gov.
    aviationweather.gov.	3600	IN	DS	9013 5 1 DB5C73EB503656C8A826C77D9F6AAF33BBAE4B33
    aviationweather.gov.	3600	IN	DS	9013 5 2 D4A51BDCBE4BFC940BCDA16CF391D04493D1F9A517D21D077EA9AE2C E8488578
    aviationweather.gov.	3600	IN	RRSIG	DS 8 2 3600 20170324161015 20170317161015 28127 gov. mSHmrvIk2/41V10Bz4ZjMUGEnj1H37+LffXjgYdRvAU25BFOSME5J5J0 B+ESKnap5338fZgz22EWmlZYGHOXkrkUkvJ33Phms+YDrtE37RfbNiWn w++FohUr5tkn//MuqkvXykYssN8P3zTPJLh1WnzK1IN/9k+bfDpMmUtc sGY=
    ;; Received 491 bytes from 69.36.157.30#53(a.gov-servers.net) in 23 ms
    
    aviationweather.gov.	120	IN	SOA	dns02.woc.noaa.gov. hostmaster.noaa.gov. 2016051271 10800 3600 604800 86400
    aviationweather.gov.	120	IN	RRSIG	SOA 5 2 120 20170324161129 20170317161129 9837 aviationweather.gov. spvlUjoVjEiTfEgs/9aHrHKJyZb704/LOGr65wY0NT821I8s5pqgpybH sni2ocHm1ruv7a55Y1/N0mhAnw7/vihtCtxQ557Xx7cVXB72NTXYx3DB cMgDso+rqDRhzarpjLmflT3oPwHPZqnpkNQdb+d0QHzzxChqF9J+AqTf qPVNxxuG6Yd7EtA7AAvIjrp3Y36Sl/rs03wwx8ohAmDVifoZwVWy9wDF B33RJp3pBuE4/GzaTYzC3wHFCIVXm/e9WTQsZpy3/P+686P1HzwBG1lQ 3hegf1+W6/1reAM49RUut8kN3ZPv+C+8hZUi9hHsE0tNESf4asPc1iiQ 5T6H/A==
    aviationweather.gov.	120	IN	NS	ns-nw.noaa.gov.
    aviationweather.gov.	120	IN	NS	ns-e.noaa.gov.
    aviationweather.gov.	120	IN	NS	ns-mw.noaa.gov.
    aviationweather.gov.	120	IN	RRSIG	NS 5 2 120 20170324161129 20170317161129 9837 aviationweather.gov. oquQzHQFdPym0QAFUGgRcMy8KZd4Bp6Z4BTU8cEOnfE8kO+gBGk47RFA OMUeJQmTFtg/CP9vEk1ZgAq+PQ1+IVJd/xGMEmWp22jztAuYvWCl4Hes 3JziKkWfyOS7f0004lwiBDYbZINowqxNnUTrkZESOZhp50YiYFK0Y8kh /pLx1CDU0LMjduuCnU6SnudtZu7IdRaBZBc+fsD3sl+WE00lW2+4nf7n PU7SBGxSu3G7aEVMKehP4GRHoGU/gPiRje7nBNTX72xygH+SjGxO25Y5 BAAhbzeY4E76KU+0tbmLBG7j8dEbb72T47UewVVD1itrCwAY5+kUHkk5 pP6Wbg==
    ;; Received 2691 bytes from 140.90.33.237#53(ns-e.noaa.gov) in 103 ms
    
    

    So I put 140.90.33.237 as the IP for domain overrides for aviationweather.gov & www.aviationweather.gov

    just aviationweather.gov works but www.aviationweather.gov doesn't?

    I obviously don't really know what I'm doing here but am hoping I picked out the right IP from the dig SOA +trace results?


  • Netgate

    www.aviationweather.gov is not a domain. It is an FQDN. Remove the domain override for it and try again.


  • Banned

    OK, thanks!

    So is there no way to override for something along the lines of:

    www.aviationweather.gov/things

    Or do I just have to type in only :

    aviationweather.gov/things

    I ask because right now it works if I type in the address, but if I do a google search and click a link, it times out unless I erase the "www." and try again.

    It would be great if the government wouldn't have such shit DNS servers. I haven't run into this anywhere else.


  • Rebel Alliance Global Moderator

    "aviationweather.gov/things"

    that is not a fqdn either..

    The domain would be aviationweather.gov

    That is it!  They seem to only have a problem with the ipv6 NS

    aviationweather.gov/A: No response was received from the server over UDP (tried 8 times). (2610:20:8000:8c00::237,

    put in a domain override to only their ipv4 addresses
    140.172.17.237
    140.90.33.237
    161.55.32.2

    All 3 of them respond when I query them.

    dig @ns-mw.noaa.gov www.aviationweather.gov

    ; <<>> DiG 9.11.0-P3 <<>> @ns-mw.noaa.gov www.aviationweather.gov
    ; (1 server found)
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61812
    ;; flags: qr aa rd; QUERY: 1, ANSWER: 3, AUTHORITY: 3, ADDITIONAL: 7
    ;; WARNING: recursion requested but not available

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ;; QUESTION SECTION:
    ;www.aviationweather.gov.      IN      A

    ;; ANSWER SECTION:
    www.aviationweather.gov. 120    IN      CNAME  aviationweather.ncep.noaa.gov.
    aviationweather.ncep.noaa.gov. 300 IN  CNAME  aviationweather.cp.ncep.noaa.gov.
    aviationweather.cp.ncep.noaa.gov. 86400 IN A    140.90.101.207

    ;; AUTHORITY SECTION:
    ncep.noaa.gov.          86400  IN      NS      ns-mw.noaa.gov.
    ncep.noaa.gov.          86400  IN      NS      ns-e.noaa.gov.
    ncep.noaa.gov.          86400  IN      NS      ns-nw.noaa.gov.

    ;; ADDITIONAL SECTION:
    ns-e.noaa.gov.          86400  IN      A      140.90.33.237
    ns-e.noaa.gov.          86400  IN      AAAA    2610:20:8000:8c00::237
    ns-mw.noaa.gov.        86400  IN      A      140.172.17.237
    ns-mw.noaa.gov.        86400  IN      AAAA    2610:20:8800:8c00::237
    ns-nw.noaa.gov.        86400  IN      A      161.55.32.2
    ns-nw.noaa.gov.        86400  IN      AAAA    2610:20:8c00:8c00::2

    ;; Query time: 33 msec
    ;; SERVER: 140.172.17.237#53(140.172.17.237)
    ;; WHEN: Sat Mar 18 04:30:37 Central Daylight Time 2017
    ;; MSG SIZE  rcvd: 332

    Their ipv6 dns is what seems to be having an issue..

    Their dns only seems shitty via ipv6..
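    As an added example (my own code, not from the thread or from pfSense/Unbound), here is the check the moderator does by eye above, done programmatically: parse a dig answer into sections, pull the glue addresses for each NS out of the ADDITIONAL section, follow the www CNAME chain to its A record, and render the Unbound forward-zone clause that a pfSense Domain Override writes (the form kpa posted earlier), keeping only the IPv4 glue since the IPv6 addresses were the ones timing out. The embedded sample is the `dig @ns-mw.noaa.gov www.aviationweather.gov` answer from the post above; the zone name passed to `ns_glue` (`ncep.noaa.gov.`, which that answer's AUTHORITY section names) and all function names are my own.

```python
"""Parse dig output, extract NS glue, follow CNAMEs, emit an IPv4-only
Unbound forward-zone.  SAMPLE_DIG is a constructed sample copied from the
thread's `dig @ns-mw.noaa.gov www.aviationweather.gov` answer."""
import ipaddress
import re

SAMPLE_DIG = """\
;; QUESTION SECTION:
;www.aviationweather.gov.      IN      A

;; ANSWER SECTION:
www.aviationweather.gov. 120    IN      CNAME  aviationweather.ncep.noaa.gov.
aviationweather.ncep.noaa.gov. 300 IN  CNAME  aviationweather.cp.ncep.noaa.gov.
aviationweather.cp.ncep.noaa.gov. 86400 IN A    140.90.101.207

;; AUTHORITY SECTION:
ncep.noaa.gov.          86400  IN      NS      ns-mw.noaa.gov.
ncep.noaa.gov.          86400  IN      NS      ns-e.noaa.gov.
ncep.noaa.gov.          86400  IN      NS      ns-nw.noaa.gov.

;; ADDITIONAL SECTION:
ns-e.noaa.gov.          86400  IN      A      140.90.33.237
ns-e.noaa.gov.          86400  IN      AAAA    2610:20:8000:8c00::237
ns-mw.noaa.gov.        86400  IN      A      140.172.17.237
ns-mw.noaa.gov.        86400  IN      AAAA    2610:20:8800:8c00::237
ns-nw.noaa.gov.        86400  IN      A      161.55.32.2
ns-nw.noaa.gov.        86400  IN      AAAA    2610:20:8c00:8c00::2
"""

SECTION_RE = re.compile(r"^;; (\w+) SECTION:$")


def parse_dig(text):
    """Return {section: [(owner, ttl, rtype, rdata), ...]} for a dig answer.

    Comment lines (';' prefix, including the QUESTION entry) are skipped;
    rdata is kept as one string so multi-token records such as SOA survive.
    """
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections[current] = []
            continue
        if not line or line.startswith(";") or current is None:
            continue
        owner, ttl, _cls, rtype, rdata = line.split(None, 4)
        sections[current].append((owner, int(ttl), rtype, rdata.strip()))
    return sections


def ns_glue(sections, zone):
    """Map each NS named for `zone` in AUTHORITY to its A/AAAA glue."""
    names = [rdata for owner, _, rtype, rdata in sections.get("AUTHORITY", [])
             if rtype == "NS" and owner == zone]
    glue = {n: [] for n in names}
    for owner, _, rtype, rdata in sections.get("ADDITIONAL", []):
        if owner in glue and rtype in ("A", "AAAA"):
            glue[owner].append(ipaddress.ip_address(rdata))
    return glue


def follow_cname(sections, qname):
    """Walk CNAMEs in ANSWER until an address record; (name, None) if none."""
    answers = sections.get("ANSWER", [])
    seen, name = set(), qname
    while name not in seen:          # `seen` guards against a CNAME loop
        seen.add(name)
        for owner, _, rtype, rdata in answers:
            if owner == name and rtype == "CNAME":
                name = rdata
                break
            if owner == name and rtype in ("A", "AAAA"):
                return name, rdata
        else:
            return name, None
    return name, None


def forward_zone(domain, glue, ipv4_only=True):
    """Render the Unbound forward-zone a Domain Override produces, using the
    authoritative NS glue (not a public resolver) and, by default, only the
    IPv4 addresses, since the AAAA ones were the unresponsive targets."""
    addrs = sorted({ip for ips in glue.values() for ip in ips
                    if not ipv4_only or ip.version == 4},
                   key=lambda ip: (ip.version, ip.packed))
    lines = ["forward-zone:", f'  name: "{domain}"']
    lines += [f"  forward-addr: {ip}" for ip in addrs]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    secs = parse_dig(SAMPLE_DIG)
    glue = ns_glue(secs, "ncep.noaa.gov.")
    for ns, ips in glue.items():
        print(ns, [str(ip) for ip in ips])
    print(follow_cname(secs, "www.aviationweather.gov."))
    print(forward_zone("aviationweather.gov", glue))
```

The same three servers are the delegation for aviationweather.gov in the OP's +trace output, which is why the clause is rendered for that zone rather than for ncep.noaa.gov.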


  • Banned

    In the domain override it is only aviationweather.gov
    I was just saying I can type in anything behind it and it works, but with a www. in front it didn't

    That's weird, I don't have ipv6 configured.


  • Rebel Alliance Global Moderator

    Just because you do not have it configured doesn't mean pfsense is not using it.. Does your isp hand you an ipv6 address on your wan?

    Do simple query to their ns direct via dig or nslookup.. What is your response time?  Do you get an answer.. keep in mind that www.aviationweather.gov is cname that points to

    ;; ANSWER SECTION:
    www.aviationweather.gov. 120    IN      CNAME  aviationweather.ncep.noaa.gov.
    aviationweather.ncep.noaa.gov. 300 IN  CNAME  aviationweather.cp.ncep.noaa.gov.
    aviationweather.cp.ncep.noaa.gov. 86400 IN A    140.90.101.207


  • Banned

    @johnpoz:

    Does your isp hand you an ipv6 address on your wan?

    Yes, if I turn on DHCP6 on WAN I get issued an ipv6 address, I had thought that if that was set to none that I wouldn't be using ipv6 over the internet?

    @johnpoz:

    Do simple query to their ns direct via dig or nslookup.. What is your response time?

    Looks like ~77ms

    
    [2.4.0-BETA][admin@netbox.netdomain]/root: dig 140.90.33.237
    
    ; <<>> DiG 9.11.0-P3 <<>> 140.90.33.237
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 42083
    ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
    
    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ;; QUESTION SECTION:
    ;140.90.33.237.                 IN      A
    
    ;; AUTHORITY SECTION:
    .                       2213    IN      SOA     a.root-servers.net. nstld.verisign-grs.com. 2017031801 1800 900 604800 86400
    
    ;; Query time: 78 msec
    ;; SERVER: 127.0.0.1#53(127.0.0.1)
    ;; WHEN: Sat Mar 18 10:56:30 PDT 2017
    ;; MSG SIZE  rcvd: 117
    
    [2.4.0-BETA][admin@netbox.netdomain]/root: dig aviationweather.gov @140.90.33.237
    
    ; <<>> DiG 9.11.0-P3 <<>> aviationweather.gov @140.90.33.237
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54013
    ;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 7
    ;; WARNING: recursion requested but not available
    
    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ;; QUESTION SECTION:
    ;aviationweather.gov.           IN      A
    
    ;; ANSWER SECTION:
    aviationweather.gov.    120     IN      A       140.90.101.207
    
    ;; AUTHORITY SECTION:
    aviationweather.gov.    120     IN      NS      ns-nw.noaa.gov.
    aviationweather.gov.    120     IN      NS      ns-mw.noaa.gov.
    aviationweather.gov.    120     IN      NS      ns-e.noaa.gov.
    
    ;; ADDITIONAL SECTION:
    ns-e.noaa.gov.          86400   IN      A       140.90.33.237
    ns-e.noaa.gov.          86400   IN      AAAA    2610:20:8000:8c00::237
    ns-mw.noaa.gov.         86400   IN      A       140.172.17.237
    ns-mw.noaa.gov.         86400   IN      AAAA    2610:20:8800:8c00::237
    ns-nw.noaa.gov.         86400   IN      A       161.55.32.2
    ns-nw.noaa.gov.         86400   IN      AAAA    2610:20:8c00:8c00::2
    
    ;; Query time: 76 msec
    ;; SERVER: 140.90.33.237#53(140.90.33.237)
    ;; WHEN: Sat Mar 18 10:56:50 PDT 2017
    ;; MSG SIZE  rcvd: 260
    
    

  • Rebel Alliance Global Moderator

    so that sure looks like it works to me.. So just make sure pfsense is not using ipv6 and you shouldn't have any issues.  Set your wan to none.

    Not sure why you think you need to do overrides.  Query that for www.aviationweather.gov  do you get an answer?


  • Banned

    It was set to none and is now, I just turned it on so I could answer your question as to whether my ISP is providing an ipv6 address or not. My pfsense box had never used ipv6 though.

    
    x@x-TPadT420:~$ dig aviationweather.gov
    
    ; <<>> DiG 9.10.3-P4-Ubuntu <<>> aviationweather.gov
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48639
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
    
    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ;; QUESTION SECTION:
    ;aviationweather.gov.		IN	A
    
    ;; ANSWER SECTION:
    aviationweather.gov.	68	IN	A	140.90.101.207
    
    ;; Query time: 1 msec
    ;; SERVER: 127.0.1.1#53(127.0.1.1)
    ;; WHEN: Sat Mar 18 14:03:33 PDT 2017
    ;; MSG SIZE  rcvd: 64
    
    x@x-TPadT420:~$ dig www.aviationweather.gov
    
    ; <<>> DiG 9.10.3-P4-Ubuntu <<>> www.aviationweather.gov
    ;; global options: +cmd
    ;; connection timed out; no servers could be reached
    
    

  • Rebel Alliance Global Moderator

    ";; SERVER: 127.0.1.1#53(127.0.1.1)"

    That sure and the hell is not pfsense..

    Query your pfsense directly..  You got a caching dnsmasq running on that box.. That is asking what???  Have no idea what it's forwarding to..

    Do a query to your pfsense directly - with your domain overrides removed!!!

    like this..

    dig @192.168.9.253 www.aviationweather.gov

    ; <<>> DiG 9.11.0-P3 <<>> @192.168.9.253 www.aviationweather.gov
    ; (1 server found)
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5562
    ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 3, AUTHORITY: 3, ADDITIONAL: 1

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ;; QUESTION SECTION:
    ;www.aviationweather.gov.      IN      A

    ;; ANSWER SECTION:
    www.aviationweather.gov. 120    IN      CNAME  aviationweather.ncep.noaa.gov.
    aviationweather.ncep.noaa.gov. 300 IN  CNAME  aviationweather.cp.ncep.noaa.gov.
    aviationweather.cp.ncep.noaa.gov. 67481 IN A    140.90.101.207

    ;; AUTHORITY SECTION:
    ncep.noaa.gov.          67481  IN      NS      ns-e.noaa.gov.
    ncep.noaa.gov.          67481  IN      NS      ns-mw.noaa.gov.
    ncep.noaa.gov.          67481  IN      NS      ns-nw.noaa.gov.

    ;; Query time: 156 msec
    ;; SERVER: 192.168.9.253#53(192.168.9.253)
    ;; WHEN: Sat Mar 18 16:29:42 Central Daylight Time 2017
    ;; MSG SIZE  rcvd: 200

    replace that 192.168.9.253 with whatever pfsense IP is on your lan/network your on..


  • Banned

    
    x@x-TPadT420:~$ dig @192.168.1.1 www.aviationweather.gov
    
    ; <<>> DiG 9.10.3-P4-Ubuntu <<>> @192.168.1.1 www.aviationweather.gov
    ; (1 server found)
    ;; global options: +cmd
    ;; connection timed out; no servers could be reached
    x@x-TPadT420:~$ dig @192.168.1.1 aviationweather.gov
    
    ; <<>> DiG 9.10.3-P4-Ubuntu <<>> @192.168.1.1 aviationweather.gov
    ; (1 server found)
    ;; global options: +cmd
    ;; connection timed out; no servers could be reached
    x@x-TPadT420:~$ dig @192.168.1.1 www.google.com
    
    ; <<>> DiG 9.10.3-P4-Ubuntu <<>> @192.168.1.1 www.google.com
    ; (1 server found)
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32878
    ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
    
    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ;; QUESTION SECTION:
    ;www.google.com.			IN	A
    
    ;; ANSWER SECTION:
    www.google.com.		3600	IN	A	216.239.38.120
    
    ;; Query time: 1 msec
    ;; SERVER: 192.168.1.1#53(192.168.1.1)
    ;; WHEN: Sat Mar 18 14:37:34 PDT 2017
    ;; MSG SIZE  rcvd: 59
    
    

  • Rebel Alliance Global Moderator

    And did you clear out the domain overrides you were messing with??

    Can you talk to their NS directly - you did that previously.. So you got something else going on if you can still talk to them..

    Troubleshooting.. What is your unbound log showing you when you up its verbosity?  What is simple sniff on your wan showing you when you try and resolve this fqdn?  I am having zero issues resolving this domain and that www record.

    It's quite possible you're having issues talking to their NS via something wrong with your isp, or your path to those networks..  Tracking that down is simple enough..

    So what happens when you try and resolve it via pfsense diag, dns lookup?



  • Banned

    @johnpoz:

    And did you clear out the domain overrides you were messing with??

    Can you talk to their NS directly - you did that previously.. So you got something else going on if you can still talk to them..

    Yes, I deleted the domain override.

    Here's an output that includes the NS:

    ; <<>> DiG 9.9.5-3ubuntu0.8-Ubuntu <<>> www.aviation.gov
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 60388
    ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
    
    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ;; QUESTION SECTION:
    ;www.aviation.gov.              IN      A
    
    ;; AUTHORITY SECTION:
    gov.                    3312    IN      SOA     a.gov-servers.net. nstld.verisign-grs.com. 1489943401 3600 900 1814400 86400
    
    ;; Query time: 0 msec
    ;; SERVER: 192.168.1.1#53(192.168.1.1)
    ;; WHEN: Sun Mar 19 10:47:21 DST 2017
    ;; MSG SIZE  rcvd: 120
    
    bash@DESKTOP:~$ dig aviation.gov
    
    ; <<>> DiG 9.9.5-3ubuntu0.8-Ubuntu <<>> aviation.gov
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 397
    ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
    
    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ;; QUESTION SECTION:
    ;aviation.gov.                  IN      A
    
    ;; AUTHORITY SECTION:
    gov.                    3308    IN      SOA     a.gov-servers.net. nstld.verisign-grs.com. 1489943401 3600 900 1814400 86400
    
    ;; Query time: 0 msec
    ;; SERVER: 192.168.1.1#53(192.168.1.1)
    ;; WHEN: Sun Mar 19 10:47:25 DST 2017
    ;; MSG SIZE  rcvd: 116
    
    bash@DESKTOP:~$ dig 140.90.33.237
    
    ; <<>> DiG 9.9.5-3ubuntu0.8-Ubuntu <<>> 140.90.33.237
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 10308
    ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
    
    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ;; QUESTION SECTION:
    ;140.90.33.237.                 IN      A
    
    ;; AUTHORITY SECTION:
    .                       1751    IN      SOA     a.root-servers.net. nstld.verisign-grs.com. 2017031901 1800 900 604800 86400
    
    ;; Query time: 15 msec
    ;; SERVER: 192.168.1.1#53(192.168.1.1)
    ;; WHEN: Sun Mar 19 10:47:29 DST 2017
    ;; MSG SIZE  rcvd: 117
    
    bash@DESKTOP:~$ dig a.root-servers.net
    
    ; <<>> DiG 9.9.5-3ubuntu0.8-Ubuntu <<>> a.root-servers.net
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54421
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 13, ADDITIONAL: 26
    
    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ;; QUESTION SECTION:
    ;a.root-servers.net.            IN      A
    
    ;; ANSWER SECTION:
    a.root-servers.net.     3599961 IN      A       198.41.0.4
    
    ;; AUTHORITY SECTION:
    root-servers.net.       3599961 IN      NS      b.root-servers.net.
    root-servers.net.       3599961 IN      NS      f.root-servers.net.
    root-servers.net.       3599961 IN      NS      i.root-servers.net.
    root-servers.net.       3599961 IN      NS      a.root-servers.net.
    root-servers.net.       3599961 IN      NS      e.root-servers.net.
    root-servers.net.       3599961 IN      NS      g.root-servers.net.
    root-servers.net.       3599961 IN      NS      l.root-servers.net.
    root-servers.net.       3599961 IN      NS      m.root-servers.net.
    root-servers.net.       3599961 IN      NS      d.root-servers.net.
    root-servers.net.       3599961 IN      NS      c.root-servers.net.
    root-servers.net.       3599961 IN      NS      h.root-servers.net.
    root-servers.net.       3599961 IN      NS      j.root-servers.net.
    root-servers.net.       3599961 IN      NS      k.root-servers.net.
    
    ;; ADDITIONAL SECTION:
    b.root-servers.net.     516543  IN      A       192.228.79.201
    c.root-servers.net.     516543  IN      A       192.33.4.12
    d.root-servers.net.     516543  IN      A       199.7.91.13
    e.root-servers.net.     516543  IN      A       192.203.230.10
    f.root-servers.net.     516543  IN      A       192.5.5.241
    g.root-servers.net.     516543  IN      A       192.112.36.4
    h.root-servers.net.     516543  IN      A       198.97.190.53
    i.root-servers.net.     516543  IN      A       192.36.148.17
    j.root-servers.net.     516543  IN      A       192.58.128.30
    k.root-servers.net.     516543  IN      A       193.0.14.129
    l.root-servers.net.     516543  IN      A       199.7.83.42
    m.root-servers.net.     516543  IN      A       202.12.27.33
    a.root-servers.net.     516543  IN      AAAA    2001:503:ba3e::2:30
    b.root-servers.net.     516543  IN      AAAA    2001:500:84::b
    c.root-servers.net.     516543  IN      AAAA    2001:500:2::c
    d.root-servers.net.     516543  IN      AAAA    2001:500:2d::d
    e.root-servers.net.     516543  IN      AAAA    2001:500:a8::e
    f.root-servers.net.     516543  IN      AAAA    2001:500:2f::f
    g.root-servers.net.     516543  IN      AAAA    2001:500:12::d0d
    h.root-servers.net.     516543  IN      AAAA    2001:500:1::53
    i.root-servers.net.     516543  IN      AAAA    2001:7fe::53
    j.root-servers.net.     516543  IN      AAAA    2001:503:c27::2:30
    k.root-servers.net.     516543  IN      AAAA    2001:7fd::1
    l.root-servers.net.     516543  IN      AAAA    2001:500:9f::42
    m.root-servers.net.     516543  IN      AAAA    2001:dc3::35
    
    ;; Query time: 46 msec
    ;; SERVER: 192.168.1.1#53(192.168.1.1)
    ;; WHEN: Sun Mar 19 10:47:35 DST 2017
    ;; MSG SIZE  rcvd: 825
    

    I attached a screen of the pfsense diag lookup output.

    @johnpoz:

    Troubleshooting.. What is your unbound log showing you when you up its verbosity?  What is simple sniff on your wan showing you when you try and resolve this fqdn?  I am having zero issues resolving this domain and that www record.

    Verb=5 was outputting a ton of stuff and filling up the 500 entries in less than a second.

    I thought I'd be clever and clear out the resolver.log file so that I could just post the relevant stuff for you. (Diag>Edit File>Select All>Delete>Save)

    Apparently that's not smart to do because now it doesn't put anything in there…  :o

    I tried restarting Resolver, rebooting, updating to latest BETA build, rm /var/log/resolver.log && touch /var/log/resolver.log
    It still isn't logging anything.

    Way to go me.



  • Netgate

    Try this at a shell prompt:

    rm /var/log/resolver.log

    ls -l /var/log

    Get the size of the other logs default is 511488

    clog -i -s 511488 /var/log/resolver.log

    chmod 600 /var/log/resolver.log

    bounce unbound


  • Banned

    @Derelict:

    Try this at a shell prompt:

    rm /var/log/resolver.log

    ls -l /var/log

    Get the size of the other logs default is 511488

    clog -i -s 511488 /var/log/resolver.log

    chmod 600 /var/log/resolver.log

    bounce unbound

    Thanks! That did the trick! I had assumed that they were just ordinary text files but that makes a lot more sense haha.

    Strangely enough….. now my DNS query return is different AND www.aviationweather.gov loads immediately with no problems...  :o

    The only thing I did different than the last post is accidentally screw up my resolver.log and then get it back up with Derelict's instructions.

    Why would a log have any effect at all? Assuming it must have been something else but I can't imagine what? I had already restarted Unbound & rebooted the system a couple of times so that wasn't new.

    dig is different now too:

    bash@DESKTOP:~$ dig www.aviationweather.gov
    
    ; <<>> DiG 9.9.5-3ubuntu0.8-Ubuntu <<>> www.aviationweather.gov
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26880
    ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 3, AUTHORITY: 3, ADDITIONAL: 1
    
    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ;; QUESTION SECTION:
    ;www.aviationweather.gov.       IN      A
    
    ;; ANSWER SECTION:
    www.aviationweather.gov. 120    IN      CNAME   aviationweather.ncep.noaa.gov.
    aviationweather.ncep.noaa.gov. 7 IN     CNAME   aviationweather.cp.ncep.noaa.gov.
    aviationweather.cp.ncep.noaa.gov. 86107 IN A    140.90.101.207
    
    ;; AUTHORITY SECTION:
    ncep.noaa.gov.          86107   IN      NS      ns-e.noaa.gov.
    ncep.noaa.gov.          86107   IN      NS      ns-mw.noaa.gov.
    ncep.noaa.gov.          86107   IN      NS      ns-nw.noaa.gov.
    
    ;; Query time: 115 msec
    ;; SERVER: 192.168.1.1#53(192.168.1.1)
    ;; WHEN: Sun Mar 19 12:26:55 DST 2017
    ;; MSG SIZE  rcvd: 200
    
    bash@DESKTOP:~$ dig ns-e.noaa.gov
    
    ; <<>> DiG 9.9.5-3ubuntu0.8-Ubuntu <<>> ns-e.noaa.gov
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44300
    ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 6
    
    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ;; QUESTION SECTION:
    ;ns-e.noaa.gov.                 IN      A
    
    ;; ANSWER SECTION:
    ns-e.noaa.gov.          86079   IN      A       140.90.33.237
    
    ;; AUTHORITY SECTION:
    noaa.gov.               86400   IN      NS      ns-e.noaa.gov.
    noaa.gov.               86400   IN      NS      ns-mw.noaa.gov.
    noaa.gov.               86400   IN      NS      ns-nw.noaa.gov.
    
    ;; ADDITIONAL SECTION:
    ns-e.noaa.gov.          86079   IN      AAAA    2610:20:8000:8c00::237
    ns-mw.noaa.gov.         86079   IN      A       140.172.17.237
    ns-mw.noaa.gov.         86079   IN      AAAA    2610:20:8800:8c00::237
    ns-nw.noaa.gov.         86079   IN      A       161.55.32.2
    ns-nw.noaa.gov.         86079   IN      AAAA    2610:20:8c00:8c00::2
    
    ;; Query time: 74 msec
    ;; SERVER: 192.168.1.1#53(192.168.1.1)
    ;; WHEN: Sun Mar 19 12:27:23 DST 2017
    ;; MSG SIZE  rcvd: 228
    



  • Netgate

    It wasn't the log. It is probably just resolving for you now.


  • Rebel Alliance Global Moderator

    May never know what was going on, since you can not seem to grasp how to do a directed query.. In all the nonsense you posted.. Not one of them was a query to one of the NS authoritative for that domain…

    Just like you query @yourpfsenseIP

    Do you query direct to one of their NS.. as I did in my example..  And why and the F are you doing a query for "www.aviation.gov"

    Glad it's working for you - since troubleshooting to where the problem actually is with what you're posting would be fruitless..


  • Banned

    @johnpoz:

    May never know what was going on, since you can not seem to grasp how to do a directed query.. In all the nonsense you posted.. Not one of them was a query to one of the NS authoritative for that domain…

    Just like you query @yourpfsenseIP

    Do you query direct to one of their NS.. as I did in my example..  And why and the F are you doing a query for "www.aviation.gov"

    Glad it's working for you - since troubleshooting to where the problem actually is with what you're posting would be fruitless..

    Eh, yeah. I have literally zero background in IT or anything computer or networking related. If I haven't read it for fun or been told something, I don't know it. So it doesn't surprise me I got it wrong, I do apologize though, I appreciate that you've taken your time out to help me.

    I was querying aviationweather.gov because it's the only site that I've ever had trouble with, and the reason I started this thread.
    EDIT: reading back I see you mean why I mistyped "aviation.gov" instead of "aviationweather.gov" and posted that output, that was totally unintentional, I was tired!

    I thought that the following was the Name Server for aviationweather.gov (which is what I assumed you meant by NS?) since it was listed in the return for aviationweather.gov, and starts with "ns".

    bash@DESKTOP:~$ dig ns-e.noaa.gov
    

    I don't even know what you mean by this?

    Just like you query @yourpfsenseIP

    I think the only IP i queried was:

    bash@DESKTOP:~$ dig 140.90.33.237
    

    Network information
    IP address 140.90.33.237
    Reverse DNS (PTR record) ns-e.noaa.gov

    Is that what you mean?

    I'd be happy to learn if you're willing to educate me, but I also totally understand if you're no longer interested.
    Either way, thank you for taking your time and I apologize for the frustration.


  • Rebel Alliance Global Moderator

    "dig 140.90.33.237"

    All that did was query your default DNS for that IP..

    There are 3 NS listed for this domain.. If you want to ask them directly then you would use the @

    So

    dig @140.90.33.237 then what you want to ask it..

    so

    dig @140.90.33.237 www.aviationweather.gov

    dig @140.90.33.237 www.aviationweather.gov

    ; <<>> DiG 9.11.0-P3 <<>> @140.90.33.237 www.aviationweather.gov
    ; (1 server found)
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9718
    ;; flags: qr aa rd; QUERY: 1, ANSWER: 3, AUTHORITY: 3, ADDITIONAL: 7
    ;; WARNING: recursion requested but not available

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ;; QUESTION SECTION:
    ;www.aviationweather.gov.      IN      A

    ;; ANSWER SECTION:
    www.aviationweather.gov. 120    IN      CNAME  aviationweather.ncep.noaa.gov.
    aviationweather.ncep.noaa.gov. 300 IN  CNAME  aviationweather.cp.ncep.noaa.gov.
    aviationweather.cp.ncep.noaa.gov. 86400 IN A    140.90.101.207

    ;; AUTHORITY SECTION:
    ncep.noaa.gov.          86400  IN      NS      ns-mw.noaa.gov.
    ncep.noaa.gov.          86400  IN      NS      ns-nw.noaa.gov.
    ncep.noaa.gov.          86400  IN      NS      ns-e.noaa.gov.

    ;; ADDITIONAL SECTION:
    ns-e.noaa.gov.          86400  IN      A      140.90.33.237
    ns-e.noaa.gov.          86400  IN      AAAA    2610:20:8000:8c00::237
    ns-mw.noaa.gov.        86400  IN      A      140.172.17.237
    ns-mw.noaa.gov.        86400  IN      AAAA    2610:20:8800:8c00::237
    ns-nw.noaa.gov.        86400  IN      A      161.55.32.2
    ns-nw.noaa.gov.        86400  IN      AAAA    2610:20:8c00:8c00::2

    ;; Query time: 35 msec
    ;; SERVER: 140.90.33.237#53(140.90.33.237)
    ;; WHEN: Mon Mar 20 05:19:59 Central Daylight Time 2017
    ;; MSG SIZE  rcvd: 332


  • Banned

    OK, thank you! It is once again not working for me.

    
    bash@DESKTOP:~$ dig @140.90.33.237 www.aviationweather.gov
    
    ; <<>> DiG 9.9.5-3ubuntu0.8-Ubuntu <<>> @140.90.33.237 www.aviationweather.gov
    ; (1 server found)
    ;; global options: +cmd
    ;; connection timed out; no servers could be reached
    

    I also attached the resolver log.

    [dns resolver log.zip](/public/imported_attachments/1/dns resolver log.zip)


  • Rebel Alliance Global Moderator

    Well that dig command says you could not reach that NS

    "connection timed out; no servers could be reached"

    So it's either down, or your ISP is having issues talking to that network. I do not show any problems talking to any of them. Try one of the 2 other ones.

    ns-e.noaa.gov.          86400  IN      A      140.90.33.237
    ns-mw.noaa.gov.        86400  IN      A      140.172.17.237
    ns-nw.noaa.gov.        86400  IN      A      161.55.32.2

    dig @140.90.33.237 www.aviationweather.gov +short
    aviationweather.ncep.noaa.gov.
    aviationweather.cp.ncep.noaa.gov.
    140.90.101.207

    dig @140.172.17.237 www.aviationweather.gov +short
    aviationweather.ncep.noaa.gov.
    aviationweather.cp.ncep.noaa.gov.
    140.90.101.207

    dig @161.55.32.2 www.aviationweather.gov +short
    aviationweather.ncep.noaa.gov.
    aviationweather.cp.ncep.noaa.gov.
    140.90.101.207

    The simple solution would probably be to just put in a host override for www.aviationweather.gov pointing to the IP 140.90.101.207. While they have a really short TTL (120 seconds, and then 300 seconds for that CNAME), the IP has not changed since this thread started: 140.90.101.207.

    edit:  BTW I don't see anything in that log for aviationweather.gov

    If you queried it directly, unbound would not have any knowledge of that or log it.


  • Banned

    Yeah it's down for me again. I don't get why I can't get to those DNS servers?

    bash@DESKTOP:~$ dig @140.90.33.237
    
    ; <<>> DiG 9.9.5-3ubuntu0.8-Ubuntu <<>> @140.90.33.237
    ; (1 server found)
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3772
    ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 1
    
    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ;; QUESTION SECTION:
    ;.                              IN      NS
    
    ;; ANSWER SECTION:
    .                       77610   IN      NS      e.root-servers.net.
    .                       77610   IN      NS      k.root-servers.net.
    .                       77610   IN      NS      l.root-servers.net.
    .                       77610   IN      NS      g.root-servers.net.
    .                       77610   IN      NS      c.root-servers.net.
    .                       77610   IN      NS      i.root-servers.net.
    .                       77610   IN      NS      f.root-servers.net.
    .                       77610   IN      NS      h.root-servers.net.
    .                       77610   IN      NS      j.root-servers.net.
    .                       77610   IN      NS      d.root-servers.net.
    .                       77610   IN      NS      m.root-servers.net.
    .                       77610   IN      NS      b.root-servers.net.
    .                       77610   IN      NS      a.root-servers.net.
    
    ;; Query time: 0 msec
    ;; SERVER: 140.90.33.237#53(140.90.33.237)
    ;; WHEN: Tue Mar 21 10:55:07 DST 2017
    ;; MSG SIZE  rcvd: 239
    
    bash@DESKTOP:~$ dig @140.172.17.237
    
    ; <<>> DiG 9.9.5-3ubuntu0.8-Ubuntu <<>> @140.172.17.237
    ; (1 server found)
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41634
    ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 1
    
    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ;; QUESTION SECTION:
    ;.                              IN      NS
    
    ;; ANSWER SECTION:
    .                       77590   IN      NS      e.root-servers.net.
    .                       77590   IN      NS      k.root-servers.net.
    .                       77590   IN      NS      l.root-servers.net.
    .                       77590   IN      NS      g.root-servers.net.
    .                       77590   IN      NS      c.root-servers.net.
    .                       77590   IN      NS      i.root-servers.net.
    .                       77590   IN      NS      f.root-servers.net.
    .                       77590   IN      NS      h.root-servers.net.
    .                       77590   IN      NS      j.root-servers.net.
    .                       77590   IN      NS      d.root-servers.net.
    .                       77590   IN      NS      m.root-servers.net.
    .                       77590   IN      NS      b.root-servers.net.
    .                       77590   IN      NS      a.root-servers.net.
    
    ;; Query time: 15 msec
    ;; SERVER: 140.172.17.237#53(140.172.17.237)
    ;; WHEN: Tue Mar 21 10:55:27 DST 2017
    ;; MSG SIZE  rcvd: 239
    
    bash@DESKTOP:~$ dig @161.55.32.2
    
    ; <<>> DiG 9.9.5-3ubuntu0.8-Ubuntu <<>> @161.55.32.2
    ; (1 server found)
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51936
    ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 1
    
    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ;; QUESTION SECTION:
    ;.                              IN      NS
    
    ;; ANSWER SECTION:
    .                       77571   IN      NS      e.root-servers.net.
    .                       77571   IN      NS      k.root-servers.net.
    .                       77571   IN      NS      l.root-servers.net.
    .                       77571   IN      NS      g.root-servers.net.
    .                       77571   IN      NS      c.root-servers.net.
    .                       77571   IN      NS      i.root-servers.net.
    .                       77571   IN      NS      f.root-servers.net.
    .                       77571   IN      NS      h.root-servers.net.
    .                       77571   IN      NS      j.root-servers.net.
    .                       77571   IN      NS      d.root-servers.net.
    .                       77571   IN      NS      m.root-servers.net.
    .                       77571   IN      NS      b.root-servers.net.
    .                       77571   IN      NS      a.root-servers.net.
    
    ;; Query time: 15 msec
    ;; SERVER: 161.55.32.2#53(161.55.32.2)
    ;; WHEN: Tue Mar 21 10:55:46 DST 2017
    ;; MSG SIZE  rcvd: 239
    
    bash@DESKTOP:~$ dig @140.90.33.237 www.aviationweather.gov +short
    
    ; <<>> DiG 9.9.5-3ubuntu0.8-Ubuntu <<>> @140.90.33.237 www.aviationweather.gov +short
    ; (1 server found)
    ;; global options: +cmd
    ;; connection timed out; no servers could be reached
    bash@DESKTOP:~$ dig @140.172.17.237 www.aviationweather.gov +short
    
    ; <<>> DiG 9.9.5-3ubuntu0.8-Ubuntu <<>> @140.172.17.237 www.aviationweather.gov +short
    ; (1 server found)
    ;; global options: +cmd
    ;; connection timed out; no servers could be reached
    
    bash@DESKTOP:~$ dig @161.55.32.2 www.aviationweather.gov +short
    
    ; <<>> DiG 9.9.5-3ubuntu0.8-Ubuntu <<>> @161.55.32.2 www.aviationweather.gov +short
    ; (1 server found)
    ;; global options: +cmd
    ;; connection timed out; no servers could be reached
    
    bash@DESKTOP:~$ dig 140.90.101.207
    
    ; <<>> DiG 9.9.5-3ubuntu0.8-Ubuntu <<>> 140.90.101.207
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 22888
    ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
    
    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ;; QUESTION SECTION:
    ;140.90.101.207.                        IN      A
    
    ;; AUTHORITY SECTION:
    .                       3287    IN      SOA     a.root-servers.net. nstld.verisign-grs.com. 2017032102 1800 900 604800 86400
    
    ;; Query time: 31 msec
    ;; SERVER: 192.168.1.1#53(192.168.1.1)
    ;; WHEN: Tue Mar 21 10:57:50 DST 2017
    ;; MSG SIZE  rcvd: 118
    

  • Rebel Alliance Global Moderator

    If you cannot get to those servers then yeah, you're not going to be able to resolve records they are authoritative for. And since the TTLs they have on them are very short, this problem is going to come up all the time.

    Can you ping them?


  • Banned

    No, I cannot ping them.

    >ping 140.90.33.237
    
    Pinging 140.90.33.237 with 32 bytes of data:
    Request timed out.
    Request timed out.
    Request timed out.
    Request timed out.
    
    Ping statistics for 140.90.33.237:
        Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
    
    >ping 140.172.17.237
    
    Pinging 140.172.17.237 with 32 bytes of data:
    Request timed out.
    Request timed out.
    Request timed out.
    Request timed out.
    
    Ping statistics for 140.172.17.237:
        Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
    
    >ping 161.55.32.2
    
    Pinging 161.55.32.2 with 32 bytes of data:
    Request timed out.
    Request timed out.
    Request timed out.
    Request timed out.
    
    Ping statistics for 161.55.32.2:
        Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
    
    >ping 140.90.101.207
    
    Pinging 140.90.101.207 with 32 bytes of data:
    Request timed out.
    Request timed out.
    Request timed out.
    Request timed out.
    
    Ping statistics for 140.90.101.207:
        Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
    
    >ping 139.130.4.5
    
    Pinging 139.130.4.5 with 32 bytes of data:
    Reply from 139.130.4.5: bytes=32 time=169ms TTL=114
    Reply from 139.130.4.5: bytes=32 time=171ms TTL=114
    Reply from 139.130.4.5: bytes=32 time=168ms TTL=114
    Reply from 139.130.4.5: bytes=32 time=169ms TTL=114
    
    Ping statistics for 139.130.4.5:
        Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
    Approximate round trip times in milli-seconds:
        Minimum = 168ms, Maximum = 171ms, Average = 169ms
    
    >ping 8.8.8.8
    
    Pinging 8.8.8.8 with 32 bytes of data:
    Reply from 8.8.8.8: bytes=32 time=48ms TTL=60
    Reply from 8.8.8.8: bytes=32 time=47ms TTL=60
    Reply from 8.8.8.8: bytes=32 time=47ms TTL=60
    Reply from 8.8.8.8: bytes=32 time=47ms TTL=60
    
    Ping statistics for 8.8.8.8:
        Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
    Approximate round trip times in milli-seconds:
        Minimum = 47ms, Maximum = 48ms, Average = 47ms
    
    >ping 4.2.2.2
    
    Pinging 4.2.2.2 with 32 bytes of data:
    Reply from 4.2.2.2: bytes=32 time=15ms TTL=55
    Reply from 4.2.2.2: bytes=32 time=14ms TTL=55
    Reply from 4.2.2.2: bytes=32 time=14ms TTL=55
    Reply from 4.2.2.2: bytes=32 time=13ms TTL=55
    
    Ping statistics for 4.2.2.2:
        Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
    Approximate round trip times in milli-seconds:
        Minimum = 13ms, Maximum = 15ms, Average = 14ms
    

  • Rebel Alliance Global Moderator

    Well, that is a bad test - I should have tried pinging them first before suggesting that. They don't seem to answer ping, but I'm not having any problems doing DNS queries to them.


  • Banned

    Weird, it's in and out for me. I also have no issues with them when not using the resolver. I'll do the override and deal with it I suppose.

    Thank you again for taking your time to help me out!


  • Netgate

    But you can plainly see using proper DNS diagnostic tools like dig that the problem is not in the resolver, but in the ability to reach their authoritative servers.

    Maybe their name servers are overloaded because of the short-ass TTLs they're using.

    It used to be bad form to use such short TTLs.

    Still is, IMHO, for most anything but DDNS (which, it could be debated, is no solution at all) and in advance of known, pending changes.


  • Rebel Alliance Global Moderator

    I would think such a site gets quite a bit of traffic. Using a 120 second TTL has got to just be crazy for the amount of DNS queries their servers are taking, which then points to another CNAME that has a TTL of 300. Really freaking stupid if you ask me!

    And to top it all off, that ending IP has not changed.

    And then to top off that, one of their IPv6 addresses is just down.

    Whoever is running their DNS seems to be asleep at the wheel.

    You could try sending them a message here
    https://www.aviationweather.gov/contact


  • Banned

    I was assuming that it worked when I don't use the resolver because public DNS has the IP cached already? Seems like doing a host override is basically doing the same thing until their IP changes?

    Thanks, I will send them a message!


  • Rebel Alliance Global Moderator

    Yes, using the forwarder would have you just get what they have cached. But it's going to have to be asking them every 120 seconds as well ;)

    You're going to get something shorter as your answer because it will come from their cache. So see, when I ask Google DNS the TTLs on the records are something shorter than what the authoritative servers set them to, while if I ask one of the authoritative servers I get the full TTL to cache.

    I don't see that site changing. Might as well just put in a host override for it vs some domain override to ask Google or OpenDNS, since you're just going to be asking them over and over again, just like you're doing with the authoritative servers you're having problems talking to. While if you put in an override you can set the TTL to whatever you want so that clients just ask pfSense every X seconds.

    I think the default host overrides are 3600 seconds. But you can always put in whatever TTL you want if you use the custom/advanced box to put in the record.
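    Two points in this thread are worth having as a repeatable check rather than as eyeballed dig output: the advice earlier to ask each authoritative server directly with `dig @server name` and read the flags, and the point just above that a cache hands back counted-down TTLs while an authoritative server hands back the full TTL, which is what a host override's own TTL replaces. The script below is an added example written for this page; it is not code from pfSense, Unbound or anyone in the thread. It parses the text dig prints, reports whether a reply carried `aa` (the server asserted authority), carried `ra` without `aa` (something doing recursion answered from its cache, which is also the shape of the `dig @140.90.33.237` with no name posted above, where root NS records came back with `ra` set and a counted-down TTL), or never arrived at all, follows the CNAME chain to the final A record and takes the smallest TTL along it (the 120 seconds discussed above), and renders the `local-data` line that a pfSense host override amounts to, with an explicit TTL (3600 is Unbound's default when none is given). The authoritative and timeout samples are copied from the thread; the cached sample is constructed with made-up counted-down TTLs. `override_still_valid` is the check to run now and then, because a pinned address is exactly what stops you noticing when the site moves.

```python
"""Added example, not from the thread: read dig(1) text, tell an authoritative
reply from a cached one, follow the CNAME chain, and render the Unbound
host-override line that pins the result, plus a check for a stale pin."""
import re
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

RR = Tuple[str, int, str, str]  # (owner, ttl, rtype, rdata)
_STATUS = re.compile(r"status: (\w+)")
_FLAGS = re.compile(r";; flags:([a-z ]*);")
_SERVER = re.compile(r";; SERVER: ([^#\s]+)")
_RR = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+([A-Z]+)\s+(.+)$")


@dataclass
class DigReply:
    server: Optional[str]
    status: Optional[str]   # None when dig printed no HEADER (timeout)
    flags: Set[str]
    answers: List[RR]


@dataclass
class Chain:
    final_name: str
    ip: str
    min_ttl: int  # a cache may serve the whole chain for at most this long


def parse_dig(text: str) -> DigReply:
    """Collect status, flags, server and ANSWER SECTION records from dig output."""
    reply = DigReply(None, None, set(), [])
    in_answer = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            in_answer = line.startswith(";; ANSWER SECTION:")
            if m := _STATUS.search(line):
                reply.status = m.group(1)
            if m := _FLAGS.search(line):
                reply.flags = set(m.group(1).split())
            if m := _SERVER.search(line):
                reply.server = m.group(1)
        elif in_answer and (m := _RR.match(line)):
            owner, ttl, rtype, rdata = m.groups()
            reply.answers.append((owner.lower(), int(ttl), rtype, rdata.strip()))
    return reply


def classify(reply: DigReply) -> str:
    """'authoritative' = aa set; 'recursive' = ra set without aa, i.e. a cache
    answered; 'unreachable' = dig never got a HEADER back."""
    if reply.status is None:
        return "unreachable"
    if "aa" in reply.flags:
        return "authoritative"
    return "recursive" if "ra" in reply.flags else "other"


def resolve_chain(reply: DigReply, qname: str) -> Optional[Chain]:
    """Follow CNAMEs from qname to an A record; None if the chain is incomplete."""
    name = qname.lower().rstrip(".") + "."
    ttls: List[int] = []
    for _ in range(8):  # bound the walk so a CNAME loop cannot spin forever
        hop = next((rr for rr in reply.answers
                    if rr[0] == name and rr[2] in ("A", "CNAME")), None)
        if hop is None:
            return None
        _, ttl, rtype, rdata = hop
        ttls.append(ttl)
        if rtype == "A":
            return Chain(name, rdata, min(ttls))
        name = rdata.lower().rstrip(".") + "."
    return None


def unbound_local_data(name: str, ip: str, ttl: int = 3600) -> str:
    """The line a pfSense host override amounts to. 3600 is Unbound's default
    local-data TTL; pass another value to change how often clients re-ask."""
    return f'local-data: "{name.rstrip(".")}. {ttl} IN A {ip}"'


def override_still_valid(fresh: DigReply, qname: str, pinned_ip: str) -> bool:
    """Pinning hides moves of the site: feed this a fresh reply from an
    authoritative server and drop the override once it returns False."""
    chain = resolve_chain(fresh, qname)
    return classify(fresh) == "authoritative" and chain is not None and chain.ip == pinned_ip


# Sample 1: copied from the thread's dig against ns-e.noaa.gov (trimmed).
AUTH_REPLY = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9718
;; flags: qr aa rd; QUERY: 1, ANSWER: 3, AUTHORITY: 3, ADDITIONAL: 7
;; WARNING: recursion requested but not available

;; ANSWER SECTION:
www.aviationweather.gov. 120    IN      CNAME  aviationweather.ncep.noaa.gov.
aviationweather.ncep.noaa.gov. 300 IN  CNAME  aviationweather.cp.ncep.noaa.gov.
aviationweather.cp.ncep.noaa.gov. 86400 IN A    140.90.101.207

;; AUTHORITY SECTION:
ncep.noaa.gov.          86400  IN      NS      ns-e.noaa.gov.

;; SERVER: 140.90.33.237#53(140.90.33.237)
"""
# Sample 2: constructed. The same chain as a public recursive resolver would
# return it part-way through its cache life (ra set, aa clear, TTLs counted down).
CACHED_REPLY = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
www.aviationweather.gov. 87 IN CNAME aviationweather.ncep.noaa.gov.
aviationweather.ncep.noaa.gov. 267 IN CNAME aviationweather.cp.ncep.noaa.gov.
aviationweather.cp.ncep.noaa.gov. 86112 IN A 140.90.101.207

;; SERVER: 8.8.8.8#53(8.8.8.8)
"""
# Sample 3: copied from the thread, what dig prints when the server is unreachable.
TIMEOUT_REPLY = """\
; <<>> DiG 9.9.5-3ubuntu0.8-Ubuntu <<>> @140.90.33.237 www.aviationweather.gov
;; global options: +cmd
;; connection timed out; no servers could be reached
"""

if __name__ == "__main__":
    for label, text in (("auth", AUTH_REPLY), ("cached", CACHED_REPLY), ("timeout", TIMEOUT_REPLY)):
        reply = parse_dig(text)
        print(label, reply.server, classify(reply), resolve_chain(reply, "www.aviationweather.gov"))
    print(unbound_local_data("www.aviationweather.gov", "140.90.101.207"))
```

    Running it on the thread's own authoritative reply gives `authoritative`, a final name of aviationweather.cp.ncep.noaa.gov. at 140.90.101.207 and a chain TTL of 120, the number the moderator keeps pointing at; the constructed cached reply gives `recursive` with a chain TTL of 87, which is why asking a public resolver never buys you the full 120 seconds either. To feed it live data, pipe `dig @161.55.32.2 www.aviationweather.gov` into `parse_dig` and run `override_still_valid` against the IP you pinned.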



  • Very short TTLs are used for certain sites like Akamai, where they are used for additional load balancing and redundancy. On this type of site it's lunacy though; it's only going to bog down the authoritative servers, which are most likely not very beefy, this being a US government site.


  • Rebel Alliance Global Moderator

    Sure, a CDN with thousands of servers and sites that point to multiple IPs in a round robin, etc. etc. They have a network to support such short TTLs.

    Look at the # of NS for just their parent domain

    ;; QUESTION SECTION:
    ;akamai.net.                    IN      NS

    ;; ANSWER SECTION:
    akamai.net.            89805  IN      NS      zb.akamaitech.net.
    akamai.net.            89805  IN      NS      ns3-193.akamaitech.net.
    akamai.net.            89805  IN      NS      a12-193.akamaitech.net.
    akamai.net.            89805  IN      NS      a22-193.akamaitech.net.
    akamai.net.            89805  IN      NS      ns4-193.akamaitech.net.
    akamai.net.            89805  IN      NS      a3-193.akamaitech.net.
    akamai.net.            89805  IN      NS      zd.akamaitech.net.
    akamai.net.            89805  IN      NS      a6-193.akamaitech.net.
    akamai.net.            89805  IN      NS      a5-193.akamaitech.net.
    akamai.net.            89805  IN      NS      zc.akamaitech.net.
    akamai.net.            89805  IN      NS      ns2-193.akamaitech.net.
    akamai.net.            89805  IN      NS      a1-193.akamaitech.net.
    akamai.net.            89805  IN      NS      ns5-193.akamaitech.net.

    Here are the NS for just 1 subdomain

    ;; QUESTION SECTION:
    ;g.akamai.net.                  IN      NS

    ;; ANSWER SECTION:
    g.akamai.net.          1000    IN      NS      n0g.akamai.net.
    g.akamai.net.          1000    IN      NS      n1g.akamai.net.
    g.akamai.net.          1000    IN      NS      n2g.akamai.net.
    g.akamai.net.          1000    IN      NS      n3g.akamai.net.
    g.akamai.net.          1000    IN      NS      n4g.akamai.net.
    g.akamai.net.          1000    IN      NS      n5g.akamai.net.
    g.akamai.net.          1000    IN      NS      n6g.akamai.net.
    g.akamai.net.          1000    IN      NS      n7g.akamai.net.

    They know what they are doing ;) And I am quite sure they have tweaked and configured for optimal TTLs and bandwidth for people looking up the shit they host on their networks, etc.


  • Banned

    Thanks, I put in the override and all is well!

    I also sent them a message and got a very quick response! It didn't make much sense to me but then I don't know what I'm talking about.

    NCEP AWCWEB - NOAA Service Account ncep.awcweb@noaa.gov
    One key issue … is that the "www" is required to be properly resolved in the current WEB Farm.
    http://www.aviationweather.gov/

    I am passing this along to the developers as well.

    Meteorologist/WEB Development team
    Aviation Weather Center
    http://www.aviationweather.gov/

    You received feedback from:

    Subject: Issues Accessing Website due to your DNS Server Settings
    Message

    I am having issues accessing www.aviationweather.gov and I believe that it is due to your DNS servers setup.
    Specifically your DNS servers' TTL is abnormally short, resulting in far more queries to your server than are necessary.
    As a result my queries often time out and I cannot access aviationweather.gov to check weather for my flights.
    You can see discussion and network testing of your DNS servers here: https://forum.pfsense.org/index.php?topic=127400.0
    Please forward this to the relevant people and ask them to adjust your DNS server settings to be more efficient and reliable, thank you!
    ncep.awcweb@noaa.gov


  • Rebel Alliance Global Moderator

    Well, just some idiot passing it on. The developers probably have zero to do with the DNS, most likely. And it's a given in your email to them you were using the www ;)

    But hopefully it will work up the chain.