Netgate Discussion Forum

    DNS resolve not working for myqnapcloud.com / BAD (HORIZONTAL) REFERRAL / DNS_PROBE_FINISHED_NXDOMAIN

    DHCP and DNS
    • 2
      2malH
      last edited by

      Hi there,
      generally speaking pfSense is working beautifully with DNS resolve set up having 127.0.0.1 as the DNS server. And I wouldn't be here if it wasn't for my new QNAP NAS which has led me to believe that pfSense does resolve everything correctly but myqnapcloud.com. For whatever reason that website just doesn't load for me. As soon as I bypass pfSense (e.g. via a NordVPN connection) the website loads.

      I then started to dig deeper into the problem with the command prompt:

      ; <<>> DiG 9.12.2-P1 <<>> myqnapcloud.com +trace
      ;; global options: +cmd
      .			10613	IN	NS	e.root-servers.net.
      .			10613	IN	NS	f.root-servers.net.
      .			10613	IN	NS	g.root-servers.net.
      .			10613	IN	NS	h.root-servers.net.
      .			10613	IN	NS	i.root-servers.net.
      .			10613	IN	NS	j.root-servers.net.
      .			10613	IN	NS	k.root-servers.net.
      .			10613	IN	NS	l.root-servers.net.
      .			10613	IN	NS	m.root-servers.net.
      .			10613	IN	NS	a.root-servers.net.
      .			10613	IN	NS	b.root-servers.net.
      .			10613	IN	NS	c.root-servers.net.
      .			10613	IN	NS	d.root-servers.net.
      .			10613	IN	RRSIG	NS 8 0 518400 20190513170000 20190430160000 25266 . SWF8vw5Xn/CSH2JCijdb+QY50wM379pp9U8eZ2WlxvALVa181Ct8aqD/ 1UyOkTRy1997mQOM3+m12BU+UMy7nDcLPnrjI68AGdvEm0//D8vSkk8M i1v9JDcpeW5XbrFOhcN38GtMKbHuYOSF1c/p80tkAgonTQqYR+ZqRcar Unqs46aSN83nBlJUAiRDRtn2JBVGfNoSPsj/mrCGIh9N7WEwFARyYo+k EPudcz74WOQOFseDXhD0vL1mx0AdxuQWLoBAcprnqfljCfXcKyWQL4Q5 Pe9xWy5/gMu5tuK9CgHjSdZDdg6UBwS3OF7l0268FQBsfPccJKhbgiTI /diJKg==
      ;; Received 525 bytes from 127.0.0.1#53(127.0.0.1) in 352 ms
      
      .			3600	IN	NS	FWDR-210.FWDR-16.FWDR-95.FWDR-176.
      .			3600	IN	NS	FWDR-251.FWDR-16.FWDR-95.FWDR-176.
      ;; BAD (HORIZONTAL) REFERRAL
      ;; Received 199 bytes from 2001:503:ba3e::2:30#53(a.root-servers.net) in 6 ms
      
      .			3600	IN	NS	FWDR-210.FWDR-16.FWDR-95.FWDR-176.
      .			3600	IN	NS	FWDR-251.FWDR-16.FWDR-95.FWDR-176.
      ;; BAD (HORIZONTAL) REFERRAL
      ;; Received 199 bytes from 134.119.234.146#53(FWDR-251.FWDR-16.FWDR-95.FWDR-176) in 6 ms
      
      .			3600	IN	NS	FWDR-210.FWDR-16.FWDR-95.FWDR-176.
      .			3600	IN	NS	FWDR-251.FWDR-16.FWDR-95.FWDR-176.
      ;; BAD (HORIZONTAL) REFERRAL
      ;; Received 199 bytes from 134.119.234.146#53(FWDR-251.FWDR-16.FWDR-95.FWDR-176) in 5 ms
      
      .			3600	IN	NS	FWDR-210.FWDR-16.FWDR-95.FWDR-176.
      .			3600	IN	NS	FWDR-251.FWDR-16.FWDR-95.FWDR-176.
      ;; BAD (HORIZONTAL) REFERRAL
      ;; Received 199 bytes from 134.119.234.146#53(FWDR-210.FWDR-16.FWDR-95.FWDR-176) in 5 ms
      
      .			3600	IN	NS	FWDR-210.FWDR-16.FWDR-95.FWDR-176.
      .			3600	IN	NS	FWDR-251.FWDR-16.FWDR-95.FWDR-176.
      ;; BAD (HORIZONTAL) REFERRAL
      ;; Received 199 bytes from 2a00:1158:2d:300::92#53(FWDR-251.FWDR-16.FWDR-95.FWDR-176) in 6 ms
      
      .			3600	IN	NS	FWDR-210.FWDR-16.FWDR-95.FWDR-176.
      .			3600	IN	NS	FWDR-251.FWDR-16.FWDR-95.FWDR-176.
      ;; BAD (HORIZONTAL) REFERRAL
      ;; Received 199 bytes from 2a00:1158:2d:300::92#53(FWDR-210.FWDR-16.FWDR-95.FWDR-176) in 5 ms
      
      .			3600	IN	NS	FWDR-210.FWDR-16.FWDR-95.FWDR-176.
      .			3600	IN	NS	FWDR-251.FWDR-16.FWDR-95.FWDR-176.
      ;; BAD (HORIZONTAL) REFERRAL
      ;; Received 199 bytes from 134.119.234.146#53(FWDR-210.FWDR-16.FWDR-95.FWDR-176) in 6 ms
      
      .			3600	IN	NS	FWDR-210.FWDR-16.FWDR-95.FWDR-176.
      .			3600	IN	NS	FWDR-251.FWDR-16.FWDR-95.FWDR-176.
      ;; BAD (HORIZONTAL) REFERRAL
      ;; Received 199 bytes from 2a00:1158:2d:300::92#53(FWDR-251.FWDR-16.FWDR-95.FWDR-176) in 6 ms
      
      .			3600	IN	NS	FWDR-210.FWDR-16.FWDR-95.FWDR-176.
      .			3600	IN	NS	FWDR-251.FWDR-16.FWDR-95.FWDR-176.
      ;; BAD (HORIZONTAL) REFERRAL
      ;; Received 199 bytes from 2a00:1158:2d:300::92#53(FWDR-210.FWDR-16.FWDR-95.FWDR-176) in 6 ms
      
      .			3600	IN	NS	FWDR-210.FWDR-16.FWDR-95.FWDR-176.
      .			3600	IN	NS	FWDR-251.FWDR-16.FWDR-95.FWDR-176.
      ;; BAD (HORIZONTAL) REFERRAL
      ;; Received 199 bytes from 134.119.234.146#53(FWDR-251.FWDR-16.FWDR-95.FWDR-176) in 5 ms
      
      .			3600	IN	NS	FWDR-210.FWDR-16.FWDR-95.FWDR-176.
      .			3600	IN	NS	FWDR-251.FWDR-16.FWDR-95.FWDR-176.
      ;; BAD (HORIZONTAL) REFERRAL
      ;; Received 199 bytes from 2a00:1158:2d:300::92#53(FWDR-210.FWDR-16.FWDR-95.FWDR-176) in 6 ms
      
      .			3600	IN	NS	FWDR-210.FWDR-16.FWDR-95.FWDR-176.
      .			3600	IN	NS	FWDR-251.FWDR-16.FWDR-95.FWDR-176.
      ;; BAD (HORIZONTAL) REFERRAL
      ;; Received 199 bytes from 134.119.234.146#53(FWDR-251.FWDR-16.FWDR-95.FWDR-176) in 6 ms
      
      .			3600	IN	NS	FWDR-210.FWDR-16.FWDR-95.FWDR-176.
      .			3600	IN	NS	FWDR-251.FWDR-16.FWDR-95.FWDR-176.
      ;; BAD (HORIZONTAL) REFERRAL
      ;; Received 199 bytes from 2a00:1158:2d:300::92#53(FWDR-210.FWDR-16.FWDR-95.FWDR-176) in 5 ms
      
      .			3600	IN	NS	FWDR-210.FWDR-16.FWDR-95.FWDR-176.
      .			3600	IN	NS	FWDR-251.FWDR-16.FWDR-95.FWDR-176.
      ;; BAD (HORIZONTAL) REFERRAL
      ;; Received 199 bytes from 2a00:1158:2d:300::92#53(FWDR-251.FWDR-16.FWDR-95.FWDR-176) in 6 ms
      
      .			3600	IN	NS	FWDR-210.FWDR-16.FWDR-95.FWDR-176.
      .			3600	IN	NS	FWDR-251.FWDR-16.FWDR-95.FWDR-176.
      ;; BAD (HORIZONTAL) REFERRAL
      ;; Received 199 bytes from 134.119.234.146#53(FWDR-210.FWDR-16.FWDR-95.FWDR-176) in 6 ms
      
      .			3600	IN	NS	FWDR-210.FWDR-16.FWDR-95.FWDR-176.
      .			3600	IN	NS	FWDR-251.FWDR-16.FWDR-95.FWDR-176.
      ;; BAD (HORIZONTAL) REFERRAL
      ;; Received 199 bytes from 134.119.234.146#53(FWDR-210.FWDR-16.FWDR-95.FWDR-176) in 6 ms
      
      .			3600	IN	NS	FWDR-210.FWDR-16.FWDR-95.FWDR-176.
      .			3600	IN	NS	FWDR-251.FWDR-16.FWDR-95.FWDR-176.
      ;; BAD (HORIZONTAL) REFERRAL
      ;; Received 199 bytes from 2a00:1158:2d:300::92#53(FWDR-210.FWDR-16.FWDR-95.FWDR-176) in 5 ms
      
      .			3600	IN	NS	FWDR-210.FWDR-16.FWDR-95.FWDR-176.
      .			3600	IN	NS	FWDR-251.FWDR-16.FWDR-95.FWDR-176.
      ;; BAD (HORIZONTAL) REFERRAL
      ;; Received 199 bytes from 2a00:1158:2d:300::92#53(FWDR-210.FWDR-16.FWDR-95.FWDR-176) in 5 ms
      
      .			3600	IN	NS	FWDR-210.FWDR-16.FWDR-95.FWDR-176.
      .			3600	IN	NS	FWDR-251.FWDR-16.FWDR-95.FWDR-176.
      ;; BAD (HORIZONTAL) REFERRAL
      ;; Received 199 bytes from 134.119.234.146#53(FWDR-251.FWDR-16.FWDR-95.FWDR-176) in 6 ms
      
      .			3600	IN	NS	FWDR-210.FWDR-16.FWDR-95.FWDR-176.
      .			3600	IN	NS	FWDR-251.FWDR-16.FWDR-95.FWDR-176.
      ;; BAD (HORIZONTAL) REFERRAL
      ;; Received 199 bytes from 2a00:1158:2d:300::92#53(FWDR-210.FWDR-16.FWDR-95.FWDR-176) in 5 ms
      
      .			3600	IN	NS	FWDR-210.FWDR-16.FWDR-95.FWDR-176.
      .			3600	IN	NS	FWDR-251.FWDR-16.FWDR-95.FWDR-176.
      ;; BAD (HORIZONTAL) REFERRAL
      ;; Received 199 bytes from 134.119.234.146#53(FWDR-210.FWDR-16.FWDR-95.FWDR-176) in 5 ms
      
      .			3600	IN	NS	FWDR-210.FWDR-16.FWDR-95.FWDR-176.
      .			3600	IN	NS	FWDR-251.FWDR-16.FWDR-95.FWDR-176.
      ;; BAD (HORIZONTAL) REFERRAL
      ;; Received 199 bytes from 134.119.234.146#53(FWDR-210.FWDR-16.FWDR-95.FWDR-176) in 6 ms
      
      .			3600	IN	NS	FWDR-210.FWDR-16.FWDR-95.FWDR-176.
      .			3600	IN	NS	FWDR-251.FWDR-16.FWDR-95.FWDR-176.
      ;; BAD (HORIZONTAL) REFERRAL
      ;; Received 199 bytes from 134.119.234.146#53(FWDR-210.FWDR-16.FWDR-95.FWDR-176) in 5 ms
      
      .			3600	IN	NS	FWDR-210.FWDR-16.FWDR-95.FWDR-176.
      .			3600	IN	NS	FWDR-251.FWDR-16.FWDR-95.FWDR-176.
      ;; BAD (HORIZONTAL) REFERRAL
      ;; Received 199 bytes from 2a00:1158:2d:300::92#53(FWDR-210.FWDR-16.FWDR-95.FWDR-176) in 5 ms
      
      .			3600	IN	NS	FWDR-210.FWDR-16.FWDR-95.FWDR-176.
      .			3600	IN	NS	FWDR-251.FWDR-16.FWDR-95.FWDR-176.
      ;; BAD (HORIZONTAL) REFERRAL
      ;; Received 199 bytes from 2a00:1158:2d:300::92#53(FWDR-210.FWDR-16.FWDR-95.FWDR-176) in 6 ms
      
      .			3600	IN	NS	FWDR-210.FWDR-16.FWDR-95.FWDR-176.
      .			3600	IN	NS	FWDR-251.FWDR-16.FWDR-95.FWDR-176.
      ;; BAD (HORIZONTAL) REFERRAL
      ;; Received 199 bytes from 2a00:1158:2d:300::92#53(FWDR-210.FWDR-16.FWDR-95.FWDR-176) in 5 ms
      
      .			3600	IN	NS	FWDR-210.FWDR-16.FWDR-95.FWDR-176.
      .			3600	IN	NS	FWDR-251.FWDR-16.FWDR-95.FWDR-176.
      ;; BAD (HORIZONTAL) REFERRAL
      ;; Received 199 bytes from 134.119.234.146#53(FWDR-251.FWDR-16.FWDR-95.FWDR-176) in 6 ms
      
      .			3600	IN	NS	FWDR-210.FWDR-16.FWDR-95.FWDR-176.
      .			3600	IN	NS	FWDR-251.FWDR-16.FWDR-95.FWDR-176.
      ;; BAD (HORIZONTAL) REFERRAL
      ;; Received 199 bytes from 2a00:1158:2d:300::92#53(FWDR-251.FWDR-16.FWDR-95.FWDR-176) in 5 ms
      
      .			3600	IN	NS	FWDR-210.FWDR-16.FWDR-95.FWDR-176.
      .			3600	IN	NS	FWDR-251.FWDR-16.FWDR-95.FWDR-176.
      ;; BAD (HORIZONTAL) REFERRAL
      ;; Received 199 bytes from 2a00:1158:2d:300::92#53(FWDR-251.FWDR-16.FWDR-95.FWDR-176) in 5 ms
      
      .			3600	IN	NS	FWDR-210.FWDR-16.FWDR-95.FWDR-176.
      .			3600	IN	NS	FWDR-251.FWDR-16.FWDR-95.FWDR-176.
      ;; BAD (HORIZONTAL) REFERRAL
      ;; Received 199 bytes from 2a00:1158:2d:300::92#53(FWDR-210.FWDR-16.FWDR-95.FWDR-176) in 5 ms
      
      .			3600	IN	NS	FWDR-210.FWDR-16.FWDR-95.FWDR-176.
      .			3600	IN	NS	FWDR-251.FWDR-16.FWDR-95.FWDR-176.
      ;; BAD (HORIZONTAL) REFERRAL
      ;; Received 199 bytes from 2a00:1158:2d:300::92#53(FWDR-210.FWDR-16.FWDR-95.FWDR-176) in 5 ms
      
      .			3600	IN	NS	FWDR-210.FWDR-16.FWDR-95.FWDR-176.
      .			3600	IN	NS	FWDR-251.FWDR-16.FWDR-95.FWDR-176.
      ;; BAD (HORIZONTAL) REFERRAL
      dig: too many lookups
      

      Does anyone have a clue what might cause this prob?

      Weird part for me is that the DNS lookup shows this for myqnapcloud.com

      Results
      Result	Record type
      134.119.234.146	A
      2a00:1158:2d:300::92	AAAA
      Timings
      Name server	Query time
      127.0.0.1	408 msec
      
      

      So everything seems to be fine - except for the very slow lookup...

      Any idea on how to get this working? Or is it my ISP that blocks this very single domain? Again - everything else seems to be working just fine...

      Thanks!

      • johnpozJ
        johnpoz LAYER 8 Global Moderator
        last edited by

        @2malH said in DNS resolve not working for myqnapcloud.com / BAD (HORIZONTAL) REFERRAL / DNS_PROBE_FINISHED_NXDOMAIN:

        BAD (HORIZONTAL) REFERRAL

        That is your problem right there... their dns is Messed up!!

        Tell them to fix it.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

        • 2
          2malH
          last edited by

          @johnpoz said in DNS resolve not working for myqnapcloud.com / BAD (HORIZONTAL) REFERRAL / DNS_PROBE_FINISHED_NXDOMAIN:

          That is your problem right there... their dns is Messed up!!
          Tell them to fix it.

          Ok, but how come that probably every one of you can access the website normally? Even I don't have a problem as soon as I use a VPN or some other internet connection (e.g. at work)? Shouldn't the problem be more consistent and affect a lot of you?

          Can you give it a try and dig myqnapcloud.com? Do you get the same error?

          Best

          • johnpozJ
            johnpoz LAYER 8 Global Moderator
            last edited by johnpoz

            Because they have more than just the 1 NS that is bad.. Look up what BAD (HORIZONTAL) REFERRAL is, and you will understand why it takes long to resolve. So at some point you will ask one that is not messed up - you hope ;)

            I am not showing the bad referral currently - maybe they fixed it.

            $ dig myqnapcloud.com +trace
            
            ; <<>> DiG 9.14.1 <<>> myqnapcloud.com +trace
            ;; global options: +cmd
            .                       513331  IN      NS      a.root-servers.net.
            .                       513331  IN      NS      b.root-servers.net.
            .                       513331  IN      NS      c.root-servers.net.
            .                       513331  IN      NS      d.root-servers.net.
            .                       513331  IN      NS      e.root-servers.net.
            .                       513331  IN      NS      f.root-servers.net.
            .                       513331  IN      NS      g.root-servers.net.
            .                       513331  IN      NS      h.root-servers.net.
            .                       513331  IN      NS      i.root-servers.net.
            .                       513331  IN      NS      j.root-servers.net.
            .                       513331  IN      NS      k.root-servers.net.
            .                       513331  IN      NS      l.root-servers.net.
            .                       513331  IN      NS      m.root-servers.net.
            .                       513331  IN      RRSIG   NS 8 0 518400 20190514050000 20190501040000 25266 . gWLhIIlCXy2zjctMKEaq6yMW5qqybxOyfITJyiGeIqe5JwBOpikWxAr2 UkHOt62FKx95+6NE3MAfio1TATbJBuEp8jk6efpaSzg3L67w7R2lkmuw +7v3jXMUacSneyAoPYpvYGKrFEAJYPNkMq5wC2JItrlrcdDo0gRUkqsa dX/OlLffdIqprGiA9u3vIbYHqr9d2w1N/c9OCAtya9Q47RVRvfuqLF3b HcvrxMKErUBxU/XT9vZEpB7pNjuqBtExSiXJfXGSW/UG1FPvKvFXuna0 Xsysn4ng9rdqaAo9l6Gy1csjiSewFkOE8/mbAH+JSdIz+Vl4eaPcIshH vZZ9Vw==
            ;; Received 525 bytes from 192.168.3.10#53(192.168.3.10) in 4 ms
            
            com.                    172800  IN      NS      a.gtld-servers.net.
            com.                    172800  IN      NS      b.gtld-servers.net.
            com.                    172800  IN      NS      c.gtld-servers.net.
            com.                    172800  IN      NS      d.gtld-servers.net.
            com.                    172800  IN      NS      e.gtld-servers.net.
            com.                    172800  IN      NS      f.gtld-servers.net.
            com.                    172800  IN      NS      g.gtld-servers.net.
            com.                    172800  IN      NS      h.gtld-servers.net.
            com.                    172800  IN      NS      i.gtld-servers.net.
            com.                    172800  IN      NS      j.gtld-servers.net.
            com.                    172800  IN      NS      k.gtld-servers.net.
            com.                    172800  IN      NS      l.gtld-servers.net.
            com.                    172800  IN      NS      m.gtld-servers.net.
            com.                    86400   IN      DS      30909 8 2 E2D3C916F6DEEAC73294E8268FB5885044A833FC5459588F4A9184CF C41A5766
            com.                    86400   IN      RRSIG   DS 8 1 86400 20190514050000 20190501040000 25266 . hqntIonG1oYwh0IBiyFMEBxXcoM4nT50RKYipJEY4Y+3choMpTTvRooM 7qjfO9Mg7igNSpDbkEkFsE5wqQVJoWAJQoaPKsLRpd/m2k4e13SGwnBj D41XnV/cuPJM7NGLkDPmXTND2Mb4LFlDfHXs/uZHMMKGq6zQ0QuTuTEu d1//gYJAjeKXg1+FA2bbVb+8XyuRuPELRLMsW8ee0mOZ6ep51rkDTz8C 8eieHg61l0mzvi5TAgSXxIm4n9yuZm3zxRfzF6Wm1gS+t2+/2/xzn1m7 0z1PFrYghjfCeCWRE1a5vuknZZf+kX8+vL/w/6zU99TQO58fo3vHXNxN PGDSgg==
            ;; Received 1175 bytes from 198.97.190.53#53(h.root-servers.net) in 37 ms
            
            myqnapcloud.com.        172800  IN      NS      ns1.myqnapcloud.com.
            myqnapcloud.com.        172800  IN      NS      ns2.myqnapcloud.com.
            myqnapcloud.com.        172800  IN      NS      ns3.myqnapcloud.com.
            myqnapcloud.com.        172800  IN      NS      ns4.myqnapcloud.com.
            myqnapcloud.com.        172800  IN      NS      ns5.myqnapcloud.com.
            CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 86400 IN NSEC3 1 1 0 - CK0Q1GIN43N1ARRC9OSM6QPQR81H5M9A NS SOA RRSIG DNSKEY NSEC3PARAM
            CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 86400 IN RRSIG NSEC3 8 2 86400 20190507044623 20190430033623 3800 com. ZWSnZB06wOOR3wRuwQ2TxRtYLRqLVO6n8OHM7LrFAsD9DK9jt5fdQaqw IZpPVvpANnrD/9y62Bm3P2JDmkWg3LZejd+qLusIz1va1cnNOa9aP+Qt 8xQuvGfGuCQpHC0nK41HIXCywVwA2PYA5K4VFFKKywbIt5Up+LVruXiu dDM=
            SM01VTTAG5UUJ0SMNI2D1KV26CS81TJP.com. 86400 IN NSEC3 1 1 0 - SM0437O8K1FEEAHCU7OJAO1DOPMKQFBS NS DS RRSIG
            SM01VTTAG5UUJ0SMNI2D1KV26CS81TJP.com. 86400 IN RRSIG NSEC3 8 2 86400 20190505044344 20190428033344 3800 com. cIqEiKJZPinfkrpJcgBFv4jFGYq9eDdBtsfRHjxc80Rg609GVDcrZDok Lqzw1uWM80TYZH1glYV/vvqLpA5/DklbRuAkxIpnjtlgxqB97B6DHT+6 jwETBE/xHD+1Kbdorgbs58x33jdDAf9CXb52Zf+J7jqTui0dxWGUcaOU 50E=
            ;; Received 699 bytes from 192.42.93.30#53(g.gtld-servers.net) in 34 ms
            
            myqnapcloud.com.        3600    IN      CNAME   qcloud-pr-frontend-1025300009.us-east-1.elb.amazonaws.com.
            ;; Received 112 bytes from 96.126.116.73#53(ns5.myqnapcloud.com) in 38 ms
            

            Here is the trace to the cname

            $ dig qcloud-pr-frontend-1025300009.us-east-1.elb.amazonaws.com +trace
            
            ; <<>> DiG 9.14.1 <<>> qcloud-pr-frontend-1025300009.us-east-1.elb.amazonaws.com +trace
            ;; global options: +cmd
            .                       513218  IN      NS      a.root-servers.net.
            .                       513218  IN      NS      b.root-servers.net.
            .                       513218  IN      NS      c.root-servers.net.
            .                       513218  IN      NS      d.root-servers.net.
            .                       513218  IN      NS      e.root-servers.net.
            .                       513218  IN      NS      f.root-servers.net.
            .                       513218  IN      NS      g.root-servers.net.
            .                       513218  IN      NS      h.root-servers.net.
            .                       513218  IN      NS      i.root-servers.net.
            .                       513218  IN      NS      j.root-servers.net.
            .                       513218  IN      NS      k.root-servers.net.
            .                       513218  IN      NS      l.root-servers.net.
            .                       513218  IN      NS      m.root-servers.net.
            .                       513218  IN      RRSIG   NS 8 0 518400 20190514050000 20190501040000 25266 . gWLhIIlCXy2zjctMKEaq6yMW5qqybxOyfITJyiGeIqe5JwBOpikWxAr2 UkHOt62FKx95+6NE3MAfio1TATbJBuEp8jk6efpaSzg3L67w7R2lkmuw +7v3jXMUacSneyAoPYpvYGKrFEAJYPNkMq5wC2JItrlrcdDo0gRUkqsa dX/OlLffdIqprGiA9u3vIbYHqr9d2w1N/c9OCAtya9Q47RVRvfuqLF3b HcvrxMKErUBxU/XT9vZEpB7pNjuqBtExSiXJfXGSW/UG1FPvKvFXuna0 Xsysn4ng9rdqaAo9l6Gy1csjiSewFkOE8/mbAH+JSdIz+Vl4eaPcIshH vZZ9Vw==
            ;; Received 525 bytes from 192.168.3.10#53(192.168.3.10) in 2 ms
            
            com.                    172800  IN      NS      l.gtld-servers.net.
            com.                    172800  IN      NS      b.gtld-servers.net.
            com.                    172800  IN      NS      c.gtld-servers.net.
            com.                    172800  IN      NS      d.gtld-servers.net.
            com.                    172800  IN      NS      e.gtld-servers.net.
            com.                    172800  IN      NS      f.gtld-servers.net.
            com.                    172800  IN      NS      g.gtld-servers.net.
            com.                    172800  IN      NS      a.gtld-servers.net.
            com.                    172800  IN      NS      h.gtld-servers.net.
            com.                    172800  IN      NS      i.gtld-servers.net.
            com.                    172800  IN      NS      j.gtld-servers.net.
            com.                    172800  IN      NS      k.gtld-servers.net.
            com.                    172800  IN      NS      m.gtld-servers.net.
            com.                    86400   IN      DS      30909 8 2 E2D3C916F6DEEAC73294E8268FB5885044A833FC5459588F4A9184CF C41A5766
            com.                    86400   IN      RRSIG   DS 8 1 86400 20190514050000 20190501040000 25266 . hqntIonG1oYwh0IBiyFMEBxXcoM4nT50RKYipJEY4Y+3choMpTTvRooM 7qjfO9Mg7igNSpDbkEkFsE5wqQVJoWAJQoaPKsLRpd/m2k4e13SGwnBj D41XnV/cuPJM7NGLkDPmXTND2Mb4LFlDfHXs/uZHMMKGq6zQ0QuTuTEu d1//gYJAjeKXg1+FA2bbVb+8XyuRuPELRLMsW8ee0mOZ6ep51rkDTz8C 8eieHg61l0mzvi5TAgSXxIm4n9yuZm3zxRfzF6Wm1gS+t2+/2/xzn1m7 0z1PFrYghjfCeCWRE1a5vuknZZf+kX8+vL/w/6zU99TQO58fo3vHXNxN PGDSgg==
            ;; Received 1217 bytes from 192.5.5.241#53(f.root-servers.net) in 50 ms
            
            amazonaws.com.          172800  IN      NS      u1.amazonaws.com.
            amazonaws.com.          172800  IN      NS      u2.amazonaws.com.
            amazonaws.com.          172800  IN      NS      r1.amazonaws.com.
            amazonaws.com.          172800  IN      NS      r2.amazonaws.com.
            CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 86400 IN NSEC3 1 1 0 - CK0Q1GIN43N1ARRC9OSM6QPQR81H5M9A NS SOA RRSIG DNSKEY NSEC3PARAM
            CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 86400 IN RRSIG NSEC3 8 2 86400 20190507044623 20190430033623 3800 com. ZWSnZB06wOOR3wRuwQ2TxRtYLRqLVO6n8OHM7LrFAsD9DK9jt5fdQaqw IZpPVvpANnrD/9y62Bm3P2JDmkWg3LZejd+qLusIz1va1cnNOa9aP+Qt 8xQuvGfGuCQpHC0nK41HIXCywVwA2PYA5K4VFFKKywbIt5Up+LVruXiu dDM=
            F1RGNA383QHEJVT6VN8TMLODBHCA40FL.com. 86400 IN NSEC3 1 1 0 - F1RIDHD6MF1BTTPJS3NHNL72GAFL9FKA NS DS RRSIG
            F1RGNA383QHEJVT6VN8TMLODBHCA40FL.com. 86400 IN RRSIG NSEC3 8 2 86400 20190507044108 20190430033108 3800 com. NFNZJL1CsYYFz60PS2FxG/WhyZBl7K1NJqxuDn+WOoEf50XhKL5YMXcA TXQ/5wrGbiTov7+ruJJdltVFcqVerzDN0Jd4X/LDJC5ly2z0Y0AfUrNR IPOaNoF1MlX0swbTGNY23I4O0JWxDcutrNliG/DMKeYKcSoelve+U5MN 9G0=
            ;; Received 815 bytes from 192.42.93.30#53(g.gtld-servers.net) in 31 ms
            
            us-east-1.elb.amazonaws.com. 300 IN     NS      ns-1119.awsdns-11.org.
            us-east-1.elb.amazonaws.com. 300 IN     NS      ns-934.awsdns-52.net.
            us-east-1.elb.amazonaws.com. 300 IN     NS      ns-235.awsdns-29.com.
            us-east-1.elb.amazonaws.com. 300 IN     NS      ns-1793.awsdns-32.co.uk.
            ;; Received 223 bytes from 156.154.65.10#53(u2.amazonaws.com) in 40 ms
            
            qcloud-pr-frontend-1025300009.us-east-1.elb.amazonaws.com. 60 IN A 54.88.158.19
            qcloud-pr-frontend-1025300009.us-east-1.elb.amazonaws.com. 60 IN A 34.199.119.250
            qcloud-pr-frontend-1025300009.us-east-1.elb.amazonaws.com. 60 IN A 52.72.143.22
            qcloud-pr-frontend-1025300009.us-east-1.elb.amazonaws.com. 60 IN A 52.87.45.75
            qcloud-pr-frontend-1025300009.us-east-1.elb.amazonaws.com. 60 IN A 18.235.66.78
            qcloud-pr-frontend-1025300009.us-east-1.elb.amazonaws.com. 60 IN A 54.88.230.244
            us-east-1.elb.amazonaws.com. 1800 IN    NS      ns-1119.awsdns-11.org.
            us-east-1.elb.amazonaws.com. 1800 IN    NS      ns-1793.awsdns-32.co.uk.
            us-east-1.elb.amazonaws.com. 1800 IN    NS      ns-235.awsdns-29.com.
            us-east-1.elb.amazonaws.com. 1800 IN    NS      ns-934.awsdns-52.net.
            ;; Received 319 bytes from 205.251.199.1#53(ns-1793.awsdns-32.co.uk) in 12 ms
            

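The check behind dig's BAD (HORIZONTAL) REFERRAL message, as an added example that is not part of the thread: this Python sketch parses `dig +trace` output and classifies each hop by whether its NS records descend toward the queried name. The sample traces are abbreviated from the ones posted in this thread; the function names and verdict labels are this example's own, and the rule is a simplified model of what dig reports, not dig's source.

```python
import re

RECORD = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s*(.*)$")
RECEIVED = re.compile(r"^;; Received \d+ bytes from (\S+)#\d+\((\S+?)\)")
ANSWER_TYPES = {"A", "AAAA", "CNAME"}

# Constructed samples, abbreviated from the traces posted in the thread.
BROKEN = """\
.  10613 IN NS a.root-servers.net.
;; Received 525 bytes from 127.0.0.1#53(127.0.0.1) in 352 ms

.  3600 IN NS FWDR-210.FWDR-16.FWDR-95.FWDR-176.
.  3600 IN NS FWDR-251.FWDR-16.FWDR-95.FWDR-176.
;; BAD (HORIZONTAL) REFERRAL
;; Received 199 bytes from 2001:503:ba3e::2:30#53(a.root-servers.net) in 6 ms

.  3600 IN NS FWDR-210.FWDR-16.FWDR-95.FWDR-176.
;; BAD (HORIZONTAL) REFERRAL
dig: too many lookups
"""
HEALTHY = """\
.  513331 IN NS a.root-servers.net.
;; Received 525 bytes from 192.168.3.10#53(192.168.3.10) in 4 ms

com.  172800 IN NS a.gtld-servers.net.
;; Received 1175 bytes from 198.97.190.53#53(h.root-servers.net) in 37 ms

myqnapcloud.com.  172800 IN NS ns1.myqnapcloud.com.
;; Received 699 bytes from 192.42.93.30#53(g.gtld-servers.net) in 34 ms

myqnapcloud.com.  3600 IN CNAME qcloud-pr-frontend-1025300009.us-east-1.elb.amazonaws.com.
;; Received 112 bytes from 96.126.116.73#53(ns5.myqnapcloud.com) in 38 ms
"""
EMPTY = """\
.  4110 IN NS a.root-servers.net.
;; Received 525 bytes from 127.0.0.1#53(127.0.0.1) in 0 ms

;; Received 33 bytes from 2001:503:ba3e::2:30#53(a.root-servers.net) in 0 ms
"""

def norm(name):
    """Lower-case a DNS name and make it fully qualified."""
    name = name.lower()
    return name if name.endswith(".") else name + "."

def labels(name):
    return [part for part in norm(name).split(".") if part]

def is_below(child, parent):
    """True when child is a proper subdomain of parent ('.' is above everything)."""
    c, p = labels(child), labels(parent)
    return len(c) > len(p) and c[len(c) - len(p):] == p

def parse_trace(text):
    """Split the output into hops; each hop is the records before a 'Received' line."""
    hops, records = [], []
    for line in text.splitlines():
        line = line.strip()
        m = RECEIVED.match(line)
        if m:
            hops.append({"server": m.group(2), "records": records})
            records = []
        elif line and not line.startswith(";"):
            m = RECORD.match(line)
            if m:
                records.append((norm(m.group(1)), m.group(3).upper(), m.group(4)))
    if records:  # trace aborted ("too many lookups") before a Received line
        hops.append({"server": None, "records": records})
    return hops

def classify_trace(text, qname):
    """Return (server, zone, verdict) per hop. Verdict is one of priming, ok,
    answer, horizontal (same zone handed back), bad (does not lead toward
    qname) or empty (no records at all)."""
    qname, zone, verdicts = norm(qname), ".", []
    for i, hop in enumerate(parse_trace(text)):
        recs = hop["records"]
        ns_owners = [owner for owner, rtype, _ in recs if rtype == "NS"]
        if i == 0:  # root NS list obtained from the local resolver
            verdict, owner = "priming", "."
        elif any(o == qname and t in ANSWER_TYPES for o, t, _ in recs):
            verdict, owner = "answer", qname
        elif not ns_owners:
            verdict, owner = "empty", zone
        else:
            owner = ns_owners[0]
            if owner == zone:
                verdict = "horizontal"
            elif is_below(owner, zone) and (owner == qname or is_below(qname, owner)):
                verdict, zone = "ok", owner  # delegation moved one step closer
            else:
                verdict = "bad"
        verdicts.append((hop["server"], owner, verdict))
    return verdicts

if __name__ == "__main__":
    for label, trace in (("broken", BROKEN), ("healthy", HEALTHY), ("empty", EMPTY)):
        print(label, classify_trace(trace, "myqnapcloud.com"))
```
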
            • 2
              2malH
              last edited by

              @johnpoz said in DNS resolve not working for myqnapcloud.com / BAD (HORIZONTAL) REFERRAL / DNS_PROBE_FINISHED_NXDOMAIN:

              Because they have more than just the 1 NS that is bad.. Look up what BAD (HORIZONTAL) REFERRAL is, and you will understand why it takes long to resolve. So at some point you will ask one that is not messed up - you hope ;)

              Last week I was working from a different office with the QNAP connected to the internet perfectly. Didn't have any problem at all. Yesterday I moved back to my office and things went back to normal - as it still couldn't connect to myqnapcloud.com ... ☹

              I've tried a couple of things: deactivated pfBlockerNG, activated DNS forward and cloudflare / 1.1.1.1 as DNS server, but had no luck. However the DNS lookup in pfSense seemed to work fine:

              Result	Record type
              134.119.234.146	A
              2a00:1158:2d:300::92	AAAA
              
              Timings
              Name server	Query time
              127.0.0.1	0 msec
              

              A quick dig +trace request for myqnapcloud.com showed that the server now should be accessible ...

              ; <<>> DiG 9.12.2-P1 <<>> myqnapcloud.com +trace
              ;; global options: +cmd
              .			4110	IN	NS	b.root-servers.net.
              .			4110	IN	NS	c.root-servers.net.
              .			4110	IN	NS	d.root-servers.net.
              .			4110	IN	NS	e.root-servers.net.
              .			4110	IN	NS	f.root-servers.net.
              .			4110	IN	NS	g.root-servers.net.
              .			4110	IN	NS	h.root-servers.net.
              .			4110	IN	NS	i.root-servers.net.
              .			4110	IN	NS	j.root-servers.net.
              .			4110	IN	NS	k.root-servers.net.
              .			4110	IN	NS	l.root-servers.net.
              .			4110	IN	NS	m.root-servers.net.
              .			4110	IN	NS	a.root-servers.net.
              .			4110	IN	RRSIG	NS 8 0 518400 20190524050000 20190511040000 25266 . leL+o85B8ut1GEnW7WDNVsfXCu2IxLascTfkIgOGlUCwYhG/+/7SBcRq uMuJzmwu9b0OhI8qtXBqekl3JlgcL1b+ZcgHj856044HIa9xfhE2dTHq Zjgs5/mj9ya6PAScO1m56FTydsR2iB1PAAbqzOMB/XF/gADfl2R4ZKby TaXFh/YV29K4jJwRXVIGJxCLEERRkE0i8JCWc365Ttp1atxDbnwiCdfC 3I64tcIjq8b/cdLVaAL71U4ajNh8JoclKrIa3cebtvwSSriMoFffe5QD rqQsZXL+XZQ4x2KUHy8CVn29W9rf6wjn1wjrf+gzxWl6kqhq04fpKm/G RcePJw==
              ;; Received 525 bytes from 127.0.0.1#53(127.0.0.1) in 0 ms
              
              ;; Received 33 bytes from 2001:503:ba3e::2:30#53(a.root-servers.net) in 0 ms
              

              But I still couldn't access it. So I looked up "RRSIG" and read something about DNSSEC. I then deactivated the DNSSEC support in the DNS Resolver. Now it's working but I don't really know if I like the fact that I've had to disable it. Is there any way around it? Or maybe some kind of setting that helps me to enable it for all the other websites but myqnapcloud.com?

              And by the way: This is in my custom options:

              server:
              ssl-upstream: yes
              do-tcp: yes
              forward-zone:
                  name: "." 
                  forward-addr: 1.1.1.1@853
                  forward-addr: 1.0.0.1@853
                  forward-addr: 2606:4700:4700::1111@853
                  forward-addr: 2606:4700:4700::1001@853
              server:include: /var/unbound/pfb_dnsbl.*conf
              log-queries: yes
              

              I can't recall if 1.1.1.1 and 1.0.0.1 were in there before or if it changed while searching for an alternative approach to make it work. Basically I just want to have pfSense to resolve DNS, thus using localhost/127.0.0.1 - should I remove the forward-zone part?

              Thanks a ton!

              • johnpozJ
                johnpoz LAYER 8 Global Moderator
                last edited by johnpoz

                Dude you're using tls, you cannot resolve if you're going to use tls

                That domain is still all jacked up - it's a MESS..

                They got rid of the horizontal - but they still have delegation problems

                amazonaws.com to us-east-1.elb.amazonaws.com: The server(s) for the parent zone (amazonaws.com) responded with a referral instead of answering authoritatively for the DS RR type. (205.251.192.27, 205.251.195.199, 2600:9000:5300:1b00::1, 2600:9000:5303:c700::1, UDP_-_EDNS0_4096_D_K)
                

                And they have AAAA for their NS, but no glue for them.

                They are still resolving and having no issues with dnssec enabled on them.. But in your setup you posted you're forwarding over tls for everything. If you "forward" having dnssec enabled it is pointless.. If you forward - where you forward to is either doing dnssec or they are not, having it enabled in unbound would just cause extra queries and provide nothing.

                having dnssec enabled only makes sense when you resolve..

                • 2
                  2malH
                  last edited by

                  @johnpoz said in DNS resolve not working for myqnapcloud.com / BAD (HORIZONTAL) REFERRAL / DNS_PROBE_FINISHED_NXDOMAIN:

                  They are still resolving and having no issues with dnssec enabled on them.. But in your setup you posted you're forwarding over tls for everything. If you "forward" having dnssec enabled it is pointless.. If you forward - where you forward to is either doing dnssec or they are not, having it enabled in unbound would just cause extra queries and provide nothing.
                  having dnssec enabled only makes sense when you resolve..

                  Hey Johnpoz,

                  thanks for getting back to me. Just to get this right: I didn't mean to forward everything over TLS. I just tried everything to get the domain myqnapcloud.com to work. I now hope to have the resolver back in place and working. But I'm really unsure about the "forward-zones" part in custom options. Do you mean that? Should I just delete it? Or is there anything else I have to switch to have the DNS resolver working like it should be?

                  Thanks!

                  • johnpozJ
                    johnpoz LAYER 8 Global Moderator
                    last edited by

                    You should remove everything from options - and why exactly are you using pfblocker? Remove that until you are sure resolving is working how it should... Default out of the box settings are fine.

                    If you have 1 bad domain that you have issues to resolve - you could always just do a domain override for that specific domain..
