DNS can't find web site
-
I have a Netgate 4100 22.05. My DNS servers are 8.8.8.8 and 8.8.4.4. PCs can get to any web site as expected except one. All PCs are using DHCP from the 4100. We can't get to vsp.virginia.gov. If I change the network config on a Windows 10 PC and set the DNS server to 8.8.8.8, it works. I can get to vsp.virginia.gov from PCs on other non-related networks. So it's not the web site.
In Services->DNS Resolver->General Setting->Custom Options, I added
server:
log-queries: yes
That gives me this...
Oct 28 15:01:25 unbound 78267 [78267:1] info: 192.168.7.7 www.vsp.virginia.gov. AAAA IN
Oct 28 15:01:25 unbound 78267 [78267:0] info: 192.168.7.7 www.vsp.virginia.gov. A IN
....looks the same as other entries that resolve just fine.
I tried Diagnostics->DNS Lookup
DNS Lookup
Hostname: vsp.virginia.gov
Result           Record type
107.162.141.33   A
Name server   Query time
127.0.0.1     164 msec
8.8.8.8       33 msec
8.8.4.4       45 msec
It looks like it finds it to me. So why does just this one (that I know of) URL not resolve for a PC?
I have not restarted the DNS cache yet (Status->Services->unbound->restart). I didn't want to do that during work hours.
Thanks for any help,
David
-
@zinder said in DNS can't find web site:
www.vsp.virginia.gov
Clearly your DNS is finding the FQDN.. it's at 107.162.141.33. That it doesn't load in your browser is not a pfSense DNS issue.
You sure your browser is actually using pfSense for its DNS, and not DoH?
That redirects to here.. https://vsp.virginia.gov/
Loads up fine for me..
-
@zinder FYI on Windows you can use nslookup to specify a DNS server, e.g.:
nslookup vsp.virginia.gov 8.8.8.8
What does that show when run against your pfSense LAN IP?
In the DNS Resolver settings is "Enable Forwarding Mode" checked? If not then unbound looks up the name itself via the root DNS servers.
Windows has a DNS cache also (empty with ipconfig /flushdns).
-
From a RHEL server on that network....
$ nslookup vsp.virginia.gov
Server: 192.168.7.1
Address: 192.168.7.1#53

** server can't find vsp.virginia.gov: SERVFAIL

$ nslookup vsp.virginia.gov 8.8.8.8
Server: 8.8.8.8
Address: 8.8.8.8#53

Non-authoritative answer:
Name: vsp.virginia.gov
Address: 107.162.141.33
-
@zinder said in DNS can't find web site:
** server can't find vsp.virginia.gov: SERVFAIL
Well their dnssec is pretty broken.
https://dnsviz.net/d/vsp.virginia.gov/dnssec/
From what you were posting, it sure looks like you're doing forwarding on pfSense. If you're forwarding you should prob turn off DNSSEC.
Their servers look broken if you ask me. Or they are for sure having issues.
$ dig @199.101.220.20 vsp.virginia.gov

; <<>> DiG 9.16.32 <<>> @199.101.220.20 vsp.virginia.gov
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48423
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 5
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 414979123f7fe71d7e8fe0be635c388dee647210df109640 (good)
;; QUESTION SECTION:
;vsp.virginia.gov.              IN      A

;; ANSWER SECTION:
vsp.virginia.gov.       60      IN      A       107.162.141.33

;; AUTHORITY SECTION:
vsp.virginia.gov.       60      IN      NS      nsb.vsp.virginia.gov.
vsp.virginia.gov.       60      IN      NS      nsd.vsp.virginia.gov.
vsp.virginia.gov.       60      IN      NS      nsc.vsp.virginia.gov.
vsp.virginia.gov.       60      IN      NS      nsa.vsp.virginia.gov.

;; ADDITIONAL SECTION:
nsa.vsp.virginia.gov.   60      IN      A       199.101.220.20
nsb.vsp.virginia.gov.   60      IN      A       199.101.220.22
nsc.vsp.virginia.gov.   60      IN      A       199.101.222.20
nsd.vsp.virginia.gov.   60      IN      A       199.101.222.22

;; Query time: 44 msec
;; SERVER: 199.101.220.20#53(199.101.220.20)
;; WHEN: Fri Oct 28 15:16:14 Central Daylight Time 2022
;; MSG SIZE  rcvd: 225
But a few seconds before that.
$ dig @199.101.222.20 vsp.virginia.gov

; <<>> DiG 9.16.32 <<>> @199.101.222.20 vsp.virginia.gov
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 58086
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 7683443ebcf9ea9126d5c327635c3834cbf0963d7c04a982 (good)
;; QUESTION SECTION:
;vsp.virginia.gov.              IN      A

;; Query time: 45 msec
;; SERVER: 199.101.222.20#53(199.101.222.20)
;; WHEN: Fri Oct 28 15:14:44 Central Daylight Time 2022
;; MSG SIZE  rcvd: 73
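A way to tell whether the SERVFAIL from the pfSense resolver (192.168.7.1 above) comes from DNSSEC validation or from the authoritative servers themselves, as an added example that is not from anyone in this thread: send the same A query twice, once normally and once with the CD (checking disabled) bit set, and compare the RCODEs. It covers both the forwarding-mode question raised earlier and the DNSSEC point in this post; the resolver IP and hostname are taken from the thread, the helper names are my own, and the script builds the raw DNS packets itself so it needs no extra library.

```python
import random
import socket
import struct

RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def build_query(name, txid, checking_disabled=False, qtype=1):
    """Build a DNS/UDP query with EDNS0 (DO bit); optionally set the CD flag."""
    flags = 0x0100 | (0x0010 if checking_disabled else 0)  # RD, plus CD on request
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 1)  # 1 question, 1 OPT RR
    qname = b"".join(bytes([len(l)]) + l.encode("ascii")
                     for l in name.rstrip(".").split(".")) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)  # class IN
    # OPT RR: root name, type 41, UDP size 1232, DO bit in the TTL field, no rdata
    opt = b"\x00" + struct.pack("!HHIH", 41, 1232, 0x00008000, 0)
    return header + question + opt

def parse_rcode(response, expected_txid=None):
    """Return the RCODE name from a DNS response header."""
    txid, flags = struct.unpack("!HH", response[:4])
    if expected_txid is not None and txid != expected_txid:
        raise ValueError("transaction id mismatch")
    if not flags & 0x8000:
        raise ValueError("not a response")
    return RCODES.get(flags & 0x000F, "RCODE%d" % (flags & 0x000F))

def interpret(validated, unvalidated):
    """Classify the pair of results (query without CD, query with CD)."""
    if validated == "SERVFAIL" and unvalidated == "NOERROR":
        return "DNSSEC validation failure (data is served but fails validation)"
    if validated == "SERVFAIL" and unvalidated == "SERVFAIL":
        return "upstream or authoritative failure (not a validation problem)"
    if validated == "NOERROR":
        return "resolves normally"
    return "other: %s / %s" % (validated, unvalidated)

def diagnose(name, resolver, timeout=3.0):
    """Query the resolver twice, once validating and once with CD set."""
    results = []
    for cd in (False, True):
        txid = random.getrandbits(16)  # random ID, as any real client should use
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(build_query(name, txid, checking_disabled=cd), (resolver, 53))
            data, _ = s.recvfrom(4096)
        results.append(parse_rcode(data, txid))
    return interpret(*results)
```

Run `diagnose("vsp.virginia.gov", "192.168.7.1")` from a LAN host; the same comparison with dig is `dig +cd @192.168.7.1 vsp.virginia.gov` against the plain query.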
-
I turned off (unchecked) Services->DNS Resolver->General Setting->Enable DNSSEC Support, but it still doesn't work. If it's a web site problem, there isn't much I can do. The problem is fairly recent. Didn't have a problem last week. I'll see if my customer has a contact for the VSP to look into it.
Thanks for the help
-
@zinder a 60 second TTL on their nameservers.. That is nuts!!! And then you can see a directed query to the server at one point works, and then another time fails with the server responding with an error for its own domain that it's authoritative for.
Maybe they are working through a problem? But as you can see from that link, even when working their dnssec has issues.. If you know someone that manages that dns for them.. Yeah have them check out that link..
If you're not going to do DNSSEC correctly, then you shouldn't be doing it..
edit: just checked on this - both of their NS are failing right now. 10/29 5:45 CDT