Netgate Discussion Forum

    Need help - can't reach website by FQDN or the IP Address

      butthurtmagoo

      Have a pfSense router at a client location. They are trying to access this website -> https://sp5.servicept.com/YCHMIS/com.bowmansystems.sp5.core.ServicePoint/index.html which resolves to IP address 74.206.113.62

      The client cannot reach the website. They are getting the DNS_PROBE_FINISHED_NXDOMAIN error. I have tried changing the DNS on the pfSense router to 1.1.1.1 and 8.8.8.8 and it still doesn't work. I have tried the ping interface on the pfSense router trying to ping sp5.servicept.com and 74.206.113.62 and they both come back with 100% packet loss and no response. However, I can access the website at my house (which is on Ubiquiti platform) and their other office that uses Ubiquiti has no problem. So the problem seems to be with the pfSense router in some way. Can anyone help me and point me in the right direction? Thanks!

        michmoor LAYER 8 Rebel Alliance @butthurtmagoo

        @butthurtmagoo
        What DNS server is the client pointed to?
        Are you doing any DNS sinkholing at the client site?

        Firewall: NetGate,Palo Alto-VM,Juniper SRX
        Routing: Juniper, Arista, Cisco
        Switching: Juniper, Arista, Cisco
        Wireless: Unifi, Aruba IAP
        JNCIP,CCNP Enterprise

          stephenw10 Netgate Administrator

          That FQDN appears to be broken:

          [2.7.0-RC][root@m470-3.stevew.lan]/root: dig @8.8.8.8 sp5.servicept.com
          
          ; <<>> DiG 9.18.14 <<>> @8.8.8.8 sp5.servicept.com
          ; (1 server found)
          ;; global options: +cmd
          ;; Got answer:
          ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 11221
          ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
          
          ;; OPT PSEUDOSECTION:
          ; EDNS: version: 0, flags:; udp: 512
          ;; QUESTION SECTION:
          ;sp5.servicept.com.             IN      A
          
          ;; Query time: 4029 msec
          ;; SERVER: 8.8.8.8#53(8.8.8.8) (UDP)
          ;; WHEN: Tue Jun 27 22:52:33 BST 2023
          ;; MSG SIZE  rcvd: 46
          

          I cannot resolve it here even using 8.8.8.8 directly. Or 1.1.1.1:

          [2.7.0-RC][root@m470-3.stevew.lan]/root: dig @1.1.1.1 sp5.servicept.com
          ;; communications error to 1.1.1.1#53: timed out
          ;; communications error to 1.1.1.1#53: timed out
          
          ; <<>> DiG 9.18.14 <<>> @1.1.1.1 sp5.servicept.com
          ; (1 server found)
          ;; global options: +cmd
          ;; Got answer:
          ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 53905
          ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
          
          ;; OPT PSEUDOSECTION:
          ; EDNS: version: 0, flags:; udp: 1232
          ; EDE: 22 (No Reachable Authority): (at delegation servicept.com.)
          ;; QUESTION SECTION:
          ;sp5.servicept.com.             IN      A
          
          ;; Query time: 956 msec
          ;; SERVER: 1.1.1.1#53(1.1.1.1) (UDP)
          ;; WHEN: Tue Jun 27 22:55:43 BST 2023
          ;; MSG SIZE  rcvd: 80
          
            michmoor LAYER 8 Rebel Alliance @stephenw10

            OP stated he is able to resolve the domain at home.
            I am able to resolve the domain here at home (U.S. east coast).
            I can visit the domain and get to the landing page.

              stephenw10 Netgate Administrator

              Yup, something location specific maybe.

                stephenw10 Netgate Administrator

                Bunch of failures here, for example: https://dnschecker.org/#A/sp5.servicept.com

                  michmoor LAYER 8 Rebel Alliance @stephenw10

                  @stephenw10

                  Yeah, it's not great, but for all we know the client is still in the U.S., in which case this should still work.
                  Still need some questions answered from my first post though.

                  edit: I have a domain that's not responding in Australia but everywhere else is fine. It's hosted in CF.

                    johnpoz LAYER 8 Global Moderator @michmoor

                    I can resolve here, in the US

                    ;sp5.servicept.com.             IN      A
                    
                    ;; ANSWER SECTION:
                    sp5.servicept.com.      3600    IN      A       74.206.113.62
                    

                    But I see a problem on that domain, they only have 1 NS.. there is a ns2 listed, but it has the same exact IP address as NS1.

                    ;; ANSWER SECTION:
                    ns1.bowmansystems.com. 3600 IN A 74.206.113.67
                    ns2.bowmansystems.com. 3600 IN A 74.206.113.67

                    An intelligent man is sometimes forced to be drunk to spend time with his fools
                    If you get confused: Listen to the Music Play
                    Please don't Chat/PM me for help, unless mod related
                    SG-4860 24.11 | Lab VMs 2.8, 24.11
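
An added example, not part of johnpoz's post or anyone else's in this thread: a Python sketch that reads dig output like that quoted above, extracts the response status and any Extended DNS Error, and flags listed name servers that share a single address. The function names are hypothetical, and the sample text is excerpted from the dig output posted in the thread.

```python
import re
from collections import defaultdict

# Sample input: excerpts of the dig output posted in this thread.
SERVFAIL_REPLY = """\
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 53905
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
; EDNS: version: 0, flags:; udp: 1232
; EDE: 22 (No Reachable Authority): (at delegation servicept.com.)
;sp5.servicept.com.             IN      A
"""
NS_ADDRESSES = """\
;; ANSWER SECTION:
ns1.bowmansystems.com. 3600 IN A 74.206.113.67
ns2.bowmansystems.com. 3600 IN A 74.206.113.67
"""

STATUS_RE = re.compile(r"status: (\w+)")
EDE_RE = re.compile(r"^; EDE: (\d+) \(([^)]*)\)", re.M)
# Resource records are the lines that do not start with the ';' comment marker.
RR_RE = re.compile(r"^([^;\s]\S*)[ \t]+(\d+)[ \t]+IN[ \t]+(\S+)[ \t]+(.+)$", re.M)

def parse_dig(text):
    """Return the rcode, Extended DNS Errors and records found in dig output."""
    status = STATUS_RE.search(text)
    return {
        "status": status.group(1) if status else None,
        "ede": [(int(code), msg) for code, msg in EDE_RE.findall(text)],
        "records": [(n.lower(), int(ttl), t, rd.strip())
                    for n, ttl, t, rd in RR_RE.findall(text)],
    }

def shared_ns_addresses(records):
    """Map each address to the server names sharing it (two or more only)."""
    by_ip = defaultdict(list)
    for name, _ttl, rtype, rdata in records:
        if rtype in ("A", "AAAA"):
            by_ip[rdata].append(name)
    return {ip: names for ip, names in by_ip.items() if len(names) > 1}

def diagnose(reply_text, ns_text):
    """Turn both checks into short findings."""
    reply, findings = parse_dig(reply_text), []
    if reply["status"] != "NOERROR":
        why = ", ".join(f"EDE {c} {m}" for c, m in reply["ede"]) or "no EDE"
        findings.append(f"resolver returned {reply['status']} ({why})")
    for ip, names in shared_ns_addresses(parse_dig(ns_text)["records"]).items():
        findings.append(f"{' and '.join(names)} share {ip}")
    return findings
```

Calling `diagnose(SERVFAIL_REPLY, NS_ADDRESSES)` returns one finding for the SERVFAIL with EDE 22 and one for the two NS names behind 74.206.113.67.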

                      michmoor LAYER 8 Rebel Alliance @johnpoz

                      @johnpoz could it be behind a GTM? I can see that but don’t know if that’s a typical design for NS?

                        johnpoz LAYER 8 Global Moderator @michmoor

                        @michmoor You should have 2 different IPs for NS, even if they are both anycast, etc.

                        Google for example 8.8.8.8 and 8.8.4.4 - you think those actually go to different servers or different anycast?

                        They could for sure be doing global traffic management, would be common in dns.. But you should still have 2 different IPs for your listed NS.. Even if they really don't mean much as far as where you're actually going to get your DNS from do some global traffic steering, etc. Or anycast, etc.

                        I have no idea what that is supposed to be used for - but if me, they should have 2 different IPs if they are going to have 2 listed NS.. Even if they both just point to the same anycast network. Or are somehow steered via GTM, etc.

                        The maps showing that it doesn't resolve globally shows they are filtering on something for sure.. Maybe that fqdn should only be used in the US? But seems like they resolve from EU and RU and AUS?

                          stephenw10 Netgate Administrator @johnpoz

                          @johnpoz said in Need help - can't reach website by FQDN or the IP Address:

                          Maybe that fqdn should only be used in the US?

                          Yup, that seems possible.
