[DNS Resolver] Cannot resolve t.co



  • Hello,

    Since I started using the DNS resolver of pfSense, I no longer have access to the simplified URL "t.co". For example, it is impossible to access http://t.co/zLf5XQQPdn.

    C:\Users\Fab>nslookup co
    Serveur :   UnKnown
    Address:  10.0.0.1 (pfSense)
    
    *** UnKnown to find co : Non-existent domain
    

    What do you do?

    Are there no root DNS servers in pfSense?

    Thanks :-)


  • Banned

    You don't resolve TLDs. t.co resolves just fine.



  • @doktornotor:

    You don't resolve TLDs. t.co resolves just fine.

    No, impossible to resolve t.co. By using DNS Forwarder, no problem

    C:\Users\Fab>nslookup t.co
    Serveur :   UnKnown
    Address:  10.0.0.1
    
    DNS request timed out.
        timeout was 2 seconds.
    

  • Banned

    Yeah, your DNS configuration is broken. No information provided to debug anything here.



  • @doktornotor:

    Yeah, your DNS configuration is broken. No information provided to debug anything here.

    Configuration :

    General settings:
    ------------------
    
    Enable : checked
    Listen port : empty
    Network Interfaces : LAN
    Outgoing Network Interfaces : WAN
    DNSSEC : checked
    DNS Query Forwarding : unchecked
    DHCP Registration : checked
    Static DHCP : checked
    TXT Comment Support : checked
    
    On the other tabs, everything is default
    
    

    Interfaces configuration:

    
    LAN : Static IPv4 Configuration : 10.0.0.1/24
    WAN : PPPoE Internet Access
    
    

    Nothing to report in the resolver log. And no problem resolving TLDs other than "co".

    What other information can I provide?

    thanks :)


  • Banned

    
    nslookup - 10.0.0.1
    set querytype=soa
    co.
    
    

    Post the output of the above. This is what I get:

    
    Non-authoritative answer:
    co
            primary name server = ns1.cctld.co
            responsible mail addr = hostmaster.neustar.biz
            serial  = 2018084018
            refresh = 900 (15 mins)
            retry   = 900 (15 mins)
            expire  = 604800 (7 days)
            default TTL = 86400 (1 day)
    
    co      nameserver = ns5.cctld.co
    co      nameserver = ns4.cctld.co
    co      nameserver = ns2.cctld.co
    co      nameserver = ns6.cctld.co
    co      nameserver = ns1.cctld.co
    co      nameserver = ns3.cctld.co
    ns1.cctld.co    internet address = 156.154.100.25
    ns1.cctld.co    AAAA IPv6 address = 2001:502:2eda::21
    ns2.cctld.co    internet address = 156.154.101.25
    ns2.cctld.co    AAAA IPv6 address = 2001:502:ad09::21
    ns3.cctld.co    internet address = 156.154.102.25
    ns3.cctld.co    AAAA IPv6 address = 2610:a1:1009::21
    ns4.cctld.co    internet address = 156.154.103.25
    ns4.cctld.co    AAAA IPv6 address = 2610:a1:1010::21
    ns5.cctld.co    internet address = 156.154.104.25
    ns5.cctld.co    AAAA IPv6 address = 2610:a1:1011::21
    ns6.cctld.co    internet address = 156.154.105.25
    ns6.cctld.co    AAAA IPv6 address = 2610:a1:1012::21
    
    


  • @doktornotor:

    
    nslookup - 10.0.0.1
    set querytype=soa
    co.
    
    

    nslookup co

    C:\Users\Fab>nslookup
    Address:  10.0.0.1
    > set type=soa
    > co.
    Server :   UnKnown
    Address:  10.0.0.1
    
    *** UnKnown ne parvient pas à trouver co. : Server failed
    
    

    For .com, it works:

    C:\Users\Fab>nslookup
    Address:  10.0.0.1
    > set type=soa
    > com.
    Serveur :   UnKnown
    Address:  10.0.0.1
    
    Réponse ne faisant pas autorité :
    com
            primary name server = a.gtld-servers.net
            responsible mail addr = nstld.verisign-grs.com
            serial  = 1423413582
            refresh = 1800 (30 mins)
            retry   = 900 (15 mins)
            expire  = 604800 (7 days)
            default TTL = 86400 (1 day)
    
    com     nameserver = a.gtld-servers.net
    com     nameserver = b.gtld-servers.net
    com     nameserver = m.gtld-servers.net
    com     nameserver = g.gtld-servers.net
    com     nameserver = k.gtld-servers.net
    com     nameserver = f.gtld-servers.net
    com     nameserver = c.gtld-servers.net
    com     nameserver = d.gtld-servers.net
    com     nameserver = j.gtld-servers.net
    com     nameserver = l.gtld-servers.net
    com     nameserver = h.gtld-servers.net
    com     nameserver = i.gtld-servers.net
    com     nameserver = e.gtld-servers.net
    

  • Banned

    What does

    
    set querytype=soa
    root
    co.
    
    

    produce?



  • @doktornotor:

    What does

    
    set querytype=soa
    root
    co.
    
    

    produce?

    C:\Users\Fab>nslookup
    Address:  10.0.0.1
    > set querytype=soa
    > root
    Default server :   A.ROOT-SERVERS.NET
    Addresses:  2001:503:ba3e::2:30
              198.41.0.4
    
    > co.
    Server :   A.ROOT-SERVERS.NET
    Addresses:  2001:503:ba3e::2:30
              198.41.0.4
    
    DNS request timed out.
        timeout was 2 seconds.
    *** Request time out A.ROOT-SERVERS.NET.
    

  • Banned

    Talk to your ISP about what they are doing with DNS.

    
    Default Server:  A.ROOT-SERVERS.NET
    Addresses:  2001:503:ba3e::2:30
              198.41.0.4
    
    > co.
    Server:  A.ROOT-SERVERS.NET
    Addresses:  2001:503:ba3e::2:30
              198.41.0.4
    
    co      nameserver = ns1.cctld.co
    co      nameserver = ns2.cctld.co
    co      nameserver = ns3.cctld.co
    co      nameserver = ns4.cctld.co
    co      nameserver = ns5.cctld.co
    co      nameserver = ns6.cctld.co
    ns1.cctld.co    internet address = 156.154.100.25
    ns2.cctld.co    internet address = 156.154.101.25
    ns3.cctld.co    internet address = 156.154.102.25
    ns4.cctld.co    internet address = 156.154.103.25
    ns5.cctld.co    internet address = 156.154.104.25
    ns6.cctld.co    internet address = 156.154.105.25
    ns1.cctld.co    AAAA IPv6 address = 2001:502:2eda::21
    ns2.cctld.co    AAAA IPv6 address = 2001:502:ad09::21
    ns3.cctld.co    AAAA IPv6 address = 2610:a1:1009::21
    ns4.cctld.co    AAAA IPv6 address = 2610:a1:1010::21
    ns5.cctld.co    AAAA IPv6 address = 2610:a1:1011::21
    ns6.cctld.co    AAAA IPv6 address = 2610:a1:1012::21
    
    


  • @doktornotor:

    Talk to your ISP about what they are doing with DNS.

    Why would my ISP be the problem?
    If I use the DNS Forwarder it works


  • Banned

    @fab1330:

    Why would my ISP be the problem?

    Because it's clearly blocking/hijacking UDP/53 DNS traffic. When you cannot talk to root servers, you've got a problem.



  • @doktornotor:

    Because it's clearly blocking/hijacking UDP/53 DNS traffic. When you cannot talk to root servers, you've got a problem.

    It's strange, I haven't changed anything and now it works. Maybe it is a routing problem at my ISP?

    Now :

    C:\Users\Fab>nslookup t.co
    Address:  10.0.0.1
    
    Non-authoritative response :
    Name :    t.co
    Addresses:  199.16.156.11
              199.16.156.75
    

    I will monitor it over the coming days. Thank you.


  • Banned

    Well if it breaks again… check you can resolve stuff via root nameservers. Unbound cannot work without those unless forwarding is enabled. Also, extremely weird why it'd be limited to .co TLD



  • @doktornotor:

    Well if it breaks again… check you can resolve stuff via root nameservers. Unbound cannot work without those unless forwarding is enabled. Also, extremely weird why it'd be limited to .co TLD

    The problem comes back randomly :-(

    And I have changed ISP in the meantime. So this is not an ISP problem.

    C:\Users\Fab>dig t.co
    
    ; <<>> DiG 9.10.1-P1 <<>> t.co
    ;; global options: +cmd
    ;; connection timed out; no servers could be reached
    
    C:\Users\Fab>dig co
    
    ; <<>> DiG 9.10.1-P1 <<>> co
    ;; global options: +cmd
    ;; connection timed out; no servers could be reached
    
    C:\Users\Fab>dig co. NS
    
    ; <<>> DiG 9.10.1-P1 <<>> co. NS
    ;; global options: +cmd
    ;; connection timed out; no servers could be reached
    
    C:\Users\Fab>dig co. SOA
    
    ; <<>> DiG 9.10.1-P1 <<>> co. SOA
    ;; global options: +cmd
    ;; connection timed out; no servers could be reached
    
    C:\Users\Fab>nslookup
    Address:  10.0.0.1
    
    > set querytype=soa
    > root
    Default server :   A.ROOT-SERVERS.NET
    Addresses:  2001:503:ba3e::2:30
              198.41.0.4
    
    > co.
    Serveur :   A.ROOT-SERVERS.NET
    Addresses:  2001:503:ba3e::2:30
              198.41.0.4
    
    co      nameserver = ns1.cctld.co
    co      nameserver = ns2.cctld.co
    co      nameserver = ns3.cctld.co
    co      nameserver = ns4.cctld.co
    co      nameserver = ns5.cctld.co
    co      nameserver = ns6.cctld.co
    ns1.cctld.co    internet address = 156.154.100.25
    ns2.cctld.co    internet address = 156.154.101.25
    ns3.cctld.co    internet address = 156.154.102.25
    ns4.cctld.co    internet address = 156.154.103.25
    ns5.cctld.co    internet address = 156.154.104.25
    ns6.cctld.co    internet address = 156.154.105.25
    ns1.cctld.co    AAAA IPv6 address = 2001:502:2eda::21
    ns2.cctld.co    AAAA IPv6 address = 2001:502:ad09::21
    ns3.cctld.co    AAAA IPv6 address = 2610:a1:1009::21
    ns4.cctld.co    AAAA IPv6 address = 2610:a1:1010::21
    ns5.cctld.co    AAAA IPv6 address = 2610:a1:1011::21
    ns6.cctld.co    AAAA IPv6 address = 2610:a1:1012::21
    

    Any idea?

    thanks :)



  • Make sure you have "harden glue" enabled on the Advanced tab. If you don't, it might be possible for some malicious query reply to break a TLD.



  • @cmb:

    Make sure you have "harden glue" enabled on the Advanced tab. If you don't, it might be possible for some malicious query reply to break a TLD.

    I just activated "harden glue", and it works :-) Thanks!
    But I do not understand what this option is. Can you tell me more?
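
Added illustration, not part of the thread and not Unbound's own code: Unbound documents `harden-glue` as trusting glue only when it lies within the answering server's authority. The sketch below is a simplified model of that in-bailiwick check; the function names, the `example.net` zone and all addresses are constructed for the example.

```python
# Simplified model of in-bailiwick glue filtering (assumption: this mirrors
# the documented intent of Unbound's harden-glue, not its implementation).

def labels(name):
    """Split a DNS name into lowercase labels, ignoring the trailing dot."""
    name = name.rstrip(".").lower()
    return name.split(".") if name else []

def in_bailiwick(owner, zone):
    """True if owner is the zone itself or below it, compared label by label.

    Comparing whole labels (not string suffixes) keeps 'notexample.net'
    from matching 'example.net'. The root zone '.' contains every name.
    """
    o, z = labels(owner), labels(zone)
    return len(o) >= len(z) and o[len(o) - len(z):] == z

def scrub_glue(zone, additional):
    """Split additional-section records into (kept, dropped) for a reply
    from a server that is authoritative for `zone`."""
    kept, dropped = [], []
    for rec in additional:
        (kept if in_bailiwick(rec[0], zone) else dropped).append(rec)
    return kept, dropped

# Constructed additional section of a referral from an example.net server.
SAMPLE_ADDITIONAL = [
    ("ns1.example.net.", "A", "192.0.2.53"),        # legitimate glue
    ("NS2.Example.NET", "A", "192.0.2.54"),         # same zone, mixed case
    ("ns1.cctld.co.", "A", "203.0.113.66"),         # claims a .co nameserver
    ("ns1.notexample.net.", "A", "203.0.113.67"),   # suffix look-alike
]

if __name__ == "__main__":
    kept, dropped = scrub_glue("example.net.", SAMPLE_ADDITIONAL)
    for rec in kept:
        print("keep", rec)
    for rec in dropped:
        print("drop", rec)
```

Without such a check, a resolver could cache the out-of-zone address for a TLD nameserver and then fail every lookup under that TLD until the record expires, which matches the "break a TLD" behaviour described in the reply above.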