DNS Problems on some pages

I started to have a problem with some pages. Chrome just refuses to connect due to the DNS issue. Example might be https://realflight.com.

Doesn’t matter if I use ISP or CZ.NIC resolvers. Other Android/Windows clients suffer from the same issue. If I use an Android phone as a hotspot, I can reach the site without issues.

Strange thing is I can ping from the command line:

ping realflight.com
PING realflight.com (20.102.13.128): 56 data bytes
64 bytes from 20.102.13.128: icmp_seq=0 ttl=108 time=109.589 ms

or

Server:		192.168.33.1
Address:	192.168.33.1#53

Non-authoritative answer:
Name:	realflight.com
Address: 20.102.13.128

Can’t find out why browsers are not happy.

I attached tcpdump -i any -s 65535 port 53 -w 53-3.dump while trying to refresh the page 3x. 53-3.dump - Disk Google

In my case, the mentioned website is available. So deactivating DNS forwarding and changing the DNSSEC settings doesn’t work for you? What browsers have you tried?

If the translation of the ISP’s address is not working you need to try querying it as well.

Based on the dumps, realflight.com would probably not show the issue; only www.realflight.com would as the error happens after the CNAME jump. It’s probably related to the one shown by DnsViz: www.realflight.com | DNSViz – with such a setup resolvers could correctly return NXDOMAIN. (here SERVFAIL happens)

However, right now I can’t even reproduce kresd returning an error here, be it without forwarding or with cz.nic forwarding. I believe the setup without forwarding is the least error prone, assuming that the ISP can be trusted not to intercept (DNS) packets.

EDIT: by which I mean that I don’t really understand why exactly that error happens in your case.

Yes, you are right. Chrome is just hiding the redirect.

And simple nslookup is failing as well:

paci@Jans-MacBook-Pro ~ % nslookup realflight.com
Server:		192.168.33.1
Address:	192.168.33.1#53

Non-authoritative answer:
Name:	realflight.com
Address: 20.102.13.128

paci@Jans-MacBook-Pro ~ % nslookup www.realflight.com
Server:		192.168.33.1
Address:	192.168.33.1#53

** server can't find www.realflight.com: SERVFAIL

Tried to increase the log level of knot on my Omnia and have a bit of logs:

Oct  1 22:02:09 turris kresd[23098]: [plan  ][00000.00] plan 'www.realflight.com.' type 'A' uid [22041.00]
Oct  1 22:02:09 turris kresd[23098]: [iterat][22041.00]   'www.realflight.com.' type 'A' new uid was assigned .01, parent uid .00
Oct  1 22:02:09 turris kresd[23098]: [cache ][22041.01]   => satisfied by exact CNAME: rank 030, new TTL 1646
Oct  1 22:02:09 turris kresd[23098]: [iterat][22041.01]   <= rcode: NOERROR
Oct  1 22:02:09 turris kresd[23098]: [iterat][22041.01]   <= cname chain, following
Oct  1 22:02:09 turris kresd[23098]: [plan  ][00000.00] plan 'commcloud.prod-bfbr-realflight-com.cc-ecdn.net.' type 'A' uid [22041.02]
Oct  1 22:02:09 turris kresd[23098]: [iterat][22041.02]   'commcloud.prod-bfbr-realflight-com.cc-ecdn.net.' type 'A' new uid was assigned .03, parent uid .00
Oct  1 22:02:09 turris kresd[23098]: [cache ][22041.03]   => satisfied by exact CNAME: rank 030, new TTL 146
Oct  1 22:02:09 turris kresd[23098]: [iterat][22041.03]   <= rcode: NOERROR
Oct  1 22:02:09 turris kresd[23098]: [iterat][22041.03]   <= cname chain, following
Oct  1 22:02:09 turris kresd[23098]: [plan  ][00000.00] plan 'commcloud.prod-bfbr-realflight-com.cc-ecdn.net.cdn.cloudflare.net.' type 'A' uid [22041.04]
Oct  1 22:02:09 turris kresd[23098]: [iterat][22041.04]   'commcloud.prod-bfbr-realflight-com.cc-ecdn.net.cdn.cloudflare.net.' type 'A' new uid was assigned .05, parent uid .00
Oct  1 22:02:09 turris kresd[23098]: [cache ][22041.05]   => trying zone: ., NSEC, hash 0
Oct  1 22:02:09 turris kresd[23098]: [cache ][22041.05]   => NSEC sname: range search miss (!covers)
Oct  1 22:02:09 turris kresd[23098]: [cache ][22041.05]   => skipping zone: ., NSEC, hash 0;new TTL -123456789, ret -2
Oct  1 22:02:09 turris kresd[23098]: [plan  ][22041.05]   plan '.' type 'DNSKEY' uid [22041.06]
Oct  1 22:02:09 turris kresd[23098]: [iterat][22041.06]     '.' type 'DNSKEY' new uid was assigned .07, parent uid .05
Oct  1 22:02:09 turris kresd[23098]: [cache ][22041.07]     => satisfied by exact RRset: rank 060, new TTL 1477
Oct  1 22:02:09 turris kresd[23098]: [iterat][22041.07]     <= rcode: NOERROR
Oct  1 22:02:09 turris kresd[23098]: [valdtr][22041.07]     <= parent: updating DNSKEY
Oct  1 22:02:09 turris kresd[23098]: [valdtr][22041.07]     <= answer valid, OK
Oct  1 22:02:09 turris kresd[23098]: [iterat][22041.05]   'commcloud.prod-bfbr-realflight-com.cc-ecdn.net.cdn.cloudflare.net.' type 'A' new uid was assigned .08, parent uid .00
Oct  1 22:02:09 turris kresd[23098]: [plan  ][22041.08]   plan 'net.' type 'DS' uid [22041.09]
Oct  1 22:02:09 turris kresd[23098]: [iterat][22041.09]     'net.' type 'DS' new uid was assigned .10, parent uid .08
Oct  1 22:02:09 turris kresd[23098]: [cache ][22041.10]     => satisfied by exact RRset: rank 060, new TTL 73840
Oct  1 22:02:09 turris kresd[23098]: [iterat][22041.10]     <= rcode: NOERROR
Oct  1 22:02:09 turris kresd[23098]: [valdtr][22041.10]     <= DS: OK
Oct  1 22:02:09 turris kresd[23098]: [valdtr][22041.10]     <= parent: updating DS
Oct  1 22:02:09 turris kresd[23098]: [valdtr][22041.10]     <= answer valid, OK
Oct  1 22:02:09 turris kresd[23098]: [iterat][22041.08]   'commcloud.prod-bfbr-realflight-com.cc-ecdn.net.cdn.cloudflare.net.' type 'A' new uid was assigned .11, parent uid .00
Oct  1 22:02:09 turris kresd[23098]: [plan  ][22041.11]   plan 'net.' type 'DNSKEY' uid [22041.12]
Oct  1 22:02:09 turris kresd[23098]: [iterat][22041.12]     'net.' type 'DNSKEY' new uid was assigned .13, parent uid .11
Oct  1 22:02:09 turris kresd[23098]: [cache ][22041.13]     => satisfied by exact RRset: rank 060, new TTL 2954
Oct  1 22:02:09 turris kresd[23098]: [iterat][22041.13]     <= rcode: NOERROR
Oct  1 22:02:09 turris kresd[23098]: [valdtr][22041.13]     <= parent: updating DNSKEY
Oct  1 22:02:09 turris kresd[23098]: [valdtr][22041.13]     <= answer valid, OK
Oct  1 22:02:09 turris kresd[23098]: [iterat][22041.11]   'commcloud.prod-bfbr-realflight-com.cc-ecdn.net.cdn.cloudflare.net.' type 'A' new uid was assigned .14, parent uid .00
Oct  1 22:02:09 turris kresd[23098]: [plan  ][22041.14]   plan 'cloudflare.net.' type 'DS' uid [22041.15]
Oct  1 22:02:09 turris kresd[23098]: [iterat][22041.15]     'cloudflare.net.' type 'DS' new uid was assigned .16, parent uid .14
Oct  1 22:02:09 turris kresd[23098]: [cache ][22041.16]     => satisfied by exact RRset: rank 060, new TTL 8071
Oct  1 22:02:09 turris kresd[23098]: [iterat][22041.16]     <= rcode: NOERROR
Oct  1 22:02:09 turris kresd[23098]: [valdtr][22041.16]     <= DS: OK
Oct  1 22:02:09 turris kresd[23098]: [valdtr][22041.16]     <= parent: updating DS
Oct  1 22:02:09 turris kresd[23098]: [valdtr][22041.16]     <= answer valid, OK
Oct  1 22:02:09 turris kresd[23098]: [iterat][22041.14]   'commcloud.prod-bfbr-realflight-com.cc-ecdn.net.cdn.cloudflare.net.' type 'A' new uid was assigned .17, parent uid .00
Oct  1 22:02:09 turris kresd[23098]: [plan  ][22041.17]   plan 'cloudflare.net.' type 'DNSKEY' uid [22041.18]
Oct  1 22:02:09 turris kresd[23098]: [iterat][22041.18]     'cloudflare.net.' type 'DNSKEY' new uid was assigned .19, parent uid .17
Oct  1 22:02:09 turris kresd[23098]: [cache ][22041.19]     => satisfied by exact RRset: rank 060, new TTL 2174
Oct  1 22:02:09 turris kresd[23098]: [iterat][22041.19]     <= rcode: NOERROR
Oct  1 22:02:09 turris kresd[23098]: [valdtr][22041.19]     <= parent: updating DNSKEY
Oct  1 22:02:09 turris kresd[23098]: [valdtr][22041.19]     <= answer valid, OK
Oct  1 22:02:09 turris kresd[23098]: [iterat][22041.17]   'commcloud.prod-bfbr-realflight-com.cc-ecdn.net.cdn.cloudflare.net.' type 'A' new uid was assigned .20, parent uid .00
Oct  1 22:02:09 turris kresd[23098]: [plan  ][22041.20]   plan 'cdn.cloudflare.net.' type 'DS' uid [22041.21]
Oct  1 22:02:09 turris kresd[23098]: [iterat][22041.21]     'cdn.cloudflare.net.' type 'DS' new uid was assigned .22, parent uid .20
Oct  1 22:02:09 turris kresd[23098]: [cache ][22041.22]     => trying zone: ., NSEC, hash 0
Oct  1 22:02:09 turris kresd[23098]: [cache ][22041.22]     => NSEC sname: range search miss (!covers)
Oct  1 22:02:09 turris kresd[23098]: [cache ][22041.22]     => skipping zone: ., NSEC, hash 0;new TTL -123456789, ret -2
Oct  1 22:02:09 turris kresd[23098]: [resolv][22041.22]     => id: '60550' querying: '.'@'8.8.4.4#00853' zone cut: 'cloudflare.net.' qname: 'cdn.cloudflare.net.' qtype: 'DS' proto: 'tcp'
Oct  1 22:02:09 turris kresd[23098]: [gnutls] (5) REC[0x22bf910]: Preparing Packet Application Data(23) with length: 130 and min pad: 0
Oct  1 22:02:09 turris kresd[23098]: [gnutls] (5) REC[0x22bf910]: Sent Packet[137] Application Data(23) in epoch 2 and length: 152
Oct  1 22:02:09 turris kresd[23098]: [gnutls] (5) REC[0x22bf910]: SSL 3.3 Application Data packet received. Epoch 2, length: 487
Oct  1 22:02:09 turris kresd[23098]: [gnutls] (5) REC[0x22bf910]: Expected Packet Application Data(23)
Oct  1 22:02:09 turris kresd[23098]: [gnutls] (5) REC[0x22bf910]: Received Packet Application Data(23) with length: 487
Oct  1 22:02:09 turris kresd[23098]: [gnutls] (5) REC[0x22bf910]: Decrypted Packet[137] Application Data(23) with length: 470
Oct  1 22:02:09 turris kresd[23098]: [gnutls] (3) ASSERT: buffers.c[_gnutls_io_read_buffered]:589
Oct  1 22:02:09 turris kresd[23098]: [gnutls] (3) ASSERT: record.c[_gnutls_recv_int]:1776
Oct  1 22:02:09 turris kresd[23098]: [select][22041.22]     => id: '60550' updating: '.'@'8.8.4.4#00853' zone cut: 'cloudflare.net.' with rtt 36 to srtt: 38 and variance: 10 
Oct  1 22:02:09 turris kresd[23098]: [select][22041.22]     => id: '60550' noting selection error: '.'@'8.8.4.4#00853' zone cut: 'cloudflare.net.' error: 6 SERVFAIL
Oct  1 22:02:09 turris kresd[23098]: [iterat][22041.22]     <= rcode: SERVFAIL
Oct  1 22:02:09 turris kresd[23098]: [iterat][22041.22]     'cdn.cloudflare.net.' type 'DS' new uid was assigned .23, parent uid .20
Oct  1 22:02:09 turris kresd[23098]: [resolv][22041.23]     => id: '46899' querying: '.'@'8.8.8.8#00853' zone cut: 'cloudflare.net.' qname: 'cdn.cloudflare.net.' qtype: 'DS' proto: 'tcp'
Oct  1 22:02:09 turris kresd[23098]: [gnutls] (5) REC[0x239bb50]: Preparing Packet Application Data(23) with length: 130 and min pad: 0
Oct  1 22:02:09 turris kresd[23098]: [gnutls] (5) REC[0x239bb50]: Sent Packet[2] Application Data(23) in epoch 2 and length: 152
Oct  1 22:02:09 turris kresd[23098]: [gnutls] (5) REC[0x239bb50]: SSL 3.3 Application Data packet received. Epoch 2, length: 487
Oct  1 22:02:09 turris kresd[23098]: [gnutls] (5) REC[0x239bb50]: Expected Packet Application Data(23)
Oct  1 22:02:09 turris kresd[23098]: [gnutls] (5) REC[0x239bb50]: Received Packet Application Data(23) with length: 487
Oct  1 22:02:09 turris kresd[23098]: [gnutls] (5) REC[0x239bb50]: Decrypted Packet[2] Application Data(23) with length: 470
Oct  1 22:02:09 turris kresd[23098]: [gnutls] (3) ASSERT: buffers.c[_gnutls_io_read_buffered]:589
Oct  1 22:02:09 turris kresd[23098]: [gnutls] (3) ASSERT: record.c[_gnutls_recv_int]:1776
Oct  1 22:02:09 turris kresd[23098]: [select][22041.23]     => id: '46899' updating: '.'@'8.8.8.8#00853' zone cut: 'cloudflare.net.' with rtt 30 to srtt: 50 and variance: 32 
Oct  1 22:02:09 turris kresd[23098]: [select][22041.23]     => id: '46899' noting selection error: '.'@'8.8.8.8#00853' zone cut: 'cloudflare.net.' error: 6 SERVFAIL
Oct  1 22:02:09 turris kresd[23098]: [iterat][22041.23]     <= rcode: SERVFAIL
Oct  1 22:02:09 turris kresd[23098]: [iterat][22041.23]     'cdn.cloudflare.net.' type 'DS' new uid was assigned .24, parent uid .20
Oct  1 22:02:09 turris kresd[23098]: [resolv][22041.24]     => id: '05433' querying: '.'@'2001:4860:4860::8888#00853' zone cut: 'cloudflare.net.' qname: 'cdn.cloudflare.net.' qtype: 'DS' proto: 'tcp'
Oct  1 22:02:09 turris kresd[23098]: [gnutls] (5) REC[0x2450de0]: Allocating epoch #0
Oct  1 22:02:09 turris kresd[23098]: [gnutls] (2) added 4 protocols, 29 ciphersuites, 19 sig algos and 10 groups into priority list
Oct  1 22:02:09 turris kresd[23098]: [tls_cl] set hostname, ret = 0
Oct  1 22:02:09 turris kresd[23098]: [worker][22041.24]     => connecting to: '2001:4860:4860::8888#00853'
Oct  1 22:02:09 turris kresd[23098]: [select][22041.24]     NO6: timed out, repeated prefix, timeouts 1/6
Oct  1 22:02:09 turris kresd[23098]: [select][22041.24]     => id: '05433' noting selection error: '.'@'2001:4860:4860::8888#00853' zone cut: 'cloudflare.net.' error: 3 TCP_CONNECT_FAILED
Oct  1 22:02:09 turris kresd[23098]: [iterat][22041.24]     'cdn.cloudflare.net.' type 'DS' new uid was assigned .25, parent uid .20
Oct  1 22:02:09 turris kresd[23098]: [resolv][22041.25]     => id: '41866' querying: '.'@'2001:4860:4860::8844#00853' zone cut: 'cloudflare.net.' qname: 'cdn.cloudflare.net.' qtype: 'DS' proto: 'tcp'
Oct  1 22:02:09 turris kresd[23098]: [gnutls] (5) REC[0x23e58f0]: Allocating epoch #0
Oct  1 22:02:09 turris kresd[23098]: [gnutls] (2) added 4 protocols, 29 ciphersuites, 19 sig algos and 10 groups into priority list
Oct  1 22:02:09 turris kresd[23098]: [tls_cl] set hostname, ret = 0
Oct  1 22:02:09 turris kresd[23098]: [worker][22041.25]     => connecting to: '2001:4860:4860::8844#00853'
Oct  1 22:02:09 turris kresd[23098]: [select][22041.25]     NO6: timed out, repeated prefix, timeouts 1/6
Oct  1 22:02:09 turris kresd[23098]: [select][22041.25]     => id: '41866' noting selection error: '.'@'2001:4860:4860::8844#00853' zone cut: 'cloudflare.net.' error: 3 TCP_CONNECT_FAILED
Oct  1 22:02:09 turris kresd[23098]: [iterat][22041.25]     'cdn.cloudflare.net.' type 'DS' new uid was assigned .26, parent uid .20
Oct  1 22:02:09 turris kresd[23098]: [iterat][22041.26]     'cdn.cloudflare.net.' type 'DS' new uid was assigned .27, parent uid .20
Oct  1 22:02:09 turris kresd[23098]: [resolv][22041.27]     AD: request NOT classified as SECURE
Oct  1 22:02:09 turris kresd[23098]: [resolv][22041.20]   finished in state: 8, queries: 8, mempool: 32784 B
Oct  1 22:02:09 turris kresd[23098]: [gnutls] (5) REC[0x2450de0]: Start of epoch cleanup
Oct  1 22:02:09 turris kresd[23098]: [gnutls] (5) REC[0x2450de0]: End of epoch cleanup
Oct  1 22:02:09 turris kresd[23098]: [gnutls] (5) REC[0x2450de0]: Epoch #0 freed
Oct  1 22:02:09 turris kresd[23098]: [gnutls] (5) REC[0x23e58f0]: Start of epoch cleanup
Oct  1 22:02:09 turris kresd[23098]: [gnutls] (5) REC[0x23e58f0]: End of epoch cleanup
Oct  1 22:02:09 turris kresd[23098]: [gnutls] (5) REC[0x23e58f0]: Epoch #0 freed
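
The failure pattern in a log like the one above can be pulled out mechanically. This is an added example, not part of any post in this thread and not kresd tooling: it joins each `[resolv]` query line with its `[select]` selection error by uid and id, then reports questions for which every upstream attempt failed. The sample lines are copied from the log above; the function names are made up for the example.

```python
import re
from collections import defaultdict

# Lines copied from the kresd log in the post above (cache and gnutls lines left out).
SAMPLE = """\
Oct  1 22:02:09 turris kresd[23098]: [resolv][22041.22]     => id: '60550' querying: '.'@'8.8.4.4#00853' zone cut: 'cloudflare.net.' qname: 'cdn.cloudflare.net.' qtype: 'DS' proto: 'tcp'
Oct  1 22:02:09 turris kresd[23098]: [select][22041.22]     => id: '60550' noting selection error: '.'@'8.8.4.4#00853' zone cut: 'cloudflare.net.' error: 6 SERVFAIL
Oct  1 22:02:09 turris kresd[23098]: [resolv][22041.23]     => id: '46899' querying: '.'@'8.8.8.8#00853' zone cut: 'cloudflare.net.' qname: 'cdn.cloudflare.net.' qtype: 'DS' proto: 'tcp'
Oct  1 22:02:09 turris kresd[23098]: [select][22041.23]     => id: '46899' noting selection error: '.'@'8.8.8.8#00853' zone cut: 'cloudflare.net.' error: 6 SERVFAIL
Oct  1 22:02:09 turris kresd[23098]: [resolv][22041.24]     => id: '05433' querying: '.'@'2001:4860:4860::8888#00853' zone cut: 'cloudflare.net.' qname: 'cdn.cloudflare.net.' qtype: 'DS' proto: 'tcp'
Oct  1 22:02:09 turris kresd[23098]: [select][22041.24]     => id: '05433' noting selection error: '.'@'2001:4860:4860::8888#00853' zone cut: 'cloudflare.net.' error: 3 TCP_CONNECT_FAILED
"""

QUERY = re.compile(r"\[resolv\]\[(?P<uid>[\d.]+)\]\s+=> id: '(?P<id>\d+)' querying: '[^']*'@'(?P<addr>[^#']+)"
                   r"#(?P<port>\d+)' .*?qname: '(?P<qname>[^']+)' qtype: '(?P<qtype>[^']+)'")
ERROR = re.compile(r"\[select\]\[(?P<uid>[\d.]+)\]\s+=> id: '(?P<id>\d+)' noting selection error: "
                   r".*?error: \d+ (?P<name>\w+)")

def attempts(log_text):
    """Join each [resolv] query with its [select] selection error, keyed by uid and id."""
    seen = {}
    for line in log_text.splitlines():
        if m := QUERY.search(line):
            seen[m["uid"], m["id"]] = {"question": (m["qname"], m["qtype"]), "upstream": m["addr"],
                                       "port": int(m["port"]), "error": None}
        elif (m := ERROR.search(line)) and (m["uid"], m["id"]) in seen:
            seen[m["uid"], m["id"]]["error"] = m["name"]
    return list(seen.values())

def dead_questions(log_text):
    """Questions for which every upstream attempt failed: {question: {error: [upstreams]}}."""
    by_question = defaultdict(list)
    for a in attempts(log_text):
        by_question[a["question"]].append(a)
    report = {}
    for question, tries in by_question.items():
        if all(t["error"] for t in tries):
            kinds = defaultdict(list)
            for t in tries:
                kinds[t["error"]].append(t["upstream"])
            report[question] = dict(kinds)
    return report

if __name__ == "__main__":
    # SERVFAIL came back from the upstream itself; TCP_CONNECT_FAILED never reached it.
    for question, kinds in dead_questions(SAMPLE).items():
        print(question, kinds)
```

Grouping by error kind keeps the two causes apart: in the posted log the IPv4 upstreams answered SERVFAIL, while the IPv6 ones failed at TCP connect.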

That’s a case where 8.8.8.8 returns SERVFAIL already.

EDIT: that’s easy to retry e.g. by dig @8.8.8.8 cdn.cloudflare.net DS

It’s really great that you could get the logs. I’m trying to make Google fix this bug.

Others don’t seem affected by this bug, so perhaps you could get these logs for some other case? I didn’t try this domain with forwarding to Google before – I tried others (and also without forwarding) and those do work for me with this name.

Ah right, I forgot. More about the Google issue here:

Hi,

@vcunat, thank you for the support - I needed to learn a bit about resolver (yes, the luci settings for resolver are not having any effect), but part of internet was not available for me and I was not able to find why… :slight_smile:.

My original suspicion was that our network provider removed 6rd support and those pages were incl. IPv6 hosting.

I had other problems with e.g. www.valg.no (that was much more important), or www.power.no. But all of them are having Cloudflare…
