Some websites are not found

Paul_Holland · January 10, 2017, 12:57pm

If I use my turris omnia and try to go to the http://www.nordicsemi.com/ website its not found. If I do try this with my normal router it is found !. Are there more people with this problem ?. I noticed that only some websites are not found, most are found give no problems.

SQBI · January 10, 2017, 1:01pm

Try DNS forwarding. You have to enable it in Foris.

vcunat · January 11, 2017, 10:09am

Yes, DNS forwarding should work around these problems (well, it depends where you forward to). There were some bugs in knot-resolver affecting “similar” domain names, though I’m currently unable to reproduce this particular failure.

vcunat · January 11, 2017, 10:49am

Actually, it might be the other way around. The problem is really that the authoritative servers are serving (slightly) incorrect DNS.

www.nordicsemi.com. 3600 IN CNAME nordicsemi.nord.aads1.net.

but nord.aads1.net. is answered as NXDOMAIN, meaning there should exist no *.nord.aads1.net at all, according to RFC 8020. At an explicit request for nordicsemi.nord.aads1.net. they return the address, but some resolvers might not ask for that (and rightly so).

So… I think disabling forwarding should make the resolution work in this case, or forwarding to some other resolver that’s liberal with respect to bogus NXDOMAIN on empty non-terminals.

vcunat · January 11, 2017, 1:06pm

Hmm, their domain actually has multiple problems, e.g. not responding over TCP http://dnsviz.net/d/www.nordicsemi.com/dnssec/ I notified them at their support forum https://devzone.nordicsemi.com/question/110569/bad-dns-of-nordicsemicom/

bortzmeyer · January 11, 2017, 4:03pm

Correct analysis, thanks.

Here, we ask one of the authoritative name servers of aads1.net: it incorrectly gives a NXDOMAIN for nord.aads1.net (a name that exists, since there is a nordicsemi.nord.aads1.net):

% dig @nsb1.aads1.net. A nord.aads1.net. 

; <<>> DiG 9.9.5-9+deb8u8-Debian <<>> @nsb1.aads1.net. A nord.aads1.net.
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 39039
;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1408
;; QUESTION SECTION:
;nord.aads1.net.		IN A

;; AUTHORITY SECTION:
aads1.net.		60 IN SOA nsb1.aads1.net. hostmaster.corp.aryaka.com. (
				20537      ; serial
				3600       ; refresh (1 hour)
				600        ; retry (10 minutes)
				86400      ; expire (1 day)
				60         ; minimum (1 minute)
				)

;; Query time: 140 msec
;; SERVER: 192.158.243.3#53(192.158.243.3)
;; WHEN: Wed Jan 11 17:02:24 CET 2017
;; MSG SIZE  rcvd: 110


% dig @nsb1.aads1.net. A nordicsemi.nord.aads1.net.

; <<>> DiG 9.9.5-9+deb8u8-Debian <<>> @nsb1.aads1.net. A nordicsemi.nord.aads1.net.
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22021
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1408
;; QUESTION SECTION:
;nordicsemi.nord.aads1.net. IN A

;; ANSWER SECTION:
nordicsemi.nord.aads1.net. 30 IN A 194.19.86.155

;; Query time: 140 msec
;; SERVER: 192.158.243.3#53(192.158.243.3)
;; WHEN: Wed Jan 11 17:02:20 CET 2017
;; MSG SIZE  rcvd: 70