Score:2

Why can't I reach a specific host using a specific DNS?


I'm trying to send some info to www2.agenciatributaria.gob.es. I can do it from several hosts but one.

From this one I get the error Temporary failure in name resolution. However, from the same host I can reach many other servers through its default DNS (I can ping www.google.es, etc.).

So I used dig to check what happens. If I execute dig www2.agenciatributaria.gob.es, the IP of the remote host is searched by the DNS on 127.0.0.53, and the results are wrong (nevertheless, results are successful if I dig on www.google.es):

; <<>> DiG 9.16.1-Ubuntu <<>> www2.agenciatributaria.gob.es
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 58113
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;www2.agenciatributaria.gob.es. IN      A

;; Query time: 7 msec
;; SERVER: 127.0.0.53#53(127.0.0.53)
;; WHEN: Mon Sep 27 09:17:00 UTC 2021
;; MSG SIZE  rcvd: 58

On the other hand, if I execute dig +norecurse @8.8.8.8 www2.agenciatributaria.gob.es, to search the IP of the remote host with the DNS on 8.8.8.8, the results are successful:

; <<>> DiG 9.16.1-Ubuntu <<>> +norecurse @8.8.8.8 www2.agenciatributaria.gob.es
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31565
;; flags: qr ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;www2.agenciatributaria.gob.es. IN      A

;; ANSWER SECTION:
www2.agenciatributaria.gob.es. 201 IN   A       195.77.198.18

;; Query time: 0 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Mon Sep 27 09:16:28 UTC 2021
;; MSG SIZE  rcvd: 74

I'm not an expert on this subject. But I guess there is some problem with the DNS for only that domain. Can anyone help me here? How can I solve this problem or what should I check now?

resolvectl status

Global
       LLMNR setting: no                  
MulticastDNS setting: no                  
  DNSOverTLS setting: no                  
      DNSSEC setting: no                  
    DNSSEC supported: no                  
          DNSSEC NTA: 10.in-addr.arpa     
                      16.172.in-addr.arpa 
                      168.192.in-addr.arpa
                      17.172.in-addr.arpa 
                      18.172.in-addr.arpa 
                      19.172.in-addr.arpa 
                      20.172.in-addr.arpa 
                      21.172.in-addr.arpa 
                      22.172.in-addr.arpa 
                      23.172.in-addr.arpa 
                      24.172.in-addr.arpa 
                      25.172.in-addr.arpa 
                      26.172.in-addr.arpa 
                      27.172.in-addr.arpa 
                      28.172.in-addr.arpa 
                      29.172.in-addr.arpa 
                      30.172.in-addr.arpa 
                      31.172.in-addr.arpa 
                      corp                
                      d.f.ip6.arpa        
                      home                
                      internal            
                      intranet            
                      lan                 
                      local               
                      private             
                      test                

Link 2 (ens3)
      Current Scopes: DNS           
DefaultRoute setting: yes           
       LLMNR setting: yes           
MulticastDNS setting: no            
  DNSOverTLS setting: no            
      DNSSEC setting: no            
    DNSSEC supported: no            
  Current DNS Server: 213.186.33.99 
         DNS Servers: 213.186.33.99 
          DNS Domain: openstacklocal
Criggie:
Aside - 127.0.0.53 is a localhost IP address used by systemd for a "caching DNS resolver" that runs on your local machine. In theory, it is only caching your lookups.
Score:7

Your domain is not configured correctly, see https://dnsviz.net/d/www2.agenciatributaria.gob.es/YVHoZA/dnssec/

You can ignore the DS warnings on es and gob.es as you won't be able to do anything about those and they won't block resolution.

However, do read the warning about the NS set mismatch, which means you are in a lame delegation situation. This has the direct effect that your results will depend on which nameserver you ask and can be wrong 50% of the time, or more.

Fix your DNS settings by making sure your parent (gob.es) lists the same servers as authoritative as you do:

$ dig gob.es NS +short
c.nic.es.
fnicdos.rediris.es.
n3ns.nic.es.
h.nic.es.
g.nic.es.
$ dig agenciatributaria.gob.es NS @c.nic.es +noall +auth
agenciatributaria.gob.es. 1d IN NS ns3chos01.telefonica-data.com.
agenciatributaria.gob.es. 1d IN NS nsjc8hos01.telefonica-data.com.
$ dig agenciatributaria.gob.es NS @nsjc8hos01.telefonica-data.com. +short
nsalchos01.telefonica-data.com.
nsjc8hos01.telefonica-data.com.

These 2 sets of NS records do not match, and they MUST match for correct DNS resolution.
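As an added example (not part of the answer above and not code from the page), the same parent-versus-child comparison written as a script. The sample NS sets are constructed from the dig output in the answer; the optional live lookup helpers assume the third-party dnspython package is installed and reproduce what `dig ZONE NS @server` does.

```python
"""Lame-delegation check: the NS set the parent zone publishes for a child
zone must equal the NS set the child's own servers answer at the apex.

Added example, not code from the page.  The sample data is constructed
from the dig output in the answer; the live_* helpers assume dnspython."""
from __future__ import annotations


def normalize(name: str) -> str:
    """DNS names compare case-insensitively and dig prints them with a
    trailing dot while other tools may not, so canonicalize both ways."""
    name = name.strip().lower()
    return name if name.endswith(".") else name + "."


def compare_delegation(parent_ns, child_views):
    """parent_ns: NS names the parent delegates to (dig @parent +auth).
    child_views: {server: NS names that server answers for the apex}.
    'lame' is True when any child server disagrees with the parent,
    which is the 'NS set mismatch' DNSViz warns about."""
    parent = frozenset(map(normalize, parent_ns))
    report = {"parent_ns": parent, "disagreeing_servers": {}, "lame": False}
    for server, names in child_views.items():
        child = frozenset(map(normalize, names))
        if child != parent:
            report["disagreeing_servers"][normalize(server)] = {
                "only_in_parent": parent - child,   # parent delegates to it, child does not list it
                "only_in_child": child - parent,    # child lists it, parent never delegates to it
            }
    report["lame"] = bool(report["disagreeing_servers"])
    return report


# Constructed from the dig output in the answer: gob.es delegates to
# ns3chos01 and nsjc8hos01, but nsjc8hos01 itself lists nsalchos01 and
# nsjc8hos01 (case and trailing dot varied on purpose).
SAMPLE_PARENT_NS = ["ns3chos01.telefonica-data.com.", "nsjc8hos01.telefonica-data.com."]
SAMPLE_CHILD_VIEWS = {
    "nsjc8hos01.telefonica-data.com.": [
        "nsalchos01.telefonica-data.com.",
        "NSJC8HOS01.telefonica-data.com",
    ],
}


def _ns_names(message, rdatatype_ns):
    """Collect NS targets from both ANSWER and AUTHORITY: a parent returns
    the delegation as a referral in AUTHORITY, a child answers in ANSWER."""
    names = set()
    for rrset in list(message.answer) + list(message.authority):
        if rrset.rdtype == rdatatype_ns:
            names.update(r.target.to_text() for r in rrset)
    return names


def live_parent_ns(zone: str, parent_server_ip: str, timeout: float = 3.0):
    """Delegation as the parent publishes it (assumes dnspython)."""
    import dns.message, dns.query, dns.rdatatype  # third-party
    q = dns.message.make_query(zone, dns.rdatatype.NS)
    return _ns_names(dns.query.udp(q, parent_server_ip, timeout=timeout), dns.rdatatype.NS)


def live_child_views(zone: str, parent_ns, timeout: float = 3.0):
    """Ask every delegated server for the zone's apex NS set (assumes dnspython)."""
    import dns.message, dns.query, dns.rdatatype, dns.resolver  # third-party
    views = {}
    for server in map(normalize, parent_ns):
        names = set()
        for a in dns.resolver.resolve(server, "A"):
            q = dns.message.make_query(zone, dns.rdatatype.NS)
            names |= _ns_names(dns.query.udp(q, a.address, timeout=timeout), dns.rdatatype.NS)
        views[server] = names
    return views


if __name__ == "__main__":
    r = compare_delegation(SAMPLE_PARENT_NS, SAMPLE_CHILD_VIEWS)
    print("lame delegation" if r["lame"] else "delegation consistent")
    for srv, diff in r["disagreeing_servers"].items():
        print(f"  {srv}: not delegated by parent={sorted(diff['only_in_child'])}, "
              f"not listed by child={sorted(diff['only_in_parent'])}")
```

Run as-is it evaluates the constructed sample and reports the mismatch; to check a real zone, feed `live_parent_ns(zone, <parent server IP>)` and `live_child_views(zone, parent_ns)` into `compare_delegation` instead. The check is deliberately symmetric: a server that is delegated to but does not list itself, and a server that answers but is never delegated to, are both lame-delegation symptoms.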

forvas:
So you mean that I can do nothing by myself, don't you? Since I do not have much idea about this, will this problem disappear if I start to use Google DNS servers? Apparently yes.
Patrick Mevzek:
"So you mean that I can do nothing by myself, don't you?" This is not at all what I said. Please see the paragraph starting with "However do read the warning". You HAVE TO fix your delegation as it is wrong. Only the owner of `agenciatributaria.gob.es` can do that. "Since I do not have much idea about this, will this problem disappear if I start to use Google DNS servers?" Absolutely not (maybe you see it "fixed" but others will still have problems). If you are new to DNS it may be wise for now to let someone else run the DNS service for your domain and to learn more about it.
forvas:
I understand from you that *agenciatributaria.gob.es* has a problem that they must fix. But I am not the owner of *agenciatributaria.gob.es*. That is an organisation which I depend on. And yeah, I'm a newbie on these DNS subjects.
Patrick Mevzek:
"That is an organisation which I depend on." Ask them to fix their DNS configuration then. You can find workarounds that may work for a time and then break again, especially in the least favorable moment, so they should fix their delegation. Any DNS professional should understand the term "lame delegation" and be able to know what needs to be fixed, so let them know this, and the DNSViz link can give another view on the subject.
forvas:
Ok, I understand, thank you @Patrick.
Score:2

Your local resolver is configured to forward DNS queries to 213.186.33.99, a DNS server that OVH provides to its customers. Querying this server directly reveals that it is reporting a failure.

$ host www2.agenciatributaria.gob.es 213.186.33.99
Using domain server:
Name: 213.186.33.99
Address: 213.186.33.99#53
Aliases: 

Host www2.agenciatributaria.gob.es not found: 2(SERVFAIL)

Edit your /etc/resolv.conf to provide another set of nameservers and then try again. Keep in mind that the domain you're looking up is still broken, as described by Patrick Mevzek's answer, so this is just a workaround.

forvas:
Thank you! I can do that with the `systemd-resolve --set-dns=8.8.8.8 --interface=ens3` command, but after rebooting the server I get the problem again. How can I make it persistent?
Michael Hampton:
@forvas See the last line of my answer.