Score:0

Server

75.75.75.75 (Comcast DNS) not resolving ironpawsllc.com

user3482229

6/2/23, 11:32 PM

IronPawsLLC.com is not pingable, gives an NXDOMAIN, and results in 0 answers when dig @75.75.75.75 ironpawsllc.com is used. So far, all the other DNS servers that I've tested against resolve. IronPawsLLC.com is a HostGator VPS4000 running CPanel, Centos7, and PowerDNS authoritative. CPanel and HostGator have repeatedly looked at it. Comcast says they don't know what's going on.

IronPawsLLC.com's IP, 162.240.41.15 is not on any blocklists, including Comcasts. If it is of any consequence, the server was migrated from 108.179.251.79.

For brevity and as a starting point, I am just listing a few DNS configuration tidbits.

The DNS zones are:

162-240-41-15.www.hostgator.com
41.240.162.in-addr.arpa
cloud-ci.unifiedlayer.com
ironpawsllc.com

The DNS glue is:

ironpawsllc.com.    3600    SOA 
Serial: 2022020103
Mname: ns1.ironpawsllc.com
Retry: 1800
Refresh: 3600
Expire: 1209600
Rname: [email protected]

ironpawsllc.com.    3600    NS  ns1.ironpawsllc.com
ironpawsllc.com.    3600    NS  ns2.ironpawsllc.com
ironpawsllc.com.    3600    A   162.240.41.15
ns1.ironpawsllc.com.    3600    A   162.240.41.15
ns2.ironpawsllc.com.    3600    A   162.240.41.68
5594881.ironpawsllc.com.    14400   A 162.240.41.15

I am still new to server administration, any insights are appreciated.

0 + 0

domain-name-system

centos

dns-zone

powerdns

joeqwerty

6/2/23, 11:59 PM

This is a Comcast problem. What are you looking for here? We can't advise you on how to fix a problem which isn't within your control nor purview to fix.

user3482229

6/3/23, 4:53 AM

I was looking for some PowerDNS setting to work around this problem. But if not, then I'll move on.

dave_thompson_085

6/3/23, 5:21 AM

I don't get NXDOMAIN; I get SERVFAIL from 75.75.75.75 and also 75.75.76.76 (the two main Comcast servers) using either dig or nslookup. That isn't outright wrong like NXDOMAIN would be, but it is still unhelpful. I happen to be a Comcast resi customer, although that shouldn't make any difference.

Patrick Mevzek

6/3/23, 10:13 AM

@dave_thompson_085 Lots of ISPs allow use of their recursive nameservers only internally from their network and not by everyone on the Internet, which makes sense and should be standard default practice.

Patrick Mevzek

6/3/23, 10:24 AM

@joeqwerty "This is a Comcast problem." No it is not, see my answer, the domain is DNSSEC broken any valid proper DNSSEC validating resolver will mark the domain as SERVFAIL which will block all resolution. The fact it happens with Comcast just shows they are doing a **GOOD** job here as they validating DNSSEC but this specific domain is broken (not configured correctly).

Score:2

Server

Patrick Mevzek

6/3/23, 10:22 AM

Your domain is not configured correctly, you have a DNSSEC problem, so the problem is not on the recursive resolver you use, no matter which, but on the domain itself, and you need to fix it.

See DNSViz analysis at https://dnsviz.net/d/ironpawsllc.com/YfurFA/dnssec/ (you have 9 errors to fix) but it is also easy to prove by using any validating resolver and comparing the answer with the default "DNSSEC validation" enabled and then explicitely disabling it:

$ dig @9.9.9.9 ironpawsllc.com NS

; <<>> DiG 9.16.25 <<>> @9.9.9.9 ironpawsllc.com NS
; (1 server found)
;; global options: +cmd
;; Sending:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58418
;; flags: rd ad; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 5c89ab72fd28093b
;; QUESTION SECTION:
;ironpawsllc.com.   IN NS

;; QUERY SIZE: 56

;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 58418

SERVFAIL can be many things but is also the case for any DNSSEC problem, and if disabling DNSSEC validation (the +cd flag):

$ dig @9.9.9.9 ironpawsllc.com NS +cd

; <<>> DiG 9.16.25 <<>> @9.9.9.9 ironpawsllc.com NS +cd
; (1 server found)
;; global options: +cmd
;; Sending:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2142
;; flags: rd ad cd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 4c56f2c5e1caa672
;; QUESTION SECTION:
;ironpawsllc.com.   IN NS

;; QUERY SIZE: 56

;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2142
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
; EDE: 9 (DNSKEY Missing)
;; QUESTION SECTION:
;ironpawsllc.com.   IN NS

;; ANSWER SECTION:
ironpawsllc.com.    1h IN NS ns1.ironpawsllc.com.
ironpawsllc.com.    1h IN NS ns2.ironpawsllc.com.

;; Query time: 366 msec
;; SERVER: 9.9.9.9#53(9.9.9.9)
;; WHEN: Thu Feb 03 11:17:07 CET 2022
;; MSG SIZE  rcvd: 86

The fact that for the same query on the same validating resolver works with +cd (checking disabled) but doesn't work without it, is a sign at 99.99% level of probability that DNSSEC is broken on the domain, and this is nicely shown and explained on above DNSViz page, for which I attach the resulting graph here:

NB: you even get above in dig output an "EDE" for Extended DNS Error, a recent addition in DNS land not yet supported by all nameservers, but here it tells you of a DNSSEC problem immediately: EDE: 9 (DNSKEY Missing)

As for

I am still new to server administration, any insights are appreciated.

If you are new to DNS and specially to DNS troubleshooting, it is better to stay away from DNSSEC completely, or let some external provider handle your DNS completely without you having to do anything. Here and now you have either to remove DNSSEC completely, or set up proper keys and digests. In both cases you need to go through your registrar to remove/update DS data that the registry will then later publish. Your DNS provider should help you with that.

0 + 0

Greg Askew

6/3/23, 12:13 PM

`If you are new to DNS and specially to DNS troubleshooting, it is better to stay away from DNSSEC completely`. +1. Also, since the zone probably isn't working (unless DNSSEC isn't being used), testing without DNSSEC would have helped.

Elon Musk

I sit in a Tesla and translated this thread with Ai:

EN: 75.75.75.75 (Comcast DNS) not resolving ironpawsllc.com

TH: 75.75.75.75 (Comcast DNS) ไม่สามารถแก้ไข ironpawsllc.com

RO: 75.75.75.75 (Comcast DNS) nu rezolvă ironpawsllc.com

RU: 75.75.75.75 (Comcast DNS) не разрешает ironpawsllc.com

VI: 75.75.75.75 (Comcast DNS) không phân giải được ironpawsllc.com

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.