
[public-dns-discuss] Re: Failing to resolve seacom.mu domain from google public dns .



wka... wrote:
ns3 and ns4 do not resolve to the same IP addresses. Please notice that one is .126. and the other is .127. Please check and confirm this.

Yes, you're right. This was an oversight on my part, but doesn't affect the problem.

Secondly, can you do a traceroute to our authoritative name servers to show us where packets could be getting filtered, if at all? Do this both on IPv4 and IPv6.

I can ping all four addresses from Google networks (but cannot easily test from the specific IP addresses used for querying authoritative servers—https://developers.google.com/speed/public-dns/faq#locations):

$ sudo ping -4 -qc 3 ns3.seacomnet.com
PING ns3.seacomnet.com (41.87.126.253) 56(84) bytes of data.
--- ns3.seacomnet.com ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2003ms
rtt min/avg/max/mdev = 103.637/103.735/103.817/0.379 ms

$ sudo ping -4 -qc 3 ns4.seacomnet.com
PING ns4.seacomnet.com (41.87.127.253) 56(84) bytes of data.
--- ns4.seacomnet.com ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2003ms
rtt min/avg/max/mdev = 103.581/105.329/108.689/2.391 ms

$ sudo ping -6 -qc 3 ns3.seacomnet.com
PING ns3.seacomnet.com(ns3-6.seacomnet.com (2c0f:feb0::3)) 56 data bytes
--- ns3.seacomnet.com ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2002ms
rtt min/avg/max/mdev = 106.298/110.134/112.293/2.719 ms

$ sudo ping -6 -qc 3 ns4.seacomnet.com
PING ns4.seacomnet.com(2c0f:feb0::4) 56 data bytes
--- ns4.seacomnet.com ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 5205ms
rtt min/avg/max/mdev = 106.503/106.566/106.652/0.062 ms

Running traceroute -U (by default this sends UDP/53 packets that are not actually DNS requests, rather than ICMP packets sent with -I) shows that traffic is reaching your name server IP addresses:

$ sudo traceroute -nU ns3.seacomnet.com | sed 2,12d
traceroute to ns3.seacomnet.com (41.87.126.253), 30 hops max, 60 byte packets
12  105.16.6.5  105.135 ms  103.759 ms  103.549 ms
13  105.16.33.6  103.750 ms 105.16.32.6  103.353 ms 105.16.33.7  103.366 ms
14  41.87.126.253  103.729 ms  104.100 ms  104.080 ms

$ sudo traceroute -nU ns4.seacomnet.com | sed 2,12d
traceroute to ns4.seacomnet.com (41.87.127.253), 30 hops max, 60 byte packets
12  105.16.6.5  103.756 ms  103.668 ms  103.559 ms
13  105.16.33.6  103.494 ms  103.752 ms 105.16.32.6  103.340 ms
14  41.87.127.253  103.597 ms  103.943 ms  103.787 ms

$ sudo traceroute6 -nU ns3.seacomnet.com | sed 2,10d
traceroute to ns3.seacomnet.com (2c0f:feb0::3), 30 hops max, 80 byte packets
10  2001:4860::9:4001:c35  184.923 ms 2001:4860::9:4001:c34  103.110 ms  103.415 ms
11  2001:4860:0:12e0::7  103.635 ms  103.402 ms 2c0f:feb0:1:1::5  103.391 ms
12  2c0f:feb0:1:1::5  103.764 ms  103.675 ms  103.626 ms
13  2c0f:feb0::3  108.129 ms 2c0f:feb0:d::1:6  106.139 ms 2c0f:feb0::3  108.244 ms

$ sudo traceroute6 -nU ns4.seacomnet.com | sed 2,10d
traceroute to ns4.seacomnet.com (2c0f:feb0::4), 30 hops max, 80 byte packets
10  2001:4860::9:4001:c35  103.433 ms 2001:4860::9:4001:c34  103.081 ms 2001:4860::9:4001:c35  103.517 ms
11  2c0f:feb0:1:1::5  103.855 ms  104.214 ms  104.063 ms
12  2c0f:feb0:1:1::5  104.114 ms  104.027 ms 2c0f:feb0:d::7  106.209 ms
13  2c0f:feb0:d::7  106.580 ms 2c0f:feb0:d::6  108.061 ms 2c0f:feb0::4  106.778 ms

When I used the Google Public DNS query site (https://dns.google.com/query?name=seacom.mu&type=A&dnssec=true) I got a successful answer, with the following comment:

Response from 41.87.126.253; 3312ms resolution time exceeds 2 seconds; some clients may time out.

Disabling DNSSEC validation (https://dns.google.com/query?name=seacom.mu&type=A&dnssec=false) eliminates that warning.
The problem seems to be the fact that when Google Public DNS queries your name servers with DNSSEC_OK (DO) in EDNS, it never receives the response, presumably because the response is too large and IP fragmentation takes place, and firewalls on your network are blocking both IPv4 and IPv6 fragments. Google Public DNS initially sends queries with DNSSEC OK set, but will retry without EDNS after a while if no response is received.

$ dig +dnssec +norec seacom.mu @ns3.seacomnet.com
; <<>> DiG 9.11.2-P1-1-Debian <<>> +dnssec +norec seacom.mu @ns3.seacomnet.com
;; global options: +cmd
;; connection timed out; no servers could be reached

$ dig -6 +dnssec +norec seacom.mu @ns4.seacomnet.com
; <<>> DiG 9.11.2-P1-1-Debian <<>> -6 +dnssec +norec seacom.mu @ns4.seacomnet.com
;; global options: +cmd
;; connection timed out; no servers could be reached

$ kdig +nocrypto +tcp +dnssec +norec seacom.mu @ns3.seacomnet.com
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 28503
;; Flags: qr aa; QUERY: 1; ANSWER: 2; AUTHORITY: 3; ADDITIONAL: 9

;; EDNS PSEUDOSECTION:
;; Version: 0; flags: do; UDP size: 4096 B; ext-rcode: NOERROR

;; QUESTION SECTION:
;; seacom.mu.                   IN      A

;; ANSWER SECTION:
seacom.mu.              14400   IN      A       105.16.115.2
seacom.mu.              14400   IN      RRSIG   A 7 2 14400 20180617230001 20180518230001 41447 seacom.mu. [omitted]

;; AUTHORITY SECTION:
seacom.mu.              14400   IN      NS      ns4.seacomnet.com.
seacom.mu.              14400   IN      NS      ns3.seacomnet.com.
seacom.mu.              14400   IN      RRSIG   NS 7 2 14400 20180617230001 20180518230001 41447 seacom.mu. [omitted]

;; ADDITIONAL SECTION:
ns3.seacomnet.com.      14400   IN      AAAA    2c0f:feb0::3
ns4.seacomnet.com.      14400   IN      AAAA    2c0f:feb0::4
ns3.seacomnet.com.      14400   IN      A       41.87.126.253
ns4.seacomnet.com.      14400   IN      A       41.87.127.253
ns3.seacomnet.com.      14400   IN      RRSIG   A 7 3 14400 20180617230000 20180518230000 51497 seacomnet.com. [omitted]
ns3.seacomnet.com.      14400   IN      RRSIG   AAAA 7 3 14400 20180617230000 20180518230000 51497 seacomnet.com. [omitted]
ns4.seacomnet.com.      14400   IN      RRSIG   A 7 3 14400 20180617230000 20180518230000 51497 seacomnet.com. [omitted]
ns4.seacomnet.com.      14400   IN      RRSIG   AAAA 7 3 14400 20180617230000 20180518230000 51497 seacomnet.com. [omitted]

;; Received 3013 B
;; Time 2018-05-20 16:51:09 EDT
;; From 2c0f:feb0::3@53(TCP) in 106.6 ms

Note that the DNSSEC signatures in the response aren't (currently) useful since your domain does not have a corresponding DS record in the parent .MU TLD zone that would enable DNSSEC validation.

You could improve the performance of your domain by either
However, Google Public DNS does seem to be resolving your domain, as long as you wait a bit longer than 3 seconds to get an answer.


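The three checks above (dig +dnssec over UDP timing out, a plain query working, kdig +tcp returning the full 3013-byte answer) can be scripted as one probe. This is an added example, not code from the mailing-list post or from Google Public DNS; it builds the DNS and EDNS0 OPT records by hand, and the classification threshold and the labels returned by diagnose are assumptions of this example, not anything the thread defines.

```python
import socket
import struct

# Added example (not from the post): query an authoritative server with EDNS DO over UDP,
# without EDNS over UDP, and over TCP, then classify the pattern the thread describes.

def build_query(name, qtype=1, edns=True, dnssec_ok=True, udp_size=4096, txid=0x1234):
    """Non-recursive query (like dig +norec), optionally with an EDNS0 OPT RR (RFC 6891)."""
    header = struct.pack(">HHHHHH", txid, 0, 1, 0, 0, 1 if edns else 0)  # flags 0: RD clear
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    question = qname + struct.pack(">HH", qtype, 1)                      # QCLASS IN
    if not edns:
        return header + question
    flags = 0x8000 if dnssec_ok else 0            # DO is the top bit of the 16-bit EDNS flags
    # OPT RR: root name, TYPE 41, CLASS = advertised UDP payload size, TTL = rcode/version/flags
    return header + question + b"\x00" + struct.pack(">HHBBHH", 41, udp_size, 0, 0, flags, 0)

def udp_query(server, packet, timeout=2.0):
    """Raw reply, or None on timeout (what the thread saw for dig +dnssec over UDP)."""
    family, _, _, _, addr = socket.getaddrinfo(server, 53, type=socket.SOCK_DGRAM)[0]
    with socket.socket(family, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(packet, addr)
        try:
            return s.recv(65535)
        except socket.timeout:
            return None

def tcp_query(server, packet, timeout=5.0):
    """Same query over TCP with the RFC 1035 two-byte length prefix (kdig +tcp); None on failure."""
    try:
        with socket.create_connection((server, 53), timeout=timeout) as s, s.makefile("rb") as f:
            s.sendall(struct.pack(">H", len(packet)) + packet)
            (length,) = struct.unpack(">H", f.read(2))
            return f.read(length)
    except (OSError, struct.error):
        return None

def diagnose(udp_do, udp_plain, tcp, mtu=1500):
    """Classify probe results; 'mtu' is a rough heuristic threshold, not a measured path MTU."""
    if udp_do is not None:
        return "udp-dnssec-ok"
    if udp_plain is None and tcp is None:
        return "server-unreachable"
    if udp_plain is not None and tcp is not None and len(tcp) > mtu:
        return "large-udp-lost-suspect-fragment-filtering"   # the pattern in this thread
    return "udp-dnssec-lost"
```

Run it as `diagnose(udp_query(s, build_query("seacom.mu")), udp_query(s, build_query("seacom.mu", edns=False)), tcp_query(s, build_query("seacom.mu")))` with `s` set to each name server from the post; a plain-UDP and TCP success alongside a DO-over-UDP timeout and a TCP answer larger than the path MTU is the fragment-filtering signature.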