DNS servers around here not working for days. dig works. fix?


Chris Bennett
This happens here in Mexico and also in Guatemala.
But it has been about five days now. Enough!

dig works fine, locally and using the server my USA website uses.
I tried adding that to /etc/resolv.conf and .tail but no help.
whois fails.
Digging every site I want to use is a pain and many won't work from IP.

I am coming through wifi with NAT that I do not control.

Any fixes to this problem?

Thanks,
Chris Bennett


Re: DNS servers around here not working for days. dig works. fix?

Dmitrij D. Czarkoff-2
Chris Bennett said:

> This happens here in Mexico and also in Guatemala.
> But it has been about five days now. Enough!
>
> dig works fine, locally and using the server my USA website uses.
> I tried adding that to /etc/resolv.conf and .tail but no help.
> whois fails.
> Digging every site I want to use is a pain and many won't work from IP.
>
> I am coming through wifi with NAT that I do not control.
>
> Any fixes to this problem?

echo -e "1i\nnameserver 8.8.8.8\n.\nwq" | doas ed /etc/resolv.conf.tail

--
Dmitrij D. Czarkoff


Re: DNS servers around here not working for days. dig works. fix?

Chris Bennett
Neither 8.8.8.8 nor 8.8.4.4 works.
After netstart, no. After reboot, no.


Re: DNS servers around here not working for days. dig works. fix?

Indunil Jayasooriya
Both 8.8.8.8 and 8.8.4.4 work for me.



On Tue, Jun 14, 2016 at 8:26 PM, Chris Bennett <
[hidden email]> wrote:

> Neither 8.8.8.8 nor 8.8.4.4 works.
> After netstart, no. After reboot, no.
>
>


--
cat /etc/motd

Thank you
Indunil Jayasooriya
http://www.theravadanet.net/
http://www.siyabas.lk/sinhala_how_to_install.html   -  Download Sinhala
Fonts


Re: DNS servers around here not working for days. dig works. fix?

lists-2
In reply to this post by Chris Bennett
I don't know if this will be usable for your case, here at home the aDSL
modem tries to be the resolver.  The trouble is with the ISP: their DNS
servers are quite frequently unreliable and unstable.  They even affect
the PPP connection state, as the modem firmware uses that to trigger self
induced reboots, while link is present and working.  You can imagine how
frustrating this can be for users not realising what's going on in fact.

To solve this, multiple times with various different locations, I ended
up setting up local resolving DNS server, recently this became Unbound,
on the gateway OpenBSD system, and it does resolution directly querying
root DNS servers.  I think this solved it for me ultimately many times.
For this ISP, this is the solution here, I believe this can help others.


Re: DNS servers around here not working for days. dig works. fix?

Chris Bennett
In reply to this post by Indunil Jayasooriya
They both work for me also, with dig @8.8.8.8, etc.
Whois fails, lynx, elinks, firefox cannot connect outside

Could this problem be because of my being behind the wifi NAT?

Chris Bennett


Re: DNS servers around here not working for days. dig works. fix?

Chris Bennett
In reply to this post by lists-2
On Tue, Jun 14, 2016 at 06:50:53PM +0300, [hidden email] wrote:
> I don't know if this will be usable for your case, here at home the aDSL
> modem tries to be the resolver.  The trouble is with the ISP: their DNS
> servers are quite frequently unreliable and unstable.  They even affect
> the PPP connection state, as the modem firmware uses that to trigger self
> induced reboots, while link is present and working.  You can imagine how
> frustrating this can be for users not realising what's going on in fact.

Yes, I agree completely. It is very frustrating. And of course, I want
to use sites that must have DNS working right now.
I could use my phone as a hotspot, but I need to use that money for
something else more important. One time, both systems for DNS went down!

>
> To solve this, multiple times with various different locations, I ended
> up setting up local resolving DNS server, recently this became Unbound,
> on the gateway OpenBSD system, and it does resolution directly querying
> root DNS servers.  I think this solved it for me ultimately many times.
> For this ISP, this is the solution here, I believe this can help others.

Well, in any case, I should learn how to use Unbound. Hopefully that can
help. And if not right here, maybe other spots with that problem. I've
had this problem with my laptop in many places with free wifi.

Thanks,
Chris


Re: DNS servers around here not working for days. dig works. fix?

lists-2
Tue, 14 Jun 2016 11:08:17 -0500 Chris Bennett
<[hidden email]>

> On Tue, Jun 14, 2016 at 06:50:53PM +0300, [hidden email] wrote:
> > I don't know if this will be usable for your case, here at home the aDSL
> > modem tries to be the resolver.  The trouble is with the ISP: their DNS
> > servers are quite frequently unreliable and unstable.  They even affect
> > the PPP connection state, as the modem firmware uses that to trigger self
> > induced reboots, while link is present and working.  You can imagine how
> > frustrating this can be for users not realising what's going on in fact.  
>
> Yes, I agree completely. It is very frustrating. And of course, I want
> to use sites that must have DNS working right now.
> I could use my phone as a hotspot, but I need to use that money for
> something else more important. One time, both systems for DNS went down!

I've had this many many times, the DSL service is more than 12 years active
and this trick went into production on the first day it came in service ;-)

> > To solve this, multiple times with various different locations, I ended
> > up setting up local resolving DNS server, recently this became Unbound,
> > on the gateway OpenBSD system, and it does resolution directly querying
> > root DNS servers.  I think this solved it for me ultimately many times.
> > For this ISP, this is the solution here, I believe this can help others.  
>
> Well, in any case, I should learn how to use Unbound. Hopefully that can
> help. And if not right here, maybe other spots with that problem. I've
> had this problem with my laptop in many places with free wifi.

It will.  If the ISP you're going through does capture all outgoing DNS
traffic and force redirects it through their name service, another go
at it is to optionally tunnel out (ssh, or anything else) and use DNS
service via the tunnelled connection.  Either set Unbound, or another
recursive resolver there and use it for your resolver, or simply pass
your DNS traffic for your own resolving name server through the tunnel.
The Unbound DNS resolver is in base, let me know if you need any tech
details with this in direct message and I'll add more specific details.

> Thanks,
> Chris


Re: DNS servers around here not working for days. dig works. fix?

Indunil Jayasooriya
In reply to this post by Chris Bennett
dig mx bsd.org @8.8.4.4

dig mx bsd.org @8.8.8.8

both work for me



On Tue, Jun 14, 2016 at 9:27 PM, Chris Bennett <
[hidden email]> wrote:

> They both work for me also, with dig @8.8.8.8, etc.
> Whois fails, lynx, elinks, firefox cannot connect outside
>
> Could this problem be because of my being behind the wifi NAT?
>
> Chris Bennett
>
>


--
cat /etc/motd

Thank you
Indunil Jayasooriya
http://www.theravadanet.net/
http://www.siyabas.lk/sinhala_how_to_install.html   -  Download Sinhala
Fonts


Re: DNS servers around here not working for days. dig works. fix?

Dmitrij D. Czarkoff-2
In reply to this post by Chris Bennett
Chris Bennett said:
> Neither 8.8.8.8 nor 8.8.4.4 works.

What does that mean, precisely?  Can you ping them?

--
Dmitrij D. Czarkoff


Re: DNS servers around here not working for days. dig works. fix?

Stuart Henderson
In reply to this post by Chris Bennett
On 2016-06-14, Chris Bennett <[hidden email]> wrote:

> This happens here in Mexico and also in Guatemala.
> But it has been about five days now. Enough!
>
> dig works fine, locally and using the server my USA website uses.
> I tried adding that to /etc/resolv.conf and .tail but no help.
> whois fails.
> Digging every site I want to use is a pain and many won't work from IP.
>
> I am coming through wifi with NAT that I do not control.
>
> Any fixes to this problem?

You could try "options tcp". If some DNS mitm is involved that may
bypass it. Or you could try dnscrypt-proxy, or some ssh port-forwarding
arrangement.


Re: DNS servers around here not working for days. dig works. fix?

Bruno Ferreira
In reply to this post by Chris Bennett
Hi Chris,
Does your network work fine? Can you reach ICMP at 8.8.8.8, for example?
Try the flag +trace with dig and see where it ends.
like: dig whatever.com @8.8.8.8 +trace

Best Regards,

2016-06-14 11:12 GMT-03:00 Chris Bennett <
[hidden email]>:

> This happens here in Mexico and also in Guatemala.
> But it has been about five days now. Enough!
>
> dig works fine, locally and using the server my USA website uses.
> I tried adding that to /etc/resolv.conf and .tail but no help.
> whois fails.
> Digging every site I want to use is a pain and many won't work from IP.
>
> I am coming through wifi with NAT that I do not control.
>
> Any fixes to this problem?
>
> Thanks,
> Chris Bennett
>
>


--
Atenciosamente,
Bruno Ferreira.


Re: DNS servers around here not working for days. dig works. fix?

Chris Bennett
$ dig  bsd.org @8.8.4.4 +trace  

; <<>> DiG 9.4.2-P2 <<>> bsd.org @8.8.4.4 +trace
;; global options:  printcmd
.                       7197    IN      NS      a.root-servers.net.
.                       7197    IN      NS      b.root-servers.net.
.                       7197    IN      NS      c.root-servers.net.
.                       7197    IN      NS      d.root-servers.net.
.                       7197    IN      NS      e.root-servers.net.
.                       7197    IN      NS      f.root-servers.net.
.                       7197    IN      NS      g.root-servers.net.
.                       7197    IN      NS      h.root-servers.net.
.                       7197    IN      NS      i.root-servers.net.
.                       7197    IN      NS      j.root-servers.net.
.                       7197    IN      NS      k.root-servers.net.
.                       7197    IN      NS      l.root-servers.net.
.                       7197    IN      NS      m.root-servers.net.
;; Received 228 bytes from 8.8.4.4#53(8.8.4.4) in 43 ms

dig: couldn't get address for 'm.root-servers.net': not found
pass ~ $ dig  bsd.org @8.8.8.8 +trace

; <<>> DiG 9.4.2-P2 <<>> bsd.org @8.8.8.8 +trace
;; global options:  printcmd
.                       7157    IN      NS      l.root-servers.net.
.                       7157    IN      NS      j.root-servers.net.
.                       7157    IN      NS      b.root-servers.net.
.                       7157    IN      NS      h.root-servers.net.
.                       7157    IN      NS      i.root-servers.net.
.                       7157    IN      NS      d.root-servers.net.
.                       7157    IN      NS      k.root-servers.net.
.                       7157    IN      NS      g.root-servers.net.
.                       7157    IN      NS      a.root-servers.net.
.                       7157    IN      NS      e.root-servers.net.
.                       7157    IN      NS      m.root-servers.net.
.                       7157    IN      NS      f.root-servers.net.
.                       7157    IN      NS      c.root-servers.net.
;; Received 228 bytes from 8.8.8.8#53(8.8.8.8) in 44 ms

dig: couldn't get address for 'i.root-servers.net': not found

Chris Bennett


Re: DNS servers around here not working for days. dig works. fix?

OpenBSD lists
Chris Bennett wrote:

> $ dig  bsd.org @8.8.4.4 +trace
>
> ; <<>> DiG 9.4.2-P2 <<>> bsd.org @8.8.4.4 +trace
> ;; global options:  printcmd
> .                       7197    IN      NS      a.root-servers.net.
> .                       7197    IN      NS      b.root-servers.net.
> .                       7197    IN      NS      c.root-servers.net.
> .                       7197    IN      NS      d.root-servers.net.
> .                       7197    IN      NS      e.root-servers.net.
> .                       7197    IN      NS      f.root-servers.net.
> .                       7197    IN      NS      g.root-servers.net.
> .                       7197    IN      NS      h.root-servers.net.
> .                       7197    IN      NS      i.root-servers.net.
> .                       7197    IN      NS      j.root-servers.net.
> .                       7197    IN      NS      k.root-servers.net.
> .                       7197    IN      NS      l.root-servers.net.
> .                       7197    IN      NS      m.root-servers.net.
> ;; Received 228 bytes from 8.8.4.4#53(8.8.4.4) in 43 ms
>
> dig: couldn't get address for 'm.root-servers.net': not found
> pass ~ $ dig  bsd.org @8.8.8.8 +trace
>
> ; <<>> DiG 9.4.2-P2 <<>> bsd.org @8.8.8.8 +trace
> ;; global options:  printcmd
> .                       7157    IN      NS      l.root-servers.net.
> .                       7157    IN      NS      j.root-servers.net.
> .                       7157    IN      NS      b.root-servers.net.
> .                       7157    IN      NS      h.root-servers.net.
> .                       7157    IN      NS      i.root-servers.net.
> .                       7157    IN      NS      d.root-servers.net.
> .                       7157    IN      NS      k.root-servers.net.
> .                       7157    IN      NS      g.root-servers.net.
> .                       7157    IN      NS      a.root-servers.net.
> .                       7157    IN      NS      e.root-servers.net.
> .                       7157    IN      NS      m.root-servers.net.
> .                       7157    IN      NS      f.root-servers.net.
> .                       7157    IN      NS      c.root-servers.net.
> ;; Received 228 bytes from 8.8.8.8#53(8.8.8.8) in 44 ms
>
> dig: couldn't get address for 'i.root-servers.net': not found
>
> Chris Bennett
>

Something is molesting your port 53 traffic.  I'd recommend using ssh to
tunnel your DNS traffic elsewhere (Set sshd to listen on port 53 on your
local machine and redirect that traffic to a trusted machine, then set
resolvers to 127.0.0.1).  A better solution might be to use unbound and
have its traffic pushed through the ssh tunnel so you can use the root
servers directly and not have to trust a DNS server owned by an
advertising company / obvious collaborator with corrupt governments
(8.8.x.x are Google's IPs).

It sounds to me like someone is trying, and failing, to do transparent
DPI on your traffic for some reason (Advertising, surveillance,
misguided attempts to 'optimize' their networks, or any number of other
possibilities).

-CA


Re: DNS servers around here not working for days. dig works. fix?

Stuart Henderson
In reply to this post by Chris Bennett
On 2016-06-14, Chris Bennett <[hidden email]> wrote:
> They both work for me also, with dig @8.8.8.8, etc.
> Whois fails, lynx, elinks, firefox cannot connect outside
>
> Could this problem be because of my being behind the wifi NAT?

Compare the full output from resolving there with dig with the same
thing ssh'd to another host (or post it here so someone else can compare).


Re: DNS servers around here not working for days. dig works. fix?

lists-2
In reply to this post by Chris Bennett
Tue, 14 Jun 2016 11:46:39 -0500 Chris Bennett
<[hidden email]>
> $ dig  bsd.org @8.8.4.4 +trace  
> dig: couldn't get address for 'm.root-servers.net': not found
>
> pass ~ $ dig  bsd.org @8.8.8.8 +trace
> dig: couldn't get address for 'i.root-servers.net': not found

You know I'm thinking you may be behind captive DNS, while still not
into tunnelling mode (of solving the problem), you could try another
group of public DNS servers.  Just search online for some others too.


Re: DNS servers around here not working for days. dig works. fix?

OpenBSD lists
[hidden email] wrote:

> Tue, 14 Jun 2016 11:46:39 -0500 Chris Bennett
> <[hidden email]>
>> $ dig  bsd.org @8.8.4.4 +trace
>> dig: couldn't get address for 'm.root-servers.net': not found
>>
>> pass ~ $ dig  bsd.org @8.8.8.8 +trace
>> dig: couldn't get address for 'i.root-servers.net': not found
>
> You know I'm thinking you may be behind captive DNS, while still not
> into tunnelling mode (of solving the problem), you could try another
> group of public DNS servers.  Just search online for some others too.
>
4.2.2.2 - 4.2.2.6 are pretty reliable.


Re: DNS servers around here not working for days. dig works. fix?

Chris Bennett
In reply to this post by Stuart Henderson
On Tue, Jun 14, 2016 at 05:28:48PM +0000, Stuart Henderson wrote:
> On 2016-06-14, Chris Bennett <[hidden email]> wrote:
> > They both work for me also, with dig @8.8.8.8, etc.
> > Whois fails, lynx, elinks, firefox cannot connect outside
> >
> > Could this problem be because of my being behind the wifi NAT?
>
> Compare the full output from resolving there with dig with the same
> thing ssh'd to another host (or post it here so someone else can compare).
>

from OK server:

dig bsd.org @8.8.8.8 +trace

; <<>> DiG 9.4.2-P2 <<>> bsd.org @8.8.8.8 +trace
;; global options:  printcmd
.                       7126    IN      NS      l.root-servers.net.
.                       7126    IN      NS      c.root-servers.net.
.                       7126    IN      NS      a.root-servers.net.
.                       7126    IN      NS      h.root-servers.net.
.                       7126    IN      NS      i.root-servers.net.
.                       7126    IN      NS      d.root-servers.net.
.                       7126    IN      NS      e.root-servers.net.
.                       7126    IN      NS      f.root-servers.net.
.                       7126    IN      NS      b.root-servers.net.
.                       7126    IN      NS      m.root-servers.net.
.                       7126    IN      NS      k.root-servers.net.
.                       7126    IN      NS      g.root-servers.net.
.                       7126    IN      NS      j.root-servers.net.
;; Received 228 bytes from 8.8.8.8#53(8.8.8.8) in 28 ms

org.                    172800  IN      NS      a0.org.afilias-nst.info.
org.                    172800  IN      NS      a2.org.afilias-nst.info.
org.                    172800  IN      NS      b0.org.afilias-nst.org.
org.                    172800  IN      NS      b2.org.afilias-nst.org.
org.                    172800  IN      NS      c0.org.afilias-nst.info.
org.                    172800  IN      NS      d0.org.afilias-nst.org.
;; Received 427 bytes from 198.97.190.53#53(h.root-servers.net) in 26 ms

bsd.org.                86400   IN      NS      ns1.tfm.com.
bsd.org.                86400   IN      NS      ns2.tfm.com.
bsd.org.                86400   IN      NS      ns.tfm.com.
;; Received 85 bytes from 199.19.56.1#53(a0.org.afilias-nst.info) in 182 ms

bsd.org.                86400   IN      A       192.231.225.11
bsd.org.                86400   IN      NS      ns2.tfm.com.
bsd.org.                86400   IN      NS      ns.tfm.com.
bsd.org.                86400   IN      NS      ns1.tfm.com.
;; Received 149 bytes from 66.180.173.221#53(ns1.tfm.com) in 27 ms


From problem computer:

dig bsd.org @8.8.8.8 +trace

; <<>> DiG 9.4.2-P2 <<>> bsd.org @8.8.8.8 +trace
;; global options:  printcmd
.                       24      IN      NS      l.root-servers.net.
.                       24      IN      NS      j.root-servers.net.
.                       24      IN      NS      b.root-servers.net.
.                       24      IN      NS      h.root-servers.net.
.                       24      IN      NS      i.root-servers.net.
.                       24      IN      NS      d.root-servers.net.
.                       24      IN      NS      k.root-servers.net.
.                       24      IN      NS      g.root-servers.net.
.                       24      IN      NS      a.root-servers.net.
.                       24      IN      NS      e.root-servers.net.
.                       24      IN      NS      m.root-servers.net.
.                       24      IN      NS      f.root-servers.net.
.                       24      IN      NS      c.root-servers.net.
;; Received 228 bytes from 8.8.8.8#53(8.8.8.8) in 46 ms

dig: couldn't get address for 'c.root-servers.net': not found

Every dig here gives a different letter with problem.
j.root-servers.net or m.root-servers.net, etc


Should I send more info?

Chris Bennett
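
Added example, not part of any poster's message: a small shell/awk helper that summarizes `dig +trace` output so the two traces compared above can be diffed stage by stage. The function names are hypothetical, and the sample input is abbreviated from the traces posted in this thread (NS lists shortened).

```shell
#!/bin/sh
# Sample input: abbreviated copies of the two traces posted in the thread.
good_trace() {
cat <<'EOF'
; <<>> DiG 9.4.2-P2 <<>> bsd.org @8.8.8.8 +trace
;; global options:  printcmd
.                       7126    IN      NS      l.root-servers.net.
.                       7126    IN      NS      c.root-servers.net.
;; Received 228 bytes from 8.8.8.8#53(8.8.8.8) in 28 ms

org.                    172800  IN      NS      a0.org.afilias-nst.info.
;; Received 427 bytes from 198.97.190.53#53(h.root-servers.net) in 26 ms

bsd.org.                86400   IN      NS      ns1.tfm.com.
;; Received 85 bytes from 199.19.56.1#53(a0.org.afilias-nst.info) in 182 ms

bsd.org.                86400   IN      A       192.231.225.11
bsd.org.                86400   IN      NS      ns1.tfm.com.
;; Received 149 bytes from 66.180.173.221#53(ns1.tfm.com) in 27 ms
EOF
}

bad_trace() {
cat <<'EOF'
; <<>> DiG 9.4.2-P2 <<>> bsd.org @8.8.8.8 +trace
;; global options:  printcmd
.                       24      IN      NS      l.root-servers.net.
.                       24      IN      NS      c.root-servers.net.
;; Received 228 bytes from 8.8.8.8#53(8.8.8.8) in 46 ms

dig: couldn't get address for 'c.root-servers.net': not found
EOF
}

# trace_path: read dig +trace output on stdin and print one line per
# completed stage: "<stage-number> <zone> <responder>".
trace_path() {
    awk '$3 == "IN" && $4 == "NS" { zone = $1 }
         /^;; Received/           { print ++n, zone, $6 }'
}

# summarize_trace: read dig +trace output on stdin and print a one-line
# verdict: "complete" if an address record was returned, otherwise
# "stalled" with the last zone reached and the name dig could not resolve.
summarize_trace() {
    awk '
        $3 == "IN" && $4 == "NS"                  { zone = $1 }
        $3 == "IN" && ($4 == "A" || $4 == "AAAA") { answered = 1 }
        /^;; Received/                  { stages++; last_zone = zone; from = $6 }
        # "\047" is the apostrophe; the name sits between the 2nd and 3rd one
        /^dig: couldn.t get address for/ { split($0, p, "\047"); unresolved = p[3] }
        END {
            if (answered)
                printf "complete stages=%d answer_from=%s\n", stages, from
            else
                printf "stalled stages=%d last_zone=%s unresolved=%s\n",
                       stages, last_zone, (unresolved == "" ? "-" : unresolved)
        }'
}

# first_missing_stage GOOD_CMD BAD_CMD: print the first stage that the
# reference trace completed but the failing trace never reached.
first_missing_stage() {
    n=$("$2" | trace_path | wc -l)
    "$1" | trace_path | sed -n "$((n + 1))p"
}

good_trace | summarize_trace
bad_trace  | summarize_trace
first_missing_stage good_trace bad_trace
```

To use it on live output, pipe `dig bsd.org @8.8.8.8 +trace 2>&1` from each host into `summarize_trace` instead of the embedded samples.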


Re: DNS servers around here not working for days. dig works. fix?

lists-2
In reply to this post by OpenBSD lists
Tue, 14 Jun 2016 11:38:03 -0700 Christopher Ahrens
<[hidden email]>

> [hidden email] wrote:
> > Tue, 14 Jun 2016 11:46:39 -0500 Chris Bennett
> > <[hidden email]>  
> >> $ dig  bsd.org @8.8.4.4 +trace
> >> dig: couldn't get address for 'm.root-servers.net': not found
> >>
> >> pass ~ $ dig  bsd.org @8.8.8.8 +trace
> >> dig: couldn't get address for 'i.root-servers.net': not found  
> >
> > You know I'm thinking you may be behind captive DNS, while still not
> > into tunnelling mode (of solving the problem), you could try another
> > group of public DNS servers.  Just search online for some others too.
>
> 4.2.2.2 - 4.2.2.6 are pretty reliable.

Yes, moreover this varies geographically, for other parts of the world
other public DNS servers could be close.  Large network operators have
free public DNS service, with the downside of marketing and/or censure.
I would second the proposed solution to get independent DNS resolution.


Re: DNS servers around here not working for days. dig works. fix?

lists-2
In reply to this post by Chris Bennett
Tue, 14 Jun 2016 13:48:56 -0500 Chris Bennett
<[hidden email]>
> > > They both work for me also, with dig @8.8.8.8, etc.
> > > Whois fails, lynx, elinks, firefox cannot connect outside
> > >
> > > Could this problem be because of my being behind the wifi NAT?  

Could you trip the power to the wifi translating network segment?

> > Compare the full output from resolving there with dig with the same
> > thing ssh'd to another host (or post it here so someone else can compare).
>
> from OK server:
>
> dig bsd.org @8.8.8.8 +trace
> ;; Received 149 bytes from 66.180.173.221#53(ns1.tfm.com) in 27 ms
>
> From problem computer:
>
> dig bsd.org @8.8.8.8 +trace
> dig: couldn't get address for 'c.root-servers.net': not found
>
> Every dig here gives a different letter with problem.
> j.root-servers.net or m.root-servers.net, etc
>
> Should I send more info?

If you want, test with another set of public DNS servers, but it
appears that you can't get anything back from your DNS requests
going out to remote destination port 53 over UDP.  You may want
to test with TCP on remote port 53 as suggested by Stuart, just
to confirm whether it's UDP specific or totally port 53 related.
