DNS lookup failing randomly

DNS lookup for the following set of domains is failing randomly when checked from Let's Encrypt's end, resulting in certificate purchase failures. Tried checking unbound results and it's randomly failing with SERVFAIL as it couldn't get info from sify.net. Can someone point out the exact reason for the random failures?

Domains:

support.teamhgs.com

CAA:
https://unboundtest.com/m/AAAA/support.teamhgs.com/IBFXSRPY - This fails
https://unboundtest.com/m/CAA/support.teamhgs.com/7RKRDVOO - This works

A:
https://unboundtest.com/m/A/support.teamhgs.com/MQLTEWH2 - This fails
https://unboundtest.com/m/A/support.teamhgs.com/5MDG4EZT - This works

AAAA:

https://unboundtest.com/m/AAAA/support.teamhgs.com/RX6NA3B2 - This fails
https://unboundtest.com/m/AAAA/support.teamhgs.com/IBFXSRPY - This works

opendoor.teamhgs.com

CAA:
https://unboundtest.com/m/CAA/opendoor.teamhgs.com/IA5N7J52 - This fails
https://unboundtest.com/m/CAA/opendoor.teamhgs.com/JVCLP5QF - This works

A:
https://unboundtest.com/m/A/opendoor.teamhgs.com/O7VSQOTO - This fails
https://unboundtest.com/m/A/opendoor.teamhgs.com/5YKC66RR - This works

tecx.teamhgs.com

CAA:
https://unboundtest.com/m/CAA/tecx.teamhgs.com/GZVJK3P7 - This fails
https://unboundtest.com/m/CAA/tecx.teamhgs.com/LPF6WHYP - This works

A:
https://unboundtest.com/m/A/tecx.teamhgs.com/KX4TKRXH - This fails
https://unboundtest.com/m/A/tecx.teamhgs.com/C43M5KMY - This works

AAAA:
https://unboundtest.com/m/AAAA/tecx.teamhgs.com/NTROA6TF - This fails
https://unboundtest.com/m/AAAA/tecx.teamhgs.com/JY7GO26F - This works

Your DNS responses are being provided by a combination of your own domain's DNS and that operated by ManageEngine. I can see there is a problem querying your DNS over TCP according to DNSViz, but UDP is working: support.teamhgs.com | DNSViz

3 Likes

Thanks for your reply. Yes, the domain support.teamhgs.com is CNAMEd to a ManageEngine domain. But sometimes the A/AAAA lookup is failing at the sify.net nameserver without being delegated to the ManageEngine nameservers.

Is it due to TCP failures?

Sorry, I don't know; the Unbound logs are quite difficult to interpret (to me). Ultimately the error seems to be "failed to get a delegation".

1 Like

Because I'm easily distracted I just published a log parser for Unbound:

It doesn't reveal an awful lot more in this case!

[this AI generated log viewer works for all sorts of logs, the magic of computers]

3 Likes

Yes, that is part of it. It must be fixed. In addition, there are sometimes a lot of grouped UDP time-outs:

tumbleweed:~ # while :; do dig +tries=1 +short teamhgs.com SOA @202.144.63.4 ; sleep 1 ;done
...
pdns.sify.net. dnsadmin.satyam-infoway.com. 1433849332 10800 3600 604800 3600
;; communications error to 202.144.63.4#53: timed out
;; no servers could be reached
;; communications error to 202.144.63.4#53: timed out
;; no servers could be reached
;; communications error to 202.144.63.4#53: timed out
;; no servers could be reached
;; communications error to 202.144.63.4#53: timed out
;; no servers could be reached
;; communications error to 202.144.63.4#53: timed out
;; no servers could be reached
;; communications error to 202.144.63.4#53: timed out
;; no servers could be reached
;; communications error to 202.144.63.4#53: timed out
;; no servers could be reached
;; communications error to 202.144.63.4#53: timed out
;; no servers could be reached
;; communications error to 202.144.63.4#53: timed out
;; no servers could be reached
;; communications error to 202.144.63.4#53: timed out
;; no servers could be reached
;; communications error to 202.144.63.4#53: timed out
;; no servers could be reached
;; communications error to 202.144.63.4#53: timed out
;; no servers could be reached
;; communications error to 202.144.63.4#53: timed out
;; no servers could be reached
;; communications error to 202.144.63.4#53: timed out
;; no servers could be reached
pdns.sify.net. dnsadmin.satyam-infoway.com. 1433849332 10800 3600 604800 3600
pdns.sify.net. dnsadmin.satyam-infoway.com. 1433849332 10800 3600 604800 3600
;; communications error to 202.144.63.4#53: timed out
;; no servers could be reached
pdns.sify.net. dnsadmin.satyam-infoway.com. 1433849332 10800 3600 604800 3600
pdns.sify.net. dnsadmin.satyam-infoway.com. 1433849332 10800 3600 604800 3600
;; communications error to 202.144.63.4#53: timed out
;; no servers could be reached
pdns.sify.net. dnsadmin.satyam-infoway.com. 1433849332 10800 3600 604800 3600
pdns.sify.net. dnsadmin.satyam-infoway.com. 1433849332 10800 3600 604800 3600
pdns.sify.net. dnsadmin.satyam-infoway.com. 1433849332 10800 3600 604800 3600
;; communications error to 202.144.63.4#53: timed out
;; no servers could be reached

And all the name server names have the same IP address (practically one nameserver only, 202.144.63.4 and 2001:e48:9584::a):

tumbleweed:~ # dig NS sify.net @202.144.63.4

; <<>> DiG 9.20.10 <<>> NS sify.net @202.144.63.4
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2234
;; flags: qr aa rd; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 4
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;sify.net.                      IN      NS

;; ANSWER SECTION:
sify.net.               1800    IN      NS      pdns.satyam.net.in.
sify.net.               1800    IN      NS      sdns.satyam.net.in.
sify.net.               600     IN      NS      sdns.sify.net.
sify.net.               600     IN      NS      pdns.sify.net.

;; ADDITIONAL SECTION:
pdns.satyam.net.in.     600     IN      A       202.144.63.4
sdns.satyam.net.in.     600     IN      A       202.144.63.4
sdns.sify.net.          600     IN      A       202.144.63.4
pdns.sify.net.          600     IN      A       202.144.63.4

;; Query time: 147 msec
;; SERVER: 202.144.63.4#53(202.144.63.4) (UDP)
;; WHEN: Wed Jul 02 11:05:57 UTC 2025
;; MSG SIZE  rcvd: 179

tumbleweed:~ #

Worst practice DNS configuration. :smile:

2 Likes
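As an added example (not code from the thread or from any of its participants), a small Python script that turns the two observations in the last reply into repeatable checks: it parses `dig +short` loop output like the one posted to count UDP timeouts and the longest timeout streak, and parses the ADDITIONAL section of a `dig NS` answer to see whether every NS name collapses onto a single address. The sample inputs are constructed excerpts of the output shown above, embedded inline so it runs offline.

```python
# Constructed sample: excerpt of the `dig +short ... SOA` loop output posted above.
LOOP_OUTPUT = """\
pdns.sify.net. dnsadmin.satyam-infoway.com. 1433849332 10800 3600 604800 3600
;; communications error to 202.144.63.4#53: timed out
;; no servers could be reached
;; communications error to 202.144.63.4#53: timed out
;; no servers could be reached
pdns.sify.net. dnsadmin.satyam-infoway.com. 1433849332 10800 3600 604800 3600
;; communications error to 202.144.63.4#53: timed out
;; no servers could be reached
pdns.sify.net. dnsadmin.satyam-infoway.com. 1433849332 10800 3600 604800 3600
"""
# Constructed sample: ADDITIONAL section of the posted `dig NS sify.net` output.
NS_GLUE = """\
pdns.satyam.net.in.     600     IN      A       202.144.63.4
sdns.satyam.net.in.     600     IN      A       202.144.63.4
sdns.sify.net.          600     IN      A       202.144.63.4
pdns.sify.net.          600     IN      A       202.144.63.4
"""

def probe_stats(text):
    """Return (answers, timeouts, longest timeout streak) from dig +short loop output."""
    answers = timeouts = streak = longest = 0
    for line in text.splitlines():
        if line.startswith(";; communications error") and line.endswith(": timed out"):
            timeouts, streak = timeouts + 1, streak + 1
            longest = max(longest, streak)
        elif line.strip() and not line.startswith(";;"):  # ";; no servers..." is a repeat
            answers, streak = answers + 1, 0
    return answers, timeouts, longest

def ns_address_diversity(text):
    """Map NS names to A/AAAA glue addresses; return (name count, distinct address count)."""
    addrs = {}
    for f in (line.split() for line in text.splitlines()):
        if len(f) == 5 and f[2] == "IN" and f[3] in ("A", "AAAA"):
            addrs.setdefault(f[0], set()).add(f[4])
    distinct = set().union(*addrs.values())  # empty set when there is no glue at all
    return len(addrs), len(distinct)

def findings(loop_text, glue_text):
    # Summarise both parses as the risks a validating resolver (e.g. Let's Encrypt's) would hit.
    ans, to, streak = probe_stats(loop_text)
    names, distinct = ns_address_diversity(glue_text)
    out = []
    if to:
        out.append(f"UDP loss: {to} of {ans + to} probes timed out (longest streak {streak})")
    if names > 1 and distinct == 1:
        out.append(f"{names} NS names share one address: no real nameserver redundancy")
    return out
```

Feed `probe_stats` the captured output of a real `dig` loop and `ns_address_diversity` the ADDITIONAL section of a real `dig NS` run to reproduce the same assessment for another zone.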