DNS problem: NXDOMAIN looking up A for


#1

Hello, here is the information for the topic:

My domain is: 88.168.18.109.rev.sfr.net

I ran this command: certbot renew --agree-tos

It produced this output:

The following errors were reported by the server:
Domain: 88.168.18.109.rev.sfr.net
Type: None
Detail: DNS problem: NXDOMAIN looking up A for
88.168.18.109.rev.sfr.net

The operating system my web server runs on: Linux

I can login to a root shell on my machine: yes

authenticator: webroot

I can modify DNS entry: no

I have checked my domain with several free DNS:
CloudFlare 1.1.1.1
Google 8.8.8.8
Hurricane Electric 74.82.42.42

All are working, here is the last test:

dig 88.168.18.109.rev.sfr.net @74.82.42.42
;; ANSWER SECTION:
88.168.18.109.rev.sfr.net. 43200 IN A 109.18.168.88
;; SERVER: 74.82.42.42#53(74.82.42.42)
;; WHEN: mer. nov. 28 21:03:37 CET 2018

So what is the problem with Let’s Encrypt DNS query?


#2

Hi @SCOTT-435418

I don’t know if this is the problem. But trying to check your name server I have a timeout:

D:\temp>nslookup 88.168.18.109.rev.sfr.net.
Name: 88.168.18.109.rev.sfr.net
Address: 109.18.168.88

D:\temp>nslookup -type=NS 88.168.18.109.rev.sfr.net.
DNS request timed out.
timeout was 2 seconds.

Now, 30 seconds later, I have an answer.

rev.sfr.net
primary name server = nsrevprov.dns.sfr.net
responsible mail addr = support.dns.sfr.net
serial = 2013072601
refresh = 10800 (3 hours)
retry = 3600 (1 hour)
expire = 1814400 (21 days)
default TTL = 86400 (1 day)


Edit: But your name server doesn’t know your domain:

D:\temp>nslookup 88.168.18.109.rev.sfr.net. nsrevprov.dns.sfr.net.
Server: UnKnown
Address: 109.0.74.133

*** 88.168.18.109.rev.sfr.net. wurde von UnKnown nicht gefunden: Non-existent domain.


#3

That’s a reverse DNS address…

It’s intended to be used as rDNS… Not a hostname…

Thank you


#4

I wonder whether this is another QNAME minimization bug in Unbound.

When I debug using the unbound-host tool, the final query before Unbound gives up is for the incomplete QNAME (168.18.109.rev.sfr.net., missing the leading 88.):

[1543437228] libunbound[21783:0] info: response for 88.168.18.109.rev.sfr.net. A IN
[1543437228] libunbound[21783:0] info: reply from <rev.sfr.net.> 109.0.66.8#53
[1543437228] libunbound[21783:0] info: incoming scrubbed packet: ;; ->>HEADER<<- opcode: QUERY, rcode: NXDOMAIN, id: 0
;; flags: qr aa ; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
168.18.109.rev.sfr.net. IN      A

;; ANSWER SECTION:

;; AUTHORITY SECTION:
rev.sfr.net.    0       IN      SOA     nsrevprov.dns.sfr.net. support.dns.sfr.net. 2013072601 10800 3600 1814400 86400

;; ADDITIONAL SECTION:
;; MSG SIZE  rcvd: 98

[1543437228] libunbound[21783:0] info: query response was NXDOMAIN ANSWER
Host 88.168.18.109.rev.sfr.net not found: 3(NXDOMAIN). (insecure)

Edit: Never mind. The problem isn’t QNAME minimisation, it’s 0x20 case randomization.

The nameserver that hosts your reverse DNS zone is case-sensitive.

e.g.

$ dig @109.0.66.18 88.168.18.109.rEv.sfr.nEt

; <<>> DiG 9.11.4-3ubuntu5-Ubuntu <<>> @109.0.66.18 88.168.18.109.rEv.sfr.nEt
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 35063
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1680
;; QUESTION SECTION:
;88.168.18.109.rEv.sfr.nEt.     IN      A

;; AUTHORITY SECTION:
rEv.sfr.nEt.            86400   IN      SOA     nsrevprov.dns.sfr.nEt. support.dns.sfr.nEt. 2013072601 10800 3600 1814400 86400

;; Query time: 330 msec
;; SERVER: 109.0.66.18#53(109.0.66.18)
;; WHEN: Thu Nov 29 07:39:13 AEDT 2018
;; MSG SIZE  rcvd: 112

You should get a real domain and better nameservers.
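A small simulation of the 0x20 failure described in this post, written as an added example (it is not code from this thread or from Let’s Encrypt’s resolver): it applies dns-0x20 case randomization to the query name and probes a lookup function the way a validating resolver would, against a constructed zone that is served once case-insensitively (as RFC 1034/4343 require) and once case-sensitively (as the rev.sfr.net server behaves). `ZONE`, `probe_0x20_tolerance` and the fixed seed are assumptions of this example.

```python
import random

# Constructed zone data modelling the thread's situation: the record exists, but
# the broken authoritative server compares QNAMEs byte-for-byte (case-sensitive).
ZONE = {"88.168.18.109.rev.sfr.net": "109.18.168.88"}  # constructed sample
NOERROR, NXDOMAIN = 0, 3  # DNS RCODEs


def randomize_case_0x20(qname: str, rng: random.Random) -> str:
    """dns-0x20: randomly flip the case of every ASCII letter in the query name.
    Digits and dots are untouched, so the '88.168.18.109' labels never change."""
    return "".join(c.upper() if c.isalpha() and rng.random() < 0.5 else c.lower()
                   for c in qname)


def rfc_compliant_lookup(qname: str) -> int:
    """RFC 1034/4343 behaviour: name matching ignores ASCII case."""
    return NOERROR if qname.lower() in ZONE else NXDOMAIN


def case_sensitive_lookup(qname: str) -> int:
    """The misbehaving server from the thread: only an exact-case match is found."""
    return NOERROR if qname in ZONE else NXDOMAIN


def probe_0x20_tolerance(qname: str, lookup, trials: int = 16, seed: int = 1) -> dict:
    """Query the plain lowercase name, then `trials` 0x20-randomized spellings of it.
    A server tolerates 0x20 when every variant returns the baseline RCODE.
    `lookup` is any callable qname -> rcode; point it at a real resolver call to
    probe a live server instead of the simulated zone above (hypothetical helper)."""
    rng = random.Random(seed)
    baseline = lookup(qname.lower())
    failing = [v for v in (randomize_case_0x20(qname, rng) for _ in range(trials))
               if lookup(v) != baseline]
    return {"baseline_rcode": baseline, "failing_variants": failing,
            "tolerant": not failing}


if __name__ == "__main__":
    for label, fn in (("RFC-compliant", rfc_compliant_lookup),
                      ("case-sensitive", case_sensitive_lookup)):
        r = probe_0x20_tolerance("88.168.18.109.rev.sfr.net", fn)
        print(f"{label}: tolerant={r['tolerant']}, "
              f"first failing spelling={r['failing_variants'][:1]}")
```

Against the case-sensitive server almost every randomized spelling comes back NXDOMAIN while the all-lowercase name resolves, which is exactly the mismatch between `dig` and the Let’s Encrypt validation seen in this thread.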


#5

Thanks for your sleuthing @_az!

We have left QNAME minimization disabled since the initial bug you found & got fixed with upstream (thanks for that too! :heart:). It isn’t likely something we will re-enable.


#6

Oh, of course! It was never added to https://github.com/jsha/unboundtest/blob/master/unbound.conf to begin with so it didn’t quite register. I’ll get rid of it from letsdebug as well.


#7

Totally unrelated, but sfr.net's nameservers (which are different from rev.sfr.net's nameservers) also mishandle EDNS.


#8

3 posts were split to a new topic: DNS names that resolve to an IP address in the name


#10

So here is what I have understood from your contributions and additional tests:

  • the first problem comes from the DNS server ns1.9services.com, which does not correctly handle the EDNS0 DNS protocol evolution (Thanks to [mnordhoff])
  • the second problem comes from nsrev00.dns.sfr.net, which is case-sensitive and therefore not compliant with the DNS protocol. That arises because the Let’s Encrypt DNS resolver uses the experimental dns-0x20 protocol to protect against DNS cache poisoning attacks (Thanks to [_az])

Am I right?
Well, it is obvious I could not have understood all those things without your help.

Now I just have to find a way to get a fixed IP where I can control the rDNS record, because I am self-hosting my e-mail server at home and I need FCrDNS, as pointed out by [rg305].


#11

I feel that the easier thing to try would be:

  • Purchase a domain name, use external nameservers to point it to your IP
  • Ask your ISP to set a reverse DNS mapping to that domain name (which they may or may not be willing to do, maybe email them first)

This way, Let’s Encrypt can resolve your domain (forward DNS) and you will have reverse DNS for your mail server (which will still fail 0x20 but it won’t matter to Let’s Encrypt).

If you go for a different fixed IP, your ISP would have to delegate you an IP from a range that has its in-addr.arpa zone hosted on non-broken nameservers, which seems much harder to achieve.


#12

True, you’ll need reverse DNS set up for the IP address, and that must match the server’s outgoing hostname.

But you could just set up the hostname to be your domain name / mail server address, and you will need to contact your ISP (they might charge you) to set up a PTR record and a static IP.

You shouldn’t use the PTR address for the server name or website, because that one is unstable (the ISP might stop it at any time) and isn’t intended to be used as a regular domain. (Some ISPs even prohibit this.)

Thank you