DNS problem: query timed out looking up A for edwinchambilla.com


#1

We run a custom PHP script to install and renew certificates, using the Let’s Encrypt API.

Today was impossible to get the certificate for the domain “edwinchambilla.com”, we get the next message:

{"identifier":{"type":"dns","value":"edwinchambilla.com"},"status":"invalid","expires":"2019-01-05T16:03:04Z","challenges":[{"type":"tls-alpn-01","status":"invalid","uri":"https:\/\/acme-v01.api.letsencrypt.org\/acme\/challenge\/G9k2UgXpjccnj-TwjwL2BPDdj1VsTv9vDgWXNUlDOV8\/10848253459","token":"7vr1dp25wBnN4PF7jjOb0m3LZG4jay7bHt7e7vKGfts"},{"type":"dns-01","status":"invalid","uri":"https:\/\/acme-v01.api.letsencrypt.org\/acme\/challenge\/G9k2UgXpjccnj-TwjwL2BPDdj1VsTv9vDgWXNUlDOV8\/10848253462","token":"lNR_XyXN43Y7Dvj8QvYhY47Qhvk5cw8AyxLRohIvHTs"},{"type":"http-01","status":"invalid","error":{"type":"urn:acme:error:dns","detail":"DNS problem: query timed out looking up A for edwinchambilla.com","status":400},"uri":"https:\/\/acme-v01.api.letsencrypt.org\/acme\/challenge\/G9k2UgXpjccnj-TwjwL2BPDdj1VsTv9vDgWXNUlDOV8\/10848253467","token":"JIP7Ku_TTkOxRtfC6S5DrD9hFxCcZuJMbrB4ZssDLwU","validationRecord":[{"url":"http:\/\/edwinchambilla.com\/.well-known\/acme-challenge\/JIP7Ku_TTkOxRtfC6S5DrD9hFxCcZuJMbrB4ZssDLwU","hostname":"edwinchambilla.com","port":"80"}]}],"combinations":[[0],[2],[1]]}

As you can see, the detail is: “DNS problem: query timed out looking up A for edwinchambilla.com” but if you go to Google DNS check tool, you can get the IP for that domain: https://dns.google.com/resolve?name=edwinchambilla.com&type=A&cd=1

Please, help me, I need to know why the Let’s Encrypt API returns that message when at the DNS for the domain all seems right.

Thanks.


#2

This seems to be a geographically restricted problem.

From the west coast (California), I can reproduce the timeout. (And you can too, since unboundtest.com is hosted in CA).

When I run the exact same DNS test (using the same software, though you can try at letsdebug.net) from the east coast (New York), it is fine.

I’ve made a packet capture of a failed lookup attempt from CA (DigitalOcean SF2) available, which shows a whole bunch of unanswered queries that lead to timeout:

timeout.pcap (31.5 KB)

The large number of queries to your nameservers is caused by the nameservers’ lack of support for 0x20 mixed case randomization (https://tools.ietf.org/html/draft-vixie-dnsext-dns0x20-00), which causes the resolver to go into “caps-for-id fallback mode”, where it needs to send a large volume of queries to verify the responses.

Additionally, I observed that after my failed test, your nameservers were completely dropping all DNS traffic from my host (which did work initially), but ICMP echo continued to work. That’s pretty suggestive of rate limiting or firewall behavior.

The other aspect of this is that ns1.dondominio.com/ns2.dondominio.com are anycasted hosts.

So, to summarize, it would seem to be that the NY anycasted nameservers for this domain are responding well to Let’s Encrypt’s queries, whereas the CA anycasted ones are not.

Since this can be reproduced with relative ease, I would probably send the packet capture to your host/NOC and ask them to look into why the traffic is dropping.


#3

I now see:
Resolving edwinchambilla.com (edwinchambilla.com)… 159.69.61.151
Connecting to edwinchambilla.com (edwinchambilla.com)|159.69.61.151|:80… connected.
HTTP request sent, awaiting response… 301 Moved Permanently
Location: http://www.edwinchambilla.com/ [following]

Where:
www.edwinchambilla.com
Name: rivendel.arcadina.net
Addresses: 2a01:4f8:231:d1b::2
159.69.61.151
Aliases: www.edwinchambilla.com
edwinchambilla.arcadina.com

And:
Connecting to www.edwinchambilla.com (www.edwinchambilla.com)|2a01:4f8:231:d1b::2|:80… failed: No route to host.


#4

Thanks a lot, that info was very usefull. We pass it to our registrar, which operates the DNS servers.


#5

Thanks for the info.