DNS problem: query timed out looking up A for exon.name


#1

I know that this is a very common problem and I’ve looked through a bunch of earlier threads. Often people are directed to check their domain’s NS servers respond correctly, and I’m pretty sure mine do. I’ve tried this several times over about a month, so I doubt that it’s a transient problem.

My domain is exon.name and I have a ton of subdomains running on the same server. I’m trying to use letsencrypt to work on one at a time, mostly either exon.name or rei.exon.name. Both of these fail the A lookups, but appear to work for me fine. See the dig commands below.

My DNS provider is DNSpod. That’s a Chinese company, which may or may not be relevant (lots of things don’t make it through the GFW). The three NS servers are a.dnspod.com, b.dnspod.com and c.dnspod.com. When I tried just now all three replied correctly.

Any ideas?

BTW, it seems to be a common problem that the DNS lookup fails. People are directed to check their NS records, and then check that all the listed NS servers reply with the correct address. Might be worth automating this to provide a better error message, i.e. “Your domain lists NS servers a.dnspod.com, b.dnspod.com, c.dnspod.com, but two of them didn’t reply to our query”.

mat@rei:~/letsencrypt$ dig @8.8.8.8 exon.name NS

; <<>> DiG 9.9.5-3ubuntu0.8-Ubuntu <<>> @8.8.8.8 exon.name NS
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27341
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;exon.name.			IN	NS

;; ANSWER SECTION:
exon.name.		599	IN	NS	c.dnspod.com.
exon.name.		599	IN	NS	a.dnspod.com.
exon.name.		599	IN	NS	b.dnspod.com.

;; Query time: 138 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Wed Mar 30 09:09:24 UTC 2016
;; MSG SIZE  rcvd: 96

mat@rei:~/letsencrypt$ dig @a.dnspod.com exon.name A

; <<>> DiG 9.9.5-3ubuntu0.8-Ubuntu <<>> @a.dnspod.com exon.name A
; (3 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21318
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;exon.name.			IN	A

;; ANSWER SECTION:
exon.name.		600	IN	A	52.76.96.61

;; AUTHORITY SECTION:
exon.name.		600	IN	NS	c.dnspod.com.
exon.name.		600	IN	NS	a.dnspod.com.
exon.name.		600	IN	NS	b.dnspod.com.

;; Query time: 193 msec
;; SERVER: 112.90.141.215#53(112.90.141.215)
;; WHEN: Wed Mar 30 09:09:42 UTC 2016
;; MSG SIZE  rcvd: 132

mat@rei:~/letsencrypt$ dig @b.dnspod.com exon.name A

; <<>> DiG 9.9.5-3ubuntu0.8-Ubuntu <<>> @b.dnspod.com exon.name A
; (3 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1778
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;exon.name.			IN	A

;; ANSWER SECTION:
exon.name.		600	IN	A	52.76.96.61

;; AUTHORITY SECTION:
exon.name.		600	IN	NS	a.dnspod.com.
exon.name.		600	IN	NS	b.dnspod.com.
exon.name.		600	IN	NS	c.dnspod.com.

;; Query time: 53 msec
;; SERVER: 119.28.48.234#53(119.28.48.234)
;; WHEN: Wed Mar 30 09:09:56 UTC 2016
;; MSG SIZE  rcvd: 132

mat@rei:~/letsencrypt$ dig @c.dnspod.com exon.name A

; <<>> DiG 9.9.5-3ubuntu0.8-Ubuntu <<>> @c.dnspod.com exon.name A
; (3 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12921
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;exon.name.			IN	A

;; ANSWER SECTION:
exon.name.		600	IN	A	52.76.96.61

;; AUTHORITY SECTION:
exon.name.		600	IN	NS	a.dnspod.com.
exon.name.		600	IN	NS	b.dnspod.com.
exon.name.		600	IN	NS	c.dnspod.com.

;; Query time: 277 msec
;; SERVER: 115.236.151.160#53(115.236.151.160)
;; WHEN: Wed Mar 30 09:10:05 UTC 2016
;; MSG SIZE  rcvd: 132

#2

I’m getting intermittent timeouts from your name servers, e.g.:

dig @c.dnspod.com exon.name

; <<>> DiG 9.8.3-P1 <<>> @c.dnspod.com exon.name
; (3 servers found)
;; global options: +cmd
;; connection timed out; no servers could be reached

Might just be the GFW as you mentioned. Not sure there’s much you can do, other than possibly switching to a different DNS provider.
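Added example (not part of any post in this thread, and not Let's Encrypt's code): one way to automate the per-nameserver check suggested in post #1, repeating each query because the failures seen in post #2 were intermittent. The function names, the `flaky` stand-in and the sample outputs are constructed for illustration; `run_dig` assumes `dig` is installed.

```python
import re
import subprocess
from collections import Counter

def run_dig(server, name, rtype="A", seconds=3):
    """One query to one server, no retries; returns dig's text output."""
    cmd = ["dig", f"@{server}", name, rtype, "+tries=1", f"+time={seconds}"]
    return subprocess.run(cmd, capture_output=True, text=True).stdout

def classify(output):
    """Reduce one dig output to 'ok', 'timeout', 'empty' or an RCODE name."""
    status = re.search(r"status: (\w+)", output)
    if "connection timed out" in output or not status:
        return "timeout"          # no parseable reply came back
    if status.group(1) != "NOERROR":
        return status.group(1)    # e.g. SERVFAIL, REFUSED
    answers = re.search(r"ANSWER: (\d+)", output)
    return "ok" if answers and int(answers.group(1)) > 0 else "empty"

def probe(name, nameservers, tries=5, query=run_dig):
    """Query every listed nameserver `tries` times and tally the outcomes."""
    return {ns: Counter(classify(query(ns, name)) for _ in range(tries))
            for ns in nameservers}

def report(name, results):
    """Build the kind of error message post #1 asks for."""
    listed = ", ".join(results)
    bad = [f"{ns} failed {sum(c.values()) - c['ok']} of {sum(c.values())} queries"
           for ns, c in results.items() if c["ok"] < sum(c.values())]
    if not bad:
        return f"{name} lists NS servers {listed}; all replied to every query"
    return f"{name} lists NS servers {listed}, but " + "; ".join(bad)

# Constructed sample outputs, trimmed to the shapes shown in this thread.
OK = (";; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1\n"
      ";; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 1\n")
TIMEOUT = ";; connection timed out; no servers could be reached\n"

def flaky(server_down, every=2):
    """Stand-in for run_dig: `server_down` times out on every `every`-th query."""
    calls = Counter()
    def query(server, name):
        calls[server] += 1
        return TIMEOUT if server == server_down and calls[server] % every == 0 else OK
    return query

if __name__ == "__main__":
    servers = ["a.dnspod.com", "b.dnspod.com", "c.dnspod.com"]
    print(report("exon.name", probe("exon.name", servers, 4, flaky("c.dnspod.com"))))
```

Dropping the `query=` argument makes `probe` call the real `dig`. The tallies only describe the network path from the machine running it, which is why the queries in post #1 succeeded while those in post #2 timed out.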


#3

Bummer. Any free DNS providers people recommend around these parts?


#4

I usually just go with CloudFlare. The proxy/WAF thing is optional, you can use them as a DNS-only provider. They even have some PoPs in China AFAIK, although I’m not sure if those are used by default.


#5

Thanks for the advice, I’ll switch to Cloudflare, give it a couple of days to settle down, then try again.


#6

Well it’s working great already! It does look like DNSpod just sucks. I originally chose it because I mostly operate in China, but now I think about it, there have been more and more random DNS problems in the last few months. Hopefully Cloudflare will be more reliable.