DNS problem: query timed out looking up A

And I decide each week to win the lottery ...
But my decision matters not; Week after week I don't win it.

3 Likes

(probably language barrier, they possibly meant “thought”)

3 Likes

I mean, I've considered applying to work there, but I'm pretty happy in my current job. I appreciate the vote of confidence that I could do so if I wanted to, though. :slight_smile:

Another tool, which I haven't seen mentioned in this thread yet, is DNSViz. In the "advanced options" for analyzing a site, you can pick a couple different "perspectives", to try getting to your DNS server from a few different places on the Internet.

In general, though, I don't think there's really much of anything that anyone here can do, as your DNS server has to be fully available in order to get a certificate from a CA. You might be able to try some other CAs too, if you can find one for whom all their tests can connect to your networks, but you may run into the same sorts of problems when you go to renew unless your hosting/network provider has fixed the problems. (And my understanding is that some CAs don't want to deal with issuing for .ru domains at all.)

6 Likes

This issue opens a question: why does reachability of one (or two) out of many authoritative DNS servers lead to certificate renewal issues? We store zones on multiple DNS servers exactly for the purpose of high availability. Why isn't LE satisfied with the replies from the other servers?

@petercooperjr DNSViz found two issues:

abisoft.spb.ru zone: The server(s) were not responsive to queries over TCP. (216.218.130.2)
ru zone: The server(s) were not responsive to queries over UDP. (2001:678:14:0:193:232:156:17)

which obviously shouldn't affect the renewal

It most definitely could.

1 Like

Hopefully, it's legal to call for someone from LE.

@mcpherrinm any chances you or your colleagues could shed some light on this issue?

Found this service Let's Debug

It shows that everything is OK with the domain, and yet when you try to issue a certificate, the same error occurs.

What else can be done in this situation?

I have the same trouble in zone spb.ru. Has anyone found what the problem?

1 Like

Yes, also have problem with renew LE SSL in spb.ru zone/

@knX5Fw In my understanding some LE's servers are located behind some Russian ISPs that have a traffic blocking device installed (TSPU) and that blocks access to certain IPs, in this case to the HE's IP addresses.

From 4 zones works only 1 :smiley: example.spb.ru works, but www.example.spb.ru don't. We tried from different servers. Tried different zones. Nothing helps.

There is information that there was a DDoS attack on the root DNS servers of geodomains (including .spb.ru) and filtering worked. Apparently, LE's IP addresses were also blocked. But today the filtering was removed, but LE still does not see the domains. Maybe some cache on the LE side. Is there anyone in the community who can check and fix this?

Works! It's a liveeee!!!!!!11

Yeah!! Thanks a lot to everyone involved!

Yes, it worked!

No one reported to Russian domain services... Except me. Enjoy friends :slight_smile:

1 Like

@schors that wasn't obvious. btw, those IPs are still blocked in TSPU.
anyway, thanks to you too! :slight_smile:

The problem was in RU-CENTER DNS. There are Letsencrypt IP-addresses was blocked by RU-CENETR DDoS protection system. For me and few my friend problem was solved about hour ago

4 Likes

Ack, solved also here

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.