DNS query timeouts

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: ryan0270.tplinkdns.com

I ran this command:
It produced this output:

[~]$ sudo certbot certonly -a manual -d ryan0270.tplinkdns.com
[sudo] password for ryantr:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Renewing an existing certificate for ryan0270.tplinkdns.com

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Create a file containing just this data:

c8nIOcEWe696_45nVfeK9osevqcSKF7PaxxB06QvXoI.T2U7GN_xD8p07ayVsgtrA2xPAJTA2fIe5cM1AFv6jSU

And make it available on your web server at this URL:

http://ryan0270.tplinkdns.com/.well-known/acme-challenge/c8nIOcEWe696_45nVfeK9osevqcSKF7PaxxB06QvXoI

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue

Certbot failed to authenticate some domains (authenticator: manual). The Certificate Authority reported these problems:
  Domain: ryan0270.tplinkdns.com
  Type:   dns
  Detail: DNS problem: query timed out looking up A for ryan0270.tplinkdns.com; DNS problem: NXDOMAIN looking up AAAA for ryan0270.tplinkdns.com - check that a DNS record exists for this domain

Hint: The Certificate Authority failed to verify the manually created challenge files. Ensure that you created these in the correct location.

Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version):

[~]$ nginx -version
nginx version: nginx/1.28.0

The operating system my web server runs on is (include version):
Arch Linux, updated May 2025

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):
yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

[~]$ certbot --version
certbot 4.0.0

I've been manually updating my certificates for this domain for many years without issue, but last week I started getting this error. I waited a few days to see if the error fixed itself, but no luck.

The old certificate is still valid and I'm still able to access the normal content (home-assistant, currently stopped) via browser. The only surface problems I see are related to this certificate renewal, but running nslookup from the server (home PC behind router with port forwarding) complains about not finding the server.

[~]$ nslookup ryan0270.tplinkdns.com
Server:         127.0.0.53
Address:        127.0.0.53#53

Non-authoritative answer:
Name:   ryan0270.tplinkdns.com
Address: 68.47.49.146
** server can't find ryan0270.tplinkdns.com: NXDOMAIN

Running the same lookup from a Linode instance I use does not complain that it can't find the server. I'm already well out of my depth; where do I go from here to track down what has changed within the last few months since I last renewed without any problems?

It appears that ns1.tplinkdns.com is not currently responding to DNS requests; however, ns2.tplinkdns.com is responding. That could be causing the responses.

3 Likes

Let's Debug is reporting the same thing:

Your DNS servers aren't responding, which is likely a problem with TPLink's dynamic DNS service. I'd suggest you get in touch with their support channels to see what's going on there, because a good bit of the Internet can't resolve your domain name.

5 Likes

By the way, this domain looks like a DDNS domain but isn't on the public suffix list; not sure if it's popular enough to get rate-limited by the 50 certs/week limit per base domain.

4 Likes

I've been back and forth with tplinkdns tech support, and they said AAAA records (the error referenced in the Let's Debug link) are not supported, but that is not a recent change. Has there been a change in Let's Encrypt with respect to that? Is there a way for me to tell it to skip this?

ns1.tplinkdns.com is still not responding, and ns2.tplinkdns.com is still only responding to UDP requests. The NXDOMAIN (Name Error) response code returned when querying for AAAA and CAA records is non-compliant and indicates that your domain doesn't exist and shouldn't get a certificate (the correct response is NOERROR).

Unless tp-link can fix these issues, I suggest going to another DDNS provider such as duckdns.org.

2 Likes
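Two points in this thread are worth being able to check yourself: the original poster's "where do I go from here", and the explanation above that NXDOMAIN for AAAA or CAA on a name that has an A record is non-compliant (a name that exists must answer NOERROR with an empty answer section, i.e. NODATA). The script below is an added example, not code from the thread or from Let's Encrypt, Certbot or TP-Link. It hand-builds DNS queries, sends them straight to each authoritative server over UDP and over TCP (bypassing your recursive resolver, which is what hid the problem in the nslookup output), and classifies the AAAA/CAA reply against the A reply. The server addresses, the name `host.example.com`, and the replies fabricated by `build_response` are placeholders constructed for the example; for a live run, substitute the addresses that `dig NS tplinkdns.com` returns and the real hostname.

```python
import random
import socket
import struct

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
          4: "NOTIMP", 5: "REFUSED"}
QTYPES = {"A": 1, "AAAA": 28, "CAA": 257}


def encode_name(name):
    """Wire-encode a domain name as length-prefixed labels, root-terminated."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name, qtype, txid=None):
    """Standard query: RD=1, one question, no EDNS (fits any server's UDP limit)."""
    if txid is None:
        txid = random.randrange(0x10000)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPES[qtype], 1)


def build_response(query, rcode, answers=()):
    """Constructed, test-only helper: fake an authoritative reply to `query`.
    `answers` is a list of (type number, rdata bytes); each RR's owner is a
    compression pointer (0xC00C) back to the question name at offset 12."""
    txid = struct.unpack("!H", query[:2])[0]
    flags = 0x8400 | (rcode & 0xF)                      # QR=1, AA=1, RCODE
    header = struct.pack("!HHHHHH", txid, flags, 1, len(answers), 0, 0)
    rrs = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", t, 1, 300, len(rd)) + rd
                   for t, rd in answers)
    return header + query[12:] + rrs


def parse_response(msg):
    """Header fields and section counts: enough to judge RCODE, AA and TC."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & 0x8000), "aa": bool(flags & 0x0400),
            "tc": bool(flags & 0x0200),
            "rcode": RCODES.get(flags & 0xF, hex(flags & 0xF)),
            "answers": an, "authority": ns}


def classify(a_resp, other_resp):
    """Judge an AAAA/CAA reply in light of the A reply for the same name.
    If the name has an A record it exists, so the only compliant answers for
    other types are records or an empty NOERROR (NODATA); NXDOMAIN there is
    the inconsistency that makes a CA treat the name as nonexistent."""
    name_exists = a_resp["rcode"] == "NOERROR" and a_resp["answers"] > 0
    rc = other_resp["rcode"]
    if rc == "NOERROR":
        return "HAS_RECORDS" if other_resp["answers"] else "NODATA"
    if rc == "NXDOMAIN":
        return "NXDOMAIN_INCONSISTENT" if name_exists else "NXDOMAIN"
    return "ERROR:" + rc


def recv_exact(sock, n):
    """Read exactly n bytes from a TCP socket (DNS over TCP is length-prefixed)."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise OSError("connection closed")
        buf += chunk
    return buf


def probe(server, name, qtype, tcp=False, timeout=3.0):
    """Send one query directly to an authoritative server; None on timeout or refusal."""
    q = build_query(name, qtype)
    try:
        if tcp:
            with socket.create_connection((server, 53), timeout=timeout) as s:
                s.sendall(struct.pack("!H", len(q)) + q)
                (length,) = struct.unpack("!H", recv_exact(s, 2))
                data = recv_exact(s, length)
        else:
            with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
                s.settimeout(timeout)
                s.sendto(q, (server, 53))
                data, _ = s.recvfrom(4096)
    except OSError:                      # socket.timeout is an OSError subclass
        return None
    if len(data) < 12:
        return None
    resp = parse_response(data)
    return resp if resp["id"] == struct.unpack("!H", q[:2])[0] else None


def check_zone(servers, name, timeout=3.0):
    """Per server and transport: RCODE for A, verdict for AAAA and CAA."""
    report = {}
    for server in servers:
        for tcp in (False, True):
            a = probe(server, name, "A", tcp, timeout)
            row = {"A": a["rcode"] if a else "TIMEOUT"}
            for qt in ("AAAA", "CAA"):
                r = probe(server, name, qt, tcp, timeout)
                row[qt] = classify(a, r) if (a and r) else "TIMEOUT"
            report[(server, "tcp" if tcp else "udp")] = row
    return report


if __name__ == "__main__":
    # Offline demonstration with constructed replies (no network needed).
    q_a = build_query("host.example.com", "A", txid=0x1234)
    a_ok = parse_response(build_response(q_a, 0, [(1, bytes([192, 0, 2, 10]))]))
    q_aaaa = build_query("host.example.com", "AAAA", txid=0x1234)
    print(classify(a_ok, parse_response(build_response(q_aaaa, 3))))  # NXDOMAIN_INCONSISTENT
    print(classify(a_ok, parse_response(build_response(q_aaaa, 0))))  # NODATA
    # Live use (placeholder IPs): check_zone(["192.0.2.1", "192.0.2.2"], "host.example.com")
```

A server that only appears under "udp" rows and shows TIMEOUT under "tcp" is the "only responding to UDP requests" case; a row whose AAAA or CAA column reads NXDOMAIN_INCONSISTENT while A reads NOERROR is the non-compliant behaviour that the CA's validator rejects. The probe deliberately sends no EDNS or DNSSEC options so that it tests the bare minimum any authoritative server must handle.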

Thanks for the extra information; I will forward that to them to see what they say.

3 Likes