Is there a problem with the DNS servers?

MASTER DCV: 400 urn:ietf:params:acme:error:dns (There was a problem with a DNS query) (DNS problem: query timed out looking up A for ulsyart.com; DNS problem: query timed out looking up AAAA for ulsyart.com) 400 urn:ietf:params:acme:error:dns (There was a problem with a DNS query) (DNS problem: SERVFAIL looking up TXT for _acme-challenge.ulsyart.com - the domain's nameservers may be malfunctioning)

I'm getting this error. Is there a problem?

The error messages imply that there is a problem with the DNS servers hosting your domain. However, I can't seem to reproduce them when I try the same queries manually. So it may have been temporary. Are you still getting the errors?


Yes, I have been getting the same error for about 12 hours. There is no server-side problem. The DNS query is returning through the server. intoDNS: ulsyart.com - check DNS server and mail server health

I'm not sure about that. A dig +trace ulsyart.com from my AWS-based test server fails with:

ulsyart.com.            172800  IN      NS      ns1.hostyonel.com.
ulsyart.com.            172800  IN      NS      ns2.hostyonel.com.
(RRSIG / NSEC3 data omitted)
;; Received 667 bytes from 192.12.94.30#53(e.gtld-servers.net) in 1 ms

;; connection timed out; no servers could be reached

And unboundtest.com fails with a similar timeout. That uses a similar method to the Let's Encrypt servers. I believe that is also hosted on AWS, but a general AWS problem would probably be news :)


LetsDebug does confirm that the Unbound resolvers Let's Encrypt uses definitely do not like something about how your DNS server works.

Unfortunately, I can't say what that might be. dig seems to work just fine for the same queries:

>dig @ns2.hostyonel.com +norecurse ulsyart.com caa

; <<>> DiG 9.17.15 <<>> @ns2.hostyonel.com +norecurse ulsyart.com caa
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9176
;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;ulsyart.com.                   IN      CAA

;; AUTHORITY SECTION:
ulsyart.com.            86400   IN      SOA     ns1.hostyonel.com. info.hostyonel.com. 2022081554 3600 1800 1209600 86400

;; Query time: 201 msec
;; SERVER: 185.243.181.3#53(ns2.hostyonel.com) (UDP)
;; WHEN: Mon Aug 15 09:48:05 Pacific Daylight Time 2022
;; MSG SIZE  rcvd: 95

>dig @ns2.hostyonel.com +norecurse _acme-challenge.ulsyart.com txt

; <<>> DiG 9.17.15 <<>> @ns2.hostyonel.com +norecurse _acme-challenge.ulsyart.com txt
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52620
;; flags: qr aa; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;_acme-challenge.ulsyart.com.   IN      TXT

;; ANSWER SECTION:
_acme-challenge.ulsyart.com. 14400 IN   TXT     "_CGcO4f-s_AlWo73qsxI4zZZGe8OFMcs-6M8ZaxM2Dc"
_acme-challenge.ulsyart.com. 14400 IN   TXT     "gtAYaFx9gc8OCEHdawSuTMfUQqBK_byx7NFPzwiEMdQ"

;; Query time: 214 msec
;; SERVER: 185.243.181.3#53(ns2.hostyonel.com) (UDP)
;; WHEN: Mon Aug 15 09:49:18 Pacific Daylight Time 2022
;; MSG SIZE  rcvd: 168

Do you have a firewall blocking inbound DNS requests from some portion of the Internet? Also, why do you have two NS records ultimately pointing to the same IP?


FWIW, that request on my AWS test server gives:

dig @ns2.hostyonel.com +norecurse ulsyart.com caa

; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.amzn2.5.2 <<>> @ns2.hostyonel.com +norecurse ulsyart.com caa
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached

Definitely seems like there is something between the DNS server and the internet selectively allowing traffic.

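The checks run by hand in the replies above (query each authoritative server directly with +norecurse, from more than one vantage point, and compare transports) can be scripted. The script below is an added example and is not from the thread or from Let's Encrypt; it assumes `dig` from the BIND utilities is installed and takes the domain as its first argument. It sends each nameserver address the kind of query an iterative, validating resolver such as Unbound sends (RD=0, EDNS with a 1232-byte buffer, DNSSEC OK bit), plus TCP and no-EDNS variants, so a server that answers a plain `dig` from one network but times out for a CA's resolvers shows up as a per-address or per-transport failure rather than "DNS is fine". The 1232-byte buffer size is an assumption about the resolver's configuration, and Let's Encrypt validates from several network locations, so one vantage point passing is never proof.

```shell
#!/bin/sh
# Added example (not from the thread): probe every authoritative nameserver of
# a domain with resolver-style queries. Assumes `dig` is installed; the domain
# comes from $1. Record names below are the ones the thread queried.

# Classify a dig transcript. Output is one word:
#   timeout   - no answer at all (what Let's Encrypt reported for A/AAAA)
#   servfail  - server answered but failed (what it reported for the TXT)
#   refused / nxdomain
#   lame      - NOERROR but without the AA flag: not authoritative for the name
#   noerror   - NOERROR with AA set, the healthy case
#   other     - anything else, read it by hand
classify_dig_output() {
    case "$1" in
        *"connection timed out"*|*"no servers could be reached"*) echo timeout ;;
        *"status: SERVFAIL"*) echo servfail ;;
        *"status: REFUSED"*)  echo refused ;;
        *"status: NXDOMAIN"*) echo nxdomain ;;
        *"status: NOERROR"*)
            case "$1" in
                *"flags: qr aa"*) echo noerror ;;
                *)                echo lame ;;
            esac ;;
        *) echo other ;;
    esac
}

# One query: $1 label, $2 server address, $3 name, $4 type, rest = extra dig flags.
# +norecurse mirrors the RD=0 query a resolver sends to an authoritative server;
# +time/+tries keep a dead address from stalling the whole run.
probe_one() {
    label="$1"; server="$2"; name="$3"; qtype="$4"; shift 4
    out=$(dig "@$server" +norecurse +time=3 +tries=1 "$@" "$name" "$qtype" 2>&1)
    printf '%-16s %-10s %-32s %-5s %s\n' "$server" "$label" "$name" "$qtype" \
        "$(classify_dig_output "$out")"
}

# Walk every NS of the domain and every address (IPv4 and IPv6) of every NS.
# The NS set and addresses come from the local recursive resolver; if that is
# itself suspect, take them from a `dig +trace` as done in the thread.
probe_domain() {
    domain="$1"
    command -v dig >/dev/null 2>&1 || { echo "dig not found" >&2; return 1; }
    for ns in $(dig +short NS "$domain"); do
        for ip in $(dig +short A "$ns") $(dig +short AAAA "$ns"); do
            echo "== $ns ($ip)"
            probe_one udp        "$ip" "$domain" A
            probe_one udp        "$ip" "$domain" AAAA
            probe_one udp        "$ip" "$domain" CAA
            probe_one udp        "$ip" "_acme-challenge.$domain" TXT
            probe_one udp+dnssec "$ip" "_acme-challenge.$domain" TXT +dnssec +bufsize=1232
            probe_one noedns     "$ip" "_acme-challenge.$domain" TXT +noedns
            probe_one tcp        "$ip" "_acme-challenge.$domain" TXT +tcp
        done
    done
}

# Usage: sh probe_ns.sh example.com
if [ $# -gt 0 ]; then
    probe_domain "$1"
fi
```

Read the table column by column: a `timeout` only on the IPv6 address, only for `tcp`, or only for `udp+dnssec` points at a firewall or middlebox in front of the server rather than at the zone data, while `lame` on one address means that server is not actually serving the zone. Run it from two networks (for example a home connection and a cloud instance, as the replies did) and diff the output; the rows that differ are the ones to show the DNS host.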


The problem has changed and it looks like this.

When did your authoritative DNS servers change?

ulsyart.com     nameserver = dexter.ns.cloudflare.com
ulsyart.com     nameserver = stella.ns.cloudflare.com

When the problem was not resolved, I activated SSL via Cloudflare.

