Query timed out looking up A, but resolved by other DNS

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: clases.canariaseducacion.org

I ran this command: Let's Debug

It produced this output: DNS problem: query timed out looking up A for clases.canariaseducacion.org

My web server is (include version): nginx 1.18

The operating system my web server runs on is (include version): RHEL 8

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.14.0

If I try to resolve 'clases.canariaseducacion.org' it works without problems. Tried with other tools and it works without errors:

Any idea?

I similarly don't see any problems, using DNSViz as well as dig +trace from my own server. Hmm…

Have you actually tried issuing a certificate (using --dry-run or equivalent to try the staging server) and are getting the same problem?

Is there any kind of firewall in front of your DNS servers, seti.gobiernodecanarias.org & acatife.gobiernodecanarias.org, that might lead to them blocking queries from certain regions or IP ranges?

Yes, we tried using —dry-run and with manual option, but we had the same problem.

We have a firewall, but all the queries from sites like https://dnschecker.org/ are working ok. We’ll contact the security team to see if there are any problems there.

Thanks Peter!

Hi Peter,

The security team found the outbound2.letsencrypt.org ip address ( inside a list of 'malicious ips' that they use. They comment that it comes from ThreatRadar.

I've suggested that the ip from outbound2.letsencrypt.org should be allowed too.

Still not solved but getting to it, I hope.

Thanks again Peter.

Well, yeah, if you don't let the requests from Let's Encrypt's servers get to your DNS server then it won't work. :slight_smile:

The core idea here is that in order to verify that you own a name, you need to prove you own it as seen from everywhere on the Internet. So they check, from several places on the Internet, what your DNS resolves to (and for the typical case of using HTTP-01 challenges, also whether they can get to your actual server). So you need to have your system visible from everywhere in order to get a certificate.

For some people, it's easier to do DNS-01 challenges instead (if you can automate updating your DNS) since their security folks feel better about allowing "anybody" access DNS than they do about letting "anybody" access their web server. But even if you go that way, you can't block traffic to your DNS server or you won't get your certificate.

Some people, who really like firewalling off traffic that they're not expecting, go so far as to automate firewall update rules, so that the firewall allows all traffic to come in while they're doing the challenges for a certificate issuance or renewal, and then puts the firewall back to being more restrictive again afterward. That's not usually an easy approach, though.

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.