A list of puns related to "Dns Root"
I have written up a webmasters question for this, but to summarise...
How can I manipulate the DNS records I have on my website managed in godaddy to make the www. part of the URL work?
I'm stumped at what to change and plus I don't want to cause any more down time on the site. Any help would be appreciated.
My WordPress site is hosted on Kinsta if that helps, even though I think that this is more of a GoDaddy issue that I'm not too comfortable with.
See Question for more details. Thanks for taking a look.
Seeing unavailability on lots of sites or intermittent access; from our research it looks like a DNS error - for example:
;; Got SERVFAIL reply from 192.168.3.253, trying next server
Server: 8.8.8.8
Address: 8.8.8.8#53
** server can't find pge.com: SERVFAIL
Downdetector.com is showing big spikes.
EDIT: GoToConnect says "3rd party dependencies", so it may indeed be CDN, but that odd DNS response is throwing me.
EDIT 2: AKAMAI was issue; they seem to have resolved, and services are returning to normal.
Hello,
I figured I would reach out to some networking gurus as this is a little above my head. We have been getting spammed with port 53 DNS requests from 192.5.5.241, which is an Internet Systems Consortium F-ROOT server.
Our firewall is dropping the traffic, but it's borderline like a DoS attack. I am kind of at a loss on where to go from here.
Thanks in advance.
[EDIT] Thanks for all the responses.
This morning my users were seeing slow browsing. My initial thought was that it was my Defender ATP filtering that somehow was having issues, so I began testing.
On my client machine I manually changed the DNS server to point to Google DNS instead of our internal DNS server, and browsing speed was restored. (My EdgeRouter also uses Google DNS.)
With that test I figured it must be something to do with my internal DNS server, because my EdgeRouter uses Google DNS as well, so setting it manually on my client machine only meant bypassing AD DNS. However, I couldn't find a reason why the internal DNS would cause this slowdown. I could, however, see that I was getting DNS errors looking up DNS to Defender ATP (my DNS server has the Defender ATP sensor installed as well).
I kept scratching my head for a while; doing nslookup on external domains would give me timeouts (except microsoft.com and google.com, which would resolve fine).
Internal lookup was working flawlessly.
For good measure I rebooted both my DCs, which are running the DNS service. (This didn't help; the issue kept persisting.)
After 4 hours of troubleshooting the issue resolved itself, but I'm sitting here still wondering what the hell the issue was. Was it simply Microsoft ATP that was having issues and preventing DNS lookups?
But when I do an external nslookup from a client machine against the domain DNS, I would not assume the Defender ATP client would interfere with that traffic?
I opened tickets with Cloudflare's and Google's DNS teams; however, it's a public ticketing system so no idea when I'll hear back. I have 2 zones: one's working totally fine, one's not working on Google DNS and Cloudflare (and a local ISP), but works fine on OpenDNS and another local ISP's DNS servers. What are things I can check for that might help me figure out why some DNS resolvers are basically ignoring my entire zone?
edit: problem ended up being DNSSEC; it was expired
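The failure mode in the post above (validating resolvers such as Google and Cloudflare return SERVFAIL while non-validating ones answer) is what an expired RRSIG looks like from the outside. The following is an added example, not code from the original post: it parses RRSIG records out of `dig +dnssec` output and reports whether each signature's validity window covers a given time, so the check can run as a cron job before the zone lapses. The three lines in `SAMPLE_DIG_OUTPUT` are constructed sample data in dig's presentation format; the owner name, key tags and base64 signature fields are placeholders, not real signatures.

```python
# Added example (not from the original post): parse RRSIG records from
# `dig +dnssec` output and report whether each signature's validity window
# covers a given time.  SAMPLE_DIG_OUTPUT is constructed sample data; the
# signature fields are placeholders, not real signatures.
from datetime import datetime, timedelta, timezone

SAMPLE_DIG_OUTPUT = """\
example.net.  3600  IN  A     192.0.2.10
example.net.  3600  IN  RRSIG A 13 2 3600 20230301000000 20230201000000 34567 example.net. cG9zdGVkLXNpZ25hdHVyZQ==
example.net.  3600  IN  RRSIG A 13 2 3600 20230401000000 20230215000000 34568 example.net. c2Vjb25kLXNpZ25hdHVyZQ==
"""


def parse_timestamp(s):
    """RFC 4034 presentation format YYYYMMDDHHmmSS, always UTC."""
    return datetime.strptime(s, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def parse_rrsigs(dig_output):
    """Extract RRSIG records.  Field order after 'RRSIG' (RFC 4034 s.3.2):
    type covered, algorithm, labels, original TTL, expiration, inception,
    key tag, signer name, signature."""
    sigs = []
    for line in dig_output.splitlines():
        f = line.split()
        if len(f) < 13 or f[3] != "RRSIG":
            continue
        sigs.append({
            "owner": f[0], "type_covered": f[4], "algorithm": int(f[5]),
            "expiration": parse_timestamp(f[8]), "inception": parse_timestamp(f[9]),
            "key_tag": int(f[10]), "signer": f[11],
        })
    return sigs


def signature_state(sig, now):
    """Validators accept a signature only while inception <= now <= expiration."""
    if now < sig["inception"]:
        return "not yet valid"
    if now > sig["expiration"]:
        return "expired"
    return "valid"


def rrset_verifiable(sigs, now):
    """An RRset verifies if at least one signature is inside its window (and,
    which this offline check cannot see, was made by a key the chain of trust
    reaches).  No usable signature means validating resolvers SERVFAIL."""
    return any(signature_state(s, now) == "valid" for s in sigs)


def expiring_within(sigs, now, window=timedelta(days=3)):
    """Key tags of signatures valid now but expiring within `window`: the
    monitoring alert that should fire before a zone ends up like the post's."""
    return [s["key_tag"] for s in sigs
            if signature_state(s, now) == "valid" and s["expiration"] - now <= window]


def report(dig_output=SAMPLE_DIG_OUTPUT, now=None):
    now = now or datetime.now(timezone.utc)
    sigs = parse_rrsigs(dig_output)
    return {
        "states": {s["key_tag"]: signature_state(s, now) for s in sigs},
        "verifiable": rrset_verifiable(sigs, now),
        "expiring_soon": expiring_within(sigs, now),
    }


if __name__ == "__main__":
    print(report(now=parse_timestamp("20230315000000")))
```

To feed it real data, pipe in `dig +dnssec A yourzone.example @ns1.yourzone.example`. A quick way to confirm that DNSSEC validation (rather than the zone data) is what a public resolver rejects: `dig @8.8.8.8 yourzone.example` returning SERVFAIL while `dig +cd @8.8.8.8 yourzone.example` (checking disabled) returns the records.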
I couldn't find an answer to this one. Netgate says in the pfSense docs that the resolver (Unbound) that is installed and enabled by default ignores any recursive name servers set and instead queries the root servers directly, unless configured otherwise (https://docs.netgate.com/pfsense/en/latest/services/dns/resolver.html). So I was thinking, from a privacy point of view, why have an intermediate and send them all your browsing history? Cloudflare implements, for example, DNS over TLS, DNS over HTTPS and even encryption of SNI (so "your ISP can't really see the names you are querying"). But ISPs can see the IPs you are accessing and, therefore, can trace the IPs back to their corresponding names. It looks like a bogus sense of privacy only to convince the users to send them their DNS requests. Besides, running it locally could bypass censorship on the DNS level (yes, it happens sometimes in my country, very "democratic") and the local cache could not only speed things up but also really improve privacy by reducing the number of queries sent through WAN (and, obviously, excluding intermediates). Idk, maybe I am misunderstanding the functionality of the DNS stack. Am I missing something? Could someone help elaborate? Thanks!
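One thing the post above does not account for: a resolver that recurses from the root hints still shows query names to the root and TLD operators, unless it uses QNAME minimisation (RFC 9156), which sends each level only one label more than the zone it is authoritative for; and a warm delegation cache removes the upper levels from the exchange entirely. The model below is an added example, not code from the post, pfSense or Unbound. It assumes one zone cut per label (real delegations do not always follow that) and models only the delegation cache, not cached answers.

```python
# Added example (not from the post, pfSense or Unbound): a simplified model
# of which names each authoritative level learns when a resolver recurses
# from the root hints, with and without QNAME minimisation (RFC 9156), and
# how cached delegations remove upper levels from the exchange.
# Assumption: one zone cut per label.

def _labels(name):
    return [l for l in name.rstrip(".").split(".") if l]


def queries_seen(name, minimise, cached_ns=frozenset()):
    """Return [(zone_asked, qname_sent), ...] from the root downwards.

    A level is skipped when the nameservers of the child zone are already
    cached.  With minimisation the resolver sends one label more than the
    zone it asks; without it, every level (the root included) gets the
    full name."""
    ls = _labels(name)
    full = ".".join(ls) + "."
    seen = []
    for depth in range(len(ls)):
        zone = (".".join(ls[len(ls) - depth:]) + ".") if depth else "."
        child = ".".join(ls[len(ls) - depth - 1:]) + "."
        if child in cached_ns and child != full:
            continue  # delegation already known; no upstream query needed
        seen.append((zone, child if minimise else full))
    return seen


def intermediaries_learning_full_name(name, minimise, cached_ns=frozenset()):
    """Zones other than the final authoritative one that receive the full qname."""
    full = ".".join(_labels(name)) + "."
    q = queries_seen(name, minimise, cached_ns)
    return [zone for zone, sent in q[:-1] if sent == full]


if __name__ == "__main__":
    for mode in (False, True):
        print("minimise=%s" % mode)
        for zone, sent in queries_seen("www.example.co.uk", mode):
            print("  ask %-16s for %s" % (zone, sent))
    print("warm cache:", queries_seen("mail.example.co.uk", True,
                                      cached_ns={"uk.", "co.uk.", "example.co.uk."}))
```

Whichever way the resolver is configured, the final authoritative server sees the full name and the ISP sees the destination IPs, as the post says; what changes is how much the root, TLD and any forwarder learn along the way.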
I recently noticed a bunch of DNS requests hitting my WAN IP (where I don't run a DNS server). They're sustained, from a fairly small set of source IPs. The queries are weird: the "Question" is for <Root> (a single 00 byte), and they have an "Additional record" of type OPT, also with name <Root>. Is this part of an attack against some recent CVE? Is it worth reporting these sorts of things to the abuse contact in WHOIS for the IP?
22:30:06.406020 IP (tos 0x0, ttl 240, id 43779, offset 0, flags [none], proto UDP (17), length 56)
169.55.119.4.43136 > xxx.xxx.xxx.xxx.53: [udp sum ok] 22510+ [1au] A? . ar: . OPT UDPsize=1280 (28)
22:30:12.415737 IP (tos 0x0, ttl 240, id 43789, offset 0, flags [none], proto UDP (17), length 56)
169.55.119.4.35237 > xxx.xxx.xxx.xxx.53: [udp sum ok] 12216+ [1au] A? . ar: . OPT UDPsize=1280 (28)
22:30:23.110057 IP (tos 0x0, ttl 240, id 15394, offset 0, flags [none], proto UDP (17), length 56)
198.23.119.36.2532 > xxx.xxx.xxx.xxx.53: [udp sum ok] 37476+ [1au] A? . ar: . OPT UDPsize=1280 (28)
22:30:29.129976 IP (tos 0x0, ttl 240, id 15402, offset 0, flags [none], proto UDP (17), length 56)
198.23.119.36.45860 > xxx.xxx.xxx.xxx.53: [udp sum ok] 31860+ [1au] A? . ar: . OPT UDPsize=1280 (28)
22:30:35.139692 IP (tos 0x0, ttl 240, id 15410, offset 0, flags [none], proto UDP (17), length 56)
198.23.119.36.16678 > xxx.xxx.xxx.xxx.53: [udp sum ok] 13519+ [1au] A? . ar: . OPT UDPsize=1280 (28)
22:30:45.435683 IP (tos 0x0, ttl 240, id 43833, offset 0, flags [none], proto UDP (17), length 56)
169.55.119.4.44565 > xxx.xxx.xxx.xxx.53: [udp sum ok] 14516+ [1au] A? . ar: . OPT UDPsize=1280 (28)
In case anyone is curious here's a redacted (--) hexdump of one of the packets:
-- -- -- -- -- -- -- -- -- -- -- -- 08 00 45 00
00 38 a8 81 00 00 f0 11 12 df a9 37 77 04 -- --
-- -- 40 cd 00 35 00 24 59 f9 4d 2b 01 00 00 01
00 00 00 00 00 01 00 00 01 00 01 00 00 29 05 00
00 00 00 00 00 00
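The hexdump above is complete enough to decode. The following is an added example, not code from the original post: a small DNS wire-format decoder that strips the Ethernet, IPv4 and UDP headers and parses the 28-byte DNS message, including the EDNS0 OPT pseudo-record (RFC 6891). The redacted bytes (`--`, the MAC addresses and the destination IP) are substituted with `00` in the embedded copy; they sit before the UDP payload and do not affect the DNS decoding. The same `is_response` flag (the QR bit) is the first thing to check for the earlier post about port 53 traffic from an F-root address: queries aimed at you and responses to queries someone else sent with your address spoofed as the source look alike in a firewall log but differ in that bit.

```python
# Added example (not from the original post): decode the DNS message inside
# the posted hexdump.  Redacted bytes ("--") are replaced with 00; they lie
# before the UDP payload, so the DNS decoding is unaffected.
import struct

CAPTURED_FRAME_HEX = """
00 00 00 00 00 00 00 00 00 00 00 00 08 00 45 00
00 38 a8 81 00 00 f0 11 12 df a9 37 77 04 00 00
00 00 40 cd 00 35 00 24 59 f9 4d 2b 01 00 00 01
00 00 00 00 00 01 00 00 01 00 01 00 00 29 05 00
00 00 00 00 00 00
"""

RR_TYPES = {1: "A", 2: "NS", 5: "CNAME", 6: "SOA", 12: "PTR", 15: "MX",
            16: "TXT", 28: "AAAA", 41: "OPT", 255: "ANY"}


def strip_headers(frame):
    """Drop Ethernet (14 bytes), IPv4 (IHL*4 bytes) and UDP (8 bytes) headers."""
    ip_off = 14
    ihl = (frame[ip_off] & 0x0F) * 4
    if frame[ip_off + 9] != 17:
        raise ValueError("not UDP")
    udp_off = ip_off + ihl
    src_port, dst_port, udp_len = struct.unpack("!HHH", frame[udp_off:udp_off + 6])
    return src_port, dst_port, frame[udp_off + 8:udp_off + udp_len]


def read_name(msg, off, hops=0):
    """Read an RFC 1035 name; returns (name, offset after it).  Compression
    pointers are followed a bounded number of times so a looping pointer in a
    hostile packet cannot hang the parser."""
    labels = []
    end = None
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:
            if hops > 8:
                raise ValueError("compression pointer loop")
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            hops += 1
            continue
        off += 1
        if n == 0:
            break
        labels.append(msg[off:off + n].decode("ascii", "replace"))
        off += n
    return ".".join(labels) + ".", (end if end is not None else off)


def parse_dns(msg):
    """Decode header, questions and all resource records.  For the OPT
    pseudo-record (type 41) the CLASS field is the advertised UDP payload
    size and the TTL field carries extended RCODE, EDNS version and DO bit."""
    tid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    out = {"id": tid, "is_response": bool(flags & 0x8000),
           "opcode": (flags >> 11) & 0xF, "rd": bool(flags & 0x0100),
           "rcode": flags & 0xF, "questions": [], "records": []}
    off = 12
    for _ in range(qd):
        name, off = read_name(msg, off)
        qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        out["questions"].append((name, RR_TYPES.get(qtype, str(qtype)), qclass))
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            name, off = read_name(msg, off)
            rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            rr = {"section": section, "name": name,
                  "type": RR_TYPES.get(rtype, str(rtype)), "rdlen": rdlen}
            if rtype == 41:
                rr.update(udp_payload_size=rclass, ext_rcode=ttl >> 24,
                          edns_version=(ttl >> 16) & 0xFF, do=bool(ttl & 0x8000))
            out["records"].append(rr)
            off += rdlen
    return out


def describe_frame(frame_hex=CAPTURED_FRAME_HEX):
    frame = bytes.fromhex("".join(frame_hex.split()))
    src_port, dst_port, payload = strip_headers(frame)
    info = parse_dns(payload)
    info.update(src_port=src_port, dst_port=dst_port, payload_len=len(payload))
    return info


if __name__ == "__main__":
    d = describe_frame()
    kind = "response" if d["is_response"] else "query"
    print(kind, "id=%d rd=%s" % (d["id"], d["rd"]), d["questions"], d["records"])
```

Decoded, the packet is a plain recursion-desired query (QR=0, RD=1) for the root name, type A, class IN, carrying an OPT record that advertises a 1280-byte UDP payload and no DO bit, which matches tcpdump's `A? . ar: . OPT UDPsize=1280`. There is nothing malformed in it; it is the minimal well-formed query that elicits an answer from any resolver willing to recurse, which is why the QR bit and the destination port are the right fields to log before deciding whether something is probing you or reflecting off you.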
I have not been able to find any information on doing such a thing, not on this website or the web itself (I suppose because it is considered pointless). So I will be the first to ask: does anyone with good experience in BIND know if it is possible to set up BIND as a root DNS, and how to change the local recursive server's root hints file (not making a new one, which would prevent access to the official roots) to include this new root, which could delegate local TLDs? And yes, I know I could just set up the recursive server to handle local domains, but I can't help but feel that this is possible, and I have a few computers collecting dust that could be doing something. This will be a simple activity for learning's sake, so what is practical and what is not can be ignored. I appreciate any help you can provide.
Hi DNS Experts,
Error: a problem occurred while trying to add the conditional forwarder. The operation requested is not permitted on a DNS root server.
We have "com" zone and under that Microsoft delegation but now trying to create logins.microsoft.com conditional forwarder but getting the above error.
Our internal DNS forwards to the DMZ DNS for external name resolution, but we are trying to set up direct access.
Do I have to create a stub zone with that name?
Hi.
I have set up my own recursive DNS servers. All works fine, but I still have concerns about privacy. On what port are my servers connecting to the root hint servers? The usual unencrypted 53? Do they log queries?
Hey guys, I've been noticing a slowdown in name resolution on my home network, and when checking the query log in AdGuard I see tons of requests that are timing out from dns.local.hass.io to root-servers.net with a TTL of around 500,000ms. Are these requests normal, and if so what can I do to get them to move a little faster?
I'm rooted on Android 11 (December patch), using Pixel 4XL.
DNS filtering doesn't work when in auto proxy mode. I can select the DNS server and turn on filtering, but the selected DNS server isn't used, nor is there any kind of filtering. My wifi provider is used instead; it's the same on mobile data.
DNS filtering works on VPN mode.
Can anyone tell me why? Is there a setting I need to check?
Thank you and God Bless.
I have a handful of Docker containers that connect out to the internet to look for updates, and unfortunately it appears that if the container is running under a non-root account, DNS fails. But if the container is run under root, DNS works. For example I have a Nextcloud container which for the most part is fine with DNS not working (with the exception of reaching the DB server, but I'm using IPs for that) but it fails to check for updates to addons. I ran a "docker exec -it nextcloud /bin/bash", which connects as root, and have no problem issuing a "curl www.google.com" or any other site. But if I connect as "docker exec -it -u www-data nextcloud /bin/bash", DNS completely fails. I THINK it has something to do with rights to the /etc/resolv.conf file within the container, as only root has read access. Would this be an issue with the image, my Docker config, or possibly even my filesystem? I do have my config file stored as a bind mount and not a Docker volume, but I allowed the container to create the folder upon creation.
Weird DNS issue. Our BIND 9 server is pointed to the root hints. We tried to resolve zoom.us and get a timeout. Tried to resolve google.com and it resolves. So instead of using the root hints, we changed it to 8.8.8.8 and are able to resolve zoom.us.
Anyone else seeing this?
My current Pihole setup with redundancy:
Raspberry 3b+: Pihole DNS #1
Raspberry 3b: Pihole DNS #2
Stubby is set up on both the RPis with DoT using Quad9 DNS 9.9.9.9 on Pi-hole #1 and 149.112.112.112 on Pi-hole #2.
Benefits of DOT with Quad9:
I know DOT doesn't provide any security or privacy as the ISP can still see the plaintext SNI.
Lately, I have been reading a lot of comments on reddit about Unbound DNS.
If I switch to Unbound with Root Name servers, then I will lose the two benefits that I am getting with DOT using Quad9.
Shall I switch to Unbound DNS or stick with DOT using Quad9?
Cheers
Akl
Hey guys, I've got a couple of DNS-related questions for you all.
When you're hosting multiple authoritative name servers for your enterprise - perhaps in primary/backup or active/active data centers - would you typically anycast them to one logical IP address? Or can you register your domain as having multiple authoritative servers?
If you can have multiple authoritative servers, how does the TLD server decide which one to route requests to? Are there assigned levels of priority? Is it round robin? Are there any health checks involved?
Typically on your corporate DNS servers would they query all the root-level DNS servers directly, or do they need to route through your ISP's DNS servers / public DNS servers such as 8.8.8.8.
Sorry if these are stupid questions, I'm just trying to understand a bit more about how DNS is configured both on the enterprise side as well as the TLD & root sides. I've searched online and I can't seem to find any answers to this question beyond just the basics of DNS.
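On the second question above: the TLD server does not route anything. A domain is registered with several NS records, the TLD returns the whole set in its referral, and it is the recursive resolver that picks which one to ask, normally preferring the server with the lowest measured round-trip time and moving to another after a timeout. The model below is an added example, not from the post and not the algorithm of any particular resolver: it keeps a smoothed RTT per server, charges a large penalty for a timeout so a dead data centre stops receiving queries, and lets that penalty decay so the server is re-tried once it may have recovered. The penalty, smoothing weight and decay factor are assumptions chosen for illustration.

```python
# Added example (not from the post or any specific resolver): illustrative
# resolver-side selection among the NS records returned in a referral.
# Penalty, smoothing and decay constants are assumptions.

class NameServerSelector:
    TIMEOUT_PENALTY_MS = 5000.0   # assumed RTT charged for a timed-out query
    SMOOTHING = 0.3               # assumed weight of the newest sample
    DECAY = 0.9                   # assumed per-round decay for servers not queried

    def __init__(self, servers):
        # None = never tried; untried servers are probed first, in NS-set order
        self.srtt = {s: None for s in servers}

    def choose(self):
        untried = [s for s, r in self.srtt.items() if r is None]
        if untried:
            return untried[0]
        return min(self.srtt, key=self.srtt.get)

    def record(self, server, rtt_ms):
        """Fold one measurement in; rtt_ms=None means the query timed out."""
        sample = self.TIMEOUT_PENALTY_MS if rtt_ms is None else float(rtt_ms)
        prev = self.srtt[server]
        self.srtt[server] = (sample if prev is None
                             else (1 - self.SMOOTHING) * prev + self.SMOOTHING * sample)
        # decay the others so a penalised server is eventually retried
        for other in self.srtt:
            if other != server and self.srtt[other] is not None:
                self.srtt[other] *= self.DECAY


def simulate(servers, rtt_by_round):
    """rtt_by_round: one dict per round, server -> rtt_ms or None (timeout).
    Returns the server chosen in each round."""
    sel = NameServerSelector(servers)
    chosen = []
    for outcomes in rtt_by_round:
        s = sel.choose()
        sel.record(s, outcomes[s])
        chosen.append(s)
    return chosen


def failover_scenario(rounds=40):
    """Constructed scenario: ns1 answers in 50 ms for three rounds and then
    goes dark; ns2 answers in 80 ms throughout."""
    servers = ["ns1.example.", "ns2.example."]
    rtt_by_round = [{"ns1.example.": 50 if r < 3 else None, "ns2.example.": 80}
                    for r in range(rounds)]
    return simulate(servers, rtt_by_round)


if __name__ == "__main__":
    for i, s in enumerate(failover_scenario()):
        print(i, s)
```

The scenario shows the behaviour the post asks about: traffic follows the faster server while both are healthy, shifts entirely to the survivor after a single timeout, and the dead server gets one probe query some thirty rounds later rather than a steady share of client traffic. Health checking in the sense of an active probe is therefore the resolver's passive measurement, not anything the TLD does; an anycast address in front of both data centres is the way to make that failover independent of every resolver's own timers.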
I followed https://docs.pi-hole.net/guides/unbound/ and all domains seem to resolve properly except those domains with a load-balanced CNAME. The dig command returns the CNAME but no A record. This only happens when using root hints instead of forwarding to 1.1.1.1 etc. Any insight?
I created a static site with Hugo and hosted it on GitLab, in a repository called (for example) "example.gitlab.io", which can be reached (again for example) at the address "https://example.gitlab.io".
I own a domain that has been assigned to me by tophost.it, say example.it
As explained in this document, and in particular in this paragraph (*), I created 4 DNS records:
@                                    A      35.185.44.232
www                                  CNAME  example.gitlab.io
_gitlab-pages-verification-code      TXT    gitlab-pages-verification-code = ...
_gitlab-pages-verification-code.www  TXT    gitlab-pages-verification-code = ...
In my GitLab control panel, Settings/General/Visibility/Pages is set to "Everyone".
If I type example.it in any browser, my site hosted on GitLab opens normally; if instead I type www.example.it, I get the following error message:
> 401
> You don't have permission to access the resource.
> The resource that you are attempting to access is protected and you don't have the necessary permissions to view it.
What's the mistake? How do I correct it? Can those who have a site hosted on GitLab explain to me how they set their DNS to connect their custom domain with and without "www"?
(*): ... There are a few cases where you need to point both the subdomain and the root domain to the same website, for instance, example.com and www.example.com. ...
EDIT: QUESTION ANSWERED, got Adguard.
Changing DNS requires VPN.
Blocking internet access to apps requires VPN.
I've found apps that do either one of these, but not both. Which means I can only use the VPN on my phone for one thing at a time rather than both.