I've got pi-hole installed locally on my LAN and it forwards its uncached requests to a local unbound instance, listening on 127.0.0.1:5353. I recently discovered that the FQDN www.heroesonline.com was unresolvable. After hitting my unbound instance directly, I found it to be the culprit. As near as I can tell, the hosts listed in its NS records simply answer with an empty reply. I don't know how better to describe it than "empty", but I'm hoping the attached debugging I have sheds some light on it.

If I hit the nameservers for the domain directly, I get what appears to be an empty reply. If I hit up google dns at 8.8.8.8, I get a valid reply. If I hit up localhost at 127.0.0.1:5353 I get a timeout, and the unbound logs appear to show unbound retrying after numerous empty replies from the NS servers for that domain. I've:

1) turned up the verbosity on unbound
2) requested a valid domain that works (cnn.com), and copied out the log
3) requested the failing domain, and copied out the log
4) ran some host and dig commands to emulate to the best of my ability how this would function, i.e. hit a root server, hit a .com server, hit the servers for heroesonline.com.

My best guess is that the DNS servers for the domain (ns*.kpmedia.org) are configured to only respond to major ISP DNS servers? Is that a thing these days? I can't imagine what else a complete lack of an answer would dictate. Thankfully I just hopped on LTE to get to the website to do what I needed to, I need my local mini-con tickets ;-). But I'm curious why this would be this way. I'm wondering if maybe they're blocking requests from un-authoritative nameservers or something? Below you'll see my dig attempts.

I uploaded the listed files to pastebin:

unbound config files:
https://pastebin.com/fRYKKrQB /etc/unbound/unbound.conf
https://pastebin.com/0JMCXeAW /etc/unbound/unbound.conf.d/pi-hole.conf
https://pastebin.com/08gQF4mj /etc/unbound/unbound.conf.d/qname-minimisation.conf
https://pastebin.com/6eNNhcT8 /etc/unbound/unbound.conf.d/root-auto-trust-anchor-file.conf

# logfile for a working domain (www.cnn.com)
https://pastebin.com/c5auFtfM unbound.log.cnn.com.txt

# logfile for the failing domain (www.heroesonline.com)
https://pastebin.com/FGrDXwEk unbound.log.heroesonline.com.txt

# dig directly against google all looks good
root@stretch:~# dig www.heroesonline.com @8.8.8.8

; <<>> DiG 9.10.3-P4-Debian <<>> www.heroesonline.com @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49963
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;www.heroesonline.com. IN A

;; ANSWER SECTION:
www.heroesonline.com. 7 IN A 162.213.254.70

;; Query time: 19 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Tue Apr 30 16:57:12 EDT 2019
;; MSG SIZE rcvd: 65

# dig directly against my local unbound instance, times out. I'm assuming that unbound does the same as what my next step does ultimately, hits up nameservers for heroesonline.com to find out the A record for www.heroesonline.com.
# I'd also assumed that since unbound timed out back to me, that it retries (from what I'm reading in the logs) and eventually just returns me nothing since it gets empty answers from ns*.kpmedia.org
root@stretch:~# dig www.heroesonline.com @127.0.0.1 -p 5353

; <<>> DiG 9.10.3-P4-Debian <<>> www.heroesonline.com @127.0.0.1 -p 5353
;; global options: +cmd
;; connection timed out; no servers could be reached

# dig directly against the nameservers for heroesonline.com, gets me an empty answer if I'm reading it right
root@stretch:~# host -t NS heroesonline.com 8.8.8.8
Using domain server:
Name: 8.8.8.8
Address: 8.8.8.8#53
Aliases:

heroesonline.com name server ns21.kpmedia.org.
heroesonline.com name server ns19.kpmedia.org.
heroesonline.com name server ns20.kpmedia.org.

root@stretch:~# host ns21.kpmedia.org. 8.8.8.8
Using domain server:
Name: 8.8.8.8
Address: 8.8.8.8#53
Aliases:

ns21.kpmedia.org has address 37.61.235.107

root@stretch:~# dig www.heroesonline.com @37.61.235.107

; <<>> DiG 9.10.3-P4-Debian <<>> www.heroesonline.com @37.61.235.107
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 8231
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.heroesonline.com. IN A

;; Query time: 104 msec
;; SERVER: 37.61.235.107#53(37.61.235.107)
;; WHEN: Tue Apr 30 16:58:40 EDT 2019
;; MSG SIZE rcvd: 49
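Added example, not code from the original post: a small decoder for the fixed 12-byte DNS header that labels a reply by its RCODE and section counts, so a reply that dig prints as "status: REFUSED ... ANSWER: 0" (like the one from 37.61.235.107 above) is reported as a refusal rather than as an empty answer. The sample messages are constructed here from the header fields shown in the dig output; the answer record bytes of the 8.8.8.8 reply are not reproduced, only its header counts.

```python
import struct

# RCODE names from the IANA DNS parameters registry (RFC 1035 / RFC 6895)
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}

def parse_header(msg: bytes) -> dict:
    """Decode the 12-byte DNS header: id, flag bits, RCODE and section counts."""
    if len(msg) < 12:
        raise ValueError("shorter than a DNS header")
    ident, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    return {"id": ident, "qr": bool(flags & 0x8000), "aa": bool(flags & 0x0400),
            "rd": bool(flags & 0x0100), "ra": bool(flags & 0x0080),
            "rcode": RCODES.get(flags & 0xF, str(flags & 0xF)),
            "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}

def classify(msg: bytes) -> str:
    """Label a reply the way a resolver sees it, not just by its answer count."""
    h = parse_header(msg)
    if not h["qr"]:
        return "NOT-A-RESPONSE"
    if h["rcode"] != "NOERROR":
        return h["rcode"]                 # REFUSED, SERVFAIL, NXDOMAIN, ...
    if h["ancount"] > 0:
        return "ANSWER"
    if h["nscount"] > 0 and not h["aa"]:
        return "REFERRAL"                 # delegation to other nameservers
    return "NODATA"                       # the genuinely empty NOERROR reply

def encode_name(name: str) -> bytes:
    """Wire-format a domain name as length-prefixed labels plus root."""
    return b"".join(bytes([len(l)]) + l.encode("ascii")
                    for l in name.rstrip(".").split(".")) + b"\x00"

def build_reply(ident: int, flags: int, qname: str, ancount: int = 0,
                nscount: int = 0, edns: bool = True) -> bytes:
    """Constructed reply: header + A/IN question + optional EDNS0 OPT RR."""
    msg = struct.pack("!6H", ident, flags, 1, ancount, nscount, 1 if edns else 0)
    msg += encode_name(qname) + struct.pack("!HH", 1, 1)       # QTYPE A, QCLASS IN
    if edns:
        msg += b"\x00" + struct.pack("!HHIH", 41, 4096, 0, 0)  # OPT, udp size 4096
    return msg

# Constructed from the header dig printed for 37.61.235.107: id 8231,
# flags qr rd (0x8100), status REFUSED (rcode 5), one OPT record -> 49 bytes.
REFUSED_REPLY = build_reply(8231, 0x8100 | 5, "www.heroesonline.com")
# Constructed from the 8.8.8.8 header only: id 49963, flags qr rd ra, ANSWER: 1
# (the A record bytes themselves are not included here).
ANSWER_HEADER = build_reply(49963, 0x8180, "www.heroesonline.com", ancount=1)

if __name__ == "__main__":
    for label, m in (("ns21.kpmedia.org", REFUSED_REPLY), ("8.8.8.8", ANSWER_HEADER)):
        print(f"{label}: {len(m)} bytes -> {classify(m)}")
```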
