Help about TLD not working

Hi,

I would like help to understand/troubleshoot a failure to resolve the site www.nfs-e.net.

Local unbound seems correct:

unbound:~$ dig www.netflix.com @127.0.0.1 +short

www.dradis.netflix.com.
www.us-east-1.internal.dradis.netflix.com.
dualstack.apiproxy-website-nlb-prod-2-22bf9dee8ebc92ff.elb.us-east-1.amazonaws.com.
54.237.226.164
3.230.129.93
52.3.144.142

But a dig for the specified site/domain (www.nfs-e.net) doesn't get any result from the local unbound.

(Via https://www.digwebinterface.com/?hostnames=www.nfs-e.net&type=&useresolver=8.8.4.4&ns=all&nameservers= each one of the resolvers gets 177.11.21.10 as the result.)

unbound:~$ dig www.nfs-e.net @127.0.0.1

; <<>> DiG 9.10.3-P4-Ubuntu <<>> www.nfs-e.net @127.0.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 53101
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;www.nfs-e.net. IN A

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Mar 02 16:42:36 -04 2021
;; MSG SIZE rcvd: 42

dig A www.nfs-e.net @localhost
dig AAAA www.nfs-e.net @localhost

Optionally, check the manual page of the dig tool for the available options:
https://man.openbsd.org/dig.1

$ dig A www.nfs-e.net

; <<>> DiG 9.11.5-P4-5.1+deb10u3-Debian <<>> A www.nfs-e.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26932
;; flags: qr rd ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;www.nfs-e.net. IN A

;; ANSWER SECTION:
www.nfs-e.net. 0 IN A 177.11.21.10

;; Query time: 5 msec
;; SERVER: 172.25.224.1#53(172.25.224.1)
;; WHEN: Tue Mar 02 22:12:58 CET 2021
;; MSG SIZE rcvd: 60

$ dig AAAA www.nfs-e.net @1.1.1.1

; <<>> DiG 9.11.5-P4-5.1+deb10u3-Debian <<>> AAAA www.nfs-e.net @1.1.1.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23336
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;www.nfs-e.net. IN AAAA

;; AUTHORITY SECTION:
nfs-e.net. 3600 IN SOA ns1.nfs-e.net. hostmaster.nfs-e.net. 2021010113 14400 7200 1209600 14400

;; Query time: 210 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; WHEN: Tue Mar 02 22:13:33 CET 2021
;; MSG SIZE rcvd: 93

$ dig A www.nfs-e.net @resolver1.opendns.com

; <<>> DiG 9.16.11-Debian <<>> A www.nfs-e.net @resolver1.opendns.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22143
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.nfs-e.net. IN A

;; ANSWER SECTION:
www.nfs-e.net. 555 IN A 177.11.21.10

;; Query time: 0 msec
;; SERVER: 208.67.222.222#53(208.67.222.222)
;; WHEN: Tue Mar 02 21:16:11 UTC 2021
;; MSG SIZE rcvd: 58

How is your authoritative set-up done? Same machine(s) with different public IPs?

NSD/CoreDNS/PowerDNS/BIND as the authoritative DNS server? And unbound as a forwarder?

Hi,

It seems it's something related to IPv4 connectivity.

My CIDR prefixes are not being delivered to the destination via BGP (upstream failure).

This way, responses from the authoritative servers of the nfs-e.net domain don't return to the local unbound.


Why I’m saying this:

unbound:~# dig www.nfs-e.net

; <<>> DiG 9.10.3-P4-Ubuntu <<>> www.nfs-e.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 15680
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 4

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.nfs-e.net. IN A

;; ANSWER SECTION:
www.nfs-e.net. 900 IN A 177.11.21.10

;; AUTHORITY SECTION:
nfs-e.net. 3600 IN NS darwin.nfs-e.net.
nfs-e.net. 3600 IN NS ns2.nfs-e.net.
nfs-e.net. 3600 IN NS ns1.nfs-e.net.

;; ADDITIONAL SECTION:
ns1.nfs-e.net. 3600 IN A 177.11.20.10
ns2.nfs-e.net. 3600 IN A 177.11.20.20
darwin.nfs-e.net. 3600 IN A 189.28.42.146

;; Query time: 4011 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Mar 02 17:29:25 -04 2021
;; MSG SIZE rcvd: 163

After I changed the BGP announcements to another upstream, the servers 177.11.20.10 / 177.11.20.20 and 189.28.42.146 were able to answer my dig requests.

Now I need to convince the upstream provider to fix the propagation of my public prefixes.

Thank you for your attention
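The comparison this thread does by hand (local unbound says SERVFAIL, independent resolvers answer, so the zone is fine and the path from the local resolver to the authoritative servers is what is broken) can be made repeatable. The script below is an added example; it is not code from the thread or from unbound. It parses trimmed copies of the dig outputs pasted above (constructed from them, not re-queried), classifies where the failure sits, and builds the direct non-recursive probes (`dig +norecurse` to each glue address from the AUTHORITY/ADDITIONAL sections) that show which authoritative server is unreachable. The classification rules and the 2 s "slow" threshold are this example's own assumptions, not unbound's logic.

```python
"""Read several `dig` outputs for one name and say where the failure sits.

Added example (not from the thread or from unbound). The sample outputs
below are constructed from the ones pasted in the thread and trimmed; the
classification rules are this example's assumptions, not unbound's logic.
"""
import re
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class DigResult:
    server: str                                   # resolver that answered (;; SERVER:)
    status: str                                   # NOERROR, SERVFAIL, NXDOMAIN, ...
    answers: list = field(default_factory=list)   # rdata of A/AAAA ANSWER records
    ns_addrs: dict = field(default_factory=dict)  # delegated NS name -> A glue
    query_ms: Optional[int] = None


_STATUS = re.compile(r"status: (\w+)")
_SERVER = re.compile(r";; SERVER: ([\d.]+)#")
_TIME = re.compile(r";; Query time: (\d+) msec")
_SECTION = re.compile(r"^;; (\w+) SECTION:$")      # ANSWER/AUTHORITY/ADDITIONAL
_RR = re.compile(r"^(\S+)\s+\d+\s+IN\s+(\w+)\s+(.+)$")


def parse_dig(text: str) -> DigResult:
    """Extract status, answering server, query time, answers and NS glue."""
    res = DigResult(server=_SERVER.search(text).group(1),
                    status=_STATUS.search(text).group(1))
    m = _TIME.search(text)
    res.query_ms = int(m.group(1)) if m else None
    section, ns_names, glue = None, [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:                      # blank line ends a section
            section = None
            continue
        sec = _SECTION.match(line)
        if sec:
            section = sec.group(1).lower()
            continue
        rr = _RR.match(line)
        if line.startswith(";") or section is None or not rr:
            continue
        name, rtype, rdata = rr.groups()
        if section == "answer" and rtype in ("A", "AAAA"):
            res.answers.append(rdata)
        elif section == "authority" and rtype == "NS":
            ns_names.append(rdata)
        elif section == "additional" and rtype == "A":
            glue[name] = rdata
    # keep glue only for servers the zone actually delegates to
    res.ns_addrs = {n: glue[n] for n in ns_names if n in glue}
    return res


def diagnose(local: DigResult, others: list) -> str:
    """Compare the local resolver with independent recursive resolvers
    (assumed rules: see the module docstring)."""
    good = [r for r in others if r.status == "NOERROR" and r.answers]
    if local.status == "NOERROR" and local.answers:
        if len({tuple(sorted(r.answers)) for r in good + [local]}) > 1:
            return "resolves, but resolvers disagree: check for stale cache or hijack"
        if local.query_ms is not None and local.query_ms > 2000:
            return "resolves, but slowly: resolver retried before an authoritative server answered"
        return "resolves"
    if local.status == "SERVFAIL" and good:
        return ("zone answers elsewhere: local resolver cannot reach the authoritative "
                "servers (network path, firewall, or servers marked down in the infra cache)")
    if local.status == "SERVFAIL":
        return "no resolver gets an answer: zone, delegation or DNSSEC problem"
    return f"unhandled case: local status {local.status}"


def probe_commands(zone_view: DigResult, qname: str, qtype: str = "A") -> list:
    """Direct, non-recursive query per delegated server; a timeout pinpoints the path."""
    return [f"dig +norecurse +time=3 +tries=1 {qtype} {qname} @{ip}"
            for _name, ip in sorted(zone_view.ns_addrs.items())]


# Constructed from the thread's outputs (trimmed to the lines the parser uses).
LOCAL_SERVFAIL = """\
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 53101
;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
"""
OPENDNS_OK = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22143
;; ANSWER SECTION:
www.nfs-e.net. 555 IN A 177.11.21.10

;; Query time: 0 msec
;; SERVER: 208.67.222.222#53(208.67.222.222)
"""
LOCAL_AFTER_REROUTE = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 15680
;; ANSWER SECTION:
www.nfs-e.net. 900 IN A 177.11.21.10

;; AUTHORITY SECTION:
nfs-e.net. 3600 IN NS darwin.nfs-e.net.
nfs-e.net. 3600 IN NS ns2.nfs-e.net.
nfs-e.net. 3600 IN NS ns1.nfs-e.net.

;; ADDITIONAL SECTION:
ns1.nfs-e.net. 3600 IN A 177.11.20.10
ns2.nfs-e.net. 3600 IN A 177.11.20.20
darwin.nfs-e.net. 3600 IN A 189.28.42.146

;; Query time: 4011 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
"""

if __name__ == "__main__":
    print(diagnose(parse_dig(LOCAL_SERVFAIL), [parse_dig(OPENDNS_OK)]))
    for cmd in probe_commands(parse_dig(LOCAL_AFTER_REROUTE), "www.nfs-e.net"):
        print(cmd)
```

Two practical notes on top of this. First, `unbound-control lookup www.nfs-e.net` shows which servers unbound would actually send the query to, and after the network path is repaired `unbound-control flush_infra all` clears the entries that unbound's infra cache has marked as down, which is why a SERVFAIL can keep coming back in 0 ms for a while after the real fault is gone. Second, the "resolvers disagree" branch matters when the workaround is to point clients at a public resolver: a resolver that "works" but returns a different address for the name is the classic symptom of a hijacked or poisoned answer, so compare the A records across resolvers before trusting the one that happens to respond.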