Troubles with DNS resolution
Hello,
I’m sorry if I’m not clear, because this problem isn’t a subject I master well.
One of our users has some trouble reaching your servers.
What he told me:
cdn.jsdelivr.net answers NXDOMAIN when we activate QNAME minimisation (the server answers NXDOMAIN for ENT (Empty Non-Terminal))
The test:
```
dig @ns1.flexbalancer.net. A a7e454.flexbalancer.net
; <<>> DiG 9.10.3-P4-Debian <<>> @ns1.flexbalancer.net. A a7e454.flexbalancer.net
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 627
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;a7e454.flexbalancer.net. IN A
;; Query time: 20 msec
;; SERVER: 2400:cb00:2049:1::a29f:18a3#53(2400:cb00:2049:1::a29f:18a3)
;; WHEN: Wed Jul 31 12:16:34 CEST 2019
;; MSG SIZE rcvd: 52
```
```
% dig @ns1.flexbalancer.net. A jsdelivr.a7e454.flexbalancer.net
; <<>> DiG 9.10.3-P4-Debian <<>> @ns1.flexbalancer.net. A jsdelivr.a7e454.flexbalancer.net
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17070
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;jsdelivr.a7e454.flexbalancer.net. IN A
;; ANSWER SECTION:
jsdelivr.a7e454.flexbalancer.net. 10 IN CNAME dualstack.f3.shared.global.fastly.net.
;; Query time: 20 msec
;; SERVER: 2400:cb00:2049:1::a29f:18a3#53(2400:cb00:2049:1::a29f:18a3)
;; WHEN: Wed Jul 31 12:17:37 CEST 2019
;; MSG SIZE rcvd: 109
```
It’s apparently not normal.
Could you try to fix this? If you need more information, do not hesitate to ask me. 😃
Issue Analytics
- State:
- Created 4 years ago
- Comments:11 (5 by maintainers)
Top GitHub Comments
To add some explanations (warning: long and may be useless):

First, the symptom: `cdn.jsdelivr.net` does not exist:

Second, why does it work for some people? To explain it, we have to dig (pun intended) deeper:

`cdn.jsdelivr.net` is an alias to `jsdelivr.a7e454.flexbalancer.net`:

The authoritative name servers for `flexbalancer.net` are:

Both reply correctly when queried about `jsdelivr.a7e454.flexbalancer.net` but not when queried about `a7e454.flexbalancer.net`:

That’s the crux of the issue: they should not reply NXDOMAIN since the domain exists. jsdelivr wrongly aliases to a name which is served by broken name servers.

`a7e454.flexbalancer.net` exists because a subdomain, `jsdelivr.a7e454.flexbalancer.net` exists, even if it has no resource records itself. This is what is called an ENT (Empty Non-Terminal domain name). Replying NXDOMAIN for an ENT is a bug that was present in some CDN some time ago (Akamai had it, at a time), but that I thought almost disappeared (among other issues, it is incompatible with DNSSEC).

So, `flexbalancer.net` is clearly wrong, and jsdelivr should have them fix that, or should move to another name. But why does it work for some people?

This is because the traditional way of doing DNS resolution was to send the entire name to every authoritative name server queried. So, `flexbalancer.net`’s servers receive the full name `jsdelivr.a7e454.flexbalancer.net`, for which they work. But the traditional way is bad for privacy (for instance, the root name servers, and the Verisign .net servers see the entire query), leading to QNAME minimization, described in RFC 7816. QNAME minimization, following a general principle of privacy, sends only the minimum data required to accomplish a task. So, the root name servers will only receive a query for `net`, the Verisign name servers only a query for `flexbalancer.net` and so on. Consequence: `flexbalancer.net`’s name servers will first receive a query for `a7e454.flexbalancer.net`, revealing the bug.

Not all DNS resolvers use QNAME minimization yet. Also, some who do use it in a lax mode, where the resolver retries with the full name, to work around broken name servers like yours. (The `qname-minimisation-strict: yes` option above disables this lax mode.) So, not everyone will see the problem, although they will probably be more and more as time goes.

Great! Thanks for reporting this, if you have any other feedback please let me know.
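
The ENT behaviour explained in the long comment above, as an added example (not code from the issue, jsDelivr or any resolver): a simplified offline model of an authoritative server for the zone, with and without the ENT bug, queried by a resolver with QNAME minimisation off, strict, or lax. The function names and the `ent_bug` switch are assumptions made for illustration; the zone data is constructed from the names in the dig output.

```python
ZONE = "flexbalancer.net"
# Constructed zone content: only the leaf name owns a record, as in the issue.
RECORDS = {
    "jsdelivr.a7e454.flexbalancer.net":
        ("CNAME", "dualstack.f3.shared.global.fastly.net."),
}

def name_exists(qname):
    """A name exists if it owns records or an owned name lies below it (ENT)."""
    return any(o == qname or o.endswith("." + qname) for o in RECORDS)

def authoritative(qname, ent_bug):
    """Return (rcode, answer); ent_bug=True models the behaviour reported above."""
    if qname in RECORDS:
        return "NOERROR", RECORDS[qname]
    if name_exists(qname) and not ent_bug:
        return "NOERROR", None       # NODATA: the name exists but has no records
    return "NXDOMAIN", None          # correct only when nothing exists at or below

def minimised_names(qname, zone):
    """Names a minimising resolver sends to the zone's servers, shortest first."""
    if qname == zone:
        return [zone]
    labels = qname[: -len(zone) - 1].split(".")
    return [".".join(labels[i:] + [zone]) for i in range(len(labels) - 1, -1, -1)]

def resolve(qname, ent_bug, minimise, strict=True):
    """Simulate resolution inside the zone and return the final (rcode, answer)."""
    if not minimise:
        return authoritative(qname, ent_bug)     # traditional: full name every time
    for name in minimised_names(qname, ZONE):
        rcode, answer = authoritative(name, ent_bug)
        if rcode == "NXDOMAIN":
            if strict or name == qname:
                return rcode, None               # strict: trust the NXDOMAIN
            return authoritative(qname, ent_bug) # lax: retry with the full name
    return rcode, answer

if __name__ == "__main__":
    full = "jsdelivr.a7e454.flexbalancer.net"
    for bug in (False, True):
        for mode in ("full", "strict", "lax"):
            r = resolve(full, bug, mode != "full", strict=(mode == "strict"))
            print(f"ent_bug={bug!s:5} resolver={mode:6} -> {r[0]}")
```

Only the combination of the ENT bug and strict minimisation fails, which is why the problem is visible to some resolvers and not others.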