Domain not resolving while other is.
Currently creating a testing setup for a project of mine. However, I am unable to resolve the domain I have bought for it inside of my virtual machines, but I am able to resolve it on my host.
Inside of the virtual machines I am fine to query any other domain. The resolver is set to 1.1.1.1, just like my personal host.
I have checked the network monitor and in the pcap it seems like the queries are being sent just fine, but there are no responses.
65 Replies
what's the domain? Could just be dns cache, even 1.1.1.1 caches per PoP
Sorry forgot to add the screenshot.
tropometrics.net is the domain I have recently purchased through cloudflare. dnbr.cloud is a domain that is with name.com but DNS hosted at cloudflare
anything else also resolves just fine using both systemd-resolved and directly specifying @1.1.1.1.
But like I said, my personal PC uses Cloudflare DNS as well and does resolve the domain, not quite sure what's going on
Same PC doing the VMs or another host?
It's a different host.
However
So in comparison to your pc that works. What's different about the host running your vms? Like at the network layer
Nothing other than the VM host has a 20gb link and my PC doesn't.
It's the same switch and same VLANs and the same router
Just realised this issue might've been better to ask in the homelab or sysadmin discords 😅 oh well
nah, tons of smart folks here. I was going to say dns cache like Chaika, but then was curious if it was another host or same as your machine.
I'll step out of the way so people can help you. But, you have a complex setup, if you're talking about VLANs. I'd like do the basic things just to double check.
VM Firewall, Host, confirm the vlans are correct, you reach other things like you would truly expect, then move up the stack.
Same VLAN means just VLAN 1 atm. I have a separate VLAN for all management interfaces, but that's not routed, so the network this is on can just be thought of as dumb
Another thing to consider is asymmetric routing.
Well, have you rebooted the vm?
This would rule out dns cache, which is still a possibility if it's only this new domain v. every dns request
I have, multiple times even.
I'm intrigued now, lol. The VM, did you use like an ISO or a build you had before and/or did you do any super specific customization? Just thinking out loud. If you get it answered/fixed on another discord will you reply here just so I know?
Very fresh ubuntu vm
I was thinking maybe dns overriding/hijacking but it's still weird it'd timeout, can you try
and see what you get?
just fine :/
so it's just on the A type it fails?
yes
wth?
Seems like it indeed 🤔 That's so strange
what's the output of above?
it's still loading cause dig with errors is crazy slow
One last thing from me, could you try forcing tcp?
dig +tcp @1.1.1.1 tropometrics.net
That's a good idea, I'm kinda thinking something force hijacking/redirecting dns
Interesting thing, even dig fails on my own pc
but i can go to tropometrics.net on chrome/edge/firefox and they all just show the site
What type of internet connection?
ps. tropometrics.net points to a private ip (192.168.178.30), possible something in the middle is blocking the request because of that/some setups block private ips in public dns for security
it certainly wouldn't load a webpage outside of your local network, at least
Same result
Just as a sanity test:
guess doh works?
makes sense, nothing can intercept it, it should still be connecting to the local cf location (low latency), so nothing wrong with it
I'd bet on this more than: https://discord.com/channels/595317990191398933/1327008774946295962/1327014904095572091
Is your DNS meant to be pointed at a private internal IP?
What country and is this Starlink or a cell or standard cable/fiber/etc
Oh yes i know. In fact all subdomains on this are also private.
dnbr.cloud also has a few subdomains with private ips for ages. Which, also, resolve properly on my host.
Sadly still on standard cable.
Yes, it is supposed to be private IPs because I sadly do not own more than one public IP 😄
The reason I ask is because some non-standard ISPs do CGNAT. I was kinda of thinking routing.
Ah no, I luckily still have a real public IP, which new customers don't get anymore
telnet 1.1.1.1 53
I assume that connection timeout? What network gear are you using?
I can't get past these two points 1) Your desktop also can't dig this. 2) Other domains in a dig from the same machines work (just this single domain). So, my pretend-network advice would say 1) Rules on your network gear 2) Something unique with filtering or that VLAN, or that VM isn't on the VLAN you think 3) Your ISP is doing some type of filtering (for that one domain -- which, I couldn't imagine). Also, are you doing anything fancy with your VLANs, like outbound traffic routed through a VPN?
I have the feeling that my ISP modem might indeed do a little naughty.
Because the traffic capture i showed before is the last machine before traffic leaves my network before the modem
I'll make this one last observation and seriously leave you alone hah, and I'll follow this, because I'm super interested now.
I don't know if ISPs filter for "new domains"; but in the email realm, filtering can be used to protect against "brand new domains".
Your domain has a tag (that is not service impacting and is only informational) ... but, maybe your ISP uses it for their filtering and will work after this tag falls off.
Domain Status: addperiod https://icann.org/epp#addperiod
This is 1000% a shot in the dark. I just can't move past 2 machines on your network & only this domain.
would be curious if they did that and only filtered for A queries then and left NS/etc alone
would think they'd just nuke the entire domain
It's crazy to me why they would even touch DNS to another DNS in the first place
haha, I'm not sure. I only say it because it could just be a simple way to defeat Command and Control servers? But it's a stab in the dark. Proof would be after 5 days, is when that flag falls off, I think.
I mean, it works over DoH; filtering is being done somewhere...
fwiw could be longer, CF Radar for example's new domain filter is 30 days
Ohhh, Radar, I hadn't considered that. I just know think that ICANN flag falls off after 5 days
Radar's not blocking this domain though, 1.1.1.1 doesn't use that by default, and if it did, they send
Refused
for NS and 0.0.0.0 / etc to blackhole traffic
Right. It's just in comparing what you and I can see, and it working over DoH (and also the exact same domain) not working from his PC (different machine) but other domains do work.
That's the only thing that stands out is how new the domain is
The ISP is indeed filtering DNS....
out of curiosity then, what happens when you do
dig 948452.xyz @1.1.1.1
?
also what about
dig @127.0.0.53 tropometrics.net
he showed that failing in his first screenshot
oh my bad I missed that one.
oh yeh true 😂
Fails. Now I'm curious what internal IPs they block.
lol then I think it's by the result and not by your domain
that's funny though, I was expecting that not to fail
why were you expecting it not to fail
948452.xyz is ~5 months old, I don't think considered new
I was thinking rdm might be right and it was just ISP filtering new domains because they're often malicious/easy blocks
They might still be, but yet it also seems more than that and based on the result as well, at least
Ah no they actually filter out responses with private ips, now i wanna know what ranges do they block
oh, I thought your other domain with Private IPs worked?
Are you in the US or what country are you from? And have you ever noticed anything that would indicate a MITM or DNS poisoning beyond this?
well this is good reason to setup Adguard Home or Pihole if nothing else, can setup DoT and have all local devices use it, even throw on a few adblocking lists if you want
Well it does, which is strange. It's the internal.dnbr.cloud range
Might've forgotten I moved that to the DNS cache of the other part of the lab already.
I think the DNS filtering is pretty new tho, cause that was only late October and before that I just used Cloudflare directly on everything
Already got that for all my mobile devices. Just not the lab, thinking I'm going to migrate it over to that. Still very sketch they are basically doing a MITM on your DNS traffic tho
Could you try
dig @1.1.1.1 48773.NET
This is a random domain I found that was just created
Creation Date: 2025-01-06T08:53:08Z
Domain Status: addPeriod
And has the status, this would rule in/out my hypothesis of filtering at an ISP level using that one ICANN tag
yeh that works fine
haha, jeeze. I'll do that homer image and disappear into the bush lol
same tbh, feel dumb thinking that couldn't be it
didn't even think about it as an option tbh
🙂 It's only Discord, we're all here to have a good time, and this was fun. I just started a meeting at work, so I have to disappear anyway. Cheers!
Thanks for all of your help guys! I am going to migrate all over to a Pi-hole and set up DoT 😅
Everything works now 🎉