5

I am receiving some reports from different clients in Spain, US and France that they cannot access my website, https://www.ultreyatours.com. They get an ERR_NAME_NOT_RESOLVED error saying the server cannot be found.

Personally, I do not get any error and most visitors don't experience it, but one of my clients has been kind enough to send me their traceroute outputs - below. He uses Google DNS in his browser.

I have a shared IP address which made me think it was blocked by an ISP, but it doesn't seem like it is the case. I have contacted Telefonica (which is the last server reached by my client) to ask if they blocked my IP address just in case, but it has been nine days and no response so far.

All website testing programs I've tried cannot seem to find the error. The only red flag I found was that my MX records point to a CNAME. But these are the standard mail settings of my host, Go Daddy.

Could anyone tell me if they cannot access the website and send me the traceroute or do you have any suggestions as to why this is happening? Should I change host just in case?

```
traceroute to ultreyatours.com (160.153.74.24), 64 hops max, 52 byte packets
 1  192.168.1.1 (192.168.1.1)  7.887 ms  2.594 ms  2.378 ms
 2  192.168.144.1 (192.168.144.1)  51.844 ms  42.309 ms  41.189 ms
 3  * * *
 4  26.red-80-58-89.staticip.rima-tde.net (80.58.89.26)  55.877 ms
    65.red-81-46-3.staticip.rima-tde.net (81.46.3.65)  54.211 ms
    26.red-80-58-89.staticip.rima-tde.net (80.58.89.26)  54.896 ms
 5  216.184.113.116.nuevatel.com (216.184.113.116)  51.841 ms  51.221 ms  51.849 ms
 6  xe0-0-0-8-grtlontlw1.red.telefonica-wholesale.net (94.142.125.246)  88.292 ms
    xe6-1-0-0-grtlontl1.net.telefonicaglobalsolutions.com (213.140.36.254)  94.572 ms
    xe-2-0-2-0-grtparix1.net.telefonicaglobalsolutions.com (94.142.117.174)  115.531 ms
 7  xe2-0-1-0-grtwaseq6.net.telefonicaglobalsolutions.com (94.142.116.209)  164.105 ms
    xe-3-1-4-0-grtwaseq6.red.telefonica-wholesale.net (213.140.36.242)  148.022 ms
    xe0-0-1-0-grtnycpt3.red.telefonica-wholesale.net (94.142.126.73)  185.685 ms
 8  xe-0-0-2-0-grtnycpt3.red.telefonica-wholesale.net (94.142.126.69)  150.588 ms
    dcp-brdr-03.inet.qwest.net (63.235.40.197)  157.253 ms  151.465 ms
 9  phn-edge-08.inet.qwest.net (67.14.40.50)  218.708 ms
    dcp-brdr-03.inet.qwest.net (63.235.40.197)  163.898 ms
    xe3-1-1-0-grtwaseq6.net.telefonicaglobalsolutions.com (5.53.6.145)  178.165 ms
10  xe6-0-6-0-grtwaseq6.net.telefonicaglobalsolutions.com (94.142.116.102)  183.294 ms
    phn-edge-08.inet.qwest.net (67.14.40.50)  218.202 ms
    63-232-81-254.dia.static.qwest.net (63.232.81.254)  235.276 ms
11  be39.trmc0215-01.ars.mgmt.phx3.gdg (184.168.0.73)  224.855 ms
    63-232-81-254.dia.static.qwest.net (63.232.81.254)  255.575 ms
    phn-edge-08.inet.qwest.net (67.14.40.50)  227.479 ms
12  be39.trmc0215-01.ars.mgmt.phx3.gdg (184.168.0.73)  230.942 ms
    be38.trmc0215-01.ars.mgmt.phx3.gdg (184.168.0.69)  230.278 ms
    63-232-81-254.dia.static.qwest.net (63.232.81.254)  235.399 ms
13  * * be39.trmc0215-01.ars.mgmt.phx3.gdg (184.168.0.73)  243.940 ms
14  * * be39.trmc0215-01.ars.mgmt.phx3.gdg (184.168.0.73)  239.542 ms
15  * * *
16  * * *
17  * * *
18  * * *
19  * * *
20  * * *
21  * * *
22  * * *
23  * * *
24  * * *
25  * * *
26  * * *
27  * * *
28  * * *
29  * * *
30  * * *
31  * * *
32  *
```
Peter Mortensen
NinilieM
  • 1
    When did the configuration of DNS occur? You have to remember that DNS records require in some cases up to 48hrs to be propagated. – Mateusz Pacek Sep 09 '15 at 13:28
  • For me it's not a DNS or IP/routing problem. If you check with an SSL report you have some incompatibility with IE6, nothing bad, IE6 must die. – YuKYuK Sep 09 '15 at 13:30
  • That's not it, there has been no change in my DNS for 2 weeks... :/ – NinilieM Sep 09 '15 at 13:30

1 Answer

14

If I'm not mistaken, the problem is that your registrar has published DS records for your domain - that is, DNSSEC signing keys:

```
[me@risby player]$ dig ds ultreyatours.com
[...]
;; ANSWER SECTION:
ultreyatours.com.       85920   IN      DS      49864 8 1 0152C1213569799FAFA42C7699A20132A293F908
ultreyatours.com.       85920   IN      DS      20536 8 1 291A619699C18BF007CB937928EA99A81CC73314
```

but your A record is unsigned:

```
[me@risby player]$ dig www.ultreyatours.com +trace +dnssec
[...]
.                       487995  IN      NS      i.root-servers.net.
[...]
.                       487995  IN      RRSIG   NS 8 0 518400 20150919050000 20150909040000 1518 . m8MEJxwjDheKkuBXEMRTO+vqGHVFRznH45Tr8bT6iCb+0uulK3y5QLuA 627T5DJ65LbWlnTlM3QjFlSVkgO7d9Km5gLD9BJ6txuwyxlI2XR+BQmW GykfNbqpMpvvnaZpBu6UoIts7oP0TrvbvD8hePoGwBGE5gtnKWGV151z LFI=
;; Received 913 bytes from 127.0.0.1#53(127.0.0.1) in 0 ms
[...]
com.                    172800  IN      NS      m.gtld-servers.net.
com.                    86400   IN      DS      30909 8 2 E2D3C916F6DEEAC73294E8268FB5885044A833FC5459588F4A9184CF C41A5766
com.                    86400   IN      RRSIG   DS 8 1 86400 20150919050000 20150909040000 1518 . ktOAFoG5Ymb03TSau6Fu6HHdoo6T4tXmHEvXbX9aAbsy3JmEPirZtr2C 6ZJikjUc4AhTZ69aHhca1T3uoc2LwhuNbXdL6bSHTC+tdWnBNYE4wqXk USAfz2eCJSNG6MBIPclYxY8N9CvekmrTCWrFZpisv44dLqRPfxizUdX1 TQc=
;; Received 744 bytes from 193.0.14.129#53(k.root-servers.net) in 23 ms

ultreyatours.com.       172800  IN      NS      pdns05.domaincontrol.com.
ultreyatours.com.       172800  IN      NS      pdns06.domaincontrol.com.
ultreyatours.com.       86400   IN      DS      49864 8 1 0152C1213569799FAFA42C7699A20132A293F908
ultreyatours.com.       86400   IN      DS      20536 8 1 291A619699C18BF007CB937928EA99A81CC73314
ultreyatours.com.       86400   IN      RRSIG   DS 8 2 86400 20150913044955 20150906033955 35864 com. fCufZ3SGLfbzgEQHKuZm1kz77cJFoNyW0tZOSMvZhpYSHSxkVwcWSDlM knyJ+Fvh4+yekb/hqtn0BzBJE20GmRCUdd4DBqqRj7+Y8Ki0cUn52CFu Ii1mWS7XhtmR62AgZcUl+Z0CGSC8gxApUAS/H+jgQatOuGonnWIWp6pt UC8=
;; Received 372 bytes from 2001:503:231d::2:30#53(b.gtld-servers.net) in 29 ms

www.ultreyatours.com.   600     IN      A       160.153.74.24
```

Note the absence of an RRSIG record after your A record. That means that the chain of trust cannot be established, and though I get an answer back, my nameserver ignores it:

```
[me@risby player]$ dig www.ultreyatours.com

; <<>> DiG 9.10.2-P3-RedHat-9.10.2-4.P3.fc22 <<>> www.ultreyatours.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 57573
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.ultreyatours.com.          IN      A

;; Query time: 1944 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Sep 09 14:47:03 BST 2015
;; MSG SIZE  rcvd: 49
```

I suspect the problem happens with those clients who are checking DNSSEC signatures, for they will certainly get name not resolved errors.

Note that the traceroute output above is highly misleading; they have tried to traceroute to ultreyatours.com, which does have an RRSIG:

```
ultreyatours.com.       600     IN      A       160.153.74.24
ultreyatours.com.       600     IN      RRSIG   A 8 2 600 20150924120914 20150909120914 8274 ultreyatours.com. ToF8G2xBluSzGVVbjXA02wIOodSrvzTHmFPwYwupeeDDmVC4nXgZbmzK 4RGICA0sZhU8dionVySlDPErD8GBMegOB/vjW77DgVLP0BYY3STA5m0y annQ/AUjTq0boyFj2aYmHSu0mfTnu/TkMgjkV/cDIekCC1LfeoNruFxF N4w=
```

and which resolves correctly in the output you show above. I must urge you to be very precise in investigating this sort of issue; clients who report resolution problems with one hostname do you no favours when they try to traceroute to another.

Edit: I can confirm that you've turned off DNSSEC for your domain: `dig ds ultreyatours.com @a.gtld-servers.net` no longer produces any records. Hopefully, in less than a day your cached DS records will age out, and your DNS will start working again, even for DNSSEC-aware clients.

MadHatter
  • MadHatter, that could be the issue indeed thank you but I must admit I have very little knowledge about this. How could I check if the zone is signed and how could I solve that issue? – NinilieM Sep 09 '15 at 14:02
  • I'm sorry, but a DNSSEC HOWTO is **way** beyond the scope of a SF answer. If logging into your registrar's web interface doesn't present a handy switch for turning DNSSEC off, then all I can suggest is that you get yourself some qualified professional assistance. Debugging this sort of thing is not for the faint-hearted. – MadHatter Sep 09 '15 at 14:05
  • I'll contact GoDaddy see if they can find that "handy switch" and I'll let you know if you had the error right! – NinilieM Sep 09 '15 at 14:11
  • 1
    Good plan. If you don't intend to use DNSSEC (which involves learning about it, as you are finding out) then not advertising to the world that you are (which is what publishing `DS` records does) is definitely a good idea! By the way, the TTLs on your DS records are large - 86,400s - so even if you do manage to turn it off, it will take up to a day for name resolution to start working again for clients who are DNSSEC-aware. – MadHatter Sep 09 '15 at 14:19
  • I contacted GoDaddy for the 6th time in regards to this issue and was told again they had nothing to do with it, that it could only be the ISP blocking my IP address.... great customer service eh! but I found the DNSSEC switch! so hopefully that solves the problem. We'll see in 24h :) – NinilieM Sep 09 '15 at 15:41
  • Your nameservers are `pdns0[56].domaincontrol.com.`. I'm not saying that's not GoDaddy, but it isn't obviously so; is there some possibility that your DNS service is provided by someone else? – MadHatter Sep 09 '15 at 15:45
  • No, the domain was bought and is hosted by GoDaddy. The hosting plan included the SSL and DNS services, which are all hosted by them. Domaincontrol.com nameservers are the default nameservers GoDaddy provides for the domains that have hosted the DNS with GoDaddy. – NinilieM Sep 09 '15 at 15:50
  • Ah, OK - their `whois` server is down right now, so I couldn't check. Worth a try. You might want to consider if this is a sign that you need a better registrar. – MadHatter Sep 09 '15 at 16:06
  • 1
    I know from experience that *.domaincontrol.com are GoDaddy's DNS servers. Given the various outages that GoDaddy has had over the past few years, as well as their stellar customer service that you've experienced, I'd strongly recommend switching to another host/registrar. – Doktor J Sep 09 '15 at 16:58
  • Yes, if the problem is not solved by the switching off of the DNSSEC and the ISP tells me it is not their fault, I will be changing provider in the next week. Otherwise I would have liked to stay with them at least until my subscription expires in January... Thank you for your help anyway! – NinilieM Sep 09 '15 at 17:08
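
The check the answer performs by eye (DS at the parent, RRSIG on the answer) can be scripted over captured `dig` output. This is an added example, not part of the original answer or comments: the function names are hypothetical, and the sample records are those quoted in the answer with the signature data replaced by a placeholder.

```shell
#!/bin/sh
# Added example: presence check only, no cryptographic validation.
# Assumes NAME lives in ZONE itself (no further delegation below ZONE).
# Sample records are taken from the dig output in the answer; the RRSIG
# signature data is replaced by a placeholder because only its type matters.

PARENT_DS='ultreyatours.com. 86400 IN DS 49864 8 1 0152C1213569799FAFA42C7699A20132A293F908
ultreyatours.com. 86400 IN DS 20536 8 1 291A619699C18BF007CB937928EA99A81CC73314'
WWW_ANSWER='www.ultreyatours.com. 600 IN A 160.153.74.24'
APEX_ANSWER='ultreyatours.com. 600 IN A 160.153.74.24
ultreyatours.com. 600 IN RRSIG A 8 2 600 20150924120914 20150909120914 8274 ultreyatours.com. <signature>'

# count_ds ZONE: print the number of DS records for ZONE read from stdin.
count_ds() {
  awk -v z="$1" 'tolower($1) == tolower(z) && $4 == "DS" { n++ }
                 END { print n + 0 }'
}

# has_rrsig NAME TYPE: succeed if stdin holds an RRSIG covering TYPE at NAME.
has_rrsig() {
  awk -v n="$1" -v t="$2" \
    'tolower($1) == tolower(n) && $4 == "RRSIG" && $5 == t { found = 1 }
     END { exit !found }'
}

# classify ZONE NAME TYPE DS_TEXT ANSWER_TEXT
#   insecure: no DS at the parent, validators accept unsigned answers
#   signed:   DS at the parent and the answer carries an RRSIG
#   bogus:    DS at the parent but no RRSIG, validators answer SERVFAIL
classify() {
  ds_count=$(printf '%s\n' "$4" | count_ds "$1")
  if [ "$ds_count" -eq 0 ]; then
    echo insecure
  elif printf '%s\n' "$5" | has_rrsig "$2" "$3"; then
    echo signed
  else
    echo bogus
  fi
}

echo "www:  $(classify ultreyatours.com. www.ultreyatours.com. A "$PARENT_DS" "$WWW_ANSWER")"
echo "apex: $(classify ultreyatours.com. ultreyatours.com. A "$PARENT_DS" "$APEX_ANSWER")"

# Live use (dig flags as used in the answer, plus +noall +answer):
#   classify example.com. www.example.com. A \
#     "$(dig +noall +answer DS example.com @a.gtld-servers.net)" \
#     "$(dig +noall +answer +dnssec A www.example.com @<authoritative-ns>)"
```

Run the check against every hostname clients actually use, not only the apex: on the records quoted in the answer the apex classifies as signed while `www` classifies as bogus.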