
I have a couple of Hetzner 'root servers' (as they call them: dedicated co-located Linux machines) and all of them experience the same problem (which I simply do not fully understand).

The domain www.dnsblchile.org does not want to resolve to an IP (the servers are installed from Hetzner's own Debian Jessie images). All other domains of course resolve properly (I did not experience any problems before with any other domains resolving, or I did not spot it before).

When I test `nslookup -type=A www.dnsblchile.org` I get:

```
;; Got SERVFAIL reply from 213.133.98.98, trying next server
;; Got SERVFAIL reply from 213.133.99.99, trying next server
Server:         213.133.100.100
Address:        213.133.100.100#53

** server can't find www.dnsblchile.org: SERVFAIL
```

so NO proper answer here, but when I try using 8.8.8.8 (Google) as the nameserver, like `nslookup -type=A www.dnsblchile.org 8.8.8.8`, I get:

```
Server:         8.8.8.8
Address:        8.8.8.8#53

Non-authoritative answer:
Name:   www.dnsblchile.org
Address: 66.23.231.212
```

so everything is OK here and I get the proper IP.

The contents of `/etc/resolv.conf` (default after installation) are:

```
### Hetzner Online GmbH installimage
# nameserver config
nameserver 213.133.98.98
nameserver 213.133.99.99
nameserver 213.133.100.100
```

If I add 8.8.8.8 as a new entry to `/etc/resolv.conf`, all is working just fine as well.

Now, is something wrong on the Hetzner nameserver configuration side, or shall I just use the 8.8.8.8 nameserver instead (as a good practice)?
I have been talking to Hetzner support for two days already but have no common ground here; I keep hearing that their nameservers are all perfectly fine.
Should their own nameservers also properly resolve the www.dnsblchile.org domain?


Update from support:

> ..but as the domain are using nameservers which are not allowing requests from our resolvers the domain can not be resolved. If you want to resolve the domain you have to use other resolvers or maybe own resolvers, which are allowed to request the nameservers of the domain

Now, may their nameservers be 'blocked' like they say (I'm not an expert here)?

As well, is it a common practice (as the answer below suggests) to use e.g. the Google nameserver and just skip the Hetzner nameserver setup?
Would I just add the Google nameserver to the list (at the top or bottom of the `/etc/resolv.conf` file), and should I remove the Hetzner nameservers (or leave them)?

Mc Bton

  • I've just tried this from my Hetzner VPS, and I confirm your results. It looks to me like Hetzner's nameservers are doing something wrong, and reproducibly so. You have something clear-cut to show them: you **can** resolve that A record off google, and you **cannot** resolve it off their nameservers. I'm not sure how it's taken them two days to get their heads around that. – MadHatter Sep 02 '16 at 11:27
  • On your update: yes, it's perfectly possible that `dnsblchile.org`'s authoritative nameservers could be blocking or ignoring requests from Hetzner's servers, though I can't imagine why they'd do such a thing. You'd have to ask them about that. – MadHatter Sep 02 '16 at 15:33

2 Answers


I don't understand why you are still trying to use the Hetzner DNS servers if they are demonstrably not working correctly. Just update your /etc/resolv.conf appropriately and get on with your life.

I usually chuck 8.8.8.8 and 8.8.4.4 (or 2001:4860:4860::8888, 2001:4860:4860::8844) in and forget about it.

user9517

  • Is it assumed a good practice to use e.g. google nameservers ? – Mc Bton Sep 02 '16 at 13:34
  • Whilst I hardly ever disagree with Iain, because he's almost always right, I'm going to disagree this time. I make a point of *never* using google's nameservers for long periods on production equipment. I'm very sure google log and mine the lookup data, and I have no intention of going round configuring my clients' equipment to leak information to google, who have quite enough of it already. If I were you, I'd keep pressing Hetzner to fix their nameservers. But I'm fairly bloodyminded about a lot of things, and I concede Iain's plan is a lot simpler. – MadHatter Sep 02 '16 at 13:43
  • @MadHatter Google helpfully tell you [exactly what they log](https://developers.google.com/speed/public-dns/privacy). – Michael Hampton Sep 02 '16 at 14:19
  • @MichaelHampton that's informative, thank you. That said, I won't be changing my policy, because Google don't covenant to never plumbing that information more than they do now, and I don't have time to keep revisiting the page to check they've not changed their position. What I don't give them, they definitely can't abuse. – MadHatter Sep 02 '16 at 15:30
  • Shall the 8.8.8.8/8.8.4.4 be added at the top or bottom of file (or does not matter), and shall the Hetzner IPs be removed from the `/etc/resolv.conf` file (or not)? Maybe i'm overcomplicating - but just want to be sure not to spoil something (which i do not 100% understand yet). – Mc Bton Sep 02 '16 at 15:31
  • `man 5 resolv.conf` – user9517 Sep 02 '16 at 15:32
  • @MadHatter I'm even less sure of what Hetzner's DNS servers log. I think if privacy is that important the only thing you can do is run your own. – Michael Hampton Sep 02 '16 at 17:41
  • I agree, and I do. But Hetzner are hosting this particular server, so they can see what I'm doing even if I roll my own DNS service. I'm not giving them anything they can't get, in other words; they're also in the EU, so covered by fairly strong privacy law; and they haven't set out to collect and privacy-mine an awful lot of data. None of that can be said for google. – MadHatter Sep 03 '16 at 10:06
  • We now also have Cloudflare's 1.1.1.1 and 1.0.0.1 service, which seems to be slightly faster and is not from an advertising company, so there is hope that it will be more privacy-sensitive. – Jan Rychter Jul 11 '20 at 10:13

See also: https://cwiki.apache.org/confluence/display/SPAMASSASSIN/CachingNameserver for a lot of good options to avoid this problem, e.g. by installing a local caching DNS server like unbound.

After you make sure it starts upon reboot, make sure to change `/etc/resolv.conf` to begin with:

```
nameserver 127.0.0.1
```

Finally, make sure your server is not overwriting this setting (e.g. a DHCP client may overwrite it) by making the file immutable:

```
sudo chattr +i /etc/resolv.conf
```

Or add the following line to `/etc/dhcp/dhclient.conf`:

```
supersede domain-name-servers 127.0.0.1;
```

Or use other solutions like those described here: https://www.cyberciti.biz/faq/dhclient-etcresolvconf-hooks/

Let's block all spam mails :-)

JohannesB

  • `sudo chattr +i /etc/resolv.conf` output: `chattr: Operation not supported while reading flags on /etc/resolv.conf`. `file /etc/resolv.conf` output: `/etc/resolv.conf: symbolic link to ../run/systemd/resolve/stub-resolv.conf` – Sergey Serov Jun 24 '22 at 15:35
  • @SergeySerov depending on what you try maybe look at: https://unbound.docs.nlnetlabs.nl/en/latest/use-cases/local-stub.html to setup your own local DNS server on a systemd machine. – JohannesB Jun 24 '22 at 19:11
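An added example (not from either answer) that checks the two things the comment threads above raise: the "top or bottom of the file" question under the first answer, and the symlinked `/etc/resolv.conf` under the second. It parses a resolv.conf the way glibc reads it, flags entries beyond glibc's limit of three nameservers (so a fallback appended as a fourth line is never queried), notes that servers are tried in listed order unless `options rotate` is set, and reports when the file is a symlink such as systemd-resolved's stub. The Hetzner default file is embedded as a constructed copy of the one in the question; `audit` and `fallback` are names chosen for this example.

```python
import os

MAXNS = 3  # glibc's stub resolver honours at most this many nameserver lines

def parse_resolv_conf(text):
    """Return (nameservers in file order, option tokens) from resolv.conf text."""
    nameservers, options = [], []
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split(";", 1)[0].split()  # drop comments
        if len(parts) >= 2 and parts[0] == "nameserver":
            nameservers.append(parts[1])
        elif parts and parts[0] == "options":
            options.extend(parts[1:])
    return nameservers, options

def audit(text, fallback="8.8.8.8"):
    """Return findings about resolver order; an empty list means nothing to flag."""
    ns, opts = parse_resolv_conf(text)
    findings = []
    if not ns:
        findings.append("no nameserver lines: glibc falls back to the local host")
    if len(ns) > MAXNS:
        findings.append(f"{len(ns)} nameservers listed but glibc uses only the first {MAXNS}: {ns[:MAXNS]}")
    if fallback in ns and ns.index(fallback) >= MAXNS:
        findings.append(f"{fallback} is entry {ns.index(fallback) + 1} and is never queried; put it first")
    if len(ns) > 1 and "rotate" not in opts:
        findings.append(f"servers are tried in listed order, so {ns[0]} sees every query until it fails")
    return findings

# the default file from the question (constructed copy for offline use)
HETZNER_DEFAULT = """### Hetzner Online GmbH installimage
# nameserver config
nameserver 213.133.98.98
nameserver 213.133.99.99
nameserver 213.133.100.100
"""

if __name__ == "__main__":
    path = "/etc/resolv.conf"
    if os.path.islink(path):  # systemd-resolved case from the comment above
        print(f"{path} is a symlink to {os.readlink(path)}; edit the target or reconfigure the stub")
    with open(path) as f:
        for finding in audit(f.read()):
            print("WARN:", finding)
```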