-1

So, a weird issue. Ubuntu 16.04 - I receive no ANSWER from the dig command (for a specific domain) unless ANY is set in the dig command.

Of course, regular DNS queries do not work either :/

; <<>> DiG 9.10.3-P4-Ubuntu <<>> @8.8.8.8 stg-test102.example.net ANY
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18534
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;stg-test102.example.net.           IN      ANY

;; ANSWER SECTION:
stg-test102.example.net.    599     IN      A       172.16.x.x

;; Query time: 53 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Wed Feb 08 17:58:50 CET 2017
;; MSG SIZE  rcvd: 64

root@uhost:/home/user# dig @8.8.8.8 stg-test102.example.net  

; <<>> DiG 9.10.3-P4-Ubuntu <<>> @8.8.8.8 stg-test102.example.net
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36491
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;stg-test102.example.net.           IN      A

;; Query time: 47 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Wed Feb 08 17:58:56 CET 2017
;; MSG SIZE  rcvd: 48

tcpdumps:

tcpdump -i any port 53 -A -n -w /tmp/t.pcap

regular dig, my host:

Frame 2: 92 bytes on wire (736 bits), 92 bytes captured (736 bits)
Linux cooked capture
Internet Protocol Version 4, Src: 8.8.8.8, Dst: 192.168.x.x
User Datagram Protocol, Src Port: 53 (53), Dst Port: 33205 (33205)
Domain Name System (response)
    [Request In: 1]
    [Time: 0.053160000 seconds]
    Transaction ID: 0x4b37
    Flags: 0x8180 Standard query response, No error
        1... .... .... .... = Response: Message is a response
        .000 0... .... .... = Opcode: Standard query (0)
        .... .0.. .... .... = Authoritative: Server is not an authority for domain
        .... ..0. .... .... = Truncated: Message is not truncated
        .... ...1 .... .... = Recursion desired: Do query recursively
        .... .... 1... .... = Recursion available: Server can do recursive queries
        .... .... .0.. .... = Z: reserved (0)
        .... .... ..0. .... = Answer authenticated: Answer/authority portion was not authenticated by the server
        .... .... ...0 .... = Non-authenticated data: Unacceptable
        .... .... .... 0000 = Reply code: No error (0)
    Questions: 1
    Answer RRs: 0
    Authority RRs: 0
    Additional RRs: 1
    Queries
        stg-test102.example.net: type A, class IN
            Name: stg-test102.example.net
            [Name Length: 19]
            [Label Count: 3]
            Type: A (Host Address) (1)
            Class: IN (0x0001)
    Additional records
        <Root>: type OPT
            Name: <Root>
            Type: OPT (41)
            UDP payload size: 512
            Higher bits in extended RCODE: 0x00
            EDNS0 version: 0
            Z: 0x0000
                0... .... .... .... = DO bit: Cannot handle DNSSEC security RRs
                .000 0000 0000 0000 = Reserved: 0x0000
            Data length: 0

dig ANY, my host

Frame 4: 108 bytes on wire (864 bits), 108 bytes captured (864 bits)
Linux cooked capture
Internet Protocol Version 4, Src: 8.8.8.8, Dst: 192.168.x.x
User Datagram Protocol, Src Port: 53 (53), Dst Port: 34839 (34839)
Domain Name System (response)
    [Request In: 3]
    [Time: 0.046263000 seconds]
    Transaction ID: 0xe8eb
    Flags: 0x8180 Standard query response, No error
        1... .... .... .... = Response: Message is a response
        .000 0... .... .... = Opcode: Standard query (0)
        .... .0.. .... .... = Authoritative: Server is not an authority for domain
        .... ..0. .... .... = Truncated: Message is not truncated
        .... ...1 .... .... = Recursion desired: Do query recursively
        .... .... 1... .... = Recursion available: Server can do recursive queries
        .... .... .0.. .... = Z: reserved (0)
        .... .... ..0. .... = Answer authenticated: Answer/authority portion was not authenticated by the server
        .... .... ...0 .... = Non-authenticated data: Unacceptable
        .... .... .... 0000 = Reply code: No error (0)
    Questions: 1
    Answer RRs: 1
    Authority RRs: 0
    Additional RRs: 1
    Queries
        stg-test102.example.net: type ANY, class IN
            Name: stg-test102.example.net
            [Name Length: 19]
            [Label Count: 3]
            Type: * (A request for all records the server/cache has available) (255)
            Class: IN (0x0001)
    Answers
        stg-test102.example.net: type A, class IN, addr 172.16.z.y
            Name: stg-test102.example.net
            Type: A (Host Address) (1)
            Class: IN (0x0001)
            Time to live: 599
            Data length: 4
            Address: 172.16.z.y
    Additional records
        <Root>: type OPT
            Name: <Root>
            Type: OPT (41)
            UDP payload size: 512
            Higher bits in extended RCODE: 0x00
            EDNS0 version: 0
            Z: 0x0000
                0... .... .... .... = DO bit: Cannot handle DNSSEC security RRs
                .000 0000 0000 0000 = Reserved: 0x0000
            Data length: 0

regular dig, some other host

Frame 128: 98 bytes on wire (784 bits), 98 bytes captured (784 bits)
Linux cooked capture
Internet Protocol Version 4, Src: 216.239.x.x, Dst: 192.168.x.x
User Datagram Protocol, Src Port: 53 (53), Dst Port: 33085 (33085)
Domain Name System (response)
    [Request In: 127]
    [Time: 0.023883000 seconds]
    Transaction ID: 0x5576
    Flags: 0x8400 Standard query response, No error
        1... .... .... .... = Response: Message is a response
        .000 0... .... .... = Opcode: Standard query (0)
        .... .1.. .... .... = Authoritative: Server is an authority for domain
        .... ..0. .... .... = Truncated: Message is not truncated
        .... ...0 .... .... = Recursion desired: Don't do query recursively
        .... .... 0... .... = Recursion available: Server can't do recursive queries
        .... .... .0.. .... = Z: reserved (0)
        .... .... ..0. .... = Answer authenticated: Answer/authority portion was not authenticated by the server
        .... .... ...0 .... = Non-authenticated data: Unacceptable
        .... .... .... 0000 = Reply code: No error (0)
    Questions: 1
    Answer RRs: 1
    Authority RRs: 0
    Additional RRs: 0
    Queries
        stg-test102.example.net: type A class IN,
            Name: stg-test102.example.net
            [Name Length: 20]
            [Label Count: 3]
            Type: A (Host Address) (1)
            Class: IN (0x0001)
    Answers
        stg-test102.example.net: type A, class IN, addr 172.16.z.y
            Name: stg-test102.example.net
            Type: A (Host Address) (1)
            Class: IN (0x0001)
            Time to live: 600
            Data length: 4
            Address: 172.16.x.193

Nice commands page: http://linoxide.com/how-tos/useful-options-dig/

sirkubax
  • Please make the actual question explicit, right now there are only statements about observed behavior. Also, can we reproduce the behavior ourselves? Is `prd-promo204.so1.net` the name and is `8.8.8.8` the server you actually query when you get the responses that appear inconsistent? – Håkan Lindqvist Feb 08 '17 at 18:23
  • More than likely your requests are hitting different servers in Google's DNS farm. As for why those servers are returning different results, it's hard for us to say for sure unless you provide the answers Håkan is looking for. `NOERROR` with 0 answers suggests that one of your authoritative servers told Google that no `A` record existed. (and indicates successful communication with your servers) – Andrew B Feb 09 '17 at 05:47

2 Answers

1

I disabled the 'Local DNS enforcement' and it started to work.

Gargoyle setup

JonathanDavidArndt
sirkubax
0

I think I've got it - there is some issue in my network. The connection via mobile internet works.

I do have a land-line router + TP-Link (Gargoyle-OpenWrt) - there must be some networking issue (packets getting dropped?). I'm going to do further debugging - any suggestions?

sirkubax
  • 1
    You clearly get responses, so it doesn't look like packets are dropped. Possibly intercepted and sent elsewhere than the intended destination, though. – Håkan Lindqvist Feb 09 '17 at 18:47
  • It does not explain why the ALL works. My current guess is the Gargoyle router. I need to check if I can install the dig package there (not present by default). Someone did suggest that DNS-related packages with small size may be 'dropped' (there is a size difference), but it happens only for one domain name. Strange. – sirkubax Feb 09 '17 at 19:40
  • As he said, no dropping is occurring here. `NOERROR` with 0 records in the answer section is a completely valid reply. The answer count is contained in the reply header, and is not something that your client calculates based on the number of records that it saw. – Andrew B Feb 09 '17 at 23:38
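The header fields discussed in the comments above, decoded in code. This is an added example, not part of the original thread: it rebuilds the three responses from the captures using the transaction IDs, flags and counts shown there, then reads the answer count and the AA/RD/RA bits straight from the 12-byte header. The function names are hypothetical and the A record address is a constructed placeholder, since the page redacts the real one.

```python
import struct

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def build_response(txid, flags, qname, qtype, answers=(), edns=True):
    """Build a sample DNS response (constructed data, not bytes from the capture)."""
    labels = b"".join(bytes([len(l)]) + l.encode() for l in qname.split("."))
    msg = struct.pack("!6H", txid, flags, 1, len(answers), 0, int(edns))
    msg += labels + b"\x00" + struct.pack("!2H", qtype, 1)
    for ttl, addr in answers:
        # 0xC00C: compression pointer to the question name at offset 12
        msg += struct.pack("!3HIH", 0xC00C, 1, 1, ttl, 4) + bytes(addr)
    if edns:
        # OPT pseudo-record: root name, type 41, UDP payload size 512
        msg += b"\x00" + struct.pack("!2HIH", 41, 512, 0, 0)
    return msg

def parse_header(msg):
    """Decode the fixed 12-byte header; the counts are written by the responder."""
    txid, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    return {
        "id": txid, "qr": flags >> 15 & 1, "aa": flags >> 10 & 1,
        "tc": flags >> 9 & 1, "rd": flags >> 8 & 1, "ra": flags >> 7 & 1,
        "rcode": RCODES.get(flags & 0xF, str(flags & 0xF)),
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }

def classify(msg):
    """Tell an empty but valid reply apart from an error or a real answer."""
    h = parse_header(msg)
    if not h["qr"]:
        return "not a response"
    if h["tc"]:
        return "truncated: retry over TCP"
    if h["rcode"] != "NOERROR":
        return h["rcode"]
    if h["ancount"] == 0:
        return "NODATA: NOERROR with 0 answers, a valid reply"
    source = "authoritative" if h["aa"] else "recursive/cached"
    return f"{h['ancount']} answer(s), {source}"

QNAME = "stg-test102.example.net"
ADDR = (172, 16, 0, 10)  # constructed placeholder; the page redacts the real address
NO_DATA = build_response(0x4B37, 0x8180, QNAME, 1)                   # regular dig
ANY_REPLY = build_response(0xE8EB, 0x8180, QNAME, 255, [(599, ADDR)])  # dig ANY
AUTH_REPLY = build_response(0x5576, 0x8400, QNAME, 1, [(600, ADDR)], edns=False)

if __name__ == "__main__":
    for m in (NO_DATA, ANY_REPLY, AUTH_REPLY):
        print(hex(parse_header(m)["id"]), classify(m))
```

Only the third response has the AA bit set with RD and RA clear, which is what a reply from an authoritative server looks like; the first two carry RD and RA, as a recursive resolver's replies do.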