Google DNS does not resolve new domain

Hello,

A few days ago I registered a new domain name. Most DNS servers resolve it perfectly, except for Google (that 10% of the internet seems to use, including LetsEncrypt).

I just get a SERVFAIL when I use a dig at Google's DNS.

Does anyone know why this happens?

Comments

  • HostEONS Member, Patron Provider

    Try to flush Google DNS cache for your domain from https://developers.google.com/speed/public-dns/cache and see if it helps

    Thanked by 1 (uxtvdl)
  • Razza Member

    Does your domain use DNSSEC? If so, it might not be set up correctly; that is one possible cause of Google DNS returning SERVFAIL.

    Let's Encrypt doesn't use Google DNS; they query the domain's authoritative DNS server directly.

  • @Razza I keep having this issue with LetsEncrypt

    1..2..3..4..5..
    Challenge status: invalid. Challenge error: "type": "http-01", "status": "invalid", "error": { "type": "urn:ietf:params:acme:error:connection", "detail": "dns :: DNS problem: SERVFAIL looking up A for hitplus.es", "status": 400 . Exiting...

    It is one domain in particular; all the others work fine. I am close to pulling my hair out. 3 days wasted and no result.

  • Shot2 Member

    Well, you should teach yourself DNSSEC...

    https://dnssec-analyzer.verisignlabs.com/hitplus.es

  • @Shot2 said:
    Well, you should teach yourself DNSSEC...

    https://dnssec-analyzer.verisignlabs.com/hitplus.es

    My other domains don't have DNSSEC either and they work fine. :)

  • Shot2 Member
    edited March 2019

    @DennisdeWit said:

    @Shot2 said:
    Well, you should teach yourself DNSSEC...

    https://dnssec-analyzer.verisignlabs.com/hitplus.es

    My other domains don't have DNSSEC either and they work fine. :)

    Well, your domain has DNSSEC (enabled) but your zone is not signed (among other issues), so DNSSEC is (rightfully) broken.

    See here: http://dnsviz.net/d/hitplus.es/dnssec/

    • wrong nameservers used (no agreement between your NS RR and your registrar's NS RR for the zone)
    • your zone is missing the DNSKEY RR, and is not signed (no RRSIG RR)

    It cannot work; SERVFAIL is to be expected.

    As for your other domains: if you say so... Proof?
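The diagnosis above (DS published at the registrar, so "DNSSEC enabled", but no DNSKEY and no RRSIG in the zone) is exactly the combination that makes a validating resolver withhold the answer. The following is an added example, not code from the thread or from any of the tools linked in it: it builds the DS record a registrar would publish for a DNSKEY (key tag per RFC 4034 Appendix B, SHA-256 digest over the owner name and RDATA) and then classifies the zone the way a validator does. All keys and the zone name `example.net` are constructed test data; signature verification is reduced to a presence flag, and the real inputs would come from `dig DS zone @parent-ns` and `dig DNSKEY zone +dnssec @child-ns`.

```python
"""DNSSEC chain-of-trust check as a validating resolver (e.g. Google Public DNS)
performs it: the parent publishes a DS, the child zone must publish a matching
DNSKEY and sign its RRsets (RRSIG). Added example; all records are constructed."""
import hashlib
import struct


def owner_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lower-cased, length-prefixed labels, root byte."""
    labels = [lab for lab in name.lower().rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def dnskey_rdata(flags: int, algorithm: int, public_key: bytes) -> bytes:
    """DNSKEY RDATA (RFC 4034 s2.1): flags, protocol (always 3), algorithm, public key."""
    return struct.pack("!HBB", flags, 3, algorithm) + public_key


def key_tag(rdata: bytes) -> int:
    """Key tag (RFC 4034 Appendix B); identifies which DNSKEY a DS or RRSIG refers to."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += (byte << 8) if i % 2 == 0 else byte
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def make_ds(owner: str, rdata: bytes) -> dict:
    """DS record (digest type 2 = SHA-256) the registrar must publish at the parent for this DNSKEY."""
    digest = hashlib.sha256(owner_wire(owner) + rdata).hexdigest()
    return {"key_tag": key_tag(rdata), "algorithm": rdata[3], "digest_type": 2, "digest": digest}


def ds_matches(owner: str, ds: dict, rdata: bytes) -> bool:
    """True if this DS authenticates this DNSKEY (tag, algorithm and digest all agree)."""
    if ds["digest_type"] != 2:
        return False  # only SHA-256 digests are handled in this example
    return (ds["key_tag"] == key_tag(rdata)
            and ds["algorithm"] == rdata[3]
            and ds["digest"] == hashlib.sha256(owner_wire(owner) + rdata).hexdigest())


def chain_status(owner: str, ds_at_parent: list, dnskeys: list, rrsig_present: bool) -> str:
    """Outcome a validator reaches for the zone:
    insecure - no DS at the parent: zone treated as unsigned, answers are returned;
    secure   - a DS matches a published DNSKEY and the zone is signed;
    bogus    - DS present but no matching key or no signatures: answers withheld (SERVFAIL).
    Signature verification itself is simplified to a presence flag here."""
    if not ds_at_parent:
        return "insecure"
    if not dnskeys or not rrsig_present:
        return "bogus"
    if any(ds_matches(owner, ds, key) for ds in ds_at_parent for key in dnskeys):
        return "secure"
    return "bogus"


def expected_rcode(status: str) -> str:
    """What dig shows in the response header for that outcome."""
    return "SERVFAIL" if status == "bogus" else "NOERROR"


if __name__ == "__main__":
    zone = "example.net."
    ksk = dnskey_rdata(257, 13, bytes(range(64)))  # constructed bytes, not a real key
    ds = make_ds(zone, ksk)
    # the situation in the thread: DS at the registrar, zone unsigned -> bogus -> SERVFAIL
    for label, keys, signed in [("DS set, zone unsigned", [], False),
                                ("DS set, zone signed", [ksk], True)]:
        status = chain_status(zone, [ds], keys, signed)
        print(f"{label}: {status} -> {expected_rcode(status)}")
    print("DS removed at registrar:", chain_status(zone, [], [], False))
```

Either side of the chain alone is harmless: a DS with no key behind it, or a signed zone with no DS, leaves the zone "bogus" or "insecure" respectively, and only the first of those costs you resolution.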

  • @Shot2 said:

    @DennisdeWit said:

    @Shot2 said:
    Well, you should teach yourself DNSSEC...

    https://dnssec-analyzer.verisignlabs.com/hitplus.es

    My other domains don't have DNSSEC either and they work fine. :)

    Well, your domain has DNSSEC (enabled) but your zone is not signed (among other issues), so DNSSEC is (rightfully) broken.

    As for your other domains: if you say so...

    I have the option to enable DNSSEC with DirectAdmin. Would that fix it? I tried it today but it didn't fix the problem. I'm willing to pay you to fix it. Please PM me if you are interested.

  • Shot2 Member

    I would first double-check the settings at your registrar for this domain (Nameservers, DNSSEC On), then re-activate DNSSEC on your zone (and give it some time for zone signing + dns cache invalidation/propagation)

  • Shot2 Member
    edited March 2019

    Status : insecure everywhere (not broken, just not protected by DNSSEC). And your nameservers are wrong, too - which seems to be the cause: you and your registrar disagree on which nameservers your zone uses, therefore the "chain of trust" can't work.

    Bis repetita: either learn a bit more about DNSSEC until you feel confident about potential issues (and it takes a bit of practice to get it right, and some close monitoring later), or disable DNSSEC altogether everywhere and call it a day.

  • I'm surprised that the upstream of media12.net isn't a lame delegation itself.

    But, it has its own surprise:

    ns2.media12.net has address 172.107.94.213
    ns1.media12.net has address 172.107.94.213

    This whole thing is a fustercluck.

  • Shot2 Member
    edited March 2019

    @Letzien said:
    I'm surprised that the upstream of media12.net isn't a lame delegation itself.

    But, it has its own surprise:

    ns2.media12.net has address 172.107.94.213
    ns1.media12.net has address 172.107.94.213

    This whole thing is a fustercluck.

    Holy macaroni.
    The whole thing would make for a neat case study :smiley:

    (edit: nothing personal hey, dns is definitely some hairy topic)

  • @Letzien said:
    I'm surprised that the upstream of media12.net isn't a lame delegation itself.

    But, it has its own surprise:

    ns2.media12.net has address 172.107.94.213
    ns1.media12.net has address 172.107.94.213

    This whole thing is a fustercluck.

    This whole thing would probably fail if it gets something like 120-200Mbps of DNS query traffic, I assume.

    Thanked by 1 (eol)
  • Razza Member
    edited March 2019

    Clearly DNS is not his strong point; even the DNS for the domain in his signature is poorly done.

    Nameserver
    ns1.megahit.live. ['172.107.94.213']
    ns2.megahit.live. ['172.107.94.213']

    The NS record returned when querying the nameservers

    ns1.xseu.net ['172.107.94.213']
    ns2.xseu.net ['172.107.94.213']

  • Shot2 Member

    Given the hierarchical nature, this implementation of DNS is wrong on so many levels.

  • @DennisdeWit This whole thing is bad. First of all, get a $18/yr TinyKVM from @ramnet and set up a proper slave/secondary. Then, fix this.

  • Neoon Community Contributor, Veteran
    edited March 2019

    Well, it's not wrong running a single DNS server for a domain.
    It's not ideal if you have an outage there, but it's not wrong.

    If you want it to be "IDEAL", get at least 2 nameservers, on 2 different networks, from 2 different providers, of which at least one has anti-DDoS.

    You will find enough cheap offers over the year to deploy 2 of these for around $20/y.

  • Janevski Member
    edited March 2019

    A lot of unlimited 9999999999MB Master/Alpha/dickcheese WHM Reseller cPanel providers are using two IPs on the very same VPS.
    Top notch.

    Thanked by 1 (eol)
  • I’ll look into the secondary DNS as I do have a second server with a second DirectAdmin :)

  • Shot2 Member
    edited March 2019

    @DennisdeWit said:
    I’ll look into the secondary DNS as I do have a second server with a second DirectAdmin :)

    As @Neoon said, having a second (different) nameserver (not a strong requirement) is the least of your worries. Reproducing the same misconfiguration on a second server is unlikely to help...

  • Could this issue happen because of a different TLD and domain registrar?

  • Not if it is setup correctly.

    Set your authoritative nameservers to at least identify who they are.

    ns1.xseu.net and ns1.media12.net being the same host doesn't matter; you have ns1.xseu.net as your point of origin in your zone, so this is what you should have set with the registrar, too (I really don't suggest doing split-horizon naming on the same single IP address - that WILL get ugly), or you should set your boilerplate NS to say it's ns1.media12.net, or at least, you know, fix your SOA.
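The points raised in this thread about the delegation itself (registrar and zone disagreeing on the NS set, an SOA MNAME that is not one of the zone's nameservers, and "two" nameservers that are one host, plus Neoon's advice to put them on different networks) can be checked mechanically. Below is an added example, not output from the thread or from dnsviz: `check_delegation` takes the parent-side NS set, the child-side NS set and SOA MNAME, and a hostname-to-address table, and returns findings. The lookups are stood in for by constructed tables; in practice they come from `dig NS zone @<parent-ns>`, `dig NS zone @<child-ns>`, `dig SOA zone @<child-ns>` and `dig A <ns-host>`. The hostnames and the address 172.107.94.213 are the ones quoted in the thread; the "after fix" addresses are documentation-range placeholders.

```python
"""Delegation consistency check: parent NS vs. zone NS, SOA MNAME membership,
lame nameservers, and nameserver redundancy. Added example; inputs are constructed."""


def _norm(name: str) -> str:
    """Compare DNS names case-insensitively and with or without the trailing dot."""
    return name.lower().rstrip(".")


def check_delegation(zone: str, parent_ns: list, child_ns: list,
                     soa_mname: str, addresses: dict) -> list:
    """Return a list of (severity, message); an empty list means the delegation is consistent.
    addresses maps nameserver hostname -> list of IP addresses (glue or A lookups)."""
    findings = []
    parent = {_norm(n) for n in parent_ns}
    child = {_norm(n) for n in child_ns}
    # 1. the registrar's NS RRset and the zone apex NS RRset must agree
    if parent != child:
        findings.append(("error", f"{zone}: parent NS {sorted(parent)} != zone NS {sorted(child)}; "
                                  "resolvers are delegated to servers the zone does not claim"))
    # 2. the SOA MNAME (primary master) should be one of the zone's own nameservers
    if _norm(soa_mname) not in child:
        findings.append(("warning", f"{zone}: SOA MNAME {soa_mname} is not in the zone's NS set"))
    # 3. every nameserver must have an address, and they should not all be one host
    ip_to_ns = {}
    for host in sorted(parent | child):
        ips = addresses.get(host, [])
        if not ips:
            findings.append(("error", f"{host} has no address record: lame delegation"))
        for ip in ips:
            ip_to_ns.setdefault(ip, set()).add(host)
    if ip_to_ns and len(ip_to_ns) < 2:
        ip, hosts = next(iter(ip_to_ns.items()))
        findings.append(("warning", f"all nameservers ({', '.join(sorted(hosts))}) resolve to {ip}: "
                                    "one host, no redundancy"))
    # 4. distinct addresses inside one IPv4 /24 are usually one network, one failure domain
    nets = {ip.rsplit(".", 1)[0] for ip in ip_to_ns if ip.count(".") == 3}
    if len(ip_to_ns) >= 2 and len(nets) < 2:
        findings.append(("info", "nameservers have distinct addresses but share one /24 network"))
    return findings


if __name__ == "__main__":
    # roughly the situation described in the thread (constructed from the posts)
    one_host = ["172.107.94.213"]
    broken = check_delegation(
        "hitplus.es", ["ns1.media12.net.", "ns2.media12.net."],
        ["ns1.xseu.net.", "ns2.xseu.net."], "ns1.xseu.net.",
        {"ns1.media12.net": one_host, "ns2.media12.net": one_host,
         "ns1.xseu.net": one_host, "ns2.xseu.net": one_host})
    for severity, message in broken:
        print(f"[{severity}] {message}")
    # after the fix: same NS set on both sides, MNAME among them, two hosts on two networks
    fixed = check_delegation(
        "hitplus.es", ["ns1.xseu.net.", "ns2.xseu.net."],
        ["ns1.xseu.net.", "ns2.xseu.net."], "ns1.xseu.net.",
        {"ns1.xseu.net": ["192.0.2.10"], "ns2.xseu.net": ["198.51.100.20"]})
    print("after fix:", fixed or "consistent")
```

The first finding is the one that matters for DNSSEC: the chain of trust is built along the delegation the parent publishes, so if the parent points at names the zone itself does not list, the validator and the zone are not even talking about the same servers.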

  • @Janevski said:
    A lot of unlimited 9999999999MB Master/Alpha/dickcheese WHM Reseller cPanel providers are using two IPs on the very same VPS.
    Top notch.

    There's a difference between a $3/yr disposable service, and fucking things up so badly you want to cry. Although, one is an allegory for the other, I suppose.

    Thanked by 1 (Shot2)
  • I have taken some of your advice:

    • Since I already had a second server with DirectAdmin on it (licensed and well!), I have added multiserver.
    • I have changed the DNS server IP from ns1 and ns2 to two different NODES (not just 2 IPs on the same server). It should take some time to propagate, though.
    • I have added DNSSEC and passed the Verisign test
    • Not for all domains yet, because some domains are registered at a registrar that you need to email. You can’t change it yourself, unlike at some other registrars.

    I have been lazy with setting up the second nameserver and that was totally my own fault. I came up with excuses instead of owning the problem. I have learnt from that.

    I am not here to clusterfuck anything and I am not someone who is incapable of running servers. Hosting a server is just not my main business. I have customers who host their servers elsewhere and I fix their issues. Running a hosting company myself would be way too stressful.

    I already have a lot of physical health issues and just didn’t have time to fix it and went on to excuses. That was my mistake. Sorry.

  • @DennisdeWit The site link in your signature, is it legal music streaming or something shady?

  • @uxtvdl said:
    @DennisdeWit The site link in your signature, is it legal music streaming or something shady?

    Nothing shady. MegaHit is from Romania and is owned by a Romanian owner. I just do the music directing and technical part for them. :)
