upD8R
May 14, 2020, 10:49am
1
Hi there,
I'm not an expert in using dig but somehow my unbound is not able to resolve careers.microsoft.com .
External name server:
pi@pihole ~> dig careers.microsoft.com @1.1.1.1
; <<>> DiG 9.11.5-P4-5.1-Raspbian <<>> careers.microsoft.com @1.1.1.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45311
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1452
;; QUESTION SECTION:
;careers.microsoft.com. IN A
;; ANSWER SECTION:
careers.microsoft.com. 3600 IN CNAME microsoft.phenompeople.com.
microsoft.phenompeople.com. 600 IN CNAME msftprod.trafficmanager.net.
msftprod.trafficmanager.net. 300 IN CNAME c969e059-fb71-44c0-ba62-ea3a6b460f2b.cloudapp.net.
c969e059-fb71-44c0-ba62-ea3a6b460f2b.cloudapp.net. 10 IN A 13.92.199.137
;; Query time: 122 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; WHEN: Do Mai 14 12:46:55 CEST 2020
;; MSG SIZE rcvd: 225
Local unbound:
pi@pihole ~> dig -p 5353 careers.microsoft.com @127.0.0.1
; <<>> DiG 9.11.5-P4-5.1-Raspbian <<>> -p 5353 careers.microsoft.com @127.0.0.1
;; global options: +cmd
;; connection timed out; no servers could be reached
In most cases I run into this timeout but sometimes also this happens:
pi@pihole /e/u/unbound.conf.d> dig -p 5353 careers.microsoft.com @127.0.0.1
; <<>> DiG 9.11.5-P4-5.1-Raspbian <<>> -p 5353 careers.microsoft.com @127.0.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 36280
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1472
;; QUESTION SECTION:
;careers.microsoft.com. IN A
;; Query time: 42 msec
;; SERVER: 127.0.0.1#5353(127.0.0.1)
;; WHEN: Do Mai 14 12:26:21 CEST 2020
;; MSG SIZE rcvd: 50
Any idea what's going on here?
mibere
May 14, 2020, 11:22am
2
Interesting, same here with Unbound.
dig @1.1.1.1 careers.microsoft.com
dig @8.8.8.8 careers.microsoft.com
dig @9.9.9.9 careers.microsoft.com
All 3 above commands return an IP. But with my local Unbound
dig @127.10.10.2 -p 8153 careers.microsoft.com
;; connection timed out; no servers could be reached
Also can't visit the website, https://careers.microsoft.com/
I use Unbound too, it's working here
nanopi@nanopi:~$ dig @127.0.0.1 -p 5335 careers.microsoft.com
; <<>> DiG 9.11.5-P4-5.1-Debian <<>> @127.0.0.1 -p 5335 careers.microsoft.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13501
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1472
;; QUESTION SECTION:
;careers.microsoft.com. IN A
;; ANSWER SECTION:
careers.microsoft.com. 3506 IN CNAME microsoft.phenompeople.com.
microsoft.phenompeople.com. 506 IN CNAME msftprod.trafficmanager.net.
msftprod.trafficmanager.net. 206 IN CNAME c969e059-fb71-44c0-ba62-ea3a6b460f2b.cloudapp.net.
c969e059-fb71-44c0-ba62-ea3a6b460f2b.cloudapp.net. 0 IN A 13.92.199.137
;; Query time: 0 msec
;; SERVER: 127.0.0.1#5335(127.0.0.1)
;; WHEN: Do Mai 14 13:58:46 CEST 2020
;; MSG SIZE rcvd: 204
Coro
May 14, 2020, 12:05pm
4
Maybe it means they screwed up DNSSEC.
careers.microsoft.com is a CNAME to microsoft.phenompeople.com
microsoft.phenompeople.com is a CNAME to msftprod.trafficmanager.net
msftprod.trafficmanager.net is a CNAME to c969e059-fb71-44c0-ba62-ea3a6b460f2b.cloudapp.net
However, there is neither a DS record for trafficmanager.net nor for cloudapp.net in the net zone. Maybe this means you should not work for them because they don't know how to do things. If you know how to fix it, this may be your first challenge (try disabling DNSSEC validation in unbound and try again)
I think it's their fault. Pinging @DanSchaper, who has replied with enormous knowledge about DNSSEC to other posts in the past (when I was still in read-only mode on this forum).
Please check your unbound config on which port it listens to, maybe this will help
jfb
May 14, 2020, 1:34pm
6
No problems here. Repeatable results on four Pi-holes. I don't think the problem is with the nameserver information.
dig careers.microsoft.com @127.0.0.1 -p5335
; <<>> DiG 9.11.5-P4-5.1-Raspbian <<>> careers.microsoft.com @127.0.0.1 -p5335
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52830
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1472
;; QUESTION SECTION:
;careers.microsoft.com. IN A
;; ANSWER SECTION:
careers.microsoft.com. 3600 IN CNAME microsoft.phenompeople.com.
microsoft.phenompeople.com. 3600 IN CNAME msftprod.trafficmanager.net.
msftprod.trafficmanager.net. 3600 IN CNAME c969e059-fb71-44c0-ba62-ea3a6b460f2b.cloudapp.net.
c969e059-fb71-44c0-ba62-ea3a6b460f2b.cloudapp.net. 3600 IN A 13.92.199.137
;; Query time: 500 msec
;; SERVER: 127.0.0.1#5335(127.0.0.1)
;; WHEN: Thu May 14 08:33:30 CDT 2020
;; MSG SIZE rcvd: 204
upD8R
May 14, 2020, 2:55pm
7
Hmm, so it's most likely an unbound configuration issue then? I set it up following some tutorial but I can't remember the source ...
upD8R
May 14, 2020, 3:20pm
9
Yes, that's the one I used. I also just compared the config in the tutorial with mine and there is no obvious difference.
Both validations (sigfail, sigok) passed as expected.
jfb
May 14, 2020, 3:25pm
10
I don't think this is an unbound issue, but is farther upstream.
You can dig other domains, others can dig other domains, and some others are having the same problem as you are.
You can run this command, which will check your unbound configuration; I suspect you will find no problems.
unbound-checkconf
upD8R
May 14, 2020, 3:29pm
11
jfb:
unbound-checkconf
Indeed, no error found. But if you say "upstream" - how can it work for others but not for me?
upD8R
May 14, 2020, 3:59pm
12
I have now tried the different entries from this CNAME chain in my first (working) example. The issue is already on the phenompeople.com domain. This is the one which doesn't work here.
All the others can be resolved by my unbound.
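The hop-by-hop check described in the post above can be scripted. This is an added example, not part of the original thread: the function names `cname_chain`, `dig_status` and `probe_hops` are made up for illustration, and the resolver address and port are supplied as arguments. Each hop is queried twice, once normally and once with dig's `+cd` (checking disabled) flag, so a DNSSEC validation failure can be told apart from other failures without editing the unbound config.

```shell
#!/usr/bin/env bash
# Added example: list the names in a CNAME chain and probe each one
# against a single resolver, with and without DNSSEC validation.

# Answer section copied from the working 1.1.1.1 query in the first post.
SAMPLE_ANSWER='careers.microsoft.com. 3600 IN CNAME microsoft.phenompeople.com.
microsoft.phenompeople.com. 600 IN CNAME msftprod.trafficmanager.net.
msftprod.trafficmanager.net. 300 IN CNAME c969e059-fb71-44c0-ba62-ea3a6b460f2b.cloudapp.net.
c969e059-fb71-44c0-ba62-ea3a6b460f2b.cloudapp.net. 10 IN A 13.92.199.137'

# Print the owner name of every answer record, in order, without the trailing dot.
cname_chain() {
  awk '$3 == "IN" && ($4 == "CNAME" || $4 == "A" || $4 == "AAAA") {
         sub(/\.$/, "", $1); if (!seen[$1]++) print $1 }'
}

# Reduce one dig reply (stdin) to a status word: NOERROR, SERVFAIL, TIMEOUT, ...
dig_status() {
  awk '/->>HEADER<<-/ { for (i = 1; i < NF; i++)
                          if ($i == "status:") { sub(/,$/, "", $(i+1)); s = $(i+1) } }
       /no servers could be reached/ { s = "TIMEOUT" }
       END { print (s == "" ? "UNKNOWN" : s) }'
}

# Probe every name read from stdin. SERVFAIL that becomes NOERROR under +cd
# points at DNSSEC validation; a hop that fails both ways points elsewhere.
probe_hops() {  # usage: probe_hops <resolver-ip> <port> < names
  while read -r name; do
    normal=$(dig +tries=1 +time=3 -p "$2" "@$1" "$name" A | dig_status)
    nocheck=$(dig +cd +tries=1 +time=3 -p "$2" "@$1" "$name" A | dig_status)
    printf '%-55s validating=%-9s +cd=%s\n' "$name" "$normal" "$nocheck"
  done
}

if [ "$#" -eq 2 ]; then
  # e.g. ./probe.sh 127.0.0.1 5353
  printf '%s\n' "$SAMPLE_ANSWER" | cname_chain | probe_hops "$1" "$2"
else
  # No resolver given: stay offline and just list the hops.
  printf '%s\n' "$SAMPLE_ANSWER" | cname_chain
fi
```

The first hop whose `validating=` column is not NOERROR is where the local resolver's lookup breaks down.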
Hi, I have opened a different topic, but I have the same problem with domains from Facebook.
whatsapp.com
Instagram.com
Facebook.com
I have disabled the unbound service for the moment.