I'm trying to send some info to www2.agenciatributaria.gob.es. I can do it from several hosts but one.

From this one I get the error Temporary failure in name resolution. However, from the same host I can reach many other servers through its default DNS (I can ping www.google.es, etc.).

So I used dig to check what happens. If I execute dig www2.agenciatributaria.gob.es, the IP of the remote host is searched by the DNS on 127.0.0.53, and the results are wrong (nevertheless, results are successful if I dig www.google.es):

; <<>> DiG 9.16.1-Ubuntu <<>> www2.agenciatributaria.gob.es
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 58113
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;www2.agenciatributaria.gob.es. IN      A

;; Query time: 7 msec
;; SERVER: 127.0.0.53#53(127.0.0.53)
;; WHEN: Mon Sep 27 09:17:00 UTC 2021
;; MSG SIZE  rcvd: 58

On the other hand, if I execute dig +norecurse @8.8.8.8 www2.agenciatributaria.gob.es, to search the IP of the remote host with the DNS on 8.8.8.8, the results are successful:

; <<>> DiG 9.16.1-Ubuntu <<>> +norecurse @8.8.8.8 www2.agenciatributaria.gob.es
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31565
;; flags: qr ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;www2.agenciatributaria.gob.es. IN      A

;; ANSWER SECTION:
www2.agenciatributaria.gob.es. 201 IN   A       195.77.198.18

;; Query time: 0 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Mon Sep 27 09:16:28 UTC 2021
;; MSG SIZE  rcvd: 74

I'm not an expert on this subject. But I guess there is some problem with the DNS for only that domain. Can anyone help me here? How can I solve this problem or what should I check now?

resolvectl status

Global
       LLMNR setting: no                  
MulticastDNS setting: no                  
  DNSOverTLS setting: no                  
      DNSSEC setting: no                  
    DNSSEC supported: no                  
          DNSSEC NTA: 10.in-addr.arpa     
                      16.172.in-addr.arpa 
                      168.192.in-addr.arpa
                      17.172.in-addr.arpa 
                      18.172.in-addr.arpa 
                      19.172.in-addr.arpa 
                      20.172.in-addr.arpa 
                      21.172.in-addr.arpa 
                      22.172.in-addr.arpa 
                      23.172.in-addr.arpa 
                      24.172.in-addr.arpa 
                      25.172.in-addr.arpa 
                      26.172.in-addr.arpa 
                      27.172.in-addr.arpa 
                      28.172.in-addr.arpa 
                      29.172.in-addr.arpa 
                      30.172.in-addr.arpa 
                      31.172.in-addr.arpa 
                      corp                
                      d.f.ip6.arpa        
                      home                
                      internal            
                      intranet            
                      lan                 
                      local               
                      private             
                      test                

Link 2 (ens3)
      Current Scopes: DNS           
DefaultRoute setting: yes           
       LLMNR setting: yes           
MulticastDNS setting: no            
  DNSOverTLS setting: no            
      DNSSEC setting: no            
    DNSSEC supported: no            
  Current DNS Server: 213.186.33.99 
         DNS Servers: 213.186.33.99 
          DNS Domain: openstacklocal
forvas
  • Aside - 127.0.0.53 is a localhost IP address used by systemd for a "caching DNS resolver" that runs on your local machine. In theory, it is only caching your lookups. – Criggie Sep 27 '21 at 20:57

2 Answers


Your domain is not configured correctly, see https://dnsviz.net/d/www2.agenciatributaria.gob.es/YVHoZA/dnssec/

You can ignore the DS warnings on es and gob.es as you won't be able to do anything about those and they won't block resolution.

However do read the warning about the NS set mismatch which means you are in a lame delegation situation. This has the direct effect that your results will depend on which nameserver you ask and can be wrong 50% of the time, or more.

Fix your DNS settings by making sure your parent (gob.es) lists the same servers as authoritative as you do:

$ dig gob.es NS +short
c.nic.es.
fnicdos.rediris.es.
n3ns.nic.es.
h.nic.es.
g.nic.es.
$ dig agenciatributaria.gob.es NS @c.nic.es +noall +auth
agenciatributaria.gob.es. 1d IN NS ns3chos01.telefonica-data.com.
agenciatributaria.gob.es. 1d IN NS nsjc8hos01.telefonica-data.com.
$ dig agenciatributaria.gob.es NS @nsjc8hos01.telefonica-data.com. +short
nsalchos01.telefonica-data.com.
nsjc8hos01.telefonica-data.com.

These 2 sets of NS records do not match and they MUST match for correct DNS resolution.

Patrick Mevzek
  • So you mean that I can do nothing by myself, don't you? Since I do not have much idea about this, will this problem disappear if I start to use Google DNS servers? Apparently yes. – forvas Sep 27 '21 at 17:20
  • "So you mean that I can do nothing by myself, don't you?" This is not at all what I said. Please see the paragraph starting with "However do read the warning". You HAVE TO fix your delegation as it is wrong. Only the owner of `agenciatributaria.gob.es` can do that. "Since I do not have much idea about this, will this problem disappear if I start to use Google DNS servers?" Absolutely not (maybe you see it "fixed" but others will still have problems). If you are new to DNS it may be wise for now to let someone else run the DNS service for your domain and to learn more about it. – Patrick Mevzek Sep 27 '21 at 17:24
  • I've understood you that *agenciatributaria.gob.es* has a problem that they must fix. But I am not the owner of *agenciatributaria.gob.es*. That is an organisation which I depend on. And yeah, I'm a newbie on these DNS subjects. – forvas Sep 27 '21 at 17:34
  • 1
    "That is an organisation which I depend on." Ask them to fix their DNS configuration then. You can find workarounds that may work for a time and then break again, especially in the least favorable moment, so they should fix their delegation. Any DNS professional should understand the term "lame delegation" and be able to know what needs to be fixed, so let them know this, and the DNSViz link can give another view on the subject. – Patrick Mevzek Sep 27 '21 at 17:36
  • Ok, I understand, thank you @Patrick. – forvas Sep 27 '21 at 17:46
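As an added example (not code from the question or from either answer), the following POSIX shell script mechanises the check in Patrick Mevzek's answer, and also explains the question's observation that the same name resolves through 8.8.8.8 but SERVFAILs through another resolver: it takes the parent-side referral and the child-side answer as dig prints them, canonicalises the server names (case, trailing dot, order), and reports which servers each side lists that the other does not. The function and variable names are my own. The embedded sample records are the ones quoted in the answer above, so the script runs offline; check_delegation_live is a network-using variant that is defined but not invoked.

```shell
#!/bin/sh
# check_delegation.sh (added example): compare the NS set the parent zone
# publishes for a delegation with the NS set the child zone's own servers
# return. The two sets must be identical; any difference is a lame delegation,
# and resolution then depends on which server a given resolver happens to ask.

# Pull the NS target names out of dig's presentation-format RR lines
# (output of "+noall +auth" at the parent or "+noall +answer" at the child).
# dig +short output (bare names, one per line) passes through unchanged.
extract_ns() {
    awk '{ if (NF >= 5 && $4 == "NS") print $5; else if (NF == 1) print $1 }'
}

# Canonical form: lower-case, no trailing dot, no blank lines, sorted, unique.
normalize_ns() {
    tr '[:upper:]' '[:lower:]' | sed -e 's/\.$//' -e '/^$/d' | sort -u
}

# delegation_status PARENT_RRS CHILD_RRS -> prints "consistent" or "lame"
delegation_status() {
    parent=$(printf '%s\n' "$1" | extract_ns | normalize_ns)
    child=$(printf '%s\n' "$2" | extract_ns | normalize_ns)
    if [ "$parent" = "$child" ]; then
        echo consistent
    else
        echo lame
    fi
}

# ns_only_in SET_A SET_B -> names present in SET_A but absent from SET_B
ns_only_in() {
    a=$(printf '%s\n' "$1" | extract_ns | normalize_ns)
    b=$(printf '%s\n' "$2" | extract_ns | normalize_ns)
    printf '%s\n' "$a" | while IFS= read -r name; do
        [ -n "$name" ] || continue
        printf '%s\n' "$b" | grep -qxF -- "$name" || printf '%s\n' "$name"
    done
}

# Live variant (needs network; defined here but not run): ask one parent
# server for the referral, then ask the first server it named for the
# child's own view of the NS set. Usage:
#   check_delegation_live agenciatributaria.gob.es c.nic.es
check_delegation_live() {
    zone=$1
    parent_server=$2
    # The parent is not authoritative for the child, so the NS records come
    # back as a referral in the AUTHORITY section; hence +auth.
    parent_rrs=$(dig "$zone" NS "@$parent_server" +norecurse +noall +auth)
    first_child=$(printf '%s\n' "$parent_rrs" | extract_ns | normalize_ns | head -n 1)
    # The child's own server answers authoritatively, so the records are in
    # the ANSWER section.
    child_rrs=$(dig "$zone" NS "@$first_child" +norecurse +noall +answer)
    echo "parent-only: $(ns_only_in "$parent_rrs" "$child_rrs" | tr '\n' ' ')"
    echo "child-only:  $(ns_only_in "$child_rrs" "$parent_rrs" | tr '\n' ' ')"
    delegation_status "$parent_rrs" "$child_rrs"
}

# Sample input, copied from the dig output in the answer above: the parent
# side is the referral from c.nic.es, the child side is the +short answer
# from nsjc8hos01.telefonica-data.com.
PARENT_NS='agenciatributaria.gob.es. 1d IN NS ns3chos01.telefonica-data.com.
agenciatributaria.gob.es. 1d IN NS nsjc8hos01.telefonica-data.com.'
CHILD_NS='nsalchos01.telefonica-data.com.
nsjc8hos01.telefonica-data.com.'

echo "parent-only: $(ns_only_in "$PARENT_NS" "$CHILD_NS" | tr '\n' ' ')"
echo "child-only:  $(ns_only_in "$CHILD_NS" "$PARENT_NS" | tr '\n' ' ')"
echo "status: $(delegation_status "$PARENT_NS" "$CHILD_NS")"
```

On the sample data the script reports ns3chos01.telefonica-data.com as parent-only, nsalchos01.telefonica-data.com as child-only and the status as lame. The comparison only tells you the two sets differ; it does not test whether every listed server actually answers authoritatively for the zone, which is the extra check DNSViz performs, so treat a "consistent" result as necessary rather than sufficient.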
Your local resolver is configured to forward DNS queries to 213.186.33.99, a DNS server that OVH provides to its customers. Querying this server directly reveals that it is reporting a failure.

$ host www2.agenciatributaria.gob.es 213.186.33.99
Using domain server:
Name: 213.186.33.99
Address: 213.186.33.99#53
Aliases: 

Host www2.agenciatributaria.gob.es not found: 2(SERVFAIL)

Edit your /etc/resolv.conf to provide another set of nameservers and then try again. Keep in mind that the domain you're looking up still is broken, as described by Patrick Mevzek's answer, and so this is just a workaround.

Michael Hampton