
When I visit anythinghere.mysite.tld I get a DNS error. However, if you observe the behaviour of anythinghere.google.com and anythinghere.example.com you'll see there's no DNS error.

Note: doesnotexist.mysite.tld, random.mysite.tld and so on don't exist; all non-existing subdomains seem to be affected. What could be the reason for getting a DNS error in this situation?

Note 2: I'm using GitHub Pages with CloudFlare.

Update: If I clear my browser cache the DNS error doesn't happen. I see the exact same behaviour at random.lsquo.com as I see at random.google.com. That's good as it's exactly what I want. However, when I then visit lsquo.com again and then re-visit random.lsquo.com I see the DNS error again.

henrywright
  • With DNS problems you really need to tell us the domain names if you want effective advice. – Tim May 10 '17 at 18:58
  • I'm voting to close this question as off-topic because all the critical information is censored. – ceejayoz May 10 '17 at 18:58
  • @Tim the domain name is lsquo.com. random.example.com or random.google.com is exactly the behaviour I'd like to see when I visit random.lsquo.com – henrywright May 10 '17 at 19:22
  • @ceejayoz I've added the critical info (the domain name in question) in my comment above. – henrywright May 10 '17 at 19:26
  • I'm not sure I understand what you are trying to achieve. Neither of anythinghere.google.com or anythinghere.example.com resolve, rather produce DNS errors. – Håkan Lindqvist May 10 '17 at 19:34
  • Without really knowing what the goal actually is, my guess would be that it's about some browser behavior (optional?) which one way or another interacts with the **includeSubDomains** of `strict-transport-security:max-age=15552000; includeSubDomains; preload`, largely based on that you say clearing the cache affects the behavior. – Håkan Lindqvist May 10 '17 at 19:41
  • @HåkanLindqvist I need anythinghere.lsquo.com to behave exactly the same as anythinghere.google.com. For the subdomain at lsquo, I get a DNS error – henrywright May 10 '17 at 19:42
  • As I said, I get a DNS error in both cases. What do you want to happen? – Håkan Lindqvist May 10 '17 at 19:42
  • @HåkanLindqvist I get this for example.google.com http://imgur.com/a/rWLsq and this for example.lsquo.com http://imgur.com/a/XqxcN. I'd like example.lsquo.com to get the same as example.google.com. – henrywright May 10 '17 at 19:48
  • @henrywright What I get is http://imgur.com/Hm0eoJU and http://imgur.com/ddAkxWQ – Håkan Lindqvist May 10 '17 at 19:53
  • @henrywright Looks like your ISP is hijacking NXDOMAIN. Not good. – ceejayoz May 10 '17 at 19:56
  • @ceejayoz why would my ISP do this for example.google.com and not for example.lsquo.com? – henrywright May 10 '17 at 19:59
  • @henrywright The made-up google.com subdomain has never served a security policy that'd cause your browser to ignore the hijacking. Your subdomain has, so your browser refuses to fall for it. – ceejayoz May 10 '17 at 20:00
  • @HåkanLindqvist thanks for the screenshots. So you see identical behaviour for example.google.com and example.lsquo.com? – henrywright May 10 '17 at 20:00
  • @henrywright It does it for both. But your `strict-transport-security` including subdomains ensures that the browser will only do HTTPS under your domain, which their hijack nonsense can't support. – Håkan Lindqvist May 10 '17 at 20:02
  • @ceejayoz apologies for the basic question but can you explain what you mean by security policy? Do you mean HSTS? – henrywright May 10 '17 at 20:03
  • @HåkanLindqvist "It does it for both. But your strict-transport-security including subdomains ensures that the browser will only do HTTPS under your domain, which their hijack nonsense can't support." - Could you explain this some more to help me understand? Perhaps in an answer. I'd appreciate the info :) – henrywright May 10 '17 at 20:12
  • I'm voting to close this question as off-topic because the behavior described in the question is not reproducible. – kasperd May 23 '17 at 20:41

2 Answers


First of all, it's normal to get a DNS error in all the mentioned examples (none of them resolve, neither random.google.com nor random.lsquo.com).

However, looking at your screenshots it's important to note that you do not in fact get a DNS error for random.lsquo.com, you get "Connection timed out".

It appears that your configured DNS server (probably provided by your ISP) does NXDOMAIN hijacking, where they make names that do not resolve, i.e. status NXDOMAIN, resolve to some page that generates revenue for them.

What changes the behavior after visiting your site is that you use HSTS and say that the policy also applies to subdomains.
I.e., includeSubDomains in `Strict-Transport-Security: max-age=15552000; includeSubDomains; preload`

The browser is tricked by the NXDOMAIN hijack in your case as well, but as the servers hosting the NXDOMAIN-hijack site do not do HTTPS (and if they did, they wouldn't have a valid certificate for your domain anyway, so there would be no point even trying), the browser fails to connect.

All in all, your domain fares best out of the mentioned examples thanks to your HSTS policy. Good!

Håkan Lindqvist
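To make the interaction described above concrete, here is an added example (my own code, not from the answer or from any browser) that models the dynamic HSTS store of a browser and the navigation outcome for a name that an NXDOMAIN-hijacking resolver answers anyway. The header value is the one quoted in the answer; the rcode strings and the three outcome labels are assumptions of the model.

```python
import re
from dataclasses import dataclass

# Constructed sample: the header value quoted in the answer above.
HSTS_HEADER = "max-age=15552000; includeSubDomains; preload"

@dataclass
class HstsEntry:
    expires: float            # absolute time after which the entry is stale
    include_subdomains: bool  # True if the header carried includeSubDomains

def parse_hsts(header: str, now: float):
    """Parse a Strict-Transport-Security value; return an HstsEntry or None if invalid."""
    max_age, include = None, False
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name, value = name.strip().lower(), value.strip().strip('"')
        if name == "max-age" and re.fullmatch(r"\d+", value):
            max_age = int(value)
        elif name == "includesubdomains":
            include = True
    return None if max_age is None else HstsEntry(now + max_age, include)

class HstsCache:
    """Minimal model of a browser's dynamic HSTS store (hypothetical, not a real browser)."""
    def __init__(self):
        self.entries = {}

    def learn(self, host: str, header: str, over_https: bool, now: float):
        # RFC 6797: the header is only honoured when received over an error-free TLS connection.
        entry = parse_hsts(header, now) if over_https else None
        if entry is not None:
            self.entries[host.lower()] = entry

    def must_upgrade(self, host: str, now: float) -> bool:
        labels = host.lower().rstrip(".").split(".")
        for i in range(len(labels)):  # the host itself, then each parent domain
            entry = self.entries.get(".".join(labels[i:]))
            if entry and entry.expires > now and (i == 0 or entry.include_subdomains):
                return True
        return False

def navigate(cache: HstsCache, host: str, rcode: str, now: float) -> str:
    """Outcome of browsing to http://host/ given the resolver's rcode for that name."""
    if rcode == "NXDOMAIN":
        return "dns-error"             # honest resolver: the browser shows a DNS error
    if cache.must_upgrade(host, now):
        return "connection-timed-out"  # hijack host receives an HTTPS attempt it cannot serve
    return "hijack-page"               # plain HTTP: the resolver operator's page loads
```

Clearing the cache corresponds to starting from an empty HstsCache, which is why the hijack page reappears until lsquo.com has been visited again; the static preload list a real browser also consults is outside this model.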

In order to achieve this, you should have a Wildcard Record for your domain. Currently you don't have

*.lsquo.com.   IN   A       104.27.176.48
*.lsquo.com.   IN   A       104.27.177.48
*.lsquo.com.   IN   AAAA    2400:cb00:2048:1:0:0:681b:b030
*.lsquo.com.   IN   AAAA    2400:cb00:2048:1:0:0:681b:b130

where the IP addresses match those of your lsquo.com.

What I can't understand is why you got this working once and how you got it working with Google, that doesn't seem to have any wildcard records, either.

What's good is that you have HSTS configured and your certificate has wildcard *.lsquo.com. This means you have everything else in shape for your desired state. In many cases these would become the next problem.

Hopefully your webserver doesn't have a catch-all virtualhost, but uses redirects to a canonical hostname for your site instead.

Esa Jokinen
  • I don't think this is what they are talking about, rather some variation on the "Use a web service to help resolve navigation errors" setting in the browser. – Håkan Lindqvist May 10 '17 at 19:55
  • OP likely didn't get anything "working with Google". Looks like an ISP-injected NXDOMAIN page. – ceejayoz May 10 '17 at 19:56
  • (For one thing, Google does not have any wildcard record, and if they did it wouldn't go to a Yahoo search page like in their screenshot) – Håkan Lindqvist May 10 '17 at 19:56
  • @ceejayoz Yes, that's probably the right interpretation! That fits with how strict-transport-security causes the NXDOMAIN hijack to break – Håkan Lindqvist May 10 '17 at 19:58
  • So the ISP broke how Google should behave and OP's site's HSTS header corrected the ISP's bad decision. Nice. – Esa Jokinen May 10 '17 at 19:58
  • Thanks for the answer. Check out this answer for a good explanation of the issue https://serverfault.com/a/849371/217903 – henrywright May 10 '17 at 20:22
  • Håkan's answer is brilliant! I wasn't aware of the local environment and looked at this merely from outside. However, I'll keep this answer because it - and especially its comments - might be helpful to others. – Esa Jokinen May 10 '17 at 20:42
  • Yes, your answer may be helpful to someone else. Thanks again for trying to help. – henrywright May 10 '17 at 20:43