www.heroesonline.com unresolvable via local unbound instance?

Todd Blake tbblake at gmail.com
Wed May 1 22:14:06 CEST 2019


I've got pi-hole installed locally on my LAN and it forwards it's uncached
requests to a local unbound instance, listening on 127.0.0.1:5353.  I
recently discovered that the FQDN www.heroesonline.com was unresolvable.
After hitting my unbound instance directly, I found it to be the culprit.
As near as I can tell, the hosts listed in it's NS records, simply answer
with an empty reply.  I don't know how better to describe it than "empty"
but I'm hoping the attached debugging I have sheds some light on it.

If I hit the nameservers for the domain directly, I get what appears to be
an empty reply.
If I hit up google dns at 8.8.8.8, I get a valid reply.
If I hit up localhost at 127.0.0.1:5353 I get a timeout, and the unbound
logs appear to show unbound retrying after numerous empty replys from the
NS servers for that domain.


I've:
1) turned up the verbosity on unbound
2) requested a valid domain that works (cnn.com), and copied out the log
3) requested the failing domain, and copied out the log
4) Ran some host and dig commands to emulate to the best of my ability how
this would function.  i.e. hit a root server, hit a .com server, hit the
servers for heroesonline.com.

My best guess is that the DNS servers for the domain, (ns*.kpmedia.org) are
configured to only respond to major ISP DNS servers?  Is that a thing these
days?  I can't imagine what else a complete lack of an answer would dictate.

Thankfully I just hopped on LTE to get to the website to do what I needed
too, I need my local mini-con tickets ;-).  But I'm curious why this would
be this way.  I'm wondering if maybe they're blocking requests from
un-authoritative nameservers or something?

Below you'll see my dig attempts.  I uploaded the listed files to pastebin:

unbound config files:
https://pastebin.com/fRYKKrQB /etc/unbound/unbound.conf
https://pastebin.com/0JMCXeAW /etc/unbound/unbound.conf.d/pi-hole.conf
https://pastebin.com/08gQF4mj
/etc/unbound/unbound.conf.d/qname-minimisation.conf
https://pastebin.com/6eNNhcT8
/etc/unbound/unbound.conf.d/root-auto-trust-anchor-file.conf

# logfile for a working domain (www.cnn.com)
https://pastebin.com/c5auFtfM unbound.log.cnn.com.txt
# logfile for the failing domain (www.heroesonline.com)
https://pastebin.com/FGrDXwEk unbound.log.heroesonline.com.txt

# dig directly against google all looks good

    root at stretch:~# dig www.heroesonline.com @8.8.8.8

    ; <<>> DiG 9.10.3-P4-Debian <<>> www.heroesonline.com @8.8.8.8
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49963
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 512
    ;; QUESTION SECTION:
    ;www.heroesonline.com.          IN      A

    ;; ANSWER SECTION:
    www.heroesonline.com.   7       IN      A       162.213.254.70

    ;; Query time: 19 msec
    ;; SERVER: 8.8.8.8#53(8.8.8.8)
    ;; WHEN: Tue Apr 30 16:57:12 EDT 2019
    ;; MSG SIZE  rcvd: 65

# dig directly against my local unbound instance, times out.  I'm assuming
that unbound does the same as what my next step does ultimately, hits up
nameservers for heroesonline.com to find out the A record for
www.heroesonline.com.  I'd also assumed that since unbound timed out back
to me, that it retries (from what I'm reading in the logs) and eventually
just returns me nothing since it gets empty answers from ns*.kpmedia.org

    root at stretch:~# dig www.heroesonline.com @127.0.0.1 -p 5353

    ; <<>> DiG 9.10.3-P4-Debian <<>> www.heroesonline.com @127.0.0.1 -p 5353
    ;; global options: +cmd
    ;; connection timed out; no servers could be reached


# dig directly against the nameservers for heroesonline.com, gets me an
empty answer if I'm reading it right

    root at stretch:~# host -t NS heroesonline.com 8.8.8.8
    Using domain server:
    Name: 8.8.8.8
    Address: 8.8.8.8#53
    Aliases:

    heroesonline.com name server ns21.kpmedia.org.
    heroesonline.com name server ns19.kpmedia.org.
    heroesonline.com name server ns20.kpmedia.org.
    root at stretch:~# host ns21.kpmedia.org. 8.8.8.8
    Using domain server:
    Name: 8.8.8.8
    Address: 8.8.8.8#53
    Aliases:

    ns21.kpmedia.org has address 37.61.235.107
    root at stretch:~# dig www.heroesonline.com @37.61.235.107

    ; <<>> DiG 9.10.3-P4-Debian <<>> www.heroesonline.com @37.61.235.107
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 8231
    ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
    ;; WARNING: recursion requested but not available

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ;; QUESTION SECTION:
    ;www.heroesonline.com.          IN      A

    ;; Query time: 104 msec
    ;; SERVER: 37.61.235.107#53(37.61.235.107)
    ;; WHEN: Tue Apr 30 16:58:40 EDT 2019
    ;; MSG SIZE  rcvd: 49
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://nlnetlabs.nl/pipermail/unbound-users/attachments/20190501/1ddf0cdb/attachment-0001.html>


More information about the Unbound-users mailing list