DNS not resolving some domains

kehrlein · Mon Jan 01, 2024 11:45 pm

Happy new year everyone!

I'm having trouble resolving some domain names from a Debian machine using the internal MikroTik DNS resolver, see example with domain name php.net below. Other domain names are resolved successfully.
The issue occurs only with large DNS anwers, e.g. while doing an "ANY" request. If requesting for example A or MX for the same domain name, everything is fine.

(192.168.1.1 is the IP of the MikroTik with v7.13)

root@linux-server:/# dig any php.net

; <<>> DiG 9.18.19-1~deb12u1-Debian <<>> any php.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 8617
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;php.net.                       IN      ANY

;; Query time: 10004 msec
;; SERVER: 192.168.1.1#53(192.168.1.1) (TCP)
;; WHEN: Mon Jan 01 22:30:33 CET 2024
;; MSG SIZE  rcvd: 25

If using the Google DNS on the Debian machine, everything is working as expected:

root@linux-server:/# dig any php.net @8.8.8.8

; <<>> DiG 9.18.19-1~deb12u1-Debian <<>> any php.net @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1269
;; flags: qr rd ra; QUERY: 1, ANSWER: 11, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;php.net.                       IN      ANY

;; ANSWER SECTION:
php.net.                300     IN      SOA     ns1.php.net. admin.easydns.com. 1704142862 16384 2048 1048576 2560
php.net.                30      IN      MX      0 php-smtp4-ip4.php.net.
php.net.                300     IN      TXT     "_globalsign-domain-verification=YKIbqgUIt0x2vDkmdYS8TzqfqP6jyVp2fVVyJWyopw"
php.net.                300     IN      TXT     "v=spf1 ip4:140.211.15.143 ip4:45.112.84.5 ip4:142.93.197.176 ip6:2604:a880:400:d0::1c74:1001 ip6:2a02:cb43:8000::1102 ip4:157.90.121.187 ip6:2a01:4f8:1c1e:416d::1 ?all"
php.net.                300     IN      TXT     "google-site-verification=R0anXzbL507wmRx5iv1S-5jN55RYVo2UYIqFP2L_k1g"
php.net.                300     IN      A       185.85.0.29
php.net.                300     IN      AAAA    2a02:cb40:200::1ad
php.net.                300     IN      NS      dns2.easydns.net.
php.net.                300     IN      NS      dns3.easydns.org.
php.net.                300     IN      NS      dns1.easydns.com.
php.net.                300     IN      NS      dns4.easydns.info.

;; Query time: 16 msec
;; SERVER: 8.8.8.8#53(8.8.8.8) (TCP)
;; WHEN: Mon Jan 01 22:30:38 CET 2024
;; MSG SIZE  rcvd: 622

I thought the problem might be related to the pppoe uplink and some MTU stuff. Reducing MTU / MRU to lower values has no positive effect.

Extract from the config (let me know if you'd like to see more):

/ip dns
set allow-remote-requests=yes cache-max-ttl=1d cache-size=4096KiB servers=8.8.8.8

/interface pppoe-client
add add-default-route=yes disabled=no interface=combo1 max-mru=1492 max-mtu=1492 name=Telekom-DSL profile=telekom user=00000123456789@t-online.de

MikroTik log during the failed DNS request:

23:12:40 dns query from 255.255.255.255: #420373 php.net. ALL 
23:12:50 dns done query: #420373 dns server failure

Any ideas would be helpful! Thank you very much!

krzysioD · Mon Jan 01, 2024 11:55 pm

Well,
show firewall - maybe a tcp/53 is cut somewhere? (just a hunch)

capture a pcap - on client side and on MT, both in LAN and - WAN (PPPoE) side

/ip dns cache flush

and what does
/ip dns cache all
say?

Also when:
/ip dns
set allow-remote-requests=yes

Be carefoul - whole internet could use your machine as opendns (use firewall, don't allow queries from internet/wan side)

kehrlein · Tue Jan 02, 2024 12:05 am

Well,
show firewall - maybe a tcp/53 is cut somewhere? (just a hunch)

Port 53 input is accepted for UDP as well as TCP. Firewall filters are fine.

/ip dns cache flush

Did that. Doesn't help.

and what does
/ip dns cache all
say?

No record related to the example domain php.net.

anav · Tue Jan 02, 2024 12:17 am

If your MT device is setup properly, why are you here? Try a debian forum!
If you want help then provide the config and we can decide, based on EVIDENCE not opinion, that there is nothing amiss on your config.

/export file=anynameyouwish ( minus router serial number, public WANIP information, keys, long lists of dhcp leases etc. )

kehrlein · Tue Jan 02, 2024 12:51 am

# 2024-01-01 23:23:18 by RouterOS 7.13
# model = CCR1009-7G-1C-1S+
/interface bridge add arp=proxy-arp name=bridge port-cost-mode=short priority=0x1000
/interface ethernet set [ find default-name=combo1 ] rx-flow-control=auto tx-flow-control=auto
/interface ethernet set [ find default-name=ether1 ] rx-flow-control=auto tx-flow-control=auto
/interface ethernet set [ find default-name=ether2 ] rx-flow-control=auto tx-flow-control=auto
/interface ethernet set [ find default-name=ether3 ] rx-flow-control=auto tx-flow-control=auto
/interface ethernet set [ find default-name=ether4 ] rx-flow-control=auto tx-flow-control=auto
/interface ethernet set [ find default-name=ether5 ] rx-flow-control=auto tx-flow-control=auto
/interface ethernet set [ find default-name=ether6 ] rx-flow-control=auto tx-flow-control=auto
/interface ethernet set [ find default-name=ether7 ] rx-flow-control=auto tx-flow-control=auto
/interface ethernet set [ find default-name=sfp-sfpplus1 ] rx-flow-control=auto tx-flow-control=auto
/interface vlan add interface=combo1 name=combo1-v7 vlan-id=7
/interface list add name=WAN
/interface list add name=LAN
/ppp profile add name=telekom
/interface pppoe-client add add-default-route=yes disabled=no interface=combo1 max-mru=1400 max-mtu=1480 name=Telekom-DSL profile=telekom user=00000123456789@t-online.de
/interface bridge port add bridge=bridge ingress-filtering=no interface=ether1 internal-path-cost=10 path-cost=10
/interface bridge port add bridge=bridge ingress-filtering=no interface=ether2 internal-path-cost=10 path-cost=10
/interface bridge port add bridge=bridge ingress-filtering=no interface=ether3 internal-path-cost=10 path-cost=10
/interface bridge port add bridge=bridge ingress-filtering=no interface=ether4 internal-path-cost=10 path-cost=10
/interface bridge port add bridge=bridge ingress-filtering=no interface=ether7 internal-path-cost=10 path-cost=10
/interface bridge port add bridge=bridge ingress-filtering=no interface=sfp-sfpplus1 internal-path-cost=10 path-cost=10
/ip neighbor discovery-settings set discover-interface-list=!dynamic
/ip settings set max-neighbor-entries=8192
/ipv6 settings set disable-ipv6=yes max-neighbor-entries=8192
/interface list member add interface=combo1 list=WAN
/interface list member add interface=bridge list=LAN
/interface list member add interface=combo1-v7 list=WAN
/interface list member add interface=Telekom-DSL list=WAN
/interface list member add interface=sfp-sfpplus1 list=LAN
/ip address add address=192.168.1.1/24 interface=bridge network=192.168.1.0
/ip dns set allow-remote-requests=yes cache-max-ttl=1d cache-size=4096KiB servers=8.8.8.8
/ip firewall address-list add address=192.168.1.0/24 list=intern
/ip firewall filter add action=accept chain=input comment="accept established,related" connection-state=established,related
/ip firewall filter add action=accept chain=input comment="accept ICMP" protocol=icmp
/ip firewall filter add action=accept chain=input comment="Accept incoming connections to router from intern" connection-state=new src-address-list=intern
/ip firewall filter add action=accept chain=forward comment="accept established,related" connection-state=established,related
/ip firewall filter add action=accept chain=forward comment="Accept forwarding DSTNAT" connection-nat-state=dstnat connection-state=new in-interface-list=WAN
/ip firewall filter add action=accept chain=forward comment="Acceppt internet access from intern" connection-state=new out-interface-list=WAN src-address-list=intern
/ip firewall filter add action=drop chain=forward comment="Drop *"
/ip firewall filter add action=drop chain=input comment="Drop *"
/ip firewall nat add action=masquerade chain=srcnat out-interface-list=WAN
/ip firewall nat add action=dst-nat chain=dstnat comment="HTTP & HTTPS" dst-port=80,443 in-interface-list=WAN log=yes protocol=tcp to-addresses=192.168.1.100
/ip firewall nat add action=dst-nat chain=dstnat comment="VOIP Presence and Provisioning HTTPS" dst-port=5001 in-interface-list=WAN protocol=tcp to-addresses=192.168.1.150 to-ports=5001
/ip firewall nat add action=dst-nat chain=dstnat comment="VOIP SIP UDP" dst-port=5060 in-interface-list=WAN protocol=udp to-addresses=192.168.1.150 to-ports=5060
/ip firewall nat add action=dst-nat chain=dstnat comment="VOIP SIP TCP" dst-port=5060 in-interface-list=WAN protocol=tcp to-addresses=192.168.1.150 to-ports=5060
/ip firewall nat add action=dst-nat chain=dstnat comment="VOIP SIP TLS" dst-port=5061 in-interface-list=WAN protocol=tcp to-addresses=192.168.1.150 to-ports=5061
/ip firewall nat add action=dst-nat chain=dstnat comment="VOIP Media UDP" dst-port=9000-10999 in-interface-list=WAN protocol=udp to-addresses=192.168.1.150 to-ports=9000-10999
/ip firewall nat add action=dst-nat chain=dstnat comment="VOIP Tunnel TCP" dst-port=5090 in-interface-list=WAN protocol=tcp to-addresses=192.168.1.150 to-ports=5090
/ip firewall nat add action=dst-nat chain=dstnat comment="VOIP Tunnel UDP" dst-port=5090 in-interface-list=WAN protocol=udp to-addresses=192.168.1.150 to-ports=5090

anav · Tue Jan 02, 2024 1:21 am

Observations
(1) The vlan7 you assigned to combo1 is all very nice but where is it in your pppoe connection??

/interface pppoe-client add add-default-route=yes disabled=no interface=combo1 max-mru=1400 max-mtu=1480 name=Telekom-DSL profile=telekom user=

If indeed the ISP is providing pppoe over vlan7 then your config should be:
/interface pppoe-client add add-default-route=yes disabled=no interface=combo1-v7 max-mru=1400 max-mtu=1480 name=Telekom-DSL profile=telekom user=

(2) The interface list member should be as follows
/interface list member add interface=combo1 list=WAN --> not needed can be removed
/interface list member add interface=bridge list=LAN
/interface list member add interface=combo1-v7 list=WAN --> probably not needed as the interface name is what is required and that is Telekom-DSL
/interface list member add interface=Telekom-DSL list=WAN
/interface list member add interface=sfp-sfpplus1 list=LAN

(3) Your Input chain rule is disorganized, keep chains together for easy viewing, understanding etc........

(4) You dont need connection-state=new on firewall rules.

(5) Why dont you use fastrack rule in forward chain?

(6) Clearly NOT the complete config...........

Thus cannot comment further.

kehrlein · Tue Jan 02, 2024 8:55 pm

Workaround: Adding a DoH server (e.g. https://dns.google/dns-query) fixed the problem.

I haven't been able to identify the root cause yet. My guess is that MikroTik is sending it's DNS requests to the upstream DNS with DF (don't fragment) and the response packets have to be fragmented due to the amount of DNS records. All tests with different MTU / MRU on the PPPoE client interface failed.

vingjfg · Tue Jan 02, 2024 9:18 pm

If 192.168.1.1 is your Mikrotik, what is this then?

/ip address add address=192.1.1.1/24 interface=bridge network=192.1.1.0
/ip dns set allow-remote-requests=yes cache-max-ttl=1d cache-size=4096KiB servers=8.8.8.8
/ip firewall address-list add address=192.1.1.0/24 list=intern

anav · Tue Jan 02, 2024 9:38 pm

Hard to say as the OP thinks he knows better by not providing the evidence and information to make an accurate diagnosis.

kehrlein · Tue Jan 02, 2024 9:55 pm

Thanks for your help guys!

If 192.168.1.1 is your Mikrotik, what is this then?

My fault! I made a search & replace error when removing the real addresses from the export. I've corrected the IPs in the above post.

VLAN 7 was left over from an old config. Removed it. Thanks for the hint!

vingjfg · Tue Jan 02, 2024 10:34 pm

I hardly think that RFC1918 IP addresses are a security problem. Keep these where they are and remove the public ones, as well as the keys, usernames and hashes, and serial numbers when you post the full config.

What is the problem in the excerpt you posted is that the query is received from 255.255.255.255 - here is one on my mikrotik:

 21:28:39 dns query from 192.168.2.254: #239527 www.whitehouse.gov. A
 21:28:39 dns done query: #239527 www.whitehouse.gov. 192.0.66.168

See? Unicast, not broadcast.

Post the full configuration. Without that, can't help you.

LdB · Wed Jan 03, 2024 7:21 am

You are very brave you have port 53 exposed to the world and you were so proud of it

You clearly didn't read the DNS WIKI did you
https://help.mikrotik.com/docs/display/ROS/DNS

see this they put it in a green box

When DNS server allow-remote-requests are used make sure that you limit access to your server over TCP and UDP protocol port 53 only for known hosts.

You are probably getting DNS attacked by every assphat under the sun and yes your DNS goes flakey.

kehrlein · Sat Jan 06, 2024 1:25 am

You are very brave you have port 53 exposed to the world and you were so proud of it

DNS requests are only accepted from internal network via this rule:
/ip firewall filter add action=accept chain=input comment="Accept incoming connections to router from intern" connection-state=new src-address-list=intern
Requests from WAN are dropped via:
/ip firewall filter add action=drop chain=input comment="Drop *"

What is the problem in the excerpt you posted is that the query is received from 255.255.255.255 - here is one on my mikrotik:
Code: Select all
 21:28:39 dns query from 192.168.2.254: #239527 www.whitehouse.gov. A
 21:28:39 dns done query: #239527 www.whitehouse.gov. 192.0.66.168
See? Unicast, not broadcast.

Please try again with an ANY request. Also in other (working) setups I get the log entry "dns query from 255.255.255.255[" when using dig with ANY.

optio · Sat Jan 06, 2024 3:31 am

You won't get reliable answers with ANY for some domains anyway, see rfc8482

; <<>> DiG 9.10.6 <<>> any whitehouse.gov @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31249
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;whitehouse.gov.			IN	ANY

;; ANSWER SECTION:
whitehouse.gov.		3600	IN	HINFO	"RFC8482" ""
whitehouse.gov.		3600	IN	RRSIG	HINFO 8 2 3600 20240107025553 20240105005553 10104 gov. n84jyIFK6NfnAkx+rmwD73ZCIWzyc/5JNCA4rNrkE3f3ZdlyQTbuHW1n q8G2OZdYXvGRvhJf9kzXMgUvOGGP/JOz8+5/OCgj/Da0tP/IS6MYbZfB 3mLDwL0XS+5F78e1p89C/O/XmKwRdsAaJbLf2RzpMVPtDm5zfCSk/VpX 7qOd0OqW5OuBCJWFyqHyJGihQ3OG/P6xlSIXeDMrbHD88Q==

;; Query time: 284 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Sat Jan 06 02:55:53 CET 2024
;; MSG SIZE  rcvd: 259

In my case is working when I set 8.8.8.8 in ROS DNS as upstream

; <<>> DiG 9.10.6 <<>> any php.net @192.168.100.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9457
;; flags: qr rd ra; QUERY: 1, ANSWER: 11, AUTHORITY: 4, ADDITIONAL: 0

;; QUESTION SECTION:
;php.net.			IN	ANY

;; ANSWER SECTION:
php.net.		300	IN	SOA	ns1.php.net. admin.easydns.com. 1704506462 16384 2048 1048576 2560
php.net.		30	IN	MX	0 php-smtp4-ip4.php.net.
php.net.		300	IN	TXT	"v=spf1 ip4:140.211.15.143 ip4:45.112.84.5 ip4:142.93.197.176 ip6:2604:a880:400:d0::1c74:1001 ip6:2a02:cb43:8000::1102 ip4:157.90.121.187 ip6:2a01:4f8:1c1e:416d::1 ?all"
php.net.		300	IN	TXT	"google-site-verification=R0anXzbL507wmRx5iv1S-5jN55RYVo2UYIqFP2L_k1g"
php.net.		300	IN	TXT	"_globalsign-domain-verification=YKIbqgUIt0x2vDkmdYS8TzqfqP6jyVp2fVVyJWyopw"
php.net.		300	IN	A	185.85.0.29
php.net.		300	IN	AAAA	2a02:cb40:200::1ad
php.net.		300	IN	NS	dns2.easydns.net.
php.net.		300	IN	NS	dns4.easydns.info.
php.net.		300	IN	NS	dns1.easydns.com.
php.net.		300	IN	NS	dns3.easydns.org.

;; AUTHORITY SECTION:
php.net.		300	IN	NS	dns2.easydns.net.
php.net.		300	IN	NS	dns4.easydns.info.
php.net.		300	IN	NS	dns1.easydns.com.
php.net.		300	IN	NS	dns3.easydns.org.

;; Query time: 362 msec
;; SERVER: 192.168.100.1#53(192.168.100.1)
;; WHEN: Sat Jan 06 03:11:44 CET 2024
;; MSG SIZE  rcvd: 686

but I got SERVFAIL when it's set to server which doesn't support ANY like Pi-Hole or Unbound (they return NOTIMP). Even Cloudflare (1.1.1.1) deprecated ANY - https://blog.cloudflare.com/rfc8482-say ... bye-to-any

verbylab · Sat Jan 06, 2024 4:38 am

If your MT device is setup properly, why are you here? Try a debian forum!

If you want help then provide the config and we can decide, based on EVIDENCE not opinion, that there is nothing amiss on your config.

(3) Your Input chain rule is disorganized, keep chains together for easy viewing, understanding etc........

(6) Clearly NOT the complete config...........

Hard to say as the OP thinks he knows better by not providing the evidence and information to make an accurate diagnosis.

You clearly didn't read the DNS WIKI did you

Kinda concerned about the partially negative and judging tone in this community recently. Feeling sorry for the OPs who are faced with this, when being a bit kinder and forthcoming wouldn't cost a thing.

vingjfg · Sun Jan 07, 2024 2:21 pm

Yup, I agree: lots of negativity. On the other hand, the forum is full of messages of people demanding help and of "consultants" asking for help but really having the members of the forum doing their jobs. Nothing more pleasant than seeing a guy whose credentials are obviously "was able to install a TP-link at his house" start installing routers for clients. He inevitably gets into issues and the net results is that that client's trust in network engineers is diminished.

Anyway, regarding the question at hand. I did tests.

With Mikrotik, I suspect the logging has a bug - using ANY queries result in weird source addresses. This may simply be that the ANY request is not handled in code and has a bit of an unpredictable result. I will open a ticket with the support to report the issue.

13:02:41 dns,packet --- got query from 48.70.4.0:58282:
13:02:41 dns,packet id:14a6 rd:1 tc:0 aa:0 qr:0 ra:0 QUERY 'no error' 2
13:02:41 dns,packet question: www.whitehouse.gov.:ALL:IN
13:02:41 dns,packet additional:
13:02:41 dns,packet <.:UNKNOWN (41):0=rawbytes:12>
13:02:41 dns query from 48.70.4.0: #283750 www.whitehouse.gov. ALL
13:02:41 dns,packet --- sending udp query to 172.29.0.1:53:

It was mentioned that ANY queries have been more or less deprecated as there is no real, legitimate use for them[1], and some ISP are not responding to them. Using whitehouse.gov as an example, some servers respond, other don't.

NS				Response
8.8.8.8			Yes
1.1.1.1			No
9.9.9.9			Yes
208.67.222.222	No
193.110.81.9		No

vingjfg · Sun Jan 07, 2024 2:33 pm

Ticket open - SUP-139658

jaclaz · Sun Jan 07, 2024 2:46 pm

Yup, I agree: lots of negativity. On the other hand, the forum is full of messages of people demanding help and of "consultants" asking for help but really having the members of the forum doing their jobs. Nothing more pleasant than seeing a guy whose credentials are obviously "was able to install a TP-link at his house" start installing routers for clients. He inevitably gets into issues and the net results is that that client's trust in network engineers is diminished.

You are forgetting the (I believe more common) case of the guy who "was able to install a TP-link at his house" and wants to replace it with a Mikrotik (without claiming to be a network engineer, nor doing it for clients), he is seemingly not treated much more kindly.

optio · Sun Jan 07, 2024 2:47 pm

Using whitehouse.gov as an example, some servers respond, other don't.

Which server responds answer for that domain and is not masked by RFC 8482? Masked responses are useless (example in my previous post).

vingjfg · Sun Jan 07, 2024 3:17 pm

8.8.8.8 and 9.9.9.9 respond, see below for the full response which is identical between 8.8.8.8 and 9.9.9.9. The other 3 I tried don't respond (1.1.1.1, 208.67.222.222, 193.110.81.9). As you correctly indicated in your earlier message, the error is "NOTIMP."

All of these are public resolvers that anyone can query.

; <<>> DiG 9.18.18-0ubuntu0.22.04.1-Ubuntu <<>> ANY whitehouse.gov @9.9.9.9
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31367
;; flags: qr rd ra; QUERY: 1, ANSWER: 21, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;whitehouse.gov.			IN	ANY

;; ANSWER SECTION:
whitehouse.gov.		300	IN	NSEC3PARAM 1 0 1 D4D891484D1ED95E
whitehouse.gov.		300	IN	RRSIG	NSEC3PARAM 13 2 300 20240109220212 20240106210212 13144 whitehouse.gov. 1RCH7VqTcimGifNVWQJF1Gx1p+DzJPvQApo/YcZwncIdmGSlJGM3l6Bg PUqkbffy7kkTVHrKWQKoyabViA9+xA==
whitehouse.gov.		300	IN	A	192.0.66.168
whitehouse.gov.		300	IN	RRSIG	A 13 2 300 20240109220212 20240106210212 13144 whitehouse.gov. GHb5tiJi6isxCJgTFHd/DtLS4fnm2qIVrs3Xb00HgZgRlGeqeR5w3yGE VaczNKX7pqK/cAWoh+e/Ut1uI+/iyA==
whitehouse.gov.		300	IN	AAAA	2a04:fa87:fffd::c000:42a8
whitehouse.gov.		300	IN	RRSIG	AAAA 13 2 300 20240109220212 20240106210212 13144 whitehouse.gov. DwmiqwcwPa+Io66GIc+IT7tHtWwIAGG4ZN7JG4grwZ7SMTQVAr3AJgaA KnWlU6FzJ/qi96B1KxmxPSvc98d8IA==
whitehouse.gov.		300	IN	SOA	399e-adcs001.ede.pitc.gov. postmaster.whitehouse.gov. 2017022510 300 300 604800 300
whitehouse.gov.		300	IN	RRSIG	SOA 13 2 300 20240109220212 20240106210212 13144 whitehouse.gov. c1LPzqUOILWhu1QjmxUls1icrD41S6W9oOgWA+xz3f7fDMsZG5hVp892 Pql6N6W0GjWWvXKCd6fg1sTU8SOfGw==
whitehouse.gov.		3600	IN	NS	a1-61.akam.net.
whitehouse.gov.		3600	IN	NS	a3-67.akam.net.
whitehouse.gov.		3600	IN	NS	a22-66.akam.net.
whitehouse.gov.		3600	IN	NS	a12-64.akam.net.
whitehouse.gov.		3600	IN	NS	a5-64.akam.net.
whitehouse.gov.		3600	IN	NS	a20-65.akam.net.
whitehouse.gov.		3600	IN	RRSIG	NS 13 2 3600 20240109220212 20240106210212 13144 whitehouse.gov. JhkihbAIGvlJCvVDDw70z2oAfQsadu5QoECA0U6PrJACIc/9zRBEjVml Asl0dVG+jjb+t+67Pz9x/y/5hP8SGA==
whitehouse.gov.		7200	IN	DNSKEY	257 3 13 DxacCrTcl+JVxjXbN7d5xiAbeD15h/CAHAwY7k2dzK2W1B9muSwUW1lm JOi9zQxhMVZ0QWnSgVeKXvmt5g+T1g==
whitehouse.gov.		7200	IN	DNSKEY	256 3 13 wAggPbe1QZV8wu/7Enkt78w2Yl0+zufTk24YBVI3ppR3+Gk5rxNtRBcM 767f6+qQ2s5+TgOVOsfC/5kKOWxTOw==
whitehouse.gov.		7200	IN	DNSKEY	256 3 13 fuhg2P8BMgLfKJyeHNshz7VRplL0xz+IeIc8pXtl72MCauGsfxfdT5s8 AHeTJf31xvFF9pLPjZulJ439p8g+mw==
whitehouse.gov.		7200	IN	RRSIG	DNSKEY 13 2 7200 20240109220212 20240106210212 58791 whitehouse.gov. QOBQwKl0Qo8IP+JQbxi3WE18C/x6iSMY14tDESo9RuonXxZ5TUTFSiRg 2XhG8FjJSE2mqXgTMzW97uTjCMchsQ==
whitehouse.gov.		3600	IN	TXT	"v=spf1 +mx include:spf.mandrillapp.com ip4:214.3.140.16/32 ip4:214.3.140.255/32 ip4:214.3.115.12/32 ip4:214.3.115.10/32 ip4:214.3.115.225/32 ip4:214.3.115.14/32 ip4:214.3.140.22/32 ~all"
whitehouse.gov.		3600	IN	RRSIG	TXT 13 2 3600 20240109220212 20240106210212 13144 whitehouse.gov. sKoLEof0KQMCQjBMg7J7mqfAs1UmaoP8GOWluvzbfskQLhRxXfZjq61r f9S+M6K4k3KInCPP5Szt7Ss06kp/JQ==

;; Query time: 64 msec
;; SERVER: 9.9.9.9#53(9.9.9.9) (TCP)
;; WHEN: Sun Jan 07 14:04:24 CET 2024
;; MSG SIZE  rcvd: 1520

That being said, the point is not so much to find which domains return a complete record set and which don't, but more to see which DNS resolvers return something vs which don't. The point is also to understand why the Mikrotik logs display a source address that is incorrect, in my case the log shows the query coming from "48.70.4.0" where the IP address of my host is 192.168.2.254. This looks like the code path for the ANY query (which has often be flagged as a "special case") may have a bug.

vingjfg · Sun Jan 07, 2024 3:31 pm

Interestingly, there seems to be some variance between the replies from 9.9.9.9

 <<>> DiG 9.18.18-0ubuntu0.22.04.1-Ubuntu <<>> ANY whitehouse.gov @9.9.9.9
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19722
;; flags: qr rd ra; QUERY: 1, ANSWER: 7, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;whitehouse.gov.			IN	ANY

;; ANSWER SECTION:
whitehouse.gov.		2013	IN	NS	a20-65.akam.net.
whitehouse.gov.		2013	IN	NS	a12-64.akam.net.
whitehouse.gov.		2013	IN	NS	a5-64.akam.net.
whitehouse.gov.		2013	IN	NS	a3-67.akam.net.
whitehouse.gov.		2013	IN	NS	a22-66.akam.net.
whitehouse.gov.		2013	IN	NS	a1-61.akam.net.
whitehouse.gov.		2013	IN	RRSIG	NS 13 2 3600 20240109220212 20240106210212 13144 whitehouse.gov. JhkihbAIGvlJCvVDDw70z2oAfQsadu5QoECA0U6PrJACIc/9zRBEjVml Asl0dVG+jjb+t+67Pz9x/y/5hP8SGA==

;; Query time: 8 msec
;; SERVER: 9.9.9.9#53(9.9.9.9) (TCP)
;; WHEN: Sun Jan 07 14:30:51 CET 2024
;; MSG SIZE  rcvd: 284

to compare with

; <<>> DiG 9.18.18-0ubuntu0.22.04.1-Ubuntu <<>> ANY whitehouse.gov @9.9.9.9
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31367
;; flags: qr rd ra; QUERY: 1, ANSWER: 21, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;whitehouse.gov.			IN	ANY

;; ANSWER SECTION:
whitehouse.gov.		300	IN	NSEC3PARAM 1 0 1 D4D891484D1ED95E
whitehouse.gov.		300	IN	RRSIG	NSEC3PARAM 13 2 300 20240109220212 20240106210212 13144 whitehouse.gov. 1RCH7VqTcimGifNVWQJF1Gx1p+DzJPvQApo/YcZwncIdmGSlJGM3l6Bg PUqkbffy7kkTVHrKWQKoyabViA9+xA==
whitehouse.gov.		300	IN	A	192.0.66.168
whitehouse.gov.		300	IN	RRSIG	A 13 2 300 20240109220212 20240106210212 13144 whitehouse.gov. GHb5tiJi6isxCJgTFHd/DtLS4fnm2qIVrs3Xb00HgZgRlGeqeR5w3yGE VaczNKX7pqK/cAWoh+e/Ut1uI+/iyA==
whitehouse.gov.		300	IN	AAAA	2a04:fa87:fffd::c000:42a8
whitehouse.gov.		300	IN	RRSIG	AAAA 13 2 300 20240109220212 20240106210212 13144 whitehouse.gov. DwmiqwcwPa+Io66GIc+IT7tHtWwIAGG4ZN7JG4grwZ7SMTQVAr3AJgaA KnWlU6FzJ/qi96B1KxmxPSvc98d8IA==
whitehouse.gov.		300	IN	SOA	399e-adcs001.ede.pitc.gov. postmaster.whitehouse.gov. 2017022510 300 300 604800 300
whitehouse.gov.		300	IN	RRSIG	SOA 13 2 300 20240109220212 20240106210212 13144 whitehouse.gov. c1LPzqUOILWhu1QjmxUls1icrD41S6W9oOgWA+xz3f7fDMsZG5hVp892 Pql6N6W0GjWWvXKCd6fg1sTU8SOfGw==
whitehouse.gov.		3600	IN	NS	a1-61.akam.net.
whitehouse.gov.		3600	IN	NS	a3-67.akam.net.
whitehouse.gov.		3600	IN	NS	a22-66.akam.net.
whitehouse.gov.		3600	IN	NS	a12-64.akam.net.
whitehouse.gov.		3600	IN	NS	a5-64.akam.net.
whitehouse.gov.		3600	IN	NS	a20-65.akam.net.
whitehouse.gov.		3600	IN	RRSIG	NS 13 2 3600 20240109220212 20240106210212 13144 whitehouse.gov. JhkihbAIGvlJCvVDDw70z2oAfQsadu5QoECA0U6PrJACIc/9zRBEjVml Asl0dVG+jjb+t+67Pz9x/y/5hP8SGA==
whitehouse.gov.		7200	IN	DNSKEY	257 3 13 DxacCrTcl+JVxjXbN7d5xiAbeD15h/CAHAwY7k2dzK2W1B9muSwUW1lm JOi9zQxhMVZ0QWnSgVeKXvmt5g+T1g==
whitehouse.gov.		7200	IN	DNSKEY	256 3 13 wAggPbe1QZV8wu/7Enkt78w2Yl0+zufTk24YBVI3ppR3+Gk5rxNtRBcM 767f6+qQ2s5+TgOVOsfC/5kKOWxTOw==
whitehouse.gov.		7200	IN	DNSKEY	256 3 13 fuhg2P8BMgLfKJyeHNshz7VRplL0xz+IeIc8pXtl72MCauGsfxfdT5s8 AHeTJf31xvFF9pLPjZulJ439p8g+mw==
whitehouse.gov.		7200	IN	RRSIG	DNSKEY 13 2 7200 20240109220212 20240106210212 58791 whitehouse.gov. QOBQwKl0Qo8IP+JQbxi3WE18C/x6iSMY14tDESo9RuonXxZ5TUTFSiRg 2XhG8FjJSE2mqXgTMzW97uTjCMchsQ==
whitehouse.gov.		3600	IN	TXT	"v=spf1 +mx include:spf.mandrillapp.com ip4:214.3.140.16/32 ip4:214.3.140.255/32 ip4:214.3.115.12/32 ip4:214.3.115.10/32 ip4:214.3.115.225/32 ip4:214.3.115.14/32 ip4:214.3.140.22/32 ~all"
whitehouse.gov.		3600	IN	RRSIG	TXT 13 2 3600 20240109220212 20240106210212 13144 whitehouse.gov. sKoLEof0KQMCQjBMg7J7mqfAs1UmaoP8GOWluvzbfskQLhRxXfZjq61r f9S+M6K4k3KInCPP5Szt7Ss06kp/JQ==

;; Query time: 64 msec
;; SERVER: 9.9.9.9#53(9.9.9.9) (TCP)
;; WHEN: Sun Jan 07 14:04:24 CET 2024
;; MSG SIZE  rcvd: 1520

optio · Sun Jan 07, 2024 3:37 pm

You can see from my post on 8.8.8.8 it was masked, it seems it is not reliable, depends maybe from which authoritative DNS is requested. Currently also for me is responding with full answer.

Edit: Performed 10 queries and 1 was masked again.

apestalménos1 · Sun Jan 07, 2024 3:58 pm

[/quote]
Kinda concerned about the partially negative and judging tone in this community recently. Feeling sorry for the OPs who are faced with this, when being a bit kinder and forthcoming wouldn't cost a thing.
[/quote]

Some people have issues. It's best to ignore them.

woobilicious · Mon Mar 25, 2024 5:25 am

I get issues with resolving domains, DNSKEY returns SERVFAIL too, definitely something weird going on.
note the router is pointed to 8.8.8.8, so it should give identical responses but instead just downgrades the request on second attempt.

The response can easily fit in to a single udp packet, so not related to TCP/packet sizes issues as others have suggested.

~ via 🐍
❯ dig -t DNSKEY docs.gtk.org @192.168.88.1

; <<>> DiG 9.18.21 <<>> -t DNSKEY docs.gtk.org @192.168.88.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 27036
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;docs.gtk.org.                  IN      DNSKEY

;; Query time: 1004 msec
;; SERVER: 192.168.88.1#53(192.168.88.1) (UDP)
;; WHEN: Mon Mar 25 15:42:01 NZDT 2024
;; MSG SIZE  rcvd: 30

~ via 🐍
❯ dig -t DNSKEY docs.gtk.org @8.8.8.8

; <<>> DiG 9.18.21 <<>> -t DNSKEY docs.gtk.org @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50382
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;docs.gtk.org.                  IN      DNSKEY

;; ANSWER SECTION:
docs.gtk.org.           600     IN      CNAME   ocp-ingress.fastly.gnome.org.

;; AUTHORITY SECTION:
gnome.org.              900     IN      SOA     ns-master.gnome.org. hostmaster.gnome.org. 1710776484 600 900 86400 3600

;; Query time: 1003 msec
;; SERVER: 8.8.8.8#53(8.8.8.8) (UDP)
;; WHEN: Mon Mar 25 15:54:49 NZDT 2024
;; MSG SIZE  rcvd: 137

DNS not resolving some domains

DNS not resolving some domains

Re: DNS not resolving some domains

Re: DNS not resolving some domains

Re: DNS not resolving some domains

Re: DNS not resolving some domains

Re: DNS not resolving some domains

Re: DNS not resolving some domains

Re: DNS not resolving some domains

Re: DNS not resolving some domains

Re: DNS not resolving some domains

Re: DNS not resolving some domains

Re: DNS not resolving some domains

Re: DNS not resolving some domains

Re: DNS not resolving some domains

Re: DNS not resolving some domains

Re: DNS not resolving some domains

Re: DNS not resolving some domains

Re: DNS not resolving some domains

Re: DNS not resolving some domains

Re: DNS not resolving some domains

Re: DNS not resolving some domains

Re: DNS not resolving some domains

Re: DNS not resolving some domains

Re: DNS not resolving some domains