Google Public DNS fails to resolve hollow.how
Looks like hollow.how no longer works. Not sure if temporary or not.
It was probably a temporary thing. Works for me -> https://hollow.how/
I believe you can close this issue now @arjantop
Hmm, actually using Google's DNS 8.8.8.8 it does not work; if I switch to Cloudflare's 1.1.1.1 I get the website.
dig hollow.how @1.1.1.1
; <<>> DiG 9.12.1 <<>> hollow.how @1.1.1.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34459
;; flags: qr rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1536
;; QUESTION SECTION:
;hollow.how. IN A
;; ANSWER SECTION:
hollow.how. 1799 IN CNAME netflix.github.io.
netflix.github.io. 3600 IN CNAME sni.github.map.fastly.net.
sni.github.map.fastly.net. 1000 IN A 185.199.108.153
sni.github.map.fastly.net. 1000 IN A 185.199.109.153
sni.github.map.fastly.net. 1000 IN A 185.199.110.153
sni.github.map.fastly.net. 1000 IN A 185.199.111.153
;; Query time: 122 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; WHEN: Mon May 21 11:06:20 CEST 2018
;; MSG SIZE rcvd: 173
dig hollow.how @8.8.8.8
; <<>> DiG 9.12.1 <<>> hollow.how @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 60627
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;hollow.how. IN A
;; Query time: 78 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Mon May 21 11:06:25 CEST 2018
;; MSG SIZE rcvd: 39
This issue is specific to Google Public DNS and DNSSEC. They appear to be validating all domains against DNSSEC. We believe this to be a bug and have filed a ticket with Google. Specifying dig ... +cd disables the DNSSEC checks and then hollow.how resolves.
dig @8.8.8.8 hollow.how. +cd
; <<>> DiG 9.10.6 <<>> @8.8.8.8 hollow.how. +cd
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58175
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;hollow.how. IN A
;; ANSWER SECTION:
hollow.how. 1798 IN CNAME netflix.github.io.
netflix.github.io. 3599 IN CNAME sni.github.map.fastly.net.
sni.github.map.fastly.net. 3599 IN A 185.199.108.153
sni.github.map.fastly.net. 3599 IN A 185.199.109.153
sni.github.map.fastly.net. 3599 IN A 185.199.110.153
sni.github.map.fastly.net. 3599 IN A 185.199.111.153
;; Query time: 83 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Tue May 29 11:41:10 PDT 2018
;; MSG SIZE rcvd: 173
dig @8.8.8.8 hollow.how.
; <<>> DiG 9.10.6 <<>> @8.8.8.8 hollow.how.
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 60078
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;hollow.how. IN A
;; Query time: 91 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Fri Jun 01 12:17:01 PDT 2018
;; MSG SIZE rcvd: 39
I couldn't find any information about Google Public DNS switching to require DNSSEC always, though maybe they silently rolled that out or I missed the info. Also, we use a CNAME for an apex domain which is non-standard but (to date) supported. Nevertheless, this might be tripping an edge condition in Google Public DNS.
Some temporary workarounds:
- temporarily remove Google Public DNS from your resolvers
- add Level 3 and/or OpenDNS resolvers to your DNS config. Both are resolving successfully
Google responded to our ticket with WONTFIX:
Status: Won't Fix (Intended Behavior)
The resolution for hollow.how is failing because there is a CNAME at the apex of hollow.how along with other record types. See details at http://dnsviz.net/d/hollow.how/dnssec/. CNAME at apex is disallowed by RFC 2181 section 10.1 (https://tools.ietf.org/html/rfc2181#section-10) though it has been implemented by some authoritative and recursive resolvers.
We'll need to stop using the apex CNAME.
An easy fix would be to use the apex A records instead of the CNAME:
hollow.how. 3600 IN A 185.199.108.153
hollow.how. 3600 IN A 185.199.109.153
hollow.how. 3600 IN A 185.199.110.153
hollow.how. 3600 IN A 185.199.111.153
More info at https://help.github.com/en/github/working-with-github-pages/managing-a-custom-domain-for-your-github-pages-site#configuring-an-apex-domain
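An added example, not part of the original thread: a small pre-publish zone check for the condition Google cited, a CNAME sharing an owner name with other record types (RFC 2181 section 10.1), which validating resolvers may answer with SERVFAIL. The sample zones are constructed; the SOA/NS values and the `www` record are placeholders, and the function names are hypothetical.

```python
from collections import defaultdict

# Record types DNSSEC permits next to a CNAME (RFC 4035 section 2.5).
ALLOWED_WITH_CNAME = {"CNAME", "RRSIG", "NSEC", "KEY"}
CLASSES = {"IN", "CH", "HS"}

def parse_records(zone_text):
    """Parse 'name [ttl] [class] type rdata' lines into (name, type, rdata)."""
    records = []
    for line in zone_text.splitlines():
        line = line.split(";", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        name, rest = fields[0].lower(), fields[1:]
        # TTL and class are optional and may appear in either order.
        while rest and (rest[0].isdigit() or rest[0].upper() in CLASSES):
            rest = rest[1:]
        if len(rest) < 2:
            raise ValueError(f"cannot parse record: {line!r}")
        records.append((name, rest[0].upper(), " ".join(rest[1:])))
    return records

def cname_conflicts(records):
    """Return {owner: [types]} for every name holding a CNAME plus other data."""
    types_by_name = defaultdict(set)
    for name, rtype, _ in records:
        types_by_name[name].add(rtype)
    return {
        name: sorted(types - ALLOWED_WITH_CNAME)
        for name, types in types_by_name.items()
        if "CNAME" in types and types - ALLOWED_WITH_CNAME
    }

# Constructed sample zones; SOA/NS values are placeholders, not the real ones.
BROKEN_ZONE = """\
hollow.how. 3600 IN SOA ns1.example.net. hostmaster.example.net. 1 7200 900 1209600 300
hollow.how. 3600 IN NS ns1.example.net.
hollow.how. 1799 IN CNAME netflix.github.io.
"""
FIXED_ZONE = """\
hollow.how. 3600 IN SOA ns1.example.net. hostmaster.example.net. 1 7200 900 1209600 300
hollow.how. 3600 IN NS ns1.example.net.
hollow.how. 3600 IN A 185.199.108.153
hollow.how. 3600 IN A 185.199.109.153
www.hollow.how. 3600 IN CNAME netflix.github.io.
"""

if __name__ == "__main__":
    for label, zone in (("broken", BROKEN_ZONE), ("fixed", FIXED_ZONE)):
        print(label, cname_conflicts(parse_records(zone)) or "no CNAME conflicts")
```

Because a zone apex always carries SOA and NS records, any CNAME placed there is flagged; a CNAME on a subdomain such as `www` is not.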