I had purchased the domain "webcafe.tech" from Hostinger and added A record to GCP VM for Wordpress hosting. Earlier it was working fine. I added cloudflare for better security. At that time the site was working properly. But after few days I started getting error : "webcafe.tech’s server IP address could not be found.". I checked with support team. They updated that DNS propogation was stuck so they have reset it. I waited for 48hrs but for my location it is still not working.
I checked in intoDNS.com and found that it have propagated properly to all regions. But still from my location it is not working, so I tried different location, like mobile or public wifi. But no luck.
Then I tried tor and it is working properly there. Even support person told it is working fine from his location.
I tried using dig, here is the output:
C:\Program Files\ISC BIND 9\bin>dig webcafe.tech +short
C:\Program Files\ISC BIND 9\bin>dig webcafe.tech
; <<>> DiG 9.17.10 <<>> webcafe.tech
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 26865
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;webcafe.tech. IN A
;; Query time: 2032 msec
;; SERVER: 192.168.1.1#53(192.168.1.1) (UDP)
;; WHEN: Thu Mar 04 02:37:18 India Standard Time 2021
;; MSG SIZE rcvd: 41
C:\Program Files\ISC BIND 9\bin>dig webcafe.tech +trace
; <<>> DiG 9.17.10 <<>> webcafe.tech +trace
;; global options: +cmd
. 480854 IN NS k.root-servers.net.
. 480854 IN NS l.root-servers.net.
. 480854 IN NS m.root-servers.net.
. 480854 IN NS a.root-servers.net.
. 480854 IN NS b.root-servers.net.
. 480854 IN NS c.root-servers.net.
. 480854 IN NS d.root-servers.net.
. 480854 IN NS e.root-servers.net.
. 480854 IN NS f.root-servers.net.
. 480854 IN NS g.root-servers.net.
. 480854 IN NS h.root-servers.net.
. 480854 IN NS i.root-servers.net.
. 480854 IN NS j.root-servers.net.
. 480854 IN RRSIG NS 8 0 518400 20210315210000 20210302200000 42351 . ads06V0AhKOpuJ6zWLp1gY6wKDCULWzG04I0GBEH6sPJPedI77SVsJ83 bAvoPk4xTDOfNOP/Zjxc8aO2uThv+32YD7ceHvmxUg5BFOWTComjLfXI CXfPETCn0tMSS82QSPPXyBMsv2XLYas21RbReUYjtZoPTk2olimEDJ5q Bxyk7sBDQfsoIJ6F/F0L5BYpAhXJw4EV7/BJaOzzc+fPLLlQK4I5W1j1 12HWtqhg+H1ZVbv2SH2mm2eVVUAJg6sFC/cfiAR9HVWwCf4D4yFgm6+8 Uq+087Mvj4dhLS5tCieniBIwAXVBpF1bUVunSgmfoJ2oBEIvYl9usqWa 4zHe6g==
;; Received 525 bytes from 192.168.1.1#53(192.168.1.1) in 45 ms
tech. 172800 IN NS b.nic.tech.
tech. 172800 IN NS e.nic.tech.
tech. 172800 IN NS f.nic.tech.
tech. 172800 IN NS a.nic.tech.
tech. 86400 IN DS 50095 8 1 82F72F2462DEE25B99DA2470535AD0A7D131F1EB
tech. 86400 IN DS 50095 8 2 83F40D01141484D8F07305E5D2E44AC5663149054C598D6E9D993C66 1686C6EE
tech. 86400 IN RRSIG DS 8 1 86400 20210316170000 20210303160000 42351 . cAsLi5OXC4/bT/N/x5nu9LWQJIXnSbFkpA8/8V7FxWOYEuNYfJYjVO1Z P8BWT7IB3BKlMaAmGZxQEuQi6Q7plP1n68p+8sDDFdHDzqiy0T7KyZm4 6UScDk3fT3pmGS3nxRl61X67uEaWNy4fmukgkX62xsAdX2Yiq5YubsUq UEQDUpcKBQegnlgr4Hmpm+jhilHLe0mjfhkMXgQaT6mY9HnV8ZUrc1mY Ad9zm/tvj9gBUuEQQqJPTocrftSB3NL9UAJZVf8Ui8oxYdTXR7U0OLzM qfcyaJeSfNMR359kruWgnlcVmXoU+9SFExgCFnv5ahkQrLjAePZ8cVgV PVy+Ow==
;; Received 688 bytes from 192.36.148.17#53(i.root-servers.net) in 196 ms
webcafe.tech. 3600 IN NS ns1.dns-parking.com.
webcafe.tech. 3600 IN NS ns2.dns-parking.com.
webcafe.tech. 3600 IN DS 2371 8 2 55F22368BD05B6405E96C3E14D7A4FB138CCBB970D3FB44AEB911BD6 C7EC3104
webcafe.tech. 3600 IN RRSIG DS 8 2 3600 20210319200140 20210217140833 21876 tech. eDzK56jI7vgFFD3D+kFyMgcBMDemav4/m47KqAQKj48TkMP6QEYdbIV5 3RzfQ/F6yWmuJ6azb1EyPWjLF4gOOymDjBaaq40jewfL+3HQgSmrs8YM 6G8FSE+IwWpewOj653uevU/gCTIacVp38BFgPNUMPT1RRXaqQjIyRZ/d b7A=
;; Received 304 bytes from 212.18.248.60#53(e.nic.tech) in 179 ms
webcafe.tech. 14400 IN A 35.239.116.255
;; Received 57 bytes from 162.159.24.201#53(ns1.dns-parking.com) in 71 ms
Dig trace is showing result but dig short and nslookup is not working.
Can anyone help me out, how to fix this issue?
Edit:
Added GCP server DNS zone and updated Name servers, but still not working. Here are my records:
GCP DNS Zone Record
Hostinger DNS record
c:\Program Files\ISC BIND 9\bin>dig webcafe.tech
; <<>> DiG 9.17.10 <<>> webcafe.tech
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 17639
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;webcafe.tech. IN A
;; Query time: 1512 msec
;; SERVER: 192.168.1.1#53(192.168.1.1) (UDP)
;; WHEN: Thu Mar 04 15:30:12 India Standard Time 2021
;; MSG SIZE rcvd: 41
c:\Program Files\ISC BIND 9\bin>dig webcafe.tech +short
c:\Program Files\ISC BIND 9\bin>dig webcafe.tech +trace
; <<>> DiG 9.17.10 <<>> webcafe.tech +trace
;; global options: +cmd
. 422973 IN NS c.root-servers.net.
. 422973 IN NS d.root-servers.net.
. 422973 IN NS e.root-servers.net.
. 422973 IN NS f.root-servers.net.
. 422973 IN NS g.root-servers.net.
. 422973 IN NS h.root-servers.net.
. 422973 IN NS i.root-servers.net.
. 422973 IN NS j.root-servers.net.
. 422973 IN NS k.root-servers.net.
. 422973 IN NS l.root-servers.net.
. 422973 IN NS m.root-servers.net.
. 422973 IN NS a.root-servers.net.
. 422973 IN NS b.root-servers.net.
. 422973 IN RRSIG NS 8 0 518400 20210315210000 20210302200000 42351 . ads06V0AhKOpuJ6zWLp1gY6wKDCULWzG04I0GBEH6sPJPedI77SVsJ83 bAvoPk4xTDOfNOP/Zjxc8aO2uThv+32YD7ceHvmxUg5BFOWTComjLfXI CXfPETCn0tMSS82QSPPXyBMsv2XLYas21RbReUYjtZoPTk2olimEDJ5q Bxyk7sBDQfsoIJ6F/F0L5BYpAhXJw4EV7/BJaOzzc+fPLLlQK4I5W1j1 12HWtqhg+H1ZVbv2SH2mm2eVVUAJg6sFC/cfiAR9HVWwCf4D4yFgm6+8 Uq+087Mvj4dhLS5tCieniBIwAXVBpF1bUVunSgmfoJ2oBEIvYl9usqWa 4zHe6g==
;; Received 525 bytes from 192.168.1.1#53(192.168.1.1) in 85 ms
tech. 172800 IN NS a.nic.tech.
tech. 172800 IN NS b.nic.tech.
tech. 172800 IN NS e.nic.tech.
tech. 172800 IN NS f.nic.tech.
tech. 86400 IN DS 50095 8 1 82F72F2462DEE25B99DA2470535AD0A7D131F1EB
tech. 86400 IN DS 50095 8 2 83F40D01141484D8F07305E5D2E44AC5663149054C598D6E9D993C66 1686C6EE
tech. 86400 IN RRSIG DS 8 1 86400 20210317050000 20210304040000 42351 . Z8gH+XbVqLv6fagaF75qhHai+D+XVRfWkFECeZ2MS+SMBq47f91Fr/Ez +6wqNUozI4m2GbOpZ/uPhChz6ekikdlXIGTEQnq2aMVUsnY90xXSd4Vr j8fYHqnEpTDn1Z8GxZeBUneDDcygn7EIks2uaXfvHYsh4zhrucpAPUZW +JGLGtnKegTGCwmHpEle9Ho5RaXqJOMO1CO6Rj+5cWoHHMUjn3MLMwtR LiEL83l5mAqcj3Rwb7utj7SfXWTf5NbioLHONkkTv9cKvHDgDDPcmHHc CimyHoYbnL4/lsTw6pnZekWNntXWuGrK7GOW1WpOQysz9onIdqVdT+o7 8LMu7w==
;; Received 656 bytes from 198.97.190.53#53(h.root-servers.net) in 216 ms
webcafe.tech. 3600 IN NS ns-cloud-c1.googledomains.com.
webcafe.tech. 3600 IN NS ns-cloud-c2.googledomains.com.
webcafe.tech. 3600 IN NS ns-cloud-c3.googledomains.com.
webcafe.tech. 3600 IN NS ns-cloud-c4.googledomains.com.
webcafe.tech. 3600 IN DS 2371 8 2 55F22368BD05B6405E96C3E14D7A4FB138CCBB970D3FB44AEB911BD6 C7EC3104
webcafe.tech. 3600 IN RRSIG DS 8 2 3600 20210319200140 20210217140833 21876 tech. eDzK56jI7vgFFD3D+kFyMgcBMDemav4/m47KqAQKj48TkMP6QEYdbIV5 3RzfQ/F6yWmuJ6azb1EyPWjLF4gOOymDjBaaq40jewfL+3HQgSmrs8YM 6G8FSE+IwWpewOj653uevU/gCTIacVp38BFgPNUMPT1RRXaqQjIyRZ/d b7A=
;; Received 374 bytes from 194.169.218.60#53(a.nic.tech) in 181 ms
webcafe.tech. 300 IN A 35.239.116.255
;; Received 57 bytes from 216.239.38.108#53(ns-cloud-c4.googledomains.com) in 103 ms
Currently for webcafe.tech resolves only with nameservers ns-cloud-c[1-3].googledomains.com and ns[1-2].dns-parking.com. Al other servers that I tried return SERVFAIL what means that the server isn't able to answer properly for some reason.
Let's take a look at SOA record
>host -t soa webcafe.tech NS-CLOUD-C2.GOOGLEDOMAINS.COM
Using domain server:
Name: NS-CLOUD-C2.GOOGLEDOMAINS.COM
Address: 216.239.34.108#53
Aliases:
webcafe.tech has SOA record ns-cloud-c1.googledomains.com. cloud-dns-hostmaster.google.com. 1 21600 3600 259200 300
> host -t soa webcafe.tech ns1.dns-parking.com
Using domain server:
Name: ns1.dns-parking.com
Address: 162.159.24.201#53
Aliases:
webcafe.tech has SOA record ns1.dns-parking.com. dns.hostinger.com. 2021030401 10000 2400 604800 3600
dns-parking.com still consider their servers as masters for your domain.
Also serial field in google servers is 21600 and for dns-parking.com it is 2021030401.
I'd recommend to change serial in googledomains.com to some number bigger than 2021030401. If problem persists, contact hostinger support.
Related
I'm facing with this strange DNS issue on one of the CentOS boxes, in which the authoritative NS returns outdated records, which results in failure in the resolution.
The domain I'm trying to resolve is chengyu.ga.
Let's call the problematic CentOS box A and a normal CentOS box B.
Here is the dig trace when running on B, which returns correct answers:
$ dig chengyu.ga +trace +additional
; <<>> DiG 9.11.4-P2-RedHat-9.11.4-9.P2.el7 <<>> chengyu.ga +trace +additional
;; global options: +cmd
. 518400 IN NS F.ROOT-SERVERS.NET.
. 518400 IN NS G.ROOT-SERVERS.NET.
. 518400 IN NS H.ROOT-SERVERS.NET.
. 518400 IN NS I.ROOT-SERVERS.NET.
. 518400 IN NS J.ROOT-SERVERS.NET.
. 518400 IN NS K.ROOT-SERVERS.NET.
. 518400 IN NS L.ROOT-SERVERS.NET.
. 518400 IN NS M.ROOT-SERVERS.NET.
. 518400 IN NS A.ROOT-SERVERS.NET.
. 518400 IN NS B.ROOT-SERVERS.NET.
. 518400 IN NS C.ROOT-SERVERS.NET.
. 518400 IN NS D.ROOT-SERVERS.NET.
. 518400 IN NS E.ROOT-SERVERS.NET.
;; Received 239 bytes from 172.31.0.2#53(172.31.0.2) in 0 ms
ga. 172800 IN NS a.ns.ga.
ga. 172800 IN NS b.ns.ga.
ga. 172800 IN NS c.ns.ga.
ga. 172800 IN NS d.ns.ga.
ga. 86400 IN NSEC gal. NS RRSIG NSEC
ga. 86400 IN RRSIG NSEC 8 1 86400 20200327050000 20200314040000 33853 . AUOV4PSeXQZ+PpcrnlNQIxmP1vnMcTe77+bQop06CAx1Q4oPMm+ujQY3 AMnp+ex8onrv
1VpJgaENd4gyf6bgOkYCNcy2hY/DpXyQ1UY/TLBZigkO Q+xtDwVcXnw/BvP+KpDeEj0KcMSh8qqRRkhVH77KPOEVgmQzyuUZ12GH sc9mmcwxT/Ugl+qG60ib7C3jFi8VYGsMNUk+p2RfDw5MPRPfFGZxEyNH XdmW7ABYm62
QdI1oAVPND9UjVkV/aw59Yq55cwrFqcQt+2aM10yrssII nx0o5NX3zqhMt2gkwOnZrGBgIxD1QdJXMZtT7aPk3UgaAvFnOgOpg81Y HtdTFg==
a.ns.ga. 172800 IN A 185.21.168.49
a.ns.ga. 172800 IN AAAA 2a04:1b00:c::1
b.ns.ga. 172800 IN A 185.21.169.49
b.ns.ga. 172800 IN AAAA 2a04:1b00:d::1
c.ns.ga. 172800 IN A 185.21.170.49
c.ns.ga. 172800 IN AAAA 2a04:1b00:e::1
d.ns.ga. 172800 IN A 185.21.171.49
d.ns.ga. 172800 IN AAAA 2a04:1b00:f::1
;; Received 594 bytes from 192.5.5.241#53(F.ROOT-SERVERS.NET) in 3 ms
chengyu.ga. 300 IN NS ns-1096.awsdns-09.org.
chengyu.ga. 300 IN NS ns-58.awsdns-07.com.
chengyu.ga. 300 IN NS ns-720.awsdns-26.net.
chengyu.ga. 300 IN NS ns-1829.awsdns-36.co.uk.
;; Received 178 bytes from 185.21.171.49#53(d.ns.ga) in 186 ms
chengyu.ga. 60 IN A 3.112.158.242
chengyu.ga. 60 IN A 52.196.4.107
chengyu.ga. 60 IN A 13.114.167.91
chengyu.ga. 172800 IN NS ns-1096.awsdns-09.org.
chengyu.ga. 172800 IN NS ns-1829.awsdns-36.co.uk.
chengyu.ga. 172800 IN NS ns-58.awsdns-07.com.
chengyu.ga. 172800 IN NS ns-720.awsdns-26.net.
;; Received 226 bytes from 205.251.199.37#53(ns-1829.awsdns-36.co.uk) in 3 ms
And results from A:
$ dig chengyu.ga +trace +additional
; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el8 <<>> chengyu.ga +trace +additional
;; global options: +cmd
. 259199 IN NS a.root-servers.net.
. 259199 IN NS b.root-servers.net.
. 259199 IN NS c.root-servers.net.
. 259199 IN NS d.root-servers.net.
. 259199 IN NS e.root-servers.net.
. 259199 IN NS f.root-servers.net.
. 259199 IN NS g.root-servers.net.
. 259199 IN NS h.root-servers.net.
. 259199 IN NS i.root-servers.net.
. 259199 IN NS j.root-servers.net.
. 259199 IN NS k.root-servers.net.
. 259199 IN NS l.root-servers.net.
. 259199 IN NS m.root-servers.net.
. 259199 IN RRSIG NS 8 0 518400 20200326050000 20200313040000 33853 . Qm1Ie0FEwyqy+PCVypAz7PuwJ4aFaQAjU2om+IRPQb/eQ2xjAwDm0YnW vws6lzDe5KKTkQYmSYmPyJ+ccoCk6zqvVVFzMjNQk5mgIpLdxvxLibkk 0hW5MFtY4fdFKmTS14RuqfEXVkEaYIph/Hvyh7Mw/5hKSttwMbJTELfx 8rBEQwVVFYcdazc2oko0UvnBSlnoYbpvlVR7QcrhJ7fAEQfzyy9SsR0Z jWn2G+OdwSfJgN1f7BXftC055yEnCWfG+qJNWrt+QofNolgQTbQDOY3t 3m9ITkBJvvPSUKH7mIIXHYMM3wbO6PenkY9VaPTYW+XkAxJvR+/r+UvE iEpSQw==
;; Received 525 bytes from 169.254.169.254#53(169.254.169.254) in 2 ms
ga. 172800 IN NS a.ns.ga.
ga. 172800 IN NS b.ns.ga.
ga. 172800 IN NS c.ns.ga.
ga. 172800 IN NS d.ns.ga.
ga. 86400 IN NSEC gal. NS RRSIG NSEC
ga. 86400 IN RRSIG NSEC 8 1 86400 20200327050000 20200314040000 33853 . AUOV4PSeXQZ+PpcrnlNQIxmP1vnMcTe77+bQop06CAx1Q4oPMm+ujQY3 AMnp+ex8onrv1VpJgaENd4gyf6bgOkYCNcy2hY/DpXyQ1UY/TLBZigkO Q+xtDwVcXnw/BvP+KpDeEj0KcMSh8qqRRkhVH77KPOEVgmQzyuUZ12GH sc9mmcwxT/Ugl+qG60ib7C3jFi8VYGsMNUk+p2RfDw5MPRPfFGZxEyNH XdmW7ABYm62QdI1oAVPND9UjVkV/aw59Yq55cwrFqcQt+2aM10yrssII nx0o5NX3zqhMt2gkwOnZrGBgIxD1QdJXMZtT7aPk3UgaAvFnOgOpg81Y HtdTFg==
a.ns.ga. 172800 IN A 185.21.168.49
b.ns.ga. 172800 IN A 185.21.169.49
c.ns.ga. 172800 IN A 185.21.170.49
d.ns.ga. 172800 IN A 185.21.171.49
a.ns.ga. 172800 IN AAAA 2a04:1b00:c::1
b.ns.ga. 172800 IN AAAA 2a04:1b00:d::1
c.ns.ga. 172800 IN AAAA 2a04:1b00:e::1
d.ns.ga. 172800 IN AAAA 2a04:1b00:f::1
;; Received 594 bytes from 198.41.0.4#53(a.root-servers.net) in 2 ms
chengyu.ga. 300 IN NS ns01.freenom.com.
chengyu.ga. 300 IN NS ns02.freenom.com.
chengyu.ga. 300 IN NS ns03.freenom.com.
chengyu.ga. 300 IN NS ns04.freenom.com.
;; Received 126 bytes from 185.21.168.49#53(a.ns.ga) in 2 ms
;; connection timed out; no servers could be reached
[guanshan#instance-2 ~]$ dig #185.21.171.49 chengyu.ga +trace +additional
; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el8 <<>> #185.21.171.49 chengyu.ga +trace +additional
; (1 server found)
;; global options: +cmd
;; Received 28 bytes from 185.21.171.49#53(185.21.171.49) in 2 ms
FYI, the .freenom.com. NS servers have been changed to awsdns server a couple of days back. As you can see, the results returned by a.ns.ga are outdated.
My question is, what could cause this kind of behavior?
I have a domain (xanderflood.com) whose DNS is manged by Route 53. I'd like to delegate DNS for test.xanderflood.com to a server that'll be located at ns.test.xanderflood.com, so I added two records:
test.xanderflood.com IN NS ns.test.xanderflood.com
ns.test.xanderflood.com IN A 198.51.100.234
When I run dig +trace #75.75.75.75 media.test.xanderflood.com, I get
; <<>> DiG 9.11.3-1ubuntu1.7-Ubuntu <<>> +trace #75.75.75.75
media.test.xanderflood.com
; (1 server found)
;; global options: +cmd
. 503150 IN NS k.root-servers.net.
. 503150 IN NS l.root-servers.net.
. 503150 IN NS m.root-servers.net.
. 503150 IN NS a.root-servers.net.
. 503150 IN NS b.root-servers.net.
. 503150 IN NS c.root-servers.net.
. 503150 IN NS d.root-servers.net.
. 503150 IN NS e.root-servers.net.
. 503150 IN NS f.root-servers.net.
. 503150 IN NS g.root-servers.net.
. 503150 IN NS h.root-servers.net.
. 503150 IN NS i.root-servers.net.
. 503150 IN NS j.root-servers.net.
. 503150 IN RRSIG NS 8 0 518400 20190704170000 20190621160000 25266 . D5+HDC+b5kZ625Ac27BUxuBSBTATMWEGyjPXTJIR1WaWkb3uGBhNYV5G CC/aFJtwJZ0M5ki9mWfDMBr2TTr4ij9KViXbr7PDVDLHnqixT864P+8t KmHPL1uYIb94DkJza8gTMcJZoQlFEj+gEl2+qPBRc5oZbl4GkVva+La4 T/64g96mORdS8vZGn9aQSCZnPg8Ckt6sTIaELWLAnI3zTFrosg+zrG8D zVJFmFy55SmleFq6Gzs3BMk1DIs8FqrVjS5PPVVIGsjAMhLMeS0Sclps AFf8kjEMzXoREz4DeNYWgmf2nE3HUXSxd/XR7VAlzJmOUt8Suz0YkDr3 OGS+Ig==
;; Received 1041 bytes from 75.75.75.75#53(75.75.75.75) in 12 ms
com. 172800 IN NS m.gtld-servers.net.
com. 172800 IN NS i.gtld-servers.net.
com. 172800 IN NS e.gtld-servers.net.
com. 172800 IN NS f.gtld-servers.net.
com. 172800 IN NS l.gtld-servers.net.
com. 172800 IN NS d.gtld-servers.net.
com. 172800 IN NS k.gtld-servers.net.
com. 172800 IN NS a.gtld-servers.net.
com. 172800 IN NS j.gtld-servers.net.
com. 172800 IN NS b.gtld-servers.net.
com. 172800 IN NS h.gtld-servers.net.
com. 172800 IN NS g.gtld-servers.net.
com. 172800 IN NS c.gtld-servers.net.
com. 86400 IN DS 30909 8 2 E2D3C916F6DEEAC73294E8268FB5885044A833FC5459588F4A9184CF C41A5766
com. 86400 IN RRSIG DS 8 1 86400 20190704170000 20190621160000 25266 . lc916tqVraGg10FCUk6/B5E0xeEbP4c5rnt3bPICTdHmSHgAZ/SpA8MF pIO426+YZ12p/lozYA2nUo6B7lVrjinglyNAnTBrVxYPtiC078gPU1Bq g8gEG6OZHoe/+UdYfvVtblW/ioSExKeyc9/C6KYfzZuD++T05/izeHov iiE+4ViTmaFaDgI+xSpqttRJT/nYRpn1tN9/35MV/rhXDhEGIUdLM98e wscQUzDbfkifK6NKb9Z6Vp689y2N7WV9dJKcDeNqcoRrMrWW9ioWOLqE Kxhv4O6AzL9clubwuzi+ufirwk6euOD8n6q6u51bcRhK8PdgUs2xy2Ms uVcCMQ==
;; Received 1214 bytes from 199.9.14.201#53(b.root-servers.net) in 60 ms
xanderflood.com. 172800 IN NS ns-426.awsdns-53.com.
xanderflood.com. 172800 IN NS ns-823.awsdns-38.net.
xanderflood.com. 172800 IN NS ns-1657.awsdns-15.co.uk.
xanderflood.com. 172800 IN NS ns-1471.awsdns-55.org.
CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 86400 IN NSEC3 1 1 0 - CK0Q1GIN43N1ARRC9OSM6QPQR81H5M9A NS SOA RRSIG DNSKEY NSEC3PARAM
CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 86400 IN RRSIG NSEC3 8 2 86400 20190628044430 20190621033430 3800 com. E0fw9vzA0DqWNYImFXrvmV/qH2cH6hDM5E7X6/pCKrhCZp7Qb6iCkp3u PdwVPv5HIs65MaMNSGA9gXCs4JcXBjUx6cmjKUbUfGX2kQffmFm6dGfA WvtjYvzFfG1o/0SUU5awr6hes1fa/G1RxwVW8a4AAdhZ/cPpFS2RTlar i/0=
50C5NFS5N8S46COAHN2QFK40EQF0U3HS.com. 86400 IN NSEC3 1 1 0 - 50C7M61IFHEGFKLIRHD1569DD1CM9NV5 NS DS RRSIG
50C5NFS5N8S46COAHN2QFK40EQF0U3HS.com. 86400 IN RRSIG NSEC3 8 2 86400 20190626053147 20190619042147 3800 com. eYnghQKgo9br7ORy1m6Ago7kBLi6Hj5yYumps4YQNJs/CMlgLt8yuzhw SGIAyzMuRuCnW8N+rH813tURS/zaR8cOWqxqxG/sj7xDZ++kMveCA7VW MQZq8CCplfYqAMpaNqDf3Qi/21612pfQnRnVe1XNwS99rqv/wt7L/OaE 6Ek=
;; Received 693 bytes from 192.55.83.30#53(m.gtld-servers.net) in 25 ms
test.xanderflood.com. 300 IN NS ns.test.xanderflood.com.
^Ccouldn't get address for 'ns.test.xanderflood.com': not found
dig: couldn't get address for 'ns.test.xanderflood.com': no more
In the last stage, the route53 server doesn't seem to send the glue record along with the NS record. But when I check that specifically by running dig #ns-1471.awsdns-55.org test.test.xanderflood.com, it does sen the glue record:
; <<>> DiG 9.11.3-1ubuntu1.7-Ubuntu <<>> #ns-1471.awsdns-55.org test.test.xanderflood.com
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52944
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 2
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;test.test.xanderflood.com. IN A
;; AUTHORITY SECTION:
test.xanderflood.com. 300 IN NS ns.test.xanderflood.com.
;; ADDITIONAL SECTION:
ns.test.xanderflood.com. 300 IN A 198.51.100.234
;; Query time: 26 msec
;; SERVER: 205.251.197.191#53(205.251.197.191)
;; WHEN: Fri Jun 21 18:58:54 EDT 2019
;; MSG SIZE rcvd: 87
I tried all four of the listed AWS nameservers and they all included the glue record. Similarly, if I ask the AWS servers for ns.test.xanderflood.com, I get the A record, but when I use dig +trace and ask my ISPs recursive server, it gets to the NS record and can't go any further. Any ideas?
The problem is not with the +trace. Since a simple request for the nameserver name receives an error:
$ dig ns.test.xanderflood.com
; <<>> DiG 9.10.3-P4-Debian <<>> ns.test.xanderflood.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 6793
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;ns.test.xanderflood.com. IN A
;; Query time: 4625 msec
Because the problem is that this specific nameserver does not reply at all!
The parent correctly provides the glue:
$ dig #ns-1657.awsdns-15.co.uk. ns.test.xanderflood.com | grep 'IN A '
ns.test.xanderflood.com. 5m IN A 198.51.100.234
(+short does not work because the information is in the additional section, not the answer one)
But then:
$ dig #198.51.100.234 ns.test.xanderflood.com
; <<>> DiG 9.12.0 <<>> #198.51.100.234 ns.test.xanderflood.com
; (1 server found)
;; global options: +cmd
;; Sending:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30129
;; flags: rd ad; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: f266724ac73b2e54
;; QUESTION SECTION:
;ns.test.xanderflood.com. IN A
;; QUERY SIZE: 64
;; connection timed out; no servers could be reached
(the usual troubleshooting then involves trying +tcp/+notcp to debug UDP/TCP problems and +dnssec/+nodnssec to involve DNSSEC related problems. No options change the above result, the server does not reply)
This server does not reply. dig +trace finishes by asking this server but does not get a reply, hence the final error.
As soon as this nameserver starts to reply to DNS queries your problem will go away.
You can as well have a look at a monitoring service: http://dnsviz.net/d/ns.test.xanderflood.com/dnssec/
The popup on the name says: No response was received from server over UDP (tried 12 times.)
By the way, surely obvious, but just to be sure: it is a bad idea to delegate a domain to a single nameserver (especially if not anycasted)
From what I understood when my computer performs a DNS request it does the following:
Firstly my computer send a DNS request to its default dns server (my ISP DNS in my case).
Then my ISP DNS server send a request to a "root node DNS server".
My question is in that last point.
How does the ISP DNS server contact te root node (with an IP ? (I heard that DNS root node IPs where secret (in order to avoid attacks / spamming))).
Which port is used by the root node DNS
Can I contact directly from my computer the root DNS ? (if yes how ?)
Thank you very much !
Each recursive nameserver in the world ships with a preconfigured root zone with the list of root nameservers and their IPv4+IPv6 addresses.
By a process called "priming" on start, each recursive nameserver will connect one of these to query for the current list, so that it can update its list of root servers.
All of that is not hidden in any way because otherwise the DNS does not work.
Every nameserver (recursive or authoritative) uses port 53, for both UDP and TCP queries.
You can of course contact directly the root nameservers but based on your questions I believe you have a misconception on what purpose this may have.
The DNS is a tree, if you contact a root nameserver it will only be able to reply with data about the level just below it, that is the list of TLDs, and you will not get data there about domains further down the tree.
Some examples:
Getting list of current root nameservers
$ dig . NS
; <<>> DiG 9.12.0 <<>> . NS
;; global options: +cmd
;; Sending:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62572
;; flags: rd ad; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: c0ea66cf097962ab
;; QUESTION SECTION:
;. IN NS
;; QUERY SIZE: 40
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62572
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 27
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;. IN NS
;; ANSWER SECTION:
. 264162 IN NS a.root-servers.net.
. 264162 IN NS d.root-servers.net.
. 264162 IN NS m.root-servers.net.
. 264162 IN NS j.root-servers.net.
. 264162 IN NS e.root-servers.net.
. 264162 IN NS f.root-servers.net.
. 264162 IN NS l.root-servers.net.
. 264162 IN NS k.root-servers.net.
. 264162 IN NS g.root-servers.net.
. 264162 IN NS h.root-servers.net.
. 264162 IN NS b.root-servers.net.
. 264162 IN NS i.root-servers.net.
. 264162 IN NS c.root-servers.net.
;; ADDITIONAL SECTION:
a.root-servers.net. 600270 IN A 198.41.0.4
a.root-servers.net. 168267 IN AAAA 2001:503:ba3e::2:30
b.root-servers.net. 600268 IN A 199.9.14.201
b.root-servers.net. 168267 IN AAAA 2001:500:200::b
c.root-servers.net. 600270 IN A 192.33.4.12
c.root-servers.net. 168267 IN AAAA 2001:500:2::c
d.root-servers.net. 600269 IN A 199.7.91.13
d.root-servers.net. 168267 IN AAAA 2001:500:2d::d
e.root-servers.net. 600268 IN A 192.203.230.10
e.root-servers.net. 168267 IN AAAA 2001:500:a8::e
f.root-servers.net. 600268 IN A 192.5.5.241
f.root-servers.net. 168267 IN AAAA 2001:500:2f::f
g.root-servers.net. 600268 IN A 192.112.36.4
g.root-servers.net. 168267 IN AAAA 2001:500:12::d0d
h.root-servers.net. 600270 IN A 198.97.190.53
h.root-servers.net. 168267 IN AAAA 2001:500:1::53
i.root-servers.net. 600270 IN A 192.36.148.17
i.root-servers.net. 168267 IN AAAA 2001:7fe::53
j.root-servers.net. 600268 IN A 192.58.128.30
j.root-servers.net. 168267 IN AAAA 2001:503:c27::2:30
k.root-servers.net. 600268 IN A 193.0.14.129
k.root-servers.net. 168267 IN AAAA 2001:7fd::1
l.root-servers.net. 600268 IN A 199.7.83.42
l.root-servers.net. 168267 IN AAAA 2001:500:9f::42
m.root-servers.net. 600268 IN A 202.12.27.33
m.root-servers.net. 168267 IN AAAA 2001:dc3::35
;; Query time: 1 msec
;; SERVER: 192.168.10.229#53(192.168.10.229)
;; WHEN: Mon Oct 29 10:19:08 EST 2018
;; MSG SIZE rcvd: 811
Asking a root nameserver about data for a TLD (yes, red is a TLD)
$ dig #g.root-servers.net red. NS +nocookie
; <<>> DiG 9.12.0 <<>> #g.root-servers.net red. NS +nocookie
; (1 server found)
;; global options: +cmd
;; Sending:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18270
;; flags: rd ad; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;red. IN NS
;; QUERY SIZE: 32
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18270
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 9
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;red. IN NS
;; AUTHORITY SECTION:
red. 172800 IN NS b0.nic.red.
red. 172800 IN NS c0.nic.red.
red. 172800 IN NS a2.nic.red.
red. 172800 IN NS a0.nic.red.
;; ADDITIONAL SECTION:
a0.nic.red. 172800 IN A 65.22.36.25
a2.nic.red. 172800 IN A 65.22.39.25
b0.nic.red. 172800 IN A 65.22.37.25
c0.nic.red. 172800 IN A 65.22.38.25
a0.nic.red. 172800 IN AAAA 2a01:8840:26::25
a2.nic.red. 172800 IN AAAA 2a01:8840:29::25
b0.nic.red. 172800 IN AAAA 2a01:8840:27::25
c0.nic.red. 172800 IN AAAA 2a01:8840:28::25
;; Query time: 104 msec
;; SERVER: 192.112.36.4#53(192.112.36.4)
;; WHEN: Mon Oct 29 10:20:35 EST 2018
;; MSG SIZE rcvd: 280
Asking a root nameserver for anything else down the tree (no direct reply as expected, just data to contact other nameservers for further recursive queries)
$ dig #g.root-servers.net www.stackoverflow.com. NS +nocookie
; <<>> DiG 9.12.0 <<>> #g.root-servers.net www.stackoverflow.com. NS +nocookie
; (1 server found)
;; global options: +cmd
;; Sending:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8649
;; flags: rd ad; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.stackoverflow.com. IN NS
;; QUERY SIZE: 50
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8649
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 27
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.stackoverflow.com. IN NS
;; AUTHORITY SECTION:
com. 172800 IN NS j.gtld-servers.net.
com. 172800 IN NS g.gtld-servers.net.
com. 172800 IN NS a.gtld-servers.net.
com. 172800 IN NS d.gtld-servers.net.
com. 172800 IN NS m.gtld-servers.net.
com. 172800 IN NS e.gtld-servers.net.
com. 172800 IN NS i.gtld-servers.net.
com. 172800 IN NS f.gtld-servers.net.
com. 172800 IN NS k.gtld-servers.net.
com. 172800 IN NS l.gtld-servers.net.
com. 172800 IN NS b.gtld-servers.net.
com. 172800 IN NS c.gtld-servers.net.
com. 172800 IN NS h.gtld-servers.net.
;; ADDITIONAL SECTION:
a.gtld-servers.net. 172800 IN A 192.5.6.30
b.gtld-servers.net. 172800 IN A 192.33.14.30
c.gtld-servers.net. 172800 IN A 192.26.92.30
d.gtld-servers.net. 172800 IN A 192.31.80.30
e.gtld-servers.net. 172800 IN A 192.12.94.30
f.gtld-servers.net. 172800 IN A 192.35.51.30
g.gtld-servers.net. 172800 IN A 192.42.93.30
h.gtld-servers.net. 172800 IN A 192.54.112.30
i.gtld-servers.net. 172800 IN A 192.43.172.30
j.gtld-servers.net. 172800 IN A 192.48.79.30
k.gtld-servers.net. 172800 IN A 192.52.178.30
l.gtld-servers.net. 172800 IN A 192.41.162.30
m.gtld-servers.net. 172800 IN A 192.55.83.30
a.gtld-servers.net. 172800 IN AAAA 2001:503:a83e::2:30
b.gtld-servers.net. 172800 IN AAAA 2001:503:231d::2:30
c.gtld-servers.net. 172800 IN AAAA 2001:503:83eb::30
d.gtld-servers.net. 172800 IN AAAA 2001:500:856e::30
e.gtld-servers.net. 172800 IN AAAA 2001:502:1ca1::30
f.gtld-servers.net. 172800 IN AAAA 2001:503:d414::30
g.gtld-servers.net. 172800 IN AAAA 2001:503:eea3::30
h.gtld-servers.net. 172800 IN AAAA 2001:502:8cc::30
i.gtld-servers.net. 172800 IN AAAA 2001:503:39c1::30
j.gtld-servers.net. 172800 IN AAAA 2001:502:7094::30
k.gtld-servers.net. 172800 IN AAAA 2001:503:d2d::30
l.gtld-servers.net. 172800 IN AAAA 2001:500:d937::30
m.gtld-servers.net. 172800 IN AAAA 2001:501:b1f9::30
;; Query time: 105 msec
;; SERVER: 192.112.36.4#53(192.112.36.4)
;; WHEN: Mon Oct 29 10:21:50 EST 2018
;; MSG SIZE rcvd: 846
How does my system know about root name server "." when it is resolving "www.example.com."? I am using an ISP, do they have the root DNS configuration?
Bit, confused on DNS concepts.
The root name servers are found by making a standard DNS NS query of the '.' domain.
Any DNS server that will query the public name servers will have a local copy of the root servers that it will periodically update.
One of the steps to installing a new DNS server is initially seeding these root DNS servers. Typically named root.hints. This file can be downloaded from ftp://ftp.rs.internic.net/domain/db.cache
Alternatively, you can run
dig +bufsize=1200 +norec NS . #a.root-servers.net
Which will produce
; <<>> DiG 9.9.5-3ubuntu0.7-Ubuntu <<>> +bufsize=1200 +norec NS . #a.root-servers.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29307
;; flags: qr aa; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 25
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;. IN NS
;; ANSWER SECTION:
. 518400 IN NS h.root-servers.net.
. 518400 IN NS j.root-servers.net.
. 518400 IN NS g.root-servers.net.
. 518400 IN NS e.root-servers.net.
. 518400 IN NS c.root-servers.net.
. 518400 IN NS k.root-servers.net.
. 518400 IN NS a.root-servers.net.
. 518400 IN NS f.root-servers.net.
. 518400 IN NS m.root-servers.net.
. 518400 IN NS b.root-servers.net.
. 518400 IN NS l.root-servers.net.
. 518400 IN NS i.root-servers.net.
. 518400 IN NS d.root-servers.net.
;; ADDITIONAL SECTION:
h.root-servers.net. 3600000 IN A 198.97.190.53
h.root-servers.net. 3600000 IN AAAA 2001:500:1::53
j.root-servers.net. 3600000 IN A 192.58.128.30
j.root-servers.net. 3600000 IN AAAA 2001:503:c27::2:30
g.root-servers.net. 3600000 IN A 192.112.36.4
e.root-servers.net. 3600000 IN A 192.203.230.10
c.root-servers.net. 3600000 IN A 192.33.4.12
c.root-servers.net. 3600000 IN AAAA 2001:500:2::c
k.root-servers.net. 3600000 IN A 193.0.14.129
k.root-servers.net. 3600000 IN AAAA 2001:7fd::1
a.root-servers.net. 3600000 IN A 198.41.0.4
a.root-servers.net. 3600000 IN AAAA 2001:503:ba3e::2:30
f.root-servers.net. 3600000 IN A 192.5.5.241
f.root-servers.net. 3600000 IN AAAA 2001:500:2f::f
m.root-servers.net. 3600000 IN A 202.12.27.33
m.root-servers.net. 3600000 IN AAAA 2001:dc3::35
b.root-servers.net. 3600000 IN A 192.228.79.201
b.root-servers.net. 3600000 IN AAAA 2001:500:84::b
l.root-servers.net. 3600000 IN A 199.7.83.42
l.root-servers.net. 3600000 IN AAAA 2001:500:3::42
i.root-servers.net. 3600000 IN A 192.36.148.17
i.root-servers.net. 3600000 IN AAAA 2001:7fe::53
d.root-servers.net. 3600000 IN A 199.7.91.13
d.root-servers.net. 3600000 IN AAAA 2001:500:2d::d
;; Query time: 10 msec
;; SERVER: 198.41.0.4#53(198.41.0.4)
;; WHEN: Thu Mar 03 06:37:09 UTC 2016
;; MSG SIZE rcvd: 755
As you can see with that file you can resolve any host on the public internet.
You contact the DNS server you specify, they then contact the list of root servers to look up who authority is on the domain example.com, that dns server then contacts this authority (the dns server on record) to resolve the ip of the host.
IP, Gateway & DNS Servers IPs will be provided by the DHCP Service. So, it is the DHCP Server of your ISP who is providing the IP of a locally configured DNS Server to your System.
I found two strange DNS entry in the *.bnl top-level domain. First,
Running dig bnl. a ; dig bnl. mx results in:
bnl. 3600 IN A 127.0.53.53
bnl. 3600 IN MX 10 your-dns-needs-immediate-attention.bnl.
This is strange for two reasons:
TLDs normally don't have an A record. Also, it points to an
IP within the loopback IP range.
TLDs normally don't have an MX entry. Also, the MX record is obviously
designed to get some administrator's attention.
What is going wrong here? Did some administrator misconfigure their TLD?
There is nothing wrong with it, it's just in the process of being brought online. If you do a TXT lookup on it you get a nice URL to follow where you can read all about what's going on:
Kadath:~$ dig txt bnl. +short
"your dns configuration needs immediate attention see https://icann.org/namecollision"
Edit: The point of what you see is to give anyone using the upcoming TLD for their own purposes a heads-up that their setup is about to break. The A record, for example, uses the address 127.0.53.53 since that is in the 127.0.0.0/8 localhost block (so traffic sent there will not disturb anyone else) while using the DNS port number as a hint about what's going on.
I would suggest that since the TLD is valid and resolves, with DNSSEC, all the way from the root:
root#ent01:/etc/bind# dig +trace bnl.
; <<>> DiG 9.9.5-3ubuntu0.4-Ubuntu <<>> +trace bnl.
;; global options: +cmd
. 478397 IN NS a.root-servers.net.
. 478397 IN NS m.root-servers.net.
. 478397 IN NS g.root-servers.net.
. 478397 IN NS c.root-servers.net.
. 478397 IN NS b.root-servers.net.
. 478397 IN NS l.root-servers.net.
. 478397 IN NS f.root-servers.net.
. 478397 IN NS j.root-servers.net.
. 478397 IN NS k.root-servers.net.
. 478397 IN NS h.root-servers.net.
. 478397 IN NS e.root-servers.net.
. 478397 IN NS i.root-servers.net.
. 478397 IN NS d.root-servers.net.
;; Received 239 bytes from 208.67.222.222#53(208.67.222.222) in 303 ms
bnl. 172800 IN NS c0.nic.bnl.
bnl. 172800 IN NS b0.nic.bnl.
bnl. 172800 IN NS a2.nic.bnl.
bnl. 172800 IN NS a0.nic.bnl.
bnl. 86400 IN DS 49953 7 2 C183F9CD6ECD80BF9CB0AFF9D8F3C21DC7D14D866967C51924D0F674 9A52B5BB
bnl. 86400 IN DS 49953 7 1 1A4FAA58FB885D0290D573ADDEABCAC75A547255
bnl. 86400 IN RRSIG DS 8 1 86400 20150817170000 20150807160000 1518 . E7tbHUR9+Te+laSwBmPxDjPzdd+yoc+xtCB4cN2mG7maTXMAitkSrp9x 6kiwPknriSbE9JwvyCBTmUkR+BliHWC3BezBKbTQIpeyqWHeFjzaQ5ou z3br+hg1OTNuIwZTutDC++7+tMRRwSDM2NTUJo+GcZKMaNNCpYhd7/Vr Xzg=
;; Received 523 bytes from 192.112.36.4#53(g.root-servers.net) in 684 ms
bnl. 3600 IN A 127.0.53.53
bnl. 3600 IN RRSIG A 7 1 3600 20150826073521 20150805063521 37410 bnl. CIf4p35OC136zABgXEZ/UvnLRZQw+vLSSeRiCJ2jbKxC3wMRzDj1x0Ym npii+AvJijMFlqm5I8VRNmcAq5cyDUY98twM/4bb6eKc/qtaszLjNnw9 WV8z3TibF0bZaqugNIpmh5PIM5P5yRSq0ToyxVLmKABuiSyn7RBseWbq lA8=
bnl. 86400 IN NS b0.nic.bnl.
bnl. 86400 IN NS c0.nic.bnl.
bnl. 86400 IN NS a0.nic.bnl.
bnl. 86400 IN NS a2.nic.bnl.
bnl. 86400 IN RRSIG NS 7 1 86400 20150826073521 20150805063521 37410 bnl. SxOOfC2B4opb+Or9t+0GZCMF6ajA/uyFEXZNcXuLO9m4rREOT8K7n6l6 05CuwtFDD6LjK3vC9tbm9piXNJ0bh2qoeXjWRTCuGxeU+o7iyazA1Lx/ 1Ik7z/guZzRistMlRpkQKhF72G83jBf2Udm+biWq3jIFhnzD+Ntj4Z03 jKc=
;; Received 622 bytes from 65.22.65.1#53(b0.nic.bnl) in 52 ms
That it's "working as intended". Unless you know someone on the inside at Banca Nazionale del Lavoro, who owns the TLD, that says otherwise. It does, however, appear to be a fairly new zone, so they may simply have not completed a roll-out or are using it as a placeholder.