Home / server / Questions / 1165319
Accepted
hzahradnik
Asked: 2024-09-17 03:11:32 +0800 CST

Faulty SOA entry is cached at service provider DNS servers after domain suspension

  • 772

Our company transferred a .com domain to a different domain provider. This worked just fine for 14 days, but today our domain was suspended, because we had a problem with our mail provider and didn't get the mail for the verification of the owner adress.

After some time we managed to fix the mail problems and verify the domain. We were also able to get our application to run as expected, when using Google/Cloudflare/... DNS. However, many of our customers still have problems to reach our application after almost 12 hours.

In the meantime we could track down a possible cause. Our suspect is the DNS caching of some internet providers. See the output of nslookup for requesting the SOA entry of the subdomain for our application.

Using Google DNS (8.8.8.8), the SOA entry for app.EXAMPLE.com is from our domain EXAMPLE.com.

> server 8.8.8.8
Default Server:  dns.google
Address:  8.8.8.8

> set type=soa
> set d2
> app.EXAMPLE.com
Server:  dns.google
Address:  8.8.8.8

------------
SendRequest(), len 34
    HEADER:
        opcode = QUERY, id = 25, rcode = NOERROR
        header flags:  query, want recursion
        questions = 1,  answers = 0,  authority records = 0,  additional = 0

    QUESTIONS:
        app.EXAMPLE.com, type = SOA, class = IN

------------
------------
Got answer (99 bytes):
    HEADER:
        opcode = QUERY, id = 25, rcode = NOERROR
        header flags:  response, want recursion, recursion avail.
        questions = 1,  answers = 0,  authority records = 1,  additional = 0

    QUESTIONS:
        app.EXAMPLE.com, type = SOA, class = IN
    AUTHORITY RECORDS:
    ->  EXAMPLE.com
        type = SOA, class = IN, dlen = 53
        ttl = 1800 (30 mins)
        primary name server = ns1.DOMAINPROVIDER.de
        responsible mail addr = postmaster.DOMAINPROVIDER.de
        serial  = 2024091603
        refresh = 86400 (1 day)
        retry   = 10800 (3 hours)
        expire  = 3600000 (41 days 16 hours)
        default TTL = 3600 (1 hour)

------------
EXAMPLE.com
        type = SOA, class = IN, dlen = 53
        ttl = 1800 (30 mins)
        primary name server = ns1.DOMAINPROVIDER.de
        responsible mail addr = postmaster.DOMAINPROVIDER.de
        serial  = 2024091603
        refresh = 86400 (1 day)
        retry   = 10800 (3 hours)
        expire  = 3600000 (41 days 16 hours)
        default TTL = 3600 (1 hour)
> set type=A
> app.EXAMPLE.com
Server:  dns.google
Address:  8.8.8.8
------------
[...]
------------
Non-authoritative answer:
Name:    app.EXAMPLE.com
Address:  <IP ADDRESS OF OUR SERVER>

When using the DNS server of our internet provider, we get a completely different result for the sub domain.

> set type=soa
> set d2
> app.EXAMPLE.com
Server:  <DNS OF INTERNET PROVIDER>
Address:  <DNS OF INTERNET PROVIDER>

------------
SendRequest(), len 34
    HEADER:
        opcode = QUERY, id = 28, rcode = NOERROR
        header flags:  query, want recursion
        questions = 1,  answers = 0,  authority records = 0,  additional = 0

    QUESTIONS:
        app.EXAMPLE.com, type = SOA, class = IN

------------
------------
Got answer (107 bytes):
    HEADER:
        opcode = QUERY, id = 28, rcode = NOERROR
        header flags:  response, want recursion, recursion avail.
        questions = 1,  answers = 1,  authority records = 0,  additional = 0

    QUESTIONS:
        app.EXAMPLE.com, type = SOA, class = IN
    ANSWERS:
    ->  app.EXAMPLE.com
        type = SOA, class = IN, dlen = 61
        ttl = 2335 (38 mins 55 secs)
        primary name server = ns1.emailverification.info
        responsible mail addr = hostmaster.emailverification.info
        serial  = 2024090700
        refresh = 7200 (2 hours)
        retry   = 3600 (1 hour)
        expire  = 604800 (7 days)
        default TTL = 3600 (1 hour)

------------
Non-authoritative answer:
app.EXAMPLE.com
        type = SOA, class = IN, dlen = 61
        ttl = 2335 (38 mins 55 secs)
        primary name server = ns1.emailverification.info
        responsible mail addr = hostmaster.emailverification.info
        serial  = 2024090700
        refresh = 7200 (2 hours)
        retry   = 3600 (1 hour)
        expire  = 604800 (7 days)
        default TTL = 3600 (1 hour)
> set type=A
> app.EXAMPLE.com
Server:  <DNS OF INTERNET PROVIDER>
Address:  <DNS OF INTERNET PROVIDER>
------------
[...]
------------
Non-authoritative answer:
Name:    app.EXAMPLE.com
Address:  <WRONG IP ADDRESS>

My question: Does this resolve automatically after some time or do we need to do something? Is it possible to speed up the process?

domain-name-system

1 Answers

  1. Best Answer

    Run dnstracer -s . app.example.com to verify that the (uncached) delegation information is correct. That will check whether the domain registry has correct NS records for your domain, and that your domain has correct NS records for your 'app' subdomain. (Since it has its own SOA, that implies it's a separate zone delegated from the main domain.)

    Alternatively use nslookup -d -q=NS example.com a.gtld-servers.net (that's one of the .com nameservers), then do a similar query for app.example.com against your main domain's nameservers.

    It's common for TLDs to have slightly longer cache TTLs for the NS delegation records, sometimes up to 24 hours (where the "24-48 hour propagation" thing likely comes from), so it's possible that your ISP's resolver has cached not only the bad A and SOA records but also the bad NS delegation records, and will keep querying the wrong nameservers until those expire.

    The only thing you can do about it is verify that the authoritative data in all nameservers is correct.

    • 0