resolving .org - connection timed out; no servers could be reached

Stephane Bortzmeyer bortzmeyer at nic.fr
Sun Jan 12 13:30:11 UTC 2020


On Sun, Jan 12, 2020 at 02:20:24PM +0100,
 Erik Dobák <erik.dobak at gmail.com> wrote 
 a message of 109 lines which said:

> As I wrote, other TLDs (.net, .com and some country TLDs) all resolved
> fine.  For .org I tried debian.org, ietf.org, gentoo.org and maybe
> some others, with all failing.

Then I suggest querying the authoritative name servers of .org
directly, to see if they are reachable. (If not, it's not Unbound's fault.)

% dig @a0.org.afilias-nst.info. gentoo.org
...
;; AUTHORITY SECTION:
gentoo.org.	86400 IN NS ns1.gentoo.org.
gentoo.org.	86400 IN NS ns2.gentoo.org.
gentoo.org.	86400 IN NS ns3.gentoo.org.
...
;; Query time: 246 msec
;; SERVER: 2001:500:e::1#53(2001:500:e::1)
;; WHEN: Sun Jan 12 14:28:22 CET 2020
;; MSG SIZE  rcvd: 408

> So you say the message 'connection timed out; no servers could be reached'
> from dig does not mean that my PC had trouble connecting to the router, but
> that the router had trouble connecting to root DNS servers?

Or other authoritative name servers. Probably not the root since other
TLDs work.

When you query the resolver, it has to contact the authoritative name
servers. Maybe dig timed out before Unbound did. dig +timeout=30 to
see if, given more time, Unbound makes a decision (probably SERVFAIL,
if there is a reachability problem)?

> Looks like something is killing my (or returning) packets, filtered by the
> presence of the .org string.
> MITM??? Or who is now trying to screw .org??

Let's look for simple explanations first: a routing/reachability
problem.

> PS: I am using DNSSEC but AFAIK this does not mean the resolve requests are
> encrypted...

Indeed. DNSSEC signs but does not encrypt.
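
The two checks suggested in this message (ask the TLD's authoritative servers directly, then ask the resolver with a longer dig timeout), as an added example that is not part of the original message. The function names, the sample outputs and the default resolver address 127.0.0.1 are assumptions; the script also tries IPv4 and IPv6 separately, which goes beyond what the message describes.

```shell
#!/bin/sh
# Added example; classify_dig_output and probe_tld are hypothetical names.

# Constructed sample dig outputs (not captured from a real run).
SAMPLE_TIMEOUT=';; connection timed out; no servers could be reached'
SAMPLE_SERVFAIL=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4242'
SAMPLE_OK=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4243'

# Reduce one dig output to a single word.
# TIMEOUT  : the queried server never replied within dig's own timeout.
# SERVFAIL : the server replied, but could not obtain an answer itself.
classify_dig_output() {
    case "$1" in
        *"no servers could be reached"*)          echo TIMEOUT ;;
        *"status: SERVFAIL"*)                     echo SERVFAIL ;;
        *"status: REFUSED"*)                      echo REFUSED ;;
        *"status: NOERROR"*|*"status: NXDOMAIN"*) echo ANSWERED ;;
        *)                                        echo UNKNOWN ;;
    esac
}

# probe_tld TLD NAME [RESOLVER]
# 1. Query every authoritative server of TLD directly (no recursion),
#    once over IPv4 and once over IPv6, with a short timeout.
# 2. Query the resolver for NAME with a 30 s timeout, so that the
#    resolver has time to give up and report SERVFAIL before dig does.
probe_tld() {
    tld=$1
    name=$2
    resolver=${3:-127.0.0.1}   # assumed default: a local Unbound
    for ns in $(dig +short NS "$tld."); do
        for family in -4 -6; do
            out=$(dig "$family" +norecurse +time=5 +tries=1 "@$ns" "$name" 2>&1) || true
            printf '%-30s %s %s\n' "$ns" "$family" "$(classify_dig_output "$out")"
        done
    done
    out=$(dig +time=30 +tries=1 "@$resolver" "$name" 2>&1) || true
    printf '%-30s %s %s\n' "resolver $resolver" "  " "$(classify_dig_output "$out")"
}

# Network probes run only when arguments are given: TLD NAME [RESOLVER]
if [ "$#" -ge 2 ]; then
    probe_tld "$@"
fi
```

TIMEOUT on every authoritative server points at the network path rather than at Unbound; ANSWERED there combined with SERVFAIL or TIMEOUT from the resolver points at the resolver or at its own path to those servers.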


