Strange DNS Problem

Lavien (Verified User, joined Jun 1, 2025, 49 messages):
Hello, my port 53 is open and my websites on the server are running, but when I use intoDNS I get some errors about DNS A records. I attached my intoDNS result, netplan YAML file, DNS records and resolvectl result. I don't know what to do. Can you help me?
 

Attachments: intosnd.png, netplan yaml.png, resolvectl.png, ns.png
Hello,

Your issue was already discussed here: Incoming mail problem and LAN connection problem

Either your ISP is blocking TCP/UDP port 53 or your hardware is blocking it.
My ISP was blocking it, but it is now open. My web site URL works, but intoDNS does not work. I can telnet to port 53, and port checker web sites say port 53 is open. So where should I look at this stage, do you think? I reinstalled DA without CSF and nothing changed, so CSF is not the issue.
 
And still no DNS service is available on TCP:53

Bash:
$ nslookup elektrikakademi.com 95.70.147.170
;; connection timed out; no servers could be reached

even if TCP:53 port is opened:

Bash:
Host is up (0.052s latency).
Not shown: 985 filtered ports
PORT     STATE  SERVICE
20/tcp   closed ftp-data
21/tcp   open   ftp
22/tcp   open   ssh
25/tcp   open   smtp
53/tcp   open   domain
80/tcp   open   http
110/tcp  open   pop3
143/tcp  open   imap
443/tcp  open   https
465/tcp  open   smtps
587/tcp  open   submission
993/tcp  open   imaps
995/tcp  open   pop3s
2222/tcp open   EtherNet/IP-1
5000/tcp open   upnp

Traffic to TCP:53 is not routed to the outside world.
 
Is my problem related to server settings (some conf files, maybe), or is the problem with my router? Where should I check?
 
What does it say when you enter resolvectl?
Code:
root@amber /etc/systemd # resolvectl
Global
         Protocols: -LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
  resolv.conf mode: stub

Link 2 (eth0)
    Current Scopes: DNS
         Protocols: +DefaultRoute -LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
       DNS Servers: 2a01:4ff:ff00::add:2 2a01:4ff:ff00::add:1 185.12.64.1 185.12.64.2

Above you'll see resolv.conf is set to stub, which is fine, and my nameservers for this server are my host's (I haven't got round to editing them yet).

I suspect your server is only routing on localhost (127.0.0.1:53) so you may need to set nameservers in your files.

Code:
# nano /etc/systemd/resolved.conf
[Resolve]
# Some examples of DNS servers which may be used for DNS= and FallbackDNS=:
# Cloudflare: 1.1.1.1#cloudflare-dns.com 1.0.0.1#cloudflare-dns.com 2606:4700:4700::1111#cloudflare-dns.com 2606:4700:4700::1001#cloudflare->
# Google:     8.8.8.8#dns.google 8.8.4.4#dns.google 2001:4860:4860::8888#dns.google 2001:4860:4860::8844#dns.google
# Quad9:      9.9.9.9#dns.quad9.net 149.112.112.112#dns.quad9.net 2620:fe::fe#dns.quad9.net 2620:fe::9#dns.quad9.net
#DNS=
#FallbackDNS=
#Domains=

Uncomment #DNS= and change to DNS=8.8.8.8 1.1.1.1
Uncomment #FallbackDNS= and change to FallbackDNS=8.8.4.4 1.0.0.1
(Feel free to add IPv6 servers as well if you like)

Result will look like:

Code:
# systemctl restart systemd-resolved
root@amber /etc/systemd # resolvectl
Global
           Protocols: -LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
    resolv.conf mode: stub
         DNS Servers: 8.8.8.8 1.1.1.1
Fallback DNS Servers: 8.8.4.4 1.0.0.1

Link 2 (eth0)
    Current Scopes: DNS
         Protocols: +DefaultRoute -LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
       DNS Servers: 2a01:4ff:ff00::add:2 2a01:4ff:ff00::add:1 185.12.64.1 185.12.64.2

Next go to your networking conf file. If you're on Ubuntu 24.x it'll more than likely be netplan.
Open the file:
Code:
#cd /etc/netplan
#nano 50-cloud-init.yaml # or whatever network.yaml file is in there

Then look for the nameservers section
Code:
network:
  version: 2
  ethernets:
    eth0:
      match:
        macaddress: "xx:xx:xx:xx:xx:xx"
      addresses:
      - "xxxxxxxxxxxxxxxxxxxxx/xx"
      nameservers:
        addresses:
        - 8.8.8.8
        - 1.1.1.1
        - 2a01:4ff:ff00::add:2
        - 2a01:4ff:ff00::add:1
      dhcp4: true
      set-name: "eth0"
      routes:
      - on-link: true
        to: "default"
        via: "fe80::1"

Close that and then:
Code:
root@amber /etc/netplan # netplan apply
root@amber /etc/netplan # resolvectl
Global
         Protocols: -LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
  resolv.conf mode: stub

Link 2 (eth0)
    Current Scopes: DNS
         Protocols: +DefaultRoute -LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
       DNS Servers: 8.8.8.8 1.1.1.1 2a01:4ff:ff00::add:2 2a01:4ff:ff00::add:1 185.12.64.1 185.12.64.2
root@amber /etc/netplan #

You should be able to get out now and everything should resolve.
 
Sorry, I've just realised you posted screenshots above, so the instructions above may not help that much.

On one of them, you have fe80::1 in the resolvectl output. That shouldn't really be there; that's localhost, and your resolver might be trying to use its internal DNS to resolve when it should really be using an external DNS.

Also I note you have nameservers ns1.server.xxx.com, so do you have a subdomain set up for the server.xxxxxx.com part of the domain? I'm wondering if it's failing because it's looking for a subdomain to resolve to.
 
I suspect your server is only routing on localhost (127.0.0.1:53) so you may need to set nameservers in your files.

If that were the case, nmap from a remote server would report TCP:53 as closed:

- When I tested my server which has DNS on 127.0.0.1 only, I got the following:

Bash:
$ nslookup domain.com ns.example.net
;; connection timed out; no servers could be reached

- nmap (example):

Code:
PORT      STATE    SERVICE
21/tcp    open     ftp
22/tcp    filtered ssh
43/tcp    filtered whois
80/tcp    open     http
110/tcp   open     pop3
113/tcp   filtered ident
143/tcp   open     imap
443/tcp   open     https
993/tcp   open     imaps
995/tcp   open     pop3s
2222/tcp  open     EtherNetIP-1

I'm wondering if it's failing because it's looking for a subdomain to resolve to.

TCP:53 on the target host is open, but nslookup reports "connection timed out; no servers could be reached". I guess the DNS service receives requests and even responds, but the replies from the DNS service are not routed outside the network/server.
 
Could it have something to do with the fe80::1 address that's being injected into the systemd resolver? Maybe he could disable IPv6 by adding dhcp6: false to his network.yaml file? Looking at all his other screenshots (which I should've noticed first), most of the hard work looks done and he should be able to resolve using external servers.
 
Could it have something to do with the fe80::1 address that's being injected into the systemd resolver?

OK, I went deeper. And here is what I found:

The ISP used to block TCP requests to DNS, and now they have opened it:

Bash:
# dig +tcp A elektrikakademi.com @95.70.147.170

; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el7_9.16 <<>> +tcp A elektrikakademi.com @95.70.147.170
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24716
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;elektrikakademi.com.           IN      A

;; ANSWER SECTION:
elektrikakademi.com.    3600    IN      A       95.70.147.170

;; Query time: 52 msec
;; SERVER: 95.70.147.170#53(95.70.147.170)
;; WHEN: Tue Jul 08 00:40:17 +07 2025
;; MSG SIZE  rcvd: 64

but UDP is still blocked:

Bash:
# dig +notcp A elektrikakademi.com @95.70.147.170

; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el7_9.16 <<>> +notcp A elektrikakademi.com @95.70.147.170
;; global options: +cmd
;; connection timed out; no servers could be reached

The TS (topic starter) will need to make sure:

1. UDP:53 is opened at the router
2. UDP:53 is not filtered by the ISP
3. UDP:53 is NATed too
 
On the server's side: use tcpdump to see how traffic to DNS goes, and check system/kernel logs for possible clues.
tcpdump lists lots of things and I couldn't find any clue in it. I think my main problem is about IPv6. I will try to ignore it and will write the results here.
 
How can I check whether my ISP or something else blocks UDP 53?
Also (and I'm sure you have) check your CSF installation to make sure that port 53 is opened for UDP and TCP on IPv4 and IPv6. This can be found in your Admin => Extra Features => ConfigServer Security & Firewall => Firewall Configuration, or edit your /etc/csf/csf.conf file and then run csf -r && systemctl restart lfd

Stars are masking the SSH port on my server, nothing else.

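The dig comparison earlier in the thread (TCP answers, UDP times out) and the question above about how to tell whether the ISP or something on the server is blocking UDP 53 can be reproduced from any outside host with a short script. This is an added example, not code from the thread or from DirectAdmin: it builds the DNS query by hand, sends it once over UDP and once over TCP to the server you name on the command line, and says which transport answered. The server address and domain are taken from argv; the embedded sample response is constructed here (mirroring the dig output in the thread) only so the parser can be checked offline.

```python
"""Query a name server over UDP and over TCP and compare the results.

If TCP/53 answers while UDP/53 times out, the name server itself is fine
and the UDP traffic is being dropped in between (ISP filter, router rule
or missing NAT). Added example; not the thread's or DirectAdmin's code.
"""
import socket
import struct
import sys

DNS_TYPE_A = 1
DNS_CLASS_IN = 1


def build_query(name, qid=0x1234):
    """Build a minimal DNS A query (RD set, no EDNS) for `name`."""
    flags = 0x0100  # standard query, recursion desired
    header = struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", DNS_TYPE_A, DNS_CLASS_IN)


def _skip_name(msg, offset):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[offset]
        if length == 0:
            return offset + 1
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, ends the name
            return offset + 2
        offset += 1 + length


def parse_a_records(msg, expected_id=None):
    """Return (rcode, [IPv4 strings]) from a DNS response message."""
    qid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if expected_id is not None and qid != expected_id:
        raise ValueError("response id does not match query id")
    if not flags & 0x8000:
        raise ValueError("message is not a response")
    rcode = flags & 0x000F
    offset = 12
    for _ in range(qdcount):  # skip the echoed question section
        offset = _skip_name(msg, offset) + 4
    addrs = []
    for _ in range(ancount):
        offset = _skip_name(msg, offset)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        if rtype == DNS_TYPE_A and rclass == DNS_CLASS_IN and rdlen == 4:
            addrs.append(socket.inet_ntoa(msg[offset:offset + 4]))
        offset += rdlen
    return rcode, addrs


def _recv_exact(sock, n):
    """Read exactly n bytes from a TCP socket or fail."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed before the full message arrived")
        buf += chunk
    return buf


def probe(server, name, proto, timeout=3.0):
    """Query `server` for the A record of `name` over "udp" or "tcp".

    Returns (ok, detail): ok is True when a well-formed response arrived;
    detail is the parsed answer or the reason for the failure.
    """
    qid = 0x1234
    query = build_query(name, qid)
    try:
        if proto == "udp":
            with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
                s.settimeout(timeout)
                s.sendto(query, (server, 53))
                data, _ = s.recvfrom(4096)
        else:
            # DNS over TCP prefixes each message with a two-byte big-endian length.
            with socket.create_connection((server, 53), timeout=timeout) as s:
                s.sendall(struct.pack("!H", len(query)) + query)
                (length,) = struct.unpack("!H", _recv_exact(s, 2))
                data = _recv_exact(s, length)
        rcode, addrs = parse_a_records(data, qid)
        return True, {"rcode": rcode, "addresses": addrs}
    except (OSError, ValueError) as exc:
        return False, f"{exc.__class__.__name__}: {exc}"


def classify(tcp_ok, udp_ok):
    """Turn the two probe outcomes into the diagnosis the thread is after."""
    if tcp_ok and udp_ok:
        return "both transports answer: the name server is reachable"
    if tcp_ok and not udp_ok:
        return "TCP answers but UDP times out: UDP/53 is dropped on the path (router, NAT or ISP filter)"
    if udp_ok and not tcp_ok:
        return "UDP answers but TCP fails: TCP/53 is blocked; large or truncated answers will fail"
    return "no answer on either transport: nothing listening on the public address or all of port 53 is filtered"


# Constructed sample response (id 0x1234, flags qr aa rd ra, one A record),
# shaped like the dig answer quoted in the thread; used only for offline checks.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0x1234, 0x8580, 1, 1, 0, 0)
    + b"\x0felektrikakademi\x03com\x00" + struct.pack("!HH", DNS_TYPE_A, DNS_CLASS_IN)
    + b"\xc0\x0c" + struct.pack("!HHIH", DNS_TYPE_A, DNS_CLASS_IN, 3600, 4)
    + bytes([95, 70, 147, 170])
)

if __name__ == "__main__":
    # usage: python dnsprobe.py <server-ip> <domain>
    srv, dom = sys.argv[1], sys.argv[2]
    results = {p: probe(srv, dom, p) for p in ("tcp", "udp")}
    for p, (ok, detail) in results.items():
        print(f"{p.upper():3} {'OK ' if ok else 'FAIL'} {detail}")
    print(classify(results["tcp"][0], results["udp"][0]))
```

Run it from a host outside the server's network, because a probe from the server itself (like the dig at the end of this thread) only proves the daemon is listening, not that the ISP or router passes UDP/53. A response with a non-zero rcode still counts as "transport works": the point of the comparison is reachability, not whether the zone is correct.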
 
Yes. 53 is already in there.
 
The commands used to detect it can be seen in post #11.

I got this answer inside server

root@emre:/# dig +notcp A elektrikakademi.com @95.70.147.170

; <<>> DiG 9.18.30-0ubuntu0.24.04.2-Ubuntu <<>> +notcp A elektrikakademi.com @95.70.147.170
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21788
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 2f3b5a9967f4f0ad01000000686c1817264808f3f04840e9 (good)
;; QUESTION SECTION:
;elektrikakademi.com. IN A

;; ANSWER SECTION:
elektrikakademi.com. 3600 IN A 95.70.147.170

;; Query time: 0 msec
;; SERVER: 95.70.147.170#53(95.70.147.170) (UDP)
;; WHEN: Mon Jul 07 18:55:19 UTC 2025
;; MSG SIZE rcvd: 92

So what do you think? Does the problem stem from the ISP, or is something else on the server blocking communication?
 
Might have to contact your ISP then and request that they open port 53 UDP, if they haven't yet opened it.

I am not getting anything here; it looks like your DNS is resolving locally for that specific domain. I can't reach it from a UK-based server or a German-based server.

 
OK. I will open a ticket with my ISP to unblock UDP port 53. I will write the result here. If you have any idea for solving this problem, please help me :D
 