[AC66/380.70] Query Against External DNS Servers Fails Only For Some Domains, And Only From Router

[GokieKS]

I'm having some really weird DNS issues that I can't figure out, which is driving me insane (and also with shame, seeing as how networking is part of my job). So I want to see if anyone can think of something that I'm missing.

The problem: DNS queries for many (but not all) sites, including seemingly all federal .gov ones*, are not working.
*: it seems the issue doesn't apply to ALL .gov domains - state domains (ca.gov, texas.gov, michigan.gov) seem to work fine, but all the federal ones I tried (state.gov, nasa.gov, treasury.gov, supremecourt.gov) don't.

Configuration: ASUS RT-AC66 running 380.70, configured to use the CloudFlare 1.1.1.1 / 1.0.0.1 as DNS servers. Clients do not have DNS servers specifically configured, thus they use the router.

Findings:

From my client desktop, DNS queries will fail when using the default DNS server (router), but if I run the query against the 1.1.1.1 DNS server, it works:

$ nslookup nasa.gov
Server: 192.168.1.1
Address: 192.168.1.1#53

** server can't find nasa.gov: SERVFAIL

$ nslookup nasa.gov 1.1.1.1
Server: 1.1.1.1
Address: 1.1.1.1#53

Non-authoritative answer:
Name: nasa.gov
Address: 52.0.14.116
Name: nasa.gov
Address: 23.22.39.120

So this would seem to indicate it's an issue with the router, likely the DNS forwarding. However, and this is the part that's weird, DNS queries made from the router against 1.1.1.1 also does not work:

RT-AC66R:/tmp/home/root# nslookup nasa.gov
Server:    127.0.0.1
Address 1: 127.0.0.1 localhost.localdomain

nslookup: can't resolve 'nasa.gov'

RT-AC66R:/tmp/home/root# nslookup nasa.gov 1.1.1.1
Server:    1.1.1.1
Address 1: 1.1.1.1 one.one.one.one

nslookup: can't resolve 'nasa.gov'

But DNS queries against some other domains appears to work just fine from the router:

RT-AC66R:/tmp/home/root# nslookup google.com
Server:    127.0.0.1
Address 1: 127.0.0.1 localhost.localdomain

Name:      google.com
Address 1: 2607:f8b0:4000:80f::200e dfw25s16-in-x0e.1e100.net
Address 2: 216.58.194.142 dfw06s49-in-f142.1e100.net

kai@RT-AC66R:/tmp/home/root# nslookup google.com 1.1.1.1
Server:    1.1.1.1
Address 1: 1.1.1.1 one.one.one.one

Name:      google.com
Address 1: 2607:f8b0:4000:80f::200e dfw25s16-in-x0e.1e100.net
Address 2: 216.58.194.142 dfw06s49-in-f142.1e100.net

And this issue is not specific to Cloudflare's DNS servers. I've tried using Google's 8.8.8.8 instead, and the results are exactly the same

Working from client:

$ nslookup nasa.gov 8.8.8.8
Server: 8.8.8.8
Address: 8.8.8.8#53

Non-authoritative answer:
Name: nasa.gov
Address: 23.22.39.120
Name: nasa.gov
Address: 52.0.14.116

Not working from router for nasa.gov:

RT-AC66R:/tmp/home/root# nslookup nasa.gov 8.8.8.8
Server:    8.8.8.8
Address 1: 8.8.8.8 google-public-dns-a.google.com

nslookup: can't resolve 'nasa.gov'

But working from router for google.com:

RT-AC66R:/tmp/home/root# nslookup google.com 8.8.8.8
Server:    8.8.8.8
Address 1: 8.8.8.8 google-public-dns-a.google.com

Name:      google.com
Address 1: 2607:f8b0:4000:80c::200e dfw06s48-in-x0e.1e100.net
Address 2: 172.217.6.174 dfw25s17-in-f174.1e100.net

So, at this point I'm pretty stumped. I've tried everything I can think of (restarting dnsmasq service, restarting the router, restarting the modem), to no avail. If anyone has any ideas or can think of something I might be missing, I would love to know.

 

[RMerlin]

If you have DNSSEC enabled try disabling it.

 

[Zonkd]

Go by process of elimination? My last ditch troubleshooting method is to backup settings and then factory reset router and step by step go through setup to see when the problems begin.

 

[GokieKS]

If you have DNSSEC enabled try disabling it.

This turned out to be it. I saw your other post about changed signature key and added the custom script for the new signature and it worked. Thanks for your help!