Strange DNS Issue w/ RT6600ax

Mokers

Regular Contributor
I have a strange DNS issue with my network. There is no real impact because I have a workaround and it only affects some devices.

ISP: Comcast (Bay Area, CA)
Router: Synology RT6600ax
DNS: 9.9.9.9

For some reason this configuration has some sort of problem on iOS and iPadOS resolving some names. In particular, it has trouble resolving https://www.americastestkitchen.com - something particularly useful to me during this time of year! Every single other device in the house, including macOS, Windows, Android and Chrome, has no trouble with this configuration. This is not the end of the world, there are other DNS servers out there, but I like Quad9 for security and privacy. Plus as somebody who always taps the "Did you check DNS?" sign in the office when things happen, I feel like the DNS spirits are out to get me.

  • Problem persists in every browser as well as the ATK app.
  • Problem resolves itself after changing to any other DNS I have tested (Google, OpenDNS, Cloudflare, ISP)
  • Problem persists no matter which safe browsing settings (hide my ip, etc) are disabled
Admittedly, I haven't exhausted all options because my alternative is to use Control-D. But wondering if anybody has seen anything similar to this in their home setup.
 
FWIW, that site is not blocked by Quad9.
 
It intermittently fails to resolve on Quad9 however.
Code:
root@router:~# dig @9.9.9.9 www.americastestkitchen.com.

; <<>> DiG 9.20.0 <<>> @9.9.9.9 www.americastestkitchen.com.
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 749
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;www.americastestkitchen.com.   IN      A

;; ANSWER SECTION:
www.americastestkitchen.com. 4  IN      A       52.223.46.195
www.americastestkitchen.com. 4  IN      A       3.33.193.101
www.americastestkitchen.com. 4  IN      A       15.197.246.237
www.americastestkitchen.com. 4  IN      A       99.83.183.127

;; Query time: 20 msec
;; SERVER: 9.9.9.9#53(9.9.9.9) (UDP)
;; WHEN: Fri Nov 29 23:43:59 EST 2024
;; MSG SIZE  rcvd: 120

root@router:~# dig @9.9.9.9 www.americastestkitchen.com.

; <<>> DiG 9.20.0 <<>> @9.9.9.9 www.americastestkitchen.com.
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 58045
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
; EDE: 22 (No Reachable Authority): (delegation americastestkitchen.com)
;; QUESTION SECTION:
;www.americastestkitchen.com.   IN      A

;; Query time: 140 msec
;; SERVER: 9.9.9.9#53(9.9.9.9) (UDP)
;; WHEN: Fri Nov 29 23:44:01 EST 2024
;; MSG SIZE  rcvd: 96
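
Added example, not part of any post in this thread: a small Python triage helper that parses repeated `dig` responses like the two above and buckets each one by its Extended DNS Error code (RFC 8914), so a resolver that could not reach the authoritative servers (EDE 22, as in the SERVFAIL above) is told apart from a DNSSEC validation failure or a policy block. It goes beyond the single case shown by covering the other EDE code groups; the function names are hypothetical and the sample strings are trimmed copies of the output above.

```python
import re

# EDE info-codes from RFC 8914, grouped by what they tell an operator.
EDE_CLASS = {
    **{c: "dnssec_validation" for c in (1, 2, 5, 6, 7, 8, 9, 10, 11, 12)},
    **{c: "policy_block" for c in (15, 16, 17, 18)},
    **{c: "upstream_unreachable" for c in (22, 23)},
}
HEADER_RE = re.compile(r"status:\s*(\w+),\s*id:\s*(\d+)")
COUNT_RE = re.compile(r"ANSWER:\s*(\d+)")
EDE_RE = re.compile(r"^;\s*EDE:\s*(\d+)\s*\(([^)]*)\)", re.M)

def parse_dig(text):
    """Extract status, answer count and EDE codes from one dig response."""
    header = HEADER_RE.search(text)
    if header is None:
        raise ValueError("no ->>HEADER<<- line; not a dig response")
    count = COUNT_RE.search(text)
    return {
        "status": header.group(1),
        "answers": int(count.group(1)) if count else 0,
        "ede": [(int(c), label) for c, label in EDE_RE.findall(text)],
    }

def classify(resp):
    """Map one parsed response to a triage bucket."""
    if resp["status"] == "NOERROR" and resp["answers"] > 0:
        return "resolved"
    for code, _ in resp["ede"]:
        if code in EDE_CLASS:
            return EDE_CLASS[code]
    return "unexplained_" + resp["status"].lower()

def summarize(responses):
    """Count triage buckets across repeated queries for the same name."""
    tally = {}
    for text in responses:
        bucket = classify(parse_dig(text))
        tally[bucket] = tally.get(bucket, 0) + 1
    return tally

# Sample input: header, flags and EDE lines trimmed from the two responses above.
OK = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 749
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1
"""
FAIL = """;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 58045
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
; EDE: 22 (No Reachable Authority): (delegation americastestkitchen.com)
"""
print(summarize([OK, FAIL]))
```
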
 
FWIW, that site is not blocked by Quad9.
That is the strange part. I can reach the site on every other device in the house, so I know it is not Quad9. It's something in iOS, but I can't figure out what it could be. I'm not doing any filtering on the router.
 
It intermittently fails to resolve on Quad9 however.

works fine here...

Code:
sfx@blaster:~$ dig @9.9.9.9 www.americastestkitchen.com

; <<>> DiG 9.18.28-0ubuntu0.22.04.1-Ubuntu <<>> @9.9.9.9 www.americastestkitchen.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64155
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;www.americastestkitchen.com.    IN    A

;; ANSWER SECTION:
www.americastestkitchen.com. 20    IN    A    3.33.193.101
www.americastestkitchen.com. 20    IN    A    15.197.246.237
www.americastestkitchen.com. 20    IN    A    52.223.46.195
www.americastestkitchen.com. 20    IN    A    99.83.183.127

;; Query time: 21 msec
;; SERVER: 9.9.9.9#53(9.9.9.9) (UDP)
;; WHEN: Sat Nov 30 17:17:12 PST 2024
;; MSG SIZE  rcvd: 120

sfx@blaster:~$ dig @9.9.9.9 www.americastestkitchen.com

; <<>> DiG 9.18.28-0ubuntu0.22.04.1-Ubuntu <<>> @9.9.9.9 www.americastestkitchen.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10705
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;www.americastestkitchen.com.    IN    A

;; ANSWER SECTION:
www.americastestkitchen.com. 17    IN    A    3.33.193.101
www.americastestkitchen.com. 17    IN    A    15.197.246.237
www.americastestkitchen.com. 17    IN    A    52.223.46.195
www.americastestkitchen.com. 17    IN    A    99.83.183.127

;; Query time: 18 msec
;; SERVER: 9.9.9.9#53(9.9.9.9) (UDP)
;; WHEN: Sat Nov 30 17:17:15 PST 2024
;; MSG SIZE  rcvd: 120
 

Looking at it, the site is hosted on a consumer connection the wrong way. So it's not going to pass the DNSSEC security checks of Quad9 because it might flag it as a site that has no real origin. This is why dynamic DNS hosting should be only used for VPNs and remote desktop access.

I really don't understand why anyone would host a web site in the US on their own home connection when there is a lot of inexpensive hosting out there that is $5/mo. or less as long as you ignore the go daddys/blue ocean/gators/amazon web hosts. There are thousands of other people that sell hosting.

What you need to do is add different DNS servers that don't check DNSSEC origin like Google DNS. That is why you are having issues with that site. I would program Google DNS as the second or backup DNS so it would fall back to Google if Quad9 doesn't resolve it.
 