Hetzner default nameservers not always resolving
I have a couple of Hetzner 'root servers' (as they call them: dedicated, co-located Linux machines) and all of them experience the same problem (which I simply do not fully understand).
The domain www.dnsblchile.org does not want to resolve to an IP (the servers are installed from Hetzner's own Debian Jessie images). All other domains of course resolve properly (I did not experience any problems before with any other domains resolving, or I did not spot it before).
When I test nslookup -type=A www.dnsblchile.org
I get:
;; Got SERVFAIL reply from 213.133.98.98, trying next server
;; Got SERVFAIL reply from 213.133.99.99, trying next server
Server: 213.133.100.100
Address: 213.133.100.100#53
** server can't find www.dnsblchile.org: SERVFAIL
So NO proper answer here, but when I try using 8.8.8.8 (Google) as the nameserver, like nslookup -type=A www.dnsblchile.org 8.8.8.8
I get:
Server: 8.8.8.8
Address: 8.8.8.8#53
Non-authoritative answer:
Name: www.dnsblchile.org
Address: 66.23.231.212
So everything is OK here and I get a proper IP.
The content of /etc/resolv.conf (default after installation) is:
### Hetzner Online GmbH installimage
# nameserver config
nameserver 213.133.98.98
nameserver 213.133.99.99
nameserver 213.133.100.100
If I add 8.8.8.8 as a new entry to /etc/resolv.conf, all is working just fine as well.
Now, is something wrong on the Hetzner nameservers' configuration side, or shall I just use the 8.8.8.8 nameserver instead (as a good practice)?
I have been talking to Hetzner support for two days already but have no common ground here, hearing that their nameservers are all perfectly fine.
Shall their own nameservers properly resolve the www.dnsblchile.org domain as well?
Update from support:
..but as the domain is using nameservers which are not allowing requests from our resolvers, the domain cannot be resolved. If you want to resolve the domain you have to use other resolvers or maybe own resolvers, which are allowed to request the nameservers of the domain
Now, may their nameservers be 'blocked' like they say (I'm not an expert here)?
Also, is it a common practice (as the answer below suggests) to use e.g. the Google name server and just skip the Hetzner nameservers setup?
Would I just add the Google name server to the list (at the top or bottom of the /etc/resolv.conf file), and shall I remove the Hetzner nameservers (or leave them)?
Solution 1:
I don't understand why you are still trying to use the Hetzner DNS servers if they are demonstrably not working correctly. Just update your /etc/resolv.conf appropriately and get on with your life.
I usually chuck 8.8.8.8 and 8.8.4.4 (or 2001:4860:4860::8888, 2001:4860:4860::8844) in and forget about it.
Solution 2:
See also: https://cwiki.apache.org/confluence/display/SPAMASSASSIN/CachingNameserver for a lot of good options to avoid this problem, e.g. by installing a local caching DNS server such as unbound.
After you make sure it starts upon reboot, make sure to change /etc/resolv.conf to begin with:
nameserver 127.0.0.1
Finally, make sure your server is not overwriting this setting (e.g. a DHCP client may overwrite it) by making the file immutable:
sudo chattr +i /etc/resolv.conf
Or add the following line to /etc/dhcp/dhclient.conf:
supersede domain-name-servers 127.0.0.1;
Or use other solutions, as described here: https://www.cyberciti.biz/faq/dhclient-etcresolvconf-hooks/
Let's block all spam mails :-)
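An added example, not part of the original question or answers: a small Python check that sends the same A query to every resolver in a resolv.conf-style file and reports each response code, so the SERVFAIL-versus-answer difference from the question (or a local resolver on 127.0.0.1) can be compared per server. The function names are hypothetical; the hostname and 8.8.8.8 are the ones used on this page.

```python
import secrets
import socket
import struct

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def nameservers(resolv_conf_text):
    """Return the nameserver addresses from resolv.conf-style text, in order."""
    servers = []
    for line in resolv_conf_text.splitlines():
        fields = line.split("#", 1)[0].split()  # drop comments, split on whitespace
        if len(fields) >= 2 and fields[0] == "nameserver":
            servers.append(fields[1])
    return servers

def build_query(name, txid):
    """Build a DNS query for the A record of `name` with recursion desired (RD=1)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = [bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split(".")]
    return header + b"".join(labels) + b"\x00" + struct.pack("!HH", 1, 1)  # A, IN

def parse_reply(reply, txid):
    """Return (rcode name, answer count) from the 12-byte DNS reply header."""
    if len(reply) < 12:
        raise ValueError("short DNS reply")
    rid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", reply[:12])
    if rid != txid or not flags & 0x8000:  # wrong transaction id or QR bit unset
        raise ValueError("not a reply to our query")
    return RCODES.get(flags & 0x000F, str(flags & 0x000F)), ancount

def check(name, servers, timeout=3.0):
    """Query each server over UDP port 53; return {server: (rcode, answers or error)}."""
    results = {}
    for server in servers:
        txid = secrets.randbelow(0x10000)  # unpredictable id per query
        family = socket.AF_INET6 if ":" in server else socket.AF_INET
        with socket.socket(family, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            try:
                s.sendto(build_query(name, txid), (server, 53))
                results[server] = parse_reply(s.recvfrom(512)[0], txid)
            except (OSError, ValueError) as exc:  # timeout, unreachable, bad reply
                results[server] = ("ERROR", str(exc))
    return results

if __name__ == "__main__":
    with open("/etc/resolv.conf") as f:
        servers = nameservers(f.read()) + ["8.8.8.8"]  # public resolver for comparison
    for server, result in check("www.dnsblchile.org", servers).items():
        print(server, *result)
```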