Bonjour,
I am wondering why some DNS servers are available and some others are not if I set them in resolv.conf (or other DNS config files)?
For instance this can be seen using dig:
dig @8.8.8.8 sci-hub.se returns:
; <<>> DiG 9.18.28 <<>> @8.8.8.8 sci-hub.se
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40528
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;sci-hub.se. IN A

;; ANSWER SECTION:
sci-hub.se. 33 IN A 186.2.163.219

;; Query time: 31 msec
;; SERVER: 8.8.8.8#53(8.8.8.8) (UDP)
;; WHEN: Wed Apr 23 19:11:41 CEST 2025
;; MSG SIZE rcvd: 55
And dig @80.67.169.12 sci-hub.se returns:
;; communications error to 80.67.169.12#53: host unreachable
;; communications error to 80.67.169.12#53: timed out
;; communications error to 80.67.169.12#53: timed out

; <<>> DiG 9.18.28 <<>> @80.67.169.12 sci-hub.se
; (1 server found)
;; global options: +cmd
;; no servers could be reached
while this server is working (and is a dns server):
ping 80.67.169.12
PING 80.67.169.12 (80.67.169.12) 56(84) octets de données.
64 octets de 80.67.169.12 : icmp_seq=1 ttl=52 temps=25.9 ms
64 octets de 80.67.169.12 : icmp_seq=2 ttl=52 temps=25.3 ms
64 octets de 80.67.169.12 : icmp_seq=3 ttl=52 temps=26.1 ms
64 octets de 80.67.169.12 : icmp_seq=4 ttl=52 temps=26.0 ms
On 23.04.2025 at 19:15:45, François Patte wrote:
I am wondering why some DNS servers are available and some others are not if I set them in resolv.conf (or other DNS config files)?
Some might be public servers and others might not be accessible to the public by design (UDP DNS can be used for amplification attacks).
And dig @80.67.169.12 sci-hub.se returns:
;; communications error to 80.67.169.12#53: host unreachable
;; communications error to 80.67.169.12#53: timed out
;; communications error to 80.67.169.12#53: timed out
Same for me.
while this server is working (and is a dns server):
ping 80.67.169.12
PING 80.67.169.12 (80.67.169.12) 56(84) octets de données.
64 octets de 80.67.169.12 : icmp_seq=1 ttl=52 temps=25.9 ms
This is the ICMP echo request. It confirms that this server is reachable, but it doesn't indicate that it provides a public DNS resolver at all. Please ask the operator of this server if it is intended as a public server.
If not, choose another or run your own.
On 23/04/2025 at 19:19, Marco Moock wrote:
On 23.04.2025 at 19:15:45, François Patte wrote:
I am wondering why some DNS servers are available and some others are not if I set them in resolv.conf (or other DNS config files)?
Some might be public servers and others might not be accessible to the public by design (UDP DNS can be used for amplification attacks).
And dig @80.67.169.12 sci-hub.se returns:
;; communications error to 80.67.169.12#53: host unreachable
;; communications error to 80.67.169.12#53: timed out
;; communications error to 80.67.169.12#53: timed out
Same for me.
while this server is working (and is a dns server):
ping 80.67.169.12
PING 80.67.169.12 (80.67.169.12) 56(84) octets de données.
64 octets de 80.67.169.12 : icmp_seq=1 ttl=52 temps=25.9 ms
This is the ICMP echo request. It confirms that this server is reachable, but it doesn't indicate that it provides a public DNS resolver at all. Please ask the operator of this server if it is intended as a public server.
It is a public server:
https://www.fdn.fr/actions/dns/ (sorry, in French)
F.P.
On 23.04.2025 at 19:26:53, François Patte wrote:
It is a public server:
https://www.fdn.fr/actions/dns/ (sorry, in French)
It doesn't work, I also tried the other addresses they listed. It gave me an ICMPv6 prohibited, so their firewall is improperly configured.
Contact the operator, you can't fix that.
On 4/23/25 10:15, François Patte wrote:
Bonjour,
Bonjour,
I am wondering why some DNS servers are available and some others are not if I set them in resolv.conf (or other DNS config files)?
The nameservers in resolv.conf will be tried.
And dig @80.67.169.12 sci-hub.se returns:
;; communications error to 80.67.169.12#53: host unreachable
;; communications error to 80.67.169.12#53: timed out
;; communications error to 80.67.169.12#53: timed out
Checking with telnet on ports 53 and 853 on ns0.fdn.fr. gives the following reply:
telnet ns0.fdn.fr. 853
Trying 80.67.169.12...
Connected to ns0.fdn.fr..
Escape character is '^]'.
Connection closed by foreign host.
That shows that there is some kind of server there and that it answers on the standard DNS ports. It just doesn't reply to any requests.
Perhaps misconfigured?
The dig utility you're using says that the (supposed) DNS server at that address and port is not giving a valid DNS response, nor does it return any response within the timeout period.
By the way, the server at 80.67.169.40 (ns1.fdn.fr) is behaving the same way.
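An added example, not from anyone in this thread: it does in one script what dig and telnet do separately above, sending a real DNS query over UDP/53, TCP/53 or DoT on 853 and parsing whatever comes back, so "TCP connection accepted but no DNS answer" is reported the same way as "address unreachable" (both give None) while a real reply yields the rcode and the A records. The query id, the sample response in the test and the DoT certificate name are constructed assumptions; for DoT, tls_name must be the name the server's certificate carries.

```python
import socket, ssl, struct
def build_query(name, qid=0x9E50, qtype=1):
    """Minimal DNS wire query (RD=1, no EDNS); the id is a constructed constant."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = [l.encode() for l in name.rstrip(".").split(".")]
    return header + b"".join(bytes([len(l)]) + l for l in labels) + b"\x00" + struct.pack("!HH", qtype, 1)

def _skip_name(data, off):  # offset just past a name; a 0xC0 pointer ends it in 2 bytes
    while data[off] and data[off] & 0xC0 != 0xC0:
        off += data[off] + 1
    return off + (2 if data[off] & 0xC0 == 0xC0 else 1)

def parse_response(data, qid=0x9E50):
    """Return (rcode name, [IPv4 answers]); 'BADID' if the id is not the one we sent."""
    rid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", data[:12])
    if rid != qid:
        return "BADID", []
    status = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}.get(flags & 0xF, "RCODE%d" % (flags & 0xF))
    off, addrs = 12, []
    for _ in range(qd):                       # skip the echoed question
        off = _skip_name(data, off) + 4
    for _ in range(an):                       # walk answer RRs, keep A records
        off = _skip_name(data, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in data[off:off + 4]))
        off += rdlen
    return status, addrs

def probe(ip, name, transport="udp", timeout=3.0, tls_name=None):
    """One query over 'udp' (53), 'tcp' (53) or 'dot' (TLS on 853, needs tls_name).
    None means no usable reply: timeout, port closed, or a TCP session closed without answering."""
    q = build_query(name)
    try:
        if transport == "udp":
            with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
                s.settimeout(timeout)
                s.sendto(q, (ip, 53))
                data = s.recv(4096)
        else:
            s = socket.create_connection((ip, 853 if transport == "dot" else 53), timeout)
            if transport == "dot":
                s = ssl.create_default_context().wrap_socket(s, server_hostname=tls_name)
            with s, s.makefile("rb") as f:
                s.sendall(struct.pack("!H", len(q)) + q)   # TCP DNS is length-prefixed
                data = f.read(struct.unpack("!H", f.read(2))[0])
        return parse_response(data)
    except (OSError, struct.error, IndexError):   # unreachable, refused, timed out, closed, truncated
        return None
```

probe("80.67.169.12", "sci-hub.se", "dot", tls_name="ns0.fdn.fr") repeats the port-853 check from the telnet session above; a server that accepts the TCP connection and then closes it returns None, exactly like one that never answers on UDP.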
On Wed, 2025-04-23 at 12:45 -0700, Mike Wright wrote:
That shows that there is some kind of server there and that it answers on the standard DNS ports. It just doesn't reply to any requests.
Or is it region-fenced? Allowing local (to it) usage, not world-wide.
On 4/23/25 22:39, Tim via users wrote:
On Wed, 2025-04-23 at 12:45 -0700, Mike Wright wrote:
That shows that there is some kind of server there and that it answers on the standard DNS ports. It just doesn't reply to any requests.
Or is it region-fenced? Allowing local (to it) usage, not world-wide.
Could be. But François is in France as is fdn.fr.
Tim:
Or is it region-fenced? Allowing local (to it) usage, not world-wide.
Mike Wright:
Could be. But François is in France as is fdn.fr.
https://www.fdn.fr/renforcement-serveurs-dns-2025/
Auto-translation of that page comes up with this:
------------- begin paste ----------------
Reinforcement of protections for FDN open recursive DNS servers
15 March 2025 by Eric
In order to protect our DNS servers from an ongoing DDoS attack on our network, we have just drastically strengthened their protection measures. This enhanced protection will remain in place for an indefinite period, until the attack ceases.
What are the consequences for people using our DNS services?
None for members of the FDN and FFDN; None for people outside our networks using our DoT and DoH services; An unavailability of our DNS services for the rest of the world.
How can we continue to use our DNS services outside the FDN and FFDN networks? By configuring your routers, boxes or browsers to activate the DoT and DoH services. See our configuration information.
What if that is not possible? We then invite you to use other alternative open recursive DNS servers, a non-exhaustive list of which is available on the Wiki from sebsauvage.net.
Thank you for your understanding.
---------------- end paste ------------
So you may need to be some kind of member, or within a specific network, to use some of their servers. An open DNS server doesn't have to be completely open to everyone.
DoH and DoT are not the traditional methods used to query DNS servers, you'll need different configuration to use them. I'm not sure what can use *them* beyond a web browser. And I have my misgivings about them being the panacea some suggest they are. For one thing, they circumvent many protective measures we use at the moment.
My DNS server blocks some known problem domains, but they only block regular DNS requests. Likewise with ISP DNS servers. So, if protection is what you want, you'd need to find a DoH server which offers it.