Some domain names are not available in AirVPN DNS

[membrane 0]

Not sure if I'm just doing something wrong but: connected to AirVPN via Eddie everything works as expected, except some domains can not be resolved through AirVPN dns, for example "parabox.game".

Without AirVPN:

; <<>> DiG 9.18.5 <<>> parabox.game
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 563
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;parabox.game.                  IN      A

;; ANSWER SECTION:
parabox.game.           14400   IN      A       109.232.216.113

;; Query time: 79 msec
;; SERVER: 9.9.9.10#53(9.9.9.10) (UDP)
;; WHEN: Thu Sep 01 xx:xx:xx CEST 2022
;; MSG SIZE  rcvd: 57


With AirVPN:

; <<>> DiG 9.18.5 <<>> parabox.game
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 14200
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;parabox.game.                  IN      A

;; Query time: 4733 msec
;; SERVER: 10.13.194.1#53(10.13.194.1) (UDP)
;; WHEN: Thu Sep 01 xx:xx:xx CEST 2022
;; MSG SIZE  rcvd: 41



 

[OpenSourcerer 1435]

That's odd, their DNS servers are configured properly. Usually, when something like this happened it was the website's DNS having some errors, like parent nameservers not containing the name you're trying to resolve.
Can you to a +trace?

[membrane 0]

; <<>> DiG 9.18.5 <<>> parabox.game +trace                        
;; global options: +cmd                                                                                                                      
.                       80001   IN      NS      g.root-servers.net.                                                                                                                                                                                                                       
.                       80001   IN      NS      c.root-servers.net.
.                       80001   IN      NS      d.root-servers.net.
.                       80001   IN      NS      f.root-servers.net.
.                       80001   IN      NS      l.root-servers.net.                                                                                                                                                                                                                       
.                       80001   IN      NS      a.root-servers.net.
.                       80001   IN      NS      b.root-servers.net.
.                       80001   IN      NS      j.root-servers.net.
.                       80001   IN      NS      i.root-servers.net.
.                       80001   IN      NS      h.root-servers.net.
.                       80001   IN      NS      e.root-servers.net.
.                       80001   IN      NS      k.root-servers.net.
.                       80001   IN      NS      m.root-servers.net.
.                       80001   IN      RRSIG   NS 8 0 518400 20220913210000 20220831200000 20826 . HCE+lqUS3Vgf+DDA3U+SZzcjVUdGUYWl7pOt4ujuQWFZHusDoYiIkewU fBGrCdQNIH2TVTakJbUtW1qSM8u3mVTg90/AH/5Rv5JIxOoNkXl3giKC XS3vmxnV0ht2J5zMCOYIbeHs95LnoLFwGu1N0CjadPFg/yNdZxmPriod haXmIXcw8gJ
T0VtOB4E92UImItwh11JBZsz8H8ntJbf7opdEqhGsG/Mq cemaNayj4HEr5bodBMSrxPtuelbnFL1JJtlkz+9oQQZqZAPgCZ5SEcXw ixXO96drPlCdG6yR2pdIoSgyp4T5h44r3bTeWRz9qwJJb0Q4nELLebkm m6WPFg==
;; Received 525 bytes from 10.13.194.1#53(10.13.194.1) in 43 ms

game.                   172800  IN      NS      a.nic.game.
game.                   172800  IN      NS      c.nic.game.
game.                   172800  IN      NS      b.nic.game.
game.                   172800  IN      NS      d.nic.game.
game.                   86400   IN      DS      39133 5 1 FB1F7E5D4D62AA9F930B77A9494BB3B04D84340A
game.                   86400   IN      DS      32929 5 1 AC35DD8C5C6E00427FCE4432F9F817D54C5DBB9F
game.                   86400   IN      DS      4126 5 2 F69BE762D422754930EE00176F377AB6A7FF074A48B2076A6F0CEE71 1D97001D
game.                   86400   IN      DS      4126 5 1 0BFD20235875E18EE7D8B0FAD0A9F566D296CB09
game.                   86400   IN      DS      32929 5 2 C7602F661849EF5422CB5E5D7CCC91E7EA8344C7FD20F0E43A198CC6 99EC895C
game.                   86400   IN      DS      39133 5 2 ECA12999E650C648FEABAB0AA1870D10D6E9F6316FA609B126C98477 F964C6A4
game.                   86400   IN      RRSIG   DS 8 1 86400 20220913210000 20220831200000 20826 . LFk49B/zOSD5SXno+1bGVTcKFCh8o4kk0ZeNvWzN4ZFdUwnTUzWJlAZJ YYZLCOM1hBjIiMCKLimA9DT3lj4FSVx98WqPgVuSO/Uyglodq+r7FTql JzFod8kDYAyaDYO3ipqZ6oisy1dx985EIdZxrEyPB0mYmf21EyNK8c1F 7E1NCLF24KkT
gP9llBQw5J2RV8RFzMggJESeDraVlGcQ6ruyJx8DnX01 V6Kn9qJ8aS16A6uITlpGdeoP+30dQw+anaoVTJHy8dOCImY3EPKDimt8 JNQhsv9NjQJI8Jy9fF8x00Z4c0yzEd9OkE3gwxlVZi1Jnkk5LiK/ipSe K8W+8w==
;; Received 828 bytes from 202.12.27.33#53(m.root-servers.net) in 56 ms

parabox.game.           3600    IN      NS      cpns1.turhost.com.
parabox.game.           3600    IN      NS      cpns2.turhost.com.
parabox.game.           3600    IN      NSEC    parade.game. NS RRSIG NSEC
parabox.game.           3600    IN      RRSIG   NSEC 5 2 3600 20220908153637 20220809042014 11877 game. dkDJZsjlmMzWgrPcJGKJ6JbmjcbcNkL/eGbaOrPhkfVKWSTERpl+dhqa ptinN6LhNfRAZzljKRVFwfXMFZR046YCPHMi+8xkFE0LRXoo+Eu2bvyG wtlmJsCdyTUSJ8hZdwCEn+XbVEL7m/IdQMT9SxZItOGU7cUXSRMaYu4R 3A4=
couldn't get address for 'cpns1.turhost.com': failure
couldn't get address for 'cpns2.turhost.com': failure
dig: couldn't get address for 'cpns1.turhost.com': no more

 

[OpenSourcerer 1435]

21 hours ago, membrane said:

couldn't get address for 'cpns1.turhost.com': failure
couldn't get address for 'cpns2.turhost.com': failure
dig: couldn't get address for 'cpns1.turhost.com': no more

I can confirm this on multiple German servers. AirDNS doesn't seem to be able to resolve either of parabox.game's nameservers (ns1/2.turhost.com), which is of course a necessity since they answer authoritatively for that domain. But I don't see why that wouldn't be possible.

[Staff 9973]

Hello!

Perhaps their DNS servers block our VPN servers (each VPN server runs its own DNS server). Such blatant NN and end-to-end connectivity principle infringement practice is unfortunately more and more common and one of the bad practices which are dismantling the original Internet concept. A couple of years ago GoDaddy authoritative servers blocked all Leaseweb DNS queries, for example, causing worldwide chaos for several days.

We will look into the issue and if confirmed we will try to find a way to circumvent the absurd block.

Kind regards
 

[OpenSourcerer 1435]

Maybe the concept of running separate DNS servers has run its course. It could be more worthwhile to forward DNS requests from all servers to some sort of DNS infrastructure of AirVPN which is hosted with companies you wouldn't associate VPN activities with, and in a way similar to a CDN, ergo, worldwide.
To expand on this, one can even think about offering some sort of DoT/DoH in the future building on this "DNS CDN", helping people who cannot connect to AirVPN against DNS poisoning and other things. Just a thought, though.

[Staff 9973]

4 hours ago, OpenSourcerer said:

Maybe the concept of running separate DNS servers has run its course. It could be more worthwhile to forward DNS requests from all servers to some sort of DNS infrastructure of AirVPN which is hosted with companies you wouldn't associate VPN activities with

Hello!

Yes, probably that's a good solution.  We should maintain the VPN DNS address matching the VPN gateway address (to neutralize as usual the infamous and dangerous route hijack attack) and then internally perform the routing which is necessary. In this way we would save one of the most exclusive AirVPN features and at the same time achieve the purpose to untie the DNS servers from VPN servers.

Kind regards
 

[OpenSourcerer 1435]

Looking forward to what you can cook up there. And even more to test that out at some point