Summary of the problem:
Clients on my network cannot resolve login.live.com.
When running “host login.live.com” they get:
$ host login.live.com
;; communications error to 10.0.0.52#53: end of file
;; Connection to 10.0.0.50#53(10.0.0.50) for login.live.com failed: timed out.
;; communications error to 10.0.0.52#53: end of file
If I then do “dig login.live.com” it does get a valid response, and immediately afterwards “host login.live.com” starts returning a response as well. Then after a while it is back to not working again.
Full output of the host and dig commands below.
What can be the cause of this problem?
How do I fix it? Or even debug it further?
Bind9 does not seem to produce any relevant log details.
Details about my environment:
On my LAN I have two DNS servers:
Main DNS and Pihole.
The main DNS server is a bind9 server running on Debian.
This acts as a DNS server for the LAN and allows resolution of local addresses as well as upstream DNS.
This DNS server is used by most servers and devices on the network.
The address of the main DNS server is 10.0.0.50.
I also have an additional DNS server: pihole.
This is a Raspberry Pi 3 running pihole version 5.8.1.
Pihole acts as a DNS server that blocks DNS requests to a lot of ad networks.
Pihole is configured to use the main DNS server (10.0.0.50) as its upstream DNS server, so that any DNS request that is not explicitly in pihole’s own blacklist is immediately forwarded to the main DNS server.
Pihole address is 10.0.0.52.
The clients are configured with two nameservers in their /etc/resolv.conf:
nameserver 10.0.0.52
nameserver 10.0.0.50
All clients are running Linux. Mostly Debian 10 and 11.
I have verified that pihole does not have any blacklist filter that matches login.live.com. So that is not it.
I have also tried temporarily disabling pihole, but the problem persists.
Full output of dig and host commands on a client:
(root@muscat) (2022-01-20 14:31:59) [0]
~# host login.live.com
;; communications error to 10.0.0.52#53: end of file
;; Connection to 10.0.0.50#53(10.0.0.50) for login.live.com failed: connection refused.
(root@muscat) (2022-01-20 14:32:16) [0]
~# dig login.live.com
; <<>> DiG 9.16.22-Debian <<>> login.live.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52488
;; flags: qr rd ra; QUERY: 1, ANSWER: 12, AUTHORITY: 10, ADDITIONAL: 11
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 0d2944eb18058a23735dde5861e96462433b0a9093dc2ce8 (good)
;; QUESTION SECTION:
;login.live.com. IN A
;; ANSWER SECTION:
login.live.com. 297 IN CNAME login.msa.msidentity.com.
login.msa.msidentity.com. 297 IN CNAME www.tm.lg.prod.aadmsa.akadns.net.
www.tm.lg.prod.aadmsa.akadns.net. 57 IN CNAME prda.aadg.msidentity.com.
prda.aadg.msidentity.com. 297 IN CNAME www.tm.a.prd.aadg.akadns.net.
www.tm.a.prd.aadg.akadns.net. 297 IN A 20.190.160.70
www.tm.a.prd.aadg.akadns.net. 297 IN A 20.190.160.1
www.tm.a.prd.aadg.akadns.net. 297 IN A 20.190.160.135
www.tm.a.prd.aadg.akadns.net. 297 IN A 20.190.160.74
www.tm.a.prd.aadg.akadns.net. 297 IN A 20.190.160.9
www.tm.a.prd.aadg.akadns.net. 297 IN A 20.190.160.72
www.tm.a.prd.aadg.akadns.net. 297 IN A 20.190.160.7
www.tm.a.prd.aadg.akadns.net. 297 IN A 20.190.160.133
;; AUTHORITY SECTION:
akadns.net. 5125 IN NS a11-129.akadns.net.
akadns.net. 5125 IN NS a7-131.akadns.net.
akadns.net. 5125 IN NS a28-129.akagtm.org.
akadns.net. 5125 IN NS a18-128.akagtm.org.
akadns.net. 5125 IN NS a3-129.akadns.net.
akadns.net. 5125 IN NS a12-131.akagtm.org.
akadns.net. 5125 IN NS a1-128.akadns.net.
akadns.net. 5125 IN NS a13-130.akagtm.org.
akadns.net. 5125 IN NS a5-130.akagtm.org.
akadns.net. 5125 IN NS a9-128.akadns.net.
;; ADDITIONAL SECTION:
a1-128.akadns.net. 5125 IN A 193.108.88.128
a3-129.akadns.net. 5125 IN A 96.7.49.129
a5-130.akagtm.org. 48773 IN A 95.100.168.130
a7-131.akadns.net. 5125 IN A 23.61.199.131
a9-128.akadns.net. 5125 IN A 184.85.248.128
a11-129.akadns.net. 5125 IN A 84.53.139.129
a12-131.akagtm.org. 48773 IN A 184.26.160.131
a13-130.akagtm.org. 48773 IN A 2.22.230.130
a18-128.akagtm.org. 48773 IN A 95.101.36.128
a28-129.akagtm.org. 48773 IN A 95.100.173.129
;; Query time: 12 msec
;; SERVER: 10.0.0.52#53(10.0.0.52)
;; WHEN: Thu Jan 20 14:32:18 CET 2022
;; MSG SIZE rcvd: 721
(root@muscat) (2022-01-20 14:32:18) [0]
~# host login.live.com
login.live.com is an alias for login.msa.msidentity.com.
login.msa.msidentity.com is an alias for www.tm.lg.prod.aadmsa.akadns.net.
www.tm.lg.prod.aadmsa.akadns.net is an alias for prda.aadg.msidentity.com.
prda.aadg.msidentity.com is an alias for www.tm.a.prd.aadg.akadns.net.
www.tm.a.prd.aadg.akadns.net has address 20.190.160.133
www.tm.a.prd.aadg.akadns.net has address 20.190.160.7
www.tm.a.prd.aadg.akadns.net has address 20.190.160.72
www.tm.a.prd.aadg.akadns.net has address 20.190.160.9
www.tm.a.prd.aadg.akadns.net has address 20.190.160.74
www.tm.a.prd.aadg.akadns.net has address 20.190.160.135
www.tm.a.prd.aadg.akadns.net has address 20.190.160.1
www.tm.a.prd.aadg.akadns.net has address 20.190.160.70
(root@muscat) (2022-01-20 14:32:20) [0]
~# host login.live.com
;; communications error to 10.0.0.52#53: end of file
;; Connection to 10.0.0.50#53(10.0.0.50) for login.live.com failed: connection refused.
(root@muscat) (2022-01-20 14:33:37) [0]
~# host login.live.com
;; communications error to 10.0.0.52#53: end of file
;; Connection to 10.0.0.50#53(10.0.0.50) for login.live.com failed: connection refused.
(root@muscat) (2022-01-20 14:34:05) [0]
~#
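As an added example that is not part of the original post, the script below probes each resolver named in the question (10.0.0.52 and 10.0.0.50) for login.live.com, once over UDP and once over TCP, using a hand-built wire-format query. It reports each outcome in the same vocabulary as the host errors shown above: "timed out", "connection refused", "end of file" (the TCP peer closed the connection before returning a complete reply), "truncated" (TC bit set in a UDP reply, the condition that makes a client retry over TCP), or "answer". Apart from those two addresses and the name, everything here (function names, the 3-second timeout, the 4096-byte EDNS buffer size) is an assumption of the example.

```python
"""Minimal DNS transport prober (added example, not code from the question).

Builds a raw DNS query, sends it to a resolver over UDP or TCP, and classifies
the result the way `host` reports it, so that a failing (server, transport)
pair can be isolated without depending on what `host` or `dig` choose to do.
"""
import socket
import struct
import random
from typing import Optional


def build_query(name: str, qtype: int = 1, edns_bufsize: Optional[int] = 4096,
                txid: Optional[int] = None) -> bytes:
    """Return a wire-format DNS query (RD set) with an optional EDNS0 OPT record."""
    if txid is None:
        txid = random.randrange(0, 65536)
    flags = 0x0100                       # RD: ask the resolver to recurse
    arcount = 1 if edns_bufsize else 0   # one additional record if EDNS0 is used
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, arcount)
    qname = b"".join(struct.pack("!B", len(label)) + label.encode("ascii")
                     for label in name.rstrip(".").split(".")) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)   # QTYPE, QCLASS=IN
    opt = b""
    if edns_bufsize:
        # OPT RR: root name, type 41, the "class" field carries the UDP payload size
        opt = b"\x00" + struct.pack("!HHIH", 41, edns_bufsize, 0, 0)
    return header + question + opt


def parse_header(msg: bytes) -> dict:
    """Decode the 12-byte DNS header into the fields that matter for diagnosis."""
    if len(msg) < 12:
        raise ValueError("short DNS message")
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": txid,
        "qr": bool(flags & 0x8000),     # response bit
        "tc": bool(flags & 0x0200),     # truncated: client should retry over TCP
        "rd": bool(flags & 0x0100),
        "ra": bool(flags & 0x0080),
        "rcode": flags & 0x000F,        # 0 NOERROR, 2 SERVFAIL, 3 NXDOMAIN, 5 REFUSED
        "ancount": an,
    }


def _recv_exact(sock: socket.socket, n: int) -> Optional[bytes]:
    """Read exactly n bytes from a TCP socket; None if the peer closes early."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            return None
        buf += chunk
    return buf


def probe(server: str, name: str, transport: str = "udp",
          timeout: float = 3.0, edns_bufsize: Optional[int] = 4096) -> dict:
    """Send one query and classify the outcome in host's own vocabulary."""
    query = build_query(name, edns_bufsize=edns_bufsize)
    try:
        if transport == "udp":
            with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
                s.settimeout(timeout)
                s.sendto(query, (server, 53))
                data, _ = s.recvfrom(65535)
        else:
            with socket.create_connection((server, 53), timeout=timeout) as s:
                s.sendall(struct.pack("!H", len(query)) + query)  # TCP length prefix
                raw_len = _recv_exact(s, 2)
                if raw_len is None:
                    return {"status": "end of file"}   # closed before any reply
                (length,) = struct.unpack("!H", raw_len)
                data = _recv_exact(s, length)
                if data is None:
                    return {"status": "end of file"}   # closed mid-reply
    except socket.timeout:
        return {"status": "timed out"}
    except ConnectionRefusedError:
        return {"status": "connection refused"}
    except OSError as exc:                                # e.g. network unreachable
        return {"status": f"error: {exc}"}
    hdr = parse_header(data)
    status = "truncated" if hdr["tc"] else "answer"
    return {"status": status, "rcode": hdr["rcode"],
            "ancount": hdr["ancount"], "size": len(data)}


if __name__ == "__main__":
    # Resolver addresses and the name come from the question; run this from a
    # client during a failing period and again while it works, then compare.
    for server in ("10.0.0.52", "10.0.0.50"):
        for transport in ("udp", "tcp"):
            print(server, transport, probe(server, "login.live.com", transport))
```

Running it on a client both while resolution fails and while it works shows which of the four (server, transport) combinations changes between the two states, and whether the UDP reply arrives with the TC bit set, which is the point at which a client would switch to TCP. Setting edns_bufsize=None sends a plain query without EDNS0, which lets you compare the reply size against the 512-byte classic UDP limit.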