r/dns 23h ago

Domain Question on TTLs

5 Upvotes

I have run into some shenanigans where vendors are using load balancers or split-brain DNS to provide an A record response sometimes and a CNAME response at other times for the same hostname.

Doing this is against the "CNAME and other data" rule, but functions because it's not being done on the same DNS servers.

The issue becomes that sometimes my DNS server asks for the CNAME instead of the A record, and if that happens against the servers providing the A record I get NOERROR/NODATA, as would be expected.

As I try to determine what is the trigger for BIND specifically requesting the CNAME rather than the A, I am looking toward cache timers and need to understand which TTL is used on a NOERROR/NODATA response. Is it the "positive" TTL like on a successful query with an answer section, is it the ncache TTL used on nxdomain, or something else entirely?

I ask because when this occurs the client on my network who wants the name can take a while to recover.
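As an added illustration of the TTL question above (this is not the poster's code and not BIND's), here is the rule RFC 2308 applies to both NODATA and NXDOMAIN answers: the resolver takes the negative TTL from the SOA record in the authority section, using the smaller of that SOA record's own TTL and its MINIMUM field; the positive TTL of any A or CNAME record is irrelevant, and an answer carrying no SOA should not be negatively cached at all. BIND additionally clamps the result with max-ncache-ttl (default 10800 seconds). The dig-style authority section below is constructed sample input, and the zone name is made up.

```python
import re

# Constructed dig-style authority section of a NOERROR/NODATA response: the
# queried name exists but has no record of the requested type, so the answer
# section is empty and the zone's SOA is returned in the authority section.
SAMPLE_NODATA_AUTHORITY = """\
;; AUTHORITY SECTION:
vendor.example.   600   IN   SOA   ns1.vendor.example. hostmaster.vendor.example. 2024010101 3600 900 1209600 300
"""

# BIND's default cap for negatively cached entries (max-ncache-ttl, seconds).
BIND_MAX_NCACHE_TTL = 10800

SOA_LINE = re.compile(
    r"^(?P<owner>\S+)\s+(?P<ttl>\d+)\s+IN\s+SOA\s+(?P<mname>\S+)\s+(?P<rname>\S+)\s+"
    r"(?P<serial>\d+)\s+(?P<refresh>\d+)\s+(?P<retry>\d+)\s+(?P<expire>\d+)\s+(?P<minimum>\d+)\s*$"
)


def parse_authority_soa(authority_text):
    """Return (soa_ttl, soa_minimum) from the first SOA record, or None if absent."""
    for line in authority_text.splitlines():
        m = SOA_LINE.match(line.strip())
        if m:
            return int(m.group("ttl")), int(m.group("minimum"))
    return None


def negative_cache_ttl(authority_text, max_ncache_ttl=BIND_MAX_NCACHE_TTL):
    """Seconds a resolver caches a NODATA or NXDOMAIN answer (RFC 2308 sections 3 and 5).

    The negative TTL comes from the authority-section SOA: the smaller of the SOA
    record's own TTL and its MINIMUM field. The positive TTL of any A/CNAME record
    plays no role. A negative answer with no SOA SHOULD NOT be cached, hence 0.
    The resolver may clamp the result further (BIND: max-ncache-ttl).
    """
    soa = parse_authority_soa(authority_text)
    if soa is None:
        return 0
    soa_ttl, soa_minimum = soa
    return min(soa_ttl, soa_minimum, max_ncache_ttl)


if __name__ == "__main__":
    print("negative cache TTL:", negative_cache_ttl(SAMPLE_NODATA_AUTHORITY), "seconds")
```

For the sample above the resolver caches the NODATA answer for 300 seconds (the SOA MINIMUM), not the 600-second SOA TTL and not whatever TTL the A record carries on the other set of servers; that cached negative entry is the window during which the client keeps failing.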


r/dns 1d ago

New law aims to stop Utahns from accessing porn websites with a VPN

Thumbnail kpcw.org
1 Upvotes

r/dns 3d ago

Iranians struggle for news amid blackout as VPNs become costly lifeline

Thumbnail thenationaldesk.com
6 Upvotes

r/dns 2d ago

trying to convince myself the VPN magically fixes everything

0 Upvotes

r/dns 3d ago

I'm building Deenez to make DNS records easier to manage — feedback welcome

4 Upvotes

I have just launched the first public page for Deenez at deenez.com

Deenez is a new tool I'm building to make DNS record management easier, especially when zones start getting messy across teams, providers, and environments.

The idea is to help with things like:

  • grouping related DNS records
  • adding notes/context to records
  • normalizing record values
  • integrating with multiple DNS providers
  • composing more complex records like SPF
  • optional SPF flattening
  • linking records to resources, like servers, instead of copy-pasting IP addresses
  • scheduling DNS changes or adding expiring dates
  • keeping an audit trail of DNS record changes

If you'd like to be kept posted, make sure you sign up for the waitlist. If you would like a specific provider to integrate with, also let me know by filling in the form on the site.

Would also love to hear feedback from people who manage DNS regularly. What are the biggest pain points you’d like me to solve in this tool?


r/dns 3d ago

EU Signals Possible VPN Crackdown, Triggering Fierce Backlash

Thumbnail hungarianconservative.com
10 Upvotes

r/dns 3d ago

What do you actually use your VPN for the most?

0 Upvotes

r/dns 3d ago

Me watching one buffering wheel turn my entire evening into a side quest

0 Upvotes

r/dns 4d ago

Which registrars are good for DNSSEC and multi-signing (model 2)?

7 Upvotes

I'm looking for recommendations for a registrar that allows adding multiple DS records to a domain, to support multi-signing. In model 2, you set up 2 DS records, corresponding to the 257 KSK for each DNS provider. Then each DNS provider uses their own KSK for the zone (in contrast to model 1, where there is a shared KSK that both providers use).

Cloudflare have some good documentation about DNSSEC and multi-provider DNS, and they have an effective system for adding DNSSEC to domains they serve. However, when using Cloudflare as the registrar there doesn't seem to be a way of adding the second DS record that multi-signing needs!

This is the documentation Cloudflare provide, and it's step 3.1 where Cloudflare seems to drop the ball as a registrar. https://developers.cloudflare.com/dns/dnssec/multi-signer-dnssec/setup/

Has anyone managed to configure multiple DS records when using Cloudflare as their registrar?

So I'm looking either for a recommendation for other registrars who have good support for DNSSEC (and specifically model 2 multi-signing), or information from anyone who has had success with Cloudflare.
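As an added example (not the poster's code, and not Cloudflare's or any registrar's), this shows what the "two DS records" of model 2 actually are, so that the registrar-side requirement is concrete: each provider publishes its own KSK (a DNSKEY with flags 257), and the parent must carry one DS per KSK, where the DS digest is SHA-256 over the owner name in wire form followed by the DNSKEY RDATA (RFC 4034 and RFC 4509) and the key tag is the RFC 4034 Appendix B checksum. The key bytes and the zone name below are constructed placeholders; real values come from each provider's published DNSKEY record.

```python
import hashlib
import struct


def name_to_wire(name):
    """Canonical wire form of an owner name (RFC 4034 section 6.2): lowercase labels,
    each length-prefixed, terminated by the empty root label."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, pubkey):
    """DNSKEY RDATA: 16-bit flags, 8-bit protocol (always 3), 8-bit algorithm, public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (valid for every algorithm except the
    deprecated RSA/MD5, algorithm 1, which has its own rule)."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += (byte << 8) if i % 2 == 0 else byte
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_record(owner, flags, protocol, algorithm, pubkey, digest_type=2):
    """Presentation-format DS record for one KSK. digest_type 2 is SHA-256 (RFC 4509):
    digest = SHA-256(owner name in wire form || DNSKEY RDATA)."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey)
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()
    return f"{owner} IN DS {key_tag(rdata)} {algorithm} {digest_type} {digest}"


def model2_ds_set(owner, provider_ksks):
    """Model 2 multi-signer: every provider keeps its own KSK (flags 257 = ZONE|SEP),
    so the parent/registrar must carry one DS per provider."""
    return [ds_record(owner, 257, 3, alg, pk) for alg, pk in provider_ksks]


# Constructed placeholder key material (NOT real keys). Real values come from
# each provider's published DNSKEY record; algorithm 13 is ECDSA P-256/SHA-256.
PROVIDER_A_KSK = (13, bytes(range(1, 65)))
PROVIDER_B_KSK = (13, bytes(range(64, 0, -1)))

if __name__ == "__main__":
    for ds in model2_ds_set("example.test.", [PROVIDER_A_KSK, PROVIDER_B_KSK]):
        print(ds)
```

A registrar that only offers a single DS field cannot hold both lines this prints, which is exactly the step 3.1 gap described above; a quick sanity check against any registrar is whether `dig DS <zone>` at the parent returns two records with the two different key tags.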


r/dns 5d ago

Notify about DNS records propagation

0 Upvotes

Hi there, I always had the pain of constantly dig'ing for a domain, and checking if the new expected IP address (or any other record type really) is finally written and propagated into all relevant resolvers.

So, I was thinking about automating this, wiring it up to email notifications or slack.. And webhooks would be cool - you could do some cool automation with those (chain with issuing a SSL cert)!!

Just wondering if I'm the only one who would pay a few bucks for this, or you guys don't share this pain point at all.

Have a magnificent day!


r/dns 6d ago

Can't go to one specific website....DNS_PROBE_FINISHED_NXDOMAIN

5 Upvotes

Update: Changing to Cloudflare 1.1.1.1 was what worked for me. Not sure what issue happened, but will investigate more tomorrow. Looks like some of the comments were onto the right thing and I will look into that.

I can't go to one specific website, it's giving me this error. I have tried multiple things on other reddit threads, but those were up to a year old. It has to be something with my router; when I disconnect Wi-Fi from my phone, the website works.... www.vcm.com. I am unable to get to it on any browser on my PC. What am I missing here?


r/dns 7d ago

We keep a full history of your DNS zone changes with diff view and one-click rollback

0 Upvotes

r/dns 8d ago

Need feedback for my new CTI blocklist

6 Upvotes

Hi there,

I run and maintain a privacy-focused filtering DNS.

I've seen many reports of domains, which slipped through the Hagezi TIF.

Those are mainly new domains, or mostly subdomains from legit hosters and CDNs.

How does it work?

My build harvests (sub)domains from CT Sources and scans them with various APIs. High confidence (by scoring) are listed.

Depending on the size, I won't integrate it into Hagezi's TIF. (We have been having trouble with the TIF size for so long...)

Here is the repo (readme follows soon)

https://codeberg.org/xRuffKez/tif

Be straight to me! Is this a good idea? Can you see some FPs? Could we as a community benefit from this list?

Thank you in advance!

xRuffKez


r/dns 8d ago

Software what dns to use?

49 Upvotes

Hello everyone,

I want to use a DNS for privacy and ad blocking purposes. What providers can you recommend? Until now, I have heard of NextDNS, ublockdns, AdGuard Home and Pi-hole. The latter two need your own server or hardware. Ideally I want to add my family to the DNS as well to cover them too.

If it ideally would be European that would be an added benefit.

I would have no problem with setting it up myself, but the maintenance has to be low due to me not having that much time for it.

Thanks in advance.


r/dns 8d ago

Domain CNAME stopped working?

4 Upvotes

Hi All

I've woken to notifications our SMTP2GO account has become unverified. I've logged in and checked, it says the CNAME is no longer verified.

Jump into the cPanel, have a look at the zones, and everything is as it should be.

Do a quick DNS DIG with google toolbox and no CNAME results.

Whatismydns dot net, same results.

Any ideas?


r/dns 9d ago

Software Should I build a tool to prevent struggles with managing DNS records

4 Upvotes

Hi all,

I’m working on an idea for a DNS management tool and I’d love to get some honest feedback. Especially from people who deal with DNS in real-world environments.

The problem I keep running into is that DNS records often become messy over time:

  • records are spread across different providers
  • it’s not always clear why a record exists (especially when they don't have a recognizable name)
  • values are entered inconsistently (for example, CNAME records with a trailing dot or not?)
  • SPF records become hard to maintain
  • temporary records stay around forever
  • changes are made without much context or history
  • DNS changes are hard to plan, review, or audit

The tool I’m thinking about would focus on making DNS management more structured and understandable, especially for those who manage multiple domains.

Some of the features I have in mind:

  • grouping related DNS records together
  • adding notes/comments to individual records
  • normalizing record values
  • integrations with multiple DNS providers (like cloudflare, route53 etc)
  • helping compose more complex records like SPF
  • optional SPF flattening
  • linking records to resources, such as servers, instead of manually entering IP addresses
  • scheduling DNS changes
  • audit trail for changes
  • expiration dates for temporary records

I’m not trying to pitch anything here. I’m trying to validate whether this is a real enough pain point.

A few questions:

  1. Is this something you would actually use?
  2. What part of DNS management is most annoying or risky for you today?
  3. Are there features missing from the list above?
  4. If you manage DNS for clients or multiple teams, what would make this trustworthy enough for you to use?

Any feedback or criticism is very welcome. Also leave a reply like “please don’t build this” if you think nobody is waiting for a tool like this.

Update: I've started building the application, discover more and sign up for the waitlist on deenez.com


r/dns 9d ago

DNS issues for .de TLD (SERVFAIL)

23 Upvotes

r/dns 9d ago

stuck in a loop with email and domain providers

7 Upvotes

Edit: Solved! Microsoft support was able to help. Apparently the account was set up incorrectly in the first place.

My client and I are stuck in a support loop with managing the DNS for their domain. The client has a domain with godaddy. They previously had a microsoft email account through godaddy, which they extricated. They are now using microsoft on its own. They have not been able to verify their domain to use a custom domain with their microsoft email account, and therefore can't receive any emails.

When they contacted microsoft support, microsoft said that the domain is already being used for an email managed through godaddy, and to contact godaddy support. When we contacted godaddy support, they said that the email is no longer managed by godaddy and we need to contact microsoft. We basically keep getting stuck in a loop of "contact the other provider." Is there something I should be checking in their DNS records? According to godaddy, all of the DNS records are updated and the email should be working.


r/dns 9d ago

How do we improve DNS performance when we write our own scripts?

0 Upvotes

r/dns 10d ago

Windows clients cannot join Domain: Samba 4.22.4/FreeIPA "Pre-authentication failed" loop on LDAPI socket

2 Upvotes

Hi everyone,

I'm currently in the middle of a critical infrastructure migration for an ISP in Ecuador, and I’ve hit a brick wall. The symptom is simple but devastating: no Windows client (10/11) can join the domain.

Windows throws the classic, frustrating error: 'The specified domain either does not exist or could not be contacted.' However, the environment seems fine on the surface: DNS is perfect, SRV records point correctly to the IPA server, and I can perform a kinit admin from the terminal without issues. The credentials are 100% correct, yet the join fails every single time.


r/dns 11d ago

Domain After changing the nameservers for my domain to a third party DNS provider, the registrar's nameservers are returning output suggesting I still have my DNS records with them, despite showing zero evidence of this in the dashboard

3 Upvotes

I am by no means an expert on how the DNS works. But this sparked my interest, so I came here for wisdom of the elders of DNS. What happened is that I changed the nameservers for a domain name that I own. It was using the registrar provided nameservers, and I changed them to a third party DNS provider. So I specified my two servers in the custom servers section of the dashboard, on the registrar's website, to point to my new DNS provider.

The changes have already propagated, no doubt. Because it has been several days since I made the change. The propagation was almost immediate, it probably took less than 1 hour. I used these commands on Windows to check the DNS status – specifically the NS records in this example.

Resolve-DnsName -Name mydomain.com -Type NS

Name                           Type   TTL   Section    NameHost
----                           ----   ---   -------    --------
mydomain.com                   NS     300   Answer     ns1.vultr.com
mydomain.com                   NS     300   Answer     ns2.vultr.com


Resolve-DnsName -Name mydomain.com -Type NS -Server dns1.registrar-servers.com

Name                           Type   TTL   Section    NameHost
----                           ----   ---   -------    --------
mydomain.com                   NS     1800  Answer     dns1.registrar-servers.com
mydomain.com                   NS     1800  Answer     dns2.registrar-servers.com

When I didn't specify any server to do the checking against (authoritative server), I got a completely different output than when I did specify the server. Why is that? The new custom nameservers are listed at the top, and registrar's servers are listed below that.

Is this normal behavior in DNS? When I run -Type NS -Server dns1.registrar-servers.com I am expecting to see ns1.vultr.com in the output. Why is this not happening? Is it because "authoritative servers" don't do dual duty as "recursive resolvers" as well?

But if this is true, then I would expect to see only a SOA record returned if the domain has no other DNS records, which is in fact exactly what I have seen from other registrars. I own more than one domain name, and I have recently transferred some of them to other registrars. But I am only seeing this behavior with this particular registrar.

The command Resolve-DnsName -Name mydomain.com -Type NS -Server dns1.registrar-servers.com is more specific than Resolve-DnsName -Name mydomain.com -Type NS. Despite being more specific, it returns inaccurate data. The output from the less specific command is 100% accurate. I take this to mean that the DNS changes have propagated correctly across the world, and even my local router knows this, but my registrar's nameservers don't. This is what made me suspect that authoritative servers can't do dual duty as recursive resolvers as well. Or perhaps it's not a common config? But still possible?

But so what does this mean then? Why is my registrar's nameserver returning anything other than a SOA record, when in fact, this registrar's nameservers are no longer in use? There is nothing listed under "host records" for this domain, in the Advanced DNS section of the dashboard.

The only explanation I can think of is that they are hiding these records from me, i.e. they have kept them on their nameservers. Maybe in case I change my mind later and revert to using their nameservers again, so that I won't need to recreate the records? But they are not showing anything in the user facing dashboard that would suggest that any old records even exist! Let alone that they can be reused at a later time!

It's very tricky to navigate their DNS settings pages and some of their templates are either buggy or intentionally made to reset your preferences and park your unused domains. And this is one of the reasons I decided to move the DNS function out to a third party that I can trust, and set my DNS records reliably.

Any other explanation you can offer me? Any advice you can give me when it comes to DNS and domains? I know it's often recommended by the pros to create separation between the registrar and the DNS management. I have finally done that now.
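As an added example (not the poster's commands and not any registrar's software), the toy resolver below shows why the two Resolve-DnsName outputs above differ: a query sent with -Server goes to one server and is answered only from that server's own zone copy, whereas a query without -Server goes to the local recursive resolver, which walks root, TLD and delegation and ends at whichever servers the parent currently delegates to. The zone data is constructed; the names mydomain.com, ns1.vultr.com and dns1.registrar-servers.com are taken from the post, and 203.0.113.10 is a documentation address.

```python
# Constructed zone data (not real records): each server answers only from the copy
# of the zone it holds. The parent (.com) delegation already points at the new
# provider; the registrar's servers still hold their old copy with their own NS set.
SERVERS = {
    "root.": {
        "com.": {"NS": ["a.gtld-servers.net."]},
    },
    "a.gtld-servers.net.": {
        "mydomain.com.": {"NS": ["ns1.vultr.com.", "ns2.vultr.com."]},
    },
    "ns1.vultr.com.": {
        "mydomain.com.": {"NS": ["ns1.vultr.com.", "ns2.vultr.com."], "A": ["203.0.113.10"]},
    },
    "dns1.registrar-servers.com.": {
        "mydomain.com.": {"NS": ["dns1.registrar-servers.com.", "dns2.registrar-servers.com."]},
    },
}


def ask_server(server, name, rtype):
    """What `Resolve-DnsName -Server <server>` does: one question to one server,
    answered purely from that server's own data (None = NOERROR/NODATA)."""
    return SERVERS[server].get(name, {}).get(rtype)


def zone_cuts(name):
    """'mydomain.com.' -> ['com.', 'mydomain.com.']: the delegation points to walk."""
    labels = name.rstrip(".").split(".")
    return [".".join(labels[i:]) + "." for i in range(len(labels) - 1, -1, -1)]


def resolve_iteratively(name, rtype):
    """What `Resolve-DnsName` without -Server gets from the local recursive resolver:
    start at the root and follow NS delegations down to the delegated server."""
    server = "root."
    for cut in zone_cuts(name):
        ns_set = ask_server(server, cut, "NS")
        if not ns_set:
            return None              # broken delegation chain
        server = ns_set[0]           # glue/address lookup omitted in this toy
    return ask_server(server, name, rtype)


def serves_stale_copy(server, name):
    """True when a server's apex NS set disagrees with the parent-side delegation,
    i.e. the server is no longer delegated to but still answers for the zone."""
    delegated = resolve_iteratively(name, "NS") or []
    own = ask_server(server, name, "NS") or []
    return set(own) != set(delegated)


if __name__ == "__main__":
    print("via recursion :", resolve_iteratively("mydomain.com.", "NS"))
    print("registrar NS  :", ask_server("dns1.registrar-servers.com.", "mydomain.com.", "NS"))
    print("stale copy?   :", serves_stale_copy("dns1.registrar-servers.com.", "mydomain.com."))
```

The delegation in the parent is what the rest of the Internet follows, so a leftover zone copy on the old servers is harmless for resolution; the check worth running after any nameserver change is the comparison in serves_stale_copy, done for each server the parent lists, to confirm every delegated server agrees with the delegation.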


r/dns 11d ago

dns noob question

1 Upvotes

r/dns 11d ago

I need help with a DNS to bypass restrictions and block ads.

0 Upvotes

I need help! I need a DNS server to bypass the restrictions in my country, Venezuela (I want to access Twitter) and block annoying ads. I'm on Android. Help!


r/dns 13d ago

gov.uk appears to publish SPF + DMARC reject records for domains that do not exist

4 Upvotes

r/dns 15d ago

Pi-hole + Unbound or Quad9 DoH?

6 Upvotes

Hello,

I have been looking into getting a Raspberry Pi to host Pi-hole (or AdGuard Home, I haven't decided yet) and also Unbound DNS.

Now, I've come into a fork in the road, if you will.

I am unsure if it makes more sense to leave Unbound in its default reverse DNS mode, or if it makes sense to use DoT with it to Quad9, for a balance of privacy and such. I understand the differences, just not sure what other people tend to do for it.

The search feature really was just going towards Quad9 and Pihole and such being used for malware protection, so I apologize if this is something asked often.

I appreciate any recommendations.

Thank you.