I created a new CNAME under my domain and waited for a while (about 1h).
Then I tried creating a Let's Encrypt certificate and got DNS resolution errors, so I started testing the name resolution on my own.
It turns out that dig can find the CNAME without issues, no matter which nameserver I use, but nslookup and host just can't.
As an example, here is the output I get when using 1.1.1.1:
root@pre ~ # dig my.subdomain.com @1.1.1.1
; <<>> DiG 9.10.3-P4-Ubuntu <<>> my.subdomain.com @1.1.1.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 8098
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1452
;; QUESTION SECTION:
;my.subdomain.com. IN A
;; ANSWER SECTION:
my.subdomain.com. 113 IN CNAME \@.
;; AUTHORITY SECTION:
. 9382 IN SOA a.root-servers.net. nstld.verisign-grs.com. 2020040300 1800 900 604800 86400
;; Query time: 2 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; WHEN: Fri Apr 03 12:37:55 CEST 2020
;; MSG SIZE rcvd: 136
root@pre ~ # nslookup my.subdomain.com 1.1.1.1
Server: 1.1.1.1
Address: 1.1.1.1#53
** server can't find my.subdomain.com: NXDOMAIN
root@pre ~ # host my.subdomain.com
Host my.subdomain.com not found: 3(NXDOMAIN)
root@pre ~ # cat /etc/resolv.conf
nameserver 1.1.1.1
Some considerations:
- There are similar questions out there, but the ones I found end up either comparing only dig and nslookup or querying different name servers.
- I am aware of the nslookup deprecation warnings, but afaik host and dig should be consistent with each other if they use the same name server.
- If I try any other thing, like curl or ping, name resolution also fails. Only dig seems to figure it out.
- The same behavior can be observed if I run the commands on other machines and networks, and even if I use online tools. Google dig works (https://toolbox.googleapps.com/apps/dig/), but Kloth.net nslookup does not (http://www.kloth.net/services/nslookup.php).
Can you help me understand what's happening?
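Added example, not part of the question above. The thing to look at in the dig output is the header line, not the answer section: dig prints the whole response it received (header, ANSWER and AUTHORITY sections), while nslookup, host and the libc resolver behind curl and ping act on the response code alone. The header says `status: NXDOMAIN`, the ANSWER section shows a CNAME whose target is `\@.` (dig's escaped rendering of a one-label name consisting of a literal `@` character, directly under the root), and the AUTHORITY section carries the root zone's SOA, which is what a resolver returns when the CNAME target does not exist at the root. So dig "finds" the CNAME only in the sense that it shows the record; the name still does not resolve. The script below separates those parts of a dig response so the verdict is unambiguous. The function names are my own, the first sample is a copy of the output quoted in the question, and the second sample (a NOERROR response with the documentation address 192.0.2.10) is constructed for contrast.

```shell
#!/bin/sh
# Added example (not from the original post): read a dig response and report
# the rcode from the header separately from the records in the answer section.
# Stub resolvers (host, nslookup, getaddrinfo) only act on the rcode.

# Constructed copy of the dig output quoted in the question.
SAMPLE_DIG_OUTPUT='; <<>> DiG 9.10.3-P4-Ubuntu <<>> my.subdomain.com @1.1.1.1
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 8098
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
;; QUESTION SECTION:
;my.subdomain.com. IN A
;; ANSWER SECTION:
my.subdomain.com. 113 IN CNAME \@.
;; AUTHORITY SECTION:
. 9382 IN SOA a.root-servers.net. nstld.verisign-grs.com. 2020040300 1800 900 604800 86400'

# Constructed healthy response for contrast (192.0.2.10 is a documentation address).
SAMPLE_OK_OUTPUT=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
;; ANSWER SECTION:
my.subdomain.com. 113 IN CNAME subdomain.com.
subdomain.com. 113 IN A 192.0.2.10'

# rcode from the header line: "status: NXDOMAIN," -> NXDOMAIN
dig_rcode() {
    printf '%s\n' "$1" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1
}

# Target of the first CNAME record (record lines do not start with ';').
dig_cname_target() {
    printf '%s\n' "$1" | awk '$1 !~ /^;/ && $4 == "CNAME" { print $5; exit }'
}

# Owner name of the SOA in the authority section: the zone that said "no such name".
dig_soa_zone() {
    printf '%s\n' "$1" | awk '$1 !~ /^;/ && $4 == "SOA" { print $1; exit }'
}

# One-line verdict, from the point of view of a stub resolver: NXDOMAIN means
# the name does not resolve, whatever else is printed in the answer section.
dig_verdict() {
    rcode=$(dig_rcode "$1")
    target=$(dig_cname_target "$1")
    zone=$(dig_soa_zone "$1")
    if [ "$rcode" = "NOERROR" ]; then
        echo "resolves"
    elif [ -n "$target" ]; then
        echo "CNAME to '$target' but rcode $rcode from zone '$zone': the CNAME target does not exist"
    else
        echo "rcode $rcode"
    fi
}

dig_verdict "$SAMPLE_DIG_OUTPUT"
dig_verdict "$SAMPLE_OK_OUTPUT"
```

On a live system, feed a real response in with `dig_verdict "$(dig my.subdomain.com @1.1.1.1)"`. For the response in the question it reports the CNAME target `\@.` and rcode NXDOMAIN from zone `.`, which is the same answer host and nslookup give, just with the reason attached.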