
Seeing exception 'Couldn't resolve the following domains to an IPv4 record' when creating 7 domain certificate #46

Closed
Lodesys opened this issue Jan 1, 2017 · 14 comments

Lodesys commented Jan 1, 2017

Seeing same issue as #33 but with just 7 domains. Reduce list to 6 and all is well. Running version 0.2.11 under Windows 2008 Server and PHP 7.1 in a virtual environment, using a .yml file.

Error comes through as something like...

C:\Apache24\conf\ssl.le>php acme-client.phar auto --ttl 45
Issuance for the following domains failed: older-browser.lodesys.com, aidswalkaz.org, casadecristo.org, lodesys.com, redbrunch.org, redisthenight.org, thehopetapes.com
Reason: Kelunik\Acme\AcmeException: Unexpected exit code (1) for '"C:\php\php.exe" "acme-client.phar" "issue" "--server" "letsencrypt" "--storage" "/Apache24/conf/ssl.le" "--domains" "older-browser.lodesys.com,aidswalkaz.org,casadecristo.org,lodesys.com,redbrunch.org,redisthenight.org,thehopetapes.com" "--path" "/web-sites/_LetsEncrypt;/web-sites/_LetsEncrypt;/web-sites/_LetsEncrypt;/web-sites/_LetsEncrypt;/web-sites/_LetsEncrypt;/web-sites/_LetsEncrypt;/web-sites/_LetsEncrypt"'.
Kelunik\Acme\AcmeException: Couldn't resolve the following domains to an IPv4 nor IPv6 record: redbrunch.org, thehopetapes.com in phar://C:/Apache24/conf/ssl.le/acme-client.phar/src/Commands/Issue.php:197

 in phar://C:/Apache24/conf/ssl.le/acme-client.phar/src/Commands/Auto.php:239
Stack trace:
#0 [internal function]: Kelunik\AcmeClient\Commands\Auto->checkAndIssue(Array, 'letsencrypt', '/Apache24/conf/...')
#1 phar://C:/Apache24/conf/ssl.le/acme-client.phar/vendor/amphp/amp/lib/functions.php(876): Generator->send(Object(stdClass))
#2 phar://C:/Apache24/conf/ssl.le/acme-client.phar/vendor/amphp/amp/lib/Placeholder.php(91): Amp\__coroutineSend(NULL, Object(stdClass), Object(Amp\CoroutineState))
#3 phar://C:/Apache24/conf/ssl.le/acme-client.phar/vendor/amphp/amp/lib/PublicPromisor.php(48): Amp\Deferred->resolve(NULL, Object(stdClass))
#4 phar://C:/Apache24/conf/ssl.le/acme-client.phar/vendor/amphp/process/Process.php(106): Amp\Deferred->succeed(Object(stdClass))
#5 phar://C:/Apache24/conf/ssl.le/acme-client.phar/vendor/amphp/amp/lib/NativeReactor.php(100): Amp\Process->Amp\{closure}('000000002a25e11...', NULL)
#6 phar://C:/Apache24/conf/ssl.le/acme-client.phar/vendor/amphp/amp/lib/NativeReactor.php(172): Amp\NativeReactor->tryImmediate(Object(stdClass))
#7 phar://C:/Apache24/conf/ssl.le/acme-client.phar/vendor/amphp/amp/lib/NativeReactor.php(71): Amp\NativeReactor->doTick(false)
#8 phar://C:/Apache24/conf/ssl.le/acme-client.phar/vendor/amphp/amp/lib/functions.php(46): Amp\NativeReactor->run(Object(Closure))
#9 phar://C:/Apache24/conf/ssl.le/acme-client.phar/bin/acme(170): Amp\run(Object(Closure))
#10 C:\Apache24\conf\ssl.le\acme-client.phar(2): include('phar://C:/Apach...')
#11 {main}

Sometimes it has problems resolving just redbrunch.org domain.

The corresponding part of the .yml file is

  - paths:
      /web-sites/_LetsEncrypt:
          - older-browser.lodesys.com
          - aidswalkaz.org
          - casadecristo.org
          - lodesys.com
          - redbrunch.org
          - redisthenight.org
          - thehopetapes.com

Eliminate one of the domains, and all is well. Using the letsencrypt staging server produces the same results.

Seems to be some sort of timing or time-out issue, but have not been able to narrow it down.

Owner

kelunik commented Jan 1, 2017

I have just released v0.2.12 with an improved error message. Could you retry and post the error here?

kelunik self-assigned this Jan 1, 2017
kelunik added the bug label Jan 1, 2017
Author

Lodesys commented Jan 2, 2017

Thanks for the quick reply. Sorry it took so long on this end.
Here's the results...

Issuance for the following domains failed: older-browser.lodesys.com, aidswalkaz.org, casadecristo.org, lodesys.com, redbrunch.org, redisthenight.org, thehopetapes.com
Reason: Kelunik\Acme\AcmeException: Unexpected exit code (1) for '"C:\php\php.exe" "acme-client.phar" "issue" "--server" "letsencrypt" "--storage" "/Apache24/conf/ssl.le" "--domains" "older-browser.lodesys.com,aidswalkaz.org,casadecristo.org,lodesys.com,redbrunch.org,redisthenight.org,thehopetapes.com" "--path" "/web-sites/_LetsEncrypt;/web-sites/_LetsEncrypt;/web-sites/_LetsEncrypt;/web-sites/_LetsEncrypt;/web-sites/_LetsEncrypt;/web-sites/_LetsEncrypt;/web-sites/_LetsEncrypt"'.
Kelunik\Acme\AcmeException: Couldn't resolve the following domains to an IPv4 nor IPv6 record: redbrunch.org

Amp\Dns\ResolutionException: All name resolution requests failed in phar://C:/Apache24/conf/ssl.le/acme-client.phar/src/Commands/Issue.php:203

 in phar://C:/Apache24/conf/ssl.le/acme-client.phar/src/Commands/Auto.php:239
Stack trace:
#0 [internal function]: Kelunik\AcmeClient\Commands\Auto->checkAndIssue(Array, 'letsencrypt', '/Apache24/conf/...')
#1 phar://C:/Apache24/conf/ssl.le/acme-client.phar/vendor/amphp/amp/lib/functions.php(876): Generator->send(Object(stdClass))
#2 phar://C:/Apache24/conf/ssl.le/acme-client.phar/vendor/amphp/amp/lib/Placeholder.php(91): Amp\__coroutineSend(NULL, Object(stdClass), Object(Amp\CoroutineState))
#3 phar://C:/Apache24/conf/ssl.le/acme-client.phar/vendor/amphp/amp/lib/PublicPromisor.php(48): Amp\Deferred->resolve(NULL, Object(stdClass))
#4 phar://C:/Apache24/conf/ssl.le/acme-client.phar/vendor/amphp/process/Process.php(106): Amp\Deferred->succeed(Object(stdClass))
#5 phar://C:/Apache24/conf/ssl.le/acme-client.phar/vendor/amphp/amp/lib/NativeReactor.php(100): Amp\Process->Amp\{closure}('0000000024a68cc...', NULL)
#6 phar://C:/Apache24/conf/ssl.le/acme-client.phar/vendor/amphp/amp/lib/NativeReactor.php(172): Amp\NativeReactor->tryImmediate(Object(stdClass))
#7 phar://C:/Apache24/conf/ssl.le/acme-client.phar/vendor/amphp/amp/lib/NativeReactor.php(71): Amp\NativeReactor->doTick(false)
#8 phar://C:/Apache24/conf/ssl.le/acme-client.phar/vendor/amphp/amp/lib/functions.php(46): Amp\NativeReactor->run(Object(Closure))
#9 phar://C:/Apache24/conf/ssl.le/acme-client.phar/bin/acme(170): Amp\run(Object(Closure))
#10 C:\Apache24\conf\ssl.le\acme-client.phar(2): include('phar://C:/Apach...')
#11 {main}

Running nslookup redbrunch.org immediately produces the correct results.

Ran it a second time after doing the nslookup and the SSL cert was created. (Love computers)

Reordered the list of domains within the .yml file, deleted the new cert and ran it again. Failed with

Issuance for the following domains failed: older-browser.lodesys.com, aidswalkaz.org, casadecristo.org, redbrunch.org, lodesys.com, redisthenight.org, thehopetapes.com
Reason: Kelunik\Acme\AcmeException: Unexpected exit code (1) for '"C:\php\php.exe" "acme-client.phar" "issue" "--server" "letsencrypt" "--storage" "/Apache24/conf/ssl.le" "--domains" "older-browser.lodesys.com,aidswalkaz.org,casadecristo.org,redbrunch.org,lodesys.com,redisthenight.org,thehopetapes.com" "--path" "/web-sites/_LetsEncrypt;/web-sites/_LetsEncrypt;/web-sites/_LetsEncrypt;/web-sites/_LetsEncrypt;/web-sites/_LetsEncrypt;/web-sites/_LetsEncrypt;/web-sites/_LetsEncrypt"'.
Kelunik\Acme\AcmeException: Couldn't resolve the following domains to an IPv4 nor IPv6 record: redisthenight.org, lodesys.com

Amp\Dns\NoRecordException: No records returned for redisthenight.org

Amp\Dns\NoRecordException: No records returned for lodesys.com in phar://C:/Apache24/conf/ssl.le/acme-client.phar/src/Commands/Issue.php:203

 in phar://C:/Apache24/conf/ssl.le/acme-client.phar/src/Commands/Auto.php:239
Stack trace:
#0 [internal function]: Kelunik\AcmeClient\Commands\Auto->checkAndIssue(Array, 'letsencrypt', '/Apache24/conf/...')
#1 phar://C:/Apache24/conf/ssl.le/acme-client.phar/vendor/amphp/amp/lib/functions.php(876): Generator->send(Object(stdClass))
#2 phar://C:/Apache24/conf/ssl.le/acme-client.phar/vendor/amphp/amp/lib/Placeholder.php(91): Amp\__coroutineSend(NULL, Object(stdClass), Object(Amp\CoroutineState))
#3 phar://C:/Apache24/conf/ssl.le/acme-client.phar/vendor/amphp/amp/lib/PublicPromisor.php(48): Amp\Deferred->resolve(NULL, Object(stdClass))
#4 phar://C:/Apache24/conf/ssl.le/acme-client.phar/vendor/amphp/process/Process.php(106): Amp\Deferred->succeed(Object(stdClass))
#5 phar://C:/Apache24/conf/ssl.le/acme-client.phar/vendor/amphp/amp/lib/NativeReactor.php(100): Amp\Process->Amp\{closure}('00000000212a9a2...', NULL)
#6 phar://C:/Apache24/conf/ssl.le/acme-client.phar/vendor/amphp/amp/lib/NativeReactor.php(172): Amp\NativeReactor->tryImmediate(Object(stdClass))
#7 phar://C:/Apache24/conf/ssl.le/acme-client.phar/vendor/amphp/amp/lib/NativeReactor.php(71): Amp\NativeReactor->doTick(false)
#8 phar://C:/Apache24/conf/ssl.le/acme-client.phar/vendor/amphp/amp/lib/functions.php(46): Amp\NativeReactor->run(Object(Closure))
#9 phar://C:/Apache24/conf/ssl.le/acme-client.phar/bin/acme(170): Amp\run(Object(Closure))
#10 C:\Apache24\conf\ssl.le\acme-client.phar(2): include('phar://C:/Apach...')
#11 {main}

Some sort of timing or timeout issue when doing the DNS lookups?

Owner

kelunik commented Jan 2, 2017

Could you provide a Wireshark compatible trace of a failure / success?

Author

Lodesys commented Jan 4, 2017

Tracked it down to using 8.8.8.8 (Google DNS) to resolve IP addresses. Doing DNS lookups one-by-one is no problem. Sending 32 requests at once appears to trip some sort of spam/DDoS filter. Only 16 requests receive responses. My server lives in the middle of a very large Softlayer server farm, so Google probably already has the address block with my IP addresses on a watch list.

Attached are 3 Wireshark trace files (CSV format) showing only 16 responses to 32 queries.

The console for the 3rd try is as follows...

C:\Apache24\conf\ssl.le>php acme-client.phar auto --ttl 45
Issuance for the following domains failed: w.lodesys.com, older-browser.lodesys.com, aidswalkaz.org, casadecristo.org, redbrunch.org, lodesys.com, redisthenight.org, thehopetapes.com
Reason: Kelunik\Acme\AcmeException: Unexpected exit code (1) for '"C:\php\php.exe" "acme-client.phar" "issue" "--server" "letsencrypt" "--storage" "/Apache24/conf/ssl.le" "--domains" "w.lodesys.com,older-browser.lodesys.com,aidswalkaz.org,casadecristo.org,redbrunch.org,lodesys.com,redisthenight.org,thehopetapes.com" "--path" "/web-sites/_LetsEncrypt;/web-sites/_LetsEncrypt;/web-sites/_LetsEncrypt;/web-sites/_LetsEncrypt;/web-sites/_LetsEncrypt;/web-sites/_LetsEncrypt;/web-sites/_LetsEncrypt;/web-sites/_LetsEncrypt"'.
Kelunik\Acme\AcmeException: Couldn't resolve the following domains to an IPv4 nor IPv6 record: lodesys.com, redisthenight.org, thehopetapes.com

Amp\Dns\NoRecordException: No records returned for lodesys.com

Amp\Dns\NoRecordException: No records returned for redisthenight.org

Amp\Dns\ResolutionException: All name resolution requests failed in phar://C:/Apache24/conf/ssl.le/acme-client.phar/src/Commands/Issue.php:203

 in phar://C:/Apache24/conf/ssl.le/acme-client.phar/src/Commands/Auto.php:239
Stack trace:
#0 [internal function]: Kelunik\AcmeClient\Commands\Auto->checkAndIssue(Array, 'letsencrypt', '/Apache24/conf/...')
#1 phar://C:/Apache24/conf/ssl.le/acme-client.phar/vendor/amphp/amp/lib/functions.php(876): Generator->send(Object(stdClass))
#2 phar://C:/Apache24/conf/ssl.le/acme-client.phar/vendor/amphp/amp/lib/Placeholder.php(91): Amp\__coroutineSend(NULL, Object(stdClass), Object(Amp\CoroutineState))
#3 phar://C:/Apache24/conf/ssl.le/acme-client.phar/vendor/amphp/amp/lib/PublicPromisor.php(48): Amp\Deferred->resolve(NULL, Object(stdClass))
#4 phar://C:/Apache24/conf/ssl.le/acme-client.phar/vendor/amphp/process/Process.php(106): Amp\Deferred->succeed(Object(stdClass))
#5 phar://C:/Apache24/conf/ssl.le/acme-client.phar/vendor/amphp/amp/lib/NativeReactor.php(100): Amp\Process->Amp\{closure}('000000001198f4f...', NULL)
#6 phar://C:/Apache24/conf/ssl.le/acme-client.phar/vendor/amphp/amp/lib/NativeReactor.php(172): Amp\NativeReactor->tryImmediate(Object(stdClass))
#7 phar://C:/Apache24/conf/ssl.le/acme-client.phar/vendor/amphp/amp/lib/NativeReactor.php(71): Amp\NativeReactor->doTick(false)
#8 phar://C:/Apache24/conf/ssl.le/acme-client.phar/vendor/amphp/amp/lib/functions.php(46): Amp\NativeReactor->run(Object(Closure))
#9 phar://C:/Apache24/conf/ssl.le/acme-client.phar/bin/acme(170): Amp\run(Object(Closure))
#10 C:\Apache24\conf\ssl.le\acme-client.phar(2): include('phar://C:/Apach...')
#11 {main}

This would account for why changing the order of domains in the .yml file caused different domains to fail and why, on occasion, the request would actually complete.

Is there / can there be an option to use another DNS server other than 8.8.8.8?

Try 1 Wireshark.txt
Try 2 Wireshark.txt
Try 3 Wireshark.txt

Owner

kelunik commented Jan 4, 2017

Thanks for taking a deeper look. I have finally figured out how to read the Windows Registry without any extension. amphp/dns#40 will use the local system config. We'll have a release soon, probably today.

Owner

kelunik commented Jan 5, 2017

I have just released v0.2.13, could you try it out?

Author

Lodesys commented Jan 5, 2017

OK, so getting there. :-)

Good news: Acme-client is now using the Windows DNS settings rather than 8.8.8.8. Bad news: Still seeing random DNS timeout/failure issues.

Acme-client is now correctly accessing an internal Softlayer DNS server at 10.0.80.11. Have no idea what software the DNS server is running.

Many times, was seeing this...

C:\Apache24\conf\ssl.le>php acme-client.phar auto --ttl 45
Registration failed (1)
"C:\php\php.exe" "acme-client.phar" "setup" "--server" "letsencrypt" "--storage" "/Apache24/conf/ssl.le" "--email" "chris@lodesys.com"

    Using existing private key ...
    Registering with acme-v01.api.letsencrypt.org/directory ...
Amp\Dns\TimeoutException: Name resolution timed out for acme-v01.api.letsencrypt.org in phar://C:/Apache24/conf/ssl.le/acme-client.phar/vendor/amphp/dns/lib/DefaultResolver.php:271

Next Kelunik\Acme\AcmeException: Could not obtain directory. in phar://C:/Apache24/conf/ssl.le/acme-client.phar/vendor/kelunik/acme/lib/AcmeClient.php:189

Here is a Wireshark file
acme-v01 Timeout.zip

Once was able to get the multi-domain cert issued, but not a single domain one.


C:\Apache24\conf\ssl.le>php acme-client.phar auto --ttl 45
Certificate for older-browser.lodesys.com, aidswalkaz.org, casadecristo.org, redbrunch.org, lodesys.com, redisthenight.org, spiritualintersections.org, thehopetapes.com successfully renewed.
Issuance for the following domains failed: www.spiritualintersections.org
Reason: Kelunik\Acme\AcmeException: Unexpected exit code (1) for '"C:\php\php.exe" "acme-client.phar" "issue" "--server" "letsencrypt" "--storage" "/Apache24/conf/ssl.le" "--domains" "www.spiritualintersections.org" "--path" "/web-sites/_LetsEncrypt"'.

Could not obtain directory.
Kelunik\Acme\AcmeException: Issuance failed, not all challenges could be solved. in phar://C:/Apache24/conf/ssl.le/acme-client.phar/src/Commands/Issue.php:104

 in phar://C:/Apache24/conf/ssl.le/acme-client.phar/src/Commands/Auto.php:239
Stack trace:
#0 [internal function]: Kelunik\AcmeClient\Commands\Auto->checkAndIssue(Array, 'letsencrypt', '/Apache24/conf/...')
#1 phar://C:/Apache24/conf/ssl.le/acme-client.phar/vendor/amphp/amp/lib/functions.php(876): Generator->send(Object(stdClass))
#2 phar://C:/Apache24/conf/ssl.le/acme-client.phar/vendor/amphp/amp/lib/Placeholder.php(91): Amp\__coroutineSend(NULL, Object(stdClass), Object(Amp\CoroutineState))
#3 phar://C:/Apache24/conf/ssl.le/acme-client.phar/vendor/amphp/amp/lib/PublicPromisor.php(48): Amp\Deferred->resolve(NULL, Object(stdClass))
#4 phar://C:/Apache24/conf/ssl.le/acme-client.phar/vendor/amphp/process/Process.php(106): Amp\Deferred->succeed(Object(stdClass))
#5 phar://C:/Apache24/conf/ssl.le/acme-client.phar/vendor/amphp/amp/lib/NativeReactor.php(100): Amp\Process->Amp\{closure}('000000005a77127...', NULL)
#6 phar://C:/Apache24/conf/ssl.le/acme-client.phar/vendor/amphp/amp/lib/NativeReactor.php(172): Amp\NativeReactor->tryImmediate(Object(stdClass))
#7 phar://C:/Apache24/conf/ssl.le/acme-client.phar/vendor/amphp/amp/lib/NativeReactor.php(71): Amp\NativeReactor->doTick(false)
#8 phar://C:/Apache24/conf/ssl.le/acme-client.phar/vendor/amphp/amp/lib/functions.php(46): Amp\NativeReactor->run(Object(Closure))
#9 phar://C:/Apache24/conf/ssl.le/acme-client.phar/bin/acme(170): Amp\run(Object(Closure))
#10 C:\Apache24\conf\ssl.le\acme-client.phar(2): include('phar://C:/Apach...')
#11 {main}

Reran just to pick up the single domain and got this...

C:\Apache24\conf\ssl.le>php acme-client.phar auto --ttl 45
Issuance for the following domains failed: www.spiritualintersections.org
Reason: Kelunik\Acme\AcmeException: Unexpected exit code (1) for '"C:\php\php.exe" "acme-client.phar" "issue" "--server" "letsencrypt" "--storage" "/Apache24/conf/ssl.le" "--domains" "www.spiritualintersections.org" "--path" "/web-sites/_LetsEncrypt"'.

Could not obtain directory.
Kelunik\Acme\AcmeException: Issuance failed, not all challenges could be solved. in phar://C:/Apache24/conf/ssl.le/acme-client.phar/src/Commands/Issue.php:104

 in phar://C:/Apache24/conf/ssl.le/acme-client.phar/src/Commands/Auto.php:239
Stack trace:
#0 [internal function]: Kelunik\AcmeClient\Commands\Auto->checkAndIssue(Array, 'letsencrypt', '/Apache24/conf/...')
#1 phar://C:/Apache24/conf/ssl.le/acme-client.phar/vendor/amphp/amp/lib/functions.php(876): Generator->send(Object(stdClass))
#2 phar://C:/Apache24/conf/ssl.le/acme-client.phar/vendor/amphp/amp/lib/Placeholder.php(91): Amp\__coroutineSend(NULL, Object(stdClass), Object(Amp\CoroutineState))
#3 phar://C:/Apache24/conf/ssl.le/acme-client.phar/vendor/amphp/amp/lib/PublicPromisor.php(48): Amp\Deferred->resolve(NULL, Object(stdClass))
#4 phar://C:/Apache24/conf/ssl.le/acme-client.phar/vendor/amphp/process/Process.php(106): Amp\Deferred->succeed(Object(stdClass))
#5 phar://C:/Apache24/conf/ssl.le/acme-client.phar/vendor/amphp/amp/lib/NativeReactor.php(100): Amp\Process->Amp\{closure}('000000004da678f...', NULL)
#6 phar://C:/Apache24/conf/ssl.le/acme-client.phar/vendor/amphp/amp/lib/NativeReactor.php(172): Amp\NativeReactor->tryImmediate(Object(stdClass))
#7 phar://C:/Apache24/conf/ssl.le/acme-client.phar/vendor/amphp/amp/lib/NativeReactor.php(71): Amp\NativeReactor->doTick(false)
#8 phar://C:/Apache24/conf/ssl.le/acme-client.phar/vendor/amphp/amp/lib/functions.php(46): Amp\NativeReactor->run(Object(Closure))
#9 phar://C:/Apache24/conf/ssl.le/acme-client.phar/bin/acme(170): Amp\run(Object(Closure))
#10 C:\Apache24\conf\ssl.le\acme-client.phar(2): include('phar://C:/Apach...')
#11 {main}

Here is the Wireshark file for that
Single Domain Fail.zip

Let everything rest for a while (15+ minutes) and tried again. Was able to pick up the final single domain cert.

C:\Apache24\conf\ssl.le>php acme-client.phar auto --ttl 45
Certificate for www.spiritualintersections.org successfully renewed.

Here is the Wireshark file for this final run
Final Success.zip

Couple of thoughts. No idea if they are valid or not. :-)

- Are the DNAME queries needed? There appears to be some question as to whether the DNAME record is now obsolete.

- Is it possible to throttle the DNS queries? Yes, requests would take longer to run, but it might not trigger what appears to be DDoS protections in the DNS server.

- The "Could not obtain directory" error message seems to be tied to failed DNS queries. Is the message correct?

Owner

kelunik commented Jan 5, 2017

> Acme-client is now correctly accessing an internal Softlayer DNS server at 10.0.80.11. Have no idea what software the DNS server is running.

Do you know whether 10.0.80.11 is really the right one? It's now searching all interfaces for nameservers, not sure if that's the right thing to do, but it was required to make our tests work on AppVeyor.

> Are the DNAME queries needed? There appears to be some question as to whether the DNAME record is now obsolete.

I'm not sure about that one. Will defer that question to @DaveRandom and @bwoebi. But we have plans to send the current 4 packets / requests for one resolution in a single packet in the future.

Could you ask your service provider about the failures? I think every server environment should be able to handle 10 concurrent name resolutions without running into DDoS protections.
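The two sides of this exchange (Lodesys' trace of 32 queries getting 16 answers and the suggestion to throttle the lookups; kelunik's point that 10 concurrent resolutions should be fine) come down to how many datagrams are in flight at once. The script below is an added example, not code from acme-client or amphp/dns: it encodes A and AAAA queries in DNS wire format, parses the answers, and resolves a list of names with a hard cap on outstanding queries so that a rate-limited resolver never sees a burst. The resolver address, the cap of 4 and the 2-second timeout are assumptions chosen here, and the sample packets at the bottom are constructed by hand for an offline check, not captured traffic.

```python
"""Bounded-concurrency DNS lookups with a minimal wire-format encoder/decoder.

Added example for this thread; not code from acme-client or amphp/dns.
The resolver address, the in-flight cap and the timeout are parameters
chosen here; the sample packets below are constructed, not captured.
"""
import random
import socket
import struct
from concurrent.futures import ThreadPoolExecutor, as_completed

QTYPES = {"A": 1, "AAAA": 28}


def build_query(name: str, qtype: str, txid: int) -> bytes:
    """Encode a one-question, recursion-desired DNS query (RFC 1035 wire format)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD set
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"
    return header + qname + struct.pack("!HH", QTYPES[qtype], 1)  # class IN


def _read_name(msg: bytes, off: int):
    """Decode a possibly compressed name at off; return (name, offset after it)."""
    labels, end = [], None
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:  # compression pointer: remember where we were, then jump
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels), (end if end is not None else off)


def parse_response(msg: bytes):
    """Return (txid, rcode, addresses) for a DNS response; non-address RRs are skipped."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):  # skip the echoed question section
        _, off = _read_name(msg, off)
        off += 4
    addrs = []
    for _ in range(an):
        _, off = _read_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:
            addrs.append(socket.inet_ntop(socket.AF_INET, rdata))
        elif rtype == 28 and rdlen == 16:
            addrs.append(socket.inet_ntop(socket.AF_INET6, rdata))
    return txid, flags & 0x000F, addrs


def _query(server: str, name: str, qtype: str, timeout: float):
    """One UDP round trip; only a response echoing our random transaction id counts."""
    txid = random.randrange(0, 0x10000)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, qtype, txid), (server, 53))
        try:
            while True:
                data, _ = s.recvfrom(4096)
                rid, rcode, addrs = parse_response(data)
                if rid == txid:
                    return ("ok" if rcode == 0 else "rcode=%d" % rcode, addrs)
        except socket.timeout:
            return ("timeout", [])


def resolve_all(server: str, names, max_in_flight: int = 4, timeout: float = 2.0):
    """Resolve A and AAAA for every name with at most max_in_flight queries outstanding.

    The pool size is the throttle: 8 names x 4 record types sent at once is the
    32-packet burst from the trace above; 4 at a time never looks like one.
    """
    jobs = [(n, t) for n in names for t in QTYPES]
    results = {}
    with ThreadPoolExecutor(max_workers=max_in_flight) as pool:
        futs = {pool.submit(_query, server, n, t, timeout): (n, t) for n, t in jobs}
        for f in as_completed(futs):
            results[futs[f]] = f.result()
    return results


def summarize(results):
    """Count outcomes per status string, e.g. how many 'ok' versus 'timeout'."""
    counts = {}
    for status, _ in results.values():
        counts[status] = counts.get(status, 0) + 1
    return counts


# Constructed sample packets for the offline check (not captured traffic).
SAMPLE_QUERY = (b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
                b"\x07lodesys\x03com\x00\x00\x01\x00\x01")
SAMPLE_ANSWER = (b"\x12\x34\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00"
                 b"\x07lodesys\x03com\x00\x00\x01\x00\x01"
                 b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x01\x2c\x00\x04\xc0\x00\x02\x0a")
SAMPLE_NXDOMAIN = (b"\x00\x02\x81\x83\x00\x01\x00\x00\x00\x00\x00\x00"
                   b"\x09redbrunch\x03org\x00\x00\x1c\x00\x01")

if __name__ == "__main__":
    import sys
    server = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    names = sys.argv[2:] or ["lodesys.com", "redbrunch.org"]
    res = resolve_all(server, names, max_in_flight=4)
    for key in sorted(res):
        print(key, res[key])
    print(summarize(res))
```

Run it as `python dns_throttle.py 10.0.80.11 lodesys.com redbrunch.org redisthenight.org` against the resolver under suspicion, once with `max_in_flight=32` and once with the default of 4; if the timeout count drops only when the cap does, the resolver is limiting bursts per client rather than failing on individual names. Matching the transaction id before accepting a datagram is the minimum a hand-rolled client needs to avoid being fed a spoofed answer on the open UDP socket.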

Author

Lodesys commented Jan 6, 2017

OK, so ran some more tests tonight.

10.0.80.11 is the correct internal primary DNS server for Softlayer. nslookup confirms the IP address is correct. Launched Acme-client and was seeing the same errors as above.

Switched primary DNS for my server to my internal BIND instance (127.0.0.1). Acme-client ran multiple times with no errors and I was able to create SSL certs.

Switched back to 10.0.80.11 and saw the errors again.

Checked with Softlayer and got the following response: For security reasons we can not provide you with the version of Bind that our resolvers run.

I'm running BIND 9.9.... I'm guessing they are on some version of BIND 9.10 or 9.11 ... or some customized software.

So the issue, IMHO, appears to be a version(s) of BIND(?) DNS server software not responding fast enough or as expected. Or some Softlayer virtual network issue that's causing problems with both 10.0.80.11 and 8.8.8.8. :-)

At this point, I would close or put this issue on hold. Once your new DNS "send the ... requests ... in a single packet" is in place, notify me and I will try the various DNS servers again. In the mean time, I'll use 127.0.0.1 and BIND 9.9... as primary DNS, which seems to be working just fine.

Thanks for your help and support!

kelunik removed the bug label Jan 6, 2017
kelunik closed this as completed Jan 6, 2017
Owner

kelunik commented Jan 6, 2017

Yes, 10.0.80.11 is definitely right according to http://knowledgelayer.softlayer.com/faqs/13#26, too.

I'm not sure whether it's a BIND version issue or a configuration issue.

Author

Lodesys commented Jan 27, 2017

BIND 9.10 implemented a Response Rate Limiting Feature to prevent DNS amplification attacks that may be causing this problem. See https://kb.isc.org/article/AA-00994/0/Using-the-Response-Rate-Limiting-Feature-in-BIND-9.10.html Have been using BIND 9.9 for DNS and seeing no problems.
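For readers who run their own resolver, here is what the BIND 9.10 rate-limit feature Lodesys refers to looks like in named.conf. This is an added illustration, not Softlayer's configuration (the thread says that was not disclosed); the numbers, the exempt prefix and the log-only setting are assumptions chosen for a resolver that serves an ACME client. The default counters group identical responses per client prefix (a /24 for IPv4), so eight different names queried four ways each would mostly not collide; all-per-second is the knob that counts every response to a prefix regardless of content and is the one that produces the "half the burst answered" pattern seen in the traces.

```conf
options {
    rate-limit {
        // Identical responses per second to one client prefix (/24 for IPv4 by default).
        responses-per-second 10;
        nxdomains-per-second 5;
        errors-per-second 5;

        // Every response to a client prefix counts, whatever the name or type.
        // Assumed value; this is the limit a burst of 32 queries from one host trips.
        all-per-second 20;

        window 5;        // seconds over which the per-second budgets are averaged
        slip 2;          // answer every 2nd limited query truncated (TC=1) instead of dropping it

        // Assumed prefixes: localhost and the hosting network the ACME client sits in.
        exempt-clients { 127.0.0.1; 10.0.80.0/24; };

        // Start by logging what would be limited; set to no once the limits are tuned.
        log-only yes;
    };
};
```

RRL was designed for authoritative servers that must not be turned into amplifiers; on a recursive resolver shared by a hosting network it penalizes exactly the many-queries-from-one-prefix pattern an ACME client produces, so either exempt the client's prefix or keep the client's own query concurrency low.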

Owner

kelunik commented Jan 28, 2017

Do you have a timeout specified using options timeout:n in your /etc/resolv.conf?

Author

Lodesys commented Jan 28, 2017

I'm running on Windows, not Linux. In Windows, DNS servers are configured under the network adapter settings. AFAIK there are no timeout setting options ... or at least none that I've set.

Owner

kelunik commented Jan 28, 2017

There is one, but we don't support that one yet. Ok, fine then.
