I recently registered a nice short domain name for someone. I had a choice of registrars. One was my usual domain registrar, and another was a local Isle of Man company who were significantly cheaper. I decided to buy local (and save money!) thinking that I was doing the right thing of supporting a business that pays taxes here and employs local people. I did have a niggling doubt about how good they would be, given that I’d never used them before…
I wasn’t too surprised to see pre-filled IP addresses against my new domain name in their clunky configuration pages. A lot of domain companies do this, so that the new domain points to some advertising pages along the lines of “This domain was just registered by ACME-Domains…” so I duly deleted everything and replaced it all with just the A record that I needed.
Now it was a waiting game. DNS records propagate from server to server across the internet. My registrar claimed this takes around 48 hours. I checked about 24 hours later and nothing had updated. A bit suspect, I felt. So I deleted all the records and re-entered them. This seemed to work, as within minutes I could see DNS servers around the globe serving the correct details. Success. Or so I thought.
I waited another couple of days, and it looked like I was good to go. All the DNS servers I queried around the world were returning the correct IP address for the new domain name. I went ahead and built the website to go with the domain name.
I ran into a problem when trying to get an HTTPS certificate for my site. I use Certbot to do this for me, and it failed. I spent a good while tinkering with my server’s configuration files and double checking everything, but it all seemed to be fine. I was clearly doing something wrong…
Except I wasn’t. I sifted through my server logs to find the error was actually at the point where Certbot queries its own DNS to check the address for my domain. Yep, the DNS which Certbot uses was still returning the original IP address of my registrar’s advertising page! That’s despite it now being almost a week since I updated the DNS records.
A little digging later and it looked like half the planet had the correct DNS info, while the other half didn’t. I queried my registrar’s name server. You know, the one which should have the definitive records. Most of the time I got the result I expected, but sometimes it would spit out the rogue record. I assume they have a few DNS servers behind a load-balancer and some of these servers were telling lies.
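One way to repeat the check described above, as an added example that is not from the original post: it asks each authoritative name server for the A record many times with recursion disabled and tallies the replies, so a backend that intermittently serves a stale address shows up as a second line for the same server. The function names, the default of 20 rounds and the addresses in the usage comment are assumptions, and it needs dig installed.

```sh
#!/bin/sh
# Added example (not from the original post).
# Usage: sh ns_check.sh <domain> <expected-ip> [rounds]   (constructed names)

# Query every authoritative server for the domain `rounds` times with
# recursion disabled and print one "server answer" pair per query.
collect() {
  c_domain=$1
  c_rounds=$2
  for c_ns in $(dig +short NS "$c_domain"); do
    c_i=0
    while [ "$c_i" -lt "$c_rounds" ]; do
      # Sort and join multiple A records so record rotation is not flagged.
      c_answer=$(dig +norecurse +short A "$c_domain" "@$c_ns" | sort | paste -sd, -)
      echo "$c_ns ${c_answer:-NOANSWER}"
      c_i=$((c_i + 1))
    done
  done
}

# Read "server answer" pairs on stdin, print a count per distinct pair, and
# return 1 if any reply (or no reply at all) differs from the expected address.
summarize() {
  s_tally=$(sort | uniq -c)
  printf '%s\n' "$s_tally"
  printf '%s\n' "$s_tally" |
    awk -v want="$1" '$3 != want { bad = 1 } END { exit bad + 0 }'
}

# Run only when called with arguments, e.g.: sh ns_check.sh example.com 203.0.113.10
if [ "$#" -ge 2 ]; then
  collect "$1" "${3:-20}" | summarize "$2"
fi
```

A non-zero exit status means at least one authoritative reply did not match the expected address, which is worth resolving before requesting a certificate.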
Anyway, it was time to try out my registrar’s “industry reputation for reliability, support and customer success” which they tout on their website. To be fair, it wasn’t too long before I was able to chat with a human rather than an AI. Of course it must be my fault. I need to clear my DNS caches and the like. I pushed on, giving evidence of their misdeeds with some screenshots of the queries and replies from their own name servers. The person on the other end of the chat was able to “update the records” and magically the solution propagated around the internet. Funnily enough, it only took about half an hour this time, instead of the quoted 48!
I asked the support person what the issue was. They denied there was a problem. It’s just that these things take time. I was curious though, and provided more evidence, and even cheekily asked if their DNS service is unreliable. In the end, the support staff conceded “there was a glitch”.
So, it’s nice to know I *do* actually know what I’m doing when it comes to domain names, DNS, webservers and HTTPS. It also shows that you probably do get what you pay for when it comes to buying domain names. My decision to go cheap (but local!) might not have been the best, but I suppose I should be thankful I was able to get a reasonably quick solution from their support channels.
Whenever anything breaks on the internet, it’s always DNS…