Authoritative DNS returns NXDOMAIN for routerpool7.rlb.teamviewer.com

Teamviewer is unable to connect to the servers because it is getting NXDOMAIN replies when trying to connect to router7.teamviewer.com (or any other routerX hostname).

The auhtoritative response to router7.teamviewer.com is ok and it is a CNAME routerpool7.rlb.teamviewer.com. But response to A query for routerpool7.rlb.teamviewer.com on authoritave DNS server 185.81.208.1 is NXDOMAIN

@185.81.208.1 routerpool7.rlb.teamviewer.com

; <<>> DiG 9.10.3-P4-Ubuntu <<>> @185.81.208.1 routerpool7.rlb.teamviewer.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 45639
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;routerpool7.rlb.teamviewer.com. IN A

;; Query time: 186 msec
;; SERVER: 185.81.208.1#53(185.81.208.1)
;; WHEN: Tue Apr 28 08:21:23 CEST 2020
;; MSG SIZE rcvd: 5

This happens only in specific network. Could that be an issue on your DNS server or datacenter? 

Besides that it seems that there is also an issue with DNSSEC according to dnsviz https://dnsviz.net/d/router7.teamviewer.com/Xqc93A/dnssec/

tv.PNG

Tagged:

Best Answer

Answers

  • JeanK
    JeanK Posts: 7,052 Community Manager 🌍
    edited December 2020

    Hello @anyuserqwerty 

    Thank you for your message and welcome in the Community! ?

    We have forwarded your input to our dedicated team.
    We are investigating this right now.

    Best,

    Jean

    Community Manager

  • jeansieb
    jeansieb Posts: 2

    Good day

    What is the update of this issue?
    I see that we are also randomly getting NXDOMAIN for any of the routerpoolX.rlb.teamviewer.com domains from all of your authorative servers. 
    DNSSEC is still broken (Incomplete) which seems to be the cause for this.
    https://dnsviz.net/d/router7.teamviewer.com/Xqc93A/dnssec/
    https://dnsviz.net/d/router5.teamviewer.com/dnssec/

  • jeansieb
    jeansieb Posts: 2

    Good day

    Of further investigation I am finding that randomly, any of the routerpoolX.rlb.teamviewer.com hostnames can not get and answer from ANY of the TeamViewer name servers

    tv-ns1.rlb.teamviewer.com
    tv-ns2.rlb.teamviewer.com
    tv-ns3.rlb.teamviewer.com
    tv-ns4.rlb.teamviewer.com
    tv-ns5.rlb.teamviewer.com

    Direct lookup against them, a dig +trace from a host, or a recursive lookup via my server, all have this behaviour and show that the authorative servers are randomly giving a NXDOMAIN answer.

    DNSSEC is still broken for your DNS, and has been reported months ago. 

    When can we expect a resolution to this?

  • 768kb
    768kb Posts: 1
    edited December 2020

    This is still the same:

    Dec 20 19:35:39 fedoralaptop systemd-resolved[733]: [🡕] DNSSEC validation failed for question routerpool11.rlb.teamviewer.com IN SOA: failed-auxiliary

    Dec 20 19:35:40 fedoralaptop systemd-resolved[733]: [🡕] DNSSEC validation failed for question routerpool5.rlb.teamviewer.com IN SOA: failed-auxiliary

    Dec 20 19:35:40 fedoralaptop systemd-resolved[733]: [🡕] DNSSEC validation failed for question routerpool12.rlb.teamviewer.com IN A: failed-auxiliary

    Dec 20 19:35:40 fedoralaptop systemd-resolved[733]: [🡕] DNSSEC validation failed for question routerpool6.rlb.teamviewer.com IN A: failed-auxiliary

    Guys, please disable DNSSEC, or take some time to configure it right.

  • This is still a problem. I have to manually disable DNSSEC validation on any of my personal or customer networks where TeamViewer is in use. I'm sick of compromising my security just to use this app.

    DNSSEC isn't hard. Log me onto your DNS servers and I'll fix this in minutes. It shouldn't take TeamViewer years to even respond.

  • Quppa
    Quppa Posts: 2

    @JeanK can this be raised again internally?

    This issue means that TeamViewer is broken (stuck in the 'Not ready. Please check your connection' state) on a fresh Fedora install when using DNS servers that support DNSSEC (including Cloudflare's 1.1.1.1 and Google's 8.8.8.8).

    https://www.quppa.net/blog/2022/11/07/teamviewer-dnssec-broken/

  • JeanK
    JeanK Posts: 7,052 Community Manager 🌍
    Answer ✓

    We have made changes to the DNS setup, which should fix this problem.

    Please test again to see if the problem persists or is resolved.

    @Quppa @rhymeswithmogul @768kb @jeansieb @anyuserqwerty

    We are looking forward to hearing your feedback!

    /JeanK

    Community Manager

  • Quppa
    Quppa Posts: 2

    Thanks @JeanK - I can confirm my systemd-resolved issue is gone and the DNS analysis looks healthier (before, after).

  • JeanK
    JeanK Posts: 7,052 Community Manager 🌍

    Thank you, @Quppa, for taking the time to update us!

    Have a great day, and see you soon!

    /JeanK

    Community Manager