DNS not resolving some domains

Happy new year everyone!

I’m having trouble resolving some domain names from a Debian machine using the internal MikroTik DNS resolver, see example with domain name php.net below. Other domain names are resolved successfully.
The issue occurs only with large DNS answers, e.g. while doing an “ANY” request. If requesting for example A or MX for the same domain name, everything is fine.


(192.168.1.1 is the IP of the MikroTik with v7.13)

root@linux-server:/# dig any php.net

; <<>> DiG 9.18.19-1~deb12u1-Debian <<>> any php.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 8617
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;php.net.                       IN      ANY

;; Query time: 10004 msec
;; SERVER: 192.168.1.1#53(192.168.1.1) (TCP)
;; WHEN: Mon Jan 01 22:30:33 CET 2024
;; MSG SIZE  rcvd: 25

If using the Google DNS on the Debian machine, everything is working as expected:

root@linux-server:/# dig any php.net @8.8.8.8

; <<>> DiG 9.18.19-1~deb12u1-Debian <<>> any php.net @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1269
;; flags: qr rd ra; QUERY: 1, ANSWER: 11, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;php.net.                       IN      ANY

;; ANSWER SECTION:
php.net.                300     IN      SOA     ns1.php.net. admin.easydns.com. 1704142862 16384 2048 1048576 2560
php.net.                30      IN      MX      0 php-smtp4-ip4.php.net.
php.net.                300     IN      TXT     "_globalsign-domain-verification=YKIbqgUIt0x2vDkmdYS8TzqfqP6jyVp2fVVyJWyopw"
php.net.                300     IN      TXT     "v=spf1 ip4:140.211.15.143 ip4:45.112.84.5 ip4:142.93.197.176 ip6:2604:a880:400:d0::1c74:1001 ip6:2a02:cb43:8000::1102 ip4:157.90.121.187 ip6:2a01:4f8:1c1e:416d::1 ?all"
php.net.                300     IN      TXT     "google-site-verification=R0anXzbL507wmRx5iv1S-5jN55RYVo2UYIqFP2L_k1g"
php.net.                300     IN      A       185.85.0.29
php.net.                300     IN      AAAA    2a02:cb40:200::1ad
php.net.                300     IN      NS      dns2.easydns.net.
php.net.                300     IN      NS      dns3.easydns.org.
php.net.                300     IN      NS      dns1.easydns.com.
php.net.                300     IN      NS      dns4.easydns.info.

;; Query time: 16 msec
;; SERVER: 8.8.8.8#53(8.8.8.8) (TCP)
;; WHEN: Mon Jan 01 22:30:38 CET 2024
;; MSG SIZE  rcvd: 622

I thought the problem might be related to the pppoe uplink and some MTU stuff. Reducing MTU / MRU to lower values has no positive effect.

Extract from the config (let me know if you’d like to see more):

/ip dns
set allow-remote-requests=yes cache-max-ttl=1d cache-size=4096KiB servers=8.8.8.8

/interface pppoe-client
add add-default-route=yes disabled=no interface=combo1 max-mru=1492 max-mtu=1492 name=Telekom-DSL profile=telekom user=00000123456789@t-online.de

MikroTik log during the failed DNS request:

23:12:40 dns query from 255.255.255.255: #420373 php.net. ALL 
23:12:50 dns done query: #420373 dns server failure

Any ideas would be helpful! Thank you very much!

Well,
show firewall - maybe a tcp/53 is cut somewhere? (just a hunch)

capture a pcap - on client side and on MT, both in LAN and - WAN (PPPoE) side

/ip dns cache flush

and what does
/ip dns cache all
say?

Also when:
/ip dns
set allow-remote-requests=yes

Be careful - the whole internet could use your machine as an open DNS resolver (use firewall, don’t allow queries from internet/wan side)

Port 53 input is accepted for UDP as well as TCP. Firewall filters are fine.


Did that. Doesn’t help.


No record related to the example domain php.net.

If your MT device is setup properly, why are you here? Try a debian forum!
If you want help then provide the config and we can decide, based on EVIDENCE not opinion, that there is nothing amiss on your config.

/export file=anynameyouwish ( minus router serial number, public WANIP information, keys, long lists of dhcp leases etc. )

# 2024-01-01 23:23:18 by RouterOS 7.13
# model = CCR1009-7G-1C-1S+
/interface bridge add arp=proxy-arp name=bridge port-cost-mode=short priority=0x1000
/interface ethernet set [ find default-name=combo1 ] rx-flow-control=auto tx-flow-control=auto
/interface ethernet set [ find default-name=ether1 ] rx-flow-control=auto tx-flow-control=auto
/interface ethernet set [ find default-name=ether2 ] rx-flow-control=auto tx-flow-control=auto
/interface ethernet set [ find default-name=ether3 ] rx-flow-control=auto tx-flow-control=auto
/interface ethernet set [ find default-name=ether4 ] rx-flow-control=auto tx-flow-control=auto
/interface ethernet set [ find default-name=ether5 ] rx-flow-control=auto tx-flow-control=auto
/interface ethernet set [ find default-name=ether6 ] rx-flow-control=auto tx-flow-control=auto
/interface ethernet set [ find default-name=ether7 ] rx-flow-control=auto tx-flow-control=auto
/interface ethernet set [ find default-name=sfp-sfpplus1 ] rx-flow-control=auto tx-flow-control=auto
/interface vlan add interface=combo1 name=combo1-v7 vlan-id=7
/interface list add name=WAN
/interface list add name=LAN
/ppp profile add name=telekom
/interface pppoe-client add add-default-route=yes disabled=no interface=combo1 max-mru=1400 max-mtu=1480 name=Telekom-DSL profile=telekom user=00000123456789@t-online.de
/interface bridge port add bridge=bridge ingress-filtering=no interface=ether1 internal-path-cost=10 path-cost=10
/interface bridge port add bridge=bridge ingress-filtering=no interface=ether2 internal-path-cost=10 path-cost=10
/interface bridge port add bridge=bridge ingress-filtering=no interface=ether3 internal-path-cost=10 path-cost=10
/interface bridge port add bridge=bridge ingress-filtering=no interface=ether4 internal-path-cost=10 path-cost=10
/interface bridge port add bridge=bridge ingress-filtering=no interface=ether7 internal-path-cost=10 path-cost=10
/interface bridge port add bridge=bridge ingress-filtering=no interface=sfp-sfpplus1 internal-path-cost=10 path-cost=10
/ip neighbor discovery-settings set discover-interface-list=!dynamic
/ip settings set max-neighbor-entries=8192
/ipv6 settings set disable-ipv6=yes max-neighbor-entries=8192
/interface list member add interface=combo1 list=WAN
/interface list member add interface=bridge list=LAN
/interface list member add interface=combo1-v7 list=WAN
/interface list member add interface=Telekom-DSL list=WAN
/interface list member add interface=sfp-sfpplus1 list=LAN
/ip address add address=192.168.1.1/24 interface=bridge network=192.168.1.0
/ip dns set allow-remote-requests=yes cache-max-ttl=1d cache-size=4096KiB servers=8.8.8.8
/ip firewall address-list add address=192.168.1.0/24 list=intern
/ip firewall filter add action=accept chain=input comment="accept established,related" connection-state=established,related
/ip firewall filter add action=accept chain=input comment="accept ICMP" protocol=icmp
/ip firewall filter add action=accept chain=input comment="Accept incoming connections to router from intern" connection-state=new src-address-list=intern
/ip firewall filter add action=accept chain=forward comment="accept established,related" connection-state=established,related
/ip firewall filter add action=accept chain=forward comment="Accept forwarding DSTNAT" connection-nat-state=dstnat connection-state=new in-interface-list=WAN
/ip firewall filter add action=accept chain=forward comment="Acceppt internet access from intern" connection-state=new out-interface-list=WAN src-address-list=intern
/ip firewall filter add action=drop chain=forward comment="Drop *"
/ip firewall filter add action=drop chain=input comment="Drop *"
/ip firewall nat add action=masquerade chain=srcnat out-interface-list=WAN
/ip firewall nat add action=dst-nat chain=dstnat comment="HTTP & HTTPS" dst-port=80,443 in-interface-list=WAN log=yes protocol=tcp to-addresses=192.168.1.100
/ip firewall nat add action=dst-nat chain=dstnat comment="VOIP Presence and Provisioning HTTPS" dst-port=5001 in-interface-list=WAN protocol=tcp to-addresses=192.168.1.150 to-ports=5001
/ip firewall nat add action=dst-nat chain=dstnat comment="VOIP SIP UDP" dst-port=5060 in-interface-list=WAN protocol=udp to-addresses=192.168.1.150 to-ports=5060
/ip firewall nat add action=dst-nat chain=dstnat comment="VOIP SIP TCP" dst-port=5060 in-interface-list=WAN protocol=tcp to-addresses=192.168.1.150 to-ports=5060
/ip firewall nat add action=dst-nat chain=dstnat comment="VOIP SIP TLS" dst-port=5061 in-interface-list=WAN protocol=tcp to-addresses=192.168.1.150 to-ports=5061
/ip firewall nat add action=dst-nat chain=dstnat comment="VOIP Media UDP" dst-port=9000-10999 in-interface-list=WAN protocol=udp to-addresses=192.168.1.150 to-ports=9000-10999
/ip firewall nat add action=dst-nat chain=dstnat comment="VOIP Tunnel TCP" dst-port=5090 in-interface-list=WAN protocol=tcp to-addresses=192.168.1.150 to-ports=5090
/ip firewall nat add action=dst-nat chain=dstnat comment="VOIP Tunnel UDP" dst-port=5090 in-interface-list=WAN protocol=udp to-addresses=192.168.1.150 to-ports=5090

Observations
(1) The vlan7 you assigned to combo1 is all very nice but where is it in your pppoe connection??

/interface pppoe-client add add-default-route=yes disabled=no interface=combo1 max-mru=1400 max-mtu=1480 name=Telekom-DSL profile=telekom user=

If indeed the ISP is providing pppoe over vlan7 then your config should be:
/interface pppoe-client add add-default-route=yes disabled=no **interface=**combo1-v7 max-mru=1400 max-mtu=1480 name=Telekom-DSL profile=telekom user=

(2) The interface list member should be as follows
/interface list member add interface=combo1 list=WAN → not needed can be removed
/interface list member add interface=bridge list=LAN
/interface list member add interface=combo1-v7 list=WAN → probably not needed as the interface name is what is required and that is Telekom-DSL
/interface list member add interface=Telekom-DSL list=WAN
/interface list member add interface=sfp-sfpplus1 list=LAN

(3) Your Input chain rule is disorganized, keep chains together for easy viewing, understanding etc…

(4) You don’t need connection-state=new on firewall rules.

(5) Why don’t you use a fasttrack rule in the forward chain?

(6) Clearly NOT the complete config…

Thus cannot comment further.

Workaround: Adding a DoH server (e.g. https://dns.google/dns-query) fixed the problem.

I haven’t been able to identify the root cause yet. My guess is that MikroTik is sending its DNS requests to the upstream DNS with DF (don’t fragment) and the response packets have to be fragmented due to the amount of DNS records. All tests with different MTU / MRU on the PPPoE client interface failed.

If 192.168.1.1 is your Mikrotik, what is this then?

/ip address add address=192.1.1.1/24 interface=bridge network=192.1.1.0
/ip dns set allow-remote-requests=yes cache-max-ttl=1d cache-size=4096KiB servers=8.8.8.8
/ip firewall address-list add address=192.1.1.0/24 list=intern

Hard to say as the OP thinks he knows better by not providing the evidence and information to make an accurate diagnosis.

Thanks for your help guys!


My fault! I made a search & replace error when removing the real addresses from the export. I’ve corrected the IPs in the above post.

VLAN 7 was left over from an old config. Removed it. Thanks for the hint!

I hardly think that RFC1918 IP addresses are a security problem. Keep these where they are and remove the public ones, as well as the keys, usernames and hashes, and serial numbers when you post the full config.

The problem in the excerpt you posted is that the query is received from 255.255.255.255 - here is one on my mikrotik:

 21:28:39 dns query from 192.168.2.254: #239527 www.whitehouse.gov. A
 21:28:39 dns done query: #239527 www.whitehouse.gov. 192.0.66.168

See? Unicast, not broadcast.

Post the full configuration. Without that, can’t help you.

You are very brave you have port 53 exposed to the world and you were so proud of it :slight_smile:

You clearly didn’t read the DNS WIKI, did you?
https://help.mikrotik.com/docs/display/ROS/DNS

see this they put it in a green box

When DNS server allow-remote-requests are used make sure that you limit access to your server over TCP and UDP protocol port 53 only for known hosts.

You are probably getting DNS attacked by every assphat under the sun and yes your DNS goes flaky.

DNS requests are only accepted from internal network via this rule:
/ip firewall filter add action=accept chain=input comment="Accept incoming connections to router from intern" connection-state=new src-address-list=intern
Requests from WAN are dropped via:
/ip firewall filter add action=drop chain=input comment="Drop *"



Please try again with an ANY request. Also in other (working) setups I get the log entry “dns query from 255.255.255.255” when using dig with ANY.

You won’t get reliable answers with ANY for some domains anyway, see rfc8482

; <<>> DiG 9.10.6 <<>> any whitehouse.gov @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31249
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;whitehouse.gov.			IN	ANY

;; ANSWER SECTION:
whitehouse.gov.		3600	IN	HINFO	"RFC8482" ""
whitehouse.gov.		3600	IN	RRSIG	HINFO 8 2 3600 20240107025553 20240105005553 10104 gov. n84jyIFK6NfnAkx+rmwD73ZCIWzyc/5JNCA4rNrkE3f3ZdlyQTbuHW1n q8G2OZdYXvGRvhJf9kzXMgUvOGGP/JOz8+5/OCgj/Da0tP/IS6MYbZfB 3mLDwL0XS+5F78e1p89C/O/XmKwRdsAaJbLf2RzpMVPtDm5zfCSk/VpX 7qOd0OqW5OuBCJWFyqHyJGihQ3OG/P6xlSIXeDMrbHD88Q==

;; Query time: 284 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Sat Jan 06 02:55:53 CET 2024
;; MSG SIZE  rcvd: 259

In my case it is working when I set 8.8.8.8 in ROS DNS as upstream

; <<>> DiG 9.10.6 <<>> any php.net @192.168.100.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9457
;; flags: qr rd ra; QUERY: 1, ANSWER: 11, AUTHORITY: 4, ADDITIONAL: 0

;; QUESTION SECTION:
;php.net.			IN	ANY

;; ANSWER SECTION:
php.net.		300	IN	SOA	ns1.php.net. admin.easydns.com. 1704506462 16384 2048 1048576 2560
php.net.		30	IN	MX	0 php-smtp4-ip4.php.net.
php.net.		300	IN	TXT	"v=spf1 ip4:140.211.15.143 ip4:45.112.84.5 ip4:142.93.197.176 ip6:2604:a880:400:d0::1c74:1001 ip6:2a02:cb43:8000::1102 ip4:157.90.121.187 ip6:2a01:4f8:1c1e:416d::1 ?all"
php.net.		300	IN	TXT	"google-site-verification=R0anXzbL507wmRx5iv1S-5jN55RYVo2UYIqFP2L_k1g"
php.net.		300	IN	TXT	"_globalsign-domain-verification=YKIbqgUIt0x2vDkmdYS8TzqfqP6jyVp2fVVyJWyopw"
php.net.		300	IN	A	185.85.0.29
php.net.		300	IN	AAAA	2a02:cb40:200::1ad
php.net.		300	IN	NS	dns2.easydns.net.
php.net.		300	IN	NS	dns4.easydns.info.
php.net.		300	IN	NS	dns1.easydns.com.
php.net.		300	IN	NS	dns3.easydns.org.

;; AUTHORITY SECTION:
php.net.		300	IN	NS	dns2.easydns.net.
php.net.		300	IN	NS	dns4.easydns.info.
php.net.		300	IN	NS	dns1.easydns.com.
php.net.		300	IN	NS	dns3.easydns.org.

;; Query time: 362 msec
;; SERVER: 192.168.100.1#53(192.168.100.1)
;; WHEN: Sat Jan 06 03:11:44 CET 2024
;; MSG SIZE  rcvd: 686

but I got SERVFAIL when it’s set to server which doesn’t support ANY like Pi-Hole or Unbound (they return NOTIMP). Even Cloudflare (1.1.1.1) deprecated ANY - https://blog.cloudflare.com/rfc8482-saying-goodbye-to-any
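As an added example (not code from any post in this thread, and not MikroTik's or dig's own code), a small Python DNS wire-format helper that builds an ANY query and tells apart the three outcomes the thread shows: the resolver's SERVFAIL with no answers, a NOTIMP from a resolver that does not implement ANY, and an RFC 8482 HINFO "RFC8482" placeholder instead of the real RRsets. The response messages are constructed inline for the example, not captured from a real resolver.

```python
import struct

QTYPE_ANY, QTYPE_HINFO, CLASS_IN = 255, 13, 1
RCODE_NAMES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}

def encode_name(name):
    """Encode a dotted name into DNS wire-format labels (no compression)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"

def build_query(name, qtype, txid=0x1234):
    """Build a query like `dig any <name>`: RD set, one question, no EDNS OPT record."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)

def decode_name(msg, off):
    """Decode a possibly compressed name; return (name, offset just after it)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer: follow it, resume after its 2 bytes
            end = end if end is not None else off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (end if end is not None else off)

def classify_response(msg):
    """Summarise what the resolver did: rcode, TC bit, answer count, and whether the
    'answer' is only an RFC 8482 HINFO placeholder instead of the real RRsets."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):  # skip the question section
        _name, off = decode_name(msg, off)
        off += 4
    rfc8482 = False
    for _ in range(an):
        _name, off = decode_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        # HINFO rdata is <len>CPU<len>OS; RFC 8482 answers carry CPU="RFC8482", OS=""
        if rtype == QTYPE_HINFO and rdata[1:1 + rdata[0]] == b"RFC8482":
            rfc8482 = True
    return {"rcode": RCODE_NAMES.get(flags & 0xF, str(flags & 0xF)),
            "truncated": bool(flags & 0x0200), "answers": an, "rfc8482": rfc8482}

def build_response(query, rcode, answers=()):
    """Fabricate a reply to `query` (QR/RD/RA set, question copied) for the samples below."""
    rrs = b"".join(encode_name(n) + struct.pack("!HHIH", t, CLASS_IN, ttl, len(rd)) + rd
                   for n, t, ttl, rd in answers)
    header = struct.pack("!HHHHHH", struct.unpack("!H", query[:2])[0], 0x8180 | rcode,
                         1, len(answers), 0, 0)
    return header + query[12:] + rrs

# Constructed samples: the MikroTik-style SERVFAIL (25 bytes, as in the OP's "MSG SIZE rcvd: 25"),
# a NOTIMP from a resolver that refuses ANY, and an RFC 8482 HINFO reply.
QUERY = build_query("php.net", QTYPE_ANY)
SERVFAIL, NOTIMP = build_response(QUERY, 2), build_response(QUERY, 4)
MASKED = build_response(build_query("whitehouse.gov", QTYPE_ANY), 0,
                        [("whitehouse.gov", QTYPE_HINFO, 3600, b"\x07RFC8482\x00")])
```

Feeding bytes received over UDP or TCP from the resolver under test into classify_response applies the same classification to live answers. The TC bit it reports is the signal that an oversize UDP answer was truncated and the client must retry over TCP.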

If your MT device is setup properly, why are you here? Try a debian forum!

If you want help then provide the config and we can decide, based on EVIDENCE not opinion, that there is nothing amiss on your config.

(3) Your Input chain rule is disorganized, keep chains together for easy viewing, understanding etc…

(6) Clearly NOT the complete config…

Hard to say as the OP thinks he knows better by not providing the evidence and information to make an accurate diagnosis.

You clearly didn’t read the DNS WIKI did you

Kinda concerned about the partially negative and judging tone in this community recently. Feeling sorry for the OPs who are faced with this, when being a bit kinder and forthcoming wouldn’t cost a thing.

Yup, I agree: lots of negativity. On the other hand, the forum is full of messages of people demanding help and of “consultants” asking for help but really having the members of the forum doing their jobs. Nothing more pleasant than seeing a guy whose credentials are obviously “was able to install a TP-link at his house” start installing routers for clients. He inevitably gets into issues and the net result is that that client’s trust in network engineers is diminished.

Anyway, regarding the question at hand. I did tests.

With Mikrotik, I suspect the logging has a bug - using ANY queries result in weird source addresses. This may simply be that the ANY request is not handled in code and has a bit of an unpredictable result. I will open a ticket with the support to report the issue.

13:02:41 dns,packet --- got query from 48.70.4.0:58282:
13:02:41 dns,packet id:14a6 rd:1 tc:0 aa:0 qr:0 ra:0 QUERY 'no error' 2
13:02:41 dns,packet question: www.whitehouse.gov.:ALL:IN
13:02:41 dns,packet additional:
13:02:41 dns,packet <.:UNKNOWN (41):0=rawbytes:12>
13:02:41 dns query from 48.70.4.0: #283750 www.whitehouse.gov. ALL
13:02:41 dns,packet --- sending udp query to 172.29.0.1:53:

It was mentioned that ANY queries have been more or less deprecated as there is no real, legitimate use for them[1], and some ISPs are not responding to them. Using whitehouse.gov as an example, some servers respond, others don’t.

NS               Response
8.8.8.8          Yes
1.1.1.1          No
9.9.9.9          Yes
208.67.222.222   No
193.110.81.9     No

Ticket open - SUP-139658

You are forgetting the (I believe more common) case of the guy who “was able to install a TP-link at his house” and wants to replace it with a Mikrotik (without claiming to be a network engineer, nor doing it for clients), he is seemingly not treated much more kindly.

Which server responds answer for that domain and is not masked by RFC 8482? Masked responses are useless (example in my previous post).

8.8.8.8 and 9.9.9.9 respond, see below for the full response which is identical between 8.8.8.8 and 9.9.9.9. The other 3 I tried don’t respond (1.1.1.1, 208.67.222.222, 193.110.81.9). As you correctly indicated in your earlier message, the error is “NOTIMP.”

All of these are public resolvers that anyone can query.

; <<>> DiG 9.18.18-0ubuntu0.22.04.1-Ubuntu <<>> ANY whitehouse.gov @9.9.9.9
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31367
;; flags: qr rd ra; QUERY: 1, ANSWER: 21, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;whitehouse.gov.			IN	ANY

;; ANSWER SECTION:
whitehouse.gov.		300	IN	NSEC3PARAM 1 0 1 D4D891484D1ED95E
whitehouse.gov.		300	IN	RRSIG	NSEC3PARAM 13 2 300 20240109220212 20240106210212 13144 whitehouse.gov. 1RCH7VqTcimGifNVWQJF1Gx1p+DzJPvQApo/YcZwncIdmGSlJGM3l6Bg PUqkbffy7kkTVHrKWQKoyabViA9+xA==
whitehouse.gov.		300	IN	A	192.0.66.168
whitehouse.gov.		300	IN	RRSIG	A 13 2 300 20240109220212 20240106210212 13144 whitehouse.gov. GHb5tiJi6isxCJgTFHd/DtLS4fnm2qIVrs3Xb00HgZgRlGeqeR5w3yGE VaczNKX7pqK/cAWoh+e/Ut1uI+/iyA==
whitehouse.gov.		300	IN	AAAA	2a04:fa87:fffd::c000:42a8
whitehouse.gov.		300	IN	RRSIG	AAAA 13 2 300 20240109220212 20240106210212 13144 whitehouse.gov. DwmiqwcwPa+Io66GIc+IT7tHtWwIAGG4ZN7JG4grwZ7SMTQVAr3AJgaA KnWlU6FzJ/qi96B1KxmxPSvc98d8IA==
whitehouse.gov.		300	IN	SOA	399e-adcs001.ede.pitc.gov. postmaster.whitehouse.gov. 2017022510 300 300 604800 300
whitehouse.gov.		300	IN	RRSIG	SOA 13 2 300 20240109220212 20240106210212 13144 whitehouse.gov. c1LPzqUOILWhu1QjmxUls1icrD41S6W9oOgWA+xz3f7fDMsZG5hVp892 Pql6N6W0GjWWvXKCd6fg1sTU8SOfGw==
whitehouse.gov.		3600	IN	NS	a1-61.akam.net.
whitehouse.gov.		3600	IN	NS	a3-67.akam.net.
whitehouse.gov.		3600	IN	NS	a22-66.akam.net.
whitehouse.gov.		3600	IN	NS	a12-64.akam.net.
whitehouse.gov.		3600	IN	NS	a5-64.akam.net.
whitehouse.gov.		3600	IN	NS	a20-65.akam.net.
whitehouse.gov.		3600	IN	RRSIG	NS 13 2 3600 20240109220212 20240106210212 13144 whitehouse.gov. JhkihbAIGvlJCvVDDw70z2oAfQsadu5QoECA0U6PrJACIc/9zRBEjVml Asl0dVG+jjb+t+67Pz9x/y/5hP8SGA==
whitehouse.gov.		7200	IN	DNSKEY	257 3 13 DxacCrTcl+JVxjXbN7d5xiAbeD15h/CAHAwY7k2dzK2W1B9muSwUW1lm JOi9zQxhMVZ0QWnSgVeKXvmt5g+T1g==
whitehouse.gov.		7200	IN	DNSKEY	256 3 13 wAggPbe1QZV8wu/7Enkt78w2Yl0+zufTk24YBVI3ppR3+Gk5rxNtRBcM 767f6+qQ2s5+TgOVOsfC/5kKOWxTOw==
whitehouse.gov.		7200	IN	DNSKEY	256 3 13 fuhg2P8BMgLfKJyeHNshz7VRplL0xz+IeIc8pXtl72MCauGsfxfdT5s8 AHeTJf31xvFF9pLPjZulJ439p8g+mw==
whitehouse.gov.		7200	IN	RRSIG	DNSKEY 13 2 7200 20240109220212 20240106210212 58791 whitehouse.gov. QOBQwKl0Qo8IP+JQbxi3WE18C/x6iSMY14tDESo9RuonXxZ5TUTFSiRg 2XhG8FjJSE2mqXgTMzW97uTjCMchsQ==
whitehouse.gov.		3600	IN	TXT	"v=spf1 +mx include:spf.mandrillapp.com ip4:214.3.140.16/32 ip4:214.3.140.255/32 ip4:214.3.115.12/32 ip4:214.3.115.10/32 ip4:214.3.115.225/32 ip4:214.3.115.14/32 ip4:214.3.140.22/32 ~all"
whitehouse.gov.		3600	IN	RRSIG	TXT 13 2 3600 20240109220212 20240106210212 13144 whitehouse.gov. sKoLEof0KQMCQjBMg7J7mqfAs1UmaoP8GOWluvzbfskQLhRxXfZjq61r f9S+M6K4k3KInCPP5Szt7Ss06kp/JQ==

;; Query time: 64 msec
;; SERVER: 9.9.9.9#53(9.9.9.9) (TCP)
;; WHEN: Sun Jan 07 14:04:24 CET 2024
;; MSG SIZE  rcvd: 1520

That being said, the point is not so much to find which domains return a complete record set and which don’t, but more to see which DNS resolvers return something vs which don’t. The point is also to understand why the Mikrotik logs display a source address that is incorrect, in my case the log shows the query coming from “48.70.4.0” where the IP address of my host is 192.168.2.254. This looks like the code path for the ANY query (which has often been flagged as a “special case”) may have a bug.