Can't resolve hostnames for some TorGuard VPN Servers ~ maximum IP addresses reached issue?

Xentrk

@themiron

I've been living with this issue on Asuswrt-Merlin for probably over one year now. DNS is unable to resolve the host name for some of the TorGuard OpenVPN servers I connect to. The work around is to hard code the IP address in the OpenVPN Client screen. I would rather use the host name. I suspect the number of IP addresses returned is the issue. An nslookup us-la.torguard.com on a Windows CMD line works. But on asuswrt-merlin, I get nslookup: can't resolve 'us-la.torguard.com'. Thank you in advance for looking into the concern.
 
Try to install dig from Entware and check what your DNS server replies with:
Code:
dig a us-la.torguard.com @dns.server.ip.address
dig aaaa us-la.torguard.com @dns.server.ip.address
The old uClibc used in BCM ARM models has a limitation on the max number of addresses in one reply; this can be why.
 
FWIW, I'm using Merlin 384.17, and it (nslookup) works fine.

Code:
ASUSWRT-Merlin RT-AC68U 384.17_0 Sun Apr 26 02:25:09 UTC 2020
admin@merlin-lab1:/tmp/home/root# nslookup us-la.torguard.com
Server:    192.168.61.6
Address 1: 192.168.61.6 vpn-gateway

Name:      us-la.torguard.com
Address 1: 98.143.158.50 98.143.158.50.static.quadranet.com
Address 2: 96.44.175.210 96.44.175.210.static.quadranet.com
Address 3: 96.44.187.34 96.44.187.34.static.quadranet.com
Address 4: 96.44.139.178 96.44.139.178.static.quadranet.com
Address 5: 204.152.214.74 204.152.214.74.static.quadranet.com
Address 6: 69.12.80.74 69.12.80.74.static.quadranet.com
Address 7: 66.154.116.194 66.154.116.194.static.quadranet.com
Address 8: 67.215.231.234 67.215.231.234.static.quadranet.com
Address 9: 204.152.207.226 204.152.207.226.static.quadranet.com
Address 10: 204.152.214.114 204.152.214.114.static.quadranet.com
Address 11: 67.215.237.114 67.215.237.114.static.quadranet.com
Address 12: 96.44.154.98 96.44.154.98.static.quadranet.com
Address 13: 67.215.237.58 67.215.237.58.static.quadranet.com
Address 14: 66.63.172.154 66.63.172.154.static.quadranet.com
Address 15: 67.215.241.26 67.215.241.26.static.quadranet.com
Address 16: 173.254.222.154 173.254.222.154.static.quadranet.com
Address 17: 96.44.175.218 96.44.175.218.static.quadranet.com
Address 18: 204.152.207.202 204.152.207.202.static.quadranet.com
Address 19: 67.215.233.122 67.215.233.122.static.quadranet.com
Address 20: 173.254.218.242 173.254.218.242.static.quadranet.com
Address 21: 204.152.214.106 204.152.214.106.static.quadranet.com
Address 22: 204.152.207.250 204.152.207.250.static.quadranet.com
Address 23: 96.44.159.66 96.44.159.66.static.quadranet.com
Address 24: 204.152.214.130 204.152.214.130.static.quadranet.com
Address 25: 67.215.231.18 67.215.231.18.static.quadranet.com
Address 26: 67.215.228.66 67.215.228.66.static.quadranet.com
Address 27: 204.152.214.34 204.152.214.34.static.quadranet.com
Address 28: 204.152.214.66 204.152.214.66.static.quadranet.com
Address 29: 66.63.172.18 66.63.172.18.static.quadranet.com

Maybe something since 384.17 has changed.
 
P.S. A better workaround would be to convert the output of nslookup to remote directives, giving you additional servers to choose from, and not being stuck w/ the one you happen to pick.

Code:
nslookup us-la.torguard.com | awk '/^Name:/,0 {if (/^Addr[^:]*: [0-9]{1,3}\./) print "remote " $3}'

Add the server-poll-timeout directive and the output of the above (use any domain name you prefer) to custom configuration.

Code:
server-poll-timeout 10
#remote-random
remote 198.55.97.130
remote 67.215.244.186
remote 67.215.246.50
remote 173.254.218.250
remote 204.152.207.178
remote 69.12.90.130
remote 173.254.222.178
remote 67.215.235.2
remote 96.44.187.42
remote 67.215.236.58
remote 96.44.144.218
remote 96.44.132.50
remote 96.44.139.130
remote 67.215.232.186
remote 173.254.222.130
remote 69.12.80.82
remote 67.215.228.58
remote 173.254.222.170
remote 67.215.235.146
remote 173.254.222.162
remote 67.215.234.242
remote 67.215.236.18
remote 67.215.238.18
remote 96.44.175.202
remote 173.254.212.210
remote 204.152.207.194
remote 67.215.236.90
remote 96.44.175.250
remote 67.215.241.242

By default, it will process these sequentially, unless you add the remote-random directive as well (which I commented out).
 
FWIW, I'm using Merlin 384.17, and it (nslookup) works fine.
I think that's because dnsmasq is truncating the reply before it gets to nslookup.
Code:
C:\Users\Colin>nslookup us-la.torguard.com 8.8.8.8
Server:  dns.google
Address:  8.8.8.8

Non-authoritative answer:
Name:    us-la.torguard.com
Addresses:  198.55.97.130
          67.215.234.250
          67.215.231.234
          96.44.163.114
          67.215.236.98
          96.47.229.162
          69.12.90.162
          67.215.236.58
          67.215.237.58
          67.215.236.90
          204.152.214.34
          96.44.159.114
          173.254.212.194
          67.215.232.186
          96.44.187.26
          67.215.236.106
          67.215.241.26
          173.254.222.162
          204.152.214.18
          66.63.172.18
          96.44.155.82
          173.254.222.170
          96.44.175.234
          96.44.175.218
          67.215.228.42
          67.215.228.50
          204.152.214.106
          173.254.218.242
          173.254.218.250
          204.152.214.98
          67.215.227.122
          67.215.236.42
          173.254.222.130
          72.11.148.234
          204.152.207.202
          204.152.214.66
          204.152.214.114
          96.44.187.34
          67.215.228.58
          66.212.31.34
          67.215.235.2
          67.215.231.18
          67.215.234.242
          96.44.187.42
          173.254.218.234
          66.63.172.154
          67.215.237.42
          67.215.235.146
          67.215.235.154
          67.215.228.90
          204.152.207.178
          67.215.236.18
          67.215.236.2
          67.215.236.26
          66.212.30.146
          67.215.237.26
          67.215.236.82
          204.152.207.226
          67.215.244.186
          67.215.237.114
          204.152.207.138
          173.254.212.210
          96.44.139.130
          67.215.238.18
          67.215.240.114
          67.215.241.242
          204.152.207.194
          96.44.175.194
          67.215.246.50
          69.12.80.74
          96.44.154.98
          67.215.233.122
          69.12.90.138
          67.215.228.66
          173.254.218.226
          72.11.148.250
          72.11.150.194
          96.44.132.50
          173.254.222.154
          96.44.139.178
          96.44.139.194
          96.44.144.218
          69.12.80.82
          204.152.207.250
          173.254.222.178
          96.44.159.66
          96.44.159.82
          69.12.90.130
          66.154.116.194
          96.44.175.202
          96.44.175.210
          204.152.214.130
          204.152.207.218
          96.44.175.250
          173.254.222.146
          204.152.214.2
          198.96.91.58
          204.152.214.74
          98.143.158.50

Code:
# nslookup us-la.torguard.com 8.8.8.8
Server:    8.8.8.8
Address 1: 8.8.8.8 dns.google

nslookup: can't resolve 'us-la.torguard.com'

Code:
# nslookup us-la.torguard.com
Server:    127.0.0.1
Address 1: 127.0.0.1 localhost.localdomain

Name:      us-la.torguard.com
Address 1: 96.44.139.130 96.44.139.130.static.quadranet.com
Address 2: 69.12.80.74 69.12.80.74.static.quadranet.com
Address 3: 96.47.229.162 96.47.229.162.static.quadranet.com
Address 4: 67.215.237.26 67.215.237.26.static.quadranet.com
Address 5: 204.152.214.2 204.152.214.2.static.quadranet.com
Address 6: 67.215.237.58 67.215.237.58.static.quadranet.com
Address 7: 69.12.80.82 69.12.80.82.static.quadranet.com
Address 8: 204.152.207.250 204.152.207.250.static.quadranet.com
Address 9: 67.215.241.242 67.215.241.242.static.quadranet.com
Address 10: 67.215.235.146 67.215.235.146.static.quadranet.com
Address 11: 204.152.207.194 204.152.207.194.static.quadranet.com
Address 12: 67.215.246.50 67.215.246.50.static.quadranet.com
Address 13: 204.152.207.218 204.152.207.218.static.quadranet.com
Address 14: 173.254.218.234 173.254.218.234.static.quadranet.com
Address 15: 173.254.222.130 173.254.222.130.static.quadranet.com
Address 16: 69.12.90.138 69.12.90.138.static.quadranet.com
Address 17: 204.152.214.130 204.152.214.130.static.quadranet.com
Address 18: 72.11.148.234 72.11.148.234.static.quadranet.com
Address 19: 72.11.148.250 72.11.148.250.static.quadranet.com
Address 20: 198.96.91.58 198.96.91.58.static.quadranet.com
Address 21: 96.44.132.50 96.44.132.50.static.quadranet.com
Address 22: 173.254.222.170 173.254.222.170.static.quadranet.com
Address 23: 66.63.172.154 66.63.172.154.static.quadranet.com
Address 24: 96.44.139.194 96.44.139.194.static.quadranet.com
Address 25: 67.215.236.26 67.215.236.26.static.quadranet.com
Address 26: 96.44.154.98 96.44.154.98.static.quadranet.com
Address 27: 96.44.155.82 96.44.155.82.static.quadranet.com
Address 28: 96.44.159.114 96.44.159.114.static.quadranet.com
Address 29: 96.44.139.178 96.44.139.178.static.quadranet.com
 
Thanks for the reply. I'm on RT-AC88U. I saw some msgs I didn't notice before when using dig and drill. I get a reply but a warning msg about "truncated" appears and tcp. If I add the tcp flag to the dig and drill commands, the results appear without the warning message. The bind-tools nslookup returns results.

/usr/bin/nslookup
Code:
/usr/bin/nslookup us-la.torguard.com
Server:    1.1.1.1
Address 1: 1.1.1.1 one.one.one.one

nslookup: can't resolve 'us-la.torguard.com'

bind-tools nslookup from entware (/opt/bin/nslookup us-la.torguard.com)
Code:
;; Truncated, retrying in TCP mode.
Server:         1.1.1.1
Address:        1.1.1.1#53

Non-authoritative answer:
Name:   us-la.torguard.com
Address: 67.215.235.146
Name:   us-la.torguard.com
Address: 69.12.80.82
Name:   us-la.torguard.com
<snip>

drill us-la.torguard.com
(Note the trunc message at the end - Msg goes away if I add the TCP (-t) flag to the query)
Code:
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 58429
;; flags: qr tc rd ra ; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;; us-la.torguard.com.  IN      A

;; ANSWER SECTION:

;; AUTHORITY SECTION:

;; ADDITIONAL SECTION:

;; Query time: 38 msec
;; SERVER: 1.1.1.1
;; WHEN: Sat Sep  5 07:32:59 2020
;; MSG SIZE  rcvd: 36

;; WARNING: The answer packet was truncated; you might want to
;; query again with TCP (-t argument), or EDNS0 (-b for buffer size)

dig a us-la.torguard.com (Note the Truncated msg below.)

If I change to dig +tcp us-la.torguard.com, the truncated message does not appear.

Code:
;; Truncated, retrying in TCP mode.

; <<>> DiG 9.16.3 <<>> a us-la.torguard.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8981
;; flags: qr rd ra; QUERY: 1, ANSWER: 99, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;us-la.torguard.com.            IN      A

;; ANSWER SECTION:
us-la.torguard.com.     292     IN      A       67.215.236.26
us-la.torguard.com.     292     IN      A       173.254.218.250
us-la.torguard.com.     292     IN      A       96.44.175.250
us-la.torguard.com.     292     IN      A       96.44.175.218
us-la.torguard.com.     292     IN      A       173.254.222.154
<snip>
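
Added example, not code from any poster or from Asuswrt-Merlin: it rebuilds the 36-byte truncated reply that drill shows above (id 58429, flags qr tc rd ra, ANSWER: 0), checks the TC bit that tells a client to retry over TCP, and works out how many A records fit in one UDP reply. The function names are made up for the example, and the size arithmetic assumes every answer uses a 2-byte compressed name pointer.

```python
import struct

A_RR_SIZE = 2 + 2 + 2 + 4 + 2 + 4  # name pointer, type, class, TTL, rdlength, IPv4
OPT_RR_SIZE = 11                   # EDNS0 OPT record carrying no options

def encode_qname(name):
    """Wire-format a hostname as length-prefixed labels ending in a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_truncated_reply(qid, name):
    """Constructed sample: header plus question only, flags qr tc rd ra."""
    flags = 0x8000 | 0x0200 | 0x0100 | 0x0080
    header = struct.pack("!6H", qid, flags, 1, 0, 0, 0)
    return header + encode_qname(name) + struct.pack("!2H", 1, 1)  # QTYPE A, QCLASS IN

def parse_header(msg):
    if len(msg) < 12:
        raise ValueError("shorter than a DNS header")
    qid, flags, qdcount, ancount, _, _ = struct.unpack("!6H", msg[:12])
    return {"id": qid, "qr": bool(flags & 0x8000), "tc": bool(flags & 0x0200),
            "rcode": flags & 0x000F, "qdcount": qdcount, "ancount": ancount}

def must_retry_over_tcp(msg):
    """A response with TC set is incomplete; the client has to re-ask over TCP."""
    h = parse_header(msg)
    return h["qr"] and h["tc"]

def max_a_records(name, udp_limit, edns=False):
    """How many A records fit in one UDP reply of udp_limit bytes (assumes compression)."""
    fixed = 12 + len(encode_qname(name)) + 4 + (OPT_RR_SIZE if edns else 0)
    return (udp_limit - fixed) // A_RR_SIZE

if __name__ == "__main__":
    reply = build_truncated_reply(58429, "us-la.torguard.com")
    print(len(reply), parse_header(reply), must_retry_over_tcp(reply))
    print(max_a_records("us-la.torguard.com", 512))
    print(max_a_records("us-la.torguard.com", 1232, edns=True))
```

Under those assumptions a plain 512-byte UDP reply holds 29 A records, the same count as the nslookup output obtained through dnsmasq earlier in the thread, and a 1232-byte EDNS0 reply holds 74, still short of the 99 answers dig received over TCP.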
 
Thank you @eibgrad! That is a nice work around.
I add the following one liner to the custom config:

Code:
config "/jffs/configs/la-server.config"

There is a 64 limit to the number of remote addresses. I also found I had to add the port number.

I used the bind-tools nslookup since the busybox nslookup does not work:
Code:
/opt/bin/nslookup us-la.torguard.com | awk '/^Address:/,0 {if (/^Address[^:]*: [0-9]{1,3}\./) print "remote " $2 " 1215"}'

Code:
<snip>
remote 198.96.91.58 1215
remote 173.254.212.194 1215
remote 67.215.236.58 1215
remote 96.44.187.42 1215
remote 67.215.235.2 1215
remote 204.152.214.66 1215
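
Added example, not code from any poster: a stricter version of the nslookup-to-remote conversion discussed above that accepts both busybox and bind-tools output, skips the resolver's own address, drops duplicates and non-public addresses, appends the port and stops at the 64-entry limit mentioned in this post. The function names and the public-address check are assumptions of the example; the sample input is constructed from addresses quoted in the thread.

```python
import ipaddress
import re

MAX_REMOTES = 64  # cap on remote entries reported in the thread

def extract_answer_ips(nslookup_output):
    """Unique public IPv4 answers, in order, from busybox or bind-tools nslookup text."""
    ips, in_answer = [], False
    for line in nslookup_output.splitlines():
        if line.startswith("Name:"):
            in_answer = True  # everything before this is the resolver's own address
            continue
        m = re.match(r"Address(?: \d+)?:\s+(\S+)", line)
        if not (in_answer and m):
            continue
        try:
            ip = ipaddress.IPv4Address(m.group(1))
        except ValueError:
            continue  # IPv6 answer or junk such as "1.1.1.1#53"
        # Added check (assumption): a VPN endpoint should be a public address.
        if ip.is_global and str(ip) not in ips:
            ips.append(str(ip))
    return ips

def build_remote_config(nslookup_output, port, randomize=True, poll_timeout=10):
    """Render OpenVPN directives for the custom configuration or an included file."""
    if not 0 < port < 65536:
        raise ValueError("port out of range")
    ips = extract_answer_ips(nslookup_output)[:MAX_REMOTES]
    if not ips:
        raise ValueError("no usable A records in nslookup output")
    lines = [f"server-poll-timeout {poll_timeout}"]
    if randomize:
        lines.append("remote-random")  # directive suggested earlier in the thread
    lines += [f"remote {ip} {port}" for ip in ips]
    return "\n".join(lines) + "\n"

# Constructed sample in bind-tools format, using addresses quoted in the thread.
SAMPLE = """\
Server:         1.1.1.1
Address:        1.1.1.1#53

Non-authoritative answer:
Name:   us-la.torguard.com
Address: 67.215.235.146
Name:   us-la.torguard.com
Address: 69.12.80.82
Name:   us-la.torguard.com
Address: 67.215.235.146
"""
```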
 
However it will defeat the round-robin selection implemented by DNS, which means you will always end up on the same server. So if your first server turns out to be a slower one, you will always use that slower server.
 
Which is why you should use the remote-random directive. And the fact that DNS round-robins the public IPs does NOT guarantee you'll get the fastest server, or even a faster server (which seems to be what you're suggesting). It's just a simple rotation only intended for load balancing purposes. In order to find the fastest server, you would actually have to speedtest each server, one by one (and I have seen scripts written for that purpose).
 
That's not what I wrote. I wrote that IF it turned out to be a slow server, then you would always be on the same slow server. RR means you won't always get stuck to the same server.
 
