[Dnsmasq-discuss] DNSMasq does not resolve *.org domains

Michael Tremer michael.tremer at ipfire.org
Wed Aug 20 14:28:59 BST 2014


Hello list,

I think I might have a very similar problem here. It is not specific
to dnsmasq. The result is the same as what Conrad has reported.

Whenever dnsmasq is running with DNSSEC enabled, I cannot resolve any
DNSSEC-enabled domain. Zones that do not have DNSSEC work as usual.

When tracing with tcpdump what is happening, I can easily see that
dnsmasq (or dig [1]) is walking through that DNSSEC key chain and
resolving one after another. I am trying to resolve www.ipfire.org for
example here. It all gets stuck when dnsmasq tries to fetch the DNSKEY
record of the root zone.

15:16:58.135942 IP 93.200.64.128.46432 > 178.63.73.246.53: 12823+ [1au] DNSKEY? ipfire.org. (39)
15:16:58.170687 IP 178.63.73.246.53 > 93.200.64.128.46432: 12823$ 2/0/1 DNSKEY, DNSKEY (463)
15:17:07.449158 IP 93.200.64.128.37448 > 178.63.73.246.53: 54451+ [1au] A? www.ipfire.org. (43)
15:17:07.483714 IP 178.63.73.246.53 > 93.200.64.128.37448: 54451$ 4/0/1 CNAME web01.ipfire.org., RRSIG, A 178.63.73.246, RRSIG (419)
15:17:07.505287 IP 93.200.64.128.56633 > 178.63.73.246.53: 47477+ [1au] DNSKEY? ipfire.org. (39)
15:17:07.541306 IP 178.63.73.246.53 > 93.200.64.128.56633: 47477$ 3/0/1 DNSKEY, DNSKEY, RRSIG (761)
15:17:07.542774 IP 93.200.64.128.45576 > 178.63.73.246.53: 58759+ [1au] DS? ipfire.org. (39)
15:17:07.576272 IP 178.63.73.246.53 > 93.200.64.128.45576: 58759$ 2/0/1 DS, RRSIG (238)
15:17:07.582642 IP 93.200.64.128.43441 > 178.63.73.246.53: 42710+ [1au] DNSKEY? org. (32)
15:17:07.617901 IP 178.63.73.246.53 > 93.200.64.128.43441: 42710$ 7/0/1 DNSKEY, DNSKEY, DNSKEY, DNSKEY, RRSIG, RRSIG, RRSIG[|domain]
15:17:07.618604 IP 93.200.64.128.51370 > 178.63.73.246.53: 53036+ [1au] DS? org. (32)
15:17:07.649326 IP 178.63.73.246.53 > 93.200.64.128.51370: 53036$ 3/0/1 DS, DS, RRSIG (275)
15:17:07.651213 IP 93.200.64.128.57826 > 178.63.73.246.53: 12511+ [1au] DNSKEY? . (28)
15:17:12.652416 IP 93.200.64.128.57826 > 178.63.73.246.53: 12511+ [1au] DNSKEY? . (28)
15:17:17.657531 IP 93.200.64.128.57826 > 178.63.73.246.53: 12511+ [1au] DNSKEY? . (28)

I am operating the resolver and tried to figure out why that query is
never answered. At first I suspected some MTU problem which seems to be
just false. The query never reaches my resolver (also works when I use
other name servers like 8.8.8.8). I can resolve anything I want except
any records of the root zone. Not even the SOA. When I use TCP, I can
get the DNSKEYs, but that is nothing that I want to use by default for
the obvious reasons.

This is a system connected to the Internet via a DSL link from Deutsche
Telekom AG. I have access to multiple places with the same connection
and they all work except this one. I wonder if Conrad is experiencing
exactly the same or if someone else has ever experienced some similar
problem. DNSSEC is basically not usable here.

-Michael

[1] dig @178.63.73.246 DNSKEY .

On Mon, 2014-08-18 at 22:03 +0100, Simon Kelley wrote:
> On 18/08/14 21:37, Conrad Kostecki wrote:
> > Bingo! That seems to be the cause. When I disable dnssec, it's working fine. When I enable it again, it's failing again on *.org domains.
> > Why? Do you have some explanation?
> 
> Well, if dnssec is enabled in dnsmasq it needs to do load of extra
> queries to do the validation, so one of them may be failing.
> 
> What happens if you do the queries direct to the google servers, but ask
> for dnsmasq validation?
> 
> dig +dnssec domain.org
> 
> 
> The most useful information at this point would be the logs after
> enabling dnssec and log-queries. That would tell us which DNSSEC queries
> are timing out.
> 
> 
> Cheers,
> 
> Simon.
> 
> 
> > 
> > Conrad
> > 
> > From: sven falempin [mailto:sven.falempin at gmail.com]
> > Sent: Thursday, 14 August 2014 23:08
> > To: Conrad Kostecki
> > Subject: Re: [Dnsmasq-discuss] DNSMasq does not resolve *.org domains
> > 
> > what about sending the dnsmasq conf... maybe dnssec ?
> > 
> > and look at your logs
> > 
> > 
> > On Thu, Aug 14, 2014 at 4:47 PM, Conrad Kostecki <ck at conrad-kostecki.de> wrote:
> > Hi!
> > I am having a very strange problem. I am unable to resolve any *.org domains via DNSMasq.
> > My currently used DNSMasq is 2.72test3-7-g993f8cb. The problem happens only within DNSMasq.
> > 
> > Galactica # cat /etc/resolv.conf
> > nameserver 127.0.0.1
> > nameserver ::1
> > nameserver 8.8.8.8
> > nameserver 8.8.4.4
> > nameserver 2001:4860:4860::8888
> > nameserver 2001:4860:4860::8844
> > 
> > As you see, localhost is defined in the first two lines and then the Google DNS servers, which DNSMasq should use.
> > It's pretty funny that DNSMasq just says it can't reach any server. But when I choose the Google DNS directly on the same machine, it works perfectly fine. So which server can't DNSMasq reach?
> > 
> > Galactica # nslookup
> >> server 127.0.0.1
> > Default server: 127.0.0.1
> > Address: 127.0.0.1#53
> >> gentoo.org
> > ;; connection timed out; no servers could be reached
> >> server 8.8.8.8
> > Default server: 8.8.8.8
> > Address: 8.8.8.8#53
> >> gentoo.org
> > Server:         8.8.8.8
> > Address:        8.8.8.8#53
> > 
> > Non-authoritative answer:
> > Name:   gentoo.org
> > Address: 89.16.167.134
> >>
> > 
> > What did I do wrong? I don't understand this, as it only affects *.org domains?
> > 
> > Conrad
> > 
> > _______________________________________________
> > Dnsmasq-discuss mailing list
> > Dnsmasq-discuss at lists.thekelleys.org.uk
> > http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
> > 
> > 
> > 
> > --
> > ---------------------------------------------------------------------------------------------------------------------
> > () ascii ribbon campaign - against html e-mail
> > /\
> > 
> > 
> > 
> > 
> 
> 



