[Dnsmasq-discuss] DNSMasq does not resolv *.org domains

Simon Kelley simon at thekelleys.org.uk
Wed Aug 20 19:54:13 BST 2014


On 20/08/14 14:28, Michael Tremer wrote:
> Hello list,
> 
> I think I might have some very similar problem here. It is not specific
> to dnsmasq. The result is the same to what Conrad has reported.
> 
> Whenever dnsmasq is running with DNSSEC enabled, I cannot resolve any
> DNSSEC-enabled domain. Zones that do not have DNSSEC work as usual.
> 
> When tracing with tcpdump what is happening, I can easily see that
> dnsmasq (or dig [1]) is walking through that DNSSEC key chain and
> resolving one after another. I am trying to resolve www.ipfire.org for
> example here. It all gets stuck when dnsmasq tries to fetch the DNSKEY
> record of the root zone.
> 
> 15:16:58.135942 IP 93.200.64.128.46432 > 178.63.73.246.53: 12823+ [1au] DNSKEY? ipfire.org. (39)
> 15:16:58.170687 IP 178.63.73.246.53 > 93.200.64.128.46432: 12823$ 2/0/1 DNSKEY, DNSKEY (463)
> 15:17:07.449158 IP 93.200.64.128.37448 > 178.63.73.246.53: 54451+ [1au] A? www.ipfire.org. (43)
> 15:17:07.483714 IP 178.63.73.246.53 > 93.200.64.128.37448: 54451$ 4/0/1 CNAME web01.ipfire.org., RRSIG, A 178.63.73.246, RRSIG (419)
> 15:17:07.505287 IP 93.200.64.128.56633 > 178.63.73.246.53: 47477+ [1au] DNSKEY? ipfire.org. (39)
> 15:17:07.541306 IP 178.63.73.246.53 > 93.200.64.128.56633: 47477$ 3/0/1 DNSKEY, DNSKEY, RRSIG (761)
> 15:17:07.542774 IP 93.200.64.128.45576 > 178.63.73.246.53: 58759+ [1au] DS? ipfire.org. (39)
> 15:17:07.576272 IP 178.63.73.246.53 > 93.200.64.128.45576: 58759$ 2/0/1 DS, RRSIG (238)
> 15:17:07.582642 IP 93.200.64.128.43441 > 178.63.73.246.53: 42710+ [1au] DNSKEY? org. (32)
> 15:17:07.617901 IP 178.63.73.246.53 > 93.200.64.128.43441: 42710$ 7/0/1 DNSKEY, DNSKEY, DNSKEY, DNSKEY, RRSIG, RRSIG, RRSIG[|domain]
> 15:17:07.618604 IP 93.200.64.128.51370 > 178.63.73.246.53: 53036+ [1au] DS? org. (32)
> 15:17:07.649326 IP 178.63.73.246.53 > 93.200.64.128.51370: 53036$ 3/0/1 DS, DS, RRSIG (275)
> 15:17:07.651213 IP 93.200.64.128.57826 > 178.63.73.246.53: 12511+ [1au] DNSKEY? . (28)
> 15:17:12.652416 IP 93.200.64.128.57826 > 178.63.73.246.53: 12511+ [1au] DNSKEY? . (28)
> 15:17:17.657531 IP 93.200.64.128.57826 > 178.63.73.246.53: 12511+ [1au] DNSKEY? . (28)
> 
> I am operating the resolver and tried to figure out why that query is
> never answered. At first I suspected some MTU problem which seems to be
> just false. The query never reaches my resolver (also works when I use
> other name servers like 8.8.8.8). I can resolve anything I want except
> any records of the root zone. Not even the SOA. When I use TCP, I can
> get the DNSKEYs, but that is nothing that I want to use by default for
> the obvious reasons.
> 
> This is a system connected to the Internet via a DSL link from Deutsche
> Telekom AG. I have access to multiple places with the same connection
> and they all work except this one. I wonder if Conrad is experiencing
> exactly the same or if someone else has ever experienced some similar
> problem. DNSSEC is basically not usable here.

Are you saying that the DNSKEY query for the root works when sent to
8.8.8.8, but fails when sent to 178.63.73.246? In that case the problem
is likely to be 178.63.73.246. If both fail, then it's possible your ISP
is doing bad things with packets to port 53.

From here,

dig @178.63.73.246 dnskey .

Seems to work fine.


Cheers,

Simon.

> 
> -Michael
> 
> [1] dig @178.63.73.246 DNSKEY .
> 
> On Mon, 2014-08-18 at 22:03 +0100, Simon Kelley wrote:
>> On 18/08/14 21:37, Conrad Kostecki wrote:
>>> Bingo! That seems to be the cause. When I disable dnssec, it's working fine. When I enable it again, it's failing again on *.org domains.
>>> Why? Do you have some explanation?
>>
>> Well, if dnssec is enabled in dnsmasq it needs to do a load of extra
>> queries to do the validation, so one of them may be failing.
>>
>> What happens if you do the queries direct to the google servers, but ask
>> for dnsmasq validation?
>>
>> dig +dnssec domain.org
>>
>>
>> The most useful information at this point would be the logs after
>> enabling dnssec and log-queries. That would tell us which DNSSEC queries
>> are timing out.
>>
>>
>> Cheers,
>>
>> Simon.
>>
>>
>>>
>>> Conrad
>>>
>>> Von: sven falempin [mailto:sven.falempin at gmail.com]
>>> Gesendet: Donnerstag, 14. August 2014 23:08
>>> An: Conrad Kostecki
>>> Betreff: Re: [Dnsmasq-discuss] DNSMasq does not resolv *.org domains
>>>
>>> what about sending the dnsmasq conf... maybe dnssec ?
>>>
>>> and look at your logs
>>>
>>>
>>> On Thu, Aug 14, 2014 at 4:47 PM, Conrad Kostecki <ck at conrad-kostecki.de> wrote:
>>> Hi!
>>> I am having a very strange problem. I am unable to resolve any *.org domains via DNSMasq.
>>> My currently used DNSMasq is 2.72test3-7-g993f8cb. The problem happens only within DNSMasq.
>>>
>>> Galactica # cat /etc/resolv.conf
>>> nameserver 127.0.0.1
>>> nameserver ::1
>>> nameserver 8.8.8.8
>>> nameserver 8.8.4.4
>>> nameserver 2001:4860:4860::8888
>>> nameserver 2001:4860:4860::8844
>>>
>>> As you see, localhost is defined in the first two lines and then the Google DNS servers, which DNSMasq should use.
>>> It's pretty funny that DNSMasq just says it can't reach any server. But when I choose the Google DNS directly on the same machine, it works perfectly fine. So which server can't DNSMasq reach?
>>>
>>> Galactica # nslookup
>>>> server 127.0.0.1
>>> Default server: 127.0.0.1
>>> Address: 127.0.0.1#53
>>>> gentoo.org
>>> ;; connection timed out; no servers could be reached
>>>> server 8.8.8.8
>>> Default server: 8.8.8.8
>>> Address: 8.8.8.8#53
>>>> gentoo.org
>>> Server:         8.8.8.8
>>> Address:        8.8.8.8#53
>>>
>>> Non-authoritative answer:
>>> Name:   gentoo.org
>>> Address: 89.16.167.134
>>>>
>>>
>>> What did I do wrong? I don't understand this, as it only affects *.org domains??
>>>
>>> Conrad
>>>
>>> _______________________________________________
>>> Dnsmasq-discuss mailing list
>>> Dnsmasq-discuss at lists.thekelleys.org.uk
>>> http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
>>>
>>>
>>>
>>> --
>>> ---------------------------------------------------------------------------------------------------------------------
>>> () ascii ribbon campaign - against html e-mail
>>> /\
>>>
>>>
>>>
>>>
>>
>>
> 
> 

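Simon's suggestion is to send the root DNSKEY query to each upstream separately and compare, and Michael's trace shows the specific pattern to look for: the 28-byte `DNSKEY? .` query retried three times over UDP with no answer, while the same query succeeds over TCP. The script below is an added diagnostic, not dnsmasq code and not posted by anyone in the thread. It builds the same query dnsmasq sends (EDNS0 OPT record, 4096-byte UDP buffer, DO bit set), sends it over UDP and then TCP to a resolver given on the command line (the `127.0.0.1` default and the probe function names are my assumptions), checks that the answer carries the query's transaction ID before trusting it, and reports whether UDP answers are being lost while TCP works. The byte sizes it produces match the tcpdump lines above (28 bytes for the root query, 39 for `ipfire.org`).

```python
"""Probe a resolver's UDP vs TCP behaviour for the root DNSKEY query (added example)."""
import socket
import struct
import sys

DNSKEY = 48       # RR type of the query
OPT = 41          # EDNS0 pseudo-RR type
DO_FLAG = 0x8000  # "DNSSEC OK" bit, low 16 bits of the OPT TTL field


def encode_name(name):
    """Dotted name -> wire format; "." (the root) encodes as a single zero byte."""
    out = b""
    for label in name.strip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype=DNSKEY, txid=0x1234, udp_size=4096):
    """Wire-format query: header with RD set, one question, one OPT record."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN
    # OPT: root name, type 41, "class" = advertised UDP payload size,
    # "TTL" = extended rcode/version (0) plus the DO flag, empty RDATA.
    opt = b"\x00" + struct.pack("!HHIH", OPT, udp_size, DO_FLAG, 0)
    return header + question + opt


def parse_header(msg):
    """Decode the 12-byte DNS header."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & 0x8000), "tc": bool(flags & 0x0200),
            "rcode": flags & 0x000F, "ancount": an, "arcount": ar}


def status_of(query, response):
    """Map a raw response to "ok", "truncated" or "error" (ID mismatch or garbage)."""
    if len(response) < 12:
        return "error"
    hdr = parse_header(response)
    if hdr["id"] != parse_header(query)["id"] or not hdr["qr"]:
        return "error"  # not an answer to our question; do not trust it
    return "truncated" if hdr["tc"] else "ok"


def query_udp(server, query, timeout=5.0):
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server, 53))
        return s.recvfrom(65535)[0]


def recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed early")
        buf += chunk
    return buf


def query_tcp(server, query, timeout=5.0):
    with socket.create_connection((server, 53), timeout=timeout) as s:
        s.sendall(struct.pack("!H", len(query)) + query)  # TCP frames each message with a length
        length = struct.unpack("!H", recv_exact(s, 2))[0]
        return recv_exact(s, length)


def classify(udp, tcp):
    """Turn the pair of transport results into a diagnosis."""
    if udp == "ok":
        return "udp-ok"
    if udp == "timeout" and tcp == "ok":
        return "udp-lost-tcp-ok"  # large UDP answers dropped on the path: the thread's symptom
    if udp == "truncated" and tcp == "ok":
        return "udp-truncated-tcp-ok"  # buffer too small; TCP fallback is doing its job
    if udp == "timeout" and tcp == "timeout":
        return "server-unreachable"
    return "inconclusive"


def probe(server, name="."):
    """Run the UDP and TCP probes against one server and classify the outcome."""
    query = build_query(name)
    results = {}
    for transport, fn in (("udp", query_udp), ("tcp", query_tcp)):
        try:
            results[transport] = status_of(query, fn(server, query))
        except socket.timeout:
            results[transport] = "timeout"
        except OSError:
            results[transport] = "error"
    results["verdict"] = classify(results["udp"], results["tcp"])
    return results


if __name__ == "__main__":
    # Usage: python3 probe.py 178.63.73.246   (defaults to the local resolver, an assumption)
    print(probe(sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"))
```

Running it against each upstream in turn separates the two cases Simon distinguishes: `server-unreachable` from every server points at port 53 being interfered with on the link, while `udp-lost-tcp-ok` from one server and `udp-ok` from another points at that server or the path to it. The transaction-ID check matters because a resolver under test must not be judged on a stray or spoofed datagram.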