[Dnsmasq-discuss] dnscrypt -dnssec problems
Lonnie Abelbeck
lists at lonnie.abelbeck.com
Thu May 26 01:14:15 BST 2016
On May 25, 2016, at 4:08 PM, wkitty42 at gmail.com wrote:
> On 05/25/2016 03:24 PM, Johnny Appleseed wrote:
>> dig +dnssec wikipedia.org
>> ;; Truncated, retrying in TCP mode.
>>
>> ; <<>> DiG 9.8.3-P1 <<>> +dnssec wikipedia.org
>> ;; global options: +cmd
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 33183
>> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
>>
>> ;; OPT PSEUDOSECTION:
>> ; EDNS: version: 0, flags: do; udp: 4096
>
> why is this EDNS udp 4096 but
>
> [...]
>> dig +dnssec wikipedia.org
>>
>> ; <<>> DiG 9.8.3-P1 <<>> +dnssec wikipedia.org
>> ;; global options: +cmd
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13239
>> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
>>
>> ;; OPT PSEUDOSECTION:
>> ; EDNS: version: 0, flags: do; udp: 1280
>
> this one is only 1280??

It would seem the "EDNS ... udp: 4096" query is using dnscrypt-proxy but the "EDNS ... udp: 1280" query is not.

Johnny, possibly you need "no-resolv" in your dnsmasq.conf?

I assume you have something like:
--
server=127.0.0.1#2053
--
pointing to your dnscrypt-proxy instance.

You may also look into using "proxy-dnssec" if you trust your upstream server's DNSSEC, since it is traveling over a secure dnscrypt-proxy connection.

Lonnie
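
An added example, not part of the original message and not dnsmasq's own code: a small Python check for the situation described above, where dnsmasq.conf forwards to a local dnscrypt-proxy but, without "no-resolv", the resolv.conf upstreams are still in use. It assumes any loopback "server=" entry is the proxy; the function names, finding labels and sample configs are constructed for illustration.

```python
import ipaddress
import re

def parse_conf(text):
    """Return (flags, servers) from dnsmasq.conf text; servers are (ip, port)."""
    flags, servers = set(), []
    for raw in text.splitlines():
        # Simplified comment handling: '#' is a comment only at line start or
        # after whitespace, so the port in server=127.0.0.1#2053 is preserved.
        line = re.split(r"(?:^|\s)#", raw, maxsplit=1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition("=")
        if key.strip() != "server":
            flags.add(key.strip())
            continue
        spec = value.strip().rsplit("/", 1)[-1]  # drop any /domain/ prefix
        ip, _, port = spec.split("@", 1)[0].partition("#")  # drop @source
        if ip:
            servers.append((ip, int(port or 53)))
    return flags, servers

def audit(text):
    """Return labels for ways queries can bypass the local encrypting proxy."""
    flags, servers = parse_conf(text)
    # Assumption: a loopback server= entry is the dnscrypt-proxy listener.
    local = [s for s in servers if ipaddress.ip_address(s[0]).is_loopback]
    remote = [s for s in servers if s not in local]
    findings = []
    if local and "no-resolv" not in flags:
        findings.append("resolv-conf-upstreams-still-used")
    if local and remote:
        findings.append("direct-upstream-configured")
    if "proxy-dnssec" in flags and (findings or not local):
        # The AD bit could be copied from answers that bypassed the proxy.
        findings.append("proxy-dnssec-on-unprotected-path")
    return findings

# Constructed sample configs (not from the thread).
LEAKY = "server=127.0.0.1#2053\nproxy-dnssec\n"
FIXED = "no-resolv  # upstreams only from server= lines\nserver=127.0.0.1#2053\nproxy-dnssec\n"

if __name__ == "__main__":
    for name, conf in (("LEAKY", LEAKY), ("FIXED", FIXED)):
        print(name, audit(conf) or "no bypass found")
```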