[Dnsmasq-discuss] dnscrypt -dnssec problems

Lonnie Abelbeck lists at lonnie.abelbeck.com
Thu May 26 01:14:15 BST 2016


On May 25, 2016, at 4:08 PM, wkitty42 at gmail.com wrote:

> On 05/25/2016 03:24 PM, Johnny Appleseed wrote:
>> dig +dnssec wikipedia.org
>> ;; Truncated, retrying in TCP mode.
>> 
>> ; <<>> DiG 9.8.3-P1 <<>> +dnssec wikipedia.org
>> ;; global options: +cmd
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 33183
>> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
>> 
>> ;; OPT PSEUDOSECTION:
>> ; EDNS: version: 0, flags: do; udp: 4096
> 
> why is this EDNS udp 4096 but
> 
> [...]
>>  dig +dnssec wikipedia.org
>> 
>> ; <<>> DiG 9.8.3-P1 <<>> +dnssec wikipedia.org
>> ;; global options: +cmd
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13239
>> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
>> 
>> ;; OPT PSEUDOSECTION:
>> ; EDNS: version: 0, flags: do; udp: 1280
> 
> this one is only 1280??

It would seem the "EDNS ... udp: 4096" query is using dnscrypt-proxy but the "EDNS ... udp: 1280" query is not.

Johnny, possibly you need "no-resolv" in your dnsmasq.conf ?

I assume you have something like:
--
server=127.0.0.1#2053
--
pointing to your dnscrypt-proxy instance.

You may also look into using "proxy-dnssec" if you trust your upstream server's DNSSEC, since it is traveling over a secure dnscrypt-proxy connection.

Lonnie
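An added example, not part of this thread and not dnsmasq or dnscrypt-proxy code: it parses the header lines of `dig +dnssec` output the way the reply above reads them (status, flags, EDNS UDP buffer size), applies the "different udp size means a different upstream path" heuristic, and lints a dnsmasq.conf fragment for the two options mentioned, `no-resolv` and `proxy-dnssec`. The dig samples are constructed from the output quoted in the thread; the config fragments and the rule that a `server=127.0.0.1#<port>` entry is the dnscrypt-proxy listener are assumptions for the example.

```python
import re

# Constructed samples: the header lines of the two dig outputs quoted in the thread.
DIG_UDP_4096 = """\
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 33183
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
"""

DIG_UDP_1280 = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13239
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1280
"""

# Constructed dnsmasq.conf fragments: the bare server= line the reply assumes,
# and the same fragment with the two options it suggests.
CONF_BARE = "server=127.0.0.1#2053\n"
CONF_FIXED = "server=127.0.0.1#2053\nno-resolv\nproxy-dnssec\n"


def parse_dig(output):
    """Extract status, header flags, EDNS flags and EDNS UDP size from dig output."""
    info = {"status": None, "flags": [], "edns_flags": [], "udp": None}
    m = re.search(r"status: (\w+)", output)
    if m:
        info["status"] = m.group(1)
    m = re.search(r"^;; flags: ([^;]*);", output, re.M)
    if m:
        info["flags"] = m.group(1).split()
    m = re.search(r"^; EDNS: version: \d+, flags: ([^;]*); udp: (\d+)", output, re.M)
    if m:
        info["edns_flags"] = m.group(1).split()
        info["udp"] = int(m.group(2))
    return info


def likely_same_upstream(out_a, out_b):
    """The reply's heuristic: the EDNS UDP buffer size in a reply is chosen by the
    server that answered, so two replies advertising different sizes very likely
    came over different paths (dnscrypt-proxy vs. a resolv.conf server)."""
    a, b = parse_dig(out_a), parse_dig(out_b)
    return a["udp"] is not None and a["udp"] == b["udp"]


def lint_dnsmasq_conf(text):
    """Flag the two dnsmasq.conf omissions discussed in the reply.

    Assumption (not from the thread): the dnscrypt-proxy upstream is any
    server= entry on 127.0.0.1 with an explicit #port.
    """
    options, servers = set(), []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # dnsmasq comment lines
            continue
        key, _, value = line.partition("=")
        if key == "server":
            servers.append(value)
        else:
            options.add(key)
    findings = []
    local = [s for s in servers if s.startswith("127.0.0.1#")]
    if local and "no-resolv" not in options:
        findings.append("no-resolv missing: dnsmasq also forwards to the servers in "
                        "/etc/resolv.conf, not only to " + ", ".join(local))
    if local and not options & {"proxy-dnssec", "dnssec"}:
        findings.append("neither proxy-dnssec nor dnssec set: the AD bit from the "
                        "dnscrypt-proxy upstream is not passed on to clients")
    return findings


if __name__ == "__main__":
    for out in (DIG_UDP_4096, DIG_UDP_1280):
        print(parse_dig(out))
    print("same upstream:", likely_same_upstream(DIG_UDP_4096, DIG_UDP_1280))
    for finding in lint_dnsmasq_conf(CONF_BARE):
        print("finding:", finding)
    print("fixed config findings:", lint_dnsmasq_conf(CONF_FIXED))
```

Run it as-is to see both dig samples parsed, the heuristic report that they did not come from the same upstream, and the two findings for the bare config disappear once `no-resolv` and `proxy-dnssec` are present. The UDP-size comparison is a hint, not proof; confirming which path answered still means querying dnscrypt-proxy's port directly and comparing.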