[Dnsmasq-discuss] DNSMasq does not resolv *.org domains

Michael Tremer michael.tremer at ipfire.org
Wed Aug 20 21:32:33 BST 2014


On Wed, 2014-08-20 at 19:54 +0100, Simon Kelley wrote:
> On 20/08/14 14:28, Michael Tremer wrote:
> > Hello list,
> > 
> > I think I might have some very similar problem here. It is not specific
> > to dnsmasq. The result is the same as what Conrad has reported.
> > 
> > Whenever dnsmasq is running with DNSSEC enabled, I cannot resolve any
> > DNSSEC-enabled domain. Zones that do not have DNSSEC work as usual.
> > 
> > When tracing with tcpdump what is happening, I can easily see that
> > dnsmasq (or dig [1]) is walking through that DNSSEC key chain and
> > resolving one after another. I am trying to resolve www.ipfire.org for
> > example here. It all gets stuck when dnsmasq tries to fetch the DNSKEY
> > record of the root zone.
> > 
> > 15:16:58.135942 IP 93.200.64.128.46432 > 178.63.73.246.53: 12823+ [1au] DNSKEY? ipfire.org. (39)
> > 15:16:58.170687 IP 178.63.73.246.53 > 93.200.64.128.46432: 12823$ 2/0/1 DNSKEY, DNSKEY (463)
> > 15:17:07.449158 IP 93.200.64.128.37448 > 178.63.73.246.53: 54451+ [1au] A? www.ipfire.org. (43)
> > 15:17:07.483714 IP 178.63.73.246.53 > 93.200.64.128.37448: 54451$ 4/0/1 CNAME web01.ipfire.org., RRSIG, A 178.63.73.246, RRSIG (419)
> > 15:17:07.505287 IP 93.200.64.128.56633 > 178.63.73.246.53: 47477+ [1au] DNSKEY? ipfire.org. (39)
> > 15:17:07.541306 IP 178.63.73.246.53 > 93.200.64.128.56633: 47477$ 3/0/1 DNSKEY, DNSKEY, RRSIG (761)
> > 15:17:07.542774 IP 93.200.64.128.45576 > 178.63.73.246.53: 58759+ [1au] DS? ipfire.org. (39)
> > 15:17:07.576272 IP 178.63.73.246.53 > 93.200.64.128.45576: 58759$ 2/0/1 DS, RRSIG (238)
> > 15:17:07.582642 IP 93.200.64.128.43441 > 178.63.73.246.53: 42710+ [1au] DNSKEY? org. (32)
> > 15:17:07.617901 IP 178.63.73.246.53 > 93.200.64.128.43441: 42710$ 7/0/1 DNSKEY, DNSKEY, DNSKEY, DNSKEY, RRSIG, RRSIG, RRSIG[|domain]
> > 15:17:07.618604 IP 93.200.64.128.51370 > 178.63.73.246.53: 53036+ [1au] DS? org. (32)
> > 15:17:07.649326 IP 178.63.73.246.53 > 93.200.64.128.51370: 53036$ 3/0/1 DS, DS, RRSIG (275)
> > 15:17:07.651213 IP 93.200.64.128.57826 > 178.63.73.246.53: 12511+ [1au] DNSKEY? . (28)
> > 15:17:12.652416 IP 93.200.64.128.57826 > 178.63.73.246.53: 12511+ [1au] DNSKEY? . (28)
> > 15:17:17.657531 IP 93.200.64.128.57826 > 178.63.73.246.53: 12511+ [1au] DNSKEY? . (28)
> > 
> > I am operating the resolver and tried to figure out why that query is
> > never answered. At first I suspected some MTU problem which seems to be
> > just false. The query never reaches my resolver (also works when I use
> > other name servers like 8.8.8.8). I can resolve anything I want except
> > any records of the root zone. Not even the SOA. When I use TCP, I can
> > get the DNSKEYs, but that is nothing that I want to use by default for
> > the obvious reasons.
> > 
> > This is a system connected to the Internet via a DSL link from Deutsche
> > Telekom AG. I have access to multiple places with the same connection
> > and they all work except this one. I wonder if Conrad is experiencing
> > exactly the same or if someone else has ever experienced some similar
> > problem. DNSSEC is basically not usable here.
> 
> Are you saying that the DNSKEY query for the root works when sent to
> 8.8.8.8, but fails when sent to 178.63.73.246? In that case the problem
> is likely to be 178.63.73.246. If both fail, then it's possible your ISP
> is doing bad things with packets to port 53.

It fails for *both* name servers and all others that I tested. I suspect
that the ISP is doing some weird things and I just wanted to know if
that ever happened to someone else, too.

> From here,
> 
> dig @178.63.73.246 dnskey .
> 
> Seems to work fine.

Yes, works from my home and everywhere else. So I don't think that there
is anything wrong with that name server.

> Cheers,
> 
> Simon.
> 
> > 
> > -Michael
> > 
> > [1] dig @178.63.73.246 DNSKEY .
> > 
> > On Mon, 2014-08-18 at 22:03 +0100, Simon Kelley wrote:
> >> On 18/08/14 21:37, Conrad Kostecki wrote:
> >>> Bingo! That seems to be the cause. When I disable dnssec, it's working fine. When I enable it again, it's failing again on *.org domains.
> >>> Why? Do you have some explanation?
> >>
> >> Well, if dnssec is enabled in dnsmasq it needs to do a load of extra
> >> queries to do the validation, so one of them may be failing.
> >>
> >> What happens if you do the queries directly to the google servers, but ask
> >> for dnsmasq validation?
> >>
> >> dig +dnssec domain.org
> >>
> >>
> >> The most useful information at this point would be the logs after
> >> enabling dnssec and log-queries. That would tell us which DNSSEC queries
> >> are timing out.
> >>
> >>
> >> Cheers,
> >>
> >> Simon.
> >>
> >>
> >>>
> >>> Conrad
> >>>
> >>> From: sven falempin <sven.falempin at gmail.com>
> >>> Sent: Thursday, 14 August 2014 23:08
> >>> To: Conrad Kostecki
> >>> Subject: Re: [Dnsmasq-discuss] DNSMasq does not resolv *.org domains
> >>>
> >>> what about sending the dnsmasq conf... maybe dnssec?
> >>>
> >>> and look at your logs
> >>>
> >>>
> >>> On Thu, Aug 14, 2014 at 4:47 PM, Conrad Kostecki <ck at conrad-kostecki.de> wrote:
> >>> Hi!
> >>> I am having a very strange problem. I am unable to resolve any *.org domains via DNSMasq.
> >>> My currently used DNSMasq is 2.72test3-7-g993f8cb. The problem happens only within DNSMasq.
> >>>
> >>> Galactica # cat /etc/resolv.conf
> >>> nameserver 127.0.0.1
> >>> nameserver ::1
> >>> nameserver 8.8.8.8
> >>> nameserver 8.8.4.4
> >>> nameserver 2001:4860:4860::8888
> >>> nameserver 2001:4860:4860::8844
> >>>
> >>> As you see, localhost is defined in the first two lines and then the Google DNS servers, which DNSMasq should use.
> >>> It's pretty funny that DNSMasq just says it can't reach any server. But when I choose the Google DNS directly on the same machine, it works perfectly fine. So which server can't DNSMasq reach?
> >>>
> >>> Galactica # nslookup
> >>>> server 127.0.0.1
> >>> Default server: 127.0.0.1
> >>> Address: 127.0.0.1#53
> >>>> gentoo.org
> >>> ;; connection timed out; no servers could be reached
> >>>> server 8.8.8.8
> >>> Default server: 8.8.8.8
> >>> Address: 8.8.8.8#53
> >>>> gentoo.org
> >>> Server:         8.8.8.8
> >>> Address:        8.8.8.8#53
> >>>
> >>> Non-authoritative answer:
> >>> Name:   gentoo.org
> >>> Address: 89.16.167.134
> >>>>
> >>>
> >>> What did I do wrong? I don't understand this, as it only affects *.org domains?
> >>>
> >>> Conrad
> >>>
> >>> _______________________________________________
> >>> Dnsmasq-discuss mailing list
> >>> Dnsmasq-discuss at lists.thekelleys.org.uk
> >>> http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
> > 
> > 
> 
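The capture above shows dnsmasq walking the chain ipfire.org -> org -> root and then retransmitting the root DNSKEY query without ever getting a UDP answer, while Michael reports that the same query over TCP does return the keys. The following Python is an added diagnostic written for this thread (it is not dnsmasq's code and not anything posted by the participants): it builds the same query dig and dnsmasq send, a DNSKEY question with an EDNS0 OPT record and the DO bit, which is what tcpdump prints as "[1au] DNSKEY? ." and whose sizes (28, 32 and 39 bytes for ".", "org" and "ipfire.org") match the capture, and sends it over UDP and TCP so the two transports can be compared from the affected link. The resolver address in the usage line is taken from the capture and is an assumption; replace it with your own.

```python
import socket
import struct

# Added diagnostic for the thread's failure (not dnsmasq's or the poster's code):
# build the query dnsmasq/dig send when validating the root, DNSKEY for "." with an
# EDNS0 OPT record carrying the DO bit (tcpdump's "[1au] DNSKEY? . (28)"), and send
# it over UDP and TCP to see whether only the UDP reply is lost on the path.

TYPE_DNSKEY, TYPE_OPT, DO_BIT = 48, 41, 0x8000

def encode_name(name):
    """Wire-format a domain name; "." is just the zero-length root label."""
    labels = [l for l in name.strip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_query(name, qtype, qid, udp_size=4096, dnssec=True):
    """Recursive query: one question plus one EDNS0 OPT record (RFC 6891)."""
    header = struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 1)  # RD set, 1 question, 1 additional
    question = encode_name(name) + struct.pack(">HH", qtype, 1)  # class IN
    opt = b"\x00" + struct.pack(">HHIH", TYPE_OPT, udp_size, DO_BIT if dnssec else 0, 0)
    return header + question + opt

def parse_header(reply, qid):
    """Return (rcode, answer_count, truncated) or None if there is no usable reply."""
    if reply is None or len(reply) < 12:
        return None
    rid, flags, _qd, an, _ns, _ar = struct.unpack(">HHHHHH", reply[:12])
    return None if rid != qid else (flags & 0x000F, an, bool(flags & 0x0200))

def send_query(server, payload, tcp=False, timeout=5.0):
    """Send one DNS message; returns the raw reply, or None when UDP gets no answer."""
    if not tcp:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(payload, (server, 53))
            try:
                return s.recv(65535)
            except socket.timeout:
                return None  # the thread's symptom: retransmits, never an answer
    with socket.create_connection((server, 53), timeout=timeout) as s:
        s.sendall(struct.pack(">H", len(payload)) + payload)  # TCP adds a 2-byte length
        (length,) = struct.unpack(">H", s.recv(2, socket.MSG_WAITALL))
        return s.recv(length, socket.MSG_WAITALL)

def compare_transports(server, name=".", qtype=TYPE_DNSKEY, qid=0x30DF):
    """Same query over both transports: UDP None but TCP answered points at the path."""
    q = build_query(name, qtype, qid)
    return {t: parse_header(send_query(server, q, tcp=(t == "tcp")), qid) for t in ("udp", "tcp")}

# Usage (resolver address assumed from the capture): print(compare_transports("178.63.73.246"))
```

Running it on a working link and on the affected DSL link side by side shows whether the UDP DNSKEY reply for the root is being dropped on the path (UDP None, TCP answered) or whether the resolver itself is at fault (both transports fail).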