[Dnsmasq-discuss] Dnsmasq responses broken for Linux and Mac clients, but working on Windows and Android clients
Timo Sigurdsson
public_timo.s at silentcreek.de
Thu Oct 20 00:47:19 BST 2016
Hi again,
I have more details to add to my question - the issue just occurred
again and I was able to capture a failed DNS query on the router. Full
details below the cited original message...
Timo Sigurdsson wrote on 19.10.2016 22:45:
> Hi,
>
> I have a weird issue with Dnsmasq which I think is related to DNSSEC, but I
> don't exactly understand why or what is happening and how to fix it.
>
> I'm currently running Dnsmasq 2.76 on my router powered by a fairly recent
> build of LEDE (r1792, Kernel 4.4.23). DNSSEC validation and
> DNSSEC-check-unsigned are both turned on.
>
> Sometimes, the Linux and Mac clients in my network cannot resolve random domain
> names. But at the same time, resolution of the exact same names works on
> Windows clients as well as my Android devices - and even on the router itself.
> When I restart Dnsmasq everything works again.
>
> For example, just now, my Debian machine could not resolve the domain
> security.debian.org. `nslookup security.debian.org` would show:
> ;; Truncated, retrying in TCP mode.
> Server: 192.168.123.1
> Address: 192.168.123.1#53
>
> ** server can't find security.debian.org: SERVFAIL
>
<snip>
So, the query for security.debian.org happened to fail again.
Apparently Dnsmasq ABANDONS the DNSSEC validation. I also
think that my initial assessment that my Windows clients are still able
to resolve the name was wrong. Because now a quick test on a Windows
machine shows the same error for the same domain - probably the results
during my previous tests were still cached on the machine itself.
Anyway, so here is the log of the captured DNS query (timestamps
removed for better readability - but it all happens within 5 seconds):
dnsmasq[9650]: 23525 192.168.123.75/52394 query[A] security.debian.org from 192.168.123.75
dnsmasq[9650]: 23525 192.168.123.75/52394 forwarded security.debian.org to 2001:4860:4860::8844
dnsmasq[9650]: 23525 192.168.123.75/52394 forwarded security.debian.org to 8.8.8.8
dnsmasq[9650]: 23526 192.168.123.75/52394 query[AAAA] security.debian.org from 192.168.123.75
dnsmasq[9650]: 23526 192.168.123.75/52394 forwarded security.debian.org to 2001:4860:4860::8844
dnsmasq[9650]: 23527 192.168.123.75/52395 query[A] ftp.de.debian.org from 192.168.123.75
dnsmasq[9650]: 23527 192.168.123.75/52395 forwarded ftp.de.debian.org to 2001:4860:4860::8844
dnsmasq[9650]: 23528 192.168.123.75/52395 query[AAAA] ftp.de.debian.org from 192.168.123.75
dnsmasq[9650]: 23528 192.168.123.75/52395 forwarded ftp.de.debian.org to 2001:4860:4860::8844
dnsmasq[9650]: * 192.168.123.75/52394 dnssec-query[DS] debian.org to 2001:4860:4860::8844
dnsmasq[9650]: * 192.168.123.75/52395 dnssec-query[DS] debian.org to 2001:4860:4860::8844
dnsmasq[9650]: * 192.168.123.75/52394 dnssec-query[DS] debian.org to 2001:4860:4860::8844
dnsmasq[9650]: * 192.168.123.75/52395 dnssec-query[DS] debian.org to 2001:4860:4860::8844
dnsmasq[9650]: * 192.168.123.75/52394 dnssec-query[DNSKEY] org to 2001:4860:4860::8844
dnsmasq[9650]: * 192.168.123.75/52395 dnssec-query[DNSKEY] org to 2001:4860:4860::8844
dnsmasq[9650]: * 192.168.123.75/52394 dnssec-query[DNSKEY] org to 2001:4860:4860::8844
dnsmasq[9650]: * 192.168.123.75/52395 dnssec-query[DNSKEY] org to 2001:4860:4860::8844
dnsmasq[9650]: 23525 192.168.123.75/52394 reply security.debian.org is 212.211.132.32
dnsmasq[9650]: 23525 192.168.123.75/52394 reply security.debian.org is 195.20.242.89
dnsmasq[9650]: 23525 192.168.123.75/52394 reply security.debian.org is 212.211.132.250
dnsmasq[13030]: 23529 192.168.123.75/57452 query[A] security.debian.org from 192.168.123.75
dnsmasq[9650]: 23528 192.168.123.75/52395 reply ftp.de.debian.org is NODATA-IPv6
dnsmasq[9650]: 23527 192.168.123.75/52395 reply ftp.de.debian.org is 141.76.2.4
dnsmasq[9650]: 23526 192.168.123.75/52394 reply security.debian.org is 2001:a78:5::216:35ff:fe7f:be4f
dnsmasq[9650]: 23526 192.168.123.75/52394 reply security.debian.org is 2001:a78:5:1:216:35ff:fe7f:6ceb
dnsmasq[13031]: 23629 192.168.123.75/57453 query[A] ftp.de.debian.org from 192.168.123.75
dnsmasq[13030]: 23529 192.168.123.75/57452 forwarded security.debian.org to 2001:4860:4860::8844
dnsmasq[13030]: * 192.168.123.75/57452 dnssec-query[DS] debian.org to 2001:4860:4860::8844
dnsmasq[13031]: 23629 192.168.123.75/57453 forwarded ftp.de.debian.org to 2001:4860:4860::8844
dnsmasq[13031]: * 192.168.123.75/57453 dnssec-query[DS] debian.org to 2001:4860:4860::8844
dnsmasq[13030]: * 192.168.123.75/57452 dnssec-query[DNSKEY] org to 2001:4860:4860::8844
dnsmasq[13031]: * 192.168.123.75/57453 dnssec-query[DNSKEY] org to 2001:4860:4860::8844
dnsmasq[13030]: * 192.168.123.75/57452 reply org is DNSKEY keytag 17883, algo 7
dnsmasq[13030]: * 192.168.123.75/57452 reply org is DNSKEY keytag 48497, algo 7
dnsmasq[13030]: * 192.168.123.75/57452 reply org is DNSKEY keytag 9795, algo 7
dnsmasq[13030]: * 192.168.123.75/57452 reply org is DNSKEY keytag 64353, algo 7
dnsmasq[13030]: * 192.168.123.75/57452 reply debian.org is DS keytag 62260, algo 8, digest 2
dnsmasq[13030]: * 192.168.123.75/57452 dnssec-query[DS] security.debian.org to 2001:4860:4860::8844
dnsmasq[13031]: * 192.168.123.75/57453 reply org is DNSKEY keytag 48497, algo 7
dnsmasq[13031]: * 192.168.123.75/57453 reply org is DNSKEY keytag 17883, algo 7
dnsmasq[13031]: * 192.168.123.75/57453 reply org is DNSKEY keytag 9795, algo 7
dnsmasq[13031]: * 192.168.123.75/57453 reply org is DNSKEY keytag 64353, algo 7
dnsmasq[13031]: * 192.168.123.75/57453 reply debian.org is DS keytag 62260, algo 8, digest 2
dnsmasq[13031]: * 192.168.123.75/57453 dnssec-query[DNSKEY] debian.org to 2001:4860:4860::8844
dnsmasq[13030]: * 192.168.123.75/57452 dnssec-query[DNSKEY] debian.org to 2001:4860:4860::8844
dnsmasq[13031]: * 192.168.123.75/57453 reply debian.org is DNSKEY keytag 22800, algo 8
dnsmasq[13031]: * 192.168.123.75/57453 reply debian.org is DNSKEY keytag 62260, algo 8
dnsmasq[13031]: * 192.168.123.75/57453 reply debian.org is DNSKEY keytag 7866, algo 8
dnsmasq[13031]: 23629 192.168.123.75/57453 validation result is SECURE
dnsmasq[13031]: 23629 192.168.123.75/57453 reply ftp.de.debian.org is 141.76.2.4
dnsmasq[13031]: 23630 192.168.123.75/57453 query[AAAA] ftp.de.debian.org from 192.168.123.75
dnsmasq[13030]: 23529 192.168.123.75/57452 validation security.debian.org is ABANDONED
dnsmasq[13030]: 23529 192.168.123.75/57452 reply security.debian.org is 195.20.242.89
dnsmasq[13030]: 23529 192.168.123.75/57452 reply security.debian.org is 212.211.132.32
dnsmasq[13030]: 23529 192.168.123.75/57452 reply security.debian.org is 212.211.132.250
dnsmasq[13030]: 23530 192.168.123.75/57452 query[AAAA] security.debian.org from 192.168.123.75
dnsmasq[13030]: 23530 192.168.123.75/57452 forwarded security.debian.org to 8.8.8.8
dnsmasq[13030]: * 192.168.123.75/57452 dnssec-query[DS] security.debian.org to 8.8.8.8
dnsmasq[13031]: 23630 192.168.123.75/57453 forwarded ftp.de.debian.org to 8.8.8.8
dnsmasq[13031]: 23630 192.168.123.75/57453 validation result is SECURE
dnsmasq[13031]: 23630 192.168.123.75/57453 reply ftp.de.debian.org is NODATA-IPv6
dnsmasq[13030]: * 192.168.123.75/57452 dnssec-query[DNSKEY] debian.org to 8.8.8.8
dnsmasq[13030]: 23530 192.168.123.75/57452 validation security.debian.org is ABANDONED
dnsmasq[13030]: 23530 192.168.123.75/57452 reply security.debian.org is 2001:a78:5::216:35ff:fe7f:be4f
dnsmasq[13030]: 23530 192.168.123.75/57452 reply security.debian.org is 2001:a78:5:1:216:35ff:fe7f:6ceb
dnsmasq[9650]: 23729 192.168.123.75/52396 query[A] security.debian.org.lan from 192.168.123.75
dnsmasq[9650]: 23729 192.168.123.75/52396 config security.debian.org.lan is NXDOMAIN
dnsmasq[9650]: 23730 192.168.123.75/52396 query[AAAA] security.debian.org.lan from 192.168.123.75
dnsmasq[9650]: 23730 192.168.123.75/52396 config security.debian.org.lan is NXDOMAIN
dnsmasq[9650]: 23731 192.168.123.75/52397 query[A] security.debian.org from 192.168.123.75
dnsmasq[9650]: 23731 192.168.123.75/52397 forwarded security.debian.org to 2001:4860:4860::8844
dnsmasq[9650]: 23732 192.168.123.75/52397 query[AAAA] security.debian.org from 192.168.123.75
dnsmasq[9650]: 23732 192.168.123.75/52397 forwarded security.debian.org to 2001:4860:4860::8844
dnsmasq[9650]: * 192.168.123.75/52397 dnssec-query[DS] debian.org to 2001:4860:4860::8844
dnsmasq[9650]: * 192.168.123.75/52397 dnssec-query[DS] debian.org to 2001:4860:4860::8844
dnsmasq[9650]: * 192.168.123.75/52397 dnssec-query[DNSKEY] org to 2001:4860:4860::8844
dnsmasq[9650]: * 192.168.123.75/52397 dnssec-query[DNSKEY] org to 2001:4860:4860::8844
dnsmasq[9650]: 23731 192.168.123.75/52397 reply security.debian.org is 195.20.242.89
dnsmasq[9650]: 23731 192.168.123.75/52397 reply security.debian.org is 212.211.132.32
dnsmasq[9650]: 23731 192.168.123.75/52397 reply security.debian.org is 212.211.132.250
dnsmasq[13032]: 23733 192.168.123.75/57456 query[A] security.debian.org from 192.168.123.75
dnsmasq[9650]: 23732 192.168.123.75/52397 reply security.debian.org is 2001:a78:5:1:216:35ff:fe7f:6ceb
dnsmasq[9650]: 23732 192.168.123.75/52397 reply security.debian.org is 2001:a78:5::216:35ff:fe7f:be4f
dnsmasq[13032]: 23733 192.168.123.75/57456 forwarded security.debian.org to 2001:4860:4860::8844
dnsmasq[13032]: * 192.168.123.75/57456 dnssec-query[DS] debian.org to 2001:4860:4860::8844
dnsmasq[13032]: * 192.168.123.75/57456 dnssec-query[DNSKEY] org to 2001:4860:4860::8844
dnsmasq[13032]: * 192.168.123.75/57456 reply org is DNSKEY keytag 17883, algo 7
dnsmasq[13032]: * 192.168.123.75/57456 reply org is DNSKEY keytag 48497, algo 7
dnsmasq[13032]: * 192.168.123.75/57456 reply org is DNSKEY keytag 9795, algo 7
dnsmasq[13032]: * 192.168.123.75/57456 reply org is DNSKEY keytag 64353, algo 7
dnsmasq[13032]: * 192.168.123.75/57456 reply debian.org is DS keytag 62260, algo 8, digest 2
dnsmasq[13032]: * 192.168.123.75/57456 dnssec-query[DS] security.debian.org to 2001:4860:4860::8844
dnsmasq[13032]: * 192.168.123.75/57456 dnssec-query[DNSKEY] debian.org to 2001:4860:4860::8844
dnsmasq[13032]: 23733 192.168.123.75/57456 validation security.debian.org is ABANDONED
dnsmasq[13032]: 23733 192.168.123.75/57456 reply security.debian.org is 195.20.242.89
dnsmasq[13032]: 23733 192.168.123.75/57456 reply security.debian.org is 212.211.132.250
dnsmasq[13032]: 23733 192.168.123.75/57456 reply security.debian.org is 212.211.132.32
dnsmasq[13032]: 23734 192.168.123.75/57456 query[AAAA] security.debian.org from 192.168.123.75
dnsmasq[13032]: 23734 192.168.123.75/57456 forwarded security.debian.org to 8.8.8.8
dnsmasq[13032]: * 192.168.123.75/57456 dnssec-query[DS] security.debian.org to 8.8.8.8
dnsmasq[13032]: * 192.168.123.75/57456 dnssec-query[DNSKEY] debian.org to 8.8.8.8
dnsmasq[13032]: 23734 192.168.123.75/57456 validation security.debian.org is ABANDONED
dnsmasq[13032]: 23734 192.168.123.75/57456 reply security.debian.org is 2001:a78:5::216:35ff:fe7f:be4f
dnsmasq[13032]: 23734 192.168.123.75/57456 reply security.debian.org is 2001:a78:5:1:216:35ff:fe7f:6ceb
dnsmasq[9650]: 23833 192.168.123.75/52398 query[A] security.debian.org.lan from 192.168.123.75
dnsmasq[9650]: 23833 192.168.123.75/52398 config security.debian.org.lan is NXDOMAIN
dnsmasq[9650]: 23834 192.168.123.75/52398 query[AAAA] security.debian.org.lan from 192.168.123.75
dnsmasq[9650]: 23834 192.168.123.75/52398 config security.debian.org.lan is NXDOMAIN
Again, does anybody know why this might happen? And more importantly,
how can I fix that?
Btw. while resolving security.debian.org fails, debian.org alone still
works fine. All very strange to me.
Thanks,
Timo
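
A way to triage a log like the one in the message above, as an added example that is not part of the original post and not dnsmasq code: for each "validation" line it lists the DS/DNSKEY queries from the same process and client socket that had no logged reply at that point. It assumes the log-line layout shown in the message; the function name and the pairing heuristic are this example's own.

```python
import re
from collections import defaultdict

LINE = re.compile(r"dnsmasq\[(\d+)\]: (\S+) (\S+) (.*)")
DNSSEC_Q = re.compile(r"dnssec-query\[(DS|DNSKEY)\] (\S+) to ")
DNSSEC_R = re.compile(r"reply (\S+) is (DS|DNSKEY) ")
VALIDATION = re.compile(r"validation (?:result|(\S+)) is (\S+)")

def validation_report(log_text):
    """One entry per 'validation' line, listing the DS/DNSKEY queries from the
    same process and client socket that had no logged reply at that point."""
    pending = defaultdict(set)  # (pid, client/port) -> {(rrtype, name)}
    report = []
    for raw in log_text.splitlines():
        m = LINE.search(raw)
        if not m:
            continue
        pid, qid, client, rest = m.groups()
        key = (pid, client)
        if q := DNSSEC_Q.match(rest):
            pending[key].add((q.group(1), q.group(2)))
        elif r := DNSSEC_R.match(rest):
            pending[key].discard((r.group(2), r.group(1)))
        elif v := VALIDATION.match(rest):
            report.append({"pid": pid, "query_id": qid, "result": v.group(2),
                           "unanswered": sorted(pending[key])})
    return report

# Excerpt of the log in the message above (PIDs 13030 and 13031 only).
SAMPLE = """\
dnsmasq[13030]: * 192.168.123.75/57452 dnssec-query[DS] debian.org to 2001:4860:4860::8844
dnsmasq[13031]: * 192.168.123.75/57453 dnssec-query[DS] debian.org to 2001:4860:4860::8844
dnsmasq[13030]: * 192.168.123.75/57452 dnssec-query[DNSKEY] org to 2001:4860:4860::8844
dnsmasq[13031]: * 192.168.123.75/57453 dnssec-query[DNSKEY] org to 2001:4860:4860::8844
dnsmasq[13030]: * 192.168.123.75/57452 reply org is DNSKEY keytag 17883, algo 7
dnsmasq[13030]: * 192.168.123.75/57452 reply debian.org is DS keytag 62260, algo 8, digest 2
dnsmasq[13030]: * 192.168.123.75/57452 dnssec-query[DS] security.debian.org to 2001:4860:4860::8844
dnsmasq[13031]: * 192.168.123.75/57453 reply org is DNSKEY keytag 48497, algo 7
dnsmasq[13031]: * 192.168.123.75/57453 reply debian.org is DS keytag 62260, algo 8, digest 2
dnsmasq[13031]: * 192.168.123.75/57453 dnssec-query[DNSKEY] debian.org to 2001:4860:4860::8844
dnsmasq[13030]: * 192.168.123.75/57452 dnssec-query[DNSKEY] debian.org to 2001:4860:4860::8844
dnsmasq[13031]: * 192.168.123.75/57453 reply debian.org is DNSKEY keytag 22800, algo 8
dnsmasq[13031]: 23629 192.168.123.75/57453 validation result is SECURE
dnsmasq[13030]: 23529 192.168.123.75/57452 validation security.debian.org is ABANDONED
"""

if __name__ == "__main__":
    for entry in validation_report(SAMPLE):
        print(entry)
```

On this excerpt the SECURE result has nothing outstanding, while the ABANDONED one still has the DS query for security.debian.org and the DNSKEY query for debian.org without a logged reply.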