[Dnsmasq-discuss] DNSSEC and domain in the hosts file
mmmfotografie
info at mmmfotografie.nl
Sat Oct 22 22:50:45 BST 2016
I want to revisit a problem I had three months ago with DNSSEC and some
external domains. I had no problem in that time until I tried to visit
raspberrypi.org and on my tablet I got a timeout from DNSmasq. When I
tried on the server itself, where DNSmasq is also running, I got an
instant correct answer on an nslookup.
On the Win10 PC I got the following message:
Server: server-01
Address: 192.168.xxx.xxx
*** server-01 can't find raspberrypi.org: Unspecified error
On the server itself:
;; Truncated, retrying in TCP mode.
Server: 127.0.0.1
Address: 127.0.0.1#53
Non-authoritative answer:
Name: raspberrypi.org
Address: 93.93.128.230
Name: raspberrypi.org
Address: 93.93.130.214
So I looked in the config files to see whether I had raspberrypi.org
defined anywhere that was interfering, and did not find it. So I looked in
/etc/hosts and there I had "127.0.0.1 raspberrypi" because that
is an alias for server-01. So I removed that alias and had to restart
DNSmasq to read the changed hosts file, so testing whether that was the
problem is not feasible anymore.
I think it has to do with time: DNSmasq was restarted a day before
and the problem occurs after a while. What I am thinking (wild guess)
is that DNSSEC is causing a problem in resolving
raspberrypi.org. You see the name being split up in steps, and it reaches
the step of raspberrypi and then it is confused because that name is
also in the hosts file with another IP.
After the restart of DNSmasq I have the following output and that is
working as intended:
dnsmasq: read /etc/hosts - 23 addresses
dnsmasq: query[PTR] 40.21.168.192.in-addr.arpa from 192.168.xxx.xxx
dnsmasq: /etc/hosts 192.168.xxx.xxx is server-01
dnsmasq: query[A] raspberrypi.org from 192.168.xxx.xxx
dnsmasq: forwarded raspberrypi.org to 194.109.9.99
dnsmasq: dnssec-query[DS] org to 194.109.9.99
dnsmasq: dnssec-query[DNSKEY] . to 194.109.9.99
dnsmasq: reply . is DNSKEY keytag 46551, algo 8
dnsmasq: reply . is DNSKEY keytag 19036, algo 8
dnsmasq: reply . is DNSKEY keytag 39291, algo 8
dnsmasq: reply org is DS keytag 9795, algo 7, digest 1
dnsmasq: reply org is DS keytag 9795, algo 7, digest 2
dnsmasq: dnssec-query[DS] raspberrypi.org to 194.109.9.99
dnsmasq: dnssec-query[DNSKEY] org to 194.109.9.99
dnsmasq: reply org is DNSKEY keytag 17883, algo 7
dnsmasq: reply org is DNSKEY keytag 9795, algo 7
dnsmasq: reply org is DNSKEY keytag 64353, algo 7
dnsmasq: reply org is DNSKEY keytag 48497, algo 7
dnsmasq: reply raspberrypi.org is DS keytag 17226, algo 10, digest 2
dnsmasq: reply raspberrypi.org is DS keytag 55146, algo 10, digest 2
dnsmasq: dnssec-query[DNSKEY] raspberrypi.org to 194.109.9.99
dnsmasq: reply raspberrypi.org is DNSKEY keytag 55146, algo 10
dnsmasq: reply raspberrypi.org is DNSKEY keytag 17226, algo 10
dnsmasq: reply raspberrypi.org is DNSKEY keytag 20216, algo 10
dnsmasq: reply raspberrypi.org is DNSKEY keytag 4976, algo 10
dnsmasq: validation result is SECURE
dnsmasq: reply raspberrypi.org is 93.93.130.214
dnsmasq: reply raspberrypi.org is 93.93.128.230
dnsmasq: query[AAAA] raspberrypi.org from 192.168.xxx.xxx
dnsmasq: forwarded raspberrypi.org to 194.109.9.99
dnsmasq: validation result is SECURE
dnsmasq: reply raspberrypi.org is 2a00:1098:0:82:1000:13:0:5
dnsmasq: reply raspberrypi.org is 2a00:1098:0:80:1000:13:0:5
I looked up the log from when the problem on the tablet occurred and that
does not show anything special, except I get a CNAME to lb.raspberrypi.org:
query[A] raspberrypi.org from 192.168.xxx.xxx
dnsmasq[15846]: forwarded raspberrypi.org to 194.109.9.99
dnsmasq[15846]: query[A] sitecheck2.opera.com from 192.168.xxx.xxx
dnsmasq[15846]: dnssec-query[DS] raspberrypi.org to 194.109.9.99
dnsmasq[15846]: dnssec-query[DNSKEY] org to 194.109.9.99
dnsmasq[15846]: reply raspberrypi.org is 93.93.128.230
dnsmasq[15846]: reply raspberrypi.org is 93.93.130.214
dnsmasq[15846]: query[A] raspberrypi.org from 192.168.xxx.xxx
dnsmasq[15846]: forwarded raspberrypi.org to 194.109.9.99
dnsmasq[15846]: dnssec-query[DS] raspberrypi.org to 194.109.9.99
dnsmasq[15846]: dnssec-query[DNSKEY] org to 194.109.9.99
dnsmasq[15846]: reply raspberrypi.org is 93.93.128.230
dnsmasq[15846]: reply raspberrypi.org is 93.93.130.214
dnsmasq[15846]: query[A] www.raspberrypi.org from 192.168.xxx.xxx
dnsmasq[15846]: forwarded www.raspberrypi.org to 194.109.9.99
dnsmasq[15846]: dnssec-query[DS] raspberrypi.org to 194.109.9.99
dnsmasq[15846]: dnssec-query[DNSKEY] org to 194.109.9.99
dnsmasq[15846]: reply www.raspberrypi.org is <CNAME>
dnsmasq[15846]: reply lb.raspberrypi.org is 46.235.227.11
dnsmasq[15846]: reply lb.raspberrypi.org is 93.93.130.236
dnsmasq[15846]: reply lb.raspberrypi.org is 93.93.128.133
dnsmasq[15846]: reply lb.raspberrypi.org is 93.93.130.214
dnsmasq[15846]: reply lb.raspberrypi.org is 93.93.130.39
dnsmasq[15846]: reply lb.raspberrypi.org is 93.93.128.230
dnsmasq[15846]: query[A] www.raspberrypi.org from 192.168.xxx.xxx
dnsmasq[15846]: forwarded www.raspberrypi.org to 194.109.9.99
dnsmasq[15846]: dnssec-query[DS] raspberrypi.org to 194.109.9.99
dnsmasq[15846]: dnssec-query[DNSKEY] org to 194.109.9.99
dnsmasq[15846]: reply www.raspberrypi.org is <CNAME>
dnsmasq[15846]: reply lb.raspberrypi.org is 46.235.227.11
dnsmasq[15846]: reply lb.raspberrypi.org is 93.93.130.236
dnsmasq[15846]: reply lb.raspberrypi.org is 93.93.128.133
dnsmasq[15846]: reply lb.raspberrypi.org is 93.93.130.214
dnsmasq[15846]: reply lb.raspberrypi.org is 93.93.130.39
dnsmasq[15846]: reply lb.raspberrypi.org is 93.93.128.230
DNSmasq version 2.76
Cheers, Marcel
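
Added example, not part of the original post: a small Python script that reads dnsmasq query-log lines in the format quoted above and reports, for each forwarded name, whether a "validation result" line was logged before its answer. The sample log is constructed (example.org, 192.0.2.x addresses), and matching lines to queries by their order is a heuristic assumed here, since these log lines carry no per-query identifier.

```python
import re

# Line shapes as they appear in the quoted logs, with or without a [pid].
LINE = re.compile(r"^dnsmasq(?:\[\d+\])?: (.*)$")
FORWARDED = re.compile(r"^forwarded (\S+) to \S+$")
VALIDATION = re.compile(r"^validation result is (\S+)$")
REPLY = re.compile(r"^reply (\S+) is (.+)$")

# Constructed sample: one answer with a validation line, one without.
SAMPLE = """\
dnsmasq: query[A] example.org from 192.0.2.10
dnsmasq: forwarded example.org to 192.0.2.53
dnsmasq: dnssec-query[DS] example.org to 192.0.2.53
dnsmasq: reply example.org is DS keytag 1111, algo 8, digest 2
dnsmasq: dnssec-query[DNSKEY] example.org to 192.0.2.53
dnsmasq: reply example.org is DNSKEY keytag 1111, algo 8
dnsmasq: validation result is SECURE
dnsmasq: reply example.org is 192.0.2.80
dnsmasq: reply example.org is 192.0.2.81
dnsmasq[15846]: query[A] www.example.org from 192.0.2.10
dnsmasq[15846]: forwarded www.example.org to 192.0.2.53
dnsmasq[15846]: dnssec-query[DS] example.org to 192.0.2.53
dnsmasq[15846]: reply www.example.org is <CNAME>
dnsmasq[15846]: reply lb.example.org is 192.0.2.80
""".splitlines()

def audit(lines):
    """Return [(name, result or None)] for each answered forwarded query."""
    pending, results = [], []          # pending entries are [name, result]
    for raw in lines:
        m = LINE.match(raw.strip())
        if not m:
            continue
        msg = m.group(1)
        if (f := FORWARDED.match(msg)):
            pending.append([f.group(1), None])
        elif (v := VALIDATION.match(msg)):
            # Heuristic: credit the newest forwarded query still lacking a result.
            for entry in reversed(pending):
                if entry[1] is None:
                    entry[1] = v.group(1)
                    break
        elif (r := REPLY.match(msg)):
            name, data = r.groups()
            if data.startswith(("DS keytag", "DNSKEY keytag")):
                continue               # DNSSEC chain records, not the answer
            for i, entry in enumerate(pending):
                if entry[0] == name:   # first answer line closes the query
                    results.append(tuple(pending.pop(i)))
                    break
    return results

def unlogged(lines):
    """Names answered without any 'validation result' line in the log."""
    return [name for name, result in audit(lines) if result is None]
```
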