[Dnsmasq-discuss] DNSSEC and domain in the hosts file

mmmfotografie info at mmmfotografie.nl
Sat Oct 22 22:50:45 BST 2016


I want to revisit a problem I had three months ago with DNSSEC and some 
external domains. I had no problem in that time until I tried to visit 
raspberrypi.org and on my tablet I got a timeout from DNSmasq. When I 
tried on the server itself, where DNSmasq is also running, I got an instant 
correct answer on an nslookup.

On the Win10 PC I got the following message:
Server:  server-01
Address:  192.168.xxx.xxx
*** server-01 can't find raspberrypi.org: Unspecified error

On the server itself:
;; Truncated, retrying in TCP mode.
Server:         127.0.0.1
Address:        127.0.0.1#53
Non-authoritative answer:
Name:   raspberrypi.org
Address: 93.93.128.230
Name:   raspberrypi.org
Address: 93.93.130.214

So I looked in the config files to see if I had defined raspberrypi.org 
anywhere that was interfering and did not find it. So I looked in 
/etc/hosts and there I had "127.0.0.1 raspberrypi" because that 
is an alias for server-01. So I removed that alias and had to restart 
DNSmasq to read the changed hosts file, so testing whether that was the 
problem is not feasible anymore.

I think it has to do with time: DNSmasq was restarted a day before 
and the problem occurs after a while. What I am thinking (wild guess) 
is that DNSSEC is causing a problem in resolving 
raspberrypi.org. You see the name being split up in steps and it reaches 
the step of raspberrypi and then it is confused because that name is 
also in the hosts file with another IP.

After the restart of DNSmasq I have the following output and that is 
working as intended:

dnsmasq: read /etc/hosts - 23 addresses
dnsmasq: query[PTR] 40.21.168.192.in-addr.arpa from 192.168.xxx.xxx
dnsmasq: /etc/hosts 192.168.xxx.xxx is server-01
dnsmasq: query[A] raspberrypi.org from 192.168.xxx.xxx
dnsmasq: forwarded raspberrypi.org to 194.109.9.99
dnsmasq: dnssec-query[DS] org to 194.109.9.99
dnsmasq: dnssec-query[DNSKEY] . to 194.109.9.99
dnsmasq: reply . is DNSKEY keytag 46551, algo 8
dnsmasq: reply . is DNSKEY keytag 19036, algo 8
dnsmasq: reply . is DNSKEY keytag 39291, algo 8
dnsmasq: reply org is DS keytag 9795, algo 7, digest 1
dnsmasq: reply org is DS keytag 9795, algo 7, digest 2
dnsmasq: dnssec-query[DS] raspberrypi.org to 194.109.9.99
dnsmasq: dnssec-query[DNSKEY] org to 194.109.9.99
dnsmasq: reply org is DNSKEY keytag 17883, algo 7
dnsmasq: reply org is DNSKEY keytag 9795, algo 7
dnsmasq: reply org is DNSKEY keytag 64353, algo 7
dnsmasq: reply org is DNSKEY keytag 48497, algo 7
dnsmasq: reply raspberrypi.org is DS keytag 17226, algo 10, digest 2
dnsmasq: reply raspberrypi.org is DS keytag 55146, algo 10, digest 2
dnsmasq: dnssec-query[DNSKEY] raspberrypi.org to 194.109.9.99
dnsmasq: reply raspberrypi.org is DNSKEY keytag 55146, algo 10
dnsmasq: reply raspberrypi.org is DNSKEY keytag 17226, algo 10
dnsmasq: reply raspberrypi.org is DNSKEY keytag 20216, algo 10
dnsmasq: reply raspberrypi.org is DNSKEY keytag 4976, algo 10
dnsmasq: validation result is SECURE
dnsmasq: reply raspberrypi.org is 93.93.130.214
dnsmasq: reply raspberrypi.org is 93.93.128.230
dnsmasq: query[AAAA] raspberrypi.org from 192.168.xxx.xxx
dnsmasq: forwarded raspberrypi.org to 194.109.9.99
dnsmasq: validation result is SECURE
dnsmasq: reply raspberrypi.org is 2a00:1098:0:82:1000:13:0:5
dnsmasq: reply raspberrypi.org is 2a00:1098:0:80:1000:13:0:5

I looked up the log from when the problem on the tablet occurred and that 
does not show anything special except that I get a CNAME to lb.raspberrypi.org:

query[A] raspberrypi.org from 192.168.xxx.xxx
dnsmasq[15846]: forwarded raspberrypi.org to 194.109.9.99
dnsmasq[15846]: query[A] sitecheck2.opera.com from 192.168.xxx.xxx
dnsmasq[15846]: dnssec-query[DS] raspberrypi.org to 194.109.9.99
dnsmasq[15846]: dnssec-query[DNSKEY] org to 194.109.9.99
dnsmasq[15846]: reply raspberrypi.org is 93.93.128.230
dnsmasq[15846]: reply raspberrypi.org is 93.93.130.214
dnsmasq[15846]: query[A] raspberrypi.org from 192.168.xxx.xxx
dnsmasq[15846]: forwarded raspberrypi.org to 194.109.9.99
dnsmasq[15846]: dnssec-query[DS] raspberrypi.org to 194.109.9.99
dnsmasq[15846]: dnssec-query[DNSKEY] org to 194.109.9.99
dnsmasq[15846]: reply raspberrypi.org is 93.93.128.230
dnsmasq[15846]: reply raspberrypi.org is 93.93.130.214
dnsmasq[15846]: query[A] www.raspberrypi.org from 192.168.xxx.xxx
dnsmasq[15846]: forwarded www.raspberrypi.org to 194.109.9.99
dnsmasq[15846]: dnssec-query[DS] raspberrypi.org to 194.109.9.99
dnsmasq[15846]: dnssec-query[DNSKEY] org to 194.109.9.99
dnsmasq[15846]: reply www.raspberrypi.org is <CNAME>
dnsmasq[15846]: reply lb.raspberrypi.org is 46.235.227.11
dnsmasq[15846]: reply lb.raspberrypi.org is 93.93.130.236
dnsmasq[15846]: reply lb.raspberrypi.org is 93.93.128.133
dnsmasq[15846]: reply lb.raspberrypi.org is 93.93.130.214
dnsmasq[15846]: reply lb.raspberrypi.org is 93.93.130.39
dnsmasq[15846]: reply lb.raspberrypi.org is 93.93.128.230
dnsmasq[15846]: query[A] www.raspberrypi.org from 192.168.xxx.xxx
dnsmasq[15846]: forwarded www.raspberrypi.org to 194.109.9.99
dnsmasq[15846]: dnssec-query[DS] raspberrypi.org to 194.109.9.99
dnsmasq[15846]: dnssec-query[DNSKEY] org to 194.109.9.99
dnsmasq[15846]: reply www.raspberrypi.org is <CNAME>
dnsmasq[15846]: reply lb.raspberrypi.org is 46.235.227.11
dnsmasq[15846]: reply lb.raspberrypi.org is 93.93.130.236
dnsmasq[15846]: reply lb.raspberrypi.org is 93.93.128.133
dnsmasq[15846]: reply lb.raspberrypi.org is 93.93.130.214
dnsmasq[15846]: reply lb.raspberrypi.org is 93.93.130.39
dnsmasq[15846]: reply lb.raspberrypi.org is 93.93.128.230

DNSmasq version 2.76

Cheers, Marcel
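
An added example, not part of the original post: a Python check that reads dnsmasq log-queries output and reports forwarded queries that were answered without a logged "validation result" line, which is the visible difference between the two log excerpts above. The sample log lines, names and addresses are constructed placeholders, and pairing an unnamed validation line with the most recently forwarded name is an assumption of this example.

```python
import re

PREFIX = re.compile(r"^dnsmasq(?:\[\d+\])?:\s*")
FORWARDED = re.compile(r"^forwarded (\S+) to \S+$")
DNSSEC_Q = re.compile(r"^dnssec-query\[(?:DS|DNSKEY)\] \S+ to \S+$")
VALIDATION = re.compile(r"^validation result is (\S+)$")
REPLY = re.compile(r"^reply (\S+) is (.+)$")

def audit(log_text):
    """Return one record per answered forwarded query, in log order."""
    pending, done = {}, []          # pending: name -> record (insertion ordered)
    for raw in log_text.splitlines():
        msg = PREFIX.sub("", raw.strip())
        if m := FORWARDED.match(msg):
            pending[m.group(1)] = {"name": m.group(1), "dnssec_queries": 0, "result": None}
        elif DNSSEC_Q.match(msg) and pending:
            # Assumption: helper queries belong to the latest open forward.
            pending[next(reversed(pending))]["dnssec_queries"] += 1
        elif (m := VALIDATION.match(msg)) and pending:
            pending[next(reversed(pending))]["result"] = m.group(1)
        elif m := REPLY.match(msg):
            name, value = m.groups()
            if value.startswith(("DS keytag", "DNSKEY keytag")):
                continue            # DNSSEC record replies do not answer the client
            if name in pending:
                done.append(pending.pop(name))
    return done

def unvalidated(records):
    """Names that were answered with no validation result logged."""
    return [r["name"] for r in records if r["result"] is None]

# Constructed sample logs (placeholder names and documentation addresses).
GOOD_LOG = """
dnsmasq: forwarded example.org to 192.0.2.53
dnsmasq: dnssec-query[DS] example.org to 192.0.2.53
dnsmasq: reply example.org is DS keytag 1111, algo 8, digest 2
dnsmasq: dnssec-query[DNSKEY] example.org to 192.0.2.53
dnsmasq: reply example.org is DNSKEY keytag 1111, algo 8
dnsmasq: validation result is SECURE
dnsmasq: reply example.org is 198.51.100.7
"""
BAD_LOG = """
dnsmasq[4242]: forwarded example.org to 192.0.2.53
dnsmasq[4242]: query[A] other.example from 192.0.2.10
dnsmasq[4242]: dnssec-query[DS] example.org to 192.0.2.53
dnsmasq[4242]: dnssec-query[DNSKEY] org to 192.0.2.53
dnsmasq[4242]: reply example.org is 198.51.100.7
dnsmasq[4242]: forwarded www.example.org to 192.0.2.53
dnsmasq[4242]: reply www.example.org is <CNAME>
dnsmasq[4242]: reply lb.example.org is 198.51.100.8
"""

if __name__ == "__main__":
    print(unvalidated(audit(GOOD_LOG)), unvalidated(audit(BAD_LOG)))
```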




