[Dnsmasq-discuss] DNSSEC and domain in the hosts file
mmmfotografie
info at mmmfotografie.nl
Tue Oct 25 21:42:36 BST 2016
I had to wait three days before my tablet got into trouble again with
DNSmasq. I have now found out that there is a delay of more than six
seconds before the raspberrypi.org webpage is finally shown on my PC, and
that seems to be too long for the Opera browser on my Android. So no page
because of a time-out on my tablet.
The output of DNSmasq when there is a time-out:
Tablet:
Oct 25 21:24:42 server01 dnsmasq[21862]: forwarded www.raspberrypi.org to 194.109.9.99
Oct 25 21:24:42 server01 dnsmasq[21862]: dnssec-query[DS] raspberrypi.org to 194.109.9.99
Oct 25 21:24:42 server01 dnsmasq[21862]: dnssec-query[DNSKEY] org to 194.109.9.99
Oct 25 21:24:42 server01 dnsmasq[21862]: reply www.raspberrypi.org is <CNAME>
Oct 25 21:24:42 server01 dnsmasq[21862]: reply lb.raspberrypi.org is 46.235.227.11
Oct 25 21:24:42 server01 dnsmasq[21862]: reply lb.raspberrypi.org is 93.93.130.236
Oct 25 21:24:42 server01 dnsmasq[21862]: reply lb.raspberrypi.org is 93.93.130.39
Oct 25 21:24:42 server01 dnsmasq[21862]: reply lb.raspberrypi.org is 93.93.128.133
Oct 25 21:24:42 server01 dnsmasq[21862]: reply lb.raspberrypi.org is 93.93.128.230
Oct 25 21:24:42 server01 dnsmasq[21862]: reply lb.raspberrypi.org is 93.93.130.214
Tablet after restart DNSmasq:
Oct 25 22:16:14 server01 dnsmasq[11258]: dnssec-query[DS] raspberrypi.org to 194.109.9.99
Oct 25 22:16:14 server01 dnsmasq[11258]: dnssec-query[DNSKEY] org to 194.109.9.99
Oct 25 22:16:14 server01 dnsmasq[11258]: reply org is DNSKEY keytag 48497, algo 7
Oct 25 22:16:14 server01 dnsmasq[11258]: reply org is DNSKEY keytag 64353, algo 7
Oct 25 22:16:14 server01 dnsmasq[11258]: reply org is DNSKEY keytag 9795, algo 7
Oct 25 22:16:15 server01 dnsmasq[11258]: reply org is DNSKEY keytag 17883, algo 7
Oct 25 22:16:15 server01 dnsmasq[11258]: reply raspberrypi.org is DS keytag 17226, algo 10, digest 2
Oct 25 22:16:15 server01 dnsmasq[11258]: reply raspberrypi.org is DS keytag 55146, algo 10, digest 2
Oct 25 22:16:15 server01 dnsmasq[11258]: dnssec-query[DNSKEY] raspberrypi.org to 194.109.9.99
Oct 25 22:16:15 server01 dnsmasq[11258]: reply raspberrypi.org is DNSKEY keytag 20216, algo 10
Oct 25 22:16:15 server01 dnsmasq[11258]: reply raspberrypi.org is DNSKEY keytag 5104, algo 10
Oct 25 22:16:15 server01 dnsmasq[11258]: reply raspberrypi.org is DNSKEY keytag 55146, algo 10
Oct 25 22:16:15 server01 dnsmasq[11258]: reply raspberrypi.org is DNSKEY keytag 17226, algo 10
Oct 25 22:16:15 server01 dnsmasq[11258]: validation result is SECURE
Oct 25 22:16:15 server01 dnsmasq[11258]: reply www.raspberrypi.org is <CNAME>
Oct 25 22:16:15 server01 dnsmasq[11258]: reply lb.raspberrypi.org is 93.93.128.133
Oct 25 22:16:15 server01 dnsmasq[11258]: reply lb.raspberrypi.org is 93.93.128.230
Oct 25 22:16:15 server01 dnsmasq[11258]: reply lb.raspberrypi.org is 93.93.130.236
Oct 25 22:16:15 server01 dnsmasq[11258]: reply lb.raspberrypi.org is 93.93.130.39
Oct 25 22:16:15 server01 dnsmasq[11258]: reply lb.raspberrypi.org is 46.235.227.11
Oct 25 22:16:15 server01 dnsmasq[11258]: reply lb.raspberrypi.org is 93.93.130.214
PC and tablet show the page instantly now.
Cheers Marcel
On 22-10-2016 23:50, mmmfotografie wrote:
> I want to revisit a problem I had three months ago with DNSSEC and
> some external domains. I had no problem in that time until I tried to
> visit raspberrypi.org and on my tablet I got a time out from DNSmasq.
> When I tried on the server itself where DNSmasq is also running I got an
> instant correct answer on a nslookup.
>
> On the Win10 PC I got the following message:
> Server: server-01
> Address: 192.168.xxx.xxx
> *** server-01 can't find raspberrypi.org: Unspecified error
>
> On the server itself:
> ;; Truncated, retrying in TCP mode.
> Server: 127.0.0.1
> Address: 127.0.0.1#53
> Non-authoritative answer:
> Name: raspberrypi.org
> Address: 93.93.128.230
> Name: raspberrypi.org
> Address: 93.93.130.214
>
> So I looked in the config files if I had anywhere defined
> raspberrypi.org that was interfering and did not find it. So I looked
> in /etc/hosts and there I had standing "127.0.0.1 raspberrypi" because
> that is an alias for server-01. So I removed that alias and had to
> restart DNSmasq to read the changed hosts file so testing if that was
> the problem is not feasible anymore.
>
> I think it has to do with time and DNSmasq was restarted a day before
> and the problem occurs after a while so. What I am thinking (wild
> guess) is that the DNSSEC is causing a problem in resolving the
> raspberrypi.org. You see the name being split-up in steps and it
> reaches the step of raspberrypi and then it is confused because that
> name is also in the hosts file with another IP.
>
> After the restart of DNSmasq I have the following output and that is
> working as intended:
>
> dnsmasq: read /etc/hosts - 23 addresses
> dnsmasq: query[PTR] 40.21.168.192.in-addr.arpa from 192.168.xxx.xxx
> dnsmasq: /etc/hosts 192.168.xxx.xxx is server-01
> dnsmasq: query[A] raspberrypi.org from 192.168.xxx.xxx
> dnsmasq: forwarded raspberrypi.org to 194.109.9.99
> dnsmasq: dnssec-query[DS] org to 194.109.9.99
> dnsmasq: dnssec-query[DNSKEY] . to 194.109.9.99
> dnsmasq: reply . is DNSKEY keytag 46551, algo 8
> dnsmasq: reply . is DNSKEY keytag 19036, algo 8
> dnsmasq: reply . is DNSKEY keytag 39291, algo 8
> dnsmasq: reply org is DS keytag 9795, algo 7, digest 1
> dnsmasq: reply org is DS keytag 9795, algo 7, digest 2
> dnsmasq: dnssec-query[DS] raspberrypi.org to 194.109.9.99
> dnsmasq: dnssec-query[DNSKEY] org to 194.109.9.99
> dnsmasq: reply org is DNSKEY keytag 17883, algo 7
> dnsmasq: reply org is DNSKEY keytag 9795, algo 7
> dnsmasq: reply org is DNSKEY keytag 64353, algo 7
> dnsmasq: reply org is DNSKEY keytag 48497, algo 7
> dnsmasq: reply raspberrypi.org is DS keytag 17226, algo 10, digest 2
> dnsmasq: reply raspberrypi.org is DS keytag 55146, algo 10, digest 2
> dnsmasq: dnssec-query[DNSKEY] raspberrypi.org to 194.109.9.99
> dnsmasq: reply raspberrypi.org is DNSKEY keytag 55146, algo 10
> dnsmasq: reply raspberrypi.org is DNSKEY keytag 17226, algo 10
> dnsmasq: reply raspberrypi.org is DNSKEY keytag 20216, algo 10
> dnsmasq: reply raspberrypi.org is DNSKEY keytag 4976, algo 10
> dnsmasq: validation result is SECURE
> dnsmasq: reply raspberrypi.org is 93.93.130.214
> dnsmasq: reply raspberrypi.org is 93.93.128.230
> dnsmasq: query[AAAA] raspberrypi.org from 192.168.xxx.xxx
> dnsmasq: forwarded raspberrypi.org to 194.109.9.99
> dnsmasq: validation result is SECURE
> dnsmasq: reply raspberrypi.org is 2a00:1098:0:82:1000:13:0:5
> dnsmasq: reply raspberrypi.org is 2a00:1098:0:80:1000:13:0:5
>
> I looked up the log when the problem on the tablet occurred and that
> does not show anything special except I get CNAME to lb.raspberrypi.org :
>
> query[A] raspberrypi.org from 192.168.xxx.xxx
> dnsmasq[15846]: forwarded raspberrypi.org to 194.109.9.99
> dnsmasq[15846]: query[A] sitecheck2.opera.com from 192.168.xxx.xxx
> dnsmasq[15846]: dnssec-query[DS] raspberrypi.org to 194.109.9.99
> dnsmasq[15846]: dnssec-query[DNSKEY] org to 194.109.9.99
> dnsmasq[15846]: reply raspberrypi.org is 93.93.128.230
> dnsmasq[15846]: reply raspberrypi.org is 93.93.130.214
> dnsmasq[15846]: query[A] raspberrypi.org from 192.168.xxx.xxx
> dnsmasq[15846]: forwarded raspberrypi.org to 194.109.9.99
> dnsmasq[15846]: dnssec-query[DS] raspberrypi.org to 194.109.9.99
> dnsmasq[15846]: dnssec-query[DNSKEY] org to 194.109.9.99
> dnsmasq[15846]: reply raspberrypi.org is 93.93.128.230
> dnsmasq[15846]: reply raspberrypi.org is 93.93.130.214
> dnsmasq[15846]: query[A] www.raspberrypi.org from 192.168.xxx.xxx
> dnsmasq[15846]: forwarded www.raspberrypi.org to 194.109.9.99
> dnsmasq[15846]: dnssec-query[DS] raspberrypi.org to 194.109.9.99
> dnsmasq[15846]: dnssec-query[DNSKEY] org to 194.109.9.99
> dnsmasq[15846]: reply www.raspberrypi.org is <CNAME>
> dnsmasq[15846]: reply lb.raspberrypi.org is 46.235.227.11
> dnsmasq[15846]: reply lb.raspberrypi.org is 93.93.130.236
> dnsmasq[15846]: reply lb.raspberrypi.org is 93.93.128.133
> dnsmasq[15846]: reply lb.raspberrypi.org is 93.93.130.214
> dnsmasq[15846]: reply lb.raspberrypi.org is 93.93.130.39
> dnsmasq[15846]: reply lb.raspberrypi.org is 93.93.128.230
> dnsmasq[15846]: query[A] www.raspberrypi.org from 192.168.xxx.xxx
> dnsmasq[15846]: forwarded www.raspberrypi.org to 194.109.9.99
> dnsmasq[15846]: dnssec-query[DS] raspberrypi.org to 194.109.9.99
> dnsmasq[15846]: dnssec-query[DNSKEY] org to 194.109.9.99
> dnsmasq[15846]: reply www.raspberrypi.org is <CNAME>
> dnsmasq[15846]: reply lb.raspberrypi.org is 46.235.227.11
> dnsmasq[15846]: reply lb.raspberrypi.org is 93.93.130.236
> dnsmasq[15846]: reply lb.raspberrypi.org is 93.93.128.133
> dnsmasq[15846]: reply lb.raspberrypi.org is 93.93.130.214
> dnsmasq[15846]: reply lb.raspberrypi.org is 93.93.130.39
> dnsmasq[15846]: reply lb.raspberrypi.org is 93.93.128.230
>
> DNSmasq version 2.76
>
> Cheers, Marcel
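Added example, not part of the original post and not dnsmasq code: a small Python script that compares log excerpts like the two above by listing, per dnsmasq PID, the dnssec-query lines for which no DS/DNSKEY reply and no validation result was logged. The sample lines are shortened from the post, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample: a shortened copy of the two syslog excerpts in the post.
SAMPLE = """\
Oct 25 21:24:42 server01 dnsmasq[21862]: forwarded www.raspberrypi.org to 194.109.9.99
Oct 25 21:24:42 server01 dnsmasq[21862]: dnssec-query[DS] raspberrypi.org to 194.109.9.99
Oct 25 21:24:42 server01 dnsmasq[21862]: dnssec-query[DNSKEY] org to 194.109.9.99
Oct 25 21:24:42 server01 dnsmasq[21862]: reply www.raspberrypi.org is <CNAME>
Oct 25 22:16:14 server01 dnsmasq[11258]: dnssec-query[DS] raspberrypi.org to 194.109.9.99
Oct 25 22:16:15 server01 dnsmasq[11258]: reply raspberrypi.org is DS keytag 17226, algo 10, digest 2
Oct 25 22:16:15 server01 dnsmasq[11258]: validation result is SECURE
Oct 25 22:16:15 server01 dnsmasq[11258]: reply www.raspberrypi.org is <CNAME>
"""

LINE = re.compile(r"dnsmasq\[(\d+)\]: (.*)$")
DNSSEC_QUERY = re.compile(r"dnssec-query\[(DS|DNSKEY)\] (\S+) to (\S+)")
KEY_REPLY = re.compile(r"reply (\S+) is (DS|DNSKEY) keytag")
VALIDATION = re.compile(r"validation result is (\S+)")

def summarize(log_text):
    """Per dnsmasq PID: DNSSEC queries sent, DS/DNSKEY replies seen, validation results."""
    stats = defaultdict(lambda: {"asked": [], "answered": set(), "results": []})
    for raw in log_text.splitlines():
        m = LINE.search(raw)
        if not m:
            continue  # not a dnsmasq syslog line with a PID
        pid, msg = m.group(1), m.group(2)
        if q := DNSSEC_QUERY.match(msg):
            stats[pid]["asked"].append((q.group(1), q.group(2)))
        elif r := KEY_REPLY.match(msg):
            stats[pid]["answered"].add((r.group(2), r.group(1)))
        elif v := VALIDATION.match(msg):
            stats[pid]["results"].append(v.group(1))
    return dict(stats)

def unanswered(log_text):
    """PIDs whose DNSSEC (type, zone) queries lack a logged reply or validation result."""
    out = {}
    for pid, s in summarize(log_text).items():
        missing = sorted({q for q in s["asked"] if q not in s["answered"]})
        if missing or (s["asked"] and not s["results"]):
            out[pid] = missing
    return out

if __name__ == "__main__":
    for pid, missing in unanswered(SAMPLE).items():
        print(f"dnsmasq[{pid}]: no DS/DNSKEY reply logged for {missing}")
```
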