[Dnsmasq-discuss] DNSSEC query sent upstream despite local domain
Geert Stappers
stappers at stappers.nl
Mon May 5 06:58:12 UTC 2025
On Sun, May 04, 2025 at 07:29:14PM +0200, Dominik Derigs wrote:
>
> .... seeing an interesting report,
>
> Relevant config lines are:
>
> no-resolv
> bogus-priv
> server=8.8.8.8
> server=8.8.4.4
> rev-server=10.0.1.0/24,10.0.1.1
> server=/fritz.box/10.0.1.1
> dnssec
> trust-anchor=.,<the default value)
>
> .... log file:
> Apr 21 19:00:01 dnsmasq[310194]: query[PTR] 1.1.0.10.in-addr.arpa from 127.0.0.1
> Apr 21 19:00:01 dnsmasq[310194]: forwarded 1.1.0.10.in-addr.arpa to 10.0.1.1
> Apr 21 19:00:01 dnsmasq[310194]: dnssec-query[DS] 10.in-addr.arpa to 8.8.4.4
> Apr 21 19:00:01 dnsmasq[310194]: Insecure DS reply received for 10.in-addr.arpa, check domain configuration and upstream DNS server DNSSEC support
> Apr 21 19:00:01 dnsmasq[310194]: reply 10.in-addr.arpa is BOGUS DS - not secure
> Apr 21 19:00:01 dnsmasq[310194]: validation 1.1.0.10.in-addr.arpa is BOGUS
>
> In the context of bogus-priv - is it actually expected that DNSSEC-related
> queries are sent to non-local servers? My interpretation is that they
> shouldn't be sent upstream here...
I do understand the concern. I don't understand the (assumed?) relation
between dnsmasq option bogus-priv and DNSSEC.
I would like to see a more complete log file. So I did a reproduce attempt.
Config:
rev-server=172.24.0.0/26,172.24.0.1
server=/fritz.box/172.24.0.1
Query:
$ host 172.24.0.1
1.0.24.172.in-addr.arpa domain name pointer fritz.box.
$
Logfile:
mei 05 07:55:44 alpaca systemd[1]: Stopping dnsmasq - A lightweight DHCP and caching DNS server...
mei 05 07:55:44 alpaca dnsmasq[717]: exiting on receipt of SIGTERM
mei 05 07:55:45 alpaca systemd[1]: dnsmasq.service: Succeeded.
mei 05 07:55:45 alpaca systemd[1]: Stopped dnsmasq - A lightweight DHCP and caching DNS server.
mei 05 07:55:45 alpaca systemd[1]: Starting dnsmasq - A lightweight DHCP and caching DNS server...
mei 05 07:55:45 alpaca dnsmasq[23365]: started, version 2.92test1-1-ge8781a4 cachesize 150
mei 05 07:55:45 alpaca dnsmasq[23365]: DNS service limited to local subnets
mei 05 07:55:45 alpaca dnsmasq[23365]: compile time options: IPv6 GNU-getopt DBus no-UBus no-i18n no-IDN DHCP DHCP>
mei 05 07:55:45 alpaca dnsmasq[23365]: warning: using interface eth0 instead
mei 05 07:55:45 alpaca dnsmasq[23365]: warning: using interface eth0 instead
mei 05 07:55:45 alpaca dnsmasq-dhcp[23365]: DHCP, IP range 172.24.0.40 -- 172.24.0.47, lease time 15m
mei 05 07:55:45 alpaca dnsmasq-tftp[23365]: TFTP root is /srv/tftp
mei 05 07:55:45 alpaca dnsmasq[23365]: using nameserver 172.24.0.1#53 for domain 0.0.24.172.in-addr.arpa
mei 05 07:55:45 alpaca dnsmasq[23365]: using nameserver 172.24.0.1#53 for domain 1.0.24.172.in-addr.arpa
mei 05 07:55:45 alpaca dnsmasq[23365]: using nameserver 172.24.0.1#53 for domain 2.0.24.172.in-addr.arpa
mei 05 07:55:45 alpaca dnsmasq[23365]: using nameserver 172.24.0.1#53 for domain 3.0.24.172.in-addr.arpa
mei 05 07:55:45 alpaca dnsmasq[23365]: using nameserver 172.24.0.1#53 for domain 4.0.24.172.in-addr.arpa
mei 05 07:55:45 alpaca dnsmasq[23365]: using nameserver 172.24.0.1#53 for domain 5.0.24.172.in-addr.arpa
mei 05 07:55:45 alpaca dnsmasq[23365]: using nameserver 172.24.0.1#53 for domain 6.0.24.172.in-addr.arpa
....
mei 05 07:55:45 alpaca dnsmasq[23365]: using nameserver 172.24.0.1#53 for domain 27.0.24.172.in-addr.arpa
mei 05 07:55:45 alpaca dnsmasq[23365]: using nameserver 172.24.0.1#53 for domain 28.0.24.172.in-addr.arpa
mei 05 07:55:45 alpaca dnsmasq[23365]: using nameserver 172.24.0.1#53 for domain 29.0.24.172.in-addr.arpa
mei 05 07:55:45 alpaca dnsmasq[23365]: more servers are defined but not logged
mei 05 07:55:45 alpaca dnsmasq[23365]: read /etc/hosts - 22 names
mei 05 07:55:45 alpaca dnsmasq-dhcp[23365]: read /etc/ethers - 14 addresses
mei 05 07:55:45 alpaca systemd[1]: Started dnsmasq - A lightweight DHCP and caching DNS server.
mei 05 07:56:03 alpaca dnsmasq[23365]: query[PTR] 1.0.24.172.in-addr.arpa from 172.24.0.9
mei 05 07:56:03 alpaca dnsmasq[23365]: forwarded 1.0.24.172.in-addr.arpa to 172.24.0.1
mei 05 07:56:03 alpaca dnsmasq[23365]: reply 172.24.0.1 is fritz.box
mei 05 07:56:08 alpaca dnsmasq[23365]: query[PTR] re.dac.t.ed.in-addr.arpa from 172.24.0.9
mei 05 07:56:08 alpaca dnsmasq[23365]: forwarded re.dac.t.ed.in-addr.arpa to 127.0.0.1#35353
Oh, that is without `dnssec` in the configuration. New attempt. Same query.
mei 05 08:26:00 alpaca dnsmasq[23449]: started, version 2.92test1-1-ge8781a4 cachesize 150
mei 05 08:26:00 alpaca dnsmasq[23449]: DNS service limited to local subnets
mei 05 08:26:00 alpaca dnsmasq[23449]: compile time options: IPv6 GNU-getopt DBus no-UBus no-i18n no-IDN DHCP DHCP>
mei 05 08:26:00 alpaca dnsmasq[23449]: DNSSEC validation enabled
mei 05 08:26:00 alpaca dnsmasq[23449]: configured with trust anchor for <root> keytag 20326
mei 05 08:26:00 alpaca dnsmasq[23449]: warning: using interface eth0 instead
mei 05 08:26:00 alpaca dnsmasq[23449]: warning: using interface eth0 instead
mei 05 08:26:00 alpaca dnsmasq-dhcp[23449]: DHCP, IP range 172.24.0.40 -- 172.24.0.47, lease time 15m
mei 05 08:26:00 alpaca dnsmasq-tftp[23449]: TFTP root is /srv/tftp
mei 05 08:26:00 alpaca dnsmasq[23449]: using nameserver 172.24.0.1#53 for domain 0.0.24.172.in-addr.arpa
mei 05 08:28:36 alpaca dnsmasq[23449]: query[PTR] 1.0.24.172.in-addr.arpa from 172.24.0.9
mei 05 08:28:36 alpaca dnsmasq[23449]: forwarded 1.0.24.172.in-addr.arpa to 172.24.0.1
mei 05 08:28:36 alpaca dnsmasq[23449]: dnssec-query[DS] 172.in-addr.arpa to 127.0.0.1#35353
mei 05 08:28:36 alpaca dnsmasq[23449]: reply 172.in-addr.arpa is DS for keytag 8719, algo 8, digest 2
mei 05 08:28:36 alpaca dnsmasq[23449]: dnssec-query[DS] 24.172.in-addr.arpa to 127.0.0.1#35353
mei 05 08:28:36 alpaca dnsmasq[23449]: dnssec-query[DNSKEY] 172.in-addr.arpa to 127.0.0.1#35353
mei 05 08:28:36 alpaca dnsmasq[23449]: reply 172.in-addr.arpa is truncated
mei 05 08:28:36 alpaca dnsmasq[23475]: dnssec-query[DNSKEY] 172.in-addr.arpa to 127.0.0.1#35353
mei 05 08:28:36 alpaca dnsmasq[23475]: reply 172.in-addr.arpa is DNSKEY keytag 8719, algo 8
mei 05 08:28:36 alpaca dnsmasq[23475]: reply 172.in-addr.arpa is DNSKEY keytag 17836, algo 8
mei 05 08:28:36 alpaca dnsmasq[23475]: reply 172.in-addr.arpa is DNSKEY keytag 52701, algo 8
mei 05 08:28:36 alpaca dnsmasq[23475]: reply 172.in-addr.arpa is DNSKEY keytag 38739, algo 8
mei 05 08:28:36 alpaca dnsmasq[23449]: reply 24.172.in-addr.arpa is no DS
mei 05 08:28:36 alpaca dnsmasq[23449]: validation result is INSECURE
mei 05 08:28:36 alpaca dnsmasq[23449]: reply 172.24.0.1 is fritz.box
Chips, a third attempt is needed. One with `bogus-priv` active.
mei 05 08:38:13 alpaca dnsmasq[23511]: started, version 2.92test1-1-ge8781a4 cachesize 150
mei 05 08:38:13 alpaca dnsmasq[23511]: DNS service limited to local subnets
mei 05 08:38:13 alpaca dnsmasq[23511]: compile time options: IPv6 GNU-getopt DBus no-UBus no-i18n no-IDN DHCP DHCP>
mei 05 08:38:13 alpaca dnsmasq[23511]: DNSSEC validation enabled
mei 05 08:38:13 alpaca dnsmasq[23511]: configured with trust anchor for <root> keytag 20326
mei 05 08:38:13 alpaca dnsmasq[23511]: warning: using interface eth0 instead
mei 05 08:38:13 alpaca dnsmasq[23511]: warning: using interface eth0 instead
mei 05 08:38:13 alpaca dnsmasq-dhcp[23511]: DHCP, IP range 172.24.0.40 -- 172.24.0.47, lease time 15m
mei 05 08:38:13 alpaca dnsmasq-tftp[23511]: TFTP root is /srv/tftp
mei 05 08:38:13 alpaca dnsmasq[23511]: using nameserver 172.24.0.1#53 for domain 0.0.24.172.in-addr.arpa
mei 05 08:39:27 alpaca dnsmasq[23511]: query[PTR] 1.0.24.172.in-addr.arpa from 172.24.0.9
mei 05 08:39:27 alpaca dnsmasq[23511]: forwarded 1.0.24.172.in-addr.arpa to 172.24.0.1
mei 05 08:39:27 alpaca dnsmasq[23511]: dnssec-query[DS] 172.in-addr.arpa to 127.0.0.1#35353
mei 05 08:39:27 alpaca dnsmasq[23511]: reply 172.in-addr.arpa is DS for keytag 8719, algo 8, digest 2
mei 05 08:39:27 alpaca dnsmasq[23511]: dnssec-query[DS] 24.172.in-addr.arpa to 127.0.0.1#35353
mei 05 08:39:27 alpaca dnsmasq[23511]: dnssec-query[DNSKEY] 172.in-addr.arpa to 127.0.0.1#35353
mei 05 08:39:27 alpaca dnsmasq[23511]: reply 172.in-addr.arpa is truncated
mei 05 08:39:27 alpaca dnsmasq[23542]: dnssec-query[DNSKEY] 172.in-addr.arpa to 127.0.0.1#35353
mei 05 08:39:27 alpaca dnsmasq[23542]: reply 172.in-addr.arpa is DNSKEY keytag 17836, algo 8
mei 05 08:39:27 alpaca dnsmasq[23542]: reply 172.in-addr.arpa is DNSKEY keytag 8719, algo 8
mei 05 08:39:27 alpaca dnsmasq[23542]: reply 172.in-addr.arpa is DNSKEY keytag 52701, algo 8
mei 05 08:39:27 alpaca dnsmasq[23542]: reply 172.in-addr.arpa is DNSKEY keytag 38739, algo 8
mei 05 08:39:27 alpaca dnsmasq[23511]: reply 24.172.in-addr.arpa is no DS
mei 05 08:39:27 alpaca dnsmasq[23511]: validation result is INSECURE
mei 05 08:39:27 alpaca dnsmasq[23511]: reply 172.24.0.1 is fritz.box
My current interpretation is that `bogus-priv` is ignored.
> Best,
> Dominik
Regards
Geert Stappers
DNSMASQ(8) System Manager's Manual DNSMASQ(8)
NAME
dnsmasq - A lightweight DHCP and caching DNS server.
SYNOPSIS
dnsmasq [OPTION]...
DESCRIPTION
dnsmasq is a lightweight DNS, TFTP, PXE, router advertisement
and DHCP server. It is intended to provide coupled DNS and
DHCP service to a LAN.
....
-b, --bogus-priv
Bogus private reverse lookups. All reverse lookups for
private IP ranges (ie 192.168.x.x, etc) which are not
found in /etc/hosts or the DHCP leases file are answered
with "no such domain" rather than being forwarded
upstream. The set of prefixes affected is the list given
in RFC6303, for IPv4 and IPv6.
--
Silence is hard to parse
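The question in this thread is whether the DS/DNSKEY queries that DNSSEC validation triggers for a private reverse zone should ever reach a server other than the configured rev-server. The following checker is an added example (not code from the thread or from dnsmasq) that scans dnsmasq log lines for exactly that pattern: a `dnssec-query[...]` whose name falls inside one of the RFC 6303 IPv4 zones that `--bogus-priv` covers, sent to a server not in the local set. The sample lines are constructed after the two logs above, and the local server set is assumed to be the rev-server addresses from the two configurations. A DS query for the public parent (172.in-addr.arpa) is deliberately not flagged, since that zone is not private.

```python
import re

# Constructed sample lines modelled on the two logs in this thread (not verbatim).
SAMPLE_LOG = """\
Apr 21 19:00:01 dnsmasq[310194]: query[PTR] 1.1.0.10.in-addr.arpa from 127.0.0.1
Apr 21 19:00:01 dnsmasq[310194]: forwarded 1.1.0.10.in-addr.arpa to 10.0.1.1
Apr 21 19:00:01 dnsmasq[310194]: dnssec-query[DS] 10.in-addr.arpa to 8.8.4.4
mei 05 08:39:27 alpaca dnsmasq[23511]: forwarded 1.0.24.172.in-addr.arpa to 172.24.0.1
mei 05 08:39:27 alpaca dnsmasq[23511]: dnssec-query[DS] 172.in-addr.arpa to 127.0.0.1#35353
mei 05 08:39:27 alpaca dnsmasq[23511]: dnssec-query[DS] 24.172.in-addr.arpa to 127.0.0.1#35353
mei 05 08:39:27 alpaca dnsmasq[23511]: dnssec-query[DNSKEY] 172.in-addr.arpa to 127.0.0.1#35353
"""

# The RFC 1918 reverse zones from RFC 6303 (the RFC lists more; this is a subset).
PRIVATE_REVERSE_ZONES = (
    ["10.in-addr.arpa"]
    + [f"{i}.172.in-addr.arpa" for i in range(16, 32)]
    + ["168.192.in-addr.arpa"]
)

# Matches the dnsmasq log format "dnssec-query[TYPE] name to server[#port]".
QUERY_RE = re.compile(r"dnssec-query\[(\w+)\] (\S+) to (\S+)$")


def private_zone_of(name):
    """Return the RFC 6303 zone that contains `name`, or None if it is public."""
    name = name.rstrip(".").lower()
    for zone in PRIVATE_REVERSE_ZONES:
        if name == zone or name.endswith("." + zone):
            return zone
    return None


def leaked_dnssec_queries(log_text, local_servers):
    """DS/DNSKEY queries about private reverse space sent to a non-local server.

    Returns (qtype, name, server, zone) tuples in log order. `local_servers` is the
    set of rev-server / server=/domain/ addresses (port suffix ignored on match).
    """
    leaks = []
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue
        qtype, name, server = m.groups()
        zone = private_zone_of(name)
        if zone and server.split("#")[0] not in local_servers:
            leaks.append((qtype, name, server, zone))
    return leaks


if __name__ == "__main__":
    for qtype, name, server, zone in leaked_dnssec_queries(SAMPLE_LOG, {"10.0.1.1", "172.24.0.1"}):
        print(f"{qtype} {name} -> {server} (inside private zone {zone})")
```

Run against a real `log-queries` output, the flagged lines are the validation traffic that left the local resolver for addresses that `--bogus-priv` would otherwise keep private.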