
dnsmasq + dnssec: DNS resolution/conversion works only partially #956

Closed
cdr1981 opened this issue Oct 9, 2019 · 6 comments

Comments

@cdr1981

cdr1981 commented Oct 9, 2019

I have a very unusual problem with dnscrypt-proxy v2. The name conversion works only partially. The resolution of the domain name ending in .org does not work on the client. If I enter this directly at the console of pihole then the resolution works correctly.


SSH Console at Pihole:

root@pi-hole:/opt/dnscrypt-proxy# ./dnscrypt-proxy -resolve google.org
Resolving [google.org]

Domain exists: yes, 4 name servers found
Canonical name: google.org.
IP addresses: 216.239.32.27, 2001:4860:4802:32::1b
TXT records: v=spf1 include:_spf.google.com ~all
Resolver IP: 172.253.11.1

root@pi-hole:/opt/dnscrypt-proxy#

at Windows Client with Error:

C:\Users\Administrator>nslookup google.org
Server: pi-hole.intranet.lan
Address: 192.168.128.3
*** google.org wurde von pi-hole.intranet.lan nicht gefunden: Unspecified error.
C:\Users\Administrator>

On the other hand, the resolution of, for example, com domains works flawlessly.

C:\Users\Administrator>nslookup google.com
Server: pi-hole.intranet.lan
Address: 192.168.128.3

Nicht autorisierende Antwort:
Name: google.com
Addresses: 2a00:1450:400a:800::200e
216.58.215.238
C:\Users\Administrator>

If I deactivate dnscrypt-proxy on the pihole and do the name resolution conventionally over pihole and port 53, then the domains with the extension .org also work:

C:\Users\Administrator>nslookup google.org
Server: pi-hole.intranet.lan
Address: 192.168.128.3

Nicht autorisierende Antwort:
Name: google.org
Addresses: 2001:4860:4802:32::1b
216.239.32.27
C:\Users\Administrator>

In dnscrypt-proxy v2 I have no blacklist active. I have used versions 2.0.19 and 2.0.27.
Unfortunately I have no idea what causes this problem. The resolution of .org domains works directly on pihole with dnscrypt, but not on the client. On the other hand, domains with the endings .com or .ch and so on also work on the client. I deleted the cache each time. The hosts file on the client is empty.

I hope someone can help in solving this problem. Thank you very much.

@cdr1981 cdr1981 changed the title resolving works only partially DNS resolution/conversion works only partially Oct 9, 2019
@jedisct1
Member

jedisct1 commented Oct 9, 2019

Can you try disabling DNSSEC on pi-hole (not in dnscrypt-proxy, but on fldns, dnsmasq or whatever it's called)?

@cdr1981
Author

cdr1981 commented Oct 9, 2019

Now it works. In order to be able to resolve .org domains as well, DNSSEC must be deactivated in Pihole. Strangely, it only affected the .org domains. But now it works and thanks for the help.

@miquecg

miquecg commented Oct 10, 2019

Can you try disabling DNSSEC on pi-hole (not in dnscrypt-proxy, but on fldns, dnsmasq or whatever it's called)?

I've been experiencing similar issues when DNSSEC is active in dnsmasq, primarily with .org domains also. Is there any known problem on dnscrypt-proxy for this type of request? With public servers like Cloudflare, for example, DNSSEC seems to work fine.

I have the impression that it could be happening only with some resolvers in particular. The issue is not always reproducible and dnscrypt-proxy doesn't use the same server for every request, at least by default.

@jedisct1
Member

When DNSSEC is enabled, the response for org is very large, and may be truncated. In which case the client is assumed to retry over TCP.

Maybe dnsmasq doesn't support that properly?

Truncated responses from dnscrypt-proxy don't have the DNSSEC bit set (only real responses), maybe this is what confuses dnsmasq.

@jedisct1 jedisct1 changed the title DNS resolution/conversion works only partially dnsmasq + dnssec: DNS resolution/conversion works only partially Oct 10, 2019
@miquecg

miquecg commented Oct 10, 2019

I've found this that could mean a problem with some servers but not 1.1.1.1:

What appears to be happening is that the initial response from 8.8.8.8 is getting dropped, causing dnsmasq to timeout and fallback to using a smaller (1280 byte) maximum which is then too small for the response and results in truncation and subsequent fallback to TCP. Whereas the responses from 1.1.1.1 are truncated from the beginning, perhaps because that server supports a smaller maximum UDP response size that doesn't result in fragmentation. You could verify this with a packet capture if you were so inclined

https://serverfault.com/questions/979277/dnsmasq-dnssec-udp-issue-on-google-compute-engine/979341#979341

I've seen messages in dnsmasq logs about reduced packet size when sending queries through dnscrypt-proxy, which does load balancing between available servers. For the moment this is not the case if I use Cloudflare instead of the proxy.

oct 09 20:20:59 dnsmasq[618]: reducing DNS packet size for nameserver 127.0.0.1 to 1280
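Added illustration of the mechanism jedisct1 describes above (a large DNSSEC reply gets the TC bit, the stub must retry over TCP, and a truncated reply carries no AD bit) and of the EDNS0 buffer-size fallback in the dnsmasq log line just quoted. This is example code, not code from dnscrypt-proxy or dnsmasq; the server address, transaction ID and sample reply headers are constructed.

```python
import socket
import struct

# DNS header flag bits (RFC 1035 / RFC 4035)
FLAG_QR = 0x8000  # response
FLAG_TC = 0x0200  # truncated: client is expected to retry the query over TCP
FLAG_AD = 0x0020  # authenticated data, i.e. the resolver validated DNSSEC

def build_query(name, qtype=1, udp_payload_size=4096, dnssec_ok=True, txid=0x1234):
    """Wire-format query with an EDNS0 OPT record advertising our UDP buffer size (RFC 6891)."""
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)  # RD set; 1 question, 1 additional (OPT)
    question = qname + struct.pack("!HH", qtype, 1)  # IN class
    # OPT RR: root name, TYPE 41, CLASS = UDP payload size, TTL = ext-rcode/version/DO bit, RDLEN 0
    opt = b"\x00" + struct.pack("!HHIH", 41, udp_payload_size, 0x8000 if dnssec_ok else 0, 0)
    return header + question + opt

def parse_header(msg):
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & FLAG_QR), "tc": bool(flags & FLAG_TC),
            "ad": bool(flags & FLAG_AD), "rcode": flags & 0x000F, "ancount": an}

def classify(msg):
    """What a stub should do with a reply; AD is not consulted while TC is set, as the thread notes."""
    h = parse_header(msg)
    if h["tc"]:
        return "retry-over-tcp"
    return "validated" if h["ad"] else "unvalidated"

def resolve(server, name, port=53, timeout=3.0):
    """UDP first; if the reply is truncated, re-send the same query over TCP (2-byte length prefix)."""
    q = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, port))
        resp, _ = s.recvfrom(4096)
    if classify(resp) != "retry-over-tcp":
        return resp
    with socket.create_connection((server, port), timeout=timeout) as t:
        t.sendall(struct.pack("!H", len(q)) + q)
        f = t.makefile("rb")
        n = struct.unpack("!H", f.read(2))[0]
        return f.read(n)

# Constructed sample replies (headers only, not captured from the thread)
TRUNCATED_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8380, 1, 0, 0, 0)  # QR|RD|TC|RA, no AD
VALIDATED_REPLY = struct.pack("!HHHHHH", 0x1234, 0x81A0, 1, 2, 0, 0)  # QR|RD|RA|AD
```

Calling `resolve("127.0.0.1", "google.org")` against a local dnscrypt-proxy shows whether the org answer arrives whole over UDP or only after the TCP retry; lowering `udp_payload_size` to 1280 reproduces the smaller buffer dnsmasq falls back to.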

@miquecg

miquecg commented Oct 16, 2019

Since 2.0.28 update the issue seems to be gone. Both dnsmasq and dnscrypt-proxy work fine together with DNSSEC enabled.

@DNSCrypt DNSCrypt locked and limited conversation to collaborators Nov 9, 2019