Resolution problem with some domains

[belgotux]

Hello,

I've got some troubles with dns resolution with your image. Example with fastmirror.pp.ua (debian image or libreoffice download).
The docker file is simple, one service for DoT and one with pihole on top.
I doing my test inside my pihole docker (most easy to install debug tools with apt). I ask the DNS request directly to the DoT container with the image qmcgaw/dns.
I've change the PROVIDERS: from 'cloudflare,quad9' to 'cloudflare' do simplify the test.

The test is reproducible, I've try on a fresh vps in another datacenter directly with the docker-compose file and same results.

My tests :

• try directly with kdig command WORK : kdig -d @1.1.1.1 +tls-ca +tls-host=cloudflare-dns.com fastmirror.pp.ua
• try with cloudflare directly WORK : dig fastmirror.pp.ua @1.1.1.1
• try to as to the DoT container FAIL : dig fastmirror.pp.ua @10.10.10.34
• try with another domain WORK : dig perdu.com @10.10.10.34

The output :

root@234060bb9e9c:/# kdig -d @1.1.1.1 +tls-ca +tls-host=cloudflare-dns.com  fastmirror.pp.ua
;; DEBUG: Querying for owner(fastmirror.pp.ua.), class(1), type(1), server(1.1.1.1), port(853), protocol(TCP)
;; DEBUG: TLS, imported 137 system certificates
;; DEBUG: TLS, received certificate hierarchy:
;; DEBUG:  #1, C=US,ST=California,L=San Francisco,O=Cloudflare\, Inc.,CN=cloudflare-dns.com
;; DEBUG:      SHA-256 PIN: RKlx+/Jwn2A+dVoU8gQWeRN2+2JxXcFkAczKfgU8OAI=
;; DEBUG:  #2, C=US,O=DigiCert Inc,CN=DigiCert TLS Hybrid ECC SHA384 2020 CA1
;; DEBUG:      SHA-256 PIN: e0IRz5Tio3GA1Xs4fUVWmH1xHDiH2dMbVtCBSkOIdqM=
;; DEBUG: TLS, skipping certificate PIN check
;; DEBUG: TLS, The certificate is trusted.
;; TLS session (TLS1.3)-(ECDHE-X25519)-(ECDSA-SECP256R1-SHA256)-(AES-256-GCM)
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 54904
;; Flags: qr rd ra; QUERY: 1; ANSWER: 1; AUTHORITY: 0; ADDITIONAL: 1

;; EDNS PSEUDOSECTION:
;; Version: 0; flags: ; UDP size: 1232 B; ext-rcode: NOERROR
;; PADDING: 403 B

;; QUESTION SECTION:
;; fastmirror.pp.ua.            IN      A

;; ANSWER SECTION:
fastmirror.pp.ua.       13578   IN      A       93.126.105.202

---------

root@234060bb9e9c:/# dig fastmirror.pp.ua @1.1.1.1

; <<>> DiG 9.11.5-P4-5.1+deb10u6-Debian <<>> fastmirror.pp.ua @1.1.1.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;fastmirror.pp.ua.              IN      A

;; ANSWER SECTION:
fastmirror.pp.ua.       12202   IN      A       93.126.105.202

;; Query time: 12 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; WHEN: Tue Mar 29 12:51:55 CEST 2022
;; MSG SIZE  rcvd: 61

-------------

root@234060bb9e9c:/# dig fastmirror.pp.ua @10.10.10.34

; <<>> DiG 9.11.5-P4-5.1+deb10u6-Debian <<>> fastmirror.pp.ua @10.10.10.34
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 11466
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;fastmirror.pp.ua.              IN      A

;; Query time: 0 msec
;; SERVER: 10.10.10.34#53(10.10.10.34)
;; WHEN: Tue Mar 29 12:53:11 CEST 2022
;; MSG SIZE  rcvd: 45

-----------

root@234060bb9e9c:/# dig perdu.com @10.10.10.34

; <<>> DiG 9.11.5-P4-5.1+deb10u6-Debian <<>> perdu.com @10.10.10.34
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46343
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;perdu.com.                     IN      A

;; ANSWER SECTION:
perdu.com.              9000    IN      A       208.97.177.124

;; Query time: 151 msec
;; SERVER: 10.10.10.34#53(10.10.10.34)
;; WHEN: Tue Mar 29 12:59:55 CEST 2022
;; MSG SIZE  rcvd: 54

The docker-compose :

version: '3.7'

networks:
  dnsnet:
    driver: bridge
    ipam:
      driver: default
      config:
        - subnet: 10.10.10.32/29
  proxy-net:
    external: true

services:

  dot:
    image: qmcgaw/dns:latest
    container_name: pihole-unbound-DoT
    environment:
      #PROVIDERS: 'cloudflare,quad9'
      PROVIDERS: 'cloudflare'
      CACHING: 'off'
    networks:
      dnsnet:
        ipv4_address: 10.10.10.34
    restart: unless-stopped


  pihole:
    image: pihole/pihole:latest
    container_name: pihole
    environment:
      TZ: 'Europe/Paris'
      ADMIN_EMAIL: 'xxx@yyy.tld'
      WEBPASSWORD: 'tttttt'
      DNS1: 10.10.10.34
      DNS2: 10.10.10.34
      VIRTUAL_HOST: pihole.xxx.com
    depends_on:
      - dot
    networks:
      proxy-net:
      dnsnet:
          ipv4_address: 10.10.10.35
    restart: unless-stopped

[qdm12]

Maybe try with qmcgaw/dns:v2.0.0-beta? The latest image based on Unbound will be not supported anymore quite soon.

[qdm12]

Also maybe fastmirror.pp.ua is blocked. By default BLOCK_MALICIOUS=on so you might want to turn it off.

[belgotux]

Hello Quentin,
Thanks for your quick reply. Yes it's blocking, just try with the BLOCK_MALICIOUS='off'.

But the logs don't put any information about that, just retry and only have this is the logs, maybe need to add something about block in the logs ?

pihole-unbound-DoT | 2022/03/31 13:41:43 INFO [1648734103] unbound[18:0] debug: using localzone pp.ua. static

With the verbosity at max :

VERBOSITY: 5
VERBOSITY_DETAILS: 4

http://fastmirror.pp.ua is a mirror for open-source big projects, how can I check or pull request for this ?

For the beta, I see that it works, it's not the same malicious link ? dcdown and dcupd with both stable and beta with the BLOCK_MALICIOUS: 'on' and the beta work unlike the stable

  dot:
    image: qmcgaw/dns:latest
    container_name: pihole-unbound-DoT
    environment:
      PROVIDERS: 'cloudflare'
      CACHING: 'off'
      BLOCK_MALICIOUS: 'on'
      VERBOSITY: 2
      VERBOSITY_DETAILS: 1
    networks:
      dnsnet:
        ipv4_address: 10.10.10.34
    restart: unless-stopped

  dot2:
    image: qmcgaw/dns:v2.0.0-beta
    container_name: pihole-unbound-DoT2
    environment:
      PROVIDERS: 'cloudflare'
      CACHING: 'off'
      BLOCK_MALICIOUS: 'on'
      VERBOSITY: 1
      VERBOSITY_DETAILS: 1
    networks:
      dnsnet:
        ipv4_address: 10.10.10.36
    restart: unless-stopped

root@9a19adbf2353:/# dig fastmirror.pp.ua @10.10.10.34

; <<>> DiG 9.11.5-P4-5.1+deb10u6-Debian <<>> fastmirror.pp.ua @10.10.10.34
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 57706
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;fastmirror.pp.ua.              IN      A

;; Query time: 43 msec
;; SERVER: 10.10.10.34#53(10.10.10.34)
;; WHEN: Thu Mar 31 16:11:53 CEST 2022
;; MSG SIZE  rcvd: 45

root@9a19adbf2353:/# dig fastmirror.pp.ua @10.10.10.36

; <<>> DiG 9.11.5-P4-5.1+deb10u6-Debian <<>> fastmirror.pp.ua @10.10.10.36
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55536
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;fastmirror.pp.ua.              IN      A

;; ANSWER SECTION:
fastmirror.pp.ua.       13535   IN      A       93.126.105.202

;; Query time: 17 msec
;; SERVER: 10.10.10.36#53(10.10.10.36)
;; WHEN: Thu Mar 31 16:11:56 CEST 2022
;; MSG SIZE  rcvd: 77

[qdm12]

Sorry for the huge delay answering. v2.0.0-beta is a totally different program really, it's coded from scratch and doesn't use Unbound. Maybe that was a bug back then? Try pulling the newer image? I also don't see fastmirror.pp.ua in https://raw.githubusercontent.com/qdm12/files/master/malicious-hostnames.updated so maybe it's no longer blocked 🤔

With the v2.0.0-beta image, you can also log all requests and/or responses using MIDDLEWARE_LOG_ENABLED=on with MIDDLEWARE_LOG_REQUESTS=on and MIDDLEWARE_LOG_RESPONSES=on if you want, and there is also #123 which could be fun to watch. There are also Prometheus metrics available although that is not PER domain.

EDIT: Also v2.0.0-beta is about to come out of beta and be the newer stable version.