0

DNSSEC and blocked domains

I tried to use NextDNS with DNSSEC configured on my Raspi with dnsmasq as local cache and for resolving local IPs. When i try to resolve a domain, that is blocked by NextDNS and forwarding 0.0.0.0 or :: to my dnsmasq, the clients get a SERVFAIL from my dnsmasq. When I disable DNSSEC, the clients get NOERROR and the 0.0.0.0 or :: address. Is this a faulty or an expected behaviour? Logfile from dnsmasq says, that the verification fails, since the IPs do not match.

16 replies

null
    • olivier
    • 3 yrs ago
    • Reported - view

    Yes it is expected. You need to disable DNSSEC client validation. The validation is already performed on the resolver side (nextdns servers).

      • Daniel_Pernold
      • 3 yrs ago
      • Reported - view

      Olivier Poitrey thank's for your answer. The log gave me:

      Feb 18 13:29:14 dnsmasq[108683]: forwarded www.ziffdavis.com to 45.90.30.137
      Feb 18 13:29:14 dnsmasq[108683]: dnssec-query[DS] ziffdavis.com to 45.90.30.137
      Feb 18 13:29:14 dnsmasq[108683]: reply ziffdavis.com is BOGUS DS
      Feb 18 13:29:14 dnsmasq[108683]: validation www.ziffdavis.com is BOGUS
      Feb 18 13:29:14 dnsmasq[108683]: reply www.ziffdavis.com is 0.0.0.0

      I'm not really happy disabling validation on my dnsmasq (10.0.1.1), since this breaks the whole sense of DNSSEC. Will SERVFAIL do anything bad to my clients other than not resolving? Latency? Loops?

      Server:        10.0.1.1
      Address:    10.0.1.1#53
      
      ** server can't find www.ziffdavis.com: SERVFAIL
      • olivier
      • 3 yrs ago
      • Reported - view

      Daniel Pernold dnssec ensures there is no dns cache poisoning on the resolver side. If you are using DoH or DoT with our servers, there is no need to double validate, it will just make things slower.

      • Daniel_Pernold
      • 3 yrs ago
      • Reported - view

      Olivier Poitrey ok thanks. Will give Stubby a try.

      • olivier
      • 3 yrs ago
      • Reported - view

      Daniel Pernold you will get best results with https://nextdns.io/cli

      • Daniel_Pernold
      • 3 yrs ago
      • Reported - view

      Olivier Poitrey nice thx. Will it be faster than DoT? I'm a bit concerned about double caching with this tool and dnsmasq.

      • olivier
      • 3 yrs ago
      • Reported - view

      Daniel Pernold you don’t need dnsmasq with the CLI.

      • Daniel_Pernold
      • 3 yrs ago
      • Reported - view

      Olivier Poitrey unfortunately there are a lot of features of dnsmasq the cli is not able to configure (dedicated hosts files, ...).

      • olivier
      • 3 yrs ago
      • Reported - view

      Daniel Pernold cli will read and serve the /etc/hosts file. If you really want dnsmasq, you can disable cli cache.

      • Daniel_Pernold
      • 3 yrs ago
      • Reported - view

      Olivier Poitrey thanks. It would be a nice feature to configure multiple host-files. Is it possible to configure dnsmasq to forward the client-ip-adress to use the different config-IDs for different client-subnets?

      • olivier
      • 3 yrs ago
      • Reported - view
      • Daniel_Pernold
      • 3 yrs ago
      • Reported - view

      Olivier Poitrey thanks, finally got this working. A big issue was the lack of detailed documentation of the config (parameters). Wasted 3 hours debugging requests, because the order of configs matter. Or did I miss that hint?

      Will NOT delegate subnet to conditional config:

      # LAN
      config <LAN-ID>
      
      # Guest
      config 10.255.0.0/16=<Guest-ID>
      config XXXX:XXXX:XXXX:ffff::/64=<Guest-ID>

      Will delegate correctly all Client in subnet to Guest-ID config:

      # Guest
      config 10.255.0.0/16=<Guest-ID>
      config XXXX:XXXX:XXXX:ffff::/64=<Guest-ID>
      
      # LAN
      config <LAN-ID>

      Finally went back to to DoT with Stubby and let do Dnsmasq the whole subnetting and caching, since there's no benefit for me using DoH with NextDNS CLI and Dnsmasq refuses to cache properly with add-subnet enabled. For me Dnsmasq with Stubby is the better and more simplistic stack.

      From Dnsmasq man-page:

      -add-subnet[[=[<IPv4 address>/]<IPv4 prefix length>][,[<IPv6 address>/]<IPv6 prefix length>]]
      ...
      Note that upstream nameservers may be configured to return different results based on this information, but the dnsmasq cache does not take account. Caching is therefore disabled for such replies, unless the subnet address being added is constant.
      
      • olivier
      • 3 yrs ago
      • Reported - view

      Daniel Pernold with stubby you can’t do per subnet config nor report LAN client info. With dynamic config like you show, caching at dnsmasq would not work either as you would mixup caches between configs: things block for one config would be randomly blocked (or not) for all config depending on who asked first.

      • Daniel_Pernold
      • 3 yrs ago
      • Reported - view

      Olivier Poitrey I'm logging client info with Dnsmasq. My setup now consists of two stubby instances and different dnsmasq configs, routing from each vlan. This works best for my setup. I also did a few benchmarks. The DoH solution adds a lot of latency, whereas DoT with Dnsmasq caching performs better overall. Thanks anyway.

    • Simon_Kong
    • 3 yrs ago
    • Reported - view

    @Olivier Poitrey 

    This does not happen when using the OpenDNS servers. i would like to leave dnssec on.

    when trying to access a blocked site, and "Enable Block Page" is turn on, my bind9 server is failing the dnssec validation. i.e when dnssec-validation yes; or dnssec-validation auto;

    only works when it is configured with dnssec-validation no;

     

    as per above, works fine on OpenDNS, and it redirects to the custom block page.

    roll back to OpenDNS for now.....

     

    Jul 20 11:08:03 dns-1 named[36895]: no valid DS resolving 'BLOCKSITE.com/AAAA/IN': 45.90.30.XXX#53
    Jul 20 11:08:03 dns-1 named[36895]: no valid DS resolving 'BLOCKSITE.com/A/IN': 45.90.30.XXX#53
    Jul 20 11:08:03 dns-1 named[36895]: no valid DS resolving 'BLOCKSITE.com/DS/IN': 45.90.30.XXX#53


    Jul 20 09:34:37 dns-1 named[36681]: validating blockpage.nextdns.io/A: bad cache hit (blockpage.nextdns.io/DS)
    Jul 20 09:34:37 dns-1 named[36681]: validating blockpage.nextdns.io/AAAA: bad cache hit (blockpage.nextdns.io/DS)
    Jul 20 09:34:37 dns-1 named[36681]: broken trust chain resolving 'blockpage.nextdns.io/A/IN': 2a07:a8c0::XX:XXXX#53
    Jul 20 09:34:37 dns-1 named[36681]: broken trust chain resolving 'blockpage.nextdns.io/AAAA/IN': 2a07:a8c0::XX:XXXX#53
     

      • Simon_Kong
      • 3 yrs ago
      • Reported - view

      Simon Kong p.s the blocked domain does not even have DNSSEC configured/enabled.

Content aside

  • 3 yrs agoLast active
  • 16Replies
  • 2191Views
  • 3 Following