DNSSEC and blocked domains

I tried to use NextDNS with DNSSEC configured on my Raspi with dnsmasq as a local cache and for resolving local IPs. When I try to resolve a domain that is blocked by NextDNS and forwarding or :: to my dnsmasq, the clients get a SERVFAIL from my dnsmasq. When I disable DNSSEC, the clients get NOERROR and the or :: address. Is this faulty or expected behaviour? The dnsmasq log file says that the verification fails, since the IPs do not match.

  • Yes, it is expected. You need to disable DNSSEC client validation. The validation is already performed on the resolver side (NextDNS servers).

    • Olivier Poitrey thanks for your answer. The log gave me:

      Feb 18 13:29:14 dnsmasq[108683]: forwarded www.ziffdavis.com to
      Feb 18 13:29:14 dnsmasq[108683]: dnssec-query[DS] ziffdavis.com to
      Feb 18 13:29:14 dnsmasq[108683]: reply ziffdavis.com is BOGUS DS
      Feb 18 13:29:14 dnsmasq[108683]: validation www.ziffdavis.com is BOGUS
      Feb 18 13:29:14 dnsmasq[108683]: reply www.ziffdavis.com is

      I'm not really happy disabling validation on my dnsmasq, since this breaks the whole sense of DNSSEC. Will SERVFAIL do anything bad to my clients other than not resolving? Latency? Loops?

      ** server can't find www.ziffdavis.com: SERVFAIL
    • Daniel Pernold DNSSEC ensures there is no DNS cache poisoning on the resolver side. If you are using DoH or DoT with our servers, there is no need to double validate; it will just make things slower.

    • Olivier Poitrey ok thanks. Will give Stubby a try.

    • Daniel Pernold you will get best results with https://nextdns.io/cli

    • Olivier Poitrey nice thx. Will it be faster than DoT? I'm a bit concerned about double caching with this tool and dnsmasq.

    • Daniel Pernold you don’t need dnsmasq with the CLI.

    • Olivier Poitrey unfortunately there are a lot of features of dnsmasq the cli is not able to configure (dedicated hosts files, ...).

    • Daniel Pernold cli will read and serve the /etc/hosts file. If you really want dnsmasq, you can disable cli cache.

    • Olivier Poitrey thanks. It would be a nice feature to configure multiple hosts files. Is it possible to configure dnsmasq to forward the client IP address, to use different config IDs for different client subnets?

    • Olivier Poitrey thanks, finally got this working. A big issue was the lack of detailed documentation of the config parameters. Wasted 3 hours debugging requests, because the order of configs matters. Or did I miss that hint?

      Will NOT delegate subnet to conditional config:

      # LAN
      config <LAN-ID>
      # Guest
      config XXXX:XXXX:XXXX:ffff::/64=<Guest-ID>

      Will correctly delegate all clients in the subnet to the Guest-ID config:

      # Guest
      config XXXX:XXXX:XXXX:ffff::/64=<Guest-ID>
      # LAN
      config <LAN-ID>

      Finally went back to DoT with Stubby and let dnsmasq do the whole subnetting and caching, since there's no benefit for me in using DoH with NextDNS CLI, and dnsmasq refuses to cache properly with add-subnet enabled. For me dnsmasq with Stubby is the better and more simplistic stack.

      From the dnsmasq man page:

      --add-subnet[[=[<IPv4 address>/]<IPv4 prefix length>][,[<IPv6 address>/]<IPv6 prefix length>]]
      Note that upstream nameservers may be configured to return different results based on this information, but the dnsmasq cache does not take account. Caching is therefore disabled for such replies, unless the subnet address being added is constant.
    • Daniel Pernold with Stubby you can't do per-subnet config nor report LAN client info. With a dynamic config like you show, caching at dnsmasq would not work either, as you would mix up caches between configs: things blocked for one config would be randomly blocked (or not) for all configs depending on who asked first.

    • Olivier Poitrey I'm logging client info with Dnsmasq. My setup now consists of two stubby instances and different dnsmasq configs, routing from each vlan. This works best for my setup. I also did a few benchmarks. The DoH solution adds a lot of latency, whereas DoT with Dnsmasq caching performs better overall. Thanks anyway.

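The stack Olivier ends up with (dnsmasq in front of a Stubby DoT stub, one pair per VLAN and NextDNS config ID) and Oliver's point that validating a second time on the client only produces SERVFAILs, rendered as an added example. This is not configuration from the thread, from NextDNS, or from the dnsmasq/Stubby projects. Assumptions, labelled in the code: Stubby listens on loopback port 5353 by default, the NextDNS DoT endpoints are 45.90.28.0 and 45.90.30.0 with `<config-id>.dns.nextdns.io` as the TLS name (check your NextDNS setup page), the extra hosts files live in a placeholder directory, and the trust anchor used in the "validate" variant is the published root KSK-2017 DS. The "validate" variant is the one that turns NextDNS-rewritten answers into BOGUS/SERVFAIL; the "proxy" variant stops validating locally and only forwards the AD bit that NextDNS set, which is acceptable because the dnsmasq-to-Stubby hop is loopback and Stubby-to-NextDNS is authenticated TLS.

```shell
#!/bin/sh
# Added example (not from the thread or the NextDNS/dnsmasq/Stubby projects).
# Renders the two dnsmasq configurations discussed above plus a matching
# stubby.yml. Usage: render_dnsmasq_conf validate|proxy [PORT],
# render_stubby_conf CONFIG-ID [PORT], or `sh this.sh DIR CONFIG-ID` to write
# the "proxy" pair into DIR (review it there, then copy into /etc).

DEFAULT_STUBBY_PORT=5353   # assumption: Stubby listens here on loopback

render_dnsmasq_conf() {    # render_dnsmasq_conf validate|proxy [PORT] -> dnsmasq.conf on stdout
    mode=$1; port=${2:-$DEFAULT_STUBBY_PORT}
    cat <<EOF
# forward everything to the local Stubby DoT stub; ignore /etc/resolv.conf
no-resolv
server=127.0.0.1#${port}
server=::1#${port}
# local names: /etc/hosts plus every file in this directory (placeholder path)
addn-hosts=/etc/dnsmasq.hosts.d
EOF
    case $mode in
        validate)
            cat <<EOF
# local validation: answers NextDNS rewrote to 0.0.0.0/:: are BOGUS here -> SERVFAIL
dnssec
dnssec-check-unsigned
trust-anchor=.,20326,8,2,E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D
EOF
            ;;
        proxy)
            cat <<EOF
# no local validation; copy the AD bit set by the upstream validator to clients.
# Only safe because dnsmasq->Stubby is loopback and Stubby->NextDNS is TLS.
proxy-dnssec
EOF
            ;;
        *) echo "usage: render_dnsmasq_conf validate|proxy [PORT]" >&2; return 2 ;;
    esac
}

render_stubby_conf() {     # render_stubby_conf CONFIG-ID [PORT] -> stubby.yml on stdout
    id=$1; port=${2:-$DEFAULT_STUBBY_PORT}
    cat <<EOF
resolution_type: GETDNS_RESOLUTION_STUB
dns_transport_list:
  - GETDNS_TRANSPORT_TLS
tls_authentication: GETDNS_AUTHENTICATION_REQUIRED
tls_query_padding_blocksize: 128
round_robin_upstreams: 1
idle_timeout: 10000
listen_addresses:
  - 127.0.0.1@${port}
  - 0::1@${port}
upstream_recursive_servers:
  # NextDNS DoT endpoints (assumed; the config ID in the TLS name selects the profile)
  - address_data: 45.90.28.0
    tls_auth_name: "${id}.dns.nextdns.io"
  - address_data: 45.90.30.0
    tls_auth_name: "${id}.dns.nextdns.io"
EOF
}

validates_locally() {      # validates_locally CONF_TEXT -> 0 if dnsmasq would validate DNSSEC itself
    printf '%s\n' "$1" | grep -q '^[[:space:]]*dnssec[[:space:]]*$'
}

install_confs() {          # install_confs DIR CONFIG-ID -> writes the "proxy" pair into DIR
    dir=$1; id=$2
    mkdir -p "$dir"
    render_dnsmasq_conf proxy > "$dir/90-nextdns.conf"
    render_stubby_conf "$id"  > "$dir/stubby.yml"
    echo "wrote $dir/90-nextdns.conf and $dir/stubby.yml"
}

if [ $# -eq 2 ]; then install_confs "$1" "$2"; fi
```

For a second VLAN with its own NextDNS profile, render a second pair with another config ID and port (for example `render_stubby_conf <guest-id> 5354` and `render_dnsmasq_conf proxy 5354` for the dnsmasq instance bound to that VLAN's interface); that is the two-Stubby, two-dnsmasq layout from the thread without `add-subnet`, so dnsmasq's cache keeps working.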
  • @Olivier Poitrey 

    This does not happen when using the OpenDNS servers. I would like to leave DNSSEC on.

    When trying to access a blocked site, and "Enable Block Page" is turned on, my bind9 server is failing the DNSSEC validation, i.e. when dnssec-validation yes; or dnssec-validation auto;

    only works when it is configured with dnssec-validation no;


    as per above, works fine on OpenDNS, and it redirects to the custom block page.

    Rolling back to OpenDNS for now...


    Jul 20 11:08:03 dns-1 named[36895]: no valid DS resolving 'BLOCKSITE.com/AAAA/IN': 45.90.30.XXX#53
    Jul 20 11:08:03 dns-1 named[36895]: no valid DS resolving 'BLOCKSITE.com/A/IN': 45.90.30.XXX#53
    Jul 20 11:08:03 dns-1 named[36895]: no valid DS resolving 'BLOCKSITE.com/DS/IN': 45.90.30.XXX#53

    Jul 20 09:34:37 dns-1 named[36681]: validating blockpage.nextdns.io/A: bad cache hit (blockpage.nextdns.io/DS)
    Jul 20 09:34:37 dns-1 named[36681]: validating blockpage.nextdns.io/AAAA: bad cache hit (blockpage.nextdns.io/DS)
    Jul 20 09:34:37 dns-1 named[36681]: broken trust chain resolving 'blockpage.nextdns.io/A/IN': 2a07:a8c0::XX:XXXX#53
    Jul 20 09:34:37 dns-1 named[36681]: broken trust chain resolving 'blockpage.nextdns.io/AAAA/IN': 2a07:a8c0::XX:XXXX#53


      Simon Kong p.s. the blocked domain does not even have DNSSEC configured/enabled.

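Both failures in this thread, dnsmasq's "validation ... is BOGUS" and BIND's "no valid DS" / "broken trust chain", reach clients as a bare SERVFAIL, which says nothing about the cause. The quick manual check is to repeat the query with the CD (checking disabled) bit, `dig @127.0.0.1 www.example.com +dnssec +cd`: a validating resolver then hands back whatever the upstream sent without judging it. If that returns NOERROR with 0.0.0.0 or :: while the normal query returns SERVFAIL, the upstream filter substituted a null answer, and no substituted answer can carry a signature chain that matches the real zone, so a local validator has to reject it. The script below automates that comparison; it is an added example, not a tool from the thread or from NextDNS/BIND/dnsmasq. It assumes `dig` is installed and that the local resolver honours CD (BIND does); the sample dig outputs embedded at the bottom are constructed, not captures.

```shell
#!/bin/sh
# Added example, not from the thread. Classifies a SERVFAIL from a validating
# resolver by asking once normally and once with the CD bit, then comparing.
# Usage: diagnose DOMAIN [RESOLVER] [TYPE]   (e.g. diagnose www.ziffdavis.com 127.0.0.1)

dig_status() {    # dig_status DIG_OUTPUT -> RCODE taken from the ";; ->>HEADER<<-" line
    printf '%s\n' "$1" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p'
}

dig_answers() {   # dig_answers DIG_OUTPUT -> A/AAAA rdata from the ANSWER section, one per line
    printf '%s\n' "$1" | awk '
        /^;; ANSWER SECTION/ { s = 1; next }
        /^;;/                { s = 0 }
        s && ($4 == "A" || $4 == "AAAA") { print $5 }'
}

# verdict NORMAL_OUTPUT CD_OUTPUT -> one keyword:
#   ok                  NOERROR with validation on; nothing to diagnose
#   other-rcode:<X>     NXDOMAIN, REFUSED, a timeout (none) ...: not a validation problem
#   upstream-failure    still not NOERROR with CD set, so DNSSEC is not the cause
#   filter-rewrite      CD returns 0.0.0.0 / ::, i.e. the upstream substituted a
#                       null answer that can never match the zone's signatures
#   validation-failure  CD returns real-looking data that the validator rejects;
#                       treat as possibly hostile instead of switching validation off
verdict() {
    st_normal=$(dig_status "$1")
    st_cd=$(dig_status "$2")
    answers=$(dig_answers "$2" | tr '\n' ' ')
    if [ "$st_normal" = "NOERROR" ]; then
        echo ok
    elif [ "$st_normal" != "SERVFAIL" ]; then
        echo "other-rcode:${st_normal:-none}"
    elif [ "$st_cd" != "NOERROR" ]; then
        echo upstream-failure
    else
        case " $answers " in
            *" 0.0.0.0 "*|*" :: "*) echo filter-rewrite ;;
            *)                      echo validation-failure ;;
        esac
    fi
}

diagnose() {      # diagnose DOMAIN [RESOLVER] [TYPE]  -- live check; needs dig and network
    domain=$1; resolver=${2:-127.0.0.1}; qtype=${3:-A}
    normal=$(dig @"$resolver" "$domain" "$qtype" +dnssec +time=3 +tries=1 2>&1) || true
    with_cd=$(dig @"$resolver" "$domain" "$qtype" +dnssec +cd +time=3 +tries=1 2>&1) || true
    printf '%s %s: %s\n' "$domain" "$qtype" "$(verdict "$normal" "$with_cd")"
}

# Constructed sample outputs (not real captures) in dig's header/answer layout.
SAMPLE_SERVFAIL=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4242
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'

SAMPLE_CD_NULL=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4243
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
www.blocked.example.    300     IN      A       0.0.0.0'

SAMPLE_CD_REAL=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4244
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
www.signed.example.     300     IN      A       192.0.2.10'

SAMPLE_OK=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4245
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
www.signed.example.     300     IN      A       192.0.2.10'

if [ $# -gt 0 ]; then diagnose "$@"; fi
```

`filter-rewrite` is the situation in this thread and is fixed on the resolver (stop validating locally, or use an upstream that does not rewrite); `validation-failure` is the case DNSSEC exists for and deserves a look at the upstream path before anything is relaxed. Note that the check distinguishes cause, not trustworthiness: with CD set you are deliberately accepting unvalidated data, so use it only for diagnosis.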