1

Access to Duckduckgo fails once safe search is enforced whereas safe.duckduckgo.com exists

Once safe search is enforced, access to duckduckgo.com is blocked.

However safe.duckduckgo.com exists and then should not be blocked but used.

cf https://help.duckduckgo.com/duckduckgo-help-pages/features/safe-search/

8 replies

null
    • Pro subscriber ✓
    • DynamicNotSlow
    • 3 yrs ago
    • Reported - view
    • NextDNs
    • 3 yrs ago
    • Reported - view

    Can you please show the result of a dig on duckduckgo.com when blocked?

      • nsteinmetz
      • 3 yrs ago
      • Reported - view

      NextDNS just reenabled and I got:

      ❯ dig www.duckduckgo.com
      ; <<>> DiG 9.16.18-RH <<>> www.duckduckgo.com
      ;; global options: +cmd
      ;; Got answer:
      ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 16745
      ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
      ;; OPT PSEUDOSECTION:
      ; EDNS: version: 0, flags:; udp: 65494
      ;; QUESTION SECTION:
      ;www.duckduckgo.com.        IN    A
      ;; Query time: 147 msec
      ;; SERVER: 127.0.0.53#53(127.0.0.53)
      ;; WHEN: jeu. juil. 15 18:44:17 CEST 2021
      ;; MSG SIZE  rcvd: 47
      

      For duckduckgo.com, I have answer this time - If I remember well, I didn't yesterday.

      My router is based on ipfire which use unbound and enforce dnssec if I'm correct. Could it be related ?

      ❯ dig www.duckduckgo.com @10.251.0.1
      ; <<>> DiG 9.16.18-RH <<>> www.duckduckgo.com @10.251.0.1
      ;; global options: +cmd
      ;; Got answer:
      ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 62329
      ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
      ;; OPT PSEUDOSECTION:
      ; EDNS: version: 0, flags:; udp: 1232
      ;; QUESTION SECTION:
      ;www.duckduckgo.com.        IN    A
      ;; Query time: 192 msec
      ;; SERVER: 10.251.0.1#53(10.251.0.1)
      ;; WHEN: jeu. juil. 15 18:47:03 CEST 2021
      ;; MSG SIZE  rcvd: 47
          ~
      ❯ dig duckduckgo.com @10.251.0.1
      ; <<>> DiG 9.16.18-RH <<>> duckduckgo.com @10.251.0.1
      ;; global options: +cmd
      ;; Got answer:
      ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32116
      ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
      ;; OPT PSEUDOSECTION:
      ; EDNS: version: 0, flags:; udp: 1232
      ;; QUESTION SECTION:
      ;duckduckgo.com.            IN    A
      ;; ANSWER SECTION:
      duckduckgo.com.        60    IN    A    40.114.177.246
      ;; Query time: 2 msec
      ;; SERVER: 10.251.0.1#53(10.251.0.1)
      ;; WHEN: jeu. juil. 15 18:47:07 CEST 2021
      ;; MSG SIZE  rcvd: 59
      
      • nsteinmetz
      • 3 yrs ago
      • Reported - view

      That's it, in unbound logs from ipfire:

      18:40:30unbound: [18949:0]info: validation failure <www.duckduckgo.com. A IN>: DS got unsigned CNAME answ er from 45.90.28.26 and 45.90.30.26 for DS duckduckgo.com. while building chain of trust
      
      • Pro subscriber ✓
      • DynamicNotSlow
      • 3 yrs ago
      • Reported - view

      nsteinmetz disable DNSSEC in unbound and re-test.

      NextDNS already use DNSSEC so using it twice will end in problems.

      • nsteinmetz
      • 3 yrs ago
      • Reported - view

      DynamicNotSlow thanks, indeed disabling dnssec at ipfire level make it work again as expected.

      Only issue I have is that I will have to disable it manually after each ipfire upgrade :-/

      • Pro subscriber ✓
      • DynamicNotSlow
      • 3 yrs ago
      • Reported - view

      nsteinmetz you should report this to ipfire team then.

      Or don't use it at all.

      • nsteinmetz
      • 3 yrs ago
      • Reported - view

      DynamicNotSlow Yep, just saw that opnsense allows via the gui to enable/disable dnssec validation. Will migrate to it later this summer

Content aside

  • 1 Likes
  • 3 yrs agoLast active
  • 8Replies
  • 286Views
  • 2 Following