
Access to Duckduckgo fails once safe search is enforced whereas safe.duckduckgo.com exists

Once safe search is enforced, access to duckduckgo.com is blocked.

However safe.duckduckgo.com exists and then should not be blocked but used.

cf https://help.duckduckgo.com/duckduckgo-help-pages/features/safe-search/

  • Can you please show the result of a dig on duckduckgo.com when blocked?

    • NextDNS just reenabled and I got:

      ❯ dig www.duckduckgo.com
      ; <<>> DiG 9.16.18-RH <<>> www.duckduckgo.com
      ;; global options: +cmd
      ;; Got answer:
      ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 16745
      ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
      ;; OPT PSEUDOSECTION:
      ; EDNS: version: 0, flags:; udp: 65494
      ;; QUESTION SECTION:
      ;www.duckduckgo.com.        IN    A
      ;; Query time: 147 msec
      ;; SERVER: 127.0.0.53#53(127.0.0.53)
      ;; WHEN: jeu. juil. 15 18:44:17 CEST 2021
      ;; MSG SIZE  rcvd: 47
      

      For duckduckgo.com, I have an answer this time - if I remember well, I didn't yesterday.

      My router is based on ipfire, which uses unbound and enforces dnssec, if I'm correct. Could it be related?

      ❯ dig www.duckduckgo.com @10.251.0.1
      ; <<>> DiG 9.16.18-RH <<>> www.duckduckgo.com @10.251.0.1
      ;; global options: +cmd
      ;; Got answer:
      ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 62329
      ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
      ;; OPT PSEUDOSECTION:
      ; EDNS: version: 0, flags:; udp: 1232
      ;; QUESTION SECTION:
      ;www.duckduckgo.com.        IN    A
      ;; Query time: 192 msec
      ;; SERVER: 10.251.0.1#53(10.251.0.1)
      ;; WHEN: jeu. juil. 15 18:47:03 CEST 2021
      ;; MSG SIZE  rcvd: 47
          ~
      ❯ dig duckduckgo.com @10.251.0.1
      ; <<>> DiG 9.16.18-RH <<>> duckduckgo.com @10.251.0.1
      ;; global options: +cmd
      ;; Got answer:
      ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32116
      ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
      ;; OPT PSEUDOSECTION:
      ; EDNS: version: 0, flags:; udp: 1232
      ;; QUESTION SECTION:
      ;duckduckgo.com.            IN    A
      ;; ANSWER SECTION:
      duckduckgo.com.        60    IN    A    40.114.177.246
      ;; Query time: 2 msec
      ;; SERVER: 10.251.0.1#53(10.251.0.1)
      ;; WHEN: jeu. juil. 15 18:47:07 CEST 2021
      ;; MSG SIZE  rcvd: 59
      
    • That's it, in unbound logs from ipfire:

      18:40:30 unbound: [18949:0] info: validation failure <www.duckduckgo.com. A IN>: DS got unsigned CNAME answer from 45.90.28.26 and 45.90.30.26 for DS duckduckgo.com. while building chain of trust
      
      • DynamicNotSlow
      • Pro subscriber ✓
      • 2 wk ago

      nsteinmetz disable DNSSEC in unbound and re-test.

      NextDNS already uses DNSSEC so using it twice will end in problems.

      • nsteinmetz
      • 11 days ago

      DynamicNotSlow thanks, indeed disabling dnssec at ipfire level makes it work again as expected.

      Only issue I have is that I will have to disable it manually after each ipfire upgrade :-/

      • DynamicNotSlow
      • Pro subscriber ✓
      • 11 days ago

      nsteinmetz you should report this to ipfire team then.

      Or don't use it at all.

      • nsteinmetz
      • 11 days ago

      DynamicNotSlow Yep, just saw that opnsense allows via the gui to enable/disable dnssec validation. Will migrate to it later this summer
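
The unbound message quoted in this thread names both the query that failed validation and the upstreams that returned the unsigned CNAME. As an added example (not part of the thread, and not NextDNS or IPFire code), this Python script extracts those fields from unbound log lines so rewritten names can be listed per upstream; the function names are hypothetical and the sample log is constructed around the quoted line.

```python
import re
from dataclasses import dataclass

# Constructed sample: the first line is the message quoted in the thread,
# the other two are made up in the same format for contrast.
SAMPLE_LOG = """\
18:40:30 unbound: [18949:0] info: validation failure <www.duckduckgo.com. A IN>: DS got unsigned CNAME answer from 45.90.28.26 and 45.90.30.26 for DS duckduckgo.com. while building chain of trust
18:41:02 unbound: [18949:0] info: resolving example.org. A IN
18:41:05 unbound: [18949:0] info: validation failure <signed.example. AAAA IN>: signature expired from 192.0.2.53 for key signed.example. while building chain of trust
"""

FAILURE = re.compile(r"validation failure <(?P<qname>\S+) (?P<qtype>\S+) \S+>: (?P<reason>.+)$")
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
ZONE = re.compile(r"for (?:DS|key) (?P<zone>\S+)")

@dataclass
class Failure:
    qname: str         # name the client asked for
    qtype: str         # record type of the query
    zone: str          # zone whose chain of trust could not be built
    upstreams: tuple   # resolver addresses named in the message
    rewritten: bool    # True when the validator saw an unsigned CNAME

def parse_validation_failures(log_text):
    """Return one Failure per unbound 'validation failure' line."""
    failures = []
    for line in log_text.splitlines():
        m = FAILURE.search(line)
        if not m:
            continue  # not a validation failure, ignore
        zone = ZONE.search(m["reason"])
        failures.append(Failure(
            qname=m["qname"].rstrip("."),
            qtype=m["qtype"],
            zone=zone["zone"].rstrip(".") if zone else "",
            upstreams=tuple(IPV4.findall(m["reason"])),
            rewritten="unsigned CNAME" in m["reason"],
        ))
    return failures

def rewritten_names_by_upstream(failures):
    """Map each upstream IP to the names it answered with an unsigned CNAME."""
    result = {}
    for f in failures:
        if f.rewritten:
            for ip in f.upstreams:
                result.setdefault(ip, set()).add(f.qname)
    return result
```

Names that appear in the result are candidates for a per-domain validation exception rather than a global DNSSEC switch-off; failures with `rewritten` set to False (such as the constructed expired-signature line) have a different cause and stay out of the map.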
