Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

FS#3006 - dnsmasq-full fails to resolve Cloudflare domains if DNSSEC is enabled #7768

Open
openwrt-bot opened this issue Apr 13, 2020 · 2 comments
Labels
core packages pull request/issue for core (in-tree) packages flyspray release/19.07 pull request/issue targeted (also) for OpenWrt 19.07 release

Comments

@openwrt-bot
Copy link

bjoernv:

dnsmasq fails to resolve Cloudflare domains if DNSSEC is enabled.

# ping www.galeria.de ping: bad address 'www.galeria.de'

nslookup www.galeria.de

Server: 127.0.0.1
Address: 127.0.0.1#53

** server can't find www.galeria.de: SERVFAIL
Name: www.galeria.de
www.galeria.de canonical name = www.galeria.de.cdn.cloudflare.net

/etc/config/dhcp

# cat /etc/config/dhcp

config dnsmasq
option domainneeded '1'
option boguspriv '1'
option filterwin2k '0'
option localise_queries '1'
option rebind_protection '1'
option rebind_localhost '1'
option expandhosts '1'
option nonegcache 0
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option resolvfile '/tmp/resolv.conf.auto'
option nonwildcard '1'
option localservice '1'
option domain 'fritz.box'
option local '/box/'
option nonegcache '0'
option dnssec '1'
option dnsseccheckunsigned '1'
option logqueries '1'
option logfacility '/tmp/dnsmasq.log'

config dhcp 'lan'
option interface 'lan'
option limit '150'
option leasetime '12h'
option dhcpv6 'server'
option ra 'server'
option start '2'
option ra_management '1'

config dhcp 'wan'
option interface 'wan'
option ignore '1

This is the generated dnsmasq configuration file

cat /var/etc/dnsmasq.conf.cfg01411c

auto-generated config file from /etc/config/dhcp

conf-file=/etc/dnsmasq.conf
dhcp-authoritative
domain-needed
log-queries=extra
localise-queries
read-ethers
enable-ubus
expand-hosts
bind-dynamic
local-service
log-facility=/tmp/dnsmasq.log
domain=fritz.box
server=/box/
dhcp-leasefile=/tmp/dhcp.leases
resolv-file=/tmp/resolv.conf.auto
stop-dns-rebind
rebind-localhost-ok
conf-file=/usr/share/dnsmasq/trust-anchors.conf
dnssec
dnssec-no-timecheck
dnssec-check-unsigned
dhcp-broadcast=tag:needs-broadcast
addn-hosts=/tmp/hosts
conf-dir=/tmp/dnsmasq.d
user=dnsmasq
group=dnsmasq

dhcp-ignore-names=tag:dhcp_bogus_hostname
conf-file=/usr/share/dnsmasq/dhcpbogushostname.conf

bogus-priv
conf-file=/usr/share/dnsmasq/rfc6761.conf
dhcp-range=set:lan,192.168.222.2,192.168.222.151,255.255.255.0,12h

For additional debugging I also compiled the dnsmasq package from https://github.com/openwrt/openwrt/tree/v19.07.2/package/network/services/dnsmasq on Linux (openSUSE Tumbleweed) and there dnsmasq works without problems.

# cat /etc/os-release | head -n2 NAME="openSUSE Tumbleweed" # VERSION="20200410" # sudo src/dnsmasq --version Dnsmasq version 2.80 Copyright (c) 2000-2018 Simon Kelley Compile time options: IPv6 GNU-getopt DBus no-i18n no-IDN DHCP DHCPv6 no-Lua TFTP conntrack ipset auth DNSSEC loop-detect inotify dumpfile

This software comes with ABSOLUTELY NO WARRANTY.
Dnsmasq is free software, and you are welcome to redistribute it
under the terms of the GNU General Public License, version 2 or 3.

nslookup www.galeria.de

Server: 127.0.0.1
Address: 127.0.0.1#53

Non-authoritative answer:
www.galeria.de canonical name = www.galeria.de.cdn.cloudflare.net.
Name: www.galeria.de.cdn.cloudflare.net
Address: 104.16.230.136
Name: www.galeria.de.cdn.cloudflare.net
Address: 104.16.231.136

I use OpenWrt 19.07.2 r10947-65030d81f3 with dnsmasq-full - 2.80-16 on a Linksys 1900ACS router.

@openwrt-bot
Copy link
Author

bjoernv:

Upgrading to OpenWRT 19.07.3 did not fix the problem.

("fix DNSSEC+NTP chicken-and-egg workaround in dnsmasq" was mentioned in the OpenWRT 19.07.3 release notes.)

@openwrt-bot
Copy link
Author

android-tucnak:

Same issue on OpenWRT 19.07.8.
Workaround: disable DNSSEC and enable it in Stubby, follow https://openwrt.org/docs/guide-user/services/dns/dot_dnsmasq_stubby#dnssec_validation

@aparcar aparcar added release/19.07 pull request/issue targeted (also) for OpenWrt 19.07 release core packages pull request/issue for core (in-tree) packages labels Feb 22, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
core packages pull request/issue for core (in-tree) packages flyspray release/19.07 pull request/issue targeted (also) for OpenWrt 19.07 release
Projects
None yet
Development

No branches or pull requests

2 participants