OpenWrt/LEDE Project

  • Status Unconfirmed
  • Percent Complete
    0%
  • Task Type Bug Report
  • Category Packages
  • Assigned To No-one
  • Operating System All
  • Severity Medium
  • Priority Very Low
  • Reported Version openwrt-19.07
  • Due in Version Undecided
  • Due Date Undecided
  • Private
Attached to Project: OpenWrt/LEDE Project
Opened by Björn Voigt - 13.04.2020

FS#3006 - dnsmasq-full fails to resolve Cloudflare domains if DNSSEC is enabled

dnsmasq fails to resolve Cloudflare domains (the lookup returns SERVFAIL) if DNSSEC validation is enabled.

# ping www.galeria.de
ping: bad address 'www.galeria.de'

# nslookup www.galeria.de
Server:         127.0.0.1
Address:        127.0.0.1#53

** server can't find www.galeria.de: SERVFAIL
Name:      www.galeria.de
www.galeria.de  canonical name = www.galeria.de.cdn.cloudflare.net

/etc/config/dhcp

# cat /etc/config/dhcp

config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option expandhosts '1'
        option nonegcache       0
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'
        option domain 'fritz.box'
        option local '/box/'
        option nonegcache '0'
        option dnssec '1'
        option dnsseccheckunsigned '1'
        option logqueries '1'
        option logfacility '/tmp/dnsmasq.log'

config dhcp 'lan'
        option interface 'lan'
        option limit '150'
        option leasetime '12h'
        option dhcpv6 'server'
        option ra 'server'
        option start '2'
        option ra_management '1'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

This is the generated dnsmasq configuration file

# cat /var/etc/dnsmasq.conf.cfg01411c
# auto-generated config file from /etc/config/dhcp
conf-file=/etc/dnsmasq.conf
dhcp-authoritative
domain-needed
log-queries=extra
localise-queries
read-ethers
enable-ubus
expand-hosts
bind-dynamic
local-service
log-facility=/tmp/dnsmasq.log
domain=fritz.box
server=/box/
dhcp-leasefile=/tmp/dhcp.leases
resolv-file=/tmp/resolv.conf.auto
stop-dns-rebind
rebind-localhost-ok
conf-file=/usr/share/dnsmasq/trust-anchors.conf
dnssec
dnssec-no-timecheck
dnssec-check-unsigned
dhcp-broadcast=tag:needs-broadcast
addn-hosts=/tmp/hosts
conf-dir=/tmp/dnsmasq.d
user=dnsmasq
group=dnsmasq

dhcp-ignore-names=tag:dhcp_bogus_hostname
conf-file=/usr/share/dnsmasq/dhcpbogushostname.conf

bogus-priv
conf-file=/usr/share/dnsmasq/rfc6761.conf
dhcp-range=set:lan,192.168.222.2,192.168.222.151,255.255.255.0,12h

For additional debugging, I also compiled the dnsmasq package from https://github.com/openwrt/openwrt/tree/v19.07.2/package/network/services/dnsmasq on Linux (openSUSE Tumbleweed); there, dnsmasq works without problems.

# cat /etc/os-release | head -n2
NAME="openSUSE Tumbleweed"
# VERSION="20200410"
# sudo src/dnsmasq --version
Dnsmasq version 2.80  Copyright (c) 2000-2018 Simon Kelley
Compile time options: IPv6 GNU-getopt DBus no-i18n no-IDN DHCP DHCPv6 no-Lua TFTP conntrack ipset auth DNSSEC loop-detect inotify dumpfile

This software comes with ABSOLUTELY NO WARRANTY.
Dnsmasq is free software, and you are welcome to redistribute it
under the terms of the GNU General Public License, version 2 or 3.

# nslookup www.galeria.de
Server:         127.0.0.1
Address:        127.0.0.1#53

Non-authoritative answer:
www.galeria.de  canonical name = www.galeria.de.cdn.cloudflare.net.
Name:   www.galeria.de.cdn.cloudflare.net
Address: 104.16.230.136
Name:   www.galeria.de.cdn.cloudflare.net
Address: 104.16.231.136

I use OpenWrt 19.07.2 r10947-65030d81f3 with dnsmasq-full 2.80-16 on a Linksys 1900ACS router.
