FS#3006 - dnsmasq-full fails to resolve Cloudflare domains if DNSSEC is enabled #7768
bjoernv:
dnsmasq fails to resolve Cloudflare domains if DNSSEC is enabled.
```
# ping www.galeria.de
ping: bad address 'www.galeria.de'
nslookup www.galeria.de
Server: 127.0.0.1
Address: 127.0.0.1#53
** server can't find www.galeria.de: SERVFAIL
Name: www.galeria.de
www.galeria.de canonical name = www.galeria.de.cdn.cloudflare.net
```
/etc/config/dhcp
```
# cat /etc/config/dhcp
config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option expandhosts '1'
	option nonegcache 0
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'
	option domain 'fritz.box'
	option local '/box/'
	option nonegcache '0'
	option dnssec '1'
	option dnsseccheckunsigned '1'
	option logqueries '1'
	option logfacility '/tmp/dnsmasq.log'

config dhcp 'lan'
	option interface 'lan'
	option limit '150'
	option leasetime '12h'
	option dhcpv6 'server'
	option ra 'server'
	option start '2'
	option ra_management '1'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'
```
This is the generated dnsmasq configuration file:

```
cat /var/etc/dnsmasq.conf.cfg01411c
# auto-generated config file from /etc/config/dhcp
conf-file=/etc/dnsmasq.conf
dhcp-authoritative
domain-needed
log-queries=extra
localise-queries
read-ethers
enable-ubus
expand-hosts
bind-dynamic
local-service
log-facility=/tmp/dnsmasq.log
domain=fritz.box
server=/box/
dhcp-leasefile=/tmp/dhcp.leases
resolv-file=/tmp/resolv.conf.auto
stop-dns-rebind
rebind-localhost-ok
conf-file=/usr/share/dnsmasq/trust-anchors.conf
dnssec
dnssec-no-timecheck
dnssec-check-unsigned
dhcp-broadcast=tag:needs-broadcast
addn-hosts=/tmp/hosts
conf-dir=/tmp/dnsmasq.d
user=dnsmasq
group=dnsmasq
dhcp-ignore-names=tag:dhcp_bogus_hostname
conf-file=/usr/share/dnsmasq/dhcpbogushostname.conf
bogus-priv
conf-file=/usr/share/dnsmasq/rfc6761.conf
dhcp-range=set:lan,192.168.222.2,192.168.222.151,255.255.255.0,12h
```
For additional debugging I also compiled the dnsmasq package from https://github.com/openwrt/openwrt/tree/v19.07.2/package/network/services/dnsmasq on Linux (openSUSE Tumbleweed) and there dnsmasq works without problems.
```
# cat /etc/os-release | head -n2
NAME="openSUSE Tumbleweed"
# VERSION="20200410"
# sudo src/dnsmasq --version
Dnsmasq version 2.80 Copyright (c) 2000-2018 Simon Kelley
Compile time options: IPv6 GNU-getopt DBus no-i18n no-IDN DHCP DHCPv6 no-Lua TFTP conntrack ipset auth DNSSEC loop-detect inotify dumpfile

This software comes with ABSOLUTELY NO WARRANTY.
Dnsmasq is free software, and you are welcome to redistribute it
under the terms of the GNU General Public License, version 2 or 3.
nslookup www.galeria.de
Server: 127.0.0.1
Address: 127.0.0.1#53
Non-authoritative answer:
www.galeria.de canonical name = www.galeria.de.cdn.cloudflare.net.
Name: www.galeria.de.cdn.cloudflare.net
Address: 104.16.230.136
Name: www.galeria.de.cdn.cloudflare.net
Address: 104.16.231.136
```
I use OpenWrt 19.07.2 r10947-65030d81f3 with dnsmasq-full - 2.80-16 on a Linksys 1900ACS router.