
Router responds REFUSED for specific DNS via DoT


Question

Posted

Hello, I have a problem with DNS over TLS that I can't debug.

If I'm using 9.9.9.11 server from Quad9, I receive this output from dig, on Mac and on Linux:

└─$ dig cnn.com

; <<>> DiG 9.16.13-Debian <<>> cnn.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 37374
;; flags: qr ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 12882241105594ad (echoed)
;; QUESTION SECTION:
;cnn.com.                       IN      A

;; Query time: 1040 msec
;; SERVER: 10.88.0.2#53(10.88.0.2)
;; WHEN: gio apr 22 11:46:21 CEST 2021
;; MSG SIZE  rcvd: 48

host and nslookup work fine. Operating systems can resolve names (web browsers work), at least I tried a Mac and Linux with a regular /etc/resolv.conf. However, a Linux server with systemd-resolved can't resolve names when the upstream on the router is 9.9.9.11.

If I change to 9.9.9.9 everything works fine.

DoH works fine even for 9.9.9.11.

I tried a packet capture and it seems that queries don't go to the internet, it's the router that responds REFUSED to the local clients.

Truncated output from "show dns-proxy":

...

proxy-tls: 
               server-tls: 
                      address: 9.9.9.11
                         port: 
                          sni: dns11.quad9.net
                         spki: 
                    interface: 

               server-tls: 
                      address: 149.112.112.11
                         port: 
                          sni: dns11.quad9.net
                         spki: 
                    interface: 

...

Is this a bug? Why is it not working properly for just these two servers? I'd like to use these and not the regular Quad9 because they have EDNS Client Subnet.

  • Need more info 1

8 answers to this question

Recommended Posts

  • 0
Posted
1 hour ago, Le ecureuil said:

Can you please capture dns requests on Home interface via 'monitor' component on page 'Diagnostics'? Use filter "udp port 53".

I'm attaching the capture file, as you can see the queries for google.com, facebook.com and twitter.com made with dig received REFUSED as a response. I have to point out that 10.88.0.1 is the Keenetic's private IP address.

capture-Bridge0-May 2 22-59-25.pcapng

  • 0
Posted

Hello, I'd like to add new information regarding this issue.

9.9.9.11 is a DNS server with EDNS Client Subnet. This feature might be the one causing problems. In fact, if I try a query with

dig google.com +noedns

I get a successful answer:

; <<>> DiG 9.11.5-P4-5.1+deb10u5-Debian <<>> google.com +noedns
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23119
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;google.com.                    IN      A

;; ANSWER SECTION:
google.com.             211     IN      A       142.250.180.142

;; Query time: 197 msec
;; SERVER: 10.88.0.1#53(10.88.0.1)
;; WHEN: dom giu 06 11:34:05 CEST 2021
;; MSG SIZE  rcvd: 55

Maybe the DNS proxy has problems forwarding EDNS Client Subnet information?
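
The same comparison can be made on the wire without dig. This is an added Python example, not code from the thread or from Keenetic: it builds the A query with and without an EDNS OPT record (and a DNS cookie, the option dig echoed above), reads the RCODE and any echoed cookie back out of the reply, and probe() sends the three variants to a resolver address you supply; the query id and cookie value are constructed.

```python
import socket
import struct
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}
OPT_COOKIE = 10  # EDNS option code for DNS Cookies (RFC 7873), the option dig echoed above

def encode_name(name):  # "cnn.com" -> b"\x03cnn\x03com\x00"
    return b"".join(bytes([len(lab)]) + lab.encode() for lab in name.rstrip(".").split(".")) + b"\x00"

def build_query(name, qid, edns=True, cookie=None, udp_size=4096):
    pkt = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1 if edns else 0)  # RD set; ARCOUNT=1 if OPT
    pkt += encode_name(name) + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN
    if edns:  # edns=False is the wire equivalent of `dig +noedns`
        rdata = b"" if cookie is None else struct.pack("!HH", OPT_COOKIE, len(cookie)) + cookie
        pkt += b"\x00" + struct.pack("!HHIH", 41, udp_size, 0, len(rdata)) + rdata  # OPT RR, TYPE 41
    return pkt

def skip_name(data, off):
    while data[off] != 0:
        if data[off] & 0xC0 == 0xC0:  # compression pointer terminates the name
            return off + 2
        off += 1 + data[off]
    return off + 1

def parse_response(data):  # header fields plus whether an OPT RR (and an echoed cookie) came back
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    info = {"id": qid, "rcode": RCODES.get(flags & 0xF, flags & 0xF), "answers": an, "edns": False, "cookie": None}
    off = 12
    for _ in range(qd):
        off = skip_name(data, off) + 4  # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(data, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        rdata, off = data[off + 10:off + 10 + rdlen], off + 10 + rdlen
        if rtype == 41:
            info["edns"], o = True, 0
            while o + 4 <= len(rdata):  # walk the EDNS options
                code, ln = struct.unpack("!HH", rdata[o:o + 4])
                if code == OPT_COOKIE:
                    info["cookie"] = rdata[o + 4:o + 4 + ln]
                o += 4 + ln
    return info

def probe(server, name="cnn.com", timeout=3.0):  # needs network: RCODE for each request shape
    def ask(edns, cookie):
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(build_query(name, 0x1234, edns, cookie), (server, 53))
            return parse_response(s.recvfrom(4096)[0])["rcode"]
    cookie = bytes.fromhex("12882241105594ad")  # constructed client cookie (the value dig showed above)
    return {"noedns": ask(False, None), "edns": ask(True, None), "edns+cookie": ask(True, cookie)}
```

Run `probe("10.88.0.1")` against the router and then against 9.9.9.11 directly: if only the EDNS variants come back REFUSED from the router while the upstream answers all three, the proxy, not Quad9, is refusing them.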

  • 0
Posted
On 06.06.2021 at 12:36, fl4co said:

Hello, I'd like to add new information regarding this issue.

9.9.9.11 is a DNS server with EDNS Client Subnet. This feature might be the one causing problems. In fact, if I try a query with

dig google.com +noedns

I get a successful answer:

; <<>> DiG 9.11.5-P4-5.1+deb10u5-Debian <<>> google.com +noedns
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23119
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;google.com.                    IN      A

;; ANSWER SECTION:
google.com.             211     IN      A       142.250.180.142

;; Query time: 197 msec
;; SERVER: 10.88.0.1#53(10.88.0.1)
;; WHEN: dom giu 06 11:34:05 CEST 2021
;; MSG SIZE  rcvd: 55

Maybe the DNS proxy has problems forwarding EDNS Client Subnet information?

I need to investigate it further.

  • Thanks 1
  • 0
Posted
23 minutes ago, fl4co said:

Were you able to reproduce this?

We are working on replacing the DoT implementation right now, so it's pretty useless until completion. But after that we will come back to this. I hope it will be autofixed.

  • Upvote 1
