
Router responds REFUSED for specific DNS via DoT


fl4co

Question

Hello, I have a problem with DNS over TLS that I can't debug.

If I'm using the 9.9.9.11 server from Quad9, I receive this output from dig, on Mac and on Linux:

└─$ dig cnn.com    

; <<>> DiG 9.16.13-Debian <<>> cnn.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 37374
;; flags: qr ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 12882241105594ad (echoed)
;; QUESTION SECTION:
;cnn.com.                       IN      A

;; Query time: 1040 msec
;; SERVER: 10.88.0.2#53(10.88.0.2)
;; WHEN: gio apr 22 11:46:21 CEST 2021
;; MSG SIZE  rcvd: 48

host and nslookup work fine. Operating systems can resolve names (web browsers work), at least I tried a Mac and Linux with a regular /etc/resolv.conf. However, a Linux server with systemd-resolved can't resolve names when the upstream on the router is 9.9.9.11.

If I change to 9.9.9.9 everything works fine.

DoH works fine even for 9.9.9.11.

I tried a packet capture and it seems that queries don't go to the internet, it's the router that responds REFUSED to the local clients.

Truncated output from "show dns-proxy":

...

proxy-tls: 
               server-tls: 
                      address: 9.9.9.11
                         port: 
                          sni: dns11.quad9.net
                         spki: 
                    interface: 

               server-tls: 
                      address: 149.112.112.11
                         port: 
                          sni: dns11.quad9.net
                         spki: 
                    interface: 

...

Is this a bug? Why is it not working properly for just these two servers? I'd like to use these and not the regular Quad9 because they have EDNS Client Subnet.


Recommended posts

1 hour ago, Le ecureuil said:

Can you please capture dns requests on Home interface via 'monitor' component on page 'Diagnostics'? Use filter "udp port 53".

I'm attaching the capture file, as you can see the queries for google.com, facebook.com and twitter.com made with dig received REFUSED as a response. I have to point out that 10.88.0.1 is the Keenetic's private IP address.

capture-Bridge0-May 2 22-59-25.pcapng


Hello, I'd like to add new information regarding this issue.

9.9.9.11 is a DNS server with EDNS Client Subnet. This feature might be the one causing problems. In fact, if I try a query with

dig google.com +noedns

I get a successful answer:

; <<>> DiG 9.11.5-P4-5.1+deb10u5-Debian <<>> google.com +noedns
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23119
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;google.com.                    IN      A

;; ANSWER SECTION:
google.com.             211     IN      A       142.250.180.142

;; Query time: 197 msec
;; SERVER: 10.88.0.1#53(10.88.0.1)
;; WHEN: dom giu 06 11:34:05 CEST 2021
;; MSG SIZE  rcvd: 55

Maybe the DNS proxy has problems forwarding EDNS Client Subnet information?

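A way to reproduce the comparison in this post outside of dig, as an added example that is not part of the thread and is neither Keenetic's nor fl4co's code: a small Python DNS message builder and parser that issues the same A query with and without an EDNS(0) OPT record (what `+noedns` removes) and reports the RCODE of each reply. The function names (build_query, parse_message, diagnose, query_udp) are my own, and the two embedded byte strings are constructed samples shaped like the two dig outputs above (a REFUSED reply that echoes the client cookie, 48 bytes, and a NOERROR reply with one A record, 55 bytes); they are not the original capture.

```python
# Minimal DNS wire-format builder/parser for the with-EDNS / without-EDNS
# comparison.  All byte strings below are constructed for illustration.
import socket
import struct

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
          4: "NOTIMP", 5: "REFUSED"}
TYPE_A, TYPE_OPT, CLASS_IN, OPTION_COOKIE = 1, 41, 1, 10


def encode_name(name):
    """Wire-format a domain name: length-prefixed labels ending in a zero byte."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii")
                   for l in name.rstrip(".").split("."))
    return out + b"\x00"


def opt_record(udp_size=4096, cookie=b""):
    """EDNS(0) OPT pseudo-RR: root name, type 41, class field = UDP payload size."""
    rdata = struct.pack("!HH", OPTION_COOKIE, len(cookie)) + cookie if cookie else b""
    return b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_size, 0, len(rdata)) + rdata


def build_query(name, qid=0x1234, edns=True):
    """A/IN query with RD set; edns=False omits the OPT RR, like `dig +noedns`."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1 if edns else 0)
    msg = header + encode_name(name) + struct.pack("!HH", TYPE_A, CLASS_IN)
    return msg + opt_record() if edns else msg


def build_response(name, qid, rcode, a_records=(), edns=True, cookie=b"", flags=0x8180):
    """Constructed response used as sample input (default flags: QR, RD, RA)."""
    header = struct.pack("!HHHHHH", qid, flags | rcode, 1, len(a_records), 0,
                         1 if edns else 0)
    msg = header + encode_name(name) + struct.pack("!HH", TYPE_A, CLASS_IN)
    for ip, ttl in a_records:  # 0xc00c = compression pointer to the question name
        rdata = bytes(int(o) for o in ip.split("."))
        msg += b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, CLASS_IN, ttl, 4) + rdata
    return msg + opt_record(cookie=cookie) if edns else msg


def skip_name(msg, off):
    """Advance past a (possibly compressed) name and return the new offset."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # a compression pointer is two bytes long
            return off + 2
        off += 1 + length


def parse_message(msg):
    """Return id, RCODE name, answer count and whether an OPT RR is present."""
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4  # qtype + qclass
    has_opt = False
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        has_opt |= rtype == TYPE_OPT
    return {"id": qid, "rcode": RCODES.get(flags & 0xF, str(flags & 0xF)),
            "answers": an, "has_opt": has_opt}


def diagnose(rcode_with_edns, rcode_without_edns):
    """Verdict for the with-EDNS / without-EDNS pair, as compared in the thread."""
    if rcode_with_edns == "REFUSED" and rcode_without_edns == "NOERROR":
        return "refusal tied to the EDNS OPT record (proxy or upstream EDNS handling)"
    if rcode_with_edns == rcode_without_edns:
        return "EDNS not the deciding factor (both %s)" % rcode_with_edns
    return "mixed result: %s with EDNS, %s without" % (rcode_with_edns, rcode_without_edns)


# Constructed samples shaped like the two dig outputs in the thread: a REFUSED
# reply (flags qr ra) echoing the client cookie, and a NOERROR reply with one A.
REFUSED_SAMPLE = build_response("cnn.com", 37374, 5, flags=0x8080,
                                cookie=bytes.fromhex("12882241105594ad"))
NOERROR_SAMPLE = build_response("google.com", 23119, 0,
                                a_records=[("142.250.180.142", 211)])


def query_udp(server, name, edns=True, timeout=3.0):
    """Send one query to server:53 over UDP and parse the reply (live use only)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, edns=edns), (server, 53))
        return parse_message(s.recv(4096))


if __name__ == "__main__":
    for sample in (REFUSED_SAMPLE, NOERROR_SAMPLE):
        print(len(sample), parse_message(sample))
    print(diagnose(parse_message(REFUSED_SAMPLE)["rcode"],
                   parse_message(NOERROR_SAMPLE)["rcode"]))
    # Live check against the router address from the thread (uncomment to use):
    # print(diagnose(query_udp("10.88.0.1", "cnn.com")["rcode"],
    #                query_udp("10.88.0.1", "cnn.com", edns=False)["rcode"]))
```

Run against the router with query_udp, the pair of results is the same with/without comparison the `+noedns` test produced: a REFUSED/NOERROR split means the presence of the OPT record, not the name being queried, decides the outcome, which is the signal this post describes.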

On 06.06.2021 at 12:36, fl4co said:

Hello, I'd like to add new information regarding this issue.

9.9.9.11 is a DNS server with EDNS Client Subnet. This feature might be the one causing problems. In fact, if I try a query with

dig google.com +noedns

I get a successful answer:

; <<>> DiG 9.11.5-P4-5.1+deb10u5-Debian <<>> google.com +noedns
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23119
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;google.com.                    IN      A

;; ANSWER SECTION:
google.com.             211     IN      A       142.250.180.142

;; Query time: 197 msec
;; SERVER: 10.88.0.1#53(10.88.0.1)
;; WHEN: dom giu 06 11:34:05 CEST 2021
;; MSG SIZE  rcvd: 55

Maybe the DNS proxy has problems forwarding EDNS Client Subnet information?

I need to investigate it further.

23 minutes ago, fl4co said:

Were you able to reproduce this?

We are working on replacing the DoT implementation right now, so it is pretty useless until completion. But after that we will get back to this. I hope it will be fixed automatically.
