DNS lookup failing
Renaud Allard
renaud at allard.it
Wed Mar 20 11:02:50 UTC 2024
On 3/20/24 11:36 AM, Nick Howitt via Unbound-users wrote:
> I am having a problem with a particular DNS lookup and I am not even
> sure how to formulate the question, so please bear with me.
>
> My setup is Internet – IPFire with Unbound 1.19.0 – ClearOS7. ClearOS
> runs a system called Gateway Management which is a branding of
> AdamNetworks’ Adam:one, a DNS filtering tool.
>
> IPFire is currently running as a recursive resolver but the same problem
> exists when running as a Caching DNS server. All other boxes are empty
> on the DNS setup screen in IPFire. SSL and TLS are not being used. I
> should be able to dig out the configs, if needed.
>
> With Gateway Management running, in ClearOS I can resolve 1024 and 2048
> bit domainkeys (1024._domainkey.howitts.co.uk and
> 2048_domainkey.howitts.co.uk) with nslookup. I can resolve 4096 bit
> domainkeys using the dig command "dig txt
> 202403._domainkey.howitts.co.uk" but with nslookup I get:
>
> [root at server ~]# nslookup -q=txt 202403._domainkey.howitts.co.uk
> Server: 127.0.0.1
> Address: 127.0.0.1#53
>
> Non-authoritative answer:
> *** Can't find 202403._domainkey.howitts.co.uk: No answer
>
> Authoritative answers can be found from:
> howitts.co.uk
> origin = achiel.ns.cloudflare.com
> mail addr = dns.cloudflare.com
> serial = 2336336559
> refresh = 10000
> retry = 2400
> expire = 604800
> minimum = 1800
>
> Without Gateway Management on ClearOS 7, it all works. This may lead you
> to think it is Gateway Management but if I change ClearOS’s upstream
> resolver from IPFire/Unbound to Cloudflare, all lookups work. This leads
> me to believe Unbound is doing an invalid lookup or giving an invalid
> response to a particular query formatted by Gateway Management.
>
> I have pcap files of the working and non-working lookups between ClearOS
> and IPFire but I don’t know how to interpret them.
>
> Can anyone please help me?

I get the exact same answer from Unbound and Cloudflare. Note that there
is no authoritative answer. You might also have something like
systemd-resolved in the way. Systemd-resolved is known to give bogus
answers in certain cases, so you might want to disable it while testing.

isildur$ nslookup -q=txt 202403._domainkey.howitts.co.uk
Server: 127.0.0.1
Address: 127.0.0.1#53
Non-authoritative answer:
202403._domainkey.howitts.co.uk text = "v=DKIM1;
p=MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAzvkHMnL2cPPUzm6gXBIsaiRMAj7wpajI1cQ3VPsIzIYfBTYgU7xX50tDZnTT4SiE/2+z87gMFSRcFiM9gaejAgV+YFse2AEId2t0+xYXuNwG35dqS6WWlwZY3Rr5IIebcPSeXouuYR3nCdzgK/FCT8Y2vvKTkIDXYsJMQJulxdDAewb9/V7pNZ7J8wky6RRIKnbAEdqO"
"zJ9nDEe6wUGXhrMxB2ZjM6sQLJzAgz7VE0Z52eBk/TZgdzJwLxHzeclsWVES3Mw0tdDoUKT2QLd0SB9MsOwFcR6ph/h9VERhMAtjAmUG5YlQQ1bC8nznAwHdY2IP3RUdFZOYcUlv5yPzrRvBAjfi/CmR2zHVQs7gA7b67DaMy67dURWHDhMwqXgWVNrZ4iTInWr1vLEPoNBjppn1GOkXrb+FdNoWnFM5laAEmcFK2Sie5wpzCItFjWs3f3IQZxB"
"lzJHIpkvR2ZTMJ5g3DWUU3ZK1rW1kNvGLjZkox7EZH3lFfkyS6lPnfIX5XS5YYeP0RmSAWNaKinCdQq8m8SdjWDIsRJ1aohq/Qx/O1sfQMDdrwetOn6KJqOFg7dcFtvKlRrHQYyujH3dapJ10Err/xAv3iyh9B7x8C6N+qjTMjRoIfPTyLeFnAtUrFQigpj70mbZPaw9AKglDafXvnXJwn8r5/Oq3mjVKKWkCAwEAAQ=="
Authoritative answers can be found from:

isildur$ nslookup -q=txt 202403._domainkey.howitts.co.uk 1.1.1.1
;; Truncated, retrying in TCP mode.
Server: 1.1.1.1
Address: 1.1.1.1#53
Non-authoritative answer:
202403._domainkey.howitts.co.uk text = "v=DKIM1;
p=MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAzvkHMnL2cPPUzm6gXBIsaiRMAj7wpajI1cQ3VPsIzIYfBTYgU7xX50tDZnTT4SiE/2+z87gMFSRcFiM9gaejAgV+YFse2AEId2t0+xYXuNwG35dqS6WWlwZY3Rr5IIebcPSeXouuYR3nCdzgK/FCT8Y2vvKTkIDXYsJMQJulxdDAewb9/V7pNZ7J8wky6RRIKnbAEdqO"
"zJ9nDEe6wUGXhrMxB2ZjM6sQLJzAgz7VE0Z52eBk/TZgdzJwLxHzeclsWVES3Mw0tdDoUKT2QLd0SB9MsOwFcR6ph/h9VERhMAtjAmUG5YlQQ1bC8nznAwHdY2IP3RUdFZOYcUlv5yPzrRvBAjfi/CmR2zHVQs7gA7b67DaMy67dURWHDhMwqXgWVNrZ4iTInWr1vLEPoNBjppn1GOkXrb+FdNoWnFM5laAEmcFK2Sie5wpzCItFjWs3f3IQZxB"
"lzJHIpkvR2ZTMJ5g3DWUU3ZK1rW1kNvGLjZkox7EZH3lFfkyS6lPnfIX5XS5YYeP0RmSAWNaKinCdQq8m8SdjWDIsRJ1aohq/Qx/O1sfQMDdrwetOn6KJqOFg7dcFtvKlRrHQYyujH3dapJ10Err/xAv3iyh9B7x8C6N+qjTMjRoIfPTyLeFnAtUrFQigpj70mbZPaw9AKglDafXvnXJwn8r5/Oq3mjVKKWkCAwEAAQ=="
Authoritative answers can be found from:
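
Added example, not part of the thread: the ";; Truncated, retrying in TCP mode." line in the 1.1.1.1 output above is what a client prints when a UDP response does not fit. This sketch estimates the DNS wire size of a DKIM TXT response for the three key sizes mentioned in the question, using constructed zero-filled placeholder keys of matching length; the function names and the 1232-byte EDNS buffer value are assumptions.

```python
import base64

CLASSIC_UDP_LIMIT = 512   # RFC 1035 limit when the client sends no EDNS OPT record
EDNS_BUFSIZE = 1232       # assumed: a commonly advertised EDNS buffer size

# DER length of an RSA SubjectPublicKeyInfo with e=65537, per modulus size
SPKI_DER_LEN = {1024: 162, 2048: 294, 4096: 550}

def encode_name(name):
    """Uncompressed DNS wire form: length-prefixed labels plus the root byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def txt_rdata(text):
    """TXT RDATA: the text split into character-strings of at most 255 bytes."""
    data = text.encode("ascii")
    chunks = [data[i:i + 255] for i in range(0, len(data), 255)]
    return b"".join(bytes([len(c)]) + c for c in chunks)

def dkim_text(rsa_bits):
    """Constructed placeholder record with the same length as a real key."""
    key = base64.b64encode(bytes(SPKI_DER_LEN[rsa_bits])).decode()
    return "v=DKIM1; p=" + key

def response_size(qname, text):
    """Header + question + one answer RR (owner name as a 2-byte pointer).
    An OPT record in the reply, if any, would add a few more bytes."""
    header = 12
    question = len(encode_name(qname)) + 4            # QTYPE + QCLASS
    answer = 2 + 10 + len(txt_rdata(text))            # ptr, type/class/ttl/rdlen
    return header + question + answer

def transport(size, bufsize=CLASSIC_UDP_LIMIT):
    """'udp' if the reply fits, else 'tc-then-tcp' (TC bit set, client retries)."""
    return "udp" if size <= bufsize else "tc-then-tcp"

if __name__ == "__main__":
    for bits, selector in ((1024, "1024"), (2048, "2048"), (4096, "202403")):
        qname = selector + "._domainkey.howitts.co.uk"
        size = response_size(qname, dkim_text(bits))
        print(bits, size, transport(size), transport(size, EDNS_BUFSIZE))
```

Any hop that drops the truncated reply, or does not follow up over TCP, turns the 4096-bit case into an empty answer while the smaller keys keep working over plain UDP.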