DNS lookup failing

Nick Howitt nick at howitts.co.uk
Wed Mar 20 12:26:35 UTC 2024 


On 20/03/2024 11:02, Renaud Allard via Unbound-users wrote:
> 
> 
> On 3/20/24 11:36 AM, Nick Howitt via Unbound-users wrote:
>> I am having a problem with a particular DNS lookup and I am not even 
>> sure how to formulate the question, so please bear with me.
>>
>> My setup is Internet – IPFire with Unbound 1.19.0 – ClearOS7. ClearOS 
>> runs a system called Gateway Management which is a branding of 
>> AdamNetworks’ Adam:one, a DNS filtering tool.
>>
>> IPFire is currently running as a recursive resolver but the same 
>> problem exists when running as a Caching DNS server. All other boxes 
>> are empty on the DNS setup screen in IPFire. SSL and TLS are not being 
>> used. I should be able to dig out the configs, if needed.
>>
>> With Gateway Management running, in ClearOS I can resolve 1024 and 
>> 2048 bit domainkeys (1024._domainkey.howitts.co.uk and 
>> 2048_domainkey.howitts.co.uk) with nslookup. I can resolve 4096 bit 
>> domainkeys using the dig command "dig txt 
>> 202403._domainkey.howitts.co.uk" but with nslookup I get:
>>
>>     [root at server ~]# nslookup -q=txt 202403._domainkey.howitts.co.uk
>>     Server:         127.0.0.1
>>     Address:        127.0.0.1#53
>>
>>     Non-authoritative answer:
>>     *** Can't find 202403._domainkey.howitts.co.uk: No answer
>>
>>     Authoritative answers can be found from:
>>     howitts.co.uk
>>              origin = achiel.ns.cloudflare.com
>>              mail addr = dns.cloudflare.com
>>              serial = 2336336559
>>              refresh = 10000
>>              retry = 2400
>>              expire = 604800
>>              minimum = 1800
>>
>> Without Gateway Management on ClearOS 7, it all works. This may lead 
>> you to thinking it is Gateway Management but if I change ClearOS’s 
>> upstream resolver from IPFire/Unbound to Cloudflare, all lookups work. 
>> This leads me to believe Unbound is doing an invalid lookup or giving 
>> an invalid response to a particular query formatted by Gateway 
>> Managament.
>>
>> I have pcap files of the working and non-working lookups between 
>> ClearOS and IPFire but I don’t know how to interpret them.
>>
>> Can anyone please help me?
> 
> I get the exact same answer from unbound and cloudflare. Note that there 
> is no authoritative answer. You might also have something like 
> systemd-resolved in the way. Systemd-resolved is known to give bogus 
> answers in certain cases, so you might want to disable it while testing.
> 
> isildur$ nslookup -q=txt 202403._domainkey.howitts.co.uk
> Server:         127.0.0.1
> Address:        127.0.0.1#53
> 
> Non-authoritative answer:
> 202403._domainkey.howitts.co.uk text = "v=DKIM1; 
> p=MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAzvkHMnL2cPPUzm6gXBIsaiRMAj7wpajI1cQ3VPsIzIYfBTYgU7xX50tDZnTT4SiE/2+z87gMFSRcFiM9gaejAgV+YFse2AEId2t0+xYXuNwG35dqS6WWlwZY3Rr5IIebcPSeXouuYR3nCdzgK/FCT8Y2vvKTkIDXYsJMQJulxdDAewb9/V7pNZ7J8wky6RRIKnbAEdqO" "zJ9nDEe6wUGXhrMxB2ZjM6sQLJzAgz7VE0Z52eBk/TZgdzJwLxHzeclsWVES3Mw0tdDoUKT2QLd0SB9MsOwFcR6ph/h9VERhMAtjAmUG5YlQQ1bC8nznAwHdY2IP3RUdFZOYcUlv5yPzrRvBAjfi/CmR2zHVQs7gA7b67DaMy67dURWHDhMwqXgWVNrZ4iTInWr1vLEPoNBjppn1GOkXrb+FdNoWnFM5laAEmcFK2Sie5wpzCItFjWs3f3IQZxB" "lzJHIpkvR2ZTMJ5g3DWUU3ZK1rW1kNvGLjZkox7EZH3lFfkyS6lPnfIX5XS5YYeP0RmSAWNaKinCdQq8m8SdjWDIsRJ1aohq/Qx/O1sfQMDdrwetOn6KJqOFg7dcFtvKlRrHQYyujH3dapJ10Err/xAv3iyh9B7x8C6N+qjTMjRoIfPTyLeFnAtUrFQigpj70mbZPaw9AKglDafXvnXJwn8r5/Oq3mjVKKWkCAwEAAQ=="
> 
> Authoritative answers can be found from:
> 
> isildur$ nslookup -q=txt 202403._domainkey.howitts.co.uk 1.1.1.1
> ;; Truncated, retrying in TCP mode.
> Server:         1.1.1.1
> Address:        1.1.1.1#53
> 
> Non-authoritative answer:
> 202403._domainkey.howitts.co.uk text = "v=DKIM1; 
> p=MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAzvkHMnL2cPPUzm6gXBIsaiRMAj7wpajI1cQ3VPsIzIYfBTYgU7xX50tDZnTT4SiE/2+z87gMFSRcFiM9gaejAgV+YFse2AEId2t0+xYXuNwG35dqS6WWlwZY3Rr5IIebcPSeXouuYR3nCdzgK/FCT8Y2vvKTkIDXYsJMQJulxdDAewb9/V7pNZ7J8wky6RRIKnbAEdqO" "zJ9nDEe6wUGXhrMxB2ZjM6sQLJzAgz7VE0Z52eBk/TZgdzJwLxHzeclsWVES3Mw0tdDoUKT2QLd0SB9MsOwFcR6ph/h9VERhMAtjAmUG5YlQQ1bC8nznAwHdY2IP3RUdFZOYcUlv5yPzrRvBAjfi/CmR2zHVQs7gA7b67DaMy67dURWHDhMwqXgWVNrZ4iTInWr1vLEPoNBjppn1GOkXrb+FdNoWnFM5laAEmcFK2Sie5wpzCItFjWs3f3IQZxB" "lzJHIpkvR2ZTMJ5g3DWUU3ZK1rW1kNvGLjZkox7EZH3lFfkyS6lPnfIX5XS5YYeP0RmSAWNaKinCdQq8m8SdjWDIsRJ1aohq/Qx/O1sfQMDdrwetOn6KJqOFg7dcFtvKlRrHQYyujH3dapJ10Err/xAv3iyh9B7x8C6N+qjTMjRoIfPTyLeFnAtUrFQigpj70mbZPaw9AKglDafXvnXJwn8r5/Oq3mjVKKWkCAwEAAQ=="
> 
> Authoritative answers can be found from:
> 
> 
> 
IPFire doesn't use systemd. It is still using init.d (SysVInit?). I 
suspect an unbound config where the supplied configs are missing someting.

More information about the Unbound-users mailing list