[Dnsmasq-discuss] Dnsmasq responses broken for Linux and Mac clients, but working on Windows and Android clients

Timo Sigurdsson

2016-10-19 23:47:19 UTC

Hi again,

I have more details to add to my question - the issue just occured
again and I was able to capture a failed DNS query on the router. Full
details below the cited original message...

Post by Timo Sigurdsson
Hi,
I have a weird issue with Dnsmasq which I think is related to DNSSEC, but I
don't exactly understand why or what is happening and how to fix it.
I'm currently running Dnsmasq 2.76 on my router powered by a fairly recent
build of LEDE (r1792, Kernel 4.4.23). DNSSEC validation and
DNSSEC-check-unsigned are both turned on.
Sometimes, the Linux and Mac clients in my network cannot resolve random domain
names. But at the same time, resolution of the exact same names works on
Windows clients as well as my Android devices - and even on the router itself.
When I restart Dnsmasq everything works again.
For example, just now, my Debian machine could not resolve the domain
;; Truncated, retrying in TCP mode.
Server: 192.168.123.1
Address: 192.168.123.1#53
** server can't find security.debian.org: SERVFAIL

<snip>

So, the query for security.debian.org happened to fail again.
Apparently Dnsmasq declares ABANDONS the DNSSEC validation. I also
think that my initial assesment that my Windows clients are still able
to resolve the name was wrong. Because now a quick test on a Windows
machine shows the same error for the same domain - probably the results
during my previous tests were still cached on the machine itself.
Anyway, so here is the log of the caputerd DNS query (timestamps
removed for better readability - but it all happens within 5 seconds):

dnsmasq[9650]: 23525 192.168.123.75/52394 query[A] security.debian.org from 192.168.123.75
dnsmasq[9650]: 23525 192.168.123.75/52394 forwarded security.debian.org to 2001:4860:4860::8844
dnsmasq[9650]: 23525 192.168.123.75/52394 forwarded security.debian.org to 8.8.8.8
dnsmasq[9650]: 23526 192.168.123.75/52394 query[AAAA] security.debian.org from 192.168.123.75
dnsmasq[9650]: 23526 192.168.123.75/52394 forwarded security.debian.org to 2001:4860:4860::8844
dnsmasq[9650]: 23527 192.168.123.75/52395 query[A] ftp.de.debian.org from 192.168.123.75
dnsmasq[9650]: 23527 192.168.123.75/52395 forwarded ftp.de.debian.org to 2001:4860:4860::8844
dnsmasq[9650]: 23528 192.168.123.75/52395 query[AAAA] ftp.de.debian.org from 192.168.123.75
dnsmasq[9650]: 23528 192.168.123.75/52395 forwarded ftp.de.debian.org to 2001:4860:4860::8844
dnsmasq[9650]: * 192.168.123.75/52394 dnssec-query[DS] debian.org to 2001:4860:4860::8844
dnsmasq[9650]: * 192.168.123.75/52395 dnssec-query[DS] debian.org to 2001:4860:4860::8844
dnsmasq[9650]: * 192.168.123.75/52394 dnssec-query[DS] debian.org to 2001:4860:4860::8844
dnsmasq[9650]: * 192.168.123.75/52395 dnssec-query[DS] debian.org to 2001:4860:4860::8844
dnsmasq[9650]: * 192.168.123.75/52394 dnssec-query[DNSKEY] org to 2001:4860:4860::8844
dnsmasq[9650]: * 192.168.123.75/52395 dnssec-query[DNSKEY] org to 2001:4860:4860::8844
dnsmasq[9650]: * 192.168.123.75/52394 dnssec-query[DNSKEY] org to 2001:4860:4860::8844
dnsmasq[9650]: * 192.168.123.75/52395 dnssec-query[DNSKEY] org to 2001:4860:4860::8844
dnsmasq[9650]: 23525 192.168.123.75/52394 reply security.debian.org is 212.211.132.32
dnsmasq[9650]: 23525 192.168.123.75/52394 reply security.debian.org is 195.20.242.89
dnsmasq[9650]: 23525 192.168.123.75/52394 reply security.debian.org is 212.211.132.250
dnsmasq[13030]: 23529 192.168.123.75/57452 query[A] security.debian.org from 192.168.123.75
dnsmasq[9650]: 23528 192.168.123.75/52395 reply ftp.de.debian.org is NODATA-IPv6
dnsmasq[9650]: 23527 192.168.123.75/52395 reply ftp.de.debian.org is 141.76.2.4
dnsmasq[9650]: 23526 192.168.123.75/52394 reply security.debian.org is 2001:a78:5::216:35ff:fe7f:be4f
dnsmasq[9650]: 23526 192.168.123.75/52394 reply security.debian.org is 2001:a78:5:1:216:35ff:fe7f:6ceb
dnsmasq[13031]: 23629 192.168.123.75/57453 query[A] ftp.de.debian.org from 192.168.123.75
dnsmasq[13030]: 23529 192.168.123.75/57452 forwarded security.debian.org to 2001:4860:4860::8844
dnsmasq[13030]: * 192.168.123.75/57452 dnssec-query[DS] debian.org to 2001:4860:4860::8844
dnsmasq[13031]: 23629 192.168.123.75/57453 forwarded ftp.de.debian.org to 2001:4860:4860::8844
dnsmasq[13031]: * 192.168.123.75/57453 dnssec-query[DS] debian.org to 2001:4860:4860::8844
dnsmasq[13030]: * 192.168.123.75/57452 dnssec-query[DNSKEY] org to 2001:4860:4860::8844
dnsmasq[13031]: * 192.168.123.75/57453 dnssec-query[DNSKEY] org to 2001:4860:4860::8844
dnsmasq[13030]: * 192.168.123.75/57452 reply org is DNSKEY keytag 17883, algo 7
dnsmasq[13030]: * 192.168.123.75/57452 reply org is DNSKEY keytag 48497, algo 7
dnsmasq[13030]: * 192.168.123.75/57452 reply org is DNSKEY keytag 9795, algo 7
dnsmasq[13030]: * 192.168.123.75/57452 reply org is DNSKEY keytag 64353, algo 7
dnsmasq[13030]: * 192.168.123.75/57452 reply debian.org is DS keytag 62260, algo 8, digest 2
dnsmasq[13030]: * 192.168.123.75/57452 dnssec-query[DS] security.debian.org to 2001:4860:4860::8844
dnsmasq[13031]: * 192.168.123.75/57453 reply org is DNSKEY keytag 48497, algo 7
dnsmasq[13031]: * 192.168.123.75/57453 reply org is DNSKEY keytag 17883, algo 7
dnsmasq[13031]: * 192.168.123.75/57453 reply org is DNSKEY keytag 9795, algo 7
dnsmasq[13031]: * 192.168.123.75/57453 reply org is DNSKEY keytag 64353, algo 7
dnsmasq[13031]: * 192.168.123.75/57453 reply debian.org is DS keytag 62260, algo 8, digest 2
dnsmasq[13031]: * 192.168.123.75/57453 dnssec-query[DNSKEY] debian.org to 2001:4860:4860::8844
dnsmasq[13030]: * 192.168.123.75/57452 dnssec-query[DNSKEY] debian.org to 2001:4860:4860::8844
dnsmasq[13031]: * 192.168.123.75/57453 reply debian.org is DNSKEY keytag 22800, algo 8
dnsmasq[13031]: * 192.168.123.75/57453 reply debian.org is DNSKEY keytag 62260, algo 8
dnsmasq[13031]: * 192.168.123.75/57453 reply debian.org is DNSKEY keytag 7866, algo 8
dnsmasq[13031]: 23629 192.168.123.75/57453 validation result is SECURE
dnsmasq[13031]: 23629 192.168.123.75/57453 reply ftp.de.debian.org is 141.76.2.4
dnsmasq[13031]: 23630 192.168.123.75/57453 query[AAAA] ftp.de.debian.org from 192.168.123.75
dnsmasq[13030]: 23529 192.168.123.75/57452 validation security.debian.org is ABANDONED
dnsmasq[13030]: 23529 192.168.123.75/57452 reply security.debian.org is 195.20.242.89
dnsmasq[13030]: 23529 192.168.123.75/57452 reply security.debian.org is 212.211.132.32
dnsmasq[13030]: 23529 192.168.123.75/57452 reply security.debian.org is 212.211.132.250
dnsmasq[13030]: 23530 192.168.123.75/57452 query[AAAA] security.debian.org from 192.168.123.75
dnsmasq[13030]: 23530 192.168.123.75/57452 forwarded security.debian.org to 8.8.8.8
dnsmasq[13030]: * 192.168.123.75/57452 dnssec-query[DS] security.debian.org to 8.8.8.8
dnsmasq[13031]: 23630 192.168.123.75/57453 forwarded ftp.de.debian.org to 8.8.8.8
dnsmasq[13031]: 23630 192.168.123.75/57453 validation result is SECURE
dnsmasq[13031]: 23630 192.168.123.75/57453 reply ftp.de.debian.org is NODATA-IPv6
dnsmasq[13030]: * 192.168.123.75/57452 dnssec-query[DNSKEY] debian.org to 8.8.8.8
dnsmasq[13030]: 23530 192.168.123.75/57452 validation security.debian.org is ABANDONED
dnsmasq[13030]: 23530 192.168.123.75/57452 reply security.debian.org is 2001:a78:5::216:35ff:fe7f:be4f
dnsmasq[13030]: 23530 192.168.123.75/57452 reply security.debian.org is 2001:a78:5:1:216:35ff:fe7f:6ceb
dnsmasq[9650]: 23729 192.168.123.75/52396 query[A] security.debian.org.lan from 192.168.123.75
dnsmasq[9650]: 23729 192.168.123.75/52396 config security.debian.org.lan is NXDOMAIN
dnsmasq[9650]: 23730 192.168.123.75/52396 query[AAAA] security.debian.org.lan from 192.168.123.75
dnsmasq[9650]: 23730 192.168.123.75/52396 config security.debian.org.lan is NXDOMAIN
dnsmasq[9650]: 23731 192.168.123.75/52397 query[A] security.debian.org from 192.168.123.75
dnsmasq[9650]: 23731 192.168.123.75/52397 forwarded security.debian.org to 2001:4860:4860::8844
dnsmasq[9650]: 23732 192.168.123.75/52397 query[AAAA] security.debian.org from 192.168.123.75
dnsmasq[9650]: 23732 192.168.123.75/52397 forwarded security.debian.org to 2001:4860:4860::8844
dnsmasq[9650]: * 192.168.123.75/52397 dnssec-query[DS] debian.org to 2001:4860:4860::8844
dnsmasq[9650]: * 192.168.123.75/52397 dnssec-query[DS] debian.org to 2001:4860:4860::8844
dnsmasq[9650]: * 192.168.123.75/52397 dnssec-query[DNSKEY] org to 2001:4860:4860::8844
dnsmasq[9650]: * 192.168.123.75/52397 dnssec-query[DNSKEY] org to 2001:4860:4860::8844
dnsmasq[9650]: 23731 192.168.123.75/52397 reply security.debian.org is 195.20.242.89
dnsmasq[9650]: 23731 192.168.123.75/52397 reply security.debian.org is 212.211.132.32
dnsmasq[9650]: 23731 192.168.123.75/52397 reply security.debian.org is 212.211.132.250
dnsmasq[13032]: 23733 192.168.123.75/57456 query[A] security.debian.org from 192.168.123.75
dnsmasq[9650]: 23732 192.168.123.75/52397 reply security.debian.org is 2001:a78:5:1:216:35ff:fe7f:6ceb
dnsmasq[9650]: 23732 192.168.123.75/52397 reply security.debian.org is 2001:a78:5::216:35ff:fe7f:be4f
dnsmasq[13032]: 23733 192.168.123.75/57456 forwarded security.debian.org to 2001:4860:4860::8844
dnsmasq[13032]: * 192.168.123.75/57456 dnssec-query[DS] debian.org to 2001:4860:4860::8844
dnsmasq[13032]: * 192.168.123.75/57456 dnssec-query[DNSKEY] org to 2001:4860:4860::8844
dnsmasq[13032]: * 192.168.123.75/57456 reply org is DNSKEY keytag 17883, algo 7
dnsmasq[13032]: * 192.168.123.75/57456 reply org is DNSKEY keytag 48497, algo 7
dnsmasq[13032]: * 192.168.123.75/57456 reply org is DNSKEY keytag 9795, algo 7
dnsmasq[13032]: * 192.168.123.75/57456 reply org is DNSKEY keytag 64353, algo 7
dnsmasq[13032]: * 192.168.123.75/57456 reply debian.org is DS keytag 62260, algo 8, digest 2
dnsmasq[13032]: * 192.168.123.75/57456 dnssec-query[DS] security.debian.org to 2001:4860:4860::8844
dnsmasq[13032]: * 192.168.123.75/57456 dnssec-query[DNSKEY] debian.org to 2001:4860:4860::8844
dnsmasq[13032]: 23733 192.168.123.75/57456 validation security.debian.org is ABANDONED
dnsmasq[13032]: 23733 192.168.123.75/57456 reply security.debian.org is 195.20.242.89
dnsmasq[13032]: 23733 192.168.123.75/57456 reply security.debian.org is 212.211.132.250
dnsmasq[13032]: 23733 192.168.123.75/57456 reply security.debian.org is 212.211.132.32
dnsmasq[13032]: 23734 192.168.123.75/57456 query[AAAA] security.debian.org from 192.168.123.75
dnsmasq[13032]: 23734 192.168.123.75/57456 forwarded security.debian.org to 8.8.8.8
dnsmasq[13032]: * 192.168.123.75/57456 dnssec-query[DS] security.debian.org to 8.8.8.8
dnsmasq[13032]: * 192.168.123.75/57456 dnssec-query[DNSKEY] debian.org to 8.8.8.8
dnsmasq[13032]: 23734 192.168.123.75/57456 validation security.debian.org is ABANDONED
dnsmasq[13032]: 23734 192.168.123.75/57456 reply security.debian.org is 2001:a78:5::216:35ff:fe7f:be4f
dnsmasq[13032]: 23734 192.168.123.75/57456 reply security.debian.org is 2001:a78:5:1:216:35ff:fe7f:6ceb
dnsmasq[9650]: 23833 192.168.123.75/52398 query[A] security.debian.org.lan from 192.168.123.75
dnsmasq[9650]: 23833 192.168.123.75/52398 config security.debian.org.lan is NXDOMAIN
dnsmasq[9650]: 23834 192.168.123.75/52398 query[AAAA] security.debian.org.lan from 192.168.123.75
dnsmasq[9650]: 23834 192.168.123.75/52398 config security.debian.org.lan is NXDOMAIN

Again, does anybody know why this might happen? And more importantly,
how can I fix that?

Btw. while resolving security.debian.org fails, debian.org alone still
works fine. All very strange to me.

Thanks,

Timo