DNS anomaly, how to confirm?

On my router I run unbound as recursive resolver, together with dnsmasq for local names. After moving to Germany and getting a DSL line at home, once I figured out how to run the ISP-supplied router as a passthrough modem, it was working fine for 2 months.

In the last couple of days, however, unbound would simply not work at all. In addition, on my desktop:

AFAIK, "trace" serves to emulate recursion normally done in the server on the client side, correct?
In that case, I think we may safely assume that the ISP is now mucking with my dns queries.
Related question for Germans: how common is this behaviour? I take it my only options are DoT and DoH, right? A VPN is already used from LAN clients whenever good for your health :slight_smile:

I'm not sure how you've reached that conclusion from the very limited testing you seem to have done. I'd also be surprised if your ISP had some sort of mechanism that only selectively intercepted DNS queries while letting others through unimpeded.

Have you done any testing on the router itself? Can it reach external DNS servers? What about root nameservers?

Queries on the router match queries done on the desktop, I can reach both "normal" external nameservers and root.
What fails is only recursion, be that performed by unbound or via dig +trace.
With trace-level debugging on unbound I see that the queries go out but no reply is received, so eventually a timeout is returned to the client (me on the router or on the desktop, same story).
EDIT: for example, the steps outlined here work (please note the "norec" flag).

Also, since I do not have DNSSEC enabled or DoT or DoH, this is the only failure mode I could think of because the configuration on my side has been unchanged for weeks, the root.hints are current...

What response do you get when you try dig +trace?

Timeout, same as in unbound logs

So the only output you get after running the command is a single line saying nothing but 'timeout'?

Correct, tried with 8.8.8.8, 8.8.4.4, 1.1.1.1, 1.1.1.2, same story.

Example:

communications error to 1.1.1.1#53: timed out

What do you get if you try an IPv4 query?

dig -4 @8.8.8.8 +trace www.google.com

;; communications error to 8.8.8.8#53: timed out
;; communications error to 8.8.8.8#53: timed out
;; communications error to 8.8.8.8#53: timed out

; <<>> DiG 9.18.12-1-Debian <<>> -4 @8.8.8.8 +trace www.google.com
; (1 server found)
;; global options: +cmd
;; no servers could be reached

Can you try these 2?

dig -4 @8.8.8.8 google.com
dig -4 @8.8.8.8 +tcp google.com

They both work, no surprises: I am asking a recursive server to give me an answer and do the recursion on my behalf, just like with the ISP.

Super funny, but recursion combined with TCP seems to work fine over IPv4:

dig -4 @1.1.1.2 +trace +tcp www.google.com

; <<>> DiG 9.18.12-1-Debian <<>> -4 @1.1.1.2 +trace +tcp www.google.com
; (1 server found)
;; global options: +cmd
.                       515122  IN      NS      a.root-servers.net.
.                       515122  IN      NS      b.root-servers.net.
.                       515122  IN      NS      c.root-servers.net.
.                       515122  IN      NS      d.root-servers.net.
.                       515122  IN      NS      e.root-servers.net.
.                       515122  IN      NS      f.root-servers.net.
.                       515122  IN      NS      g.root-servers.net.
.                       515122  IN      NS      h.root-servers.net.
.                       515122  IN      NS      i.root-servers.net.
.                       515122  IN      NS      j.root-servers.net.
.                       515122  IN      NS      k.root-servers.net.
.                       515122  IN      NS      l.root-servers.net.
.                       515122  IN      NS      m.root-servers.net.
.                       515122  IN      RRSIG   NS 8 0 518400 20230406050000 20230324040000 951 . H2hzUgTadxsnKFxfyKW0JSwiAVJ9zXvETuDLk0EiwNMAaPpI6UXdUwfj V7bGhfbyOz+feJ2isukVucK+f8Fk/iEAsuv6nLhv2PI6QzypgQ282/LN orzNyC0ZdW7jpRdpEbOd/0HjaUOyreSlimtbzBCuPOSznSDfc+aBf39W WuxQGu2O4pRzfd1Gm1DXrDih755DhBIM2nn64aNzPVjuSufeJ89HVfzg aaEWo9eOsvXpOAzdg2kSOGpkAzHt8s4Wa2WrgZl4oy1rCRku20LBY+0n fuVU8tkMt4WcsZ7g6bB1r8y1WIcsNYjHcygOZqhb4IWfvoxArgcPnIXo VadhdQ==
;; Received 1097 bytes from 1.1.1.2#53(1.1.1.2) in 19 ms

com.                    172800  IN      NS      f.gtld-servers.net.
com.                    172800  IN      NS      m.gtld-servers.net.
com.                    172800  IN      NS      e.gtld-servers.net.
com.                    172800  IN      NS      i.gtld-servers.net.
com.                    172800  IN      NS      j.gtld-servers.net.
com.                    172800  IN      NS      d.gtld-servers.net.
com.                    172800  IN      NS      k.gtld-servers.net.
com.                    172800  IN      NS      b.gtld-servers.net.
com.                    172800  IN      NS      a.gtld-servers.net.
com.                    172800  IN      NS      h.gtld-servers.net.
com.                    172800  IN      NS      c.gtld-servers.net.
com.                    172800  IN      NS      g.gtld-servers.net.
com.                    172800  IN      NS      l.gtld-servers.net.
com.                    86400   IN      DS      30909 8 2 E2D3C916F6DEEAC73294E8268FB5885044A833FC5459588F4A9184CF C41A5766
com.                    86400   IN      RRSIG   DS 8 1 86400 20230406170000 20230324160000 951 . M3mThl+dN1n7qW+XFCbhQAZ2kvcRMUJYWSddmmk/PD/BQ/hloHm6J25G wM5F9FeUe9YnBo2OSYsGwJFCy2PqCuqBI7W/WBHQvPLd4PRjRhH0cKXV o6GgLjUC+3LLcrPNgNh6IoDN/nyGU8wT/Ue5si1/dDnWfBMCPiDziV1E i5fIgM2dzeidwsEfaQ5Z7xLCM6kGIzX0ZxOzV9ClKGQh5yDzFYaxugPy JHY6hYQLukdGPGAcGfTlrKLQGbu+gMukZUVGVni/d0GG5Rg83sSsqCjM x5zDPE4xEz1eYMIGEtXOVrjGw1dIHU0D4LbZMhpDnqEupYAtSO9vFMOu vSQxdQ==
;; Received 1205 bytes from 192.33.4.12#53(c.root-servers.net) in 7 ms

google.com.             172800  IN      NS      ns2.google.com.
google.com.             172800  IN      NS      ns1.google.com.
google.com.             172800  IN      NS      ns3.google.com.
google.com.             172800  IN      NS      ns4.google.com.
CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 86400 IN NSEC3 1 1 0 - CK0Q2D6NI4I7EQH8NA30NS61O48UL8G5 NS SOA RRSIG DNSKEY NSEC3PARAM
CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 86400 IN RRSIG NSEC3 8 2 86400 20230331042255 20230324031255 36739 com. VuCMIh+c5DfRjij/K4fkRPEFyAPx5mB/+57+Gt+nGx+eOiyIZYUJoJxY FzEI/r+M91bJo2q/t1iB+DdX22WpxWAJsp5zDQjinXQMih/u/ps+oaDc mjWakvEwWrreOnoaRFWV3tYCE52i77p29YBE02gsdDY2gwNLQLoxEaW6 PwIQD+7i28EkXcBn7mxbCmeR8oI5iNFDUsmRdQqIydZiow==
S84BKCIBC38P58340AKVNFN5KR9O59QC.com. 86400 IN NSEC3 1 1 0 - S84BUO64GQCVN69RJFUO6LVC7FSLUNJ5 NS DS RRSIG
S84BKCIBC38P58340AKVNFN5KR9O59QC.com. 86400 IN RRSIG NSEC3 8 2 86400 20230328050141 20230321035141 36739 com. dPIKZG+gV54zK5b/Jo1MIPzPcsetCB8WS6sb9p8lZPiB+Ik38fwn3T08 6/0uILvWgLl6E2WFi2fWaI9zga1pnuuapZFUAgSBC5I+lo6N5qs+qqka sstAIUY/KC3xISytqIS+xrkLZErXxU7T5rV50X5txZz5sF37VAT3UT0o 9jMYBS9EcInQOQz7ZWd75mSqxov7DXYkDu2QQ/D+TKXhBQ==
;; Received 840 bytes from 192.31.80.30#53(d.gtld-servers.net) in 27 ms

www.google.com.         300     IN      A       142.250.186.132
;; Received 59 bytes from 216.239.36.10#53(ns3.google.com) in 15 ms

and also over IPv6:

dig -6 @dns.google.com +trace +tcp www.google.com

; <<>> DiG 9.18.12-1-Debian <<>> -6 @dns.google.com +trace +tcp www.google.com
; (2 servers found)
;; global options: +cmd
.                       85776   IN      NS      e.root-servers.net.
.                       85776   IN      NS      h.root-servers.net.
.                       85776   IN      NS      l.root-servers.net.
.                       85776   IN      NS      i.root-servers.net.
.                       85776   IN      NS      a.root-servers.net.
.                       85776   IN      NS      d.root-servers.net.
.                       85776   IN      NS      c.root-servers.net.
.                       85776   IN      NS      b.root-servers.net.
.                       85776   IN      NS      j.root-servers.net.
.                       85776   IN      NS      k.root-servers.net.
.                       85776   IN      NS      g.root-servers.net.
.                       85776   IN      NS      m.root-servers.net.
.                       85776   IN      NS      f.root-servers.net.
.                       85776   IN      RRSIG   NS 8 0 518400 20230406050000 20230324040000 951 . H2hzUgTadxsnKFxfyKW0JSwiAVJ9zXvETuDLk0EiwNMAaPpI6UXdUwfj V7bGhfbyOz+feJ2isukVucK+f8Fk/iEAsuv6nLhv2PI6QzypgQ282/LN orzNyC0ZdW7jpRdpEbOd/0HjaUOyreSlimtbzBCuPOSznSDfc+aBf39W WuxQGu2O4pRzfd1Gm1DXrDih755DhBIM2nn64aNzPVjuSufeJ89HVfzg aaEWo9eOsvXpOAzdg2kSOGpkAzHt8s4Wa2WrgZl4oy1rCRku20LBY+0n fuVU8tkMt4WcsZ7g6bB1r8y1WIcsNYjHcygOZqhb4IWfvoxArgcPnIXo VadhdQ==
;; Received 525 bytes from 2001:4860:4860::8888#53(dns.google.com) in 40 ms

com.                    172800  IN      NS      e.gtld-servers.net.
com.                    172800  IN      NS      b.gtld-servers.net.
com.                    172800  IN      NS      a.gtld-servers.net.
com.                    172800  IN      NS      d.gtld-servers.net.
com.                    172800  IN      NS      i.gtld-servers.net.
com.                    172800  IN      NS      f.gtld-servers.net.
com.                    172800  IN      NS      j.gtld-servers.net.
com.                    172800  IN      NS      k.gtld-servers.net.
com.                    172800  IN      NS      c.gtld-servers.net.
com.                    172800  IN      NS      g.gtld-servers.net.
com.                    172800  IN      NS      h.gtld-servers.net.
com.                    172800  IN      NS      l.gtld-servers.net.
com.                    172800  IN      NS      m.gtld-servers.net.
com.                    86400   IN      DS      30909 8 2 E2D3C916F6DEEAC73294E8268FB5885044A833FC5459588F4A9184CF C41A5766
com.                    86400   IN      RRSIG   DS 8 1 86400 20230406170000 20230324160000 951 . M3mThl+dN1n7qW+XFCbhQAZ2kvcRMUJYWSddmmk/PD/BQ/hloHm6J25G wM5F9FeUe9YnBo2OSYsGwJFCy2PqCuqBI7W/WBHQvPLd4PRjRhH0cKXV o6GgLjUC+3LLcrPNgNh6IoDN/nyGU8wT/Ue5si1/dDnWfBMCPiDziV1E i5fIgM2dzeidwsEfaQ5Z7xLCM6kGIzX0ZxOzV9ClKGQh5yDzFYaxugPy JHY6hYQLukdGPGAcGfTlrKLQGbu+gMukZUVGVni/d0GG5Rg83sSsqCjM x5zDPE4xEz1eYMIGEtXOVrjGw1dIHU0D4LbZMhpDnqEupYAtSO9vFMOu vSQxdQ==
;; Received 1174 bytes from 2001:500:2f::f#53(f.root-servers.net) in 20 ms

google.com.             172800  IN      NS      ns2.google.com.
google.com.             172800  IN      NS      ns1.google.com.
google.com.             172800  IN      NS      ns3.google.com.
google.com.             172800  IN      NS      ns4.google.com.
CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 86400 IN NSEC3 1 1 0 - CK0Q2D6NI4I7EQH8NA30NS61O48UL8G5 NS SOA RRSIG DNSKEY NSEC3PARAM
CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 86400 IN RRSIG NSEC3 8 2 86400 20230331042255 20230324031255 36739 com. VuCMIh+c5DfRjij/K4fkRPEFyAPx5mB/+57+Gt+nGx+eOiyIZYUJoJxY FzEI/r+M91bJo2q/t1iB+DdX22WpxWAJsp5zDQjinXQMih/u/ps+oaDc mjWakvEwWrreOnoaRFWV3tYCE52i77p29YBE02gsdDY2gwNLQLoxEaW6 PwIQD+7i28EkXcBn7mxbCmeR8oI5iNFDUsmRdQqIydZiow==
S84BKCIBC38P58340AKVNFN5KR9O59QC.com. 86400 IN NSEC3 1 1 0 - S84BUO64GQCVN69RJFUO6LVC7FSLUNJ5 NS DS RRSIG
S84BKCIBC38P58340AKVNFN5KR9O59QC.com. 86400 IN RRSIG NSEC3 8 2 86400 20230328050141 20230321035141 36739 com. dPIKZG+gV54zK5b/Jo1MIPzPcsetCB8WS6sb9p8lZPiB+Ik38fwn3T08 6/0uILvWgLl6E2WFi2fWaI9zga1pnuuapZFUAgSBC5I+lo6N5qs+qqka sstAIUY/KC3xISytqIS+xrkLZErXxU7T5rV50X5txZz5sF37VAT3UT0o 9jMYBS9EcInQOQz7ZWd75mSqxov7DXYkDu2QQ/D+TKXhBQ==
;; Received 840 bytes from 2001:503:eea3::30#53(g.gtld-servers.net) in 8 ms

www.google.com.         300     IN      A       172.217.18.100
;; Received 59 bytes from 2001:4860:4802:38::a#53(ns4.google.com) in 20 ms

I'm going to try TCP with unbound, should be fun if it works :smiley:

It works. The fix is simple: add the following to /etc/config/unbound or the relevant config:
do-udp: no
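The diagnosis in this thread boils down to one observable: non-recursive (RD=0) queries sent straight to root and TLD servers get no reply over UDP but work over TCP. The following is an added example, not code from the thread or from unbound: a small Python probe that builds the same kind of query dig +trace sends, sends it over UDP and over TCP with a timeout, and names the failure mode. The two server addresses in the usage block are taken from the dig output above (c.root-servers.net and d.gtld-servers.net); no other names or parameters are assumed.

```python
import os
import socket
import struct

def build_query(name, qtype=1, rd=False, qid=None):
    # rd=False (no "recursion desired") is what dig +trace / +norec sends to
    # root, TLD and zone servers; a stub asking 8.8.8.8 sets rd=True instead.
    qid = os.urandom(2) if qid is None else struct.pack("!H", qid)
    header = qid + struct.pack("!HHHHH", 0x0100 if rd else 0, 1, 0, 0, 0)
    labels = [lbl.encode() for lbl in name.rstrip(".").split(".") if lbl]
    qname = b"".join(bytes([len(lbl)]) + lbl for lbl in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)

def parse_header(msg):
    # Referral from a root/TLD server: qr=1, aa=0, ancount=0, nscount>0.
    # Final answer from the zone's own server: aa=1 and ancount>0.
    qid, flags, _qd, an, ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": qid, "qr": bool(flags & 0x8000), "aa": bool(flags & 0x0400),
            "tc": bool(flags & 0x0200), "ra": bool(flags & 0x0080),
            "rcode": flags & 0x000F, "ancount": an, "nscount": ns}

def query_udp(server, query, timeout=3.0):
    # Same wire exchange as plain "dig +trace": one UDP datagram to port 53.
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(query, (server, 53))
            return s.recv(4096)
        except OSError:  # socket.timeout is an OSError subclass
            return None

def query_tcp(server, query, timeout=3.0):
    # Same exchange as "dig +trace +tcp": RFC 1035 two-byte length prefix.
    try:
        with socket.create_connection((server, 53), timeout=timeout) as s:
            s.sendall(struct.pack("!H", len(query)) + query)
            (length,) = struct.unpack("!H", s.recv(2, socket.MSG_WAITALL))
            return s.recv(length, socket.MSG_WAITALL)
    except OSError:
        return None

def classify(udp_reply, tcp_reply):
    # Map the two probe results to a failure mode; "udp_blocked" is this thread's case.
    if udp_reply and tcp_reply:
        return "ok"
    if tcp_reply:
        return "udp_blocked"
    return "tcp_blocked" if udp_reply else "unreachable"

if __name__ == "__main__":
    q = build_query("www.google.com", rd=False)
    for server in ("192.33.4.12", "192.31.80.30"):  # c.root-servers.net, d.gtld-servers.net
        print(server, classify(query_udp(server, q), query_tcp(server, q)))
```

A result of "udp_blocked" for root and TLD servers, with plain recursive queries to 8.8.8.8 still working, is exactly the pattern that the do-udp: no workaround (or DoT/DoH) sidesteps.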
