DNS over TLS with stubby - troubleshooting? Some domains don't resolve

I'm seeing some advertising domains suddenly fail to resolve (the setup has been working fine for a while). Any pointers on the proper way to troubleshoot this?

Below is my naive way of debugging: the upstream DNS server 1.1.1.1 (Cloudflare) resolves the name when queried directly, yet the same lookup against localhost (127.0.0.1, port 53) returns NXDOMAIN.

root@r4s-prod:~# nslookup www.ojrq.net 127.0.0.1
Server:         127.0.0.1
Address:        127.0.0.1#53

** server can't find www.ojrq.net: NXDOMAIN

root@r4s-prod:~# nslookup www.ojrq.net 1.1.1.1
Server:         1.1.1.1
Address:        1.1.1.1#53

Non-authoritative answer:
Name:   www.ojrq.net
Address: 34.95.127.121

root@r4s-prod:~# nslookup www.ojrq.net 1.0.0.1
Server:         1.0.0.1
Address:        1.0.0.1#53

Non-authoritative answer:
Name:   www.ojrq.net
Address: 34.95.127.121

root@r4s-prod:~# uci show stubby
stubby.global=stubby
stubby.global.manual='0'
stubby.global.trigger='wan'
stubby.global.dns_transport='GETDNS_TRANSPORT_TLS'
stubby.global.tls_authentication='1'
stubby.global.tls_query_padding_blocksize='128'
stubby.global.appdata_dir='/var/lib/stubby'
stubby.global.edns_client_subnet_private='1'
stubby.global.idle_timeout='10000'
stubby.global.round_robin_upstreams='1'
stubby.global.listen_address='127.0.0.1@5453' '0::1@5453'
stubby.@resolver[0]=resolver
stubby.@resolver[0].address='2606:4700:4700::1111'
stubby.@resolver[0].tls_auth_name='cloudflare-dns.com'
stubby.@resolver[1]=resolver
stubby.@resolver[1].address='2606:4700:4700::1001'
stubby.@resolver[1].tls_auth_name='cloudflare-dns.com'
stubby.@resolver[2]=resolver
stubby.@resolver[2].address='1.1.1.1'
stubby.@resolver[2].tls_auth_name='cloudflare-dns.com'
stubby.@resolver[3]=resolver
stubby.@resolver[3].address='1.0.0.1'
stubby.@resolver[3].tls_auth_name='cloudflare-dns.com'

Other output: listening sockets (everything on port 53 belongs to dnsmasq):

tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN      14875/dnsmasq
tcp        0      0 192.168.12.131:53       0.0.0.0:*               LISTEN      14875/dnsmasq
tcp        0      0 192.168.100.1:53        0.0.0.0:*               LISTEN      14875/dnsmasq
tcp        0      0 192.168.32.1:53         0.0.0.0:*               LISTEN      14875/dnsmasq
tcp        0      0 172.66.6.1:53           0.0.0.0:*               LISTEN      14875/dnsmasq
tcp        0      0 172.100.0.1:53          0.0.0.0:*               LISTEN      14875/dnsmasq
tcp        0      0 10.100.100.10:53        0.0.0.0:*               LISTEN      14875/dnsmasq
tcp        0      0 10.8.8.4:53             0.0.0.0:*               LISTEN      14875/dnsmasq
tcp        0      0 172.17.0.1:53           0.0.0.0:*               LISTEN      14875/dnsmasq
tcp        0      0 2607:fb90:90ee:d306:59d1:d3a3:31d9:a4ae:53 :::*                    LISTEN      14875/dnsmasq
tcp        0      0 ::1:53                  :::*                    LISTEN      14875/dnsmasq
tcp        0      0 2607:fb90:90ee:d306:6a27:19ff:feac:a5fa:53 :::*                    LISTEN      14875/dnsmasq
tcp        0      0 2607:fb90:90ee:d306:656d:6f6c:0:499:53 :::*                    LISTEN      14875/dnsmasq
tcp        0      0 fe80::6a27:19ff:feac:a5fa:53 :::*                    LISTEN      14875/dnsmasq
tcp        0      0 fd08:771f:2745::1:53    :::*                    LISTEN      14875/dnsmasq
tcp        0      0 fe80::6827:19ff:feac:a5fa:53 :::*                    LISTEN      14875/dnsmasq
tcp        0      0 fd08:771f:2745:10::1:53 :::*                    LISTEN      14875/dnsmasq
tcp        0      0 fe80::6827:19ff:feac:a5fa:53 :::*                    LISTEN      14875/dnsmasq
tcp        0      0 fe80::6827:19ff:feac:a5fa:53 :::*                    LISTEN      14875/dnsmasq
tcp        0      0 fd08:771f:2745:11::1:53 :::*                    LISTEN      14875/dnsmasq
tcp        0      0 fe80::6827:19ff:feac:a5fa:53 :::*                    LISTEN      14875/dnsmasq
tcp        0      0 2605:6404:2fa:100::10:53 :::*                    LISTEN      14875/dnsmasq
tcp        0      0 fe80::ddeb:1556:d45a:fc2b:53 :::*                    LISTEN      14875/dnsmasq
udp        0      0 127.0.0.1:53            0.0.0.0:*                           14875/dnsmasq
udp        0      0 192.168.12.131:53       0.0.0.0:*                           14875/dnsmasq
udp        0      0 192.168.100.1:53        0.0.0.0:*                           14875/dnsmasq
udp        0      0 192.168.32.1:53         0.0.0.0:*                           14875/dnsmasq
udp        0      0 172.66.6.1:53           0.0.0.0:*                           14875/dnsmasq
udp        0      0 172.100.0.1:53          0.0.0.0:*                           14875/dnsmasq
udp        0      0 10.100.100.10:53        0.0.0.0:*                           14875/dnsmasq
udp        0      0 10.8.8.4:53             0.0.0.0:*                           14875/dnsmasq
udp        0      0 172.17.0.1:53           0.0.0.0:*                           14875/dnsmasq
udp        0      0 0.0.0.0:67              0.0.0.0:*                           14875/dnsmasq
udp        0      0 2607:fb90:90ee:d306:59d1:d3a3:31d9:a4ae:53 :::*                                14875/dnsmasq
udp        0      0 ::1:53                  :::*                                14875/dnsmasq
udp        0      0 2607:fb90:90ee:d306:6a27:19ff:feac:a5fa:53 :::*                                14875/dnsmasq
udp        0      0 2607:fb90:90ee:d306:656d:6f6c:0:499:53 :::*                                14875/dnsmasq
udp        0      0 fe80::6a27:19ff:feac:a5fa:53 :::*                                14875/dnsmasq
udp        0      0 fd08:771f:2745::1:53    :::*                                14875/dnsmasq
udp        0      0 fe80::6827:19ff:feac:a5fa:53 :::*                                14875/dnsmasq
udp        0      0 fd08:771f:2745:10::1:53 :::*                                14875/dnsmasq
udp        0      0 fe80::6827:19ff:feac:a5fa:53 :::*                                14875/dnsmasq
udp        0      0 fe80::6827:19ff:feac:a5fa:53 :::*                                14875/dnsmasq
udp        0      0 fd08:771f:2745:11::1:53 :::*                                14875/dnsmasq
udp        0      0 fe80::6827:19ff:feac:a5fa:53 :::*                                14875/dnsmasq
udp        0      0 2605:6404:2fa:100::10:53 :::*                                14875/dnsmasq
udp        0      0 fe80::ddeb:1556:d45a:fc2b:53 :::*                                14875/dnsmasq

more

root@r4s-prod:~# pgrep -f -a dnsmasq; pgrep -f -a stubby
14875 /usr/sbin/dnsmasq -C /var/etc/dnsmasq.conf.cfg01411c -k -x /var/run/dnsmasq/dnsmasq.cfg01411c.pid
6861 /usr/sbin/stubby -C /var/etc/stubby/stubby.yml

root@r4s-prod:~# head -v -n -0 /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/*
==> /etc/resolv.conf <==
# Interface wan
nameserver 192.168.12.1
search lan
# Interface wan6
nameserver 2607:fb90:90ee:d306:656d:6f6c:5864:d94f

==> /tmp/resolv.conf <==
# Interface wan
nameserver 192.168.12.1
search lan
# Interface wan6
nameserver 2607:fb90:xe:d306:xx:6f6c:5864:d94f

==> /tmp/resolv.conf.d <==
head: /tmp/resolv.conf.d: I/O error

==> /tmp/resolv.conf.d/resolv.conf.auto <==
# Interface wan
nameserver 192.168.12.1
search lan
# Interface wan6
nameserver 2607:xxx0:90ee:d306:x:5864:d94f
root@r4s-prod:~# uci show dhcp; uci show stubby
dhcp.@dnsmasq[0]=dnsmasq
dhcp.@dnsmasq[0].domainneeded='1'
dhcp.@dnsmasq[0].boguspriv='1'
dhcp.@dnsmasq[0].filterwin2k='0'
dhcp.@dnsmasq[0].localise_queries='1'
dhcp.@dnsmasq[0].rebind_protection='1'
dhcp.@dnsmasq[0].rebind_localhost='1'
dhcp.@dnsmasq[0].expandhosts='1'
dhcp.@dnsmasq[0].nonegcache='0'
dhcp.@dnsmasq[0].authoritative='1'
dhcp.@dnsmasq[0].readethers='1'
dhcp.@dnsmasq[0].leasefile='/tmp/dhcp.leases'
dhcp.@dnsmasq[0].resolvfile='/tmp/resolv.conf.d/resolv.conf.auto'
dhcp.@dnsmasq[0].nonwildcard='1'
dhcp.@dnsmasq[0].localservice='1'
dhcp.@dnsmasq[0].ednspacket_max='1232'
dhcp.@dnsmasq[0].confdir='/tmp/dnsmasq.d'
dhcp.@dnsmasq[0].domain='gfm'
dhcp.@dnsmasq[0].local='/gfm/'
dhcp.@dnsmasq[0].noresolv='1'
dhcp.@dnsmasq[0].server='127.0.0.1#5453' '0::1#5453'
dhcp.lan=dhcp
dhcp.lan.interface='lan'
dhcp.lan.leasetime='12h'
dhcp.lan.dhcpv4='server'
dhcp.lan.dhcpv6='server'
dhcp.lan.ra='server'
dhcp.lan.ra_slaac='1'
dhcp.lan.ra_flags='managed-config' 'other-config'
dhcp.lan.ra_default='1'
dhcp.lan.start='20'
dhcp.lan.limit='50'
dhcp.lan.ra_management='1'
dhcp.wan=dhcp
dhcp.wan.interface='wan'
dhcp.wan.ignore='1'
dhcp.wan.ra_flags='none'
dhcp.odhcpd=odhcpd
dhcp.odhcpd.maindhcp='0'
dhcp.odhcpd.leasefile='/tmp/hosts/odhcpd'
dhcp.odhcpd.leasetrigger='/usr/sbin/odhcpd-update'
dhcp.odhcpd.loglevel='4'
dhcp.vpn_privacy=dhcp
dhcp.vpn_privacy.interface='vpn_privacy'
dhcp.vpn_privacy.start='200'
dhcp.vpn_privacy.limit='220'
dhcp.vpn_privacy.leasetime='12h'
dhcp.wglan=dhcp
dhcp.wglan.leasetime='12h'
dhcp.wglan.ra_default='1'
dhcp.wglan.start='20'
dhcp.wglan.dhcpv6='server'
dhcp.wglan.limit='50'
dhcp.wglan.ra='server'
dhcp.wglan.interface='wglan'
dhcp.wglan.ra_management='1'
dhcp.isolated=dhcp
dhcp.isolated.leasetime='12h'
dhcp.isolated.ra_default='1'
dhcp.isolated.start='20'
dhcp.isolated.dhcpv6='server'
dhcp.isolated.limit='50'
dhcp.isolated.ra='server'
dhcp.isolated.interface='isolated'
dhcp.isolated.ra_management='1'
stubby.global=stubby
stubby.global.manual='0'
stubby.global.trigger='wan'
stubby.global.dns_transport='GETDNS_TRANSPORT_TLS'
stubby.global.tls_authentication='1'
stubby.global.tls_query_padding_blocksize='128'
stubby.global.appdata_dir='/var/lib/stubby'
stubby.global.edns_client_subnet_private='1'
stubby.global.idle_timeout='10000'
stubby.global.round_robin_upstreams='1'
stubby.global.listen_address='127.0.0.1@5453' '0::1@5453'
stubby.@resolver[0]=resolver
stubby.@resolver[0].address='2606:4700:4700::1111'
stubby.@resolver[0].tls_auth_name='cloudflare-dns.com'
stubby.@resolver[1]=resolver
stubby.@resolver[1].address='2606:4700:4700::1001'
stubby.@resolver[1].tls_auth_name='cloudflare-dns.com'
stubby.@resolver[2]=resolver
stubby.@resolver[2].address='1.1.1.1'
stubby.@resolver[2].tls_auth_name='cloudflare-dns.com'
stubby.@resolver[3]=resolver
stubby.@resolver[3].address='1.0.0.1'
stubby.@resolver[3].tls_auth_name='cloudflare-dns.com'
root@r4s-prod:~# nslookup www.ojrq.net 127.0.0.1
Server:         127.0.0.1
Address:        127.0.0.1#53

** server can't find www.ojrq.net: NXDOMAIN

root@r4s-prod:~#  /etc/init.d/dnsmasq restart
udhcpc: started, v1.33.2
udhcpc: sending discover
udhcpc: no lease, failing
udhcpc: started, v1.33.2
udhcpc: sending discover
udhcpc: no lease, failing
udhcpc: started, v1.33.2
udhcpc: sending discover
udhcpc: no lease, failing
udhcpc: started, v1.33.2
udhcpc: sending discover
udhcpc: no lease, failing
root@r4s-prod:~# /etc/init.d/stubby restart

The udhcpc "no lease, failing" messages printed during the dnsmasq restart seem to be expected, though; see the thread "[SOLVED] Dnsmasq restart shows DHCP error".

Still don't know why this DNS resolution keeps failing. Am I doing something wrong?

nslookup www.ojrq.net 127.0.0.1
Server:         127.0.0.1
Address:        127.0.0.1#53

** server can't find www.ojrq.net: NXDOMAIN

ls -l /tmp/dnsmasq.d
grep -r -e ojrq.net /tmp/dnsmasq.d
netstat -l -n -p | grep -e stubby
nslookup www.ojrq.net localhost
nslookup -p5453 www.ojrq.net localhost
 -----------------------------------------------------
 OpenWrt 21.02-SNAPSHOT, r16399-c67509efd7
 -----------------------------------------------------

TheLinuxGuy build@2021.12.09

root@r4s-prod:~# nslookup www.ojrq.net 127.0.0.1
Server:         127.0.0.1
Address:        127.0.0.1#53

** server can't find www.ojrq.net: NXDOMAIN

root@r4s-prod:~# date
Sun Dec 26 22:01:54 EST 2021
root@r4s-prod:~# /etc/init.d/dnsmasq restart
udhcpc: started, v1.33.2
udhcpc: sending discover
udhcpc: no lease, failing
udhcpc: started, v1.33.2
udhcpc: sending discover
udhcpc: no lease, failing
udhcpc: started, v1.33.2
udhcpc: sending discover
udhcpc: no lease, failing
udhcpc: started, v1.33.2
udhcpc: sending discover
udhcpc: no lease, failing
root@r4s-prod:~# /etc/init.d/stubby restart
root@r4s-prod:~# ls -l /tmp/dnsmasq.d
-rw-r--r--    1 dnsmasq  root       1232689 Dec 26 04:05 adb_list.overall
root@r4s-prod:~# grep -r -e ojrq.net /tmp/dnsmasq.d
/tmp/dnsmasq.d/adb_list.overall:address=/ojrq.net/
root@r4s-prod:~# netstat -l -n -p | grep -e stubby
tcp        0      0 127.0.0.1:5453          0.0.0.0:*               LISTEN      32137/stubby
tcp        0      0 ::1:5453                :::*                    LISTEN      32137/stubby
udp        0      0 127.0.0.1:5453          0.0.0.0:*                           32137/stubby
udp        0      0 ::1:5453                :::*                                32137/stubby
root@r4s-prod:~# nslookup www.ojrq.net localhost
Server:         localhost
Address:        ::1#53

** server can't find www.ojrq.net: NXDOMAIN

root@r4s-prod:~# nslookup www.ojrq.net localhost#5453
nslookup: couldn't get address for 'localhost#5453': not found

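Seems to be blacklisted in /tmp/dnsmasq.d/adb_list.overall -- thanks! The `address=/ojrq.net/` entry there makes dnsmasq itself answer NXDOMAIN for ojrq.net and its subdomains, so the query is never forwarded to stubby; that is why asking 1.1.1.1 directly (which bypasses dnsmasq) still resolved.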

Found out the adblock LuCI app was enabled (I thought I had it disabled).
