Dnsmasq/https-dns-proxy fail to resolve state.gov due to dnssec

I am having trouble getting this website, state.gov, to resolve.
It gives me this error.

 nslookup state.gov
;; Got SERVFAIL reply from 127.0.0.1, trying next server
Server:         ::1
Address:        ::1#53

** server can't find state.gov: SERVFAIL
r can't find state.gov: SERVFAIL
nslookup state.gov 8.8.8.8
Server:         8.8.8.8
Address:        8.8.8.8#53

Non-authoritative answer:
Name:   state.gov
Address: 34.233.79.178
Name:   state.gov
Address: 2600:1f18:4659:1600:5c0e:d4cf:ce29:54c8

All other websites work fine. When I switch to Google DNS on my Android device, it works fine. Only this website has the issue so far. I have disabled simple-adblock and banIP.

 cat /etc/config/dhcp

config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option localservice '1'
        option ednspacket_max '1232'
        option dnsforwardmax '2300'
        option min_cache_ttl '270'
        list address '/router/192.168.1.2'
        option nohosts '1'
        option dnssec '1'
        option port '53'
        option noresolv '1'
        option localuse '1'
        list server '/mask.icloud.com/'
        list server '/mask-h2.icloud.com/'
        list server '/use-application-dns.net/'
        list server '127.0.0.1#5054'
        list server '127.0.0.1#5053'
        option rebind_protection '0'
        option cachesize '5000'
        option serversfile '/var/run/simple-adblock/dnsmasq.servers'
        option doh_backup_noresolv '1'
        list doh_backup_server '/mask.icloud.com/'
        list doh_backup_server '/mask-h2.icloud.com/'
        list doh_backup_server '/use-application-dns.net/'
        list doh_backup_server '1.1.1.1'
        option allservers '1'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'
        list dhcp_option '6,192.168.1.2'
        list dhcp_option '3,192.168.1.2'
        list dns 'fd74:3bca:1fc1::1'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

I am using DNS over HTTPS.

cat /etc/config/https-dns-proxy

config main 'config'
        option dnsmasq_config_update '*'
        option canary_domains_icloud '1'
        option canary_domains_mozilla '1'
        option force_dns '1'
        list force_dns_port '53'
        list force_dns_port '853'
        option update_dnsmasq_config '*'

config https-dns-proxy
        option resolver_url 'https://cloudflare-dns.com/dns-query'
        option listen_addr '127.0.0.1'
        option listen_port '5054'
        option user 'nobody'
        option group 'nogroup'
        option bootstrap_dns '1.1.1.1,1.0.0.1,2606:4700:4700::1111,2606:4700:4700::1001'

config https-dns-proxy
        option bootstrap_dns '8.8.8.8,8.8.4.4,2001:4860:4860::8888,2001:4860:4860::8844'
        option resolver_url 'https://dns.google/dns-query'
        option listen_addr '127.0.0.1'
        option listen_port '5053'

[root@dca632 / 55°]# cat /etc/config/https-dns-proxy-opkg
config main 'config'
        option update_dnsmasq_config '*'
        option force_dns '1'
        list force_dns_port '53'
        list force_dns_port '853'
# ports listed below are used by some
# of the dnscrypt-proxy v1 resolvers
#       list force_dns_port '553'
#       list force_dns_port '1443'
#       list force_dns_port '4343'
#       list force_dns_port '4434'
#       list force_dns_port '5443'
#       list force_dns_port '8443'

config https-dns-proxy
        option bootstrap_dns '1.1.1.1,1.0.0.1'
        option resolver_url 'https://cloudflare-dns.com/dns-query'
        option listen_addr '127.0.0.1'
        option listen_port '5054'
        option user 'nobody'
        option group 'nogroup'

config https-dns-proxy
        option bootstrap_dns '8.8.8.8,8.8.4.4'
        option resolver_url 'https://dns.google/dns-query'
        option listen_addr '127.0.0.1'
        option listen_port '5053'
        option user 'nobody'
        option group 'nogroup'
cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd74:3bca:1fc1::/48'
        option packet_steering '0'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '192.168.1.2'

config device
        option type '8021q'
        option ifname 'eth1'
        option vid '10'
        option name 'eth1.10'

config device
        option type '8021q'
        option ifname 'eth1'
        option vid '20'
        option name 'eth1.20'

config interface 'WAN'
        option proto 'pppoe'
        option device 'eth1.10'
        option username '*******'
        option password '*********'
        option ipv6 'auto'
        option peerdns '0'
        list dns '8.8.8.8'
        list dns '8.8.4.4'
        option mtu '1500'
        option ac '**************'

config interface 'IPTV'
        option proto 'static'
        option device 'eth1.20'
        option ipaddr '10.10.10.1'
        option netmask '255.255.255.0'

config interface 'modem'
        option proto 'static'
        option device 'eth1'
        option ipaddr '192.168.10.5'
        option netmask '255.255.255.0'

config device
        option name 'eth1'

config interface 'wan6'
        option proto 'dhcpv6'
        option device '@WAN'
        option reqaddress 'try'
        option reqprefix 'auto'
        option peerdns '0'
        list dns '2001:4860:4860::8888'
        list dns '2001:4860:4860::8844'

cat /etc/config/firewall

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'
        option drop_invalid '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'WAN'
        list network 'IPTV'
        list network 'modem'
        list network 'wan6'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config rule
        option name 'Support-UDP-Traceroute'
        option src 'wan'
        option dest_port '33434:33689'
        option proto 'udp'
        option family 'ipv4'
        option target 'REJECT'
        option enabled 'false'

config include
        option path '/etc/firewall.user'
        option reload '1'

config include 'pbr'
        option fw4_compatible '1'
        option type 'script'
        option path '/usr/share/pbr/pbr.firewall.include'

Disabled? Neither of those is standard, so disabling them just means returning to normal...
What other non-standard DNS- and firewall-related components are you running?

Just one address being problematic hints toward DNS cache or blocklist problems. It may well be that one of your DNS providers has state.gov on a blocklist or similar.

You might revert to the default config, with unencrypted DNS etc., and then start adding/enabling one non-standard component at a time in order to see which component (or DNS server) causes the problem.


I have tried adding state.gov to the allowed list and whitelist for simple-adblock and banIP,
but it doesn't work.
And when domains are blocked by simple-adblock,
I get this error.

nslookup t.co
Server:         127.0.0.1
Address:        127.0.0.1#53

** server can't find t.co: NXDOMAIN

but for state.gov I get a SERVFAIL error instead.

nslookup state.gov
;; Got SERVFAIL reply from 127.0.0.1, trying next server
Server:         ::1
Address:        ::1#53

** server can't find state.gov: SERVFAIL

Again you are adding complexity, instead of removing it for debugging purposes.

Start by removing all extra stuff, and start with the plain DNS without "over HTTPS", without banip, without adblock, without ...
Then add a single new feature at a time and see when it fails.


First, I tried disabling simple-adblock:
still the same SERVFAIL error.
Then banIP:
still the same SERVFAIL error.
And after disabling https-dns-proxy,
it resolves fine.

Ok, you got the first real debugging item. The culprit might be https-dns-proxy.
Then you can start checking the DNS providers there (as you have several)...


Yes, but I don't understand what is causing this issue. That's why I'm asking here for help.

You may manually configure each of the DNS servers one by one to an end device in order to check which one is failing to resolve the address.

I think something is wrong with https-dns-proxy: all DNS servers work and resolve state.gov when I use them as normal DNS servers in the DHCP and DNS settings. But I get a SERVFAIL error with https-dns-proxy.

This solved the issue.

With https-dns-proxy running can you test these:

nslookup -port=5053 state.gov 127.0.0.1
nslookup -port=5054 state.gov 127.0.0.1

You have a lot of DNS-related configs outside of https-dns-proxy, so it would be better if you could query it directly.

I don't use Google's DNS but I don't have any issue with Cloudflare resolving state.gov.

nslookup -port=5053 state.gov 127.0.0.1
Server:         127.0.0.1
Address:        127.0.0.1#5053

Non-authoritative answer:
Name:   state.gov
Address: 34.233.79.178
Name:   state.gov
Address: 2600:1f18:4659:1600:5c0e:d4cf:ce29:54c8

[root@dca632 / 54°]# nslookup -port=5054 state.gov 127.0.0.1
Server:         127.0.0.1
Address:        127.0.0.1#5054

Non-authoritative answer:
Name:   state.gov
Address: 34.233.79.178
Name:   state.gov
Address: 2600:1f18:4659:1600:5c0e:d4cf:ce29:54c8

So is it an issue with dnsmasq when these two settings are enabled?

option dnssec '1'
option dnsseccheckunsigned '1'

I mean it looks like it's not the issue with https-dns-proxy — both proxy ports answered directly, so the SERVFAIL is coming from dnsmasq itself, which is consistent with its DNSSEC validation rejecting the answer. :wink:

