Stubby: 'ad' flag missing for DNSSEC validation

Hello everyone,

hope you are doing well!

Before I was updating OpenWrt to Version 19.07.7 on my router, I followed the steps from this German guide for installing and using stubby with OpenWrt: https://www.kuketz-blog.de/stubby-verschluesselte-dns-anfragen-openwrt-teil5/

Everything worked until the update. After the update, I reinstalled all packages and then imported my backup with all configuration files. So far, so good.

When I now run the dig command to check DNSSEC validation, the 'ad' flag is missing. The ad flag signals that dnsmasq considers the DNS server's response to be authentic, i.e. that validation via DNSSEC is working.
Here is the output:

$ dig dnssectest.sidn.nl +dnssec +multi @192.168.1.1

; <<>> DiG 9.11.5-P4-5.1+deb10u3-Debian <<>> dnssectest.sidn.nl +dnssec +multi @192.168.1.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45546
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;dnssectest.sidn.nl.    IN A

;; ANSWER SECTION:
dnssectest.sidn.nl.     3600 IN A 212.114.120.64
dnssectest.sidn.nl.     3600 IN RRSIG A 8 3 3600 (
                                20210409081101 20210310081101 42033 sidn.nl.
                                Gctii9oIoMCSAlwDXAh6Y1AflOZ7+gYO/KKaDTk6Gx2B
                                GSpZ2zON5X12Cx91ReM7j1+sA2mAPDBcKQ/Zl1KtxEme
                                HvlylfX8JS3I4cvAMIZUAV0V+T9OZfw2IWOCXS0/c3/z
                                nMv8hm1z4/RV73MQ+EGqQwgfw/nnENZwTs8Bb4k= )

;; Query time: 535 msec
;; SERVER: 192.168.1.1#53(192.168.1.1)
;; WHEN: Mi Mär 10 14:30:58 CET 2021
;; MSG SIZE  rcvd: 266

Any ideas why? DNS itself works. Also, the correct DNS servers are shown at https://dnsleaktest.com:

If you need any specific configuration file, please let me know.

Thank you very much.

Cheers,
Lasko

My working stubby DNS over TLS (Cloudflare) failed this morning. I think either Cloudflare got rid of the free service or it is down.

Works for me on OpenWrt 19.07.7 with both Google DNS and Cloudflare DNS:

# dig @::1 -p 5453 -q example.org +dnssec | grep -e flags: -e RRSIG
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
; EDNS: version: 0, flags: do; udp: 512
example.org.		4001	IN	RRSIG	A 8 2 86400 20210331211002 20210310092539 34480 example.org. nIIXlY2uSI3uJdqCMfeBPGPeUA9qMAH+/axCJsvfpS4Y/INW/TcAQ4uk fCpul/XqLOkYpMb1Rs/heqv3r1pVoJy+XV933u3+40pwnM4nBWkjBY61 66hV9D2KRwUT2EMulnpntwrZLZvfiMsukIa9PqlPp4JY3WMG7ZQ+H2XC G4w=

https://openwrt.org/docs/guide-user/services/dns/dot_dnsmasq_stubby

Hmm, interesting. I have just checked https://dnssec.vs.uni-due.de/ and the result is 'Yes, your DNS resolver validates DNSSEC signatures.'

So is this flag really necessary?
I am not using either Google or Cloudflare. I am using the DNS of digitalcourage and dismail. Both are no-logging and support DNS over TLS and DNSSEC.

On the link you sent, it says: Check your DNS provider. Make sure there is no DNS leak: https://dnsleaktest.com/
What does it mean in this case that both my configured DNS servers are listed there? (Picture in the initial question)

When running your dig command, I get no output.

I believe it is necessary if you want to perform DNSSEC validation yourself.
E.g. when you don't trust the DoT provider, or they don't validate DNSSEC.

So, your DoT provider likely validates DNSSEC.

That means your DNS is using load balancing.

You can try to temporarily change the DoT provider to Google DNS, skipping the commit command:
https://openwrt.org/docs/guide-user/services/dns/dot_dnsmasq_stubby#dot_provider

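An added example (not from this thread or the OpenWrt wiki) that applies the distinction made above: it parses dig's header and EDNS flag lines and reports whether the resolver you queried validated the answer itself ('ad' set), or merely passed through signed data that an upstream such as the DoT provider may or may not have validated. The sample strings are constructed from the two dig runs in this thread; the signature in the second sample is shortened.

```python
import re

# Constructed samples: the flag and RRSIG lines from the two dig runs in this thread.
NO_AD = """;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
; EDNS: version: 0, flags: do; udp: 4096
dnssectest.sidn.nl.     3600 IN RRSIG A 8 3 3600 (
"""
WITH_AD = """;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
; EDNS: version: 0, flags: do; udp: 512
example.org.  4001  IN  RRSIG  A 8 2 86400 20210331211002 20210310092539 34480 example.org. (sig omitted)
"""

HEADER_RE = re.compile(r"^;; flags:([^;]*);", re.M)   # ';; flags: qr rd ra ad; QUERY: ...'
EDNS_RE = re.compile(r"^; EDNS: version: \d+, flags:([^;]*);", re.M)

EXPLANATION = {
    "validated": "the resolver you queried validated the chain itself (dnsmasq dnssec=1 is working)",
    "checking-disabled": "the CD bit is set (+cd), so validation was skipped by request",
    "signed-not-validated": "RRSIGs came back (DO bit honoured) but the queried resolver did not "
                            "validate; any validation happened upstream, e.g. at the DoT provider",
    "no-dnssec-data": "no signatures returned: unsigned zone, or DO bit not set or not honoured",
}

def parse_dig(output):
    """Extract header flags, EDNS flags and whether any RRSIG record was returned."""
    hdr = HEADER_RE.search(output)
    edns = EDNS_RE.search(output)
    return {
        "header": set(hdr.group(1).split()) if hdr else set(),
        "edns": set(edns.group(1).split()) if edns else set(),
        "rrsig": re.search(r"\bIN\s+RRSIG\b", output) is not None,
    }

def dnssec_status(output):
    """Classify one dig run; 'ad' is the only proof that the queried resolver validated."""
    p = parse_dig(output)
    if "ad" in p["header"]:
        return "validated"
    if "cd" in p["header"]:
        return "checking-disabled"
    if p["rrsig"] and "do" in p["edns"]:
        return "signed-not-validated"
    return "no-dnssec-data"

def report(output):
    status = dnssec_status(output)
    return f"{status}: {EXPLANATION[status]}"

if __name__ == "__main__":
    for name, sample in (("thread's router", NO_AD), ("working setup", WITH_AD)):
        print(f"{name}: {report(sample)}")
```

Pipe a real run in with `dig ... | python3 this_script.py` after replacing the samples with `sys.stdin.read()`; the thread's first output classifies as signed-not-validated, the second as validated.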

Thank you for explaining. I will try to reset my whole configuration to google / cloudflare on the weekend and keep this post updated, if the problem still exists.


So now I have reset my router, only set up PPPoE and also installed stubby. The DNSSEC validation was now correct and the 'ad' flag was shown. So I think something goes wrong when I re-import my saved settings.
My current steps when updating or resetting the router:

  • Import my basic configuration for PPPoE
  • Install all necessary packages
  • Import my full backup configuration

Maybe that is not the normal way to do it. But after updating, I do not want to make all my interface and firewall settings again.
Do you have any better suggestions? Or can I remove the dnsmasq and stubby configurations from the backup file?

You should be able to simply import the backup config and reinstall the packages.


Thank you. I will try it when the next update is released.

What would be the best way to undo my current dnsmasq and stubby settings? Because when I do all the steps from the wiki again, DNS is no longer working, and I need to re-import my settings again and the flag is still missing.

uci -q delete dhcp.@dnsmasq[0].server
uci -q delete dhcp.@dnsmasq[0].noresolv
uci commit dhcp
/etc/init.d/dnsmasq restart

Thank you. This worked until I came to the DNSSEC settings. When I do the following steps, DNS is no longer working:

uci set dhcp.@dnsmasq[-1].dnssec=1
uci set dhcp.@dnsmasq[-1].dnsseccheckunsigned=1
uci commit && reload_config

Am I missing something?

uci -q delete dhcp.@dnsmasq[0].dnssec
uci -q delete dhcp.@dnsmasq[0].dnsseccheckunsigned
uci commit dhcp
/etc/init.d/dnsmasq restart

Those are Dnsmasq-specific settings unrelated to Stubby.

Unfortunately, after running those commands and setting everything up anew, there are no changes: DNS is not working, and after a reboot I am no longer able to connect to the router.
I think I will reset the router again tomorrow, delete any dnsmasq & stubby configuration from the backup file so that I import only my interfaces, wireless, firewall and adblock, and make the DNS over TLS settings from scratch, as this was working this morning.

Thank you very much for your help & time.

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.