DNS forwarding off: certain domains do not resolve

As the subject says, I noticed that some domains, in my own country, fail to get resolved when forwarding is off. Using any other public DNS works, but I’d rather diagnose the issue as my ISP doesn’t support DNSSEC.

Domain list follows: what can be done to investigate more?

Thanks.

My observations: Neither domain is DNSSEC signed, so it’s probably not a DNSSEC issue. Its responses are short, so it’s probably not an MTU/fragmentation issue either.

All mentioned zones are hosted on a similar set of IPv4-only authoritative DNS servers. Does your ISP employ some kind of IPv4 Carrier Grade NAT?

This usually happens when many DNS resolvers are concentrated behind an IPv4 address, the authoritative servers then employ some rate-limit, so they stop responding to the specific IP address.

If this is the case, you can try to reach out to the operator of the broken zones to loosen the limits for your public-facing address. Another option is to forward DNS queries to some public DNSSEC-aware DNS resolver like Google Public DNS or Verisign Public DNS, preferably via IPv6 so you avoid possible rate limiting there.

All mentioned zones are hosted on a similar set of IPv4-only authoritative DNS servers. Does your ISP employ some kind of IPv4 Carrier Grade NAT?

Correct, it has an ISP-wide NAT (MAN, Metropolitan Area Network). I was able to get hold of a “public address”, except it isn’t: it’s just a DMZ to my ISP-supplied private address.

Another option is to forward DNS queries to some public DNSSEC-aware DNS resolver like Google Public DNS or Verisign Public DNS, preferably via IPv6 so you avoid possible rate limiting there.

What are the configuration options of the resolver I can use to have the Omnia do that?

You can set them up as DNS servers for the wan and/or wan6 interfaces. You can either use LuCI or edit /etc/config/network:

config interface 'wan'
        option ifname 'eth1'
        option proto 'dhcp'
        option peerdns '0'

config interface 'wan6'
        option ifname '@wan'
        option proto 'dhcpv6'
        option peerdns '0'
        list dns '2001:4860:4860::8888'
        list dns '2001:4860:4860::8844'

Make sure to turn off the peerdns option so the DNS servers of your ISP don’t get added to the list. You can check the current list of upstream DNS servers by looking into the file /tmp/resolv.conf.auto.
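As an added example (not from this thread or the Turris project), a small Python check that parses this style of /etc/config/network and reports whether the ISP's servers are really excluded. Both embedded configs are constructed: the first forgets peerdns on wan, the second matches the post above.

```python
import re

# Constructed sample: wan6 is set up as in the post above, but wan still has
# peerdns at its default, so the ISP's servers are still added to the list.
BROKEN_CONFIG = """\
config interface 'wan'
        option ifname 'eth1'
        option proto 'dhcp'

config interface 'wan6'
        option ifname '@wan'
        option proto 'dhcpv6'
        option peerdns '0'
        list dns '2001:4860:4860::8888'
        list dns '2001:4860:4860::8844'
"""
# The same config with peerdns also disabled on wan, as the post recommends.
FIXED_CONFIG = BROKEN_CONFIG.replace(
    "option proto 'dhcp'\n", "option proto 'dhcp'\n        option peerdns '0'\n")

# "config <type> '<name>'", "option <key> '<value>'", "list <key> '<value>'" (quoted or bare value)
_LINE = re.compile(r"^\s*(config|option|list)\s+(\S+)(?:\s+(?:'([^']*)'|(\S+)))?\s*$")

def parse_uci(text):
    """Minimal UCI parser: {section_name: {'type': ..., 'options': {}, 'lists': {}}}."""
    sections, current = {}, None
    for m in filter(None, map(_LINE.match, text.splitlines())):
        kind, key, quoted, bare = m.groups()
        value = quoted if quoted is not None else bare
        if kind == "config":  # anonymous sections are keyed by their type
            current = sections.setdefault(value or key, {"type": key, "options": {}, "lists": {}})
        elif kind == "option" and current is not None:
            current["options"][key] = value
        elif kind == "list" and current is not None:
            current["lists"].setdefault(key, []).append(value)
    return sections

def check_upstream_dns(text):
    """Per wan interface: is ISP DNS excluded (OpenWrt defaults peerdns to '1') and which resolvers are listed?"""
    return {name: {"isp_dns_excluded": sec["options"].get("peerdns", "1") == "0",
                   "custom_dns": sec["lists"].get("dns", [])}
            for name, sec in parse_uci(text).items()
            if sec["type"] == "interface" and name.startswith("wan")}

def isp_dns_bypassed(text):
    """True only if every wan interface rejects ISP DNS and at least one lists an explicit resolver."""
    report = check_upstream_dns(text)
    return bool(report) and all(r["isp_dns_excluded"] for r in report.values()) \
        and any(r["custom_dns"] for r in report.values())
```

Run it against your own /etc/config/network contents instead of the samples; a wan interface reported with isp_dns_excluded False is the case where the ISP's servers reappear in /tmp/resolv.conf.auto.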

And that did the trick. Many thanks!


Hmm, with knot-resolver-1.1.1 I can sometimes reproduce that www.atocittametropolitanadimilano.it failure (without forwarding). With our development version I can’t reproduce any failure for any of the listed domains, so I believe this will be fixed in 1.2.0 release.

Hey,
after a few days (2-3 days) I am running into the same issue as described above: some domains are not resolved. My ISP also doesn’t support DNSSEC, so DNS forwarding is off.

Any news?
Thanks

We have released 1.2.0 (upstream) and all known domain resolution problems were fixed in there, except for some cases that have very broken nameservers. That version isn’t yet the default on Omnia, though testing packages should exist for it somewhere.