DNS on omnia not resolving duckdns.org, from client works

Hi guys and girls,
I have a strange problem. I have a DYNDNS registered at duckdns.org. The updater goes through Omnia and all works. But when I am trying to resolve directly from Omnia, neither my domain nor the duckdns is resolved.
When I am doing it from a client connected to Omnia, resolution works and I see with Wireshark that Omnia has resolved the DNS query.

Resolution from my PC:
C:\Users\battika>nslookup duckdns.org
Server: UnKnown
Address: fde9:2709:5ccd::1
Non-authoritative answer:
Name: duckdns.org
Address: 52.26.169.94

Wireshark output of the response:

Resolution from Omnia:
Server: 127.0.0.1
Address: 127.0.0.1#53
Name: duckdns.org
Address 1: 54.191.117.119
*** Can't find duckdns.org: No answer

Some more info:

  • I am running kresd
  • I don’t use forwarding; if it is turned on to my ISP then I got problems with the resolution
  • DNSSEC is enabled
  • I have adblocker activated, tried to disable it, putting also duckdns.org to whitelist, no idea if matters

Thank you for any help or answer

Ok, one more strange info: if I do dig on the router I get the following response:

; <<>> DiG 9.11.5 <<>> duckdns.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60915
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;duckdns.org. IN A

;; ANSWER SECTION:
duckdns.org. 154 IN A 54.191.117.119

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri Dec 28 21:15:26 CET 2018
;; MSG SIZE rcvd: 56

root@batti-turris:~#

Now I am being totally confused… shouldn’t nslookup and dig return the same info?

Ok, additional info: after 2 hours suddenly I can’t reach duckdns at all, neither from turris nor from my pc…

; <<>> DiG 9.11.5 <<>> duckdns.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 13325
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;duckdns.org.                   IN      A

;; Query time: 560 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri Dec 28 22:46:34 CET 2018
;; MSG SIZE  rcvd: 40

When I suspend adblock then suddenly the DNS query starts to work…

Ok, I am continuing in my monologue: I was trying to debug the problem using these instructions: https://doc.turris.cz/doc/en/howto/dnsdebug#gather_the_data. Again duckdns.org not reachable. I execute the resolver debugging, and bumm, suddenly it resolves the dns. I guess due to the restart of the kres.dns when I started debug. If anybody has any hints how to track it down I would be happy.

It will keep generating verbose logs until kresd is restarted (doesn’t happen normally). So it should be enough to wait until a problem happens and look at the logs from that moment.

Thank you, will try that and see what happens… then post result…

BTW, it’s quite well possible that there’s just some problem that makes it hard for kresd to get the answer. That may cause the result being different every time and especially possibility of success when retried (the success then gets cached for some time).

It may be related to adblock. Check with

# /etc/init.d/adblock query duckdns.org

Update: after I turned on verbose logs for Kres, it worked all the time. I turned it off 4 days ago… it still works. I have no idea why. I even checked if there was any update in Omnia.

@Milos: I have checked with adblock query (but from Luci) and it was not blocked by it. I also whitelisted the whole DNS. Anyway I am happy now… let’s see when the problem comes back…

greetings
Attila

On the page https://dnsflagday.net/ I have checked the duckdns.org. It seems to me they have a problem with EDNS


Do you think kresd could have trouble with it?

Complete non-support of TCP certainly can cause problems, as it serves as a “safe fallback” for various conditions, but usually TCP isn’t utilized so it’s hard to say just from this. Their EDNS problems shown there aren’t too bad and shouldn’t cause trouble around this flag day.
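
An added illustration, not part of the thread or written by any poster: a Python sketch that rebuilds the two dig responses shown above as raw DNS messages and reads back the fields dig prints (status, EDNS UDP size, message size), plus a truncated reply showing the TC flag that tells a resolver to retry over TCP, the fallback mentioned in the last post. All function names and the truncated sample are constructed for this example.

```python
import struct

RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN"}

def encode_name(name):
    """Length-prefixed labels, no compression."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def build_response(msg_id, rcode, name, a_record=None, tc=False):
    """Constructed reply: QR/RD/RA set, one question, optional A answer, OPT udp=4096."""
    flags = 0x8180 | (0x0200 if tc else 0) | rcode
    msg = struct.pack("!6H", msg_id, flags, 1, 1 if a_record else 0, 0, 1)
    msg += encode_name(name) + struct.pack("!2H", 1, 1)  # QTYPE=A, QCLASS=IN
    if a_record:
        ttl, ip = a_record
        rdata = bytes(int(p) for p in ip.split("."))
        msg += b"\xc0\x0c" + struct.pack("!2HIH", 1, 1, ttl, 4) + rdata
    return msg + b"\x00" + struct.pack("!2HIH", 41, 4096, 0, 0)  # OPT RR

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) name."""
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:      # compression pointer: two bytes, ends the name
            return off + 2
        off += 1
        if n == 0:                # root label ends the name
            return off
        off += n

def summarize(msg):
    """Extract the fields dig reports from a raw DNS message."""
    msg_id, flags, qd, an, ns, ar = struct.unpack_from("!6H", msg, 0)
    off, edns_udp = 12, None
    for _ in range(qd):
        off = skip_name(msg, off) + 4
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack_from("!2HIH", msg, off)
        if rtype == 41:           # OPT reuses CLASS for the advertised UDP size
            edns_udp = rclass
        off += 10 + rdlen
    tc = bool(flags & 0x0200)     # TC set: answer did not fit, retry over TCP
    return {"id": msg_id, "status": RCODES.get(flags & 0xF, str(flags & 0xF)),
            "answers": an, "edns_udp": edns_udp, "retry_over_tcp": tc, "size": len(msg)}

# Constructed samples: the first two mirror the dig outputs in the thread.
OK = build_response(60915, 0, "duckdns.org", (154, "54.191.117.119"))
FAIL = build_response(13325, 2, "duckdns.org")
TRUNC = build_response(1, 0, "duckdns.org", tc=True)  # hypothetical truncated reply
for sample in (OK, FAIL, TRUNC):
    print(summarize(sample))
```

The rebuilt messages come out at 56 and 40 bytes, matching the `MSG SIZE rcvd` lines in the two dig outputs.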