DNS TLS Cloudflare

Today my DNS redirect to TLS Cloudflare stopped working - I solved it by disabling forwarding.

Restarting and trying again to revert the settings to forward to TLS Cloudflare did not work.

# /etc/resolver/resolver-debug.sh start
Start debug
== enable verbose logging (reboot to disable it) ==
> [count] => 0
[id] => 1
[cb] => function: 0xb4a25978

> > nil

> resolver.common=resolver
resolver.common.interface='0.0.0.0' '::0'
resolver.common.port='53'
resolver.common.keyfile='/etc/root.keys'
resolver.common.verbose='0'
resolver.common.msg_buffer_size='4096'
resolver.common.msg_cache_size='20M'
resolver.common.net_ipv6='1'
resolver.common.net_ipv4='1'
resolver.common.prefered_resolver='kresd'
resolver.common.prefetch='yes'
resolver.common.dynamic_domains='1'
resolver.common.ignore_root_key='0'
resolver.common.forward_upstream='1'
resolver.common.forward_custom='99_cloudflare'
resolver.kresd=resolver
resolver.kresd.rundir='/tmp/kresd'
resolver.kresd.forks='1'
resolver.kresd.keep_cache='0'
resolver.kresd.rpz_file='/etc/kresd/adb_list.overall'
resolver.kresd.log_stderr='1'
resolver.kresd.log_stdout='1'
resolver.unbound=resolver
resolver.unbound.outgoing_range='60'
resolver.unbound.outgoing_num_tcp='1'
resolver.unbound.incoming_num_tcp='1'
resolver.unbound.msg_cache_slabs='1'
resolver.unbound.num_queries_per_thread='30'
resolver.unbound.rrset_cache_size='100K'
resolver.unbound.rrset_cache_slabs='1'
resolver.unbound.infra_cache_slabs='1'
resolver.unbound.infra_cache_numhosts='200'
resolver.unbound.access_control='0.0.0.0/0 allow' '::0/0 allow'
resolver.unbound.pidfile='/var/run/unbound.pid'
resolver.unbound.root_hints='/etc/unbound/named.cache'
resolver.unbound.target_fetch_policy='2 1 0 0 0'
resolver.unbound.harden_short_bufsize='yes'
resolver.unbound.harden_large_queries='yes'
resolver.unbound.key_cache_size='100k'
resolver.unbound.key_cache_slabs='1'
resolver.unbound.neg_cache_size='10k'
resolver.unbound.prefetch_key='yes'
resolver.unbound_remote_control=resolver
resolver.unbound_remote_control.control_interface='127.0.0.1'
resolver.unbound_remote_control.control_enable='yes'
resolver.unbound_remote_control.control_use_cert='no'
== resolv.conf* ==
/etc/resolv.conf:search lan
/etc/resolv.conf:nameserver 127.0.0.1
/tmp/resolv.conf:search lan
/tmp/resolv.conf:nameserver 127.0.0.1
/tmp/resolv.conf.auto:# Interface wan
/tmp/resolv.conf.auto:nameserver 10.108.10.109
/tmp/resolv.conf.auto:nameserver 10.108.10.108
== DNSSEC root key file ==
3398ee3b8d9530982125f3d6f74788db  /etc/root.keys
/etc/root.keys:.                   	172800	DNSKEY	257 3 8 AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU= ; Valid: ; KeyTag:20326
.                   	172800	DNSKEY	257 3 8 AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU= ; Valid: ; KeyTag:20326
== resolver process ==
10180 root      1108 S    grep kresd
== configured trust anchors ==
== enable verbose logging (reboot to disable it) ==
== resolution attempts ==

; <<>> DiG 9.12.3-P4 <<>> @127.0.0.1 +dnssec api.turris.cz
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 23164
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;api.turris.cz.			IN	A

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri Apr 26 13:33:01 CEST 2019
;; MSG SIZE  rcvd: 42


; <<>> DiG 9.12.3-P4 <<>> @127.0.0.1 +dnssec www.google.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 33613
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;www.google.com.			IN	A

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri Apr 26 13:33:01 CEST 2019
;; MSG SIZE  rcvd: 43


; <<>> DiG 9.12.3-P4 <<>> @127.0.0.1 +dnssec www.facebook.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 41173
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;www.facebook.com.		IN	A

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri Apr 26 13:33:01 CEST 2019
;; MSG SIZE  rcvd: 45


; <<>> DiG 9.12.3-P4 <<>> @127.0.0.1 +dnssec www.youtube.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 6305
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;www.youtube.com.		IN	A

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri Apr 26 13:33:01 CEST 2019
;; MSG SIZE  rcvd: 44


; <<>> DiG 9.12.3-P4 <<>> @127.0.0.1 +dnssec www.rhybar.cz
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 42924
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;www.rhybar.cz.			IN	A

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri Apr 26 13:33:01 CEST 2019
;; MSG SIZE  rcvd: 42


; <<>> DiG 9.12.3-P4 <<>> @127.0.0.1 +dnssec *.wilda.rhybar.0skar.cz
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 50484
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;*.wilda.rhybar.0skar.cz.	IN	A

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri Apr 26 13:33:01 CEST 2019
;; MSG SIZE  rcvd: 52


; <<>> DiG 9.12.3-P4 <<>> @127.0.0.1 +dnssec *.wilda.nsec.0skar.cz
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 5393
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;*.wilda.nsec.0skar.cz.		IN	A

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri Apr 26 13:33:01 CEST 2019
;; MSG SIZE  rcvd: 50


; <<>> DiG 9.12.3-P4 <<>> @127.0.0.1 +dnssec *.wild.nsec.0skar.cz
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 25839
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;*.wild.nsec.0skar.cz.		IN	A

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri Apr 26 13:33:01 CEST 2019
;; MSG SIZE  rcvd: 49


; <<>> DiG 9.12.3-P4 <<>> @127.0.0.1 +dnssec *.wilda.0skar.cz
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 33398
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;*.wilda.0skar.cz.		IN	A

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri Apr 26 13:33:01 CEST 2019
;; MSG SIZE  rcvd: 45


; <<>> DiG 9.12.3-P4 <<>> @127.0.0.1 +dnssec *.wild.0skar.cz
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 53844
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;*.wild.0skar.cz.		IN	A

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri Apr 26 13:33:01 CEST 2019
;; MSG SIZE  rcvd: 44


; <<>> DiG 9.12.3-P4 <<>> @127.0.0.1 +dnssec www.wilda.nsec.0skar.cz
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 8753
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;www.wilda.nsec.0skar.cz.	IN	A

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri Apr 26 13:33:01 CEST 2019
;; MSG SIZE  rcvd: 52


; <<>> DiG 9.12.3-P4 <<>> @127.0.0.1 +dnssec www.wilda.0skar.cz
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 2321
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;www.wilda.0skar.cz.		IN	A

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri Apr 26 13:33:01 CEST 2019
;; MSG SIZE  rcvd: 47


; <<>> DiG 9.12.3-P4 <<>> @127.0.0.1 +dnssec *.wilda.rhybar.ecdsa.0skar.cz
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 22766
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;*.wilda.rhybar.ecdsa.0skar.cz.	IN	A

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri Apr 26 13:33:01 CEST 2019
;; MSG SIZE  rcvd: 58

Debug stated
2019/04/26 13:32:55 socat[10098] E connect(5, AF=1 "/tmp/kresd/tty/8971", 21): No such file or directory
2019/04/26 13:32:56 socat[10193] E connect(5, AF=1 "/tmp/kresd/tty/", 17): Connection refused
2019/04/26 13:32:56 socat[10202] E connect(5, AF=1 "/tmp/kresd/tty/", 17): Connection refused

I have the same issue on my Turris Omnia router.

DNS redirect to TLS Cloudflare and CZ.NIC servers doesn’t work well.

TLS CloudFlare seems fine when I switch my stable Omnia to it :thinking:

Did the system log get some lines starting with this?

2019-04-26 14:27:26 info kresd

Now Cloudflare is OK … Log in SZ

The same problem on my MOX too (DNS forwarding to CZ.NIC (TLS) servers)

I sent my log via SZ.

OK, wrt. CZ.NIC (TLS): can you try these commands?

kdig +tls turris.cz @217.31.204.133
kdig +tls turris.cz @2001:1488:800:400::2:133

It’s enough to run them from any device in the network, but Turris devices might be easiest (even 1.x) – there it’s enough to install the small knot-dig package.

Forward to Cloudflare: DNS and DNSSEC test now working

Forward to CZ.NIC: DNS and DNSSEC test no response

Forward to Google: DNS and DNSSEC test now working

Forward to provider: DNS and DNSSEC test now working

Non-forward: DNS and DNSSEC test now working

The response to the commands is always the same:

root@Omnia:~# kdig +tls turris.cz @217.31.204.133
;; WARNING: connection timeout for 217.31.204.133@853(TCP)
;; ERROR: failed to query server 217.31.204.133@853(TCP)
root@Omnia:~# kdig +tls turris.cz @2001:1488:800:400::2:133
;; WARNING: can't connect to 2001:1488:800:400::2:133@853(TCP)
;; ERROR: failed to query server 2001:1488:800:400::2:133@853(TCP)
root@Omnia:~#

The same on my Omnia and MOX routers.

That gives

# kdig +tls turris.cz @217.31.204.133
;; WARNING: connection timeout for 217.31.204.133@853(TCP)
;; ERROR: failed to query server 217.31.204.133@853(TCP)

Right, there’s most likely a problem in cz.nic network (or close to there) that prevents connections to this server-set over port 853 from some networks. I think I can say there are “new servers” in testing that don’t seem to be affected, and they should be used on Turris OS “soon” as well. You can try the connection test easily already:

kdig +tls turris.cz @odvr.nic.cz

(the command assumes you do have working DNS to resolve odvr.nic.cz)
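The two kdig results in this thread fail at different stages: the 217.31.204.133 server-set never completes the TCP connection on port 853, while odvr.nic.cz completes a TLS session and answers. The following is an added example, not code from the thread, from Turris OS or from knot-resolver, that performs the same DNS-over-TLS exchange (RFC 7858) by hand in Python and reports whether a failure happened at the TCP connect, the TLS handshake or the DNS answer. It takes the server as an IP address, so it does not depend on working DNS the way the odvr.nic.cz command does; the addresses in the main block are the ones visible in the thread, the sample response bytes are constructed for the offline parser check, and the hostname passed as `sni` is what the server certificate is validated against (a hypothetical parameter of this example only).

```python
"""DNS-over-TLS reachability check (added example; not from the thread or from
Turris OS / knot-resolver). Mirrors `kdig +tls turris.cz @<server>`: TCP to
port 853, TLS handshake, length-prefixed DNS query, and says which stage failed."""
import socket
import ssl
import struct
from typing import Dict, List, Optional, Tuple

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def build_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Encode a recursive (RD=1) query for `name`, class IN, in wire format."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(l)]) + l.encode("ascii")
                      for l in name.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)


def _skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a possibly compressed domain name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # 2-byte compression pointer ends the name
            return off + 2
        off += 1 + length


def parse_response(msg: bytes) -> Tuple[str, List[str]]:
    """Return (rcode name, IPv4 addresses of A records in the answer section)."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    rcode = RCODES.get(flags & 0x000F, str(flags & 0x000F))
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    addrs: List[str] = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in msg[off:off + 4]))
        off += rdlen
    return rcode, addrs


def _recv_exact(sock: ssl.SSLSocket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed the TLS stream mid-message")
        buf += chunk
    return buf


def dot_query(server: str, name: str, sni: Optional[str] = None,
              timeout: float = 5.0) -> Dict[str, object]:
    """'stage' is 'tcp' (connect failed or timed out, as in the thread),
    'tls' (handshake/certificate failure) or 'dns' (an answer came back)."""
    ctx = ssl.create_default_context()  # verifies the certificate chain and name
    # With a bare IP the certificate must carry that IP as a SAN; otherwise
    # pass the resolver's hostname as `sni` so validation has a name to check.
    try:
        raw = socket.create_connection((server, 853), timeout=timeout)
    except OSError as exc:
        return {"stage": "tcp", "error": str(exc)}
    try:
        tls = ctx.wrap_socket(raw, server_hostname=sni or server)
    except (ssl.SSLError, OSError) as exc:
        raw.close()
        return {"stage": "tls", "error": str(exc)}
    try:
        with tls:
            query = build_query(name)
            tls.sendall(struct.pack("!H", len(query)) + query)  # RFC 7858 prefix
            (length,) = struct.unpack("!H", _recv_exact(tls, 2))
            rcode, addrs = parse_response(_recv_exact(tls, length))
            return {"stage": "dns", "tls": tls.version(), "rcode": rcode, "addrs": addrs}
    except OSError as exc:
        return {"stage": "dns", "error": str(exc)}


# Constructed sample answer (not captured from the thread): txid 0x1234, flags
# QR|RD|RA, question "turris.cz A", one A record 217.31.192.69 with TTL 764.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    + b"\x06turris\x02cz\x00" + b"\x00\x01\x00\x01"
    + b"\xc0\x0c" + b"\x00\x01\x00\x01" + struct.pack("!I", 764) + b"\x00\x04"
    + bytes([217, 31, 192, 69])
)

if __name__ == "__main__":
    # Addresses seen in the thread: the server-set that timed out, and the
    # address odvr.nic.cz answered from.
    for srv, host in [("217.31.204.133", None), ("185.43.135.1", "odvr.nic.cz")]:
        print(srv, dot_query(srv, "turris.cz", sni=host))
```

A `tcp` result with a timeout matches the kdig warning in this thread and points at filtering of port 853 somewhere on the path rather than at the resolver; a `tls` result would instead indicate a certificate or handshake problem, which kdig would also show before any answer.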

root@Omnia:~# kdig +tls turris.cz @odvr.nic.cz
;; TLS session (TLS1.2)-(ECDHE-RSA-SECP256R1)-(AES-256-GCM)
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 3709
;; Flags: qr rd ra; QUERY: 1; ANSWER: 1; AUTHORITY: 0; ADDITIONAL: 1

;; EDNS PSEUDOSECTION:
;; Version: 0; flags: ; UDP size: 4096 B; ext-rcode: NOERROR
;; PADDING: 410 B

;; QUESTION SECTION:
;; turris.cz.                   IN      A

;; ANSWER SECTION:
turris.cz.              764     IN      A       217.31.192.69

;; Received 468 B
;; Time 2019-04-27 15:58:00 CEST
;; From 185.43.135.1@853(TCP) in 19.5 ms
root@Omnia:~#

That does work

[code]# kdig +tls turris.cz @odvr.nic.cz
;; TLS session (TLS1.2)-(ECDHE-RSA-SECP256R1)-(AES-256-GCM)
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 36464
;; Flags: qr rd ra; QUERY: 1; ANSWER: 1; AUTHORITY: 0; ADDITIONAL: 1

;; EDNS PSEUDOSECTION:
;; Version: 0; flags: ; UDP size: 4096 B; ext-rcode: NOERROR
;; PADDING: 410 B

;; QUESTION SECTION:
;; turris.cz. IN A

;; ANSWER SECTION:
turris.cz. 1800 IN A 217.31.192.69

;; Received 468 B
;; Time 2019-04-27 16:20:08 CEST
;; From 185.43.135.1@853(TCP) in 63.1 ms
[/code]