PatricF
just joined
Topic Author
Posts: 24
Joined: Tue May 17, 2011 10:59 am

Can't resolve mynetname.net when DNSSEC validation is enabled

Tue Mar 05, 2019 1:51 pm

Hi,

I recently enabled DNSSEC validation on our internal DNS server, and as soon as I enabled it I couldn't resolve any Cloud IP addresses anymore. It is only this domain I have a problem with.
When I do an nslookup for xxxxxxxxx.sn.mynetname.net I just get "Server failed"
as the response. When I disable DNSSEC validation it works fine.

If I check the DNS servers for mynetname.net I find that the PTR records are kind of misconfigured, they are not accessible over TCP on port 53, and ns1.kissthenet.net and ns2.kissthenet.net don't seem to be entirely in sync as they have different SOA serials.

You can check it out here: https://zonemaster.iis.se/?resultid=3423360351d8ad66

There are no DNSSEC records for this domain, so I'm not really sure why it fails when enabling it, unless the queries go over TCP when validation is enabled.

Can anyone confirm that they can look up IP Cloud addresses when they have DNSSEC verification enabled on a Windows Server DNS?

There have been hundreds of lookups to other domains without any problem, so something is not right here.
 
R1CH
Forum Guru
Posts: 1101
Joined: Sun Oct 01, 2006 11:44 pm

Re: Can't resolve mynetname.net when DNSSEC validation is enabled

Tue Mar 05, 2019 6:12 pm

Seems to work OK here behind a DNSSEC-validating PowerDNS recursor.

No TCP support, though, is a problem that MikroTik needs to fix.
 
PatricF
just joined
Topic Author
Posts: 24
Joined: Tue May 17, 2011 10:59 am

Re: Can't resolve mynetname.net when DNSSEC validation is enabled

Wed Mar 06, 2019 4:01 pm

This seems really weird.
If I use nslookup on my Windows 10 machine like this, I get an answer:
C:\>nslookup xxxxxxxxxx.sn.mynetname.net ns1.kissthenet.net
Server:  UnKnown
Address:  159.148.147.201

Name:    xxxxxxxxxx.sn.mynetname.net
Address:  111.222.333.444
However if I look it up like this I get:
C:\>nslookup
Default Server:  internal.dns.domain.local
Address:  192.168.1.2

> server ns1.kissthenet.net
Default Server:  ns1.kissthenet.net
Addresses:  2a02:610:7501:1000::201
          159.148.147.201

> xxxxxxxxxx.sn.mynetname.net
Server:  ns1.kissthenet.net
Addresses:  2a02:610:7501:1000::201
          159.148.147.201

*** ns1.kissthenet.net can't find xxxxxxxxxx.sn.mynetname.net: No response from server
If I try the exact same thing on a Linux machine it works just fine, so I'm not sure why there is a problem here.
And if I just ping the address it works just fine, but as soon as I enable DNSSEC validation on my Windows DNS server it stops working, just like with nslookup.

Can anyone try this with nslookup on their own machines and see if you get the same result?
I'm not really sure if it's a Windows DNS issue or an issue with the ns1.kissthenet.net nameserver, but since I can only reproduce this problem with this nameserver it feels like it's leaning more towards something wrong with the nameserver. And the problem might well be that the nameserver doesn't accept TCP on port 53 in the end.

EDIT:

So this specific issue with nslookup seems to be a bug in the Windows version, as I get the same error when querying ns1.google.com for google.com as well.

The issue still stands with the Windows DNS server not being able to look up the domain when DNSSEC validation is enabled, for some reason, and I think it's because TCP on port 53 isn't open.
 
woobilicious
just joined
Posts: 5
Joined: Sat Dec 24, 2022 12:04 am

Re: Can't resolve mynetname.net when DNSSEC validation is enabled

Mon Mar 25, 2024 5:14 am

systemd-resolved also bugs out and Firefox throws a non-descript error due to this... probably won't be buying a MikroTik next. After IPv6 being mangled and corrupted on v7 firmware, and UPnP having fixable security issues (like not validating the client's IP against the requested IP, adding port 0 as a rule), RouterOS seems more of a liability at this point. Probably flash OpenWrt to get functioning IPv6 and CoDel/CAKE working.

You can see here that the router throws a SERVFAIL, and then the second request works without the DNSSEC stuff. dig directly to the configured server works fine, as per the last query:
❯ dig -t DNSKEY docs.gtk.org @192.168.88.1

; <<>> DiG 9.18.21 <<>> -t DNSKEY docs.gtk.org @192.168.88.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 27036
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;docs.gtk.org.                  IN      DNSKEY

;; Query time: 1004 msec
;; SERVER: 192.168.88.1#53(192.168.88.1) (UDP)
;; WHEN: Mon Mar 25 15:42:01 NZDT 2024
;; MSG SIZE  rcvd: 30

❯ dig -t DNSKEY docs.gtk.org @192.168.88.1

; <<>> DiG 9.18.21 <<>> -t DNSKEY docs.gtk.org @192.168.88.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24893
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;docs.gtk.org.                  IN      DNSKEY

;; ANSWER SECTION:
docs.gtk.org.           599     IN      CNAME   ocp-ingress.fastly.gnome.org.

;; Query time: 460 msec
;; SERVER: 192.168.88.1#53(192.168.88.1) (UDP)
;; WHEN: Mon Mar 25 15:55:02 NZDT 2024
;; MSG SIZE  rcvd: 69

❯ dig -t DNSKEY docs.gtk.org @192.168.88.1

; <<>> DiG 9.18.21 <<>> -t DNSKEY docs.gtk.org @192.168.88.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28783
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;docs.gtk.org.                  IN      DNSKEY

;; Query time: 8 msec
;; SERVER: 192.168.88.1#53(192.168.88.1) (UDP)
;; WHEN: Mon Mar 25 15:56:36 NZDT 2024
;; MSG SIZE  rcvd: 30
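As an added example (my code, not anything posted in the thread, nor MikroTik's or Microsoft's), here is a small Python diagnostic for the two things the first post checked by hand (SOA serials on ns1/ns2 and whether they answer on TCP port 53) and for what the SERVFAIL in the dig output above looks like on the wire. It builds an SOA query carrying the EDNS0 DO bit that a validating resolver sets, parses the reply (rcode, TC flag, SOA serial), and repeats the query over TCP with the two-byte length prefix, which is the retry a validator makes when a DNSSEC-sized answer comes back truncated and the step that cannot succeed against a server closed on 53/TCP. The zone name, the SOA contents in make_soa_response and the serial are constructed sample values, and all function and variable names are mine.

```python
import socket
import struct

# Constructed sample values for this example; nothing here is taken from the thread's output.
ZONE = "mynetname.net"
SOA_TYPE = 6
RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN"}

def encode_name(name):
    """Encode a dotted name as DNS wire-format labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += struct.pack("!B", len(label)) + label.encode("ascii")
    return out + b"\x00"

def build_query(name, qtype, txid=0x1234, dnssec_ok=True):
    """RD query; with dnssec_ok an EDNS0 OPT record with the DO bit is appended, as a validator sends."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1 if dnssec_ok else 0)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN
    # OPT RR: root name, type 41, UDP payload 4096, ext-rcode 0, version 0, flags DO, rdlen 0
    opt = b"\x00" + struct.pack("!HHBBHH", 41, 4096, 0, 0, 0x8000, 0) if dnssec_ok else b""
    return header + question + opt

def parse_name(msg, offset):
    """Decode a (possibly compressed) name; return (name, offset just after it)."""
    labels, end, jumped = [], None, False
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels) + ".", (offset if end is None else end)

def parse_response(msg):
    """Return the rcode, the TC flag and every SOA serial carried in the message."""
    _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    offset = 12
    for _ in range(qd):
        _, offset = parse_name(msg, offset)
        offset += 4  # qtype + qclass
    serials = []
    for _ in range(an + ns + ar):
        owner, offset = parse_name(msg, offset)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        if rtype == SOA_TYPE:
            _, pos = parse_name(msg, offset)  # MNAME
            _, pos = parse_name(msg, pos)     # RNAME; the serial is the next 32-bit field
            serials.append((owner, struct.unpack("!I", msg[pos:pos + 4])[0]))
        offset += rdlen
    return {"rcode": RCODES.get(flags & 0xF, flags & 0xF), "tc": bool(flags & 0x0200), "soa": serials}

def make_soa_response(serial, truncated=False, txid=0x1234):
    """Constructed SOA answer for ZONE so the parser can be exercised offline."""
    flags = 0x8180 | (0x0200 if truncated else 0)  # QR, RD, RA, optionally TC
    header = struct.pack("!HHHHHH", txid, flags, 1, 1, 0, 0)
    question = encode_name(ZONE) + struct.pack("!HH", SOA_TYPE, 1)
    rdata = (encode_name("ns1.kissthenet.net") + encode_name("hostmaster." + ZONE)
             + struct.pack("!IIIII", serial, 3600, 900, 604800, 300))
    answer = b"\xc0\x0c" + struct.pack("!HHIH", SOA_TYPE, 1, 3600, len(rdata)) + rdata
    return header + question + answer

def query(server, packet, tcp=False, timeout=3):
    """Send one query over UDP, or over TCP with the two-byte length prefix of RFC 1035."""
    if not tcp:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(packet, (server, 53))
            return s.recv(4096)
    with socket.create_connection((server, 53), timeout=timeout) as s:
        s.sendall(struct.pack("!H", len(packet)) + packet)
        stream = s.makefile("rb")
        (length,) = struct.unpack("!H", stream.read(2))
        return stream.read(length)

def check_nameserver(server, zone):
    """SOA over UDP with DO set, then over TCP (the retry a validator makes on a truncated answer)."""
    packet = build_query(zone, SOA_TYPE)
    udp = parse_response(query(server, packet))
    report = {"rcode": udp["rcode"], "truncated": udp["tc"], "soa": udp["soa"], "tcp_ok": True}
    try:
        report["soa_tcp"] = parse_response(query(server, packet, tcp=True))["soa"]
    except (OSError, struct.error) as exc:  # refused, reset, filtered or cut short on 53/TCP
        report.update(tcp_ok=False, error=str(exc))
    return report

if __name__ == "__main__":  # compare both authoritative servers' serials, as the first post did by hand
    for ns in ("ns1.kissthenet.net", "ns2.kissthenet.net"):
        print(ns, check_nameserver(ns, ZONE))
```

Run with python3; nothing touches the network on import. For each server the report gives the rcode, whether the UDP answer was truncated, the serial seen over UDP and over TCP, and tcp_ok. Two reports with different serials are the sync problem the first post describes, and tcp_ok=False is the condition under which a validating resolver that needs the TCP retry ends up returning SERVFAIL to its clients.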
