Seeing lots of DNS issues on OpenWRT

Philip Prindeville philipp_subx at redfish-solutions.com
Fri Sep 23 19:18:05 UTC 2022


Hi all,

I've changed locations (moved houses) and consequently ISPs (now on Sparklight, used to have CTC) and I'm seeing a slew of DNS issues I didn't have before like:

Sep 23 11:42:13 OpenWrt3 named[28113]: timed out resolving 'wdatpsngatewaytmcacane.trafficmanager.net/A/IN': 9.9.9.9#53
Sep 23 11:42:21 OpenWrt3 named[28113]: timed out resolving 'ubuntu.com/DS/IN': 9.9.9.9#53
Sep 23 11:42:21 OpenWrt3 named[28113]: broken trust chain resolving 'connectivity-check.ubuntu.com/A/IN': 9.9.9.9#53
Sep 23 11:42:31 OpenWrt3 named[28113]: managed-keys-zone: Key 20326 for zone . is now trusted (acceptance timer complete)
Sep 23 11:42:44 OpenWrt3 named[28113]: timed out resolving 'visualstudio.com/DS/IN': 9.9.9.9#53
Sep 23 11:42:44 OpenWrt3 named[28113]: broken trust chain resolving 'dc.services.visualstudio.com/A/IN': 9.9.9.9#53
Sep 23 11:43:19 OpenWrt3 named[28113]: timed out resolving 'connectivity-check.ubuntu.com/A/IN': 9.9.9.9#53
Sep 23 11:43:20 OpenWrt3 named[28113]: timed out resolving 'tp.b16066390-frontier.amazonalexa.com/A/IN': 9.9.9.9#53
Sep 23 11:43:22 OpenWrt3 named[28113]: timed out resolving 'connectivity-check.ubuntu.com/A/IN': 9.9.9.9#53
Sep 23 11:43:22 OpenWrt3 named[28113]: timed out resolving 'fmfmobile.fe.apple-dns.net/A/IN': 9.9.9.9#53
Sep 23 11:43:26 OpenWrt3 named[28113]: timed out resolving 'connectivity-check.ubuntu.com/A/IN': 9.9.9.9#53
Sep 23 11:43:26 OpenWrt3 named[28113]: timed out resolving 'tp.b16066390-frontier.amazonalexa.com/A/IN': 9.9.9.9#53
Sep 23 11:43:45 OpenWrt3 named[28113]: timed out resolving 'us-sandbox-courier-4.push-apple.com.akadns.net/A/IN': 9.9.9.9#53
Sep 23 11:43:45 OpenWrt3 named[28113]: timed out resolving 'e6858.dscx.akamaiedge.net/A/IN': 9.9.9.9#53
Sep 23 11:43:50 OpenWrt3 named[28113]: timed out resolving 'imap.gmail.com/A/IN': 9.9.9.9#53
Sep 23 11:43:50 OpenWrt3 named[28113]: timed out resolving 'mail.employees.org/A/IN': 9.9.9.9#53
Sep 23 11:43:55 OpenWrt3 named[28113]: timed out resolving 'swdist.apple.com/A/IN': 9.9.9.9#53
Sep 23 11:43:56 OpenWrt3 named[28113]:   validating x.incapdns.net/SOA: no valid signature found
Sep 23 11:44:08 OpenWrt3 named[28113]: timed out resolving '16.courier-push-apple.com.akadns.net/A/IN': 9.9.9.9#53
Sep 23 11:44:09 OpenWrt3 named[28113]: timed out resolving 'sdk.split.io/A/IN': 9.9.9.9#53
Sep 23 11:44:09 OpenWrt3 named[28113]: timed out resolving 'e3.shared.global.fastly.net/HTTPS/IN': 9.9.9.9#53
Sep 23 11:45:39 OpenWrt3 named[28113]: timed out resolving 's-0005.s-msedge.net/HTTPS/IN': 9.9.9.9#53
Sep 23 11:45:49 OpenWrt3 named[28113]: timed out resolving 'onedscolprdwus03.westus.cloudapp.azure.com/A/IN': 9.9.9.9#53
Sep 23 11:46:24 OpenWrt3 named[28113]: timed out resolving 'onedscolprdwus03.westus.cloudapp.azure.com/A/IN': 9.9.9.9#53
Sep 23 11:47:07 OpenWrt3 named[28113]: timed out resolving 'e6987.a.akamaiedge.net/A/IN': 9.9.9.9#53
Sep 23 11:49:05 OpenWrt3 named[28113]: timed out resolving 'teams.office.com/A/IN': 9.9.9.9#53
Sep 23 11:49:29 OpenWrt3 named[28113]: timed out resolving '2.courier-push-apple.com.akadns.net/A/IN': 9.9.9.9#53
Sep 23 11:49:29 OpenWrt3 named[28113]: timed out resolving 'gateway.fe.apple-dns.net/A/IN': 9.9.9.9#53
Sep 23 11:50:03 OpenWrt3 named[28113]: timed out resolving 'ak.privatelink.msidentity.com/A/IN': 9.9.9.9#53
Sep 23 11:50:19 OpenWrt3 named[28113]: timed out resolving 'safebrowsing.googleapis.com/A/IN': 9.9.9.9#53
Sep 23 11:50:20 OpenWrt3 named[28113]: timed out resolving 'netgear.com/DS/IN': 9.9.9.9#53
Sep 23 11:50:20 OpenWrt3 named[28113]: broken trust chain resolving '_adsp._domainkey.netgear.com/TXT/IN': 9.9.9.9#53
Sep 23 11:50:20 OpenWrt3 named[28113]: broken trust chain resolving 'image.e.netgear.com/A/IN': 9.9.9.9#53
Sep 23 11:50:20 OpenWrt3 named[28113]: broken trust chain resolving 'netgear.com/A/IN': 9.9.9.9#53
Sep 23 11:50:20 OpenWrt3 named[28113]: broken trust chain resolving 'netgear.com/NS/IN': 9.9.9.9#53
Sep 23 11:50:20 OpenWrt3 named[28113]: broken trust chain resolving 'community.netgear.com/A/IN': 9.9.9.9#53
Sep 23 11:50:20 OpenWrt3 named[28113]: broken trust chain resolving 'www.netgear.com/A/IN': 9.9.9.9#53
Sep 23 11:50:20 OpenWrt3 named[28113]: timed out resolving 'support-intelligence.net/DS/IN': 9.9.9.9#53
Sep 23 11:50:20 OpenWrt3 named[28113]: broken trust chain resolving 'netgear.com.dob.sibl.support-intelligence.net/A/IN': 9.9.9.9#53
Sep 23 11:50:20 OpenWrt3 named[28113]: broken trust chain resolving 'khoros-mail.com.dob.sibl.support-intelligence.net/A/IN': 9.9.9.9#53
Sep 23 11:50:20 OpenWrt3 named[28113]: timed out resolving '58.249.124.192.zen.spamhaus.org/A/IN': 9.9.9.9#53
Sep 23 11:50:20 OpenWrt3 named[28113]: timed out resolving 'ns3.dnsmadeeasy.com/A/IN': 9.9.9.9#53
Sep 23 11:50:20 OpenWrt3 named[28113]: timed out resolving 'ns4.dnsmadeeasy.com/A/IN': 9.9.9.9#53
Sep 23 11:50:20 OpenWrt3 named[28113]: timed out resolving 'ns0.dnsmadeeasy.com/A/IN': 9.9.9.9#53
Sep 23 11:50:20 OpenWrt3 named[28113]: timed out resolving 'sendgrid.net/A/IN': 9.9.9.9#53
Sep 23 11:50:46 OpenWrt3 named[28113]: timed out resolving 'gateway.fe.apple-dns.net/A/IN': 9.9.9.9#53
Sep 23 11:51:23 OpenWrt3 named[28113]: timed out resolving 'amazonalexa.com/DS/IN': 9.9.9.9#53
Sep 23 11:51:23 OpenWrt3 named[28113]: broken trust chain resolving 'tp.b16066390-frontier.amazonalexa.com/AAAA/IN': 9.9.9.9#53
Sep 23 11:51:59 OpenWrt3 named[28113]: timed out resolving 'sdk.split.io/HTTPS/IN': 9.9.9.9#53
Sep 23 11:52:20 OpenWrt3 named[28113]: timed out resolving 'www-linkedin-com.l-0005.l-msedge.net/A/IN': 9.9.9.9#53
Sep 23 11:53:04 OpenWrt3 named[28113]: timed out resolving 'calendar.google.com/HTTPS/IN': 9.9.9.9#53
Sep 23 11:53:04 OpenWrt3 named[28113]: timed out resolving 'calendar.google.com/A/IN': 9.9.9.9#53
Sep 23 11:56:04 OpenWrt3 named[28113]: timed out resolving '113673-23.chat.api.drift.com/HTTPS/IN': 9.9.9.9#53
Sep 23 11:56:07 OpenWrt3 named[28113]: timed out resolving 'trouter2-azsc-usce-1-b.cloudapp.net/AAAA/IN': 9.9.9.9#53
Sep 23 11:57:46 OpenWrt3 named[28113]: timed out resolving 'azurewebsites.net/DS/IN': 9.9.9.9#53
Sep 23 11:57:46 OpenWrt3 named[28113]: broken trust chain resolving 'opensourcereposprod.azurewebsites.net/A/IN': 9.9.9.9#53
Sep 23 11:58:04 OpenWrt3 named[28113]: timed out resolving 'gateway.prod.us-east-1.forester.a2z.com/A/IN': 9.9.9.9#53
Sep 23 11:58:04 OpenWrt3 named[28113]: timed out resolving 'gateway.prod.us-east-1.forester.a2z.com/HTTPS/IN': 9.9.9.9#53
Sep 23 11:58:51 OpenWrt3 named[28113]: timed out resolving 'crateandbarrel.syf.com.edgekey.net/A/IN': 9.9.9.9#53
Sep 23 11:58:51 OpenWrt3 named[28113]: timed out resolving 'awsdns-40.net/DS/IN': 9.9.9.9#53
Sep 23 11:58:51 OpenWrt3 named[28113]: broken trust chain resolving 'ns-832.awsdns-40.net/A/IN': 9.9.9.9#53
Sep 23 11:59:04 OpenWrt3 named[28113]: timed out resolving 'pd-cdn.itunes-apple.com.akadns.net/HTTPS/IN': 9.9.9.9#53
Sep 23 11:59:13 OpenWrt3 named[28113]: timed out resolving 'prod.ocws1.live.com.akadns.net/A/IN': 9.9.9.9#53


As you can see, a LOT of noise.

And I can't use the ISP's name servers because they've disabled DNSSEC (which frankly terrifies me).

My config largely looks like:


// This is the primary configuration file for the BIND DNS server named.

options {
	directory "/tmp";

	// If your ISP provided one or more IP addresses for stable 
	// nameservers, you probably want to use them as forwarders.  
	// Uncomment the following block, and insert the addresses replacing 
	// the all-0's placeholder.

	forwarders {
		// Sparklight
		// 24.116.0.53;
		// 24.116.2.50;
		9.9.9.9;
	};

	recursion yes;

	// note that all subnets are visible to each other;
	// if we wished to isolate them we could use "views".
	allow-query {
		localhost;
		192.168.6.0/24;
		192.168.7.0/24;
		192.168.8.0/24;
	};

	auth-nxdomain no;    # conform to RFC1035

	// added by philipp
	allow-transfer { none; };
	// dnssec-validation no;
	dnssec-validation auto;
	listen-on-v6 { none; };
};

include "/etc/bind/named-rndc.conf";

include "/tmp/bind/named.conf.local";

// prime the server with knowledge of the root servers
zone "." {
	type hint;
	file "/etc/bind/db.root";
};

// be authoritative for the localhost forward and reverse zones, and for
// broadcast zones as per RFC 1912

zone "localhost" {
	type master;
	file "/etc/bind/db.local";
};

zone "127.in-addr.arpa" {
	type master;
	file "/etc/bind/db.127";
};

zone "0.in-addr.arpa" {
	type master;
	file "/etc/bind/db.0";
};

zone "255.in-addr.arpa" {
	type master;
	file "/etc/bind/db.255";
};


And /tmp/bind/named.conf.local relates to a couple of dynamically generated zones that ISC-DHCP writes:


zone "redfish-solutions.com" {
	type master;
	file "/tmp/bind/db.redfish-solutions.com";
	update-policy {
		grant local-ddns zonesub any;
	};
};

zone "168.192.in-addr.arpa" {
	type master;
	file "/tmp/bind/db.168.192.in-addr.arpa";
	update-policy {
		grant local-ddns zonesub any;
	};
};



Why all the timeouts and broken trust chains?

Is something wrong with my configuration?  My build is:


BIND 9.18.4 (Stable Release) <id:1712e5b>
running on Linux x86_64 5.10.75 #0 SMP Thu Oct 28 23:05:28 2021
built by make with  '--target=x86_64-openwrt-linux' '--host=x86_64-openwrt-linux' '--build=x86_64-pc-linux-gnu' '--program-prefix=' '--program-suffix=' '--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin' '--libexecdir=/usr/lib' '--sysconfdir=/etc' '--datadir=/usr/share' '--localstatedir=/var' '--mandir=/usr/man' '--infodir=/usr/info' '--with-openssl=/home/philipp/lede/staging_dir/target-x86_64_musl/usr' '--without-lmdb' '--enable-epoll' '--without-gssapi' '--without-readline' '--sysconfdir=/etc/bind' '--with-json-c=no' '--with-libxml2=no' '--enable-doh' 'build_alias=x86_64-pc-linux-gnu' 'host_alias=x86_64-openwrt-linux' 'target_alias=x86_64-openwrt-linux' 'CC=x86_64-openwrt-linux-musl-gcc' 'CFLAGS=-Os -pipe -fno-caller-saves -fno-plt -fhonour-copts -Wno-error=unused-but-set-variable -Wno-error=unused-result -fmacro-prefix-map=/home/philipp/lede/build_dir/target-x86_64_musl/bind-9.18.4=bind-9.18.4 -Wformat -Werror=format-security -fstack-protector -D_FORTIFY_SOURCE=1 -Wl,-z,now -Wl,-z,relro   ' 'LDFLAGS=-L/home/philipp/lede/staging_dir/toolchain-x86_64_gcc-11.3.0_musl/usr/lib -L/home/philipp/lede/staging_dir/toolchain-x86_64_gcc-11.3.0_musl/lib -znow -zrelro   -Wl,--gc-sections,--as-needed ' 'CPPFLAGS=-I/home/philipp/lede/staging_dir/toolchain-x86_64_gcc-11.3.0_musl/usr/include -I/home/philipp/lede/staging_dir/toolchain-x86_64_gcc-11.3.0_musl/include/fortify -I/home/philipp/lede/staging_dir/toolchain-x86_64_gcc-11.3.0_musl/include   ' 'PKG_CONFIG=/home/philipp/lede/staging_dir/host/bin/pkg-config' 'PKG_CONFIG_PATH=/home/philipp/lede/staging_dir/target-x86_64_musl/usr/lib/pkgconfig:/home/philipp/lede/staging_dir/target-x86_64_musl/usr/share/pkgconfig' 'PKG_CONFIG_LIBDIR=/home/philipp/lede/staging_dir/target-x86_64_musl/usr/lib/pkgconfig:/home/philipp/lede/staging_dir/target-x86_64_musl/usr/share/pkgconfig'
compiled by GCC 11.3.0
compiled with OpenSSL version: OpenSSL 1.1.1q  5 Jul 2022
linked to OpenSSL version: OpenSSL 1.1.1l  24 Aug 2021
compiled with libuv version: 1.44.1
linked to libuv version: 1.41.1
compiled with libnghttp2 version: 1.44.0
linked to libnghttp2 version: 1.44.0
compiled with zlib version: 1.2.12
linked to zlib version: 1.2.11
threads support is enabled

default paths:
  named configuration:  /etc/bind/named.conf
  rndc configuration:   /etc/bind/rndc.conf
  DNSSEC root key:      /etc/bind/bind.keys
  nsupdate session key: /var/run/named/session.key
  named PID file:       /var/run/named/named.pid
  named lock file:      /var/run/named/named.lock


And it gets fired up as:

/usr/sbin/named -u bind -f -c /etc/bind/named.conf

Via the init.d wrapper.

Probably should run it with -4 since my ISP didn't provide me an IPv6 address...   I'll look into an easy way of detecting IPv6 provisioning on public interfaces and add that argument if it's absent.

-Philip
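An added example, not part of this message or of BIND itself: a small triage script for named log lines in the format quoted above. It counts failures per kind and per upstream server, and separates the 'broken trust chain' entries that follow a timed-out DS lookup for an ancestor zone (a forwarder reachability symptom, as with ubuntu.com and netgear.com above) from any that do not, which would deserve a closer look as a possible genuine DNSSEC problem. The sample lines are constructed from the excerpt; the regexes and function names are my own assumptions.

```python
import re
from collections import Counter
# Constructed sample in the format of the named log excerpt above, not the full log.
SAMPLE_LOG = """\
Sep 23 11:42:21 OpenWrt3 named[28113]: timed out resolving 'ubuntu.com/DS/IN': 9.9.9.9#53
Sep 23 11:42:21 OpenWrt3 named[28113]: broken trust chain resolving 'connectivity-check.ubuntu.com/A/IN': 9.9.9.9#53
Sep 23 11:43:50 OpenWrt3 named[28113]: timed out resolving 'imap.gmail.com/A/IN': 9.9.9.9#53
Sep 23 11:43:56 OpenWrt3 named[28113]:   validating x.incapdns.net/SOA: no valid signature found
Sep 23 11:50:20 OpenWrt3 named[28113]: timed out resolving 'netgear.com/DS/IN': 9.9.9.9#53
Sep 23 11:50:20 OpenWrt3 named[28113]: broken trust chain resolving 'www.netgear.com/A/IN': 9.9.9.9#53
"""

# "<kind> resolving '<name>/<rtype>/IN': <server>#<port>"  (upstream-related failures)
RESOLVE_RE = re.compile(
    r"named\[\d+\]:\s+(?P<kind>timed out|broken trust chain) resolving "
    r"'(?P<name>[^/']+)/(?P<rtype>[A-Z0-9]+)/IN': (?P<server>[0-9a-fA-F.:]+)#\d+")
# "validating <name>/<rtype>: no valid signature found"  (a genuine signature failure)
SIG_RE = re.compile(r"validating (?P<name>[^/\s]+)/(?P<rtype>\S+): no valid signature found")

def parse(log):
    """Turn named log text into event dicts; unrecognised lines are skipped."""
    events = []
    for line in log.splitlines():
        m = RESOLVE_RE.search(line)
        if m:
            events.append({"kind": m["kind"], "name": m["name"], "rtype": m["rtype"], "server": m["server"]})
            continue
        m = SIG_RE.search(line)
        if m:
            events.append({"kind": "no valid signature", "name": m["name"], "rtype": m["rtype"], "server": None})
    return events

def summarize(events):
    """Count failures per kind and upstream; split 'broken trust chain' events into those
    preceded by a timed-out DS lookup of an ancestor zone and those that are not."""
    ds_timeouts = {e["name"] for e in events if e["kind"] == "timed out" and e["rtype"] == "DS"}
    broken = [e["name"] for e in events if e["kind"] == "broken trust chain"]
    # a name is covered by zone z if it equals z or is a subdomain of z
    explained = [n for n in broken if any(n == z or n.endswith("." + z) for z in ds_timeouts)]
    return {
        "by_kind": Counter(e["kind"] for e in events),
        "by_server": Counter(e["server"] for e in events if e["server"]),
        "ds_timeouts": sorted(ds_timeouts),
        "chain_after_ds_timeout": explained,
        "chain_unexplained": [n for n in broken if n not in explained],
    }

if __name__ == "__main__":
    for key, value in summarize(parse(SAMPLE_LOG)).items():
        print(key, value)
```

Feeding the full excerpt through it gives the same picture: almost every trust-chain failure sits under a zone whose DS query to 9.9.9.9 timed out, which is the pattern to check first before suspecting validation itself.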
