Seeing lots of DNS issues on OpenWRT

Ed Daniel esdaniel at esdaniel.com
Fri Sep 23 19:59:49 UTC 2022


As per your previous email at 17:54 where you shared Sparklight's response: 
Quad9 uses strict DNS checking iirc, so you should add another couple of 
cloud DNS resolvers like 1.1.1.1 and 8.8.8.8 that fall back to resolving 
when DNSSEC is broken at the destination.

forwarders {
	// Sparklight
	// 24.116.0.53;
	// 24.116.2.50;
	9.9.9.9;
	8.8.8.8;
	1.1.1.1;
};

Others will probably have smarter thoughts to share than this but it 
should get you working again.

HTH,
Ed.


On 23/09/2022 20:18, Philip Prindeville wrote:
> Hi all,
> 
> I've changed locations (moved houses) and consequently ISPs (now on Sparklight, used to have CTC) and I'm seeing a slew of DNS issues I didn't have before like:
> 
> Sep 23 11:42:13 OpenWrt3 named[28113]: timed out resolving 'wdatpsngatewaytmcacane.trafficmanager.net/A/IN': 9.9.9.9#53
> Sep 23 11:42:21 OpenWrt3 named[28113]: timed out resolving 'ubuntu.com/DS/IN': 9.9.9.9#53
> Sep 23 11:42:21 OpenWrt3 named[28113]: broken trust chain resolving 'connectivity-check.ubuntu.com/A/IN': 9.9.9.9#53
> Sep 23 11:42:31 OpenWrt3 named[28113]: managed-keys-zone: Key 20326 for zone . is now trusted (acceptance timer complete)
> Sep 23 11:42:44 OpenWrt3 named[28113]: timed out resolving 'visualstudio.com/DS/IN': 9.9.9.9#53
> Sep 23 11:42:44 OpenWrt3 named[28113]: broken trust chain resolving 'dc.services.visualstudio.com/A/IN': 9.9.9.9#53
> Sep 23 11:43:19 OpenWrt3 named[28113]: timed out resolving 'connectivity-check.ubuntu.com/A/IN': 9.9.9.9#53
> Sep 23 11:43:20 OpenWrt3 named[28113]: timed out resolving 'tp.b16066390-frontier.amazonalexa.com/A/IN': 9.9.9.9#53
> Sep 23 11:43:22 OpenWrt3 named[28113]: timed out resolving 'connectivity-check.ubuntu.com/A/IN': 9.9.9.9#53
> Sep 23 11:43:22 OpenWrt3 named[28113]: timed out resolving 'fmfmobile.fe.apple-dns.net/A/IN': 9.9.9.9#53
> Sep 23 11:43:26 OpenWrt3 named[28113]: timed out resolving 'connectivity-check.ubuntu.com/A/IN': 9.9.9.9#53
> Sep 23 11:43:26 OpenWrt3 named[28113]: timed out resolving 'tp.b16066390-frontier.amazonalexa.com/A/IN': 9.9.9.9#53
> Sep 23 11:43:45 OpenWrt3 named[28113]: timed out resolving 'us-sandbox-courier-4.push-apple.com.akadns.net/A/IN': 9.9.9.9#53
> Sep 23 11:43:45 OpenWrt3 named[28113]: timed out resolving 'e6858.dscx.akamaiedge.net/A/IN': 9.9.9.9#53
> Sep 23 11:43:50 OpenWrt3 named[28113]: timed out resolving 'imap.gmail.com/A/IN': 9.9.9.9#53
> Sep 23 11:43:50 OpenWrt3 named[28113]: timed out resolving 'mail.employees.org/A/IN': 9.9.9.9#53
> Sep 23 11:43:55 OpenWrt3 named[28113]: timed out resolving 'swdist.apple.com/A/IN': 9.9.9.9#53
> Sep 23 11:43:56 OpenWrt3 named[28113]:   validating x.incapdns.net/SOA: no valid signature found
> Sep 23 11:44:08 OpenWrt3 named[28113]: timed out resolving '16.courier-push-apple.com.akadns.net/A/IN': 9.9.9.9#53
> Sep 23 11:44:09 OpenWrt3 named[28113]: timed out resolving 'sdk.split.io/A/IN': 9.9.9.9#53
> Sep 23 11:44:09 OpenWrt3 named[28113]: timed out resolving 'e3.shared.global.fastly.net/HTTPS/IN': 9.9.9.9#53
> Sep 23 11:45:39 OpenWrt3 named[28113]: timed out resolving 's-0005.s-msedge.net/HTTPS/IN': 9.9.9.9#53
> Sep 23 11:45:49 OpenWrt3 named[28113]: timed out resolving 'onedscolprdwus03.westus.cloudapp.azure.com/A/IN': 9.9.9.9#53
> Sep 23 11:46:24 OpenWrt3 named[28113]: timed out resolving 'onedscolprdwus03.westus.cloudapp.azure.com/A/IN': 9.9.9.9#53
> Sep 23 11:47:07 OpenWrt3 named[28113]: timed out resolving 'e6987.a.akamaiedge.net/A/IN': 9.9.9.9#53
> Sep 23 11:49:05 OpenWrt3 named[28113]: timed out resolving 'teams.office.com/A/IN': 9.9.9.9#53
> Sep 23 11:49:29 OpenWrt3 named[28113]: timed out resolving '2.courier-push-apple.com.akadns.net/A/IN': 9.9.9.9#53
> Sep 23 11:49:29 OpenWrt3 named[28113]: timed out resolving 'gateway.fe.apple-dns.net/A/IN': 9.9.9.9#53
> Sep 23 11:50:03 OpenWrt3 named[28113]: timed out resolving 'ak.privatelink.msidentity.com/A/IN': 9.9.9.9#53
> Sep 23 11:50:19 OpenWrt3 named[28113]: timed out resolving 'safebrowsing.googleapis.com/A/IN': 9.9.9.9#53
> Sep 23 11:50:20 OpenWrt3 named[28113]: timed out resolving 'netgear.com/DS/IN': 9.9.9.9#53
> Sep 23 11:50:20 OpenWrt3 named[28113]: broken trust chain resolving '_adsp._domainkey.netgear.com/TXT/IN': 9.9.9.9#53
> Sep 23 11:50:20 OpenWrt3 named[28113]: broken trust chain resolving 'image.e.netgear.com/A/IN': 9.9.9.9#53
> Sep 23 11:50:20 OpenWrt3 named[28113]: broken trust chain resolving 'netgear.com/A/IN': 9.9.9.9#53
> Sep 23 11:50:20 OpenWrt3 named[28113]: broken trust chain resolving 'netgear.com/NS/IN': 9.9.9.9#53
> Sep 23 11:50:20 OpenWrt3 named[28113]: broken trust chain resolving 'community.netgear.com/A/IN': 9.9.9.9#53
> Sep 23 11:50:20 OpenWrt3 named[28113]: broken trust chain resolving 'www.netgear.com/A/IN': 9.9.9.9#53
> Sep 23 11:50:20 OpenWrt3 named[28113]: timed out resolving 'support-intelligence.net/DS/IN': 9.9.9.9#53
> Sep 23 11:50:20 OpenWrt3 named[28113]: broken trust chain resolving 'netgear.com.dob.sibl.support-intelligence.net/A/IN': 9.9.9.9#53
> Sep 23 11:50:20 OpenWrt3 named[28113]: broken trust chain resolving 'khoros-mail.com.dob.sibl.support-intelligence.net/A/IN': 9.9.9.9#53
> Sep 23 11:50:20 OpenWrt3 named[28113]: timed out resolving '58.249.124.192.zen.spamhaus.org/A/IN': 9.9.9.9#53
> Sep 23 11:50:20 OpenWrt3 named[28113]: timed out resolving 'ns3.dnsmadeeasy.com/A/IN': 9.9.9.9#53
> Sep 23 11:50:20 OpenWrt3 named[28113]: timed out resolving 'ns4.dnsmadeeasy.com/A/IN': 9.9.9.9#53
> Sep 23 11:50:20 OpenWrt3 named[28113]: timed out resolving 'ns0.dnsmadeeasy.com/A/IN': 9.9.9.9#53
> Sep 23 11:50:20 OpenWrt3 named[28113]: timed out resolving 'sendgrid.net/A/IN': 9.9.9.9#53
> Sep 23 11:50:46 OpenWrt3 named[28113]: timed out resolving 'gateway.fe.apple-dns.net/A/IN': 9.9.9.9#53
> Sep 23 11:51:23 OpenWrt3 named[28113]: timed out resolving 'amazonalexa.com/DS/IN': 9.9.9.9#53
> Sep 23 11:51:23 OpenWrt3 named[28113]: broken trust chain resolving 'tp.b16066390-frontier.amazonalexa.com/AAAA/IN': 9.9.9.9#53
> Sep 23 11:51:59 OpenWrt3 named[28113]: timed out resolving 'sdk.split.io/HTTPS/IN': 9.9.9.9#53
> Sep 23 11:52:20 OpenWrt3 named[28113]: timed out resolving 'www-linkedin-com.l-0005.l-msedge.net/A/IN': 9.9.9.9#53
> Sep 23 11:53:04 OpenWrt3 named[28113]: timed out resolving 'calendar.google.com/HTTPS/IN': 9.9.9.9#53
> Sep 23 11:53:04 OpenWrt3 named[28113]: timed out resolving 'calendar.google.com/A/IN': 9.9.9.9#53
> Sep 23 11:56:04 OpenWrt3 named[28113]: timed out resolving '113673-23.chat.api.drift.com/HTTPS/IN': 9.9.9.9#53
> Sep 23 11:56:07 OpenWrt3 named[28113]: timed out resolving 'trouter2-azsc-usce-1-b.cloudapp.net/AAAA/IN': 9.9.9.9#53
> Sep 23 11:57:46 OpenWrt3 named[28113]: timed out resolving 'azurewebsites.net/DS/IN': 9.9.9.9#53
> Sep 23 11:57:46 OpenWrt3 named[28113]: broken trust chain resolving 'opensourcereposprod.azurewebsites.net/A/IN': 9.9.9.9#53
> Sep 23 11:58:04 OpenWrt3 named[28113]: timed out resolving 'gateway.prod.us-east-1.forester.a2z.com/A/IN': 9.9.9.9#53
> Sep 23 11:58:04 OpenWrt3 named[28113]: timed out resolving 'gateway.prod.us-east-1.forester.a2z.com/HTTPS/IN': 9.9.9.9#53
> Sep 23 11:58:51 OpenWrt3 named[28113]: timed out resolving 'crateandbarrel.syf.com.edgekey.net/A/IN': 9.9.9.9#53
> Sep 23 11:58:51 OpenWrt3 named[28113]: timed out resolving 'awsdns-40.net/DS/IN': 9.9.9.9#53
> Sep 23 11:58:51 OpenWrt3 named[28113]: broken trust chain resolving 'ns-832.awsdns-40.net/A/IN': 9.9.9.9#53
> Sep 23 11:59:04 OpenWrt3 named[28113]: timed out resolving 'pd-cdn.itunes-apple.com.akadns.net/HTTPS/IN': 9.9.9.9#53
> Sep 23 11:59:13 OpenWrt3 named[28113]: timed out resolving 'prod.ocws1.live.com.akadns.net/A/IN': 9.9.9.9#53
> 
> 
> As you can see, a LOT of noise.
> 
> And I can't use the ISP's name servers because they've disabled DNSSEC (which frankly terrifies me).
> 
> My config largely looks like:
> 
> 
> // This is the primary configuration file for the BIND DNS server named.
> 
> options {
> 	directory "/tmp";
> 
> 	// If your ISP provided one or more IP addresses for stable
> 	// nameservers, you probably want to use them as forwarders.
> 	// Uncomment the following block, and insert the addresses replacing
> 	// the all-0's placeholder.
> 
> 	forwarders {
> 		// Sparklight
> 		// 24.116.0.53;
> 		// 24.116.2.50;
> 		9.9.9.9;
> 	};
> 
> 	recursion yes;
> 
> 	// note that all subnets are visible to each other;
> 	// if we wished to isolate them we could use "views".
> 	allow-query {
> 		localhost;
> 		192.168.6.0/24;
> 		192.168.7.0/24;
> 		192.168.8.0/24;
> 	};
> 
> 	auth-nxdomain no;    # conform to RFC1035
> 
> 	// added by philipp
> 	allow-transfer { none; };
> 	// dnssec-validation no;
> 	dnssec-validation auto;
> 	listen-on-v6 { none; };
> };
> 
> include "/etc/bind/named-rndc.conf";
> 
> include "/tmp/bind/named.conf.local";
> 
> // prime the server with knowledge of the root servers
> zone "." {
> 	type hint;
> 	file "/etc/bind/db.root";
> };
> 
> // be authoritative for the localhost forward and reverse zones, and for
> // broadcast zones as per RFC 1912
> 
> zone "localhost" {
> 	type master;
> 	file "/etc/bind/db.local";
> };
> 
> zone "127.in-addr.arpa" {
> 	type master;
> 	file "/etc/bind/db.127";
> };
> 
> zone "0.in-addr.arpa" {
> 	type master;
> 	file "/etc/bind/db.0";
> };
> 
> zone "255.in-addr.arpa" {
> 	type master;
> 	file "/etc/bind/db.255";
> };
> 
> 
> And /tmp/bind/named.conf.local relates to a couple of dynamically generated zones that ISC-DHCP writes:
> 
> 
> zone "redfish-solutions.com" {
> 	type master;
> 	file "/tmp/bind/db.redfish-solutions.com";
> 	update-policy {
> 		grant local-ddns zonesub any;
> 	};
> };
> 
> zone "168.192.in-addr.arpa" {
> 	type master;
> 	file "/tmp/bind/db.168.192.in-addr.arpa";
> 	update-policy {
> 		grant local-ddns zonesub any;
> 	};
> };
> 
> 
> 
> Why all the timeouts and broken trust chains?
> 
> Is something wrong with my configuration?  My build is:
> 
> 
> BIND 9.18.4 (Stable Release) <id:1712e5b>
> running on Linux x86_64 5.10.75 #0 SMP Thu Oct 28 23:05:28 2021
> built by make with  '--target=x86_64-openwrt-linux' '--host=x86_64-openwrt-linux' '--build=x86_64-pc-linux-gnu' '--program-prefix=' '--program-suffix=' '--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin' '--libexecdir=/usr/lib' '--sysconfdir=/etc' '--datadir=/usr/share' '--localstatedir=/var' '--mandir=/usr/man' '--infodir=/usr/info' '--with-openssl=/home/philipp/lede/staging_dir/target-x86_64_musl/usr' '--without-lmdb' '--enable-epoll' '--without-gssapi' '--without-readline' '--sysconfdir=/etc/bind' '--with-json-c=no' '--with-libxml2=no' '--enable-doh' 'build_alias=x86_64-pc-linux-gnu' 'host_alias=x86_64-openwrt-linux' 'target_alias=x86_64-openwrt-linux' 'CC=x86_64-openwrt-linux-musl-gcc' 'CFLAGS=-Os -pipe -fno-caller-saves -fno-plt -fhonour-copts -Wno-error=unused-but-set-variable -Wno-error=unused-result -fmacro-prefix-map=/home/philipp/lede/build_dir/target-x86_64_musl/bind-9.18.4=bind-9.18.4 -Wformat -Werror=format-security -fstack-protector -D_FORTIFY_SOURCE=1 -Wl,-z,now -Wl,-z,relro   ' 'LDFLAGS=-L/home/philipp/lede/staging_dir/toolchain-x86_64_gcc-11.3.0_musl/usr/lib -L/home/philipp/lede/staging_dir/toolchain-x86_64_gcc-11.3.0_musl/lib -znow -zrelro   -Wl,--gc-sections,--as-needed ' 'CPPFLAGS=-I/home/philipp/lede/staging_dir/toolchain-x86_64_gcc-11.3.0_musl/usr/include -I/home/philipp/lede/staging_dir/toolchain-x86_64_gcc-11.3.0_musl/include/fortify -I/home/philipp/lede/staging_dir/toolchain-x86_64_gcc-11.3.0_musl/include   ' 'PKG_CONFIG=/home/philipp/lede/staging_dir/host/bin/pkg-config' 'PKG_CONFIG_PATH=/home/philipp/lede/staging_dir/target-x86_64_musl/usr/lib/pkgconfig:/home/philipp/lede/staging_dir/target-x86_64_musl/usr/share/pkgconfig' 'PKG_CONFIG_LIBDIR=/home/philipp/lede/staging_dir/target-x86_64_musl/usr/lib/pkgconfig:/home/philipp/lede/staging_dir/target-x86_64_musl/usr/share/pkgconfig'
> compiled by GCC 11.3.0
> compiled with OpenSSL version: OpenSSL 1.1.1q  5 Jul 2022
> linked to OpenSSL version: OpenSSL 1.1.1l  24 Aug 2021
> compiled with libuv version: 1.44.1
> linked to libuv version: 1.41.1
> compiled with libnghttp2 version: 1.44.0
> linked to libnghttp2 version: 1.44.0
> compiled with zlib version: 1.2.12
> linked to zlib version: 1.2.11
> threads support is enabled
> 
> default paths:
>    named configuration:  /etc/bind/named.conf
>    rndc configuration:   /etc/bind/rndc.conf
>    DNSSEC root key:      /etc/bind/bind.keys
>    nsupdate session key: /var/run/named/session.key
>    named PID file:       /var/run/named/named.pid
>    named lock file:      /var/run/named/named.lock
> 
> 
> And it gets fired up as:
> 
> /usr/sbin/named -u bind -f -c /etc/bind/named.conf
> 
> Via the init.d wrapper.
> 
> Probably should run it with -4 since my ISP didn't provide me an IPv6 address...   I'll look into an easy way of detecting IPv6 provisioning on public interfaces and add that argument if it's absent.
> 
> -Philip
> 
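Added example, not part of either message in the thread: a small Python triage script that parses named log lines of the shape quoted above and checks whether each "broken trust chain" can be traced back to an earlier timed-out DS lookup for the same name or a parent zone. That is the pattern visible in the quoted log (the DS query for ubuntu.com or netgear.com times out at 9.9.9.9, and the validator then reports a broken chain for the child names), and it separates "the forwarder is not answering in time" from "the zone's DNSSEC signing is actually broken". The sample log is a constructed subset of the posted lines; all function names are mine.

```python
import re
from collections import Counter

# Constructed sample in the shape of the named log lines quoted in the thread
# (a subset of the posted lines, timestamps and names as posted).
SAMPLE_LOG = """\
Sep 23 11:42:13 OpenWrt3 named[28113]: timed out resolving 'wdatpsngatewaytmcacane.trafficmanager.net/A/IN': 9.9.9.9#53
Sep 23 11:42:21 OpenWrt3 named[28113]: timed out resolving 'ubuntu.com/DS/IN': 9.9.9.9#53
Sep 23 11:42:21 OpenWrt3 named[28113]: broken trust chain resolving 'connectivity-check.ubuntu.com/A/IN': 9.9.9.9#53
Sep 23 11:42:31 OpenWrt3 named[28113]: managed-keys-zone: Key 20326 for zone . is now trusted (acceptance timer complete)
Sep 23 11:43:56 OpenWrt3 named[28113]:   validating x.incapdns.net/SOA: no valid signature found
Sep 23 11:50:20 OpenWrt3 named[28113]: timed out resolving 'netgear.com/DS/IN': 9.9.9.9#53
Sep 23 11:50:20 OpenWrt3 named[28113]: broken trust chain resolving 'www.netgear.com/A/IN': 9.9.9.9#53
Sep 23 11:50:20 OpenWrt3 named[28113]: broken trust chain resolving 'netgear.com/A/IN': 9.9.9.9#53
"""

# syslog prefix: timestamp, host, "named[pid]:", then the message
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) named\[(?P<pid>\d+)\]:\s+(?P<msg>.*)$"
)
# "timed out resolving 'name/TYPE/IN': server#port" and the broken-trust-chain variant
RESOLVE_RE = re.compile(
    r"^(?P<kind>timed out|broken trust chain) resolving "
    r"'(?P<name>[^/]+)/(?P<qtype>[^/]+)/IN': (?P<server>[\d.:a-fA-F]+)#(?P<port>\d+)$"
)
# "validating name/TYPE: reason" (a genuine validator complaint, no server involved)
VALIDATE_RE = re.compile(r"^validating (?P<name>[^/]+)/(?P<qtype>\S+): (?P<reason>.*)$")


def parse_line(line):
    """Return a dict for one resolver-failure line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    msg = m.group("msg")
    ev = {"ts": m.group("ts"), "kind": None, "name": None, "qtype": None, "server": None}
    r = RESOLVE_RE.match(msg)
    if r:
        ev.update(kind="timeout" if r.group("kind") == "timed out" else "broken_chain",
                  name=r.group("name").lower(), qtype=r.group("qtype"), server=r.group("server"))
        return ev
    v = VALIDATE_RE.match(msg)
    if v:
        ev.update(kind="no_signature", name=v.group("name").lower(), qtype=v.group("qtype"))
        return ev
    return None  # trust-anchor and startup chatter is not a resolver failure


def ancestors(name):
    """Yield parent zones, closest first: 'www.netgear.com' -> 'netgear.com', 'com'."""
    labels = name.rstrip(".").split(".")
    for i in range(1, len(labels)):
        yield ".".join(labels[i:])


def summarize(log_text):
    """Count events and tie each broken trust chain to a timed-out DS lookup where possible."""
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    by_kind = Counter(e["kind"] for e in events)
    by_server = Counter(e["server"] for e in events if e["server"])
    # DS records live in the parent zone; a timed-out DS query leaves the validator
    # unable to prove the child is signed or unsigned, hence "broken trust chain"
    ds_timeouts = {e["name"] for e in events if e["kind"] == "timeout" and e["qtype"] == "DS"}
    explained, unexplained = {}, []
    for e in events:
        if e["kind"] != "broken_chain":
            continue
        cause = next((z for z in [e["name"], *ancestors(e["name"])] if z in ds_timeouts), None)
        if cause:
            explained[e["name"]] = cause
        else:
            unexplained.append(e["name"])
    return {
        "by_kind": dict(by_kind),
        "by_server": dict(by_server),
        "chains_explained_by_ds_timeout": explained,
        "chains_unexplained": unexplained,
    }


def diagnose(summary):
    """Crude verdict: chains that all trace to DS timeouts point at the forwarder, not at DNSSEC."""
    broken = summary["by_kind"].get("broken_chain", 0)
    if broken and not summary["chains_unexplained"]:
        return "forwarder-timeouts"
    if summary["by_kind"].get("no_signature", 0) or summary["chains_unexplained"]:
        return "validation-failures"
    if summary["by_kind"].get("timeout", 0):
        return "timeouts-only"
    return "clean"


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print("events by kind:  ", s["by_kind"])
    print("events by server:", s["by_server"])
    for name, zone in s["chains_explained_by_ds_timeout"].items():
        print(f"broken chain for {name} <- DS lookup for {zone} timed out")
    print("verdict:", diagnose(s))
```

Run it against a real log with `summarize(open("/var/log/named.log").read())`; when the verdict is "forwarder-timeouts" and every server in `by_server` is the same address, the useful next step is the one Ed suggests, more than one forwarder, or checking reachability of that forwarder from the router, rather than turning `dnssec-validation` off.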