Unbound+Adguard do not resolve any .sx domain

Hello all,

I installed dietpi yesterday because I wanted to try Adguard in combination with unbound. (I had been using Pihole before.)
Everything works out of the box and setup was really easy - I encountered a strange problem though.
Any domain ending in .sx is not being resolved. Adguard shows this reply: SERVFAIL.
I just noticed it because my company uses an .sx domain for their vpn server.
The same problem with this page for example:
http://www.registry.sx

dig registry.sx @127.0.0.1 -p 5335

; <<>> DiG 9.16.15-Raspbian <<>> registry.sx @127.0.0.1 -p 5335
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 62978
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;registry.sx.                   IN      A

;; Query time: 0 msec
;; SERVER: 127.0.0.1#5335(127.0.0.1)
;; WHEN: Thu Sep 09 09:08:36 CEST 2021
;; MSG SIZE  rcvd: 40

If I set the client to use Google DNS the domain gets resolved.

Hi,

The issue seems to be with the domain itself: it looks like it is rated as insecure, because the domain doesn't seem to have a valid DNSKEY.

I did some tracing and found the following.

1st test was to ask the Quad9 public DNS server:

10:33:35.300433 eth0  Out IP 192.168.0.79.48107 > 9.9.9.9.53: 23302+ [1au] A? registry.sx. (52)
10:33:40.306411 eth0  Out IP 192.168.0.79.48107 > 9.9.9.9.53: 23302+ [1au] A? registry.sx. (52)
10:33:40.334514 eth0  In  IP 9.9.9.9.53 > 192.168.0.79.48107: 23302$ 1/0/1 A 98.129.229.208 (56)

You see the request going out from my system and getting an answer a couple of seconds later with IP 98.129.229.208.
That's fine, even if it takes quite long.

2nd test is to ask unbound:

10:33:58.748844 lo    In  IP 127.0.0.1.56432 > 127.0.0.1.5335: UDP, length 52
10:33:58.748995 lo    In  IP 127.0.0.1.5335 > 127.0.0.1.56432: UDP, length 40
10:33:58.749073 eth0  Out IP 192.168.0.79.25940 > 185.159.198.10.53: 6319% [1au] A? REGIstRy.Sx. (40)
10:33:58.773714 eth0  In  IP 185.159.198.10.53 > 192.168.0.79.25940: 6319*- 2/0/1 A 98.129.229.208, RRSIG (238)
10:33:58.774006 eth0  Out IP 192.168.0.79.57719 > 185.159.198.10.53: 48290% [1au] DNSKEY? sx. (31)
10:33:58.797434 eth0  In  IP 185.159.198.10.53 > 192.168.0.79.57719: 48290*- 3/0/1 DNSKEY, DNSKEY, RRSIG (745)
10:33:58.797767 eth0  Out IP 192.168.0.79.59599 > 185.159.197.10.53: 56369% [1au] DNSKEY? sx. (31)
10:33:58.829119 eth0  In  IP 185.159.197.10.53 > 192.168.0.79.59599: 56369*- 3/0/1 DNSKEY, DNSKEY, RRSIG (745)
10:33:58.829391 eth0  Out IP 192.168.0.79.29279 > 185.159.197.10.53: 11324% [1au] DNSKEY? Sx. (31)
10:33:58.864997 eth0  In  IP 185.159.197.10.53 > 192.168.0.79.29279: 11324*- 3/0/1 DNSKEY, DNSKEY, RRSIG (747)
10:33:58.865928 eth0  Out IP 192.168.0.79.33957 > 185.159.197.10.53: 7497% [1au] DNSKEY? sX. (31)
10:33:58.902094 eth0  In  IP 185.159.197.10.53 > 192.168.0.79.33957: 7497*- 3/0/1 DNSKEY, DNSKEY, RRSIG (745)
10:33:58.902432 eth0  Out IP 192.168.0.79.51425 > 185.159.197.10.53: 10905% [1au] DNSKEY? sx. (31)
10:33:58.937879 eth0  In  IP 185.159.197.10.53 > 192.168.0.79.51425: 10905*- 3/0/1 DNSKEY, DNSKEY, RRSIG (745)

In the first lines you see my system asking unbound, and later on unbound going to check with the root DNS server. There I'm getting the answer 98.129.229.208 as well. However, unbound is not accepting it and continues to ask the root DNS server for a valid DNSKEY. As this doesn't happen, unbound is not able to complete your request and prints SERVFAIL, as shown in your dig request.

The question now is how to overcome this. There are a couple of options provided in the unbound documentation: https://www.nlnetlabs.nl/documentation/unbound/howto-turnoff-dnssec/

To avoid disabling DNSSEC completely, you could go with option 4 and exclude your insecure domain from being checked. This can be done as follows.

echo -e 'server:\n    domain-insecure: "registry.sx"' > /etc/unbound/unbound.conf.d/domain-insecure.conf
systemctl restart unbound

Now the request should complete successfully.

11:02:43.759920 lo    In  IP 127.0.0.1.57623 > 127.0.0.1.5335: UDP, length 52
11:02:43.760092 eth0  Out IP 192.168.0.79.17909 > 192.112.36.4.53: 28289% [1au] NS? . (28)
11:02:43.791020 eth0  In  IP 192.112.36.4.53 > 192.168.0.79.17909: 28289*- 14/0/27 NS k.root-servers.net., NS d.root-servers.net., NS m.root-servers.net., NS l.root-servers.net., NS i.root-servers.net., NS b.root-servers.net., NS h.root-servers.net., NS c.root-servers.net., NS f.root-servers.net., NS a.root-servers.net., NS e.root-servers.net., NS j.root-servers.net., NS g.root-servers.net., RRSIG (1097)
11:02:43.791272 eth0  Out IP 192.168.0.79.38750 > 199.9.14.201.53: 45631% [1au] A? sx. (31)
11:02:43.791340 eth0  Out IP 192.168.0.79.27435 > 192.203.230.10.53: 21767% [1au] DNSKEY? . (28)
11:02:43.818873 eth0  In  IP 192.203.230.10.53 > 192.168.0.79.27435: 21767*- 3/0/1 DNSKEY, DNSKEY, RRSIG (864)
11:02:43.818873 eth0  In  IP 199.9.14.201.53 > 192.168.0.79.38750: 45631- 0/6/5 (577)
11:02:43.819133 eth0  Out IP 192.168.0.79.35284 > 185.159.197.10.53: 42768% [1au] A? rEGiStRY.sX. (40)
11:02:43.819281 eth0  Out IP 192.168.0.79.51463 > 185.159.198.10.53: 56618% [1au] DNSKEY? Sx. (31)
11:02:43.844495 eth0  In  IP 185.159.198.10.53 > 192.168.0.79.51463: 56618*- 3/0/1 DNSKEY, DNSKEY, RRSIG (745)
11:02:43.851249 eth0  In  IP 185.159.197.10.53 > 192.168.0.79.35284: 42768*- 2/0/1 A 98.129.229.208, RRSIG (238)
11:02:43.851338 lo    In  IP 127.0.0.1.5335 > 127.0.0.1.57623: UDP, length 56

root@DietPi:~# dig registry.sx @127.0.0.1 -p 5335

; <<>> DiG 9.16.15-Debian <<>> registry.sx @127.0.0.1 -p 5335
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35269
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;registry.sx.                   IN      A

;; ANSWER SECTION:
registry.sx.            300     IN      A       98.129.229.208

;; Query time: 91 msec
;; SERVER: 127.0.0.1#5335(127.0.0.1)
;; WHEN: Thu Sep 09 11:02:43 CEST 2021
;; MSG SIZE  rcvd: 56

root@DietPi:~#

But honestly, it would be better if the domain were able to provide a valid DNSKEY.

Thank you very much for this detailed reply.
The problem seems to be there with all .sx domains though - I only used registry.sx as an example because I cannot post my work-related domains here. Another example would be whois.sx. I cannot imagine that all .sx domains have problems with their DNSKEY.

There seem to be some changes concerning DNSSEC in the new unbound version, which is not in the repos yet:
https://www.nlnetlabs.nl/projects/unbound/download/#unbound-1-13-2

Maybe the problem will be solved once the new version becomes available.

Not sure why unbound did not like the .sx domain, but it is probably something you could report to NLnetLabs directly: https://github.com/NLnetLabs/unbound/issues

I activated some tracing on unbound, and it looks like unbound could not establish a chain of trust to keys for the .sx domain:

Sep 09 11:44:51 DietPi unbound[1824]: [1631180691] unbound[1824:0] info: reply from <sx.> 185.159.198.10#53
Sep 09 11:44:51 DietPi unbound[1824]: [1631180691] unbound[1824:0] info: query response was ANSWER
Sep 09 11:44:51 DietPi unbound[1824]: [1631180691] unbound[1824:0] info: Did not match a DS to a DNSKEY, thus bogus.
Sep 09 11:44:51 DietPi unbound[1824]: [1631180691] unbound[1824:0] info: Could not establish a chain of trust to keys for sx. DNSKEY IN
Sep 09 11:44:51 DietPi unbound[1824]: [1631180691] unbound[1824:0] info: 127.0.0.1 registry.sx. A IN SERVFAIL 0.246066 0 40

At least you could work around it by excluding all .sx domains from being checked by setting domain-insecure: "sx".
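As an added example (not code from this thread or from the Unbound project), here is a small Python parser for Unbound "info" log lines like the ones quoted above. It flags zones for which no chain of trust could be built, attributes the resulting SERVFAIL replies to those zones, and renders the domain-insecure workaround from this thread as a config fragment. The sample log is constructed to mirror this post; the reply-line field order (client, name, type, class, rcode, time, from-cache, size) is taken from the SERVFAIL line shown above.

```python
import re
from collections import defaultdict
# Constructed sample: the journal lines quoted above plus two extra reply lines.
SAMPLE_LOG = """\
Sep 09 11:44:51 DietPi unbound[1824]: [1631180691] unbound[1824:0] info: reply from <sx.> 185.159.198.10#53
Sep 09 11:44:51 DietPi unbound[1824]: [1631180691] unbound[1824:0] info: Did not match a DS to a DNSKEY, thus bogus.
Sep 09 11:44:51 DietPi unbound[1824]: [1631180691] unbound[1824:0] info: Could not establish a chain of trust to keys for sx. DNSKEY IN
Sep 09 11:44:51 DietPi unbound[1824]: [1631180691] unbound[1824:0] info: 127.0.0.1 registry.sx. A IN SERVFAIL 0.246066 0 40
Sep 09 11:44:52 DietPi unbound[1824]: [1631180692] unbound[1824:0] info: 127.0.0.1 whois.sx. A IN SERVFAIL 0.101000 0 40
Sep 09 11:44:53 DietPi unbound[1824]: [1631180693] unbound[1824:0] info: 127.0.0.1 example.com. A IN NOERROR 0.050000 0 56
"""
# "Could not establish a chain of trust to keys for <zone> <type> <class>"
CHAIN_RE = re.compile(r"Could not establish a chain of trust to keys for (\S+) \S+ \S+")
# Reply line as in the thread: client qname qtype qclass rcode time fromcache size
REPLY_RE = re.compile(r"info: (\S+) (\S+) (\S+) (\S+) (\S+) (\S+) (\d) (\d+)$")

def parse_validation_failures(log_text):
    """Return (bogus_zones, servfails): zones with no chain of trust, and the
    (client, qname) pairs whose queries were answered with SERVFAIL."""
    bogus_zones, servfails = set(), []
    for line in log_text.splitlines():
        m = CHAIN_RE.search(line)
        if m:
            bogus_zones.add(m.group(1).lower())
            continue
        m = REPLY_RE.search(line)
        if m and m.group(5) == "SERVFAIL":
            servfails.append((m.group(1), m.group(2).lower()))
    return bogus_zones, servfails

def in_zone(qname, zone):
    """True for the zone apex and every name below it (both with trailing dot)."""
    return qname == zone or qname.endswith("." + zone)

def attribute_servfails(bogus_zones, servfails):
    """Map each bogus zone to the SERVFAILed names under it, so one broken
    zone can be told apart from unrelated failures before loosening validation."""
    by_zone = defaultdict(list)
    for _client, qname in servfails:
        for zone in bogus_zones:
            if in_zone(qname, zone):
                by_zone[zone].append(qname)
    return dict(by_zone)

def domain_insecure_snippet(zones):
    """Render the thread's workaround as an unbound.conf fragment. Names under
    a listed zone are no longer validated, so remove it once the zone is fixed."""
    body = ['    domain-insecure: "%s"' % z.rstrip(".") for z in sorted(zones)]
    return "server:\n" + "\n".join(body) + "\n"
```

Feed it the output of `journalctl -u unbound` (with verbosity raised as in this post) to see which zone is behind a burst of SERVFAILs before deciding whether a domain-insecure entry is justified.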

Thank you again!
Can you maybe tell me how I would set this up the correct way? Sorry, I am a total noob with unbound.

I already posted it above:

echo -e 'server:\n    domain-insecure: "sx"' > /etc/unbound/unbound.conf.d/domain-insecure.conf
systemctl restart unbound

You are right, thank you again, it now works.

OK, perfect. Just for completeness I will link the issue you created at NLnetLabs. Let's see if someone reacts to it.

https://github.com/NLnetLabs/unbound/issues/539

I just noticed that this does not help for subdomains: xyz.xyz.sx still does not get resolved, while xyz.sx does get resolved.

echo -e 'server:\n domain-insecure: "sx"' > /etc/unbound/unbound.conf.d/domain-insecure.conf
systemctl restart unbound

I guess you would need to add these subdomains to the config file as well.

Joulinar, someone reacted to the unbound issue... maybe you can take over, because my knowledge is somewhat limited =)
He says that .sx domains work fine for him - so maybe it is a problem with the DietPi config after all?

Hi,

I did a test today and for me this is working now out of the box, without any hack needed.

The dig test succeeds:

root@DietPi4:~# dig registry.sx @127.0.0.1 -p 53

; <<>> DiG 9.16.15-Debian <<>> registry.sx @127.0.0.1 -p 53
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41766
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;registry.sx.                   IN      A

;; ANSWER SECTION:
registry.sx.            300     IN      A       98.129.229.208

;; Query time: 99 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Oct 21 10:44:28 CEST 2021
;; MSG SIZE  rcvd: 56

root@DietPi4:~#

tcpdump also shows no issues:

root@DietPi4:~# tcpdump -i any -c200 -nn port 53
tcpdump: data link type LINUX_SLL2
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on any, link-type LINUX_SLL2 (Linux cooked v2), snapshot length 262144 bytes
10:44:28.574748 lo    In  IP 127.0.0.1.59160 > 127.0.0.1.53: 41766+ [1au] A? registry.sx. (52)
10:44:28.575112 eth0  Out IP 192.168.0.17.20658 > 192.58.128.30.53: 63813% [1au] A? Sx. (31)
10:44:28.593544 eth0  In  IP 192.58.128.30.53 > 192.168.0.17.20658: 63813- 0/4/5 (493)
10:44:28.593796 eth0  Out IP 192.168.0.17.11200 > 185.159.197.10.53: 55525% [1au] A? RegISTrY.sx. (40)
10:44:28.593908 eth0  Out IP 192.168.0.17.50555 > 185.159.198.10.53: 55204% [1au] DNSKEY? sX. (31)
10:44:28.613288 eth0  In  IP 185.159.198.10.53 > 192.168.0.17.50555: 55204*- 3/0/1 DNSKEY, DNSKEY, RRSIG (745)
10:44:28.624255 eth0  In  IP 185.159.197.10.53 > 192.168.0.17.11200: 55525*- 2/0/1 A 98.129.229.208, RRSIG (227)
10:44:28.625029 eth0  Out IP 192.168.0.17.63945 > 185.159.198.10.53: 63614% [1au] DS? REgISTRy.Sx. (40)
10:44:28.642515 eth0  In  IP 185.159.198.10.53 > 192.168.0.17.63945: 63614*- 5/0/1 DS, DS, DS, DS, RRSIG (370)
10:44:28.643059 eth0  Out IP 192.168.0.17.51084 > 185.159.197.10.53: 48383% [1au] DNSKEY? reGIstry.SX. (40)
10:44:28.671504 eth0  In  IP 185.159.197.10.53 > 192.168.0.17.51084: 48383*- 4/0/1 DNSKEY, DNSKEY, RRSIG, RRSIG (934)
10:44:28.672025 lo    In  IP 127.0.0.1.53 > 127.0.0.1.59160: 41766$ 1/0/1 A 98.129.229.208 (56)
^C
12 packets captured
16 packets received by filter
0 packets dropped by kernel
root@DietPi4:~#

You are right - now it works for me too! Maybe it was a cache thing yesterday.
Thank you very much.