Unbound+Adguard do not resolve any .sx domain

tr0ner
Posts: 5
Joined: Thu Sep 09, 2021 8:29 am

Unbound+Adguard do not resolve any .sx domain

Post by tr0ner »

Hello all,

I installed DietPi yesterday because I wanted to try Adguard in combination with unbound. (I had been using Pi-hole before.)
Everything works out of the box and the setup was really easy; I encountered a strange problem, though.
Any domain ending in .sx is not being resolved. Adguard shows this reply: SERVFAIL.
I just noticed it because my company uses an .sx domain for their VPN server.
The same problem with this page for example:
http://www.registry.sx

Code:

dig registry.sx @127.0.0.1 -p 5335

; <<>> DiG 9.16.15-Raspbian <<>> registry.sx @127.0.0.1 -p 5335
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 62978
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;registry.sx.                   IN      A

;; Query time: 0 msec
;; SERVER: 127.0.0.1#5335(127.0.0.1)
;; WHEN: Thu Sep 09 09:08:36 CEST 2021
;; MSG SIZE  rcvd: 40
If I set the client to use Google DNS the domain gets resolved.
Joulinar
Posts: 5619
Joined: Sat Nov 16, 2019 12:49 am

Re: Unbound+Adguard do not resolve any .sx domain

Post by Joulinar »

Hi,

The issue seems to be with the domain itself, as it looks like it is rated as insecure because the domain doesn't seem to have a valid DNSKEY.

I did some tracing and found the following.

1st test was to ask Quad9 public DNS server

Code:

10:33:35.300433 eth0  Out IP 192.168.0.79.48107 > 9.9.9.9.53: 23302+ [1au] A? registry.sx. (52)
10:33:40.306411 eth0  Out IP 192.168.0.79.48107 > 9.9.9.9.53: 23302+ [1au] A? registry.sx. (52)
10:33:40.334514 eth0  In  IP 9.9.9.9.53 > 192.168.0.79.48107: 23302$ 1/0/1 A 98.129.229.208 (56)
You see the request going out from my system, and it gets an answer a couple of seconds later with IP 98.129.229.208.
That's fine, even if it takes quite long.

2nd test is to ask unbound

Code:

10:33:58.748844 lo    In  IP 127.0.0.1.56432 > 127.0.0.1.5335: UDP, length 52
10:33:58.748995 lo    In  IP 127.0.0.1.5335 > 127.0.0.1.56432: UDP, length 40
10:33:58.749073 eth0  Out IP 192.168.0.79.25940 > 185.159.198.10.53: 6319% [1au] A? REGIstRy.Sx. (40)
10:33:58.773714 eth0  In  IP 185.159.198.10.53 > 192.168.0.79.25940: 6319*- 2/0/1 A 98.129.229.208, RRSIG (238)
10:33:58.774006 eth0  Out IP 192.168.0.79.57719 > 185.159.198.10.53: 48290% [1au] DNSKEY? sx. (31)
10:33:58.797434 eth0  In  IP 185.159.198.10.53 > 192.168.0.79.57719: 48290*- 3/0/1 DNSKEY, DNSKEY, RRSIG (745)
10:33:58.797767 eth0  Out IP 192.168.0.79.59599 > 185.159.197.10.53: 56369% [1au] DNSKEY? sx. (31)
10:33:58.829119 eth0  In  IP 185.159.197.10.53 > 192.168.0.79.59599: 56369*- 3/0/1 DNSKEY, DNSKEY, RRSIG (745)
10:33:58.829391 eth0  Out IP 192.168.0.79.29279 > 185.159.197.10.53: 11324% [1au] DNSKEY? Sx. (31)
10:33:58.864997 eth0  In  IP 185.159.197.10.53 > 192.168.0.79.29279: 11324*- 3/0/1 DNSKEY, DNSKEY, RRSIG (747)
10:33:58.865928 eth0  Out IP 192.168.0.79.33957 > 185.159.197.10.53: 7497% [1au] DNSKEY? sX. (31)
10:33:58.902094 eth0  In  IP 185.159.197.10.53 > 192.168.0.79.33957: 7497*- 3/0/1 DNSKEY, DNSKEY, RRSIG (745)
10:33:58.902432 eth0  Out IP 192.168.0.79.51425 > 185.159.197.10.53: 10905% [1au] DNSKEY? sx. (31)
10:33:58.937879 eth0  In  IP 185.159.197.10.53 > 192.168.0.79.51425: 10905*- 3/0/1 DNSKEY, DNSKEY, RRSIG (745)
In the first lines you see my system asking unbound, and later on unbound goes to check with the root DNS server. There I'm getting the answer 98.129.229.208 as well. However, unbound is not accepting it and continues to ask the root DNS server for a valid DNSKEY. As this doesn't happen, unbound is not able to complete your request and will print SERVFAIL, as shown in your dig request.

The question is now how to overcome this. There are a couple of options provided in the unbound documentation: https://www.nlnetlabs.nl/documentation/ ... ff-dnssec/

To avoid disabling DNSSEC completely, you could go with option 4 and exclude your insecure domain from being checked. This can be done as follows.

Code:

echo -e 'server:\n    domain-insecure: "registry.sx"' > /etc/unbound/unbound.conf.d/domain-insecure.conf
systemctl restart unbound
Now the request should complete successfully.

Code:

11:02:43.759920 lo    In  IP 127.0.0.1.57623 > 127.0.0.1.5335: UDP, length 52
11:02:43.760092 eth0  Out IP 192.168.0.79.17909 > 192.112.36.4.53: 28289% [1au] NS? . (28)
11:02:43.791020 eth0  In  IP 192.112.36.4.53 > 192.168.0.79.17909: 28289*- 14/0/27 NS k.root-servers.net., NS d.root-servers.net., NS m.root-servers.net., NS l.root-servers.net., NS i.root-servers.net., NS b.root-servers.net., NS h.root-servers.net., NS c.root-servers.net., NS f.root-servers.net., NS a.root-servers.net., NS e.root-servers.net., NS j.root-servers.net., NS g.root-servers.net., RRSIG (1097)
11:02:43.791272 eth0  Out IP 192.168.0.79.38750 > 199.9.14.201.53: 45631% [1au] A? sx. (31)
11:02:43.791340 eth0  Out IP 192.168.0.79.27435 > 192.203.230.10.53: 21767% [1au] DNSKEY? . (28)
11:02:43.818873 eth0  In  IP 192.203.230.10.53 > 192.168.0.79.27435: 21767*- 3/0/1 DNSKEY, DNSKEY, RRSIG (864)
11:02:43.818873 eth0  In  IP 199.9.14.201.53 > 192.168.0.79.38750: 45631- 0/6/5 (577)
11:02:43.819133 eth0  Out IP 192.168.0.79.35284 > 185.159.197.10.53: 42768% [1au] A? rEGiStRY.sX. (40)
11:02:43.819281 eth0  Out IP 192.168.0.79.51463 > 185.159.198.10.53: 56618% [1au] DNSKEY? Sx. (31)
11:02:43.844495 eth0  In  IP 185.159.198.10.53 > 192.168.0.79.51463: 56618*- 3/0/1 DNSKEY, DNSKEY, RRSIG (745)
11:02:43.851249 eth0  In  IP 185.159.197.10.53 > 192.168.0.79.35284: 42768*- 2/0/1 A 98.129.229.208, RRSIG (238)
11:02:43.851338 lo    In  IP 127.0.0.1.5335 > 127.0.0.1.57623: UDP, length 56

Code:

root@DietPi:~# dig registry.sx @127.0.0.1 -p 5335

; <<>> DiG 9.16.15-Debian <<>> registry.sx @127.0.0.1 -p 5335
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35269
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;registry.sx.                   IN      A

;; ANSWER SECTION:
registry.sx.            300     IN      A       98.129.229.208

;; Query time: 91 msec
;; SERVER: 127.0.0.1#5335(127.0.0.1)
;; WHEN: Thu Sep 09 11:02:43 CEST 2021
;; MSG SIZE  rcvd: 56

root@DietPi:~#
But honestly, it would be better if the domain were able to provide a valid DNSKEY.
Please let us know if a solution is working. This could help others if they are hit by a similar situation. Your DietPi Team
tr0ner
Posts: 5
Joined: Thu Sep 09, 2021 8:29 am

Re: Unbound+Adguard do not resolve any .sx domain

Post by tr0ner »

Thank you very much for this detailed reply.
The problem seems to be there with all .sx domains, though. I only put registry.sx as an example because I cannot post my work-related domains here. Another example would be whois.sx. I cannot imagine that all .sx domains have problems with their DNSKEY.

There seem to be some changes concerning DNSSEC in the new unbound version, which is not in the repos yet:
https://www.nlnetlabs.nl/projects/unbou ... und-1-13-2

Maybe the problem will be solved once the new version becomes available.
Joulinar
Posts: 5619
Joined: Sat Nov 16, 2019 12:49 am

Re: Unbound+Adguard do not resolve any .sx domain

Post by Joulinar »

Not sure why unbound did not like the .sx domain, but it is probably something you could report to NLnetLabs directly: https://github.com/NLnetLabs/unbound/issues

I activated some tracing on unbound, and it looks like unbound could not establish a chain of trust to keys for the .sx domain.

Code:

Sep 09 11:44:51 DietPi unbound[1824]: [1631180691] unbound[1824:0] info: reply from <sx.> 185.159.198.10#53
Sep 09 11:44:51 DietPi unbound[1824]: [1631180691] unbound[1824:0] info: query response was ANSWER
Sep 09 11:44:51 DietPi unbound[1824]: [1631180691] unbound[1824:0] info: Did not match a DS to a DNSKEY, thus bogus.
Sep 09 11:44:51 DietPi unbound[1824]: [1631180691] unbound[1824:0] info: Could not establish a chain of trust to keys for sx. DNSKEY IN
Sep 09 11:44:51 DietPi unbound[1824]: [1631180691] unbound[1824:0] info: 127.0.0.1 registry.sx. A IN SERVFAIL 0.246066 0 40
At least you could work around it by excluding all .sx domains from being checked by setting domain-insecure: "sx"
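As an added example (not code from this thread or from the unbound project), here is the check behind the log line "Did not match a DS to a DNSKEY, thus bogus" in Python: the DS record the parent publishes must reproduce the key tag, algorithm and digest of a DNSKEY in the child zone, otherwise a validating resolver marks the zone bogus and answers SERVFAIL, which is what the first post's dig shows. The keys and the DS below are constructed placeholders, not the real .sx records; the same helpers accept the fields printed by `dig DS sx.` and `dig DNSKEY sx.` for checking a real zone.

```python
"""DS-to-DNSKEY check as a validating resolver such as unbound performs it
(RFC 4034 section 5 and appendix B). All key material below is a
constructed placeholder, not the real DNSKEY or DS of the .sx zone."""
import base64
import hashlib
import struct

DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}

def wire_name(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> bytes:
    """Build DNSKEY RDATA from the four fields dig prints in presentation format."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)

def key_tag(rdata: bytes) -> int:
    """RFC 4034 appendix B key tag for any algorithm except the obsolete RSA/MD5."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def compute_ds(owner: str, rdata: bytes, digest_type: int = 2) -> tuple:
    """Return (key tag, algorithm, digest type, hex digest) the parent should publish."""
    digest = DIGEST_ALGS[digest_type](wire_name(owner) + rdata).hexdigest()
    return key_tag(rdata), rdata[3], digest_type, digest

def ds_matches(ds: tuple, owner: str, rdata: bytes) -> bool:
    """True when the parent's DS authenticates this DNSKEY. A validator that finds
    no matching DS for any key in the DNSKEY RRset marks the zone bogus -> SERVFAIL."""
    tag, alg, dtype, digest = ds
    if dtype not in DIGEST_ALGS:
        return False  # unsupported digest type cannot authenticate anything
    return compute_ds(owner, rdata, dtype) == (tag, alg, dtype, digest.lower())

# Constructed placeholder keys: flags 257 (KSK), protocol 3, algorithm 13.
SAMPLE_KEY = dnskey_rdata(257, 3, 13, base64.b64encode(b"\x01\x02\x03\x04").decode())
ROLLED_KEY = dnskey_rdata(257, 3, 13, base64.b64encode(b"\x01\x02\x03\x05").decode())
SAMPLE_DS = compute_ds("sx.", SAMPLE_KEY)  # what the parent (root) would publish

if __name__ == "__main__":
    print("DS for current key:", SAMPLE_DS, ds_matches(SAMPLE_DS, "sx.", SAMPLE_KEY))
    print("same DS against a rolled key:", ds_matches(SAMPLE_DS, "sx.", ROLLED_KEY))
```

A stale DS after a key rollover, or a DS digest computed over a differently cased owner name, both fail this check in exactly the way the unbound log reports.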
tr0ner
Posts: 5
Joined: Thu Sep 09, 2021 8:29 am

Re: Unbound+Adguard do not resolve any .sx domain

Post by tr0ner »

Thank you again!
Can you maybe tell me how I would set this up the correct way? Sorry, I am a total noob with unbound.
Joulinar
Posts: 5619
Joined: Sat Nov 16, 2019 12:49 am

Re: Unbound+Adguard do not resolve any .sx domain

Post by Joulinar »

I posted it already above.

Code:

echo -e 'server:\n    domain-insecure: "sx"' > /etc/unbound/unbound.conf.d/domain-insecure.conf
systemctl restart unbound
tr0ner
Posts: 5
Joined: Thu Sep 09, 2021 8:29 am

Re: Unbound+Adguard do not resolve any .sx domain

Post by tr0ner »

You are right, thank you again, it now works.
Joulinar
Posts: 5619
Joined: Sat Nov 16, 2019 12:49 am

Re: Unbound+Adguard do not resolve any .sx domain

Post by Joulinar »

OK, perfect. Just for completeness, I will link the issue you created at NLnetLabs. Let's see if someone reacts to it :)

https://github.com/NLnetLabs/unbound/issues/539
tr0ner
Posts: 5
Joined: Thu Sep 09, 2021 8:29 am

Re: Unbound+Adguard do not resolve any .sx domain

Post by tr0ner »

I just noticed that this does not help for subdomains: xyz.xyz.sx still does not get resolved, while xyz.sx does get resolved.
echo -e 'server:\n domain-insecure: "sx"' > /etc/unbound/unbound.conf.d/domain-insecure.conf
systemctl restart unbound
Joulinar
Posts: 5619
Joined: Sat Nov 16, 2019 12:49 am

Re: Unbound+Adguard do not resolve any .sx domain

Post by Joulinar »

I guess you would need to add these subdomains to the config file as well.