BOGUS domain which is not BOGUS?


Expected Behaviour:

www.teleman.pl should not be listed as a BOGUS domain when DNSSEC is activated in piHole

Actual Behaviour:

piHole shows a “BOGUS” status for the domain www.teleman.pl. Trying to “dig” the domain via either pdns-recursor or Google’s upstream server does not indicate any DNSSEC problems. Here is the output:

resolution with piHole: dig www.teleman.pl @127.0.0.1 +dnssec +multi

; <<>> DiG 9.9.5-9+deb8u17-Raspbian <<>> www.teleman.pl @127.0.0.1 +dnssec +multi
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 22447
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;www.teleman.pl.                IN A

;; Query time: 4 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Apr 30 10:03:31 CEST 2019
;; MSG SIZE  rcvd: 43

resolution with pdns-recursor: dig www.teleman.pl @127.0.0.1 -p 5454 +dnssec +multi

; <<>> DiG 9.9.5-9+deb8u17-Raspbian <<>> www.teleman.pl @127.0.0.1 -p 5454 +dnssec +multi
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28181
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;www.teleman.pl.                IN A

;; ANSWER SECTION:
www.teleman.pl.         2161 IN A 195.201.153.25

;; Query time: 1 msec
;; SERVER: 127.0.0.1#5454(127.0.0.1)
;; WHEN: Tue Apr 30 10:04:21 CEST 2019
;; MSG SIZE  rcvd: 59

resolution with Google: dig www.teleman.pl @8.8.8.8 +dnssec +multi

; <<>> DiG 9.9.5-9+deb8u17-Raspbian <<>> www.teleman.pl @8.8.8.8 +dnssec +multi
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2653
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;www.teleman.pl.                IN A

;; ANSWER SECTION:
www.teleman.pl.         232 IN A 195.201.153.25

;; Query time: 25 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Tue Apr 30 10:05:01 CEST 2019
;; MSG SIZE  rcvd: 59

So it seems to me that there is something going wrong on piHole side…

Debug Token:

https://tricorder.pi-hole.net/iqm2dts12r!

Thanks for the help!

Bye
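As an added illustration (not part of the thread, and not Pi-hole or dnsmasq code), here is a small Python classifier for `dig +dnssec` output that makes the three posted results comparable: a SERVFAIL with the DO bit set is what Pi-hole's query log reports as BOGUS, whereas NOERROR without the `ad` flag and without RRSIG records, as in the pdns-recursor and Google outputs above, means the resolver answered the name as insecure (unsigned or without a chain of trust), not as validated. The sample inputs are constructed from the dig outputs in the post.

```python
import re

# Constructed samples: the header, flags and EDNS lines of the three dig runs
# quoted in the post (answer section included where dig printed one).
PIHOLE = """;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 22447
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
; EDNS: version: 0, flags: do; udp: 512
"""
RECURSOR = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28181
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
; EDNS: version: 0, flags: do; udp: 512
;; ANSWER SECTION:
www.teleman.pl.         2161 IN A 195.201.153.25
"""
GOOGLE = RECURSOR.replace("id: 28181", "id: 2653").replace("2161 IN", "232 IN")


def classify_dig(output: str) -> str:
    """Classify a `dig +dnssec` response by what the resolver asserted.

    bogus       SERVFAIL although the DO bit was set: a validating resolver
                refused to hand out the answer (Pi-hole logs this as BOGUS)
    secure      NOERROR with the AD flag: the resolver validated the chain
    unvalidated NOERROR, RRSIGs present but no AD: signed zone, answered by
                a resolver that did not validate it
    insecure    NOERROR, no AD and no RRSIG: unsigned zone or no chain of
                trust; the answer is usable but nothing was verified
    unknown     DO bit absent or unexpected status; validation not requested
    """
    status = re.search(r"status: (\w+),", output)
    flags = re.search(r"^;; flags: ([a-z ]*);", output, re.M)
    edns = re.search(r"^; EDNS: .*flags: ([a-z ]*);", output, re.M)
    if not (status and flags and edns) or "do" not in edns.group(1).split():
        return "unknown"
    if status.group(1) == "SERVFAIL":
        return "bogus"
    if status.group(1) != "NOERROR":
        return "unknown"
    if "ad" in flags.group(1).split():
        return "secure"
    if re.search(r"^\S+\s+\d+\s+IN\s+RRSIG\b", output, re.M):
        return "unvalidated"
    return "insecure"


if __name__ == "__main__":
    for name, out in (("pihole", PIHOLE), ("pdns-recursor", RECURSOR), ("google", GOOGLE)):
        print(f"{name:14} {classify_dig(out)}")
```

A SERVFAIL alone does not prove a validation failure; repeating the same query with `dig +cd` (checking disabled) and getting NOERROR is the usual confirmation that validation, rather than upstream reachability, is what failed.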

DNSSEC Analyzer test result.

For me everything is green except the last section (which includes red entries for almost all domains I tested). The funny thing is that the first time I tried it there were some timeouts listed in the first and second sections.

Can you try to repeat the query on the posted page? Maybe this is something related to temporary unavailability…?

Thanks!

Bye

One more piece of information that might be important:

My local pdns-recursor is configured in the following way:

dnssec=validate
hint-file=/etc/powerdns/named.root
local-address=127.0.0.1
local-port=5454
query-local-address6=::

That means it also validates DNSSEC entries. In the case of www.teleman.pl it returns a valid entry (as posted above). If DNSSEC validation failed, it would also return SERVFAIL. So why is piHole behaving differently here?

Thanks!

Bye

OK, the DNSSEC implementation in Pihole using DNSmasq is troublesome.

If you use a DNSSEC-aware upstream recursor then disable DNSSEC in Pihole, because it won’t add anything and is prone to bogus replies.

I went from DNSmasq to Pihole to find the same problem again. I am now using Unbound in front of Pihole and never looked back.

Thanks for the answer!

The disadvantage here is that in the query log of piHole we will never see the DNS security status anymore, but I guess this is something I can live with :)

Bye
