DNSSEC not working?

Expected Behaviour:

Pi-hole Version v3.3, Web Interface Version v3.3, FTL Version v3.0
Log into the pihole web interface. Go to Settings. Select DNS. At the bottom of the page, check the "Use DNSSEC" checkbox. I'm using DNS.WATCH as my DNS forwarder. Just below is a link to a test page.

Actual Behaviour:

I expect the test page to return success. Instead, I get this:
No, your DNS resolver does NOT validate DNSSEC signatures.
Tried another test at http://www.dnssec-or-not.com/ and it reports the same:
Are you protected by DNSSEC? Or Not?

This page tests whether or not the DNS queries from your computer are protected with DNSSEC validation.
Sigh... the test indicates you are NOT protected.

Debug Token:

I can't tell without your debug token, but some packaged versions of dnsmasq are not compiled with DNSSEC. You can usually see if this is the case with dnsmasq -v to see the compile time options.

I just completely reinstalled my pihole after first upgrading to stretch. I've been wanting to do that anyway. The DNSSEC is still not working.

dnsmasq -v

Dnsmasq version 2.76 Copyright (c) 2000-2016 Simon Kelley
Compile time options: IPv6 GNU-getopt DBus i18n IDN DHCP DHCPv6 no-Lua TFTP conntrack ipset auth DNSSEC loop-detect inotify

This software comes with ABSOLUTELY NO WARRANTY.
Dnsmasq is free software, and you are welcome to redistribute it
under the terms of the GNU General Public License, version 2 or 3.

I apparently experience the same problem. I use alternative servers with DNSSEC capability but DNSSEC does not show up in the GUI.

@diameter What DNSSEC servers are you using?

I'm using DNS.Watch

I have verified that the dnsmasq I'm using is compiled with DNSSEC flag.

Dnsmasq version 2.76 Copyright © 2000-2016 Simon Kelley
Compile time options: IPv6 GNU-getopt DBus i18n IDN DHCP DHCPv6 no-Lua TFTP conntrack ipset auth DNSSEC loop-detect inotify

Yet, the test page continues to show DNSSEC is not working. Here is a small sample from my log:

Can someone please help figure this out?

Thank you.

While this doesn't help @diameter, I can report that the DNSSEC test page gives me a positive result with my server setup (see post above).

Interestingly, the pi-hole sites themselves are currently classified as INSECURE.


INSECURE means that the domain isn't set up with DNSSEC, and BOGUS means the record has been changed (doesn't match signature). Do you see any SECURE entries, or any domains which are supposed to be secure showing as INSECURE?

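Two offline checks, added here as an example (not from this thread or from the Pi-hole project), for the two questions raised above: whether the installed dnsmasq was built with DNSSEC (the dnsmasq -v suggestion) and how to read a resolver's answer into the SECURE / INSECURE / BOGUS labels just explained, which is also what the online test pages look for. The option lines and dig headers below are constructed samples; the real command on the Pi-hole host would be dig +dnssec example.com @127.0.0.1.

```shell
#!/bin/sh
# Added example, not from the Pi-hole thread or the Pi-hole project: two
# offline checks for the questions raised above. Sample inputs are constructed.

# 1) Is dnsmasq built with DNSSEC? dnsmasq -v prints "no-DNSSEC" when the
#    feature is compiled out, so compare whole tokens, not a substring.
dnsmasq_has_dnssec() {
    for opt in $(printf '%s\n' "$1" | sed 's/^Compile time options: *//'); do
        [ "$opt" = "DNSSEC" ] && return 0
    done
    return 1
}

# 2) Classify a dig response with the thread's SECURE/INSECURE/BOGUS labels.
#    The online test pages look for the same thing: the AD (authenticated
#    data) flag, which only a validating resolver sets.
#   SECURE   - NOERROR and AD set: the resolver validated the signature chain
#   INSECURE - NOERROR, no AD: zone unsigned, or the resolver is not validating
#   BOGUS    - SERVFAIL: a validating resolver withholds data that fails validation
classify_dig() {
    case "$1" in
        *"status: SERVFAIL"*) echo BOGUS ;;
        *"status: NOERROR"*)
            # header line looks like ";; flags: qr rd ra ad; QUERY: 1, ..."
            flags=$(printf '%s\n' "$1" | sed -n 's/^;; flags: \([^;]*\);.*/\1/p')
            case " $flags " in
                *" ad "*) echo SECURE ;;
                *)        echo INSECURE ;;
            esac ;;
        *) echo UNKNOWN ;;
    esac
}

# Constructed samples: the option line quoted in the thread, and one without DNSSEC.
OPTS_OK='Compile time options: IPv6 GNU-getopt DBus i18n IDN DHCP DHCPv6 no-Lua TFTP conntrack ipset auth DNSSEC loop-detect inotify'
OPTS_NO='Compile time options: IPv6 GNU-getopt no-DBus DHCP no-Lua TFTP auth no-DNSSEC loop-detect inotify'
# Constructed dig headers (live: dig +dnssec example.com @127.0.0.1)
DIG_AD=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1001
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1'
DIG_NOAD=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1002
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'
DIG_FAIL=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 1003
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'

dnsmasq_has_dnssec "$OPTS_OK" && echo "dnsmasq: DNSSEC compiled in"
dnsmasq_has_dnssec "$OPTS_NO" || echo "dnsmasq: DNSSEC missing, validation cannot work"
for r in "$DIG_AD" "$DIG_NOAD" "$DIG_FAIL"; do classify_dig "$r"; done
```

An INSECURE result for a domain known to be signed means the resolver (or something in front of it, such as a VPN's DNS) is not validating, while BOGUS on an otherwise fine domain points at a broken upstream or an out-of-date trust anchor.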

Take a look here, too:

Thanks for the explanation. It is helpful. However, I fail the test here:
http://dnssec.vs.uni-due.de/

I think I may have discovered the issue, but it's confusing. I have a VPN on my Asus router running Merlin. There is a DNS setting called "Accept DNS Configuration" and it's set to Exclusive. To the best of my understanding this translates to "Exclusive = only the VPN-provided DNS servers are used".

The DNS settings in my router are set to the IP of the raspberry pi running pihole.

Now, here's the confusing part. The pihole still blocks ads and is active. Yet when I run a dnsleak test (https://dnsleaktest.com), it shows only the VPN DNS servers. Within pihole settings, my upstream DNS is set to DNS.WATCH.

Perhaps someone can shed light on what might be happening. If only the VPN DNS is being used, then why is the pihole still working and blocking ads?

If your VPN DNS supports DNSSEC, change the Pi-hole to use the VPN DNS server and set the router to hand out Pi-hole (however the VPN config does that).

Perhaps it is the VPN config that is forwarding my DNS calls to its own DNS servers per my "Exclusive" setting. And the router is set to hand out Pi-hole.

The behavior is exactly what I want, but I don't understand why it's working the way it is. If the VPN config is forcing VPN DNS exclusively, then why is the Pi-hole still blocking ads? I expect the Pi-hole to be completely bypassed via the VPN. But instead the Pi-hole must be the first one to get the DNS call, and then the VPN takes over.

Perhaps you have both the Pi-hole and VPN servers set, so it randomly uses one or the other.

The Open VPN setting "Accept DNS Configuration" has a dropdown with several options.

Exclusive - Use only the DNS servers supplied by the OpenVPN server. Note that this can cause a problem if the VPN goes down, and your VPN server is set by url and not ip, and you don't have an unencrypted route to the VPN server. Now you can't resolve your server address and VPN will stay down. Some of these cases have been addressed in the latest Merlin, but I don't think all.

Strict - Add the DNS servers supplied by the OpenVPN servers at the top of a list of your normal DNS servers. The servers are then accessed top to bottom on this list, so the non-VPN servers are only accessed if there is an error with the VPN DNS servers. This prevents the problem above.

Relaxed - The server list is created the same way as Strict, except the servers are accessed round robin (or random or some 'responsiveness' algorithm, don't quite remember which). Both the VPN DNS servers and your normal DNS servers are always used.

Disabled - The VPN DNS servers aren't used, only the existing DNS servers.

If I chose Relaxed, then it would use random DNS. However, it is set to "Exclusive", which forces it to use the VPN DNS exclusively.
