Good luck. I've been using Ubiquiti stuff as well and used to hang out at their forum. The amount of official and useful support as well as the speed they apply fixes is... astonishing. But maybe this time we will be taught better....
.... update .... but no news....
Ticket is now at level/tier 2... but no solution so far...
I sent u huge bunch of logs and support files so far....
Kind regards
Andy
UI Support (Ubiquiti Help Center)
Nov 8, 2021, 19:24 MST
Hi,
Thank you for your patience.
I checked the details and as per the packet capture, it seems that there is no response from the upstream server when using dnssec.
Also, as the issue only occurs when enabling the dnssec I suspect the issue could be on the pi end as DNS works when dnssec is disabled.
Thanks!
Best,
UI Support
Ubiquiti Inc.
my answer:
Hi Ubiquiti,
How can you then explain that it works fine with a different router? Just with the UDM the problem is there....
Regards
Andreas
... also consider this:
The issue looks similar to this:
https://community.ui.com/questions/DNSSEC-fails-when-WAN-in-PPPoE-mode/ee2d6999-5a6e-48ba-ba72-8e0b6949f865
More information is also here (this is my case):
Since today DNSSEC is not working - #19 by yubiuser
I'm sorry to hear you had to wait so long for this answer. I'm amazed (not in the good way) about their reply because it is just wrong.
This is correct.
Wait, what? You are not receiving a reply from upstream. This suggests the upstream is really either not responding (unlikely because you also tried Google's and Telekom's DNS servers as alternative upstream) or, well, blocked away by the router. How should the pi influence the router's behavior?
Sorry to say this but I guess you have to write them again. The problem you want to get solved here is not that the Pi-hole is not sending out any other queries upstream but rather that you see no reply from any upstream for the DNSKEY root lookups. This prevents the entirety of DNSSEC from working at all.
I try to explain that to them, with my German English.... hope it helps....
Hi guys,
I need your help - I don't know how I should better explain the situation to them. I mentioned very often that it is working with a different router. I can share a dump with the support.lua from the Fritzbox but I guess that won't help. I can also share the whole ticket as a PDF but the forum doesn't allow me to upload a PDF here....
Thank you for the update and the details.
We checked the details and in the packet captures we are seeing that the traffic is successfully forwarded to the DNS servers, however, there is no reply coming back (example packet 184 on br0 which corresponds with 1585 on ppp0) in the packet captures that are shared. There also does not appear to be any indication that the traffic is corrupted by the UDM-Pro in transit.
thanks in advance
Andy
I don't think you did anything wrong.
Yes. Another correct statement but not what you need as
So I'm not sure why they refuse to see the issue:
- Their router -> it doesn't work
- Other router -> it works
Conclusion? Well ... isn't it pretty obvious? If it were me, I'd very likely have replaced the router even earlier. Sadly I have no other suggestion than to get back to them once more and tell them (like literally!):
I can receive upstream responses when using a different router like a Fritzbox. However, when using the UDM-Pro I do not receive upstream responses. Looking at your previous investigations, this strongly suggests that the UDM-Pro is doing something that is not obvious in the packet capture. Whether this is a modification of the outgoing traffic (so the upstream really never responds) or any kind of dropping the inbound traffic is something I cannot say.
Can you give me additional advice on what data I can provide so you can investigate why the UDM-Pro is behaving this way?
Hopefully this will help them to give you helpful assistance.
Meanwhile my Ubiquiti ticket was escalated to tier 3 - but the answer is still the same:
The product team has analyzed the provided support files and packet captures, but unfortunately we did not find any evidence that the DNSSEC traffic was dropped or altered on the UDM-Pro.
We suspect that this issue is related to the Pihole and not the UniFi OS Console.
After this update the ticket was closed by Ubiquiti and I got asked for a rating. I gave a bad rating and reopened the ticket, but no feedback since mid-December.
cheers
Andy
Thanks for your persistence. I fear there won't be any reaction from their side.