Testing DNSSec validation using dig works with loopback only

Please follow the below template, it will help us to help you!

Expected Behaviour:

Operating System: Linux (ubuntu 18.04)
Two Docker Instances run on this machine
1- Pihole docker - Pihole - 172.90.0.5
2- mvance/unbound - Unbound - 172.90.0.6

Expected behavior is that when I run DNSSec validation test command using dig as per official guide with destination IP assigned to the docker Unbound instance or the PiHole instance I should receive a NOERROR response with resolved domain answer.
dig sigok.verteiltesysteme.net @172.90.0.6 -p 5335

Actual Behaviour:

When I run a DNSSec validation test command I receive a REFUSED response

;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 28175
;; flags: qr rd ad; QUERY: 0, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

When I perform the same testing with loopback address 127.0.0.1, it works with no issues.

Not only that but even in PiHole, all DNS queries sent to PiHole keep getting forwarded to Unbound but no response back as in the PiHole Log below
May 18 01:38:38 dnsmasq[539]: query[A] tesla.com.lan from X.X.X.X
May 18 01:38:38 dnsmasq[539]: forwarded tesla.com.lan to 172.90.0.6
May 18 01:38:38 dnsmasq[539]: query[A] tesla.com.lan from X.X.X.X
May 18 01:38:38 dnsmasq[539]: forwarded tesla.com.lan to 172.90.0.6

Debug Token:

https://tricorder.pi-hole.net/r75x026jni

Thanks for your reply but I keep getting refused on all queries on Unbound assuming it should be handled with no issues (in terms of resolving part). And the main issue I am facing is why PiHole doesn't respond back to the DNS query made by any of the clients and shows requests being forwarded to Unbound and not returning back?

These IPs do not match any private address range, specifically not 172.16.0.0/12 (which would only span addresses from 172.16.0.0 through 172.31.255.255) - which in turn means that you are using public IPs for your Pi-hole installation.

If you do not own 172.90.0.5 and 172.90.0.6, you should switch to use private IP addresses.

If you do indeed own those addresses, you may run an open resolver, which poses a potential threat for all Internet users, e.g. by serving as a multiplier in a DNS Amplification attack.

The Pi-hole team strongly discourages Pi-hole's usage as an open resolver, and we won't provide support in that case.

Thank you so much for the note. I have just fixed them
1- Pihole docker - Pihole- 172.20.0.5
2- mvance/unbound - Unbound - 172.20.0.6

I tested again, it still responds with Refused on any query on Unbound when using the command
dig sigok.verteiltesysteme.net @172.20.0.6 -p 5353

But works with the loopback
dig sigok.verteiltesysteme.net @127.0.0.1 -p 5353

I do have a feeling that it's related to a config file option, not sure, as the response is so fast

I fixed it, it was an issue with Unbound config file, it should include access control. I understand it should be more specific but not including this line in config would refuse any requests not originating from the Loopback
access-control: 0.0.0.0/0 allow
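As an added illustration (not code from this thread, from Pi-hole, or from Unbound), the script below models the access-control decision behind the REFUSED answers: the most specific access-control: netblock matching the client wins, and with no matching line only loopback is allowed. It also includes an RFC 1918 check for the private-range point raised earlier in the thread. The three config snippets, the 172.20.0.0/24 Docker subnet and the client addresses are constructed for the example; the unscoped 0.0.0.0/0 allow line is shown next to a version that only admits loopback and the Docker network.

```python
"""Model of Unbound's access-control matching (added example, not Unbound code).

Assumed semantics: the most specific matching access-control: netblock decides,
and if nothing matches, loopback is allowed and everything else is refused.
"""
import ipaddress
import re

# Fallback when no access-control: line matches the client.
DEFAULT_RULES = [
    (ipaddress.ip_network("127.0.0.0/8"), "allow"),
    (ipaddress.ip_network("::1/128"), "allow"),
]

ACL_RE = re.compile(r"^\s*access-control:\s*(\S+)\s+(\S+)\s*$")

# RFC 1918 private ranges (the thread's original 172.90.0.0 addresses fall outside them).
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed config 1: no access-control at all, as in the original setup.
DEFAULT_CONFIG = """
server:
    port: 5335
"""

# Constructed config 2: the fix posted in the thread; answers anyone who can reach the port.
OPEN_CONFIG = """
server:
    port: 5335
    access-control: 0.0.0.0/0 allow
"""

# Constructed config 3: only loopback and the (assumed) Docker bridge subnet may query.
SCOPED_CONFIG = """
server:
    port: 5335
    access-control: 0.0.0.0/0 refuse
    access-control: 127.0.0.0/8 allow
    access-control: 172.20.0.0/24 allow   # constructed: the Pi-hole/Unbound Docker network
"""


def parse_access_control(config_text):
    """Return (network, action) tuples from access-control: lines, ignoring comments."""
    rules = []
    for line in config_text.splitlines():
        line = line.split("#", 1)[0]
        m = ACL_RE.match(line)
        if m:
            rules.append((ipaddress.ip_network(m.group(1), strict=False), m.group(2)))
    return rules


def decide(config_text, client_ip):
    """Return 'allow' or 'refuse' for client_ip under the given config text."""
    ip = ipaddress.ip_address(client_ip)
    rules = DEFAULT_RULES + parse_access_control(config_text)
    candidates = [
        (net.prefixlen, idx, act)
        for idx, (net, act) in enumerate(rules)
        if net.version == ip.version and ip in net
    ]
    if not candidates:
        return "refuse"
    # Longest prefix wins; on a tie, the later (config-supplied) line wins.
    _, _, action = max(candidates)
    return action


def is_rfc1918(addr):
    """True if addr lies in one of the RFC 1918 private ranges."""
    ip = ipaddress.ip_address(addr)
    return ip.version == 4 and any(ip in net for net in RFC1918)


if __name__ == "__main__":
    for name, cfg in (("default", DEFAULT_CONFIG), ("open", OPEN_CONFIG), ("scoped", SCOPED_CONFIG)):
        for client in ("127.0.0.1", "172.20.0.5", "203.0.113.9"):
            print(f"{name:8} {client:12} -> {decide(cfg, client)}")
    print("172.90.0.5 private:", is_rfc1918("172.90.0.5"))
    print("172.20.0.5 private:", is_rfc1918("172.20.0.5"))
```

Running it shows why the original test passed from 127.0.0.1 but not from the Pi-hole container, why 0.0.0.0/0 allow also answers an arbitrary outside address, and how the scoped version keeps the container-to-container path working without turning the instance into an open resolver.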

Glad you got it sorted. :wink:

I also just noticed your usage of unbound port numbers has been inconsistently switching between 5353 and 5335.

The latter is the better choice - you may want to check your setup against the default config from our unbound community guide, just in case.


Yep, my bad, thank you so much for the help.
