Unable to resolve

dig +dnssec cnn.com @1.0.0.1

; <<>> DiG 9.11.5-P4-5.1-Raspbian <<>> +dnssec cnn.com @1.0.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31994
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;cnn.com. IN A

;; ANSWER SECTION:
cnn.com. 59 IN A 151.101.129.67
cnn.com. 59 IN A 151.101.193.67
cnn.com. 59 IN A 151.101.1.67
cnn.com. 59 IN A 151.101.65.67

;; Query time: 119 msec
;; SERVER: 1.0.0.1#53(1.0.0.1)
;; WHEN: Fri Jul 05 08:10:18 CDT 2019
;; MSG SIZE rcvd: 100

As one can see from the date, the output looks similar. :dizzy_face:
How can I tell if the DNSSEC is valid?

Let's go back to your original problem. If you dig a domain without going directly to the DNS server IP, are you able to resolve it?

dig microsoft.com returns an IP or SERVFAIL?

SERVFAIL

dig microsoft.com

; <<>> DiG 9.11.5-P4-5.1-Raspbian <<>> microsoft.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 6115
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;microsoft.com. IN A

;; Query time: 650 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sat Oct 12 15:11:46 CDT 2019
;; MSG SIZE rcvd: 42

The short term solution is to disable DNSSEC, since that's where your problem lies.

:slightly_frowning_face:
ISP intercepting port 53, thus breaking DNSSEC.
Using other ISP for now.
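
Added example, not part of any post in this thread: a shell helper that reads captured `dig +dnssec` output and reports whether the resolver marked the answer as validated (the `ad` header flag), returned it unvalidated, or failed with SERVFAIL. `dnssec_verdict` and the `sample_*` functions are hypothetical names; the first two samples reuse header lines from the dig runs above, the third is constructed.

```shell
#!/bin/sh
# Added example: classify captured dig output by header status and AD flag.
# dnssec_verdict is a hypothetical helper; it reads dig output on stdin.
dnssec_verdict() {
    awk '
        /->>HEADER<<-/ {
            for (i = 1; i <= NF; i++)
                if ($i == "status:") { status = $(i + 1); sub(/,$/, "", status) }
        }
        /^;; flags:/ {
            # Header flags end at the first ";" (";; flags: qr rd ra; QUERY: 1, ...")
            flags = $0; sub(/^;; flags:/, "", flags); sub(/;.*/, "", flags)
            n = split(flags, f, " ")
            for (i = 1; i <= n; i++) if (f[i] == "ad") ad = 1
        }
        # Record lines do not start with ";"; look for an RRSIG type field
        /^[^;]/ { for (i = 1; i <= NF; i++) if ($i == "RRSIG") rrsig = 1 }
        END {
            if (status == "SERVFAIL")     v = "servfail"
            else if (status != "NOERROR") v = "other"
            else if (ad)                  v = "validated"
            else                          v = "unvalidated"
            printf "%s rrsig=%s\n", v, (rrsig ? "yes" : "no")
        }
    '
}

# Header and answer lines taken from the two dig runs shown in the thread
sample_noerror() { cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31994
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1
cnn.com. 59 IN A 151.101.129.67
EOF
}
sample_servfail() { cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 6115
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
EOF
}
# Constructed sample: what a validated answer for a signed zone looks like
sample_validated() { cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
example.test. 300 IN A 192.0.2.10
example.test. 300 IN RRSIG A 13 2 300 (constructed-signature-fields)
EOF
}
for s in sample_noerror sample_servfail sample_validated; do
    printf '%s: ' "$s"; "$s" | dnssec_verdict
done
```

A SERVFAIL from a validating resolver that turns into an answer when the query is repeated with `dig +cd` (checking disabled) points to a validation failure rather than an unreachable upstream.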

DoT and DoH would be a nice built-in feature to have.
