I am having a problem with DNS lookups and I am not even sure how to formulate the question, so please bear with me.
My setup is Internet – IPFire – ClearOS7. ClearOS runs a system called Gateway Management which is a branding of AdamNetworks’ Adam:one, a DNS filtering tool.
IPFire is currently running as a recursive resolver but the same problem exists when running as a Caching DNS server. All other boxes are empty on the DNS setup screen.
With Gateway Management running, in ClearOS I can resolve 1024 and 2048 bit domainkeys (1024._domainkey.howitts.co.uk and 2048_domainkey.howitts.co.uk) with nslookup. I can resolve 4096 bit domainkeys using the dig command dig txt 202403._domainkey.howitts.co.uk but with nslookup I get:
[root@server ~]# nslookup -q=txt 202403._domainkey.howitts.co.uk
Server: 127.0.0.1
Address: 127.0.0.1#53
Non-authoritative answer:
*** Can't find 202403._domainkey.howitts.co.uk: No answer
Authoritative answers can be found from:
howitts.co.uk
origin = achiel.ns.cloudflare.com
mail addr = dns.cloudflare.com
serial = 2336336559
refresh = 10000
retry = 2400
expire = 604800
minimum = 1800
Without Gateway Management on ClearOS 7 it all works. This may lead you to think it is Gateway Management, but if I change ClearOS’s upstream resolver from IPFire to Cloudflare, all lookups work. This leads me to believe Unbound is doing an invalid lookup or giving an invalid response to a particular query formatted by Gateway Management.
I have pcap files of the working and non-working lookups between ClearOS and IPFire but I don’t know how to interpret them.
I’ve dropped the unbound cache and run tcpdump on all interfaces. I can see the correct response coming back in from upstream to Red but it doesn’t get passed onto Green.
It is difficult. Without Gateway Management on ClearOS, everything works as expected from any machine behind IPFire (including ClearOS) and from IPFire. With Gateway Management, the lookup goes from ClearOS to IPFire and onto the internet. It comes back with valid data to IPFire, but then does not make it to ClearOS.
If I change ClearOS’s upstream resolver to Cloudflare, then ClearOS receives an answer back.
This suggests ClearOS/Gateway Management is formulating the DNS request in a valid way, but Unbound can’t handle it.
I can do packet sniffing but don’t know how to interpret the results and see what is different with the ClearOS/Gateway Management DNS request. I then don’t know the protocol enough to know what is doing wrong.
The part of the reply starting 202403._.... is (IIRC) 822 bytes long so should easily be inside allowable packet sizes and should be common to the reply bypassing Unbound. This suggests to me that there is something else going on here in the lookup request.
I am trying them but not getting too much help. It is too easy to blame the other system. I have some pcap files but it needs someone who can understand them and that person isn’t me.
ClearOS does not use DNSSEC. Also 2048 bit keys are looked up OK, just not 4096 bit keys.
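The posts above ask what to compare between the working and non-working captures without knowing the protocol well. As an added example (not code from the original thread, nor from IPFire, Unbound or ADAMnetworks), the Python script below decodes raw DNS wire messages and pulls out the fields a practitioner checks first in exactly this situation: whether the query carries an EDNS(0) OPT record and what UDP buffer size it advertises, the message size, the TC (truncated) bit, the RCODE and the answer count. Classic DNS over UDP without EDNS(0) is limited to 512 bytes (RFC 1035); a larger answer comes back with TC set and an empty answer section, and a client that does not retry over TCP reports "No answer" even though the resolver holds the record. Whether that is what is happening here is what the pcaps will show, so the script reports the fields rather than assuming a cause. The hostname is the one from the post; the DKIM key text, the two queries and the two responses are constructed stand-ins built inline so the script runs offline.

```python
"""Decode DNS wire messages and report the fields worth comparing between
a working and a non-working lookup (EDNS(0) buffer size, size, TC bit, counts).

Added example for the thread above; the packets are constructed here, not captured.
"""
import struct

TYPE_TXT = 16
TYPE_OPT = 41
FLAG_QR, FLAG_TC, FLAG_RD, FLAG_RA = 0x8000, 0x0200, 0x0100, 0x0080


def encode_name(name):
    """Encode a dotted name as DNS labels (RFC 1035 section 3.1)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def decode_name(data, offset):
    """Decode a (possibly compressed) name; returns (name, offset after the name)."""
    labels, end, jumped = [], None, False
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:                       # compression pointer
            ptr = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, ptr
            continue
        offset += 1
        if length == 0:
            break
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels) + ".", (offset if end is None else end)


def build_query(name, qtype, txid=0x1234, edns_udp_size=None, do=False):
    """Standard recursive query; adds an OPT pseudo-RR when edns_udp_size is given."""
    arcount = 1 if edns_udp_size is not None else 0
    msg = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, arcount)
    msg += encode_name(name) + struct.pack("!HH", qtype, 1)
    if edns_udp_size is not None:
        # OPT: root name, TYPE 41, CLASS = advertised UDP payload size, TTL holds the DO bit
        msg += b"\x00" + struct.pack("!HHIH", TYPE_OPT, edns_udp_size, 0x8000 if do else 0, 0)
    return msg


def build_txt_response(query, txt_value, truncated=False, edns_udp_size=None):
    """Constructed TXT answer to `query`. A truncated reply models what a resolver
    sends when the answer exceeds the client's UDP limit: TC set, no answer RRs."""
    txid = struct.unpack("!H", query[:2])[0]
    _, off = decode_name(query, 12)
    question = query[12:off + 4]
    chunks = [txt_value[i:i + 255].encode() for i in range(0, len(txt_value), 255)]
    rdata = b"".join(bytes([len(c)]) + c for c in chunks)   # TXT = <len><chars>...
    flags = FLAG_QR | FLAG_RD | FLAG_RA | (FLAG_TC if truncated else 0)
    msg = struct.pack("!HHHHHH", txid, flags, 1, 0 if truncated else 1, 0,
                      1 if edns_udp_size is not None else 0) + question
    if not truncated:   # answer name is a pointer to the question name at offset 12
        msg += b"\xc0\x0c" + struct.pack("!HHIH", TYPE_TXT, 1, 1800, len(rdata)) + rdata
    if edns_udp_size is not None:
        msg += b"\x00" + struct.pack("!HHIH", TYPE_OPT, edns_udp_size, 0, 0)
    return msg


def parse_message(data):
    """Parse header, question and all RR sections; surface the EDNS(0) OPT values."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    info = {"id": txid, "qr": bool(flags & FLAG_QR), "tc": bool(flags & FLAG_TC),
            "rd": bool(flags & FLAG_RD), "rcode": flags & 0x000F, "qdcount": qd,
            "ancount": an, "arcount": ar, "edns_udp_size": None, "do": False,
            "questions": [], "answers": [], "size": len(data)}
    off = 12
    for _ in range(qd):
        name, off = decode_name(data, off)
        qtype = struct.unpack("!H", data[off:off + 2])[0]
        off += 4
        info["questions"].append((name, qtype))
    for section, count in (("answers", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            name, off = decode_name(data, off)
            rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
            off += 10 + rdlen
            if rtype == TYPE_OPT:
                info["edns_udp_size"], info["do"] = rclass, bool(ttl & 0x8000)
            elif section == "answers":
                info["answers"].append((name, rtype, rdlen))
    return info


def diff_messages(a, b):
    """Fields that differ between two parsed messages (working vs. non-working)."""
    keys = ("tc", "rd", "rcode", "qdcount", "ancount", "arcount", "edns_udp_size", "do", "size")
    return {k: (a[k], b[k]) for k in keys if a[k] != b[k]}


def explain(info):
    """Plain-language notes on the size/truncation fields of one message."""
    notes = []
    if info["tc"]:
        notes.append("TC set: answer did not fit in UDP, client must retry over TCP")
    if info["edns_udp_size"] is None:
        notes.append("no EDNS(0) OPT: peer must assume the 512-byte classic UDP limit")
    elif info["size"] > info["edns_udp_size"]:
        notes.append("message larger than the advertised EDNS(0) buffer")
    return notes


def inspect_example():
    """Constructed scenario: the same TXT name queried with and without EDNS(0)."""
    name = "202403._domainkey.howitts.co.uk"
    key = "v=DKIM1; k=rsa; p=" + "A" * 700   # stand-in for a 4096-bit key, not the real record
    q_plain = build_query(name, TYPE_TXT)
    q_edns = build_query(name, TYPE_TXT, edns_udp_size=4096)
    full = build_txt_response(q_edns, key, edns_udp_size=4096)
    trunc = build_txt_response(q_plain, key, truncated=True)
    return {k: parse_message(v) for k, v in
            (("q_plain", q_plain), ("q_edns", q_edns), ("full", full), ("trunc", trunc))}


if __name__ == "__main__":
    r = inspect_example()
    for k, v in r.items():
        print(k, {x: v[x] for x in ("size", "tc", "ancount", "edns_udp_size")}, explain(v))
    print("full vs trunc:", diff_messages(r["full"], r["trunc"]))
```

To apply it to the captures, export the UDP payload of the ClearOS query and of the IPFire reply from Wireshark (Copy as a Hex Stream), feed `bytes.fromhex(...)` of each to `parse_message`, and run `diff_messages` on the ClearOS-to-IPFire pair against the ClearOS-to-Cloudflare pair. On the command line, `dig +noedns` sends a query without the OPT record and `dig +ignore` makes dig accept a truncated reply instead of retrying over TCP, which lets you reproduce a client with either behaviour against Unbound directly.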
To answer @bbitsch, it is complicated. Until a month ago ClearOS was my gateway to the internet. I demoted it to a standalone server behind IPFire. Then it came to my attention that Gateway Management v3 was going to die on 27th March. While I have no love left for my former employer, Clearcenter, who are screwing everyone over, I feel sorry for the company who produces Gateway Management (GM), ADAMnetworks, and they will lose a revenue stream, so I am trying to test an update to v4 of GM for them. To do that, I’ve put ClearOS back into Gateway mode and re-enabled GM, but it is on my LAN and I have set up a 1 PC LAN behind ClearOS just for testing.
For ClearOS DNS, I have been trying to use the IPFire DNS as its upstream resolver, as I was doing while it was standalone on my LAN. It is trivial to revert it to using Cloudflare as its upstream DNS, but then I have to replicate the IPFire Hosts in ClearOS. It was while using IPFire upstream that I bumped into this issue when updating Amavis…
The 2 stage gateway is not normal and is just for testing GM, but it should work. All the rest of my home net is on the IPFire LAN…