DNS lookup failing

I am having a problem with DNS lookups and I am not even sure how to formulate the question, so please bear with me.

My setup is Internet – IPFire – ClearOS7. ClearOS runs a system called Gateway Management which is a branding of AdamNetworks’ Adam:one, a DNS filtering tool.

IPFire is currently running as a recursive resolver but the same problem exists when running as a Caching DNS server. All other boxes are empty on the DNS setup screen.

With Gateway Management running, in ClearOS I can resolve 1024 and 2048 bit domainkeys (1024._domainkey.howitts.co.uk and 2048_domainkey.howitts.co.uk) with nslookup. I can resolve 4096 bit domainkeys using the dig command dig txt 202403._domainkey.howitts.co.uk but with nslookup I get:

[root@server ~]# nslookup -q=txt 202403._domainkey.howitts.co.uk
Server:         127.0.0.1
Address:        127.0.0.1#53

Non-authoritative answer:
*** Can't find 202403._domainkey.howitts.co.uk: No answer

Authoritative answers can be found from:
howitts.co.uk
        origin = achiel.ns.cloudflare.com
        mail addr = dns.cloudflare.com
        serial = 2336336559
        refresh = 10000
        retry = 2400
        expire = 604800
        minimum = 1800

Without Gateway Management on ClearOS 7 it all works. This may lead you to think it is Gateway Management, but if I change ClearOS’s upstream resolver from IPFire to Cloudflare, all lookups work. This leads me to believe Unbound is doing an invalid lookup or giving an invalid response to a particular query formatted by Gateway Management.

I have pcap files of the working and non-working lookups between ClearOS and IPFire but I don’t know how to interpret them.

Can anyone please help me?

I’ve dropped the unbound cache and run tcpdump on all interfaces. I can see the correct response coming back in from upstream to Red but it doesn’t get passed onto Green.

I am guessing since your descriptions include ClearOS and Gateway Management you may not get any responses.

Can you recreate the issue without those? And describe your tests, with just IPFire, and the results?

If it helps, feel free to start a new thread and I can delete this thread.


EDIT: I entered the same command and I a got this response:

[root@ipfire ~] # nslookup -q=txt 202403._domainkey.howitts.co.uk
;; Truncated, retrying in TCP mode.
Server:		127.0.0.1
Address:	127.0.0.1#53

Non-authoritative answer:
202403._domainkey.howitts.co.uk	text = "v=DKIM1; p=MIICIjANBgkqhkiG9w0BAAAOCAg8AMIICCgKCAgEAzvkHMnL2cPPUzm6gXBIsaiRpajI1cQ3VPsE/2+z87gMFSRcFiM9gaejAgV+YFse2AEId2t0+xYXuNwG35dqS6WWlwZY3Rr5IIebcPSeXouuYR3nCdzgK/FCT8Y2vvKTkIDXYsJMQJulxdDAewb9/V7pNZ7J8wky6RRIKnbAEdqO" "zJ9nDEe6wUGXhrMxB20Z52eBk/TZgdzJwLxHzeclsWVES3Mw0tdDoUKT2QLd0SB9MsOwFcR6ph/h9VERhMAtjAmUG5YlQQ1bC8nznAwHdY2IP3RUdFZO5yPzrRvBAjfi/CmR2zHVQs7gA7b67DaMy67dURWHDhMwqXgWVNrZ4iTInWr1vLEPoNBjppn1GOkXrb+FdNoWnFM5laAEmcFK2Sie5wpzCItFjWs3f3IQZxB" "lzJHIpkvR2ZTMJ5g3DWUU3ZK1rW1kNvGLjZkox7EZH3lFfkyS6lPnfIX5XS5YYeP0RmSAWNaKinCdQq8m8SetOn6KJqOFg7dcFtvKlRrHQYyujH3dapJ10Err/xAv3iyh9B7x8C6N+qjTMjRoIfPTyLeFnAtUrFQigpj70mbZPaw9AKglDafXvnXJwn8r5/Oq3mjVKKWkCAwEAAQ=="

Authoritative answers can be found from:

[root@ipfire ~] # 

It is difficult. Without Gateway Management on ClearOS, everything works as expected from any machine behind IPFire (including ClearOS) and from IPFire. With Gateway Management, the lookup goes from ClearOS to IPFire and onto the internet. It comes back with valid data to IPFire, but then does not make it to ClearOS.

If I change ClearOS’s upstream resolver to Cloudflare, then ClearOS receives an answer back.

This suggests ClearOS/Gateway Management is formulating the DNS request in a valid way, but Unbound can’t handle it.

I can do packet sniffing but don’t know how to interpret the results and see what is different with the ClearOS/Gateway Management DNS request. I then don’t know the protocol enough to know what is doing wrong.

The part of the reply starting 202403._.... is (IIRC) 822 bytes long so should easily be inside allowable packet sizes and should be common to the reply bypassing Unbound. This suggests to me that there is something else going on here in the lookup request.
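As an added worked example (not from the original posts, and not IPFire or unbound code), the following builds the DNS wire format for a TXT query and answer using the DKIM record quoted above, and shows what a resolver does when the answer does not fit the UDP size it was offered: it strips the answer and sets the TC flag, which is what produces the ";; Truncated, retrying in TCP mode." line in the second nslookup output. The 512-byte limit is the classic RFC 1035 UDP maximum without EDNS(0); the query id, TTL and the 4096-byte buffer size are constructed values.

```python
"""Build and parse a DNS TXT query/answer on the wire and check whether the
answer fits a given UDP payload size (added example, not the thread's own code)."""
import struct
from typing import List, Optional

QNAME = "202403._domainkey.howitts.co.uk"
# The TXT value quoted in the thread, its three character-strings joined.
DKIM_VALUE = (
    "v=DKIM1; p=MIICIjANBgkqhkiG9w0BAAAOCAg8AMIICCgKCAgEAzvkHMnL2cPPUzm6gXBIsaiRpajI1cQ3VPsE/2+z87gMFSRcFiM9gaejAgV+YFse2AEId2t0+xYXuNwG35dqS6WWlwZY3Rr5IIebcPSeXouuYR3nCdzgK/FCT8Y2vvKTkIDXYsJMQJulxdDAewb9/V7pNZ7J8wky6RRIKnbAEdqO"
    "zJ9nDEe6wUGXhrMxB20Z52eBk/TZgdzJwLxHzeclsWVES3Mw0tdDoUKT2QLd0SB9MsOwFcR6ph/h9VERhMAtjAmUG5YlQQ1bC8nznAwHdY2IP3RUdFZO5yPzrRvBAjfi/CmR2zHVQs7gA7b67DaMy67dURWHDhMwqXgWVNrZ4iTInWr1vLEPoNBjppn1GOkXrb+FdNoWnFM5laAEmcFK2Sie5wpzCItFjWs3f3IQZxB"
    "lzJHIpkvR2ZTMJ5g3DWUU3ZK1rW1kNvGLjZkox7EZH3lFfkyS6lPnfIX5XS5YYeP0RmSAWNaKinCdQq8m8SetOn6KJqOFg7dcFtvKlRrHQYyujH3dapJ10Err/xAv3iyh9B7x8C6N+qjTMjRoIfPTyLeFnAtUrFQigpj70mbZPaw9AKglDafXvnXJwn8r5/Oq3mjVKKWkCAwEAAQ=="
)
TYPE_TXT, CLASS_IN = 16, 1
CLASSIC_UDP_LIMIT = 512          # RFC 1035 UDP maximum without EDNS(0)
FLAG_QR, FLAG_TC, FLAG_RD, FLAG_RA = 0x8000, 0x0200, 0x0100, 0x0080


def encode_name(name: str) -> bytes:
    """Dotted name -> length-prefixed labels terminated by a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError("DNS label length must be 1..63 bytes")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def split_txt(value: str) -> List[str]:
    """TXT RDATA is a sequence of <character-string>s of at most 255 bytes each."""
    return [value[i:i + 255] for i in range(0, len(value), 255)]


def encode_txt_rdata(value: str) -> bytes:
    return b"".join(bytes([len(c)]) + c.encode("ascii") for c in split_txt(value))


def decode_txt_rdata(rdata: bytes) -> str:
    """Inverse of encode_txt_rdata: concatenate the character-strings."""
    parts, i = [], 0
    while i < len(rdata):
        n = rdata[i]
        parts.append(rdata[i + 1:i + 1 + n].decode("ascii"))
        i += 1 + n
    if i != len(rdata):
        raise ValueError("short character-string in TXT RDATA")
    return "".join(parts)


def build_query(name: str, txid: int = 0x1234) -> bytes:
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", TYPE_TXT, CLASS_IN)


def build_txt_answer(name: str, value: str, txid: int = 0x1234, ttl: int = 300,
                     max_size: int = CLASSIC_UDP_LIMIT) -> bytes:
    """Build the response; if it exceeds max_size (the UDP payload size the
    client offered), drop the answer section and set TC, as a server does."""
    question = encode_name(name) + struct.pack("!HH", TYPE_TXT, CLASS_IN)
    rdata = encode_txt_rdata(value)
    # 0xC00C is a compression pointer to the owner name at offset 12 (the question).
    rr = b"\xc0\x0c" + struct.pack("!HHIH", TYPE_TXT, CLASS_IN, ttl, len(rdata)) + rdata
    flags = FLAG_QR | FLAG_RD | FLAG_RA
    full = struct.pack("!HHHHHH", txid, flags, 1, 1, 0, 0) + question + rr
    if len(full) <= max_size:
        return full
    return struct.pack("!HHHHHH", txid, flags | FLAG_TC, 1, 0, 0, 0) + question


def parse_header(msg: bytes) -> dict:
    txid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & FLAG_QR), "tc": bool(flags & FLAG_TC),
            "rcode": flags & 0x000F, "qdcount": qd, "ancount": an}


def answer_txt(msg: bytes) -> Optional[str]:
    """TXT value of the first answer RR, or None when the reply carries no answer."""
    if parse_header(msg)["ancount"] == 0:
        return None
    i = 12
    while msg[i] != 0:               # skip the question name (no compression here)
        i += 1 + msg[i]
    i += 1 + 4                       # zero byte, then QTYPE/QCLASS
    if msg[i] & 0xC0 == 0xC0:        # owner name: compression pointer ...
        i += 2
    else:                            # ... or plain labels
        while msg[i] != 0:
            i += 1 + msg[i]
        i += 1
    _, _, _, rdlen = struct.unpack("!HHIH", msg[i:i + 10])
    return decode_txt_rdata(msg[i + 10:i + 10 + rdlen])


if __name__ == "__main__":
    for size in (CLASSIC_UDP_LIMIT, 4096):
        reply = build_txt_answer(QNAME, DKIM_VALUE, max_size=size)
        print(f"buffer {size}: {len(reply)} bytes on the wire, TC={parse_header(reply)['tc']}")
```

Run stand-alone it prints the wire size for a 512-byte and a 4096-byte buffer; only the first sets TC. When reading the pcaps, the things to compare between the working and non-working exchanges are the flags word (whether the reply to ClearOS has TC set), whether an OPT record advertising a UDP buffer size is present in the query, and whether a TCP retry on port 53 follows a truncated reply.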

I venture to guess the unbound users mailing list would be able to offer better answers than we would. Let us know what happens!

I am trying them but not getting too much help. It is too easy to blame the other system. I have some pcap files but it needs someone who can understand them and that person isn’t me.

Another approach would be to describe the installation exactly.

  • physical connection, wires between NICs of the devices
  • a ClearOS machine can be configured as gateway, is your device gateway for your LAN to IPFire as gateway to the WAN?
  • if yes, how have you configured the DNS part of ClearOS?
  • why is the two-stage gateway necessary?

My only thought is unbound validates DNSSEC to itself (IPFire) but does not forward the DNSSEC response to client
Possible unbound setting?

If the client is validating DNSSEC, then why use IPFire DNS?

ClearOS does not use DNSSEC. Also 2048 bit keys are looked up OK, just not 4096 bit keys.

To answer @bbitsch is complicated. Until a month ago ClearOS was my gateway to the internet. I demoted it to a standalone server behind IPFire. Then it came to my attention that Gateway Management v3 was going to die on 27th March. While I have no love left for my former employer, Clearcenter, who are screwing everyone over, I feel sorry for the company who produces Gateway Management (GM), ADAMnetworks, and they will lose a revenue stream so I am trying to test an update to v4 of GM for them. To do that, I’ve put ClearOS back into Gateway mode and re-enabled GM but it is on my LAN and I have set up a 1 PC LAN behind ClearOS just for testing.
For ClearOS DNS, I have been trying to use the IPFire DNS as its upstream resolver as I was doing while it was standalone on my LAN. It is trivial to revert it to using Cloudflare as its upstream DNS but then I have to replicate the IPFire Hosts in ClearOS. It was while using IPFire upstream that I bumped into this issue when updating Amavis…
The 2 stage gateway is not normal and is just for testing GM, but it should work. All the rest of my home net is on the IPFire LAN…