Has DNSSEC improved in 139?

Has DNSSEC been improved in Core 139?

Since the DNSSEC changes (I think Core 136-137) have been implemented I had to stop using IPFIRE because it became unworkable: too many DNS errors (in my mail server).

Let me explain the situation:

  • Provider -> FritzBox (DNS-ip=DNS Provider) -> IPFIRE (DNS-ip=DNS FritzBox) -> MailServer (DNS-ip=DNS IPFIRE)
    The mail server reports a lot of connection errors due to "DNS-server seems to have a technical problem"

When I remove IPFIRE:

  • Provider -> FritzBox (DNS-ip=DNS Provider) -> MailServer (DNS-ip=DNS FritzBox)
    The mail server reports NO ERRORS at all

I am not aware of any DNS problems like that.

It might be that DNSSEC is indeed filtering spoofed or broken records because the signatures do not match. Your FritzBox router does not do that and might let the malicious ones pass.

In case of spoofed / broken records, I would suppose they would always be filtered. But that’s not the case!

Sometimes there are no errors for a couple of hours, sometimes there is a series of errors followed by some correct connections and then again some errors.

It’s happening for different IMAP/POP-servers, I couldn’t find any “rule” in what’s happening.

Very weird and very annoying as I had to stop using IPFIRE due to that.

Are you sure that you just didn’t have upstream name servers that didn’t work very well?

Sure, no. But I did notice some other connectivity problems with other sites (in my browser and so on), but they were probably also DNS-related as they disappeared too. I have been patient and continued using IPFIRE till 138.

I have been working on loads of DNS changes this week, but unfortunately won’t find the time to finish it. Stefan is helping out a lot here: https://git.ipfire.org/?p=people/ms/ipfire-2.x.git;a=shortlog;h=refs/heads/next-dns-ng

Core Update 139 also has a new version of the DNS proxy. Maybe you ran into a bug that was solved here.

Ok, I’ll give 139 a try and see what’s happening (and report back my findings)

No good. I tried 139 for a couple of hours, and the same problem is occurring.

Which DNS server are you using?

There are only problems when the IPFIRE DNS is part of the DNS upstream chain. Without IPFIRE everything is working fine.

Hello Walter,

please give us some input. Which nameservers (IP addresses) are you using?

Thanks in advance,

-Stefan

When IPFIRE is in use, its DNS is the DNS of the FritzBox.
The DNS servers of the FritzBox are those of my provider: primary 212.71.0.2, secondary 212.71.8.11.
And remember, the problem I have is only when IPFIRE is active in the upstream chain. In other words, there are NO problems without IPFIRE, so I wonder why knowing the nameservers of my provider can be of any use (IMHO IPFIRE does not talk to them).

Maybe because no system checks whether the DNS answers have been modified. This is the reason why IPFire uses DNSSEC.

I’m not sure if a Fritz!Box DNS cache correctly passes through the signatures. Configure the DNS servers on the IPFire.
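The two points raised so far, that a validating resolver drops records whose signatures do not match, and that a Fritz!Box cache sitting in front of IPFire may not pass the signatures through, can be checked on the wire. The following is an added example (not code from this thread or from the IPFire project): it parses a DNS response and reports the three things a validator such as unbound needs from its upstream, an EDNS OPT record with the DO bit, RRSIG records in the answer, and the AD flag. It does not verify any signature; it only tells you whether DNSSEC material survives the path. The responses it inspects are constructed inline, and the names, TTLs and the placeholder RRSIG rdata are made up for the demonstration.

```python
"""Check whether a DNS response carries DNSSEC material.

Constructed wire-format messages only (labelled below); nothing here
touches the network or verifies a signature. The idea is to look at the
same things a validator such as unbound depends on: an EDNS OPT record
with the DO bit, RRSIG records in the answer, and the AD flag.
"""
import struct

TYPE_A, TYPE_OPT, TYPE_RRSIG = 1, 41, 46
FLAG_AD = 0x0020          # "authentic data" bit in the header flags
OPT_DO = 0x8000           # DNSSEC OK bit in the OPT record's TTL field


def encode_name(name):
    """Encode a dotted name as DNS labels (root "." becomes a single 0 byte)."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) name at msg[off]."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:       # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length


def parse_response(msg):
    """Walk every section and report the DNSSEC-relevant fields."""
    _ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                 # question: name + qtype + qclass
        off = skip_name(msg, off) + 4
    report = {"rcode": flags & 0xF, "ad": bool(flags & FLAG_AD),
              "edns": False, "do": False, "rrsigs": 0}
    for count in (an, ns, ar):
        for _ in range(count):
            off = skip_name(msg, off)
            rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10 + rdlen
            if rtype == TYPE_RRSIG:
                report["rrsigs"] += 1
            elif rtype == TYPE_OPT:     # OPT: class = UDP size, TTL = ext. RCODE/version/DO
                report["edns"] = True
                report["do"] = bool(ttl & OPT_DO)
    return report


def classify(report):
    """Turn the parsed fields into the verdict a troubleshooter wants."""
    if report["rcode"] == 2:
        return "SERVFAIL: upstream failure or a validator rejected the data"
    if not report["edns"]:
        return "no EDNS: this path cannot carry DNSSEC records at all"
    if not report["do"]:
        return "DO bit cleared: forwarder does not request or pass signatures"
    if report["rrsigs"] == 0:
        return "RRSIG missing: forwarder strips DNSSEC records (or the zone is unsigned)"
    if report["ad"]:
        return "validated upstream: RRSIG present and AD set"
    return "signatures passed through: RRSIG present, validate locally"


def build_response(qname, rcode=0, ad=False, rrsig=False, do=None):
    """Constructed sample response (not captured traffic) for a single A query."""
    flags = 0x8180 | (FLAG_AD if ad else 0) | rcode      # QR, RD, RA set
    answers, additional = [], []
    if rcode == 0:
        answers.append((qname, TYPE_A, 1, 300, bytes([192, 0, 2, 10])))
        if rrsig:                                         # placeholder rdata; fields are not inspected
            answers.append((qname, TYPE_RRSIG, 1, 300, b"\x00" * 40))
    if do is not None:                                    # OPT pseudo-record at the root name
        additional.append((".", TYPE_OPT, 4096, OPT_DO if do else 0, b""))
    msg = struct.pack("!HHHHHH", 0x1234, flags, 1, len(answers), 0, len(additional))
    msg += encode_name(qname) + struct.pack("!HH", TYPE_A, 1)
    for name, rtype, rclass, ttl, rdata in answers + additional:
        msg += encode_name(name) + struct.pack("!HHIH", rtype, rclass, ttl, len(rdata)) + rdata
    return msg


if __name__ == "__main__":
    samples = {
        "validating resolver": build_response("example.org.", ad=True, rrsig=True, do=True),
        "pass-through forwarder": build_response("example.org.", rrsig=True, do=True),
        "signature-stripping forwarder": build_response("example.org.", do=True),
        "no EDNS support": build_response("example.org."),
        "validation failure": build_response("example.org.", rcode=2, do=True),
    }
    for label, wire in samples.items():
        print(f"{label:32s} {classify(parse_response(wire))}")
```

The fields this inspects are the ones `dig +dnssec` prints as the `ad` and `do` flags plus RRSIG lines in the answer section. Querying the Fritz!Box and the provider's servers directly with the same signed name, and comparing the two results, shows whether the signatures are lost on the hop that IPFire validates behind; a forwarder that answers without RRSIG for a zone that is signed is exactly the case in which a validating IPFire will return errors while the unvalidated path looks fine.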

When I find the time I’ll insert IPFIRE again in the upstream chain (which is not done in 1-2-3).
But if I remember well I have already tested with the provider DNS specified in IPFIRE, and AFAIK this didn’t change anything.
Problems like these are the reasons why it should (as a workaround) be possible to disable DNSSEC completely.
Now I have to remove IPFIRE completely and lose also all the other protections provided by IPFIRE.
I know this has been asked before by others, and the answer was NO.
The result is NO IPFIRE at all
Don’t know what is best :worried:

In my case:

fritz box->ipfire->systems

IPFire red -> static with DNS of LWL and Digitalcourage, no problems.

https://wiki.ipfire.org/dns/public-servers

Give it a try :slight_smile:

The upcoming release of IPFire gets a new CGI for DNS servers, but both of your ISP’s servers are not working from here, so try other servers.

Why? There is no default rule that prevents you from using another DNS server in your network. You can simply set another IP as DNS via DHCP, and an upstream proxy for Pakfire. In this case the DNS of the IPFire is not used at all.

Interesting. I use a local Pi-hole as DNS server; I hope that will still work without problems.

DNSSEC has always worked great and is green.

All my DNS requests are sent to my Pi-hole and then forwarded to an external DNS.

Because Arne wrote that my ISP’s servers didn’t work, I changed the DNS-servers in my Fritz!Box (see situation explanation in an earlier post) to 1.1.1.1 & 1.0.0.1.

And indeed that worked without problems in 139 till … I installed 141 a couple of days ago!
Now the same (identical) problems (also) with those DNS servers in 141.

I’m really getting annoyed with that ongoing DNSSEC story, the more so as not all specialists are convinced about the effectiveness of / need for it, which seems to be the reason not many DNS servers seem to be DNSSEC-enabled.

In my case:

fritz box->ipfire->systems

IPFire red -> static with DNS of LWL and Digitalcourage, no problems.

https://wiki.ipfire.org/dns/public-servers

Give it a try; maybe a clean install of Core 141 helps.

Those two, 1.1.1.1 & 1.0.0.1, are the Cloudflare ones I got from that wiki list.