AdguardTeam / AdGuardDNS

Public DNS resolver that protects you from ad trackers
https://adguard-dns.io/
GNU Affero General Public License v3.0

DNSSEC fails to validate when using my profile #826

Open asdfjkluiop opened 2 months ago

asdfjkluiop commented 2 months ago

Platform

Linux

Protocol

DNS-over-TLS

Do you use AdGuard app?

No I don't

Your configuration

Stubby is used to handle DoT, but this happens when using dedicated IPv6 addresses too

Traceroute to AdGuard DNS

First two hops with my IPs have been removed

traceroute to 2a10:50c0::ded:ff (2a10:50c0::ded:ff), 30 hops max, 80 byte packets
 3  * * *
 4  vl198-ds1-j2-c35r106-b.sea3.constant.com (2001:19f0:fc01:b::6464:c801)  6.486 ms  6.479 ms vl199-c8-7-b2-1.pnj1.constant.com (2001:19f0:fc01:a::6464:6401)  6.538 ms
 5  ethernetet-0-0-27-sr1.lax3.constant.com (2001:19f0:fc00::a44:3fd)  7.012 ms ethernetet-0-0-26-sr1.lax3.constant.com (2001:19f0:fc00::a44:3f5)  6.937 ms ethernetet-3-0-26-sr2.lax3.constant.com (2001:19f0:fc00::a44:401)  7.129 ms
 6  ethernetae1-er1.lax3.constant.com (2001:19f0:fc00::a44:109)  7.300 ms ethernetae2-er2.lax3.constant.com (2001:19f0:fc00::a44:115)  19.216 ms  19.190 ms
 7  et-0-0-61.cr3-lax2.ip6.gtt.net (2001:668:0:3:ffff:2:0:18f1)  5.341 ms  5.076 ms xe-0-4-3-1.a04.lsanca07.us.bb.gin.ntt.net (2001:418:0:5000::1015)  49.421 ms
 8  2001:418:1400:5000::10e2 (2001:418:1400:5000::10e2)  4.776 ms 2001:418:1400:5000::10ea (2001:418:1400:5000::10ea)  5.414 ms  5.407 ms
 9  vl223.lax-cs2-dist-2.cdn77.com (2a02:6ea0:1:1::91)  5.364 ms vl224.lax-cs2-dist-2.cdn77.com (2a02:6ea0:1:1::93)  5.051 ms  5.070 ms
10  2a10:50c0::ded:ff (2a10:50c0::ded:ff)  5.143 ms vl221.lax-cs2-dist-1.cdn77.com (2a02:6ea0:1:1::87)  4.891 ms 2a10:50c0::ded:ff (2a10:50c0::ded:ff)  5.446 ms

Issue Details

delv aaaa cloudflare.com fails when using my AdGuard profile; it DOES NOT fail when using the public non-profile IP 2a10:50c0::ded:ff. This started happening a few months ago, and I've had to stop using AdGuard as a result. No changes were made to my profile setup; it just started to fail. I can provide the dedicated IP address of a test device on my profile to assist with debugging. See the output below when using my profile:

;; broken trust chain resolving 'cloudflare.com/DS/IN': 
;; broken trust chain resolving 'cloudflare.com/DNSKEY/IN': 
;; broken trust chain resolving 'cloudflare.com/AAAA/IN': 
;; resolution failed: broken trust chain

Expected Behavior

DNSSEC domains should successfully verify when using my profile

Actual Behavior

DNSSEC domains fail to verify using my profile, they only verify successfully when using the public IP with no profile.

Screenshots

No response

Additional Information

No response
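The report above compares one resolver that lets delv build the DNSSEC chain against one that does not. The script below is an added diagnostic for reproducing that comparison; it is not part of the issue or of the AdGuard DNS project. It sends the same kind of query delv sends (EDNS0 with the DO bit) for the DS, DNSKEY and AAAA records of cloudflare.com, then reports the RCODE, the AD flag and whether RRSIG records came back, since a validating client cannot build a trust chain if the signatures are stripped. The address 2a10:50c0::ded:ff is the public endpoint from the issue; 2001:db8::1 is a placeholder for a profile's dedicated address and must be replaced. It uses plain UDP/53 rather than DoT, which the reporter says also shows the problem on dedicated IPs.

```python
"""Compare how two resolvers answer DO-bit queries for a DNSSEC-signed name."""
import socket
import struct

TYPE_NAMES = {1: "A", 28: "AAAA", 41: "OPT", 43: "DS", 46: "RRSIG", 48: "DNSKEY"}
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def encode_name(name):
    """Wire-format a dotted name (labels prefixed by length, no compression)."""
    out = b""
    for label in name.strip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype, txid=0x1234):
    """Query with RD set plus an OPT record carrying the DO bit (flags 0x8000)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)
    # OPT RR: root name, type 41, UDP payload 1232, ext-rcode 0, version 0, DO set, rdlen 0
    opt = b"\x00" + struct.pack("!HHBBHH", 41, 1232, 0, 0, 0x8000, 0)
    return header + question + opt


def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) name starting at off."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:      # compression pointer: two bytes, ends the name
            return off + 2
        off += 1
        if length == 0:
            return off
        off += length


def summarize(resp):
    """Parse the header and answer section: RCODE, AD flag, answer-type counts."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(resp, off) + 4  # QTYPE + QCLASS
    counts = {}
    for _ in range(an):
        off = skip_name(resp, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        off += 10 + rdlen
        key = TYPE_NAMES.get(rtype, str(rtype))
        counts[key] = counts.get(key, 0) + 1
    return {"id": txid, "rcode": RCODE_NAMES.get(flags & 0x0F, str(flags & 0x0F)),
            "ad": bool(flags & 0x0020), "answers": counts}


def verdict(summary):
    """One-line reading of a summary for a name that is known to be signed."""
    if summary["rcode"] == "SERVFAIL":
        return "SERVFAIL: resolver failed validation or the upstream lookup"
    if summary["rcode"] != "NOERROR":
        return summary["rcode"]
    if "RRSIG" not in summary["answers"]:
        return "NOERROR but no RRSIG: signatures stripped, a validating client cannot build the chain"
    return "NOERROR with RRSIG" + (" and AD" if summary["ad"] else " but no AD")


def probe(resolver, name, qtype=48, timeout=3.0):
    """Send one DO-bit query over UDP/53 to an IPv4 or IPv6 address and summarize the reply."""
    query = build_query(name, qtype)
    family = socket.AF_INET6 if ":" in resolver else socket.AF_INET
    with socket.socket(family, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (resolver, 53))
        resp, _ = sock.recvfrom(4096)
    if resp[:2] != query[:2]:
        raise ValueError("transaction id mismatch")
    return summarize(resp)


# Constructed sample (not captured traffic): a validated AAAA answer with its RRSIG,
# so the parser and verdict can be exercised offline.
SAMPLE_VALIDATED = (
    b"\x12\x34\x81\xa0\x00\x01\x00\x02\x00\x00\x00\x00"          # QR RD RA AD, 1 question, 2 answers
    + encode_name("cloudflare.com") + b"\x00\x1c\x00\x01"        # question: AAAA IN
    + b"\xc0\x0c\x00\x1c\x00\x01\x00\x00\x01\x2c\x00\x10" + b"\x26\x06" + b"\x00" * 14  # AAAA
    + b"\xc0\x0c\x00\x2e\x00\x01\x00\x00\x01\x2c\x00\x04" + b"\x00" * 4                 # RRSIG (rdata stub)
)

if __name__ == "__main__":
    print("offline sample:", verdict(summarize(SAMPLE_VALIDATED)))
    # 2a10:50c0::ded:ff is the public endpoint from the issue; 2001:db8::1 is a
    # placeholder from documentation address space, replace with the dedicated IP.
    for resolver in ("2a10:50c0::ded:ff", "2001:db8::1"):
        for qtype in (43, 48, 28):  # DS, DNSKEY, AAAA: the records delv fetched before failing
            try:
                s = probe(resolver, "cloudflare.com", qtype)
                print(resolver, TYPE_NAMES[qtype], s["rcode"], s["answers"], "=>", verdict(s))
            except (OSError, ValueError) as exc:
                print(resolver, TYPE_NAMES[qtype], "error:", exc)
```

If the dedicated address returns NOERROR for DNSKEY but without any RRSIG, or SERVFAIL only for the DS query, that pins down which record the profile path is altering; the public endpoint serves as the control, as in the report.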

Chinaski1 commented 2 months ago

Hello there!

We'll need more information to determine the issue:

  1. Provide information about which server you are connected to: https://dns.adguard.com/info.txt
  2. What is used for the DNS-over-TLS forward?
  3. Does the problem recur when using DoH?

asdfjkluiop commented 2 months ago

Sure:

  1. dns2-dp-la-2
  2. I mentioned it in the issue, but it's stubby
  3. Yes, DoH has the issue as well. So do dedicated IPs over UDP/53

asdfjkluiop commented 1 week ago

@Chinaski1 Not sure if you meant to delete your comment but yes, it still happens