DNSCrypt / dnscrypt-resolvers

Lists of public DNSCrypt / DoH DNS servers and DNS relays
https://dnscrypt.info

Not all servers labelled as supporting DNSSEC actually do #872

Closed unbeatable-101 closed 4 months ago

unbeatable-101 commented 8 months ago

I have require_dnssec = true set in my config and am only using dnscrypt servers from the default server list, yet when I use https://dnscheck.tools/ to check DNSSEC support, I'll sometimes get it saying DNSSEC is supported, and sometimes it will say it isn't. Here is an example of when it isn't.

[Screenshot 2024-01-16 at 13 41 34]

unbeatable-101 commented 8 months ago

Sorry, that was a bad example, for some reason iCloud private relay turned itself back on (though that really should support DNSSEC), though it does happen with it actually disabled like here:

[Screenshot 2024-01-16 at 13 49 03]

jedisct1 commented 8 months ago

I can't read images, sorry.

DNSSEC support is reported by dnscrypt-proxy -resolve:

$ dnscrypt-proxy -resolve example.com

./dnscrypt-proxy -resolve example.com
Resolving [example.com] using 127.0.0.1 port 53

Resolver      : 74.125.47.9
...
Name servers  : a.iana-servers.net., b.iana-servers.net.
DNSSEC signed : yes

What resolvers did you find not supporting DNSSEC while they had the DNSSEC bit set in their stamp?

demarcush commented 4 months ago

Does the current workflow test whether the stamp is advertising the resolver as DNSSEC-enabled but we couldn't get the response for example.com with "DNSSEC signed : yes"?

jedisct1 commented 4 months ago

It doesn't. Maybe we can use -list -json to get the DNSSEC information from the stamp, and indeed compare that to the output of -resolve.

jedisct1 commented 4 months ago

Added this to my regular check scripts. And sure enough, it quickly detected quite a few resolvers that advertise DNSSEC but don't support it.

I'm going to add it to prcheck and to the status monitor.

c3d1c06c-bf26-477e-b0eb-c50ef4477ba6 commented 4 months ago

Probably I'm doing it wrong, but both with https://dnscheck.tools/ ("Great! Your DNS responses are authenticated with DNSSEC") and using dnscrypt-proxy -resolve example.com ("DNSSEC signed : yes") I get positive results for e.g. UncensoredDNS.

How to get the correct result?

jedisct1 commented 4 months ago

> Probably I'm doing it wrong, but both with https://dnscheck.tools/ ("Great! Your DNS responses are authenticated with DNSSEC") and using dnscrypt-proxy -resolve example.com ("DNSSEC signed : yes") I get positive results for e.g. UncensoredDNS.

I just set server_names = ['uncensoreddns-dk-ipv4'], and ran dnscrypt-proxy -resolve example.com:

Resolving [example.com] using 127.0.0.1 port 53

Resolver      : 89.233.43.71 (unicast.censurfridns.dk.)
Lying         : no
DNSSEC        : no, the resolver doesn't support DNSSEC
ECS           : ignored or selective

c3d1c06c-bf26-477e-b0eb-c50ef4477ba6 commented 4 months ago

Thanks, so:

  1. Only 1 server is allowed in server_names.
  2. One needs to look at "DNSSEC", not "DNSSEC signed".
  3. https://dnscheck.tools/ checks the response, i.e. gives the same result as "DNSSEC signed".

jedisct1 commented 4 months ago

"DNSSEC signed" is printed in the section about the domain name you are querying, not the server properties.

demarcush commented 4 months ago

@c3d1c06c-bf26-477e-b0eb-c50ef4477ba6

> How to get the correct result?

Manually, I'd use this to verify the resolver's functionality:

$ dnslookup go.dnscheck.tools [stamp]

and

$ dnslookup badsig.go.dnscheck.tools [stamp]

to verify its DNSSEC support; it should return SERVFAIL if DNSSEC is enabled.

demarcush commented 4 months ago

It would be useful to do the test in reverse too: when a resolver doesn't advertise DNSSEC (human error during addition) but does in fact support DNSSEC. @jedisct1
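The stamp-versus-`-resolve` comparison jedisct1 describes earlier in the thread, extended with the reverse check proposed in this comment, as an added example that is not part of the thread or of dnscrypt-proxy's own check scripts. It assumes `-list -json` items carry `name` and `stamp` fields, reads the DNSSEC bit directly from the stamp's props field, and runs on constructed sample data (a constructed stamp and constructed `-resolve` output) so it works offline.

```python
import base64
import re

# Bit flags of the 64-bit "props" field of a DNS stamp (sdns://), per the stamp spec at dnscrypt.info/stamps.
PROP_DNSSEC = 1 << 0
PROP_NO_LOGS = 1 << 1

def stamp_advertises_dnssec(stamp: str) -> bool:
    """Decode an sdns:// stamp's props bitfield and return whether its DNSSEC bit is set."""
    if not stamp.startswith("sdns://"):
        raise ValueError("not a DNS stamp")
    b64 = stamp[len("sdns://"):]
    raw = base64.urlsafe_b64decode(b64 + "=" * (-len(b64) % 4))  # stamps omit base64 padding
    props = int.from_bytes(raw[1:9], "little")  # byte 0 is the protocol id, bytes 1..8 the props
    return bool(props & PROP_DNSSEC)

def resolve_output_supports_dnssec(output: str) -> bool:
    """Read the server-property line 'DNSSEC : yes|no, ...' of `dnscrypt-proxy -resolve` output
    (not the 'DNSSEC signed' line, which describes the queried domain, as the thread points out)."""
    m = re.search(r"^DNSSEC\s*:\s*(yes|no)\b", output, re.MULTILINE)
    if not m:
        raise ValueError("no resolver DNSSEC line in output")
    return m.group(1) == "yes"

def check_resolver(entry: dict, resolve_output: str):
    """Compare the stamp's DNSSEC bit with observed behaviour; return a mismatch message or None.
    Both directions are flagged: advertised but unsupported, and supported but not advertised."""
    advertised = stamp_advertises_dnssec(entry["stamp"])
    observed = resolve_output_supports_dnssec(resolve_output)
    if advertised and not observed:
        return f"{entry['name']}: stamp advertises DNSSEC but the resolver does not validate"
    if observed and not advertised:
        return f"{entry['name']}: resolver validates DNSSEC but the stamp does not advertise it"
    return None

def build_dnscrypt_stamp(props: int, addr: str, pk: bytes, provider: str) -> str:
    """Encode a DNSCrypt stamp (protocol id 0x01) for constructed test data: proto byte,
    8-byte little-endian props, then length-prefixed address, public key and provider name."""
    lp = lambda b: bytes([len(b)]) + b
    raw = b"\x01" + props.to_bytes(8, "little") + lp(addr.encode()) + lp(pk) + lp(provider.encode())
    return "sdns://" + base64.urlsafe_b64encode(raw).decode().rstrip("=")

# Constructed sample shaped like one `dnscrypt-proxy -list -json` item (only name and stamp are used),
# paired with constructed -resolve output modelled on the thread's uncensoreddns example.
SAMPLE_ENTRY = {"name": "example-resolver", "stamp": build_dnscrypt_stamp(
    PROP_DNSSEC | PROP_NO_LOGS, "203.0.113.5:443", bytes(32), "2.dnscrypt-cert.example.invalid")}
SAMPLE_RESOLVE_OUTPUT = "Resolver      : 203.0.113.5 (ns.example.invalid.)\nLying         : no\n" \
                        "DNSSEC        : no, the resolver doesn't support DNSSEC\nECS           : ignored or selective\n"
```

In a real check loop, `entry` comes from each item of `dnscrypt-proxy -list -json` and `resolve_output` from running `-resolve` with `server_names` pinned to that single entry, as jedisct1 did above.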