TechnitiumSoftware / DnsServer

Technitium DNS Server
https://technitium.com/dns/
GNU General Public License v3.0

Howto: Fix a broken caching upstream DNS using Technitium #1004

Closed the-moog closed 1 month ago

the-moog commented 2 months ago

Those familiar with Mikrotik routers will know their built-in DNS has been lacking for a long time. In fact that's my reason for adopting this project.

Is there a way to get Technitium to refuse to reply to AAAA queries, but only for a single host?

I just found a new bug in Mikrotik, and I think Technitium can help work round it.

The issue is when the Mikrotik DNS has to be used as an upstream DNS as the immediate ISP DNS IP address may change at the whim of the ISP. You can turn off the DNS in Mikrotik but you can't turn off the cache. I could port forward it but that is tricky as the address changes. (I've never tried it but I expect the non-supplied address will still work and this is just a form of load balancing by the ISP, but doing that means I am vulnerable to future changes by the ISP).

It seems Mikrotik is caching NXDOMAIN for 'AAAA' queries but then replying with that NXDOMAIN for later 'A' requests for the same domain name. This will be because some device or other (hard to find which one) has the Mikrotik gateway as its DNS rather than one supplied by DHCP. It is making AAAA queries, getting NXDOMAIN but then as Mikrotik is upstream, it is poisoning later 'A' queries for every client.

ShreyasZare commented 2 months ago

Thanks for the post.

Is there a way to get Technitium to refuse to reply to AAAA queries, but only for a single host?

Yes, you can do that by installing Filter AAAA DNS app from the Apps section on the admin panel. This app will force clients to use IPv4 by forcing them to use A record.

The issue is when the Mikrotik DNS has to be used as an upstream DNS as the immediate ISP DNS IP address may change at the whim of the ISP. You can turn off the DNS in Mikrotik but you can't turn off the cache. I could port forward it but that is tricky as the address changes. (I've never tried it but I expect the non-supplied address will still work and this is just a form of load balancing by the ISP, but doing that means I am vulnerable to future changes by the ISP).

You can run Technitium DNS server without configuring Mikrotik as the upstream and let it do recursive resolution. This will bypass this issue unless you want to use your ISP's DNS servers.

It seems Mikrotik is caching NXDOMAIN for 'AAAA' queries but then replying with that NXDOMAIN for later 'A' requests for the same domain name. This will be because some device or other (hard to find which one) has the Mikrotik gateway as its DNS rather than one supplied by DHCP. It is making AAAA queries, getting NXDOMAIN but then as Mikrotik is upstream, it is poisoning later 'A' queries for every client.

This is technically correct since NXDOMAIN means that the domain does not exist, so the cache should return NXDOMAIN for all query types for the same domain name. But if Mikrotik is returning NXDOMAIN instead of a NOERROR response when the AAAA record does not exist, then it's clearly a bug.
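The distinction drawn in the answer above (NXDOMAIN applies to the whole name, while an empty AAAA answer is a NODATA response that applies only to that record type) is what decides whether a negative cache poisons later A lookups. The following is an added example written for this thread, not Technitium's or Mikrotik's code: a small model of a negative cache that follows those RFC 2308 rules, with a `buggy` switch that reproduces the upstream behaviour described in the issue so the two can be compared side by side. The upstream data, names and IP addresses are constructed for the example.

```python
"""Model of DNS negative caching (added example, not code from the project).

Rules modelled:
- NXDOMAIN says the *name* does not exist: cache it per name and answer every
  later query type for that name from the cache (this part is correct).
- NODATA (NOERROR with an empty answer section) says only that *type* is
  absent: cache it per (name, qtype) and never let it affect other types.
The `buggy` flag stores a NODATA answer for AAAA as if it were NXDOMAIN,
which then poisons later A queries for the same name, as reported upstream.
"""
from dataclasses import dataclass, field

# Constructed sample upstream zone data: name -> {qtype: [rdata]}.
UPSTREAM = {
    "example.test.": {"A": ["192.0.2.10"]},                         # IPv4-only host
    "dual.test.":    {"A": ["192.0.2.20"], "AAAA": ["2001:db8::20"]},
}


@dataclass
class NegativeCache:
    buggy: bool = False
    nxdomain: set = field(default_factory=set)   # names known not to exist
    nodata: set = field(default_factory=set)     # (name, qtype) pairs with no records
    upstream_queries: int = 0                    # how often we had to ask upstream

    def resolve_upstream(self, name, qtype):
        """Stand-in for the real upstream; returns (rcode, rdata list)."""
        self.upstream_queries += 1
        if name not in UPSTREAM:
            return ("NXDOMAIN", [])
        return ("NOERROR", UPSTREAM[name].get(qtype, []))

    def query(self, name, qtype):
        # Correct: an NXDOMAIN entry answers any qtype for that name.
        if name in self.nxdomain:
            return ("NXDOMAIN", [])
        # Correct: a NODATA entry only answers the exact (name, qtype).
        if (name, qtype) in self.nodata:
            return ("NOERROR", [])
        rcode, rdata = self.resolve_upstream(name, qtype)
        if rcode == "NXDOMAIN":
            self.nxdomain.add(name)
        elif not rdata:
            if self.buggy:
                # The bug: a type-specific NODATA is stored as a name-wide NXDOMAIN.
                self.nxdomain.add(name)
                return ("NXDOMAIN", [])
            self.nodata.add((name, qtype))
        # Positive answers are deliberately not cached; only negatives matter here.
        return (rcode, rdata)


def simulate(buggy):
    """Run the sequence from the issue: AAAA first, then A for the same name."""
    cache = NegativeCache(buggy=buggy)
    return {
        "aaaa": cache.query("example.test.", "AAAA"),           # IPv4-only host
        "a_after_aaaa": cache.query("example.test.", "A"),      # poisoned if buggy
        "nx_a": cache.query("nope.test.", "A"),                 # name really absent
        "nx_aaaa_cached": cache.query("nope.test.", "AAAA"),    # served from cache
        "upstream_queries": cache.upstream_queries,
    }


if __name__ == "__main__":
    for mode in (False, True):
        print("buggy" if mode else "correct", simulate(mode))
```

In correct mode the AAAA lookup for the IPv4-only host returns NOERROR with no records and the following A lookup still reaches upstream and gets the address, while the genuinely missing name is answered NXDOMAIN for both types with only one upstream round trip. In buggy mode the same sequence returns NXDOMAIN for the A query without ever asking upstream, which is exactly the symptom every client behind that cache would see. The same check can be made against a live resolver by comparing the rcode of an AAAA query and a subsequent A query for a known IPv4-only name.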