TechnitiumSoftware / DnsServer

Technitium DNS Server
https://technitium.com/dns/
GNU General Public License v3.0

DNS_PROBE_FINISHED_BAD_CONFIG #1032

Closed REZAFatf closed 1 month ago

REZAFatf commented 2 months ago

Hi

I just installed the Technitium DNS server on Ubuntu 22.04. I set Google DNS servers as my forwarders, but when I want to open most websites the error "DNS_PROBE_FINISHED_BAD_CONFIG" appears. I had this issue with google.com, bing.com and many others. How can I solve that? Thanks.

{ "Metadata": { "NameServer": "technitium (127.0.0.1)", "Protocol": "Udp", "DatagramSize": "174 bytes", "RoundTripTime": "42.4 ms" }, "EDNS": { "UdpPayloadSize": 1232, "ExtendedRCODE": "ServerFailure", "Version": 0, "Flags": "None", "Options": [ { "Code": "EXTENDED_DNS_ERROR", "Length": "39 bytes", "Data": { "InfoCode": "DnssecIndeterminate", "ExtraText": "8.8.8.8 returned no DS for GOOgle.coM" } }, { "Code": "EXTENDED_DNS_ERROR", "Length": "2 bytes", "Data": { "InfoCode": "CachedError", "ExtraText": null } }, { "Code": "EXTENDED_DNS_ERROR", "Length": "39 bytes", "Data": { "InfoCode": "DnssecIndeterminate", "ExtraText": "8.8.8.8 returned no DS for gOogLe.CoM" } }, { "Code": "EXTENDED_DNS_ERROR", "Length": "39 bytes", "Data": { "InfoCode": "DnssecIndeterminate", "ExtraText": "8.8.8.8 returned no DS for gOoglE.cOM" } } ] }, "DnsClientExtendedErrors": [ { "InfoCode": "NetworkError", "ExtraText": "technitium (127.0.0.1) returned RCODE=ServerFailure for google.com. A IN" } ], "Identifier": 58278, "IsResponse": true, "OPCODE": "StandardQuery", "AuthoritativeAnswer": false, "Truncation": false, "RecursionDesired": true, "RecursionAvailable": true, "Z": 0, "AuthenticData": false, "CheckingDisabled": false, "RCODE": "ServerFailure", "QDCOUNT": 1, "ANCOUNT": 0, "NSCOUNT": 0, "ARCOUNT": 1, "Question": [ { "Name": "google.com", "Type": "A", "Class": "IN" } ], "Answer": [], "Authority": [], "Additional": [ { "Name": "", "Type": "OPT", "Class": "1232", "TTL": "0 (0 sec)", "RDLENGTH": "135 bytes", "RDATA": { "Options": [ { "Code": "EXTENDED_DNS_ERROR", "Length": "39 bytes", "Data": { "InfoCode": "DnssecIndeterminate", "ExtraText": "8.8.8.8 returned no DS for GOOgle.coM" } }, { "Code": "EXTENDED_DNS_ERROR", "Length": "2 bytes", "Data": { "InfoCode": "CachedError", "ExtraText": null } }, { "Code": "EXTENDED_DNS_ERROR", "Length": "39 bytes", "Data": { "InfoCode": "DnssecIndeterminate", "ExtraText": "8.8.8.8 returned no DS for gOogLe.CoM" } }, { "Code": "EXTENDED_DNS_ERROR", "Length": "39 bytes", "Data": { "InfoCode": "DnssecIndeterminate", "ExtraText": "8.8.8.8 returned no DS for gOoglE.cOM" } } ] }, "DnssecStatus": "Disabled" } ] }

ShreyasZare commented 2 months ago

Thanks for the details. It seems that your upstream is not responding correctly to DNSSEC requests. Since you are using public DNS providers that support DNSSEC, it looks like your requests are being hijacked and responded to by a different DNS server.

I would suggest that you configure your forwarders to use encrypted DNS protocols and see if that makes any difference.

REZAFatf commented 2 months ago

I tried all DNS servers with encryption but no success. I disabled DNSSEC in settings and it opened all websites. Is that OK?

ShreyasZare commented 2 months ago

I tried all DNS servers with encryption but no success. I disabled DNSSEC in settings and it opened all websites. Is that OK?

Disabling DNSSEC is like disabling a fire alarm and thinking all is well now. It's not recommended to disable DNSSEC, especially when you get a DNSSEC validation error, which means that DNSSEC is working as expected to protect you.

It seems more like you have some misconfiguration causing this issue. You need to share screenshots of the Zones section, Apps section, and Settings > Proxy & Forwarders section. You can send these to support@technitium.com and you will get help on how to get it working.

REZAFatf commented 1 month ago

I sent the screenshots via Email.

ShreyasZare commented 1 month ago

Thanks for the screenshots. The forwarder config is not using encrypted DNS forwarders. Change them to use DNS-over-HTTPS, flush the cache, and then test it again using the DNS Client tab on the panel. Share the response you get in there.

REZAFatf commented 1 month ago

Here is the output of this server and a recursive query:

{ "Metadata": { "NameServer": "ns1.....org (192.168.0.46)", "Protocol": "Udp", "DatagramSize": "157 bytes", "RoundTripTime": "114.96 ms" }, "EDNS": { "UdpPayloadSize": 1232, "ExtendedRCODE": "ServerFailure", "Version": 0, "Flags": "None", "Options": [ { "Code": "EXTENDED_DNS_ERROR", "Length": "108 bytes", "Data": { "InfoCode": "Other", "ExtraText": "Resolver exception for google.com. A IN: The SSL connection could not be established, see inner exception." } }, { "Code": "EXTENDED_DNS_ERROR", "Length": "2 bytes", "Data": { "InfoCode": "CachedError", "ExtraText": null } } ] }, "DnsClientExtendedErrors": [ { "InfoCode": "NetworkError", "ExtraText": "ns1.....org (192.168.0.46) returned RCODE=ServerFailure for google.com. A IN" } ], "Identifier": 59930, "IsResponse": true, "OPCODE": "StandardQuery", "AuthoritativeAnswer": false, "Truncation": false, "RecursionDesired": true, "RecursionAvailable": true, "Z": 0, "AuthenticData": false, "CheckingDisabled": false, "RCODE": "ServerFailure", "QDCOUNT": 1, "ANCOUNT": 0, "NSCOUNT": 0, "ARCOUNT": 1, "Question": [ { "Name": "google.com", "Type": "A", "Class": "IN" } ], "Answer": [], "Authority": [], "Additional": [ { "Name": "", "Type": "OPT", "Class": "1232", "TTL": "0 (0 sec)", "RDLENGTH": "118 bytes", "RDATA": { "Options": [ { "Code": "EXTENDED_DNS_ERROR", "Length": "108 bytes", "Data": { "InfoCode": "Other", "ExtraText": "Resolver exception for google.com. A IN: The SSL connection could not be established, see inner exception." } }, { "Code": "EXTENDED_DNS_ERROR", "Length": "2 bytes", "Data": { "InfoCode": "CachedError", "ExtraText": null } } ] }, "DnssecStatus": "Disabled" } ] }


{ "Metadata": { "NameServer": "f.gtld-servers.net (192.35.51.30)", "Protocol": "Udp", "DatagramSize": "44 bytes", "RoundTripTime": "33.21 ms" }, "Identifier": 0, "IsResponse": true, "OPCODE": "StandardQuery", "AuthoritativeAnswer": false, "Truncation": false, "RecursionDesired": false, "RecursionAvailable": true, "Z": 0, "AuthenticData": false, "CheckingDisabled": false, "RCODE": "NoError", "QDCOUNT": 1, "ANCOUNT": 1, "NSCOUNT": 0, "ARCOUNT": 0, "Question": [ { "Name": "google.com", "Type": "A", "Class": "IN" } ], "Answer": [ { "Name": "google.com", "Type": "A", "Class": "IN", "TTL": "418 (6 mins 58 sec)", "RDLENGTH": "4 bytes", "RDATA": { "IPAddress": "216.239.38.120" }, "DnssecStatus": "Disabled" } ], "Authority": [], "Additional": [] }

ShreyasZare commented 1 month ago

Thanks for the details. The output has this extended DNS error:

Resolver exception for google.com. A IN: The SSL connection could not be established, see inner exception.

Which means that for some reason, the DNS-over-HTTPS request failed. You need to check the DNS Logs from the admin panel to get the full error message which will explain what went wrong. Post that error log here to help understand the issue.

ShreyasZare commented 1 month ago

Your second DNS Client response indicates that your ISP is 100% hijacking DNS requests. See that the .COM TLD server f.gtld-servers.net (192.35.51.30) is giving you an answer for google.com instead of giving NS delegation records.

It may also be possible that your ISP is blocking DoT and DoH protocols for popularly known public DNS providers, which is why you see SSL connection errors with DoH forwarders.
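The tell described in the two replies above (an upstream that does not answer DNSSEC queries correctly, and a .com TLD server that hands back an A record instead of a delegation) can be checked mechanically. The script below is an added example, not Technitium code: it builds the RD=0 query a recursive resolver sends to an authoritative server, then inspects a reply for the signs visible in the f.gtld-servers.net output posted above (RA set, a populated answer section, no NS records in the authority section). The two replies it examines are constructed inside the script to mirror a genuine referral and the hijacked answer, so it runs offline; the transaction ID and the ns1/ns2.google.com names in the referral fixture are assumptions for the demo.

```python
"""Offline check for the DNS-hijack tell discussed above (added example, not Technitium code).

A resolver asks a .com TLD server for google.com with RD=0 and expects a
referral: empty answer section, NS records in the authority section, RA=0.
A middlebox intercepting port 53 tends to return a finished A answer with
RA=1 instead, which is what the f.gtld-servers.net reply in this thread shows.
"""
import struct

QTYPE_A, QTYPE_NS = 1, 2


def encode_name(name):
    """Wire-format a domain name as length-prefixed labels plus the root label."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name, qtype=QTYPE_A, txid=0x1234, rd=False):
    """DNS query; RD=0 is what a resolver sends to an authoritative server."""
    flags = 0x0100 if rd else 0x0000
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def _rr(name, rtype, rdata, ttl=300):
    """Uncompressed resource record, used only to build the constructed fixtures."""
    return encode_name(name) + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata


def build_response(query, flags, answers=(), authority=()):
    """Fixture builder: echo the query's ID and question, set QR plus the given flags."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8000 | flags, 1, len(answers), len(authority), 0)
    return header + query[12:] + b"".join(answers) + b"".join(authority)


def skip_name(msg, off):
    """Offset just past the name at msg[off:]; a 2-byte compression pointer ends a name."""
    while True:
        ln = msg[off]
        if ln == 0:
            return off + 1
        if ln & 0xC0 == 0xC0:
            return off + 2
        off += 1 + ln


def parse_header(msg):
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "aa": bool(flags & 0x0400), "ra": bool(flags & 0x0080),
            "rcode": flags & 0xF, "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}


def authority_types(msg):
    """RR types present in the authority section (question and answers are skipped over)."""
    h = parse_header(msg)
    off = 12
    for _ in range(h["qdcount"]):
        off = skip_name(msg, off) + 4          # QTYPE + QCLASS
    types = []
    for i in range(h["ancount"] + h["nscount"]):
        off = skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if i >= h["ancount"]:
            types.append(rtype)
    return types


def classify_tld_response(query, resp):
    """("referral", []) for a clean delegation, otherwise ("suspicious", reasons)."""
    h = parse_header(resp)
    reasons = []
    if h["id"] != struct.unpack("!H", query[:2])[0]:
        reasons.append("transaction ID does not match the query")
    if h["ra"]:
        reasons.append("RA=1: an authoritative-only TLD server does not offer recursion")
    if h["ancount"] > 0:
        reasons.append("answer section populated: a TLD server should only delegate")
    if h["nscount"] == 0 or QTYPE_NS not in authority_types(resp):
        reasons.append("no NS delegation in the authority section")
    return ("referral" if not reasons else "suspicious"), reasons


QUERY = build_query("google.com", QTYPE_A, txid=0x4242)

# Constructed: what a genuine .com server returns (delegation only, RA=0, nothing in answer).
GENUINE_REFERRAL = build_response(QUERY, flags=0x0000, authority=[
    _rr("google.com", QTYPE_NS, encode_name("ns1.google.com")),
    _rr("google.com", QTYPE_NS, encode_name("ns2.google.com")),
])

# Constructed to mirror the thread's f.gtld-servers.net reply: A record in the answer, RA=1.
HIJACKED_ANSWER = build_response(QUERY, flags=0x0080, answers=[
    _rr("google.com", QTYPE_A, bytes([216, 239, 38, 120]), ttl=418),
])

if __name__ == "__main__":
    for label, resp in (("genuine", GENUINE_REFERRAL), ("hijacked", HIJACKED_ANSWER)):
        verdict, why = classify_tld_response(QUERY, resp)
        print(label, verdict, *why, sep="\n  ")
```

To run the same check against a real path, send QUERY over UDP to port 53 of a .com server (the thread used 192.35.51.30) with the standard socket module and pass the raw reply to classify_tld_response; a clean path yields "referral", an intercepted one yields the RA and answer-section reasons seen in the hijacked fixture.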

REZAFatf commented 1 month ago

I have attached the log as a txt file.

[Attachment: DNS.txt]

ShreyasZare commented 1 month ago

Thanks for the logs.

[2024-09-18 07:47:27 UTC] DNS Server failed to resolve the request 'www.google.com. A IN' using forwarders: https://dns.google/dns-query (8.8.8.8), https://dns.google/dns-query (8.8.4.4).
System.Net.Http.HttpRequestException: The SSL connection could not be established, see inner exception.
 ---> System.IO.IOException: Unable to read data from the transport connection: Connection reset by peer.
 ---> System.Net.Sockets.SocketException (104): Connection reset by peer

Your ISP is blocking these requests. So you cannot use these popular encrypted DNS providers.

You now have the following options:

REZAFatf commented 1 month ago

Thanks. Is there any tutorial on how to set up Tor as a SOCKS5 proxy? Because maybe I want to use a proxy for some domains.

ShreyasZare commented 1 month ago

Thanks. Is there any tutorial on how to set up Tor as a SOCKS5 proxy? Because maybe I want to use a proxy for some domains.

You can check this blog post where it explains how to configure Cloudflare's hidden Tor DNS service. You can also use any other public DNS service when you have the Tor proxy configured; just note that UDP will not work over Tor, so you will need to use TCP or encrypted DNS protocols (excluding QUIC, which also uses UDP).

Before you configure Tor proxy, you will need to manually install Tor on the server that runs the DNS server.
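What "UDP will not work over Tor" means on the wire, as an added example that is not Technitium code: a client forwarding through Tor's SOCKS5 port has to open a TCP stream to the upstream with a SOCKS5 CONNECT and then carry DNS in the two-byte length-prefixed framing of DNS over TCP (RFC 7766). DoT and DoH also ride on TCP and fit through the same tunnel; DNS over QUIC does not. The script encodes the client side of the SOCKS5 handshake, parses the proxy's replies, and frames and unframes DNS messages on the stream. The proxy address 127.0.0.1:9050 is Tor's default SOCKS port and is only assumed in the docstring; the destination name dot.forwarder.example, the proxy's reply bytes and the two DNS queries are constructed for the demo.

```python
"""Client side of SOCKS5 CONNECT plus DNS-over-TCP framing (added example, not Technitium code).

Tor's SOCKS port (default 127.0.0.1:9050, assumed here) only carries TCP
streams, so a resolver behind it must speak DNS over TCP, DoT or DoH to its
forwarder; plain UDP/53 and DNS over QUIC never leave the box.
"""
import struct

SOCKS_VERSION = 5
NO_AUTH = 0
CMD_CONNECT = 1
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 1, 3, 4
REPLY_TEXT = {0: "succeeded", 1: "general SOCKS server failure", 2: "not allowed by ruleset",
              3: "network unreachable", 4: "host unreachable", 5: "connection refused",
              6: "TTL expired", 7: "command not supported", 8: "address type not supported"}


def socks5_greeting():
    """VER, NMETHODS, METHODS: offer only 'no authentication'."""
    return bytes([SOCKS_VERSION, 1, NO_AUTH])


def parse_method_selection(data):
    """Proxy's 2-byte answer to the greeting; 0xFF means none of the offered methods."""
    if len(data) != 2 or data[0] != SOCKS_VERSION:
        raise ValueError("not a SOCKS5 method selection")
    if data[1] == 0xFF:
        raise ValueError("proxy rejected all offered auth methods")
    return data[1]


def socks5_connect(host, port):
    """CONNECT with ATYP=DOMAINNAME so the proxy (Tor) resolves the name, not the client."""
    name = host.encode("ascii")
    if len(name) > 255:
        raise ValueError("hostname too long for SOCKS5")
    return bytes([SOCKS_VERSION, CMD_CONNECT, 0, ATYP_DOMAIN, len(name)]) + name + struct.pack("!H", port)


def parse_connect_reply(data):
    """Return (rep_code, reason, bound_addr, bound_port) from the proxy's CONNECT reply."""
    if len(data) < 4 or data[0] != SOCKS_VERSION:
        raise ValueError("not a SOCKS5 reply")
    rep, atyp = data[1], data[3]
    if atyp == ATYP_IPV4:
        addr, off = ".".join(str(b) for b in data[4:8]), 8
    elif atyp == ATYP_DOMAIN:
        n = data[4]
        addr, off = data[5:5 + n].decode("ascii"), 5 + n
    elif atyp == ATYP_IPV6:
        addr, off = data[4:20].hex(), 20
    else:
        raise ValueError("unknown address type %d" % atyp)
    port = struct.unpack("!H", data[off:off + 2])[0]
    return rep, REPLY_TEXT.get(rep, "code %d" % rep), addr, port


def tcp_frame(dns_message):
    """RFC 7766: each DNS message on a TCP stream is preceded by its 2-byte big-endian length."""
    return struct.pack("!H", len(dns_message)) + dns_message


def tcp_unframe(stream):
    """Split received bytes into whole DNS messages; returns (messages, leftover)."""
    messages, off = [], 0
    while off + 2 <= len(stream):
        n = struct.unpack("!H", stream[off:off + 2])[0]
        if off + 2 + n > len(stream):
            break                      # partial message: keep it for the next read
        messages.append(stream[off + 2:off + 2 + n])
        off += 2 + n
    return messages, stream[off:]


# Constructed proxy-side bytes for the exchange (a zero bound address is assumed for the demo).
PROXY_METHOD_OK = bytes([5, 0])
PROXY_CONNECT_OK = bytes([5, 0, 0, ATYP_IPV4, 0, 0, 0, 0, 0, 0])
PROXY_CONNECT_REFUSED = bytes([5, 5, 0, ATYP_IPV4, 0, 0, 0, 0, 0, 0])

# Two constructed DNS queries (header + question for example.com A and AAAA) to show framing.
QUERY_A = bytes.fromhex("1234 0100 0001 0000 0000 0000") + b"\x07example\x03com\x00" + b"\x00\x01\x00\x01"
QUERY_B = bytes.fromhex("1235 0100 0001 0000 0000 0000") + b"\x07example\x03com\x00" + b"\x00\x1c\x00\x01"

if __name__ == "__main__":
    print("greeting", socks5_greeting().hex(), "->", parse_method_selection(PROXY_METHOD_OK))
    print("connect ", socks5_connect("dot.forwarder.example", 853).hex())
    print("reply   ", parse_connect_reply(PROXY_CONNECT_OK))
    print("refused ", parse_connect_reply(PROXY_CONNECT_REFUSED)[1])
    msgs, rest = tcp_unframe(tcp_frame(QUERY_A) + tcp_frame(QUERY_B)[:5])
    print(len(msgs), "complete message(s),", len(rest), "byte(s) held back for the next read")
```

Two details matter in practice: the CONNECT uses the domain-name address type so the name (including a .onion) is resolved by Tor rather than leaking as a local lookup, and tcp_unframe keeps any partial tail, since a TCP read can return half a DNS message.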

REZAFatf commented 1 month ago

I am confused. Should I install a Tor proxy or use Cloudflare's hidden Tor?

ShreyasZare commented 1 month ago

I am confused. Should I install a Tor proxy or use Cloudflare's hidden Tor?

You need to install Tor and configure it as a proxy in the DNS server settings to be able to access Cloudflare's hidden Tor service.

REZAFatf commented 1 month ago

Thanks. Can I bypass censorship with this method?

ShreyasZare commented 1 month ago

Thanks. Can I bypass censorship with this method?

Mostly no, since your ISP may be blocking websites with other methods too, not just with DNS. It's better to use Tor Browser in such cases.

REZAFatf commented 1 month ago

Can I install Tor with proxychains on the same server as Technitium and bypass censorship on my local network?

ShreyasZare commented 1 month ago

Can I install Tor with proxychains on the same server as Technitium and bypass censorship on my local network?

If you do not have an understanding of networking concepts then avoid doing such things. It's better to just use a VPN or Tor Browser.

REZAFatf commented 1 month ago

Hi

I enabled DNSSEC validation and used the Cisco Umbrella DNS server as you can see in the attached screenshot. I tested DNSSEC with the DNS Client and I got this log. Is DNSSEC working or not?

[Screenshot attached: Screenshot 2024-09-22 101258]


{ "Metadata": { "NameServer": "ns1.tukait.org (192.168.0.46)", "Protocol": "Udp", "DatagramSize": "55 bytes", "RoundTripTime": "0.57 ms" }, "EDNS": { "UdpPayloadSize": 1232, "ExtendedRCODE": "NoError", "Version": 0, "Flags": "None", "Options": [] }, "Identifier": 0, "IsResponse": true, "OPCODE": "StandardQuery", "AuthoritativeAnswer": false, "Truncation": false, "RecursionDesired": true, "RecursionAvailable": true, "Z": 0, "AuthenticData": false, "CheckingDisabled": false, "RCODE": "NoError", "QDCOUNT": 1, "ANCOUNT": 1, "NSCOUNT": 0, "ARCOUNT": 1, "Question": [ { "Name": "google.com", "Type": "A", "Class": "IN" } ], "Answer": [ { "Name": "google.com", "Type": "A", "Class": "IN", "TTL": "213 (3 mins 33 sec)", "RDLENGTH": "4 bytes", "RDATA": { "IPAddress": "192.178.24.206" }, "DnssecStatus": "Disabled" } ], "Authority": [], "Additional": [ { "Name": "", "Type": "OPT", "Class": "1232", "TTL": "0 (0 sec)", "RDLENGTH": "0 bytes", "RDATA": { "Options": [] }, "DnssecStatus": "Disabled" } ] }

ShreyasZare commented 1 month ago

I enabled DNSSEC validation and used the Cisco Umbrella DNS server as you can see in the attached screenshot. I tested DNSSEC with the DNS Client and I got this log. Is DNSSEC working or not?

If you have DNSSEC enabled in the Technitium DNS server and you get a response then it's always validated. DNSSEC will only cause bogus responses to fail to validate and resolve.

Note that Umbrella may also block domain names and if those are DNSSEC signed then you will get DNSSEC validation errors.

REZAFatf commented 1 month ago

So what is DnssecStatus: Disabled?

ShreyasZare commented 1 month ago

So what is DnssecStatus: Disabled?

It just says that you did not select the "Enable DNSSEC Validation" option in DNS Client. DNS Client is an independent tool even though it's available on the same admin panel, and can do its own DNSSEC validation if you enable that option.

REZAFatf commented 1 month ago

I get this when I enable DNSSEC validation.

{ "Metadata": { "NameServer": "ns1.tukait.org (192.168.0.46)", "Protocol": "Udp", "DatagramSize": "468 bytes", "RoundTripTime": "246.68 ms" }, "EDNS": { "UdpPayloadSize": 1232, "ExtendedRCODE": "NoError", "Version": 0, "Flags": "DNSSEC_OK", "Options": [ { "Code": "PADDING", "Length": "410 bytes", "Data": { "Data": "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=" } } ] }, "Identifier": 0, "IsResponse": true, "OPCODE": "StandardQuery", "AuthoritativeAnswer": false, "Truncation": false, "RecursionDesired": true, "RecursionAvailable": true, "Z": 0, "AuthenticData": false, "CheckingDisabled": true, "RCODE": "NoError", "QDCOUNT": 1, "ANCOUNT": 1, "NSCOUNT": 0, "ARCOUNT": 1, "Question": [ { "Name": "apple.com", "Type": "A", "Class": "IN" } ], "Answer": [ { "Name": "apple.com", "Type": "A", "Class": "IN", "TTL": "38 (38 sec)", "RDLENGTH": "4 bytes", "RDATA": { "IPAddress": "17.253.144.10" }, "DnssecStatus": "Insecure" } ], "Authority": [], "Additional": [ { "Name": "", "Type": "OPT", "Class": "1232", "TTL": "32768 (9 hours 6 mins 8 sec)", "RDLENGTH": "414 bytes", "RDATA": { "Options": [ { "Code": "PADDING", "Length": "410 bytes", "Data": { "Data": 
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=" } } ] }, "DnssecStatus": "Indeterminate" } ] }

ShreyasZare commented 1 month ago

That's the correct response. The Insecure status means that the domain name is not signed with DNSSEC. Try testing with example.com and see.

REZAFatf commented 1 month ago

{ "Metadata": { "NameServer": "ns1.tukait.org (192.168.0.46)", "Protocol": "Udp", "DatagramSize": "66 bytes", "RoundTripTime": "1998.36 ms" }, "EDNS": { "UdpPayloadSize": 1232, "ExtendedRCODE": "ServerFailure", "Version": 0, "Flags": "DNSSEC_OK", "Options": [ { "Code": "EXTENDED_DNS_ERROR", "Length": "22 bytes", "Data": { "InfoCode": "Other", "ExtraText": "Waiting for resolver" } } ] }, "DnsClientExtendedErrors": [ { "InfoCode": "NetworkError", "ExtraText": "ns1.tukait.org (192.168.0.46) returned RCODE=ServerFailure for example.com. A IN" } ], "Identifier": 7954, "IsResponse": true, "OPCODE": "StandardQuery", "AuthoritativeAnswer": false, "Truncation": false, "RecursionDesired": true, "RecursionAvailable": true, "Z": 0, "AuthenticData": false, "CheckingDisabled": true, "RCODE": "ServerFailure", "QDCOUNT": 1, "ANCOUNT": 0, "NSCOUNT": 0, "ARCOUNT": 1, "Question": [ { "Name": "example.com", "Type": "A", "Class": "IN" } ], "Answer": [], "Authority": [], "Additional": [ { "Name": "", "Type": "OPT", "Class": "1232", "TTL": "32768 (9 hours 6 mins 8 sec)", "RDLENGTH": "26 bytes", "RDATA": { "Options": [ { "Code": "EXTENDED_DNS_ERROR", "Length": "22 bytes", "Data": { "InfoCode": "Other", "ExtraText": "Waiting for resolver" } } ] }, "DnssecStatus": "Indeterminate" } ] }

ShreyasZare commented 1 month ago

The response says Waiting for resolver, so you need to try again. It looks like your DoH upstream is quite slow to respond.

REZAFatf commented 1 month ago

{ "Metadata": { "NameServer": "ns1.tukait.org (192.168.0.46)", "Protocol": "Udp", "DatagramSize": "468 bytes", "RoundTripTime": "195.62 ms" }, "EDNS": { "UdpPayloadSize": 1232, "ExtendedRCODE": "NoError", "Version": 0, "Flags": "DNSSEC_OK", "Options": [ { "Code": "PADDING", "Length": "301 bytes", "Data": { "Data": "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==" } } ] }, "Identifier": 0, "IsResponse": true, "OPCODE": "StandardQuery", "AuthoritativeAnswer": false, "Truncation": false, "RecursionDesired": true, "RecursionAvailable": true, "Z": 0, "AuthenticData": true, "CheckingDisabled": true, "RCODE": "NoError", "QDCOUNT": 1, "ANCOUNT": 2, "NSCOUNT": 0, "ARCOUNT": 1, "Question": [ { "Name": "example.com", "Type": "A", "Class": "IN" } ], "Answer": [ { "Name": "example.com", "Type": "A", "Class": "IN", "TTL": "756 (12 mins 36 sec)", "RDLENGTH": "4 bytes", "RDATA": { "IPAddress": "93.184.215.14" }, "DnssecStatus": "Secure" }, { "Name": "example.com", "Type": "RRSIG", "Class": "IN", "TTL": "756 (12 mins 36 sec)", "RDLENGTH": "95 bytes", "RDATA": { "TypeCovered": "A", "Algorithm": "ECDSAP256SHA256", "Labels": 2, "OriginalTtl": 3600, "SignatureExpiration": "2024-10-04T19:34:03Z", "SignatureInception": "2024-09-13T09:42:53Z", "KeyTag": 19367, "SignersName": "example.com", "Signature": "i58J0XADDeC8XJTOr6N1hj/YXyp/QS8xAIKi7LnRACTJSg5BdD3kArlcuhpGjjIedmnQ+Ax/tzPGJgWzkVpmlQ==" }, "DnssecStatus": "Secure" } ], "Authority": [], "Additional": [ { "Name": "", "Type": "OPT", "Class": "1232", "TTL": "32768 (9 hours 6 mins 8 sec)", "RDLENGTH": "305 bytes", "RDATA": { "Options": [ { "Code": "PADDING", "Length": "301 bytes", "Data": 
{ "Data": "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==" } } ] }, "DnssecStatus": "Indeterminate" } ] }

ShreyasZare commented 1 month ago

Status is Secure now since the domain is signed and was validated successfully.
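The outcomes that came up in this thread (SERVFAIL carrying DNSSEC extended errors, SERVFAIL saying "Waiting for resolver", and NoError answers whose DnssecStatus is Disabled, Insecure or Secure) can be told apart mechanically from the DNS Client JSON. The helper below is an added example, not part of Technitium; the five fixtures are trimmed copies of the responses posted above, reduced to the fields the function reads, and the verdict labels are the example's own names, not Technitium's.

```python
"""Triage of Technitium DNS Client JSON output (added example, not Technitium code).

Reads RCODE, the Extended DNS Error (EDE) options in the EDNS block, the AD
flag and the per-record DnssecStatus, and returns one verdict so that
"validation failed" is not confused with "zone is unsigned" or with "the DNS
Client tool was not validating at all".
"""


def ede_options(resp):
    """(InfoCode, ExtraText) pairs from the EDNS block, duplicates removed, order kept."""
    seen = []
    for opt in resp.get("EDNS", {}).get("Options", []):
        if opt.get("Code") != "EXTENDED_DNS_ERROR":
            continue
        data = opt.get("Data", {})
        pair = (data.get("InfoCode"), data.get("ExtraText"))
        if pair not in seen:
            seen.append(pair)
    return seen


def dnssec_verdict(resp):
    """Return (verdict, detail) for one DNS Client response dict."""
    rcode = resp.get("RCODE")
    edes = ede_options(resp)
    if rcode == "ServerFailure":
        if ("Other", "Waiting for resolver") in edes:
            return "retry", "resolver has not finished the upstream query; run the test again"
        dnssec = [text for code, text in edes if code and code.startswith("Dnssec")]
        if dnssec:
            return "validation_failed", "; ".join(t for t in dnssec if t)
        other = [text for code, text in edes if text]
        return "servfail", "; ".join(other) or "no extended error reported"
    if rcode != "NoError":
        return "error", str(rcode)
    statuses = {rr.get("DnssecStatus") for rr in resp.get("Answer", [])}
    if not statuses:
        return "empty", "NoError with no answer records"
    if statuses == {"Disabled"}:
        return "not_validated_here", ("DNS Client's 'Enable DNSSEC Validation' was off; "
                                      "the server's own validation, if enabled, still applied")
    if "Bogus" in statuses:
        return "bogus", "a record failed signature validation"
    if "Insecure" in statuses:
        return "insecure", "zone is not DNSSEC-signed, so there is nothing to validate"
    if statuses == {"Secure"}:
        ad = "AD set" if resp.get("AuthenticData") else "AD not set"
        return "secure", "signed zone, chain validated (%s)" % ad
    return "mixed", ", ".join(sorted(s for s in statuses if s))


# Fixtures trimmed from the responses posted in this thread.
SERVFAIL_NO_DS = {                     # first post: 8.8.8.8 forwarder over plain UDP
    "RCODE": "ServerFailure", "AuthenticData": False,
    "EDNS": {"Options": [
        {"Code": "EXTENDED_DNS_ERROR", "Data": {"InfoCode": "DnssecIndeterminate",
                                                "ExtraText": "8.8.8.8 returned no DS for GOOgle.coM"}},
        {"Code": "EXTENDED_DNS_ERROR", "Data": {"InfoCode": "CachedError", "ExtraText": None}},
        {"Code": "EXTENDED_DNS_ERROR", "Data": {"InfoCode": "DnssecIndeterminate",
                                                "ExtraText": "8.8.8.8 returned no DS for gOogLe.CoM"}},
    ]},
    "Answer": [],
}
WAITING = {                            # example.com, first attempt
    "RCODE": "ServerFailure", "AuthenticData": False,
    "EDNS": {"Options": [{"Code": "EXTENDED_DNS_ERROR",
                          "Data": {"InfoCode": "Other", "ExtraText": "Waiting for resolver"}}]},
    "Answer": [],
}
CLIENT_VALIDATION_OFF = {              # google.com with the DNS Client option unchecked
    "RCODE": "NoError", "AuthenticData": False, "EDNS": {"Options": []},
    "Answer": [{"Name": "google.com", "Type": "A", "DnssecStatus": "Disabled"}],
}
INSECURE = {                           # apple.com: unsigned zone
    "RCODE": "NoError", "AuthenticData": False, "EDNS": {"Options": []},
    "Answer": [{"Name": "apple.com", "Type": "A", "DnssecStatus": "Insecure"}],
}
SECURE = {                             # example.com: A plus RRSIG, AD=1
    "RCODE": "NoError", "AuthenticData": True, "EDNS": {"Options": []},
    "Answer": [{"Name": "example.com", "Type": "A", "DnssecStatus": "Secure"},
               {"Name": "example.com", "Type": "RRSIG", "DnssecStatus": "Secure"}],
}

if __name__ == "__main__":
    for name, resp in [("servfail_no_ds", SERVFAIL_NO_DS), ("waiting", WAITING),
                       ("client_validation_off", CLIENT_VALIDATION_OFF),
                       ("insecure", INSECURE), ("secure", SECURE)]:
        print("%-22s %-20s %s" % ((name,) + dnssec_verdict(resp)))
```

The SERVFAIL branch is the one to watch in this thread: a DNSSEC-prefixed EDE code on a SERVFAIL points at the upstream path (here, a forwarder that never produced the DS record), whereas Insecure on a NoError answer is simply an unsigned zone and is not a fault.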

REZAFatf commented 1 month ago

How can I install two Technitium servers to either do failover or load balance?

ShreyasZare commented 1 month ago

How can I install two Technitium servers to either do failover or load balance?

If you are referring to a local DNS server then just install it on two different computers and assign both IP addresses to the client.

Note that it's up to the client which server to query. Usually, the primary DNS server is queried first and, if no response is received in time, the secondary DNS server is queried. But there is no guarantee about this sequence.