TechnitiumSoftware / DnsServer

Technitium DNS Server
https://technitium.com/dns/
GNU General Public License v3.0

Https returns ServerFailure #569

Closed prooshani closed 1 year ago

prooshani commented 1 year ago

Hi @ShreyasZare,

Hope you are doing well.

I have several DNS servers which are running Technitium DNS Server (2 on version 10, one on version 11.0.1). All of them use forwarders pointing at paid commercial services over DoT, DoH and DoQ, not public services like Quad9 or Cloudflare.

I have a problem with the HTTPS type, which returns ServerFailure on DoT like this:

[Screenshot 2023-02-26: query results for the HTTPS type over TLS and over TCP]

As you can see, TLS requests for the HTTPS type return ServerFailure while TCP requests seem OK.

For reference, here is the error log for the ServerFailure responses in the screenshot:

[2023-02-26 09:36:54 Local] DNS Server failed to resolve the request with QNAME: clientstream.launchdarkly.com; QTYPE: HTTPS; QCLASS: IN; Forwarders: https://dns.controld.com/xxxxxxx (xx.xx.xx.xx); DnsServerCore.Dns.DnsServerException: DNS Server received a response with RCODE=NotImplemented from: https://dns.controld.com/xxxxxxxxx (xx.xx.xx.xx)
   at DnsServerCore.Dns.DnsServer.RecursiveResolveAsync(DnsQuestionRecord question, NetworkAddress eDnsClientSubnet, IReadOnlyList`1 conditionalForwarders, Boolean dnssecValidation, Boolean cachePrefetchOperation, Boolean cacheRefreshOperation, Boolean skipDnsAppAuthoritativeRequestHandlers, TaskCompletionSource`1 taskCompletionSource) in Z:\Technitium\Projects\DnsServer\DnsServerCore\Dns\DnsServer.cs:line 2881
[2023-02-26 09:36:54 Local] [80.210.xx.xx:57273] [TLS] QNAME: clientstream.launchdarkly.com; QTYPE: HTTPS; QCLASS: IN; RCODE: ServerFailure; ANSWER: []
[2023-02-26 09:36:58 Local] DNS Server failed to resolve the request with QNAME: clientservices.googleapis.com; QTYPE: HTTPS; QCLASS: IN; Forwarders: https://dns.controld.com/xxxxxx (xx.xx.xx.xx); DnsServerCore.Dns.DnsServerException: DNS Server received a response with RCODE=NotImplemented from: https://dns.controld.com/xxxxx (xx.xx.xx.xx)
   at DnsServerCore.Dns.DnsServer.RecursiveResolveAsync(DnsQuestionRecord question, NetworkAddress eDnsClientSubnet, IReadOnlyList`1 conditionalForwarders, Boolean dnssecValidation, Boolean cachePrefetchOperation, Boolean cacheRefreshOperation, Boolean skipDnsAppAuthoritativeRequestHandlers, TaskCompletionSource`1 taskCompletionSource) in Z:\Technitium\Projects\DnsServer\DnsServerCore\Dns\DnsServer.cs:line 2881
[2023-02-26 09:36:58 Local] [80.210.63.218:57273] [TLS] QNAME: clientservices.googleapis.com; QTYPE: HTTPS; QCLASS: IN; RCODE: ServerFailure; ANSWER: []

Any idea what's going on? What is missing or misconfigured on the DNS server, the forwarder, or elsewhere?

I have 3 DNS servers on 3 different VPS with exact same situation.

Thanks in advance.

ShreyasZare commented 1 year ago

Thanks for the details.

DNS Server received a response with RCODE=NotImplemented from: https://dns.controld.com/xxxxxxxxx (xx.xx.xx.xx)

From the logs it looks like the upstream server that you are using is returning NotImplemented response code which is why the DNS server is returning ServerFailure response.

I am not sure why the upstream is returning that RCODE. It could be that they do not support the new HTTPS type on their DoH service, or it could be something else. Try using the DNS Client tab on the DNS server web panel to manually query the upstream DoH server for any domain name with different record types and see what you get. This should give you clues as to whether the RCODE is returned only for the HTTPS type or even for the A type.
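The manual check suggested above can also be scripted so the comparison across record types is repeatable. The following is an added example, not Technitium's code and not any provider's: it builds wire-format queries (RFC 1035) for A, AAAA and HTTPS (type 65), sends each with an RFC 8484 DoH POST, and decodes the header RCODE so you can see directly whether only the HTTPS type comes back as NotImplemented. The DoH URL `https://dns.example/dns-query` is a placeholder, and `simulated_upstream` is a constructed stand-in that reproduces only what the logs in this thread show (A answered, HTTPS rejected with RCODE 4) so the probe can be exercised offline.

```python
"""Probe an upstream DoH forwarder per QTYPE and report the RCODE it returns."""
import struct
import urllib.request

# IANA RR type numbers for the types discussed in this thread
QTYPES = {"A": 1, "AAAA": 28, "SVCB": 64, "HTTPS": 65}
# RFC 1035 header RCODE values, named as Technitium logs them
RCODES = {0: "NoError", 1: "FormatError", 2: "ServerFailure",
          3: "NxDomain", 4: "NotImplemented", 5: "Refused"}


def build_query(qname: str, qtype: str) -> bytes:
    """Build a minimal wire-format query: ID 0, RD=1, one IN question.

    RFC 8484 section 4.1 recommends ID 0 over DoH so HTTP caches can reuse answers.
    """
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(label)]) + label.encode("ascii")
                      for label in qname.rstrip(".").split("."))
    question = labels + b"\x00" + struct.pack("!HH", QTYPES[qtype], 1)
    return header + question


def parse_rcode(response: bytes):
    """Return (rcode_name, answer_count) from a wire-format DNS response.

    Only the 4-bit header RCODE is decoded; NotImplemented (4), the code in the
    logs above, fits there, so the EDNS extended RCODE in OPT is not consulted.
    """
    if len(response) < 12:
        raise ValueError("truncated DNS header")
    _id, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", response[:12])
    if not flags & 0x8000:
        raise ValueError("QR bit clear: not a response")
    code = flags & 0x000F
    return RCODES.get(code, f"Rcode{code}"), ancount


def doh_post(url: str, query: bytes, timeout: float = 5.0) -> bytes:
    """Send one query with RFC 8484 POST and return the raw DNS response."""
    req = urllib.request.Request(
        url, data=query, method="POST",
        headers={"Content-Type": "application/dns-message",
                 "Accept": "application/dns-message"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read()


def simulated_upstream(url: str, query: bytes) -> bytes:
    """Constructed stand-in mirroring only what the logs show: A answered, HTTPS -> NotImplemented.

    Not the real behaviour of any provider beyond that; it lets the probe run offline.
    """
    question = query[12:]
    qtype = int.from_bytes(question[-4:-2], "big")
    if qtype == QTYPES["HTTPS"]:
        return struct.pack("!HHHHHH", 0, 0x8184, 1, 0, 0, 0) + question  # RCODE 4
    if qtype == QTYPES["A"]:
        # one A record: name pointer to offset 12, class IN, TTL 60, RDLENGTH 4, 192.0.2.1
        rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + bytes([192, 0, 2, 1])
        return struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0) + question + rr
    return struct.pack("!HHHHHH", 0, 0x8180, 1, 0, 0, 0) + question  # NoError, no answers


def probe_upstream(url, qname, qtypes=("A", "AAAA", "HTTPS"), send=doh_post):
    """Map each QTYPE to the (RCODE, answer count) the upstream returned for qname."""
    return {qt: parse_rcode(send(url, build_query(qname, qt))) for qt in qtypes}


if __name__ == "__main__":
    # Placeholder URL (assumption): put your forwarder's real DoH endpoint here.
    results = probe_upstream("https://dns.example/dns-query", "example.com")
    for qt, (rcode, answers) in results.items():
        print(f"{qt:5s} RCODE={rcode} answers={answers}")
```

If the live run shows NoError for A and AAAA but NotImplemented for HTTPS, the upstream is rejecting the type itself rather than failing on the name, which is exactly the pattern Technitium then surfaces as ServerFailure to its own clients.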

prooshani commented 1 year ago

Thank you for the response. Unfortunately, I still have the very same issue with all my DNS servers which are using Technitium as a service. I have used the DNS Client tab and also the DNS Client web app to see the other types' responses. All are fine except HTTPS, which still receives the NotImplemented RCODE, which is bizarre!

I don't know what to do next to find the root of the issue.

Also, I cannot see the HTTPS type in the DNS Client tab to test it. I don't know if any of these items works as the HTTPS type or what:

[Screenshot 2023-03-11: DNS Client tab record-type dropdown]

ShreyasZare commented 1 year ago

> Thank you for the response. Unfortunately, I still have the very same issue with all my DNS servers which are using Technitium as a service. I have used the DNS Client tab and also the DNS Client web app to see the other types' responses. All are fine except HTTPS, which still receives the NotImplemented RCODE, which is bizarre!
>
> I don't know what to do next to find the root of the issue.

The problem is not with Technitium DNS Server but with your upstream DNS server. If you change your upstream to some other service then you will be able to resolve HTTPS records without any issues.

> Also, I cannot see the HTTPS type in the DNS Client tab to test it. I don't know if any of these items works as the HTTPS type or what: [Screenshot 2023-03-11: DNS Client tab record-type dropdown]

Yes, the dropdown list has only types that are editable on the DNS server. The next release is expected to include HTTPS & SVCB record types so that you can create and edit those records in your zones. With that release the DNS Client tab will add those new types too.

You can still query for HTTPS records if you know how to edit HTML source. Just right click on the DNS type dropdown and click on Inspect element. Then edit the HTML to add an HTTPS item there so that you can use it with the UI to query now. These changes will revert when you refresh the page, so if you want persistence you can edit the index.html page on disk and add those HTML tags to make it work.

prooshani commented 1 year ago

Dear @ShreyasZare,

Thank you for your answer. I have checked with the provider too. They claim this is by design, rejecting HTTPS type requests because of a vulnerability in the new iPhone 14's request resolver (type 65 queries):

> Hi,
>
> This is by design, to avoid this: https://community.cloudflare.com/t/apple-with-ios-14-pokes-a-hole-in-dns-filtering-with-query-type-65/225029

I have tested other providers and they are working as expected, and I am pretty sure, and agree, that Technitium DNS Server is not the source of the problem.

Then I assume this issue can be flagged as RESOLVED and closed. Thanks again for your always kind and complete answers.

ShreyasZare commented 1 year ago

Thanks for posting the details here.