TechnitiumSoftware / DnsServer

Technitium DNS Server
https://technitium.com/dns/
GNU General Public License v3.0

Secure DNS doesn't work without specifying its IP address #623

Closed agneevX closed 1 year ago

agneevX commented 1 year ago

Hello.

I get an error when using any secure DNS that has a hostname.

[2023-05-08 15:50:48 UTC] DNS Server failed to resolve the request 'a1834.dscw80.akamai.net. A IN' using forwarders: https://one.one.one.one/dns-query.
TechnitiumLibrary.Net.Dns.DnsClientException: No IP address was found for name server: one.one.one.one
   at TechnitiumLibrary.Net.Dns.NameServerAddress.RecursiveResolveIPAddressAsync(IDnsCache cache, NetProxy proxy, Boolean preferIPv6, UInt16 udpPayloadSize, Boolean randomizeName, Int32 retries, Int32 timeout, CancellationToken cancellationToken) in Z:\Technitium\Projects\TechnitiumLibrary\TechnitiumLibrary.Net\Dns\NameServerAddress.cs:line 710
   at DnsServerCore.Dns.DnsServer.RecursiveResolveAsync(DnsQuestionRecord question, NetworkAddress eDnsClientSubnet, Boolean conditionalForwardingClientSubnet, IReadOnlyList`1 conditionalForwarders, Boolean dnssecValidation, Boolean cachePrefetchOperation, Boolean cacheRefreshOperation, Boolean skipDnsAppAuthoritativeRequestHandlers, TaskCompletionSource`1 taskCompletionSource) in Z:\Technitium\Projects\DnsServer\DnsServerCore\Dns\DnsServer.cs:line 2896
[2023-05-08 15:50:52 UTC] DNS Server failed to resolve the request 'hases.akamaized.net. A IN' using forwarders: https://one.one.one.one/dns-query.
TechnitiumLibrary.Net.Dns.DnsClientException: No IP address was found for name server: one.one.one.one
   at TechnitiumLibrary.Net.Dns.NameServerAddress.RecursiveResolveIPAddressAsync(IDnsCache cache, NetProxy proxy, Boolean preferIPv6, UInt16 udpPayloadSize, Boolean randomizeName, Int32 retries, Int32 timeout, CancellationToken cancellationToken) in Z:\Technitium\Projects\TechnitiumLibrary\TechnitiumLibrary.Net\Dns\NameServerAddress.cs:line 710
   at DnsServerCore.Dns.DnsServer.RecursiveResolveAsync(DnsQuestionRecord question, NetworkAddress eDnsClientSubnet, Boolean conditionalForwardingClientSubnet, IReadOnlyList`1 conditionalForwarders, Boolean dnssecValidation, Boolean cachePrefetchOperation, Boolean cacheRefreshOperation, Boolean skipDnsAppAuthoritativeRequestHandlers, TaskCompletionSource`1 taskCompletionSource) in Z:\Technitium\Projects\DnsServer\DnsServerCore\Dns\DnsServer.cs:line 2896
[2023-05-08 15:51:06 UTC] DNS Server config file was saved: /etc/dns/dns.config
[2023-05-08 15:51:06 UTC] [10.0.0.114:50883] [admin] DNS Settings were updated successfully.
[2023-05-08 15:51:08 UTC] DNS Server failed to resolve the request 'hases.akamaized.net. A IN' using forwarders: one.one.one.one:853.
TechnitiumLibrary.Net.Dns.DnsClientException: No IP address was found for name server: one.one.one.one
   at TechnitiumLibrary.Net.Dns.NameServerAddress.RecursiveResolveIPAddressAsync(IDnsCache cache, NetProxy proxy, Boolean preferIPv6, UInt16 udpPayloadSize, Boolean randomizeName, Int32 retries, Int32 timeout, CancellationToken cancellationToken) in Z:\Technitium\Projects\TechnitiumLibrary\TechnitiumLibrary.Net\Dns\NameServerAddress.cs:line 710
   at DnsServerCore.Dns.DnsServer.RecursiveResolveAsync(DnsQuestionRecord question, NetworkAddress eDnsClientSubnet, Boolean conditionalForwardingClientSubnet, IReadOnlyList`1 conditionalForwarders, Boolean dnssecValidation, Boolean cachePrefetchOperation, Boolean cacheRefreshOperation, Boolean skipDnsAppAuthoritativeRequestHandlers, TaskCompletionSource`1 taskCompletionSource) in Z:\Technitium\Projects\DnsServer\DnsServerCore\Dns\DnsServer.cs:line 2896
[2023-05-08 15:51:12 UTC] DNS Server failed to resolve the request 'haseas.akamaized.net. A IN' using forwarders: one.one.one.one:853.
TechnitiumLibrary.Net.Dns.DnsClientException: No IP address was found for name server: one.one.one.one
   at TechnitiumLibrary.Net.Dns.NameServerAddress.RecursiveResolveIPAddressAsync(IDnsCache cache, NetProxy proxy, Boolean preferIPv6, UInt16 udpPayloadSize, Boolean randomizeName, Int32 retries, Int32 timeout, CancellationToken cancellationToken) in Z:\Technitium\Projects\TechnitiumLibrary\TechnitiumLibrary.Net\Dns\NameServerAddress.cs:line 710
   at DnsServerCore.Dns.DnsServer.RecursiveResolveAsync(DnsQuestionRecord question, NetworkAddress eDnsClientSubnet, Boolean conditionalForwardingClientSubnet, IReadOnlyList`1 conditionalForwarders, Boolean dnssecValidation, Boolean cachePrefetchOperation, Boolean cacheRefreshOperation, Boolean skipDnsAppAuthoritativeRequestHandlers, TaskCompletionSource`1 taskCompletionSource) in Z:\Technitium\Projects\DnsServer\DnsServerCore\Dns\DnsServer.cs:line 2896
[2023-05-08 15:55:22 UTC] [10.0.0.114:50935] Check for update was done {updateAvailable: False; updateVersion: 11.1.1; updateTitle: New Update (v11.1.1) Available!; updateMessage: Follow the instructions from the link below to update the DNS server to the latest version. Read the change logs before installing this update to know if there are any breaking changes.; instructionsLink: https://blog.technitium.com/2017/11/running-dns-server-on-ubuntu-linux.html; changeLogLink: https://github.com/TechnitiumSoftware/DnsServer/blob/master/CHANGELOG.md;}
[2023-05-08 15:55:22 UTC] DNS Server failed to resolve the request '1.2.19.172.in-addr.arpa. PTR IN' using forwarders: one.one.one.one:853.
TechnitiumLibrary.Net.Dns.DnsClientException: No IP address was found for name server: one.one.one.one
   at TechnitiumLibrary.Net.Dns.NameServerAddress.RecursiveResolveIPAddressAsync(IDnsCache cache, NetProxy proxy, Boolean preferIPv6, UInt16 udpPayloadSize, Boolean randomizeName, Int32 retries, Int32 timeout, CancellationToken cancellationToken) in Z:\Technitium\Projects\TechnitiumLibrary\TechnitiumLibrary.Net\Dns\NameServerAddress.cs:line 710
   at DnsServerCore.Dns.DnsServer.RecursiveResolveAsync(DnsQuestionRecord question, NetworkAddress eDnsClientSubnet, Boolean conditionalForwardingClientSubnet, IReadOnlyList`1 conditionalForwarders, Boolean dnssecValidation, Boolean cachePrefetchOperation, Boolean cacheRefreshOperation, Boolean skipDnsAppAuthoritativeRequestHandlers, TaskCompletionSource`1 taskCompletionSource) in Z:\Technitium\Projects\DnsServer\DnsServerCore\Dns\DnsServer.cs:line 2896

It works if I specify the IP address of the resolver in ().

Obviously the point of a hostname is that the underlying IP can change anytime, so specifying IPs after doing a manual lookup is not appropriate.

ShreyasZare commented 1 year ago

Thanks for the post. When you use a domain name as the forwarder, the DNS server will perform recursive resolution to try to resolve it to an IP address. But, in your case, the recursive resolution is not working due to network issues, which is why you see this in the error:

TechnitiumLibrary.Net.Dns.DnsClientException: No IP address was found for name server: one.one.one.one

Recursive resolution does not work for many networks since ISPs keep hijacking/filtering DNS requests.

It works if I specify the IP address of the resolver in ().

Which is why you will need to enter the IP addresses manually in those round brackets.

Obviously the point of a hostname is that the underlying IP can change anytime, so specifying IPs after doing a manual lookup is not appropriate.

The IP address for the service you are using is static (1.1.1.1) in this case. Also, IP addresses used for DNS servers are always static, and all DNS server config anywhere always requires an IP address; otherwise it's a chicken-or-egg issue when resolving a domain name.

Being able to configure a domain name as a forwarder is a special feature that the DNS server supports since it has a built-in capability to perform recursive resolution.

agneevX commented 1 year ago

Recursive resolution does not work for many networks since ISPs keep hijacking/filtering DNS requests.

That is true in my case, however shouldn't it still be able to resolve the domain, even if hijacked?

The IP address for the service you are using is static (1.1.1.1) in this case.

Yeah, that was an example I provided. The actual name servers I intend to use change their IPs.

ShreyasZare commented 1 year ago

Recursive resolution does not work for many networks since ISPs keep hijacking/filtering DNS requests.

That is true in my case, however shouldn't it still be able to resolve the domain, even if hijacked?

It depends on how your ISP is restricting DNS. They may be dropping requests that go to root servers for example which will cause issues with recursive resolution.

The IP address for the service you are using is static (1.1.1.1) in this case.

Yeah, that was an example I provided. The actual name servers I intend to use change their IPs.

It's a strange thing to host DNS on a dynamic IP address. Since your ISP is giving issues with recursive resolution, you can use a conditional forwarder zone to resolve the domain name in the DoH URL.

For example, if your DoH URL that you use as forwarder is https://doh.example.com/dns-query, then create a conditional forwarder zone for doh.example.com with DNSSEC validation disabled and the IP address of any DNS server that works from your network as the forwarder. You may use 1.1.1.1, 8.8.8.8, or DNS servers provided by your ISP itself. With this setup, the DNS server will resolve doh.example.com using the conditional forwarder and then resolve all other domain names using the DoH forwarder.
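
A small model of the setup described above, added here as an illustration and not code from Technitium DNS Server: it routes a query name to the longest matching conditional forwarder zone (label-wise, so `notdoh.example.com` does not fall under `doh.example.com`) and otherwise to the default DoH forwarder, and it reports the bootstrap gap from this thread, where the DoH hostname has no conditional zone or that zone's forwarder is itself a hostname. Zone names, forwarder strings and the `select_upstream`/`bootstrap_problems` helpers are constructed for the example.

```python
from __future__ import annotations
from ipaddress import ip_address
from urllib.parse import urlsplit


def labels(name: str) -> list[str]:
    """Split a DNS name into lowercase labels, ignoring a trailing dot."""
    return name.rstrip(".").lower().split(".")


def in_zone(qname: str, zone: str) -> bool:
    """True if qname is the zone apex or a subdomain of it, compared label-wise."""
    q, z = labels(qname), labels(zone)
    return len(q) >= len(z) and q[-len(z):] == z


def forwarder_host(forwarder: str) -> str:
    """Host part of a forwarder: a DoH URL, 'host:853' style or a bare IP literal."""
    url = forwarder if "://" in forwarder else "//" + forwarder
    return urlsplit(url).hostname


def is_ip_literal(host: str) -> bool:
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def select_upstream(qname: str, default: str, conditional: dict[str, str]) -> str:
    """Longest matching conditional forwarder zone wins; else the default forwarder."""
    matches = [z for z in conditional if in_zone(qname, z)]
    if not matches:
        return default
    return conditional[max(matches, key=lambda z: len(labels(z)))]


def bootstrap_problems(default: str, conditional: dict[str, str]) -> list[str]:
    """Why the default forwarder's own hostname could not be resolved without
    recursion: no zone covers it, or the zone's forwarder is not an IP literal."""
    host = forwarder_host(default)
    if is_ip_literal(host):
        return []  # an IP-literal forwarder needs no bootstrap at all
    upstream = select_upstream(host, default, conditional)
    if upstream == default:
        return [f"no conditional forwarder zone covers {host}"]
    if not is_ip_literal(forwarder_host(upstream)):
        return [f"zone forwarder {upstream} is not an IP literal"]
    return []
```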

agneevX commented 1 year ago

Ok, thanks!