TechnitiumSoftware / DnsServer

Technitium DNS Server
https://technitium.com/dns/
GNU General Public License v3.0
3.86k stars, 401 forks

How to configure as recursive-resolver #775

Closed liang-hiwin closed 7 months ago

liang-hiwin commented 7 months ago

How to configure as a recursive resolver? Is the "Forwarders" option set to empty? When set to empty, it was found that nothing could be parsed.

liang-hiwin commented 7 months ago

When I set the "Forwarders" option to empty and use "This Server {this-server}" under the "DNS Client" menu, I tested and found that it could not be resolved. But when I switch to "Recursive Query {recursive-resolver}", the DNS resolves normally.

ShreyasZare commented 7 months ago

Thanks for the post. It mostly seems to be a DNSSEC validation issue, as DNSSEC validation is enabled by default in Settings. The DNS Client tool is totally independent of the DNS server, and by default its "Enable DNSSEC Validation" option is unchecked, which is why it works with it.

Check the DNS logs from the admin panel and see the error description in there. Post any error logs here if you need help.

liang-hiwin commented 7 months ago

I recorded a video and sent it to your email, please check it. Thanks

ShreyasZare commented 7 months ago

Thanks for the video. From the video it's 100% clear that your ISP is hijacking DNS requests, which is why you are getting an answer when you select the recursive resolver in the DNS Client. If you check the "NameServer" field in the response, you will see that you received the answer for "google.com" directly from a ROOT server, which is a clear indication of a hijack.

When you query "This Server" from the DNS Client, the error response has an extended error which says "Waiting for resolver", which means the recursive resolver is still running and you should retry the query after a few more seconds. The reason for this is that the DNS server is going to reject direct answers from the ROOT server and is thus trying to query the next ROOT server of the total of 13 ROOT servers.

So, running the recursive resolver in your setup is not going to work as expected. If you still wish to try using recursive resolution, then disable the "QNAME Minimization" option from Settings > Recursion section and it will mostly work. But remember that whatever answers your DNS server received were spoofed responses from your ISP's DNS server. It would be better to just use your ISP's DNS server IP addresses as the forwarder in your DNS server, as it would work much better and give the same results.
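A stand-alone check for the indicator described in the comment above (added here; not code from the Technitium project or this thread): a genuine root server never answers a query for a name like google.com, it only returns a referral to the TLD servers, so an answer section in a reply that appears to come from a root address is the hijack signal. The classification runs offline on constructed replies; probe_root() is the optional live version and uses the real address of a.root-servers.net.

```python
import random
import socket
import struct

# Real address of a.root-servers.net; only probe_root() uses the network,
# the offline demonstration below does not.
A_ROOT = "198.41.0.4"

def build_query(name: str, qtype: int = 1) -> bytes:
    """Encode a minimal DNS/UDP query (RD=0, no EDNS) for name/qtype/IN."""
    txid = random.randint(0, 0xFFFF)
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)

def classify_root_response(query: bytes, resp: bytes) -> str:
    """'referral' is what a real root server sends for a name like google.com;
    'direct-answer' is the hijack indicator the thread describes."""
    if len(resp) < 12 or resp[:2] != query[:2]:
        return "invalid"                 # short reply or transaction id mismatch
    flags, _qd, ancount, nscount, _ar = struct.unpack("!HHHHH", resp[2:12])
    if not flags & 0x8000:               # QR bit: must be a response
        return "invalid"
    if ancount > 0:                      # roots never answer a 2LD query
        return "direct-answer"
    if nscount > 0:                      # delegation to the TLD servers
        return "referral"
    return "invalid"

def constructed_response(query: bytes, ancount: int, nscount: int) -> bytes:
    """Constructed sample reply reusing the query's id and question section
    (no records are appended; only the header counts matter to the check)."""
    header = struct.pack("!HHHHHH", struct.unpack("!H", query[:2])[0],
                         0x8000, 1, ancount, nscount, 0)
    return header + query[12:]

def probe_root(name: str = "google.com", server: str = A_ROOT) -> str:
    """Live check: send the query to a root server over UDP and classify it."""
    q = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(3.0)
        s.sendto(q, (server, 53))
        data, _ = s.recvfrom(4096)
    return classify_root_response(q, data)

if __name__ == "__main__":
    q = build_query("google.com")
    print(classify_root_response(q, constructed_response(q, 0, 13)))  # referral
    print(classify_root_response(q, constructed_response(q, 1, 0)))   # direct-answer
```

A "direct-answer" result from probe_root() on a network where it is unexpected matches the transparent-proxy situation in this thread, and the thread's advice applies: forward to the ISP resolver rather than recurse.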

liang-hiwin commented 7 months ago

Yes, it worked your way.

bcookatpcsd commented 7 months ago

Can you share the video?

I do things at work to hijack DNS and NTP outbound. So technically I'm doing the same thing, with a different intention.

liang-hiwin commented 7 months ago

Sorry, there are some private records in this video that are inconvenient to share. Thank you for your understanding.