TechnitiumSoftware / DnsServer

Technitium DNS Server
https://technitium.com/dns/
GNU General Public License v3.0

ServerFailure - all dns lookups failing #780

Closed paulmorabito closed 7 months ago

paulmorabito commented 7 months ago

Hi,

I've installed the latest version (via latest tag) of this via docker on a Debian host. In summary I have configured as follows:

The problem is that all DNS lookups are failing as below in the logs:

[2023-11-15 11:32:20 Local] [192.168.1.1:0] [HTTPS] QNAME: bbc.com; QTYPE: AAAA; QCLASS: IN; RCODE: ServerFailure; ANSWER: [] 

When I look in the cache, I can see the following for the same domain:

[
  {
    "name": "bbc.com",
    "type": "A",
    "ttl": "0 (0 sec)",
    "rData": {
      "dataType": "DnsSpecialCacheRecordData",
      "data": "FailureCache: ServerFailure; NetworkError: 192.168.1.1 returned RCODE=Refused for . DNSKEY IN, DNSKEYMissing: 192.168.1.1 returned RCODE=Refused for . DNSKEY IN, NetworkError: Socket error for bbc.com. A IN: ConnectionRefused"
    },
    "dnssecStatus": "Unknown",
    "lastUsedOn": "2023-11-15T11:37:20.1429083Z"
  },
  {
    "name": "bbc.com",
    "type": "AAAA",
    "ttl": "0 (0 sec)",
    "rData": {
      "dataType": "DnsSpecialCacheRecordData",
      "data": "FailureCache: ServerFailure; NetworkError: 192.168.1.1 returned RCODE=Refused for . DNSKEY IN, DNSKEYMissing: 192.168.1.1 returned RCODE=Refused for . DNSKEY IN, NetworkError: Socket error for bbc.com. AAAA IN: ConnectionRefused"
    },
    "dnssecStatus": "Unknown",
    "lastUsedOn": "2023-11-15T11:37:20.1422233Z"
  },
  {
    "name": "bbc.com",
    "type": "HTTPS",
    "ttl": "0 (0 sec)",
    "rData": {
      "dataType": "DnsSpecialCacheRecordData",
      "data": "FailureCache: ServerFailure; NetworkError: Socket error for bbc.com. HTTPS IN: ConnectionRefused"
    },
    "dnssecStatus": "Unknown",
    "lastUsedOn": "2023-11-15T11:37:20.1364783Z"
  }
]

I can see that when I set DNS to that of my router it refused the connection, and similarly for Adguard (I've tried several others, Quad9 etc.). When I get a terminal in the container, I can curl to any URL, so the connection itself seems fine.

I'm at a loss as to what could be causing this. Any help would be very appreciated and am happy to provide additional info as needed.

ShreyasZare commented 7 months ago

Thanks for the post and details. I would suggest that you test such issues using the DNS Client tab on the admin web panel and see what extended DNS errors are shown in there.

From the cache record details, it looks like you have configured 192.168.1.1 as your upstream/forwarder in the DNS server's Settings and that the upstream is refusing to respond to certain requests that are needed for DNSSEC validation.

I would suggest that you change to a different upstream and check again. If the issue still is the same then use an upstream server with encrypted DNS protocol and test again.

Let me know if the issue is still there.
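The cache records above blame the upstream for answering ". DNSKEY IN" with Refused, which is exactly the query a validating resolver needs. The following added example (not Technitium code) sends that same query to a candidate forwarder over plain UDP/53 with the DO bit set and reports the RCODE, so an upstream can be checked before it is configured; the default target 192.168.1.1 is the router from the issue.

```python
"""Check whether a forwarder answers the root DNSKEY query that DNSSEC
validation depends on, or refuses it as the upstream in this issue did.
Added example, not Technitium code; the probe uses plain UDP on port 53."""
import socket
import struct
import sys

RCODES = {0: "NoError", 1: "FormatError", 2: "ServerFailure",
          3: "NameError", 4: "NotImplemented", 5: "Refused"}
TXID = 0x1234  # fixed id so the response can be matched; fine for a one-shot probe

def build_root_dnskey_query():
    """Wire-format query for '. DNSKEY IN' with an OPT record carrying DO=1."""
    header = struct.pack(">HHHHHH", TXID, 0x0100, 1, 0, 0, 1)  # RD set, 1 question, 1 additional
    question = b"\x00" + struct.pack(">HH", 48, 1)             # root name, type DNSKEY, class IN
    # OPT RR: root name, type 41, UDP payload 1232, ext-rcode 0, version 0, DO bit, rdlen 0
    opt = b"\x00" + struct.pack(">HHBBHH", 41, 1232, 0, 0, 0x8000, 0)
    return header + question + opt

def parse_rcode(response):
    """Return the RCODE name from a DNS response header (checks id and QR bit)."""
    if len(response) < 12:
        raise ValueError("truncated DNS header")
    txid, flags = struct.unpack(">HH", response[:4])
    if txid != TXID or not flags & 0x8000:
        raise ValueError("not a response to our query")
    rcode = flags & 0x000F
    return RCODES.get(rcode, f"RCODE{rcode}")

def probe_forwarder(ip, port=53, timeout=3.0):
    """Send the probe and classify the answer; 'Refused' reproduces the issue's symptom."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_root_dnskey_query(), (ip, port))
        data, _ = s.recvfrom(4096)
    return parse_rcode(data)

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "192.168.1.1"  # upstream from the issue
    print(f"{target}: . DNSKEY IN -> {probe_forwarder(target)}")
```

A forwarder that returns Refused here will make every uncached lookup through a validating Technitium instance fail the same way the issue describes.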

paulmorabito commented 7 months ago

I've changed to several others and, apart from DNS over HTTP and via TLS (which all give errors on all services, Adguard etc.), it's working now. Anything specific I should enable/disable to get these working? There's no error info in the DNS Client tab.

ShreyasZare commented 7 months ago

> I've changed to several others and, apart from DNS over HTTP and via TLS (which all give errors on all services, Adguard etc.), it's working now. Anything specific I should enable/disable to get these working? There's no error info in the DNS Client tab.

There is no specific option to enable/disable since it works directly. From the cache records you posted earlier, it was due to the upstream you configured that does not support DNSSEC, which is why domain names were failing to resolve. It's not recommended to disable DNSSEC validation; instead you should switch to a different forwarder that supports DNSSEC.

paulmorabito commented 7 months ago

OK, yes, I understand. The problem is when I select say Adguard via TLS or HTTPS as the upstream I get a ServerError. Choosing Quic works fine. I've got DNSSEC enabled. Though regardless of the present upstream DNS providers listed, any that are via TLS or HTTPS are failing.

ShreyasZare commented 7 months ago

> OK, yes, I understand. The problem is when I select say Adguard via TLS or HTTPS as the upstream I get a ServerError. Choosing Quic works fine. I've got DNSSEC enabled. Though regardless of the present upstream DNS providers listed, any that are via TLS or HTTPS are failing.

Check the DNS logs from the admin web panel and post any errors you see here. The logs will give the correct reason for the issue.

paulmorabito commented 7 months ago

There's nothing listed in the logs but in the browser (Firefox) I get:

Possible security risk looking up this domain

Firefox can’t protect your request for this site’s address through our trusted DNS resolver. Here’s why:
This website wasn’t found by xxxxx.nbbbb.net.

Learn more…

You can continue with your default DNS resolver. However, a third-party might be able to see what websites you visit.

Accessing a domain already in the cache works fine. As does changing the upstream DNS to Adguard Quic.

ShreyasZare commented 7 months ago

The Firefox message is not related to this issue. It just wants you to know that you are not using their trusted DoH resolver and that the domain could be blocked by the one you are using. You should test domain names using the DNS Client tab to get a clear picture of the issue, since it will show you extended DNS error messages when there are issues with domain resolution.

If you do not see any resolution related error logs in the DNS logs section then the resolution is working fine and any response in cache is coming from the upstream you have configured.

paulmorabito commented 7 months ago

I'm not sure I understand how it is not related. I get the above error in the browser only when I select DNS over HTTPS or over TLS endpoints. The site is then unable to load.

If I try with the same endpoint in the DNS client then I get "Error! DnsClient failed to resolve the request 'dns.adguard-dns.com. A IN'. Received a response with RCODE: ServerFailure".

If I use DNS over QUIC or standard port 53 DNS there are no errors when resolving via browser or via the DNS client.

Similarly, Adguard Home, on the same host but with different port mappings, works fine with HTTPS and TLS based DNS endpoints, so there has to be something here that makes it not work?

ShreyasZare commented 7 months ago

The primary issue you have is that the DNS server is returning ServerFailure response which needs to be fixed first before you can test for the secondary issue that you have with Firefox.

You have provided bits and pieces of info which are not sufficient to understand the reason for the issue. Also, it's not clear how you have the DNS server set up, which is important to fix the issue.

paulmorabito commented 7 months ago

Hi,

Yes, you are correct. Let me give you full answers to all of your questions.

> Where do you have the DNS server setup? Is it in your local network, directly on your computer, or on a public server?

The server is running on a Debian 12 host on my local network via docker. I am exposing only the port that is being used for DNS over HTTPS. This is being reverse proxied through Traefik to my domain. I can access this via the domain fine, internally and externally to the local network.

> When you get ServerFailure response, is that for all domain names or only certain ones?

All domains that are not already in the cache.

> Which public DNS servers have you tried as forwarders and which DNS protocols did you use with them? Which ones worked and which did not? Note that when you switch forwarder you should flush the DNS cache too, since the cache will have records with ServerFailure, so it won't resolve with the new forwarder until the cached records expire.

OK, this is where the problem lies. I wasn't flushing the cache so the Server Errors were cached too. Everything is now working via all protocols.

> Have you configured Firefox to use DoH with your DNS server's URL?

Yes.

> Test with DNS Client for domain names you have issue with and post complete output of DNS Client response where you see ServerFailure response code since partial error snippets do not convey complete info.

N/A as this is now fixed. I'll mark it as closed. Thanks for your help.
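The root cause turned out to be stale FailureCache records surviving a forwarder switch. As an added example (not Technitium code), the script below reads a cache export in the JSON shape posted earlier in this thread, lists the negative entries that a flush would clear, and extracts which upstream each one blames; the sample export is constructed from the issue's records, and the layout of the "data" string is inferred from them rather than documented.

```python
"""Triage a Technitium cache export (JSON as shown in the issue): list the
FailureCache entries that a forwarder switch leaves behind until flushed,
and which upstream they blame. Added example; 'data' layout inferred from the issue."""
import json
import re

# Constructed sample modelled on the cache records posted above.
SAMPLE_EXPORT = json.dumps([
    {"name": "bbc.com", "type": "A", "ttl": "0 (0 sec)", "dnssecStatus": "Unknown",
     "rData": {"dataType": "DnsSpecialCacheRecordData", "data":
               "FailureCache: ServerFailure; NetworkError: 192.168.1.1 returned RCODE=Refused "
               "for . DNSKEY IN, DNSKEYMissing: 192.168.1.1 returned RCODE=Refused for . DNSKEY IN, "
               "NetworkError: Socket error for bbc.com. A IN: ConnectionRefused"}},
    {"name": "example.net", "type": "A", "ttl": "300 (5 mins)", "dnssecStatus": "Secure",
     "rData": {"dataType": "DnsARecordData", "data": "192.0.2.10"}},
])

# "<ip> returned RCODE=<code> for <qname> <qtype> IN", as seen in the issue's records
UPSTREAM_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3}) returned RCODE=(\w+) for (\S+) (\w+) IN")

def parse_failure(data):
    """'FailureCache: <RCODE>; <Type>: <msg>, <Type>: <msg>' -> (rcode, [(type, msg)])."""
    head, _, rest = data.partition("; ")
    rcode = head.split(": ", 1)[1]
    errors = []
    for chunk in rest.split(", "):  # assumes the messages themselves contain no ", "
        etype, _, msg = chunk.partition(": ")
        errors.append((etype, msg))
    return rcode, errors

def failure_records(export_json):
    """Return only the negative (FailureCache) records, with their parsed errors."""
    found = []
    for rec in json.loads(export_json):
        rdata = rec.get("rData", {})
        data = rdata.get("data", "")
        if rdata.get("dataType") != "DnsSpecialCacheRecordData" or not data.startswith("FailureCache:"):
            continue
        rcode, errors = parse_failure(data)
        found.append({"name": rec["name"], "type": rec["type"], "rcode": rcode, "errors": errors})
    return found

def blamed_upstreams(records):
    """Map each upstream IP to the set of (rcode, qname, qtype) it answered with an error."""
    blame = {}
    for rec in records:
        for _, msg in rec["errors"]:
            m = UPSTREAM_RE.search(msg)
            if m:
                blame.setdefault(m.group(1), set()).add((m.group(2), m.group(3), m.group(4)))
    return blame
```

Any name listed by failure_records() will keep returning ServerFailure after a forwarder change until the cache is flushed or the entries expire.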

ShreyasZare commented 7 months ago

Good to know that you got it working.