TechnitiumSoftware / DnsServer

Technitium DNS Server
https://technitium.com/dns/
GNU General Public License v3.0

DNS App Store go.technitium.com 404 Not Found #821

Closed onlineapps-cloud closed 5 months ago

onlineapps-cloud commented 6 months ago

Hi, in the App Store I get the error: Error! HttpClient could not resolve IP address for host: go.technitium.com

In the browser, http://go.technitium.com/ returns 404 Not Found; also, HTTPS is not configured!

Technitium Version 11.5.3

ShreyasZare commented 6 months ago

Thanks for the post. The App Store is working well as expected. It's just a local issue that the domain name is not resolving.

Use the DNS Client tab on the admin web panel to check the go.technitium.com domain and see if it resolves or if there are any extended DNS errors reported. Post any error you see in there.

The website go.technitium.com is a redirection service and it will give 404 when you visit it without any parameters. It works on both HTTP & HTTPS.

onlineapps-cloud commented 5 months ago

hi, DNS client results:

{
  "Metadata": {
    "NameServer": "technitiumdns (127.0.0.1)",
    "Protocol": "Udp",
    "DatagramSize": "109 bytes",
    "RoundTripTime": "23.44 ms"
  },
  "EDNS": {
    "UdpPayloadSize": 1232,
    "ExtendedRCODE": "ServerFailure",
    "Version": 0,
    "Flags": "None",
    "Options": [
      {
        "Code": "EXTENDED_DNS_ERROR",
        "Length": "53 bytes",
        "Data": {
          "InfoCode": "NSECMissing",
          "ExtraText": "Missing non-existence proof (No Data) for com. A IN"
        }
      },
      {
        "Code": "EXTENDED_DNS_ERROR",
        "Length": "2 bytes",
        "Data": {
          "InfoCode": "CachedError",
          "ExtraText": null
        }
      }
    ]
  },
  "DnsClientExtendedErrors": [
    {
      "InfoCode": "NetworkError",
      "ExtraText": "technitiumdns (127.0.0.1) returned RCODE=ServerFailure for go.technitium.com. A IN"
    }
  ],
  "Identifier": 10967,
  "IsResponse": true,
  "OPCODE": "StandardQuery",
  "AuthoritativeAnswer": false,
  "Truncation": false,
  "RecursionDesired": true,
  "RecursionAvailable": true,
  "Z": 0,
  "AuthenticData": false,
  "CheckingDisabled": true,
  "RCODE": "ServerFailure",
  "QDCOUNT": 1,
  "ANCOUNT": 0,
  "NSCOUNT": 0,
  "ARCOUNT": 1,
  "Question": [
    {
      "Name": "go.technitium.com",
      "Type": "A",
      "Class": "IN"
    }
  ],
  "Answer": [],
  "Authority": [],
  "Additional": [
    {
      "Name": "",
      "Type": "OPT",
      "Class": "1232",
      "TTL": "0 (0 sec)",
      "RDLENGTH": "63 bytes",
      "RDATA": {
        "Options": [
          {
            "Code": "EXTENDED_DNS_ERROR",
            "Length": "53 bytes",
            "Data": {
              "InfoCode": "NSECMissing",
              "ExtraText": "Missing non-existence proof (No Data) for com. A IN"
            }
          },
          {
            "Code": "EXTENDED_DNS_ERROR",
            "Length": "2 bytes",
            "Data": {
              "InfoCode": "CachedError",
              "ExtraText": null
            }
          }
        ]
      },
      "DnssecStatus": "Disabled"
    }
  ]
}

I installed Technitium using this script: https://github.com/tteck/Proxmox/raw/main/ct/technitiumdns.sh

onlineapps-cloud commented 5 months ago

The problem is in the LXC container. I tried to ping any server from the console, but got no results; most likely this issue is not caused by your software.

onlineapps-cloud commented 5 months ago

image image

ShreyasZare commented 5 months ago

Thanks for the details. The domain name is failing to resolve due to DNSSEC validation failures.

"Data": {
          "InfoCode": "NSECMissing",
          "ExtraText": "Missing non-existence proof (No Data) for com. A IN"
        }

The above error message means that the DNS server is receiving a response claiming that the com zone does not have any records, and it's failing to prove that with the DNSSEC validation being done.

You need to change your forwarder (upstream) or switch to using encrypted DNS protocol. If you are not using any forwarders then you need to switch to one that supports encrypted DNS protocol.
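Added example (not part of the thread and not Technitium's own code): a small triage script for a DNS Client JSON response of the shape posted above, separating DNSSEC validation failures from other SERVFAIL causes by their Extended DNS Error codes. The function names and the name-normalisation step are assumptions; the DNSSEC-related set follows RFC 8914 info-codes 5 to 12, and only `NSECMissing`, `CachedError` and `NetworkError` are spellings confirmed by this page.

```python
import json

# RFC 8914 Extended DNS Error names (info-codes 5-12) that point at DNSSEC.
# Names are compared with spaces removed and case folded; apart from
# "NSECMissing", the exact spelling in the server's output is an assumption.
DNSSEC_EDE = {"dnssecindeterminate", "dnssecbogus", "signatureexpired",
              "signaturenotyetvalid", "dnskeymissing", "rrsigsmissing",
              "nozonekeybitset", "nsecmissing"}

def extended_errors(response):
    """Collect (InfoCode, ExtraText) pairs from the EDNS options and the
    client-side DnsClientExtendedErrors list, without duplicates."""
    found = []
    for opt in (response.get("EDNS") or {}).get("Options") or []:
        if opt.get("Code") == "EXTENDED_DNS_ERROR":
            data = opt.get("Data") or {}
            found.append((data.get("InfoCode"), data.get("ExtraText")))
    for err in response.get("DnsClientExtendedErrors") or []:
        found.append((err.get("InfoCode"), err.get("ExtraText")))
    return list(dict.fromkeys(found))  # order-preserving de-duplication

def triage(response):
    """Classify a response as ok, a DNSSEC validation failure, or other SERVFAIL."""
    errors = extended_errors(response)
    dnssec = [e for e in errors
              if (e[0] or "").replace(" ", "").lower() in DNSSEC_EDE]
    if response.get("RCODE") != "ServerFailure":
        verdict = "ok"
    elif dnssec:
        verdict = "dnssec-validation-failure"
    else:
        verdict = "servfail-other"
    return {"verdict": verdict, "dnssec_errors": dnssec, "all_errors": errors}

# Constructed sample: a trimmed copy of the response posted in this thread.
SAMPLE = json.loads("""
{"RCODE": "ServerFailure",
 "EDNS": {"ExtendedRCODE": "ServerFailure", "Options": [
   {"Code": "EXTENDED_DNS_ERROR", "Data": {"InfoCode": "NSECMissing",
     "ExtraText": "Missing non-existence proof (No Data) for com. A IN"}},
   {"Code": "EXTENDED_DNS_ERROR",
    "Data": {"InfoCode": "CachedError", "ExtraText": null}}]},
 "DnsClientExtendedErrors": [{"InfoCode": "NetworkError",
   "ExtraText": "technitiumdns (127.0.0.1) returned RCODE=ServerFailure for go.technitium.com. A IN"}]}
""")

if __name__ == "__main__":
    result = triage(SAMPLE)
    print(result["verdict"])
    for code, text in result["dnssec_errors"]:
        print(f"  {code}: {text}")
```
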

onlineapps-cloud commented 5 months ago

i disabled this checkbox, and DNS apps started working image

ShreyasZare commented 5 months ago

This Server i.e. the local DNS server does DNSSEC validation by default which is why you see that NSECMissing error.

image

When you test with Cloudflare, check the "Enable DNSSEC Validation" option and try again. If that fails then it means that something in your network is hijacking DNS requests, most likely your ISP.

image

ShreyasZare commented 5 months ago

> i disabled this checkbox, and DNS apps started working image

If you disable DNSSEC validation then it will obviously work, but you are removing the security check which was detecting that someone is hijacking your DNS requests. Which is why it's not recommended to disable DNSSEC validation.

onlineapps-cloud commented 5 months ago

I think that this option in my router can cause these problems: image

ShreyasZare commented 5 months ago

If enabling that option hijacks all DNS requests then yes, it will interfere with all outbound requests. Also another thing is that the router does not know how to respond to DNSSEC requests which is creating this issue.

> i think that this option in my router can cause this problems: image

onlineapps-cloud commented 5 months ago

hi again, i tried to understand about hijacking, and if the router does not know how to respond to DNSSEC, i executed these commands in technitium lxc container and i get:

root@technitiumdns:~# delv go.technitium.com
; fully validated
go.technitium.com.      86400   IN      CNAME   technitium.com.
go.technitium.com.      86400   IN      RRSIG   CNAME 13 3 86400 20240110151000 20231231141000 58323 technitium.com. n8DQbkMeeF7jp33drhA2kcuETC2USCKArRV2bFnHeaZ9LKoZa0iM0UeK rH26VTYjTjM1pOr7/0wJwof7KV0Pcg==
technitium.com.         14305   IN      A       139.59.3.235
technitium.com.         14305   IN      RRSIG   A 13 2 14400 20240110151000 20231231141000 58323 technitium.com. b5uBUlQ7EvVsncI/5yPCw/qzSm4TnU1vBolAvgo0UCkFWmkx71UZYRLV cfKbCURMQQHMGdJQFnpDgVLv/PcmJg==
root@technitiumdns:~# dig DNSKEY go.technitium.com

; <<>> DiG 9.18.19-1~deb12u1-Debian <<>> DNSKEY go.technitium.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37668
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;go.technitium.com.             IN      DNSKEY

;; ANSWER SECTION:
go.technitium.com.      86128   IN      CNAME   technitium.com.
technitium.com.         3328    IN      DNSKEY  257 3 13 kQKG+ben13CmaKJKYGHtrhfXZt8VT34ZVIC4o1wIS0SwhHllP+7by+/J 6Z1UKQoGF64xbPTySK/BrDJHGf5/3w==
technitium.com.         3328    IN      DNSKEY  256 3 13 XQmqaQ/yUDB8TFseG56aHBhNyTuRXZ1b10mnJcxL2kLR+OdxQsQ4TINt dgkfThKaAoaoO4doQYLZ4n3Sc/sWlA==

;; Query time: 180 msec
;; SERVER: 192.168.1.1#53(192.168.1.1) (UDP)
;; WHEN: Thu Jan 04 16:41:06 EET 2024
;; MSG SIZE  rcvd: 220
root@technitiumdns:~# dig go.technitium.com +dnssec +multi

; <<>> DiG 9.18.19-1~deb12u1-Debian <<>> go.technitium.com +dnssec +multi
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62077
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
;; QUESTION SECTION:
;go.technitium.com.     IN A

;; ANSWER SECTION:
go.technitium.com.      85526 IN CNAME technitium.com.
go.technitium.com.      85526 IN RRSIG CNAME 13 3 86400 (
                                20240110151000 20231231141000 58323 technitium.com.
                                n8DQbkMeeF7jp33drhA2kcuETC2USCKArRV2bFnHeaZ9
                                LKoZa0iM0UeKrH26VTYjTjM1pOr7/0wJwof7KV0Pcg== )
technitium.com.         13527 IN A 139.59.3.235
technitium.com.         13527 IN RRSIG A 13 2 14400 (
                                20240110151000 20231231141000 58323 technitium.com.
                                b5uBUlQ7EvVsncI/5yPCw/qzSm4TnU1vBolAvgo0UCkF
                                Wmkx71UZYRLVcfKbCURMQQHMGdJQFnpDgVLv/PcmJg== )

;; Query time: 344 msec
;; SERVER: 192.168.1.1#53(192.168.1.1) (UDP)
;; WHEN: Thu Jan 04 16:49:32 EET 2024
;; MSG SIZE  rcvd: 296

The question is: do DNSSEC queries work as expected on this machine? If yes, why do I get the error Error! HttpClient could not resolve IP address for host: go.technitium.com, while with DNSSEC disabled everything works as expected?

onlineapps-cloud commented 5 months ago

dig DS go.technitium.com +trace

; <<>> DiG 9.18.19-1~deb12u1-Debian <<>> DS go.technitium.com +trace
;; global options: +cmd
.                       61978   IN      NS      l.root-servers.net.
.                       61978   IN      NS      m.root-servers.net.
.                       61978   IN      NS      a.root-servers.net.
.                       61978   IN      NS      j.root-servers.net.
.                       61978   IN      NS      d.root-servers.net.
.                       61978   IN      NS      h.root-servers.net.
.                       61978   IN      NS      e.root-servers.net.
.                       61978   IN      NS      b.root-servers.net.
.                       61978   IN      NS      g.root-servers.net.
.                       61978   IN      NS      c.root-servers.net.
.                       61978   IN      NS      i.root-servers.net.
.                       61978   IN      NS      f.root-servers.net.
.                       61978   IN      NS      k.root-servers.net.
.                       61978   IN      RRSIG   NS 8 0 518400 20240117050000 20240104040000 30903 . NG0lAPqTSOmSW02oV6+f62WF6tTlnlVozhdRPo40JBED0AViqQL348xX q5gTWrejUE0Dp0x0Pp8H5/NZMCVeYtyBBUxcmwLRs7IhltMNQjkOXH2y DYyXi+bup7KMSthEHDiVdE3e2B58mFHEumemZxPfnKOEMrpAdnb15LvF ZkfqSE4Ld4CzpXXWO/fAWtD3NnmPlAc9LX7+woKsPquK40CLQQg3sY9/ wcoIa3Z3VTr32o9R4iBFZD5eAhCBl3gPabR7KQF1XR9Fnu9l0kREXt5g u8SN/a26KuhTb51bN9xiqivTJnZZ3YIQEts/aJehRbDDzpMh5U+eAEje 8KRjYw==
;; Received 525 bytes from 192.168.1.1#53(192.168.1.1) in 68 ms

;; UDP setup with 2001:500:2f::f#53(2001:500:2f::f) for go.technitium.com failed: network unreachable.
;; UDP setup with 2001:500:2f::f#53(2001:500:2f::f) for go.technitium.com failed: network unreachable.
;; UDP setup with 2001:500:2f::f#53(2001:500:2f::f) for go.technitium.com failed: network unreachable.
;; UDP setup with 2001:500:a8::e#53(2001:500:a8::e) for go.technitium.com failed: network unreachable.
;; Received 35 bytes from 192.5.5.241#53(f.root-servers.net) in 144 ms

onlineapps-cloud commented 5 months ago

dig DS go.technitium.com +trace @1.1.1.1

; <<>> DiG 9.18.19-1~deb12u1-Debian <<>> DS go.technitium.com +trace @1.1.1.1
;; global options: +cmd
.                       61871   IN      NS      d.root-servers.net.
.                       61871   IN      NS      h.root-servers.net.
.                       61871   IN      NS      e.root-servers.net.
.                       61871   IN      NS      b.root-servers.net.
.                       61871   IN      NS      g.root-servers.net.
.                       61871   IN      NS      c.root-servers.net.
.                       61871   IN      NS      i.root-servers.net.
.                       61871   IN      NS      f.root-servers.net.
.                       61871   IN      NS      k.root-servers.net.
.                       61871   IN      NS      l.root-servers.net.
.                       61871   IN      NS      m.root-servers.net.
.                       61871   IN      NS      a.root-servers.net.
.                       61871   IN      NS      j.root-servers.net.
.                       61871   IN      RRSIG   NS 8 0 518400 20240117050000 20240104040000 30903 . NG0lAPqTSOmSW02oV6+f62WF6tTlnlVozhdRPo40JBED0AViqQL348xX q5gTWrejUE0Dp0x0Pp8H5/NZMCVeYtyBBUxcmwLRs7IhltMNQjkOXH2y DYyXi+bup7KMSthEHDiVdE3e2B58mFHEumemZxPfnKOEMrpAdnb15LvF ZkfqSE4Ld4CzpXXWO/fAWtD3NnmPlAc9LX7+woKsPquK40CLQQg3sY9/ wcoIa3Z3VTr32o9R4iBFZD5eAhCBl3gPabR7KQF1XR9Fnu9l0kREXt5g u8SN/a26KuhTb51bN9xiqivTJnZZ3YIQEts/aJehRbDDzpMh5U+eAEje 8KRjYw==
;; Received 525 bytes from 1.1.1.1#53(1.1.1.1) in 56 ms

;; Received 35 bytes from 202.12.27.33#53(m.root-servers.net) in 312 ms

ShreyasZare commented 5 months ago

Thanks for those details. But since I do not know your network config or your DNS server's config, I cannot figure out much from these details and have to make a lot of assumptions.

Are you using any forwarder with your DNS server? The resolution and DNSSEC validation totally depend on your forwarder. If there is no forwarder then the DNS server will do recursive resolution and any DNSSEC validation issue will indicate response tampering.

Also, try replicating the same tests from the DNS Client tab on the admin panel with DNSSEC validation option enabled. This will give a bit better picture since it will give the DNS server's perspective.