Closed ChristoffBo closed 8 months ago
Thanks for the post. Test this with the DNS Client tool on the admin panel. Use recursive-resolver as the server, enter .
as the domain for root, select SOA type and resolve. The output should give you clues on what is wrong.
Hi
```json
{
  "Metadata": { "NameServer": "dns.google (8.8.8.8)", "Protocol": "Tcp", "DatagramSize": "103 bytes", "RoundTripTime": "754.99 ms" },
  "EDNS": { "UdpPayloadSize": 1232, "ExtendedRCODE": "NoError", "Version": 0, "Flags": "None", "Options": [] },
  "Identifier": 0,
  "IsResponse": true,
  "OPCODE": "StandardQuery",
  "AuthoritativeAnswer": false,
  "Truncation": false,
  "RecursionDesired": true,
  "RecursionAvailable": true,
  "Z": 0,
  "AuthenticData": false,
  "CheckingDisabled": false,
  "RCODE": "NoError",
  "QDCOUNT": 1,
  "ANCOUNT": 1,
  "NSCOUNT": 0,
  "ARCOUNT": 1,
  "Question": [ { "Name": "", "Type": "SOA", "Class": "IN" } ],
  "Answer": [
    {
      "Name": "", "Type": "SOA", "Class": "IN", "TTL": "1631 (27 mins 11 sec)", "RDLENGTH": "64 bytes",
      "RDATA": { "PrimaryNameServer": "a.root-servers.net", "ResponsiblePerson": "nstld@verisign-grs.com", "Serial": 2024030900, "Refresh": 1800, "Retry": 900, "Expire": 604800, "Minimum": 86400 },
      "DnssecStatus": "Disabled"
    }
  ],
  "Authority": [],
  "Additional": [
    { "Name": "", "Type": "OPT", "Class": "1232", "TTL": "0 (0 sec)", "RDLENGTH": "0 bytes", "RDATA": { "Options": [] }, "DnssecStatus": "Disabled" }
  ]
}
```
But when I try with the IPs 192.0.47.132 and 192.0.32.132 I get NXDOMAIN; I made sure that those IP addresses are on the allow list. Odd.
Use the "recursive-resolver" as server again with DNSSEC validation option checked. Post the output here.
hi
```json
{
  "Metadata": { "NameServer": "B.ROOT-SERVERS.NET (170.247.170.2)", "Protocol": "Udp", "DatagramSize": "28 bytes", "RoundTripTime": "627.8 ms" },
  "EDNS": { "UdpPayloadSize": 1232, "ExtendedRCODE": "Refused", "Version": 0, "Flags": "DNSSEC_OK", "Options": [] },
  "DnsClientExtendedErrors": [
    { "InfoCode": "NetworkError", "ExtraText": "B.ROOT-SERVERS.NET (170.247.170.2) returned RCODE=Refused for . SOA IN" },
    { "InfoCode": "NetworkError", "ExtraText": "F.ROOT-SERVERS.NET (192.5.5.241) returned RCODE=Refused for . SOA IN" },
    { "InfoCode": "NetworkError", "ExtraText": "M.ROOT-SERVERS.NET (202.12.27.33) returned RCODE=Refused for . SOA IN" },
    { "InfoCode": "NetworkError", "ExtraText": "H.ROOT-SERVERS.NET (198.97.190.53) returned RCODE=Refused for . SOA IN" },
    { "InfoCode": "NetworkError", "ExtraText": "I.ROOT-SERVERS.NET (192.36.148.17) returned RCODE=Refused for . SOA IN" },
    { "InfoCode": "NetworkError", "ExtraText": "G.ROOT-SERVERS.NET (192.112.36.4) returned RCODE=Refused for . SOA IN" },
    { "InfoCode": "NetworkError", "ExtraText": "L.ROOT-SERVERS.NET (199.7.83.42) returned RCODE=Refused for . SOA IN" },
    { "InfoCode": "NetworkError", "ExtraText": "A.ROOT-SERVERS.NET (198.41.0.4) returned RCODE=Refused for . SOA IN" },
    { "InfoCode": "NetworkError", "ExtraText": "E.ROOT-SERVERS.NET (192.203.230.10) returned RCODE=Refused for . SOA IN" },
    { "InfoCode": "NetworkError", "ExtraText": "C.ROOT-SERVERS.NET (192.33.4.12) returned RCODE=Refused for . SOA IN" },
    { "InfoCode": "NetworkError", "ExtraText": "J.ROOT-SERVERS.NET (192.58.128.30) returned RCODE=Refused for . SOA IN" },
    { "InfoCode": "NetworkError", "ExtraText": "K.ROOT-SERVERS.NET (193.0.14.129) returned RCODE=Refused for . SOA IN" },
    { "InfoCode": "NetworkError", "ExtraText": "D.ROOT-SERVERS.NET (199.7.91.13) returned RCODE=Refused for . SOA IN" }
  ],
  "Identifier": 58146,
  "IsResponse": true,
  "OPCODE": "StandardQuery",
  "AuthoritativeAnswer": false,
  "Truncation": false,
  "RecursionDesired": false,
  "RecursionAvailable": true,
  "Z": 0,
  "AuthenticData": false,
  "CheckingDisabled": false,
  "RCODE": "Refused",
  "QDCOUNT": 1,
  "ANCOUNT": 0,
  "NSCOUNT": 0,
  "ARCOUNT": 1,
  "Question": [ { "Name": "", "Type": "SOA", "Class": "IN" } ],
  "Answer": [],
  "Authority": [],
  "Additional": [
    { "Name": "", "Type": "OPT", "Class": "1232", "TTL": "32768 (9 hours 6 mins 8 sec)", "RDLENGTH": "0 bytes", "RDATA": { "Options": [] }, "DnssecStatus": "Indeterminate" }
  ]
}
```
It looks like your ISP is hijacking DNS requests, so you won't be able to create a secondary root zone. Even your requests to 8.8.8.8 etc. would be answered by your ISP. You need to use encrypted DNS forwarders to bypass this hijack.
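One way to check for this kind of interception from a script, as an added example that is not part of this thread or of Technitium's code: it sends `. SOA IN` (RD clear, EDNS DO set) straight to a root server address and flags any reply that sets RA or returns REFUSED, because an authoritative-only root server does neither. The root-server address in the docstring and the two sample reply headers are constructed for illustration.

```python
import socket
import struct

RCODES = {0: "NoError", 1: "FormErr", 2: "ServFail", 3: "NXDomain", 5: "Refused"}

def build_root_soa_query(txid: int) -> bytes:
    """Wire-format query for '. SOA IN' with RD=0 and an EDNS0 OPT record carrying the DO bit."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 1)        # flags 0: no recursion desired
    question = b"\x00" + struct.pack("!HH", 6, 1)                    # root name, type SOA, class IN
    opt = b"\x00" + struct.pack("!HHIH", 41, 1232, 0x00008000, 0)    # OPT, payload 1232, DO=1, RDLEN 0
    return header + question + opt

def parse_header(data: bytes) -> dict:
    """Decode the 12-byte DNS header into the fields the verdict depends on."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    return {"id": txid, "qr": bool(flags & 0x8000), "aa": bool(flags & 0x0400),
            "rd": bool(flags & 0x0100), "ra": bool(flags & 0x0080),
            "rcode": RCODES.get(flags & 0x000F, str(flags & 0x000F)), "ancount": an}

def classify(hdr: dict) -> str:
    """Root servers are authoritative-only: a genuine '. SOA' answer has AA=1, RA=0, NoError."""
    if hdr["rcode"] == "Refused" or hdr["ra"]:
        return "intercepted"      # a real root never advertises recursion or refuses '. SOA'
    if hdr["aa"] and hdr["rcode"] == "NoError" and hdr["ancount"] >= 1:
        return "authoritative"
    return "unexpected"

def probe(server_ip: str, timeout: float = 3.0) -> dict:
    """Send the query directly to a root server address (e.g. 198.41.0.4) and classify the reply."""
    query = build_root_soa_query(0x1234)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server_ip, 53))
        data, _ = sock.recvfrom(4096)
    hdr = parse_header(data)
    hdr["verdict"] = classify(hdr)
    return hdr

# Constructed sample reply headers (only the header matters for the verdict).
GENUINE = struct.pack("!HHHHHH", 0x1234, 0x8400, 1, 1, 0, 1)   # QR=1 AA=1 RA=0 NoError, one answer
HIJACKED = struct.pack("!HHHHHH", 0x1234, 0x8085, 1, 0, 0, 1)  # QR=1 RA=1 Refused, as in the thread
```

Running `probe()` against several root addresses and seeing every one come back "intercepted" is the same signal the admin-panel output above shows.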
Hi, I'm running through NordVPN on my OPNsense firewall. Odd, it was working fine. Will test. Thank you.
You're welcome. In that case it's your VPN provider doing the hijack. Maybe they started doing it now.
Maybe, thank you. Will use HTTPS.
kind regards
```text
UDP] QNAME: api.electricitymap.org; QTYPE: AAAA; QCLASS: IN; RCODE: NoError; ANSWER: [2606:4700:20::ac43:46b1, 2606:4700:20::681a:a4b, 2606:4700:20::681a:b4b]
[2024-03-09 06:38:01 Local] DnsServerCore.Dns.DnsServerException: DNS Server failed to find SOA record for:
   at DnsServerCore.Dns.Zones.SecondaryZone.CreateAsync(DnsServer dnsServer, String name, String primaryNameServerAddresses, DnsTransportProtocol zoneTransferProtocol, String tsigKeyName) in Z:\Technitium\Projects\DnsServer\DnsServerCore\Dns\Zones\SecondaryZone.cs:line 150
```