TechnitiumSoftware / DnsServer

Technitium DNS Server
https://technitium.com/dns/
GNU General Public License v3.0
4.17k stars, 409 forks

Domain #990

Open TeaqariaWTF opened 1 month ago

TeaqariaWTF commented 1 month ago

I provide usage through my own domain address

dns.my-domain.com

I did the necessary setup on the server and I am using it without any problems.

When I check on dnscheck.tools, it uses Google and Cloudflare dns addresses instead of my own server. How can I ensure that my own server is used instead of Google and cloudflare dns?

[Screenshot attached: Screenshot_20240806-014157_Chrome]

ShreyasZare commented 1 month ago

Thanks for the post. It's not clear how you have set up the DNS server. Are you running the DNS server on a VPS? Are you running it in recursive resolver mode, or have you configured any forwarders in the settings?

Also, do confirm if your client is indeed configured to use the DNS server's IP address. You can test that by creating a test zone on the DNS server and query it with nslookup command.

TeaqariaWTF commented 1 month ago

[Screenshot attached: Screenshot_20240807-105452_Chrome]

I set up on vps and successfully connected my domain address

I do not use any Forwarders

ShreyasZare commented 1 month ago

Your config looks good. You need to check your client network config to make sure you are using the correct IP address for DNS server.

Another thing to note: make sure you have disabled Encrypted DNS in your web browser. Your web browser may have enabled the option by default, causing all your requests to go to the preconfigured DNS providers.

TeaqariaWTF commented 1 month ago

I tested this and when I do not use the DNS service, I see the dns addresses of my Internet service provider, but when I activate my own dns service, it works through cloudflare and Google dns instead of my server.

ShreyasZare commented 1 month ago

> I tested this and when I do not use the DNS service, I see the dns addresses of my Internet service provider, but when I activate my own dns service, it works through cloudflare and Google dns instead of my server.

Unless you have configured a specific forwarder in Settings or have created a Conditional Forwarder zone, the DNS server will do recursive resolution.

You can test to find out the IP address that is used by your DNS server to resolve names. Use the DNS Client tab on the DNS admin panel and resolve the "mydns.home.zare.im" domain name. The domain name will return the IP address that was used to resolve it. This IP address should match your VPS server's IP address.

Mostly, it does not seem to be an issue with your DNS server but with how your clients are configured. But do the above test once and let me know if you see something different.

TeaqariaWTF commented 1 month ago

The system has no specific forwarder and no conditional forwarder zone. The system resolves just fine, just not with root DNS as it should with no specific forwarder configured.

"If no forwarders are configured then the DNS server will use preconfigured ROOT SERVERS to perform recursive resolution." <-- This is not the case.

mcmufffin commented 1 month ago

Dear Team,

we installed the system for @TeaqariaWTF.

The issue seems to be that the DNS does not honor any configured forwarder in the forwarder configuration. According to the documentation it should use root DNS if no forwarder is configured (makes sense..), however, it falls back to Google DoT and Cloudflare DoT instead.

We tried to put various external resolvers there, none were honored.

Also, let me confirm that recursion is enabled and no conditional forwarder zone is configured.

Any idea what might cause this?

Also, let me confirm that we tested with dig directly on the corresponding system and checked with tcpdump which DNS servers are queried by Technitium. The client configuration can be ruled out.

Feedback would be appreciated.

ShreyasZare commented 1 month ago

Thanks for the details. Please follow the steps below to do a test:

  1. Login to the DNS admin panel and click on the DNS Client tab.
  2. Keep the Server as "This Server" and enter "mydns.home.zare.im" as the domain name. Keep the Type set to A and Protocol to DNS-over-UDP.
  3. Click on the Resolve button and share the output text you see over here or email it to support@technitium.com.

This test will confirm how the DNS server is resolving the domain name. The output should give you the IP address of your VPS server.

mcmufffin commented 1 month ago

Hi,

thank you very much for the input.

Here is the output as requested. As expected, it does NOT match the VPS address but is using DoT instead:

```json
{
  "Metadata": {
    "NameServer": "dns ([::1])",
    "Protocol": "Udp",
    "DatagramSize": "63 bytes",
    "RoundTripTime": "447.01 ms"
  },
  "EDNS": {
    "UdpPayloadSize": 1232,
    "ExtendedRCODE": "NoError",
    "Version": 0,
    "Flags": "None",
    "Options": []
  },
  "Identifier": 0,
  "IsResponse": true,
  "OPCODE": "StandardQuery",
  "AuthoritativeAnswer": false,
  "Truncation": false,
  "RecursionDesired": true,
  "RecursionAvailable": true,
  "Z": 0,
  "AuthenticData": false,
  "CheckingDisabled": false,
  "RCODE": "NoError",
  "QDCOUNT": 1,
  "ANCOUNT": 1,
  "NSCOUNT": 0,
  "ARCOUNT": 1,
  "Question": [
    { "Name": "mydns.home.zare.im", "Type": "A", "Class": "IN" }
  ],
  "Answer": [
    {
      "Name": "mydns.home.zare.im",
      "Type": "A",
      "Class": "IN",
      "TTL": "3600 (1 hour)",
      "RDLENGTH": "4 bytes",
      "RDATA": { "IPAddress": "173.194.170.21" },
      "DnssecStatus": "Disabled"
    }
  ],
  "Authority": [],
  "Additional": [
    {
      "Name": "",
      "Type": "OPT",
      "Class": "1232",
      "TTL": "0 (0 sec)",
      "RDLENGTH": "0 bytes",
      "RDATA": { "Options": [] },
      "DnssecStatus": "Disabled"
    }
  ]
}
```

Zone config is empty: https://imgur.com/a/DAKN9Ct

Forwarders as well: https://imgur.com/a/x5sGMJz

Hope this helps.

Thanks

ShreyasZare commented 1 month ago

Thanks for the details. There are another couple of tests to confirm whether DNS requests are being hijacked on your network.

First test: use the DNS Client tab on the admin panel, enter "1.2.3.4" as the Server, enter any domain name for the test, and click on the Resolve button.

Second test: use the DNS Client tab again and select "Recursive Query {recursive-resolver}" as the server, enter any domain name for the test, and click on the Resolve button.

Please share the complete output for both the tests here or over email.
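The two probes above, as an added example that is neither Technitium's code nor anything posted in this issue: a minimal DNS-over-UDP client that builds and sends the query itself, so the result cannot be skewed by the OS stub resolver or a browser's encrypted DNS. A query to 1.2.3.4 must time out; if it is answered, something on the path is intercepting port 53. The A record returned for mydns.home.zare.im is the address of whichever resolver actually contacted the authoritative server, so it should equal the VPS address. The VPS address 203.0.113.10 and the server name dns.example.net in the usage line are placeholders; build_response only fabricates a reply for offline testing.

```python
"""Minimal DNS-over-UDP probe for the two checks in this thread: confirm a
client really reaches the Technitium server, and check whether a non-resolver
address (1.2.3.4) answers at all, which would mean port 53 is intercepted.
Added example, not Technitium's own code; the resolver-identity trick relies
on the mydns.home.zare.im test name mentioned in the thread."""
import random
import socket
import struct


def build_query(name, qid):
    """Wire-format query for `name` A/IN with RD set and transaction ID `qid`."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)


def _read_name(pkt, off):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels, end, jumped = [], None, False
    while True:
        length = pkt[off]
        if length & 0xC0 == 0xC0:                      # compression pointer
            ptr = struct.unpack("!H", pkt[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped, off = True, ptr
            continue
        off += 1
        if length == 0:
            break
        labels.append(pkt[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), end if jumped else off


def parse_response(pkt, expect_id):
    """Parse the header and A answers; reject replies whose ID does not match."""
    qid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", pkt[:12])
    if qid != expect_id:
        raise ValueError("transaction ID mismatch: stray or spoofed reply")
    if not flags & 0x8000:
        raise ValueError("packet is a query, not a response")
    off = 12
    for _ in range(qd):
        _, off = _read_name(pkt, off)
        off += 4                                       # QTYPE + QCLASS
    answers = []
    for _ in range(an):
        name, off = _read_name(pkt, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        rdata, off = pkt[off:off + rdlen], off + rdlen
        if rtype == 1 and rdlen == 4:
            answers.append({"name": name, "ttl": ttl,
                            "address": socket.inet_ntoa(rdata)})
    return {"rcode": flags & 0x0F, "aa": bool(flags & 0x0400),
            "ra": bool(flags & 0x0080), "answers": answers}


def build_response(query, address, ttl=3600):
    """Constructed reply to `query` (offline testing / simulating an
    interceptor): echo the question, add one A record via a 0xC00C pointer."""
    qid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", qid, 0x8180, 1, 1, 0, 0)   # QR, RD, RA set
    answer = struct.pack("!HHHIH", 0xC00C, 1, 1, ttl, 4) + socket.inet_aton(address)
    return header + query[12:] + answer


def probe(server, name, timeout=2.0):
    """Send one query to server:53; return the parsed reply or {'timeout': True}."""
    qid = random.randrange(0, 0x10000)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, qid), (server, 53))
        try:
            data, _ = sock.recvfrom(4096)
        except socket.timeout:
            return {"timeout": True}
    return parse_response(data, qid)


def interpret(vps_ip, via_server, via_bogus):
    """Turn the two probe results into findings, read the way the thread does."""
    findings = []
    if not via_bogus.get("timeout"):
        findings.append("port-53 interception: a non-resolver answered the query")
    addrs = [a["address"] for a in via_server.get("answers", [])]
    if vps_ip in addrs:
        findings.append("server recursed itself: resolver address matches the VPS")
    elif addrs:
        findings.append("query left via another resolver: " + addrs[0])
    else:
        findings.append("no A answer from the server")
    return findings


if __name__ == "__main__":
    import sys
    vps_ip, server = sys.argv[1], sys.argv[2]   # e.g. 203.0.113.10 dns.example.net
    via_server = probe(server, "mydns.home.zare.im")
    via_bogus = probe("1.2.3.4", "google.de")
    for line in interpret(vps_ip, via_server, via_bogus):
        print(line)
```

Run it from a client host with the VPS address and the server name; a "query left via another resolver" finding with a Google or Cloudflare address reproduces exactly what the DNS Client output in this thread showed.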

mcmufffin commented 1 month ago

Hi,

thanks for the input.

We control our own network with ASN. No hijacks done on network side.

Output as requested for 1.2.3.4 (I assume this tests whether an IP that should not answer DNS is answering, e.g. hijacking on 53):

Error! DnsClient failed to resolve the request 'google.de. A IN': request timed out. Connection timed out

Recursive Query {recursive-resolver}:

```json
{
  "Metadata": {
    "NameServer": "ns4.google.com (216.239.38.10)",
    "Protocol": "Udp",
    "DatagramSize": "54 bytes",
    "RoundTripTime": "11.5 ms"
  },
  "EDNS": {
    "UdpPayloadSize": 512,
    "ExtendedRCODE": "NoError",
    "Version": 0,
    "Flags": "None",
    "Options": []
  },
  "Identifier": 0,
  "IsResponse": true,
  "OPCODE": "StandardQuery",
  "AuthoritativeAnswer": true,
  "Truncation": false,
  "RecursionDesired": false,
  "RecursionAvailable": false,
  "Z": 0,
  "AuthenticData": false,
  "CheckingDisabled": false,
  "RCODE": "NoError",
  "QDCOUNT": 1,
  "ANCOUNT": 1,
  "NSCOUNT": 0,
  "ARCOUNT": 1,
  "Question": [
    { "Name": "google.de", "Type": "A", "Class": "IN" }
  ],
  "Answer": [
    {
      "Name": "google.de",
      "Type": "A",
      "Class": "IN",
      "TTL": "300 (5 mins)",
      "RDLENGTH": "4 bytes",
      "RDATA": { "IPAddress": "142.250.203.99" },
      "DnssecStatus": "Disabled"
    }
  ],
  "Authority": [],
  "Additional": [
    {
      "Name": "",
      "Type": "OPT",
      "Class": "512",
      "TTL": "0 (0 sec)",
      "RDLENGTH": "0 bytes",
      "RDATA": { "Options": [] },
      "DnssecStatus": "Disabled"
    }
  ]
}
```

Also, if the DNS cache is flushed and any domain is queried after flushing, you can verify that DoT is used in the cache view:

```json
[
  {
    "name": "",
    "type": "DNSKEY",
    "ttl": "3110 (51 mins 50 sec)",
    "rData": {
      "flags": "ZoneKey",
      "protocol": 3,
      "algorithm": "RSASHA256",
      "publicKey": "AwEAAdSiy6sslYrcZSGcuMEK4DtE8DZZY1A08kAsviAD49tocYO5m37AvIOyzeiKBWuPuJ4m9u5HonCM/ntxklZKYFyMftv8XoRwbiXdpSjfdpNHiMYTTV2oDUNMjdLFnF6HYSY48xrPbevQOYbAFGHpxqcXAQT0+BaBiAx3Ls6lXBQ3/hSVOprvDWJCQiI2OT+9+saKLddSIX6DwTVy0S5T4YY4EGg5R3c/eKUb2/8XgKWUzlOIZsVAZZUSTKW0tX54ccAALO7Grvsx/NW62jc1xv6wWAXocOEVgB7+4Lzb7q9p5o30+sYoGpOsKgFvMSy4oCZTQMQx2Sjd/NG2bMMw6nM=",
      "computedKeyTag": 20038
    },
    "dnssecStatus": "Secure",
    "dnssecRecords": [
      ". 3112 IN RRSIG 48 8 0 172800 1724198400 1722384000 20326 . nHDuf7nmTPAArgH6GxJh+0CAcNGGE1HHuhyChRZ+eWA27Bz4nYrOaUTpMfMP0jfj0m55OqzO9duKE1lz3SubXXUa0pINMRv5GOngAsL9YVJ7UgK+aCnDycWszawA5zuhgaZC7Z0QT/cqKkGr0nA34BrGeFQFhASD+T9ZzD4xsZXvFHiXDAvYRacPf+ITTB5FhATEFgWLjgAMXrOTkDl8x5x/b4qaVkQRg2AUVnjW/Sgsln4depa02M9qdKNYhb1JmcvfYTI1sx5ILRvnxL2t6DiuFIbzXW4iGx6oXM2tYZPFdRJv+V/ujR4nfiAxSNJ0YiaoDlnR72B6oZCAoHfmJA=="
    ],
    "responseMetadata": {
      "nameServer": "1.1.1.1:853",
      "protocol": "Tls",
      "datagramSize": "936 bytes",
      "roundTripTime": "5.56 ms"
    },
    "lastUsedOn": "2024-08-07T12:26:11.2729558Z"
  },
  {
    "name": "",
    "type": "DNSKEY",
    "ttl": "3110 (51 mins 50 sec)",
    "rData": {
      "flags": "SecureEntryPoint, ZoneKey",
      "protocol": 3,
      "algorithm": "RSASHA256",
      "publicKey": "AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU=",
      "computedKeyTag": 20326
    },
    "dnssecStatus": "Secure",
    "responseMetadata": {
      "nameServer": "1.1.1.1:853",   <------------------ should be root dns instead
      "protocol": "Tls",
      "datagramSize": "936 bytes",
      "roundTripTime": "5.56 ms"
    },
    "lastUsedOn": "2024-08-07T12:26:11.2729558Z"
  }
]
```

This does not make any sense to me.

Hope this helps.
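The cache-view check described in the comment above, as an added example (not Technitium's code and not posted in this issue): a small audit over the JSON the admin panel's cache view emits, which normalises the nameServer/protocol fields and flags any upstream reached over an encrypted transport (DoT/DoH/DoQ) or at a well-known public resolver address as forwarding, since a recursive resolver walking from the root servers talks plain UDP/TCP to authoritative servers and never DoT. The SAMPLE_CACHE below is constructed from the entries in this thread with the public keys shortened, plus one recursive entry and one locally served record; dns.example.net and 203.0.113.10 are placeholders.

```python
"""Audit which upstreams a Technitium cache dump (or DNS Client output) really
used. Added example, not Technitium's own code. It reads the cache-view JSON
(entries carry responseMetadata, as in this thread), normalises the
nameServer/protocol fields, and flags encrypted transports and well-known
public resolvers as forwarding rather than recursion via the root servers."""
import json

# Well-known public resolver addresses: seeing one as an upstream means the
# query was forwarded, whatever the transport.
PUBLIC_RESOLVERS = {"1.1.1.1", "1.0.0.1", "8.8.8.8", "8.8.4.4",
                    "9.9.9.9", "149.112.112.112"}
ENCRYPTED = {"tls": "DoT", "https": "DoH", "quic": "DoQ"}


def parse_name_server(value):
    """Split Technitium's nameServer string into host, address and port.
    Forms seen in this thread: '1.1.1.1:853', 'ns4.google.com (216.239.38.10)',
    'dns ([::1])'. Port defaults to 53."""
    host, port = None, 53
    value = value.strip()
    if "(" in value:
        host, rest = value.split("(", 1)
        host, addr = host.strip(), rest.rstrip(")").strip()
    else:
        addr = value
    if addr.startswith("["):                           # [v6]:port
        addr, _, tail = addr[1:].partition("]")
        if tail.startswith(":"):
            port = int(tail[1:])
    elif addr.count(":") == 1:                         # v4:port
        addr, port_text = addr.split(":")
        port = int(port_text)
    return {"host": host or addr, "address": addr, "port": port}


def classify_upstream(name_server, protocol):
    """Encrypted transport or a public resolver address means 'forwarder'."""
    ns = parse_name_server(name_server)
    transport = ENCRYPTED.get((protocol or "").lower())
    if transport is None and ns["port"] == 853:
        transport = "DoT"
    forwarder = transport is not None or ns["address"] in PUBLIC_RESOLVERS
    return dict(ns, transport=transport or protocol,
                path="forwarder" if forwarder else "recursive")


def metadata_of(record):
    """Both shapes seen on the page: cache entries use responseMetadata with
    lowerCamel keys, DNS Client output uses Metadata with capitalised keys."""
    meta = record.get("responseMetadata") or record.get("Metadata") or {}
    return {"nameServer": meta.get("nameServer", meta.get("NameServer")),
            "protocol": meta.get("protocol", meta.get("Protocol"))}


def audit(records):
    """Group records by upstream address:port/protocol and give a verdict."""
    upstreams = {}
    for rec in records:
        meta = metadata_of(rec)
        if not meta["nameServer"]:
            continue              # locally served records carry no upstream
        info = classify_upstream(meta["nameServer"], meta["protocol"])
        key = "{}:{}/{}".format(info["address"], info["port"], meta["protocol"])
        entry = upstreams.setdefault(key, dict(info, count=0))
        entry["count"] += 1
    forwarders = sorted(k for k, v in upstreams.items() if v["path"] == "forwarder")
    return {"upstreams": upstreams, "forwarders": forwarders,
            "verdict": "forwarding" if forwarders else "recursive"}


def audit_json(text):
    data = json.loads(text)
    return audit(data if isinstance(data, list) else [data])


# Constructed sample modelled on the cache dump in the thread (keys shortened),
# plus one recursive entry and one locally served record.
SAMPLE_CACHE = """[
  {"name": "", "type": "DNSKEY", "ttl": "3110 (51 mins 50 sec)",
   "rData": {"flags": "ZoneKey", "protocol": 3, "algorithm": "RSASHA256",
             "publicKey": "AwEAAdSi...", "computedKeyTag": 20038},
   "dnssecStatus": "Secure",
   "responseMetadata": {"nameServer": "1.1.1.1:853", "protocol": "Tls",
                        "datagramSize": "936 bytes", "roundTripTime": "5.56 ms"}},
  {"name": "", "type": "DNSKEY", "ttl": "3110 (51 mins 50 sec)",
   "rData": {"flags": "SecureEntryPoint, ZoneKey", "protocol": 3,
             "algorithm": "RSASHA256", "publicKey": "AwEAAaz/...",
             "computedKeyTag": 20326},
   "dnssecStatus": "Secure",
   "responseMetadata": {"nameServer": "1.1.1.1:853", "protocol": "Tls",
                        "datagramSize": "936 bytes", "roundTripTime": "5.56 ms"}},
  {"name": "google.de", "type": "A", "ttl": "300 (5 mins)",
   "rData": {"ipAddress": "142.250.203.99"}, "dnssecStatus": "Disabled",
   "responseMetadata": {"nameServer": "ns4.google.com (216.239.38.10)",
                        "protocol": "Udp"}},
  {"name": "dns.example.net", "type": "A", "rData": {"ipAddress": "203.0.113.10"}}
]"""

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CACHE
    report = audit_json(text)
    for key, info in report["upstreams"].items():
        print("{:<36} {:<10} {:>3} records  {}".format(
            key, info["path"], info["count"], info["transport"]))
    print("verdict:", report["verdict"])
```

Save the cache view's JSON to a file and pass it as the first argument; a "forwarding" verdict listing 1.1.1.1:853/Tls is the condition the thread traced to the Advanced Forwarding app.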

ShreyasZare commented 1 month ago

Thanks for the details. Do you have the "Advanced Forwarding" DNS app installed by any chance? It's the only possible way that this could be occurring.

mcmufffin commented 1 month ago

Hi,

thanks again for the amazingly fast feedback.

Advanced Forwarding is indeed installed. And yup, that was the issue!

Thank you very much! Root DNS used now.

Curious: we did not install the app, but it was installed by default, just using the curl script.. This should not be the case, I assume?

ShreyasZare commented 1 month ago

You're welcome. Good to know that was causing the issue.

There is no provision to automatically install DNS apps either on install or during any process. The app can only be installed manually.

mcmufffin commented 1 month ago

Hi,

thanks for the input. I can certainly confirm that we did not install this in any way. Also, there are 3 other apps installed.

We never visited the appstore.

mcmufffin commented 1 month ago

Hi,

just spun up a dev environment. No apps.. Perhaps @TeaqariaWTF installed it.

Please excuse the confusion.

Thanks again for the help. Consider the situation resolved.

ShreyasZare commented 1 month ago

You're welcome. Yes, most probably someone on the team tried to check the apps earlier and forgot to remove them.