getdnsapi / stubby

Stubby is the name given to a mode of using getdns which enables it to act as a local DNS Privacy stub resolver (using DNS-over-TLS).
https://dnsprivacy.org/dns_privacy_daemon_-_stubby/
BSD 3-Clause "New" or "Revised" License

GETDNS_RESPSTATUS_NO_NAME #187

Closed mahdi-ln closed 3 years ago

mahdi-ln commented 5 years ago

When I directly connect to the internet:

> getdns_query -s @127.0.0.1 www.example.com
{
  "answer_type": GETDNS_NAMETYPE_DNS,
  "canonical_name": <bindata for www.example.com.>,
  "just_address_answers": [],
  "replies_full":
  [
     <bindata of 0x41d38102000100000000000003777777...>,
     <bindata of 0xc74e8102000100000000000003777777...>
  ],
  "replies_tree":
  [
    {
      "additional": [],
      "answer": [],
      "answer_type": GETDNS_NAMETYPE_DNS,
      "authority": [],
      "canonical_name": <bindata for www.example.com.>,
      "header":
      {
        "aa": 0,
        "ad": 0,
        "ancount": 0,
        "arcount": 0,
        "cd": 0,
        "id": 16851,
        "nscount": 0,
        "opcode": GETDNS_OPCODE_QUERY,
        "qdcount": 1,
        "qr": 1,
        "ra": 0,
        "rcode": GETDNS_RCODE_SERVFAIL,
        "rd": 1,
        "tc": 0,
        "z": 0
      },
      "question":
      {
        "qclass": GETDNS_RRCLASS_IN,
        "qname": <bindata for www.example.com.>,
        "qtype": GETDNS_RRTYPE_AAAA
      }
    },
    {
      "additional": [],
      "answer": [],
      "answer_type": GETDNS_NAMETYPE_DNS,
      "authority": [],
      "canonical_name": <bindata for www.example.com.>,
      "header":
      {
        "aa": 0,
        "ad": 0,
        "ancount": 0,
        "arcount": 0,
        "cd": 0,
        "id": 51022,
        "nscount": 0,
        "opcode": GETDNS_OPCODE_QUERY,
        "qdcount": 1,
        "qr": 1,
        "ra": 0,
        "rcode": GETDNS_RCODE_SERVFAIL,
        "rd": 1,
        "tc": 0,
        "z": 0
      },
      "question":
      {
        "qclass": GETDNS_RRCLASS_IN,
        "qname": <bindata for www.example.com.>,
        "qtype": GETDNS_RRTYPE_A
      }
    }
  ],
  "status": GETDNS_RESPSTATUS_NO_NAME
}

But when I connect through an encrypted tunnel (which also changes the IP country):

> getdns_query -s @127.0.0.1 www.example.com
{
  "answer_type": GETDNS_NAMETYPE_DNS,
  "canonical_name": <bindata for www.example.com.>,
  "just_address_answers":
  [
    {
      "address_data": <bindata for 2606:2800:220:1:248:1893:25c8:1946>,
      "address_type": <bindata of "IPv6">
    },
    {
      "address_data": <bindata for 93.184.216.34>,
      "address_type": <bindata of "IPv4">
    }
  ],
.
.
.
  "status": GETDNS_RESPSTATUS_GOOD
}

Can an ISP cause such a situation, or does the DNS server not cooperate with users from certain countries? (In stubby.yml I only enabled a server with tls_pubkey_pinset.)

saradickinson commented 4 years ago

It is possible that a resolver has a policy that selectively answers questions, most likely depending on the client IP address or origin ASN. It might also be possible that the DNS is intercepted to return a SERVFAIL if you are not using encrypted transport, but that seems unlikely for this query...

Do you see the same behaviour if you dig to the server directly, i.e. you do something like:

dig @ example.com
dig @8.8.8.8 example.com

As far as I know Google Public DNS (8.8.8.8) should answer from everywhere.
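The comparison suggested above (plain DNS to the pinned upstream, plain DNS to Google Public DNS, and DNS-over-TLS to the same upstream), written out as an added shell example that is not part of the original issue or of stubby. It assumes a BIND `dig` new enough to support `+tls` and `+tls-hostname` (9.18 or later), network access when the probes run, and that you pass the upstream address and its TLS auth name as arguments; the `rcode_of_dig` and `classify_dig` helpers are hypothetical names.

```shell
#!/bin/sh
# Added example (not from the issue): probe a name over several paths so a
# SERVFAIL can be attributed to resolver policy (every path to that resolver
# fails alike, Google answers) or to on-path interference (plain UDP to the
# upstream fails but DNS-over-TLS to the same upstream succeeds).

# Pull the RCODE out of dig's ";; ->>HEADER<<- opcode: QUERY, status: X, id: N"
# line. Prints NO_RESPONSE when no header was printed (timeout, refused).
rcode_of_dig() {
  st=$(sed -n 's/^;; ->>HEADER<<-.*status: \([A-Z]*\),.*/\1/p' | head -n 1)
  [ -n "$st" ] && printf '%s\n' "$st" || printf 'NO_RESPONSE\n'
}

# Classify one probe: ANSWERED when NOERROR carries answer records, else the
# RCODE. This mirrors the issue: NOERROR with ANSWER: 0 is not a usable reply.
classify_dig() {
  out=$(cat)
  rc=$(printf '%s\n' "$out" | rcode_of_dig)
  n=$(printf '%s\n' "$out" | sed -n 's/^;; flags:.*ANSWER: \([0-9]*\),.*/\1/p' | head -n 1)
  if [ "$rc" = "NOERROR" ] && [ "${n:-0}" -gt 0 ]; then
    printf 'ANSWERED\n'
  else
    printf '%s\n' "$rc"
  fi
}

# Run the three probes for A and AAAA (the two queries stubby sends).
# $1 = name, $2 = upstream resolver IP, $3 = upstream TLS auth name.
triage_name() {
  name=$1; upstream=$2; authname=$3
  for rrtype in A AAAA; do
    udp=$(dig +time=3 +tries=1 "@$upstream" "$name" "$rrtype" 2>/dev/null | classify_dig)
    google=$(dig +time=3 +tries=1 @8.8.8.8 "$name" "$rrtype" 2>/dev/null | classify_dig)
    tls=$(dig +time=3 +tries=1 +tls +tls-hostname="$authname" "@$upstream" "$name" "$rrtype" 2>/dev/null | classify_dig)
    printf '%-4s upstream/udp=%s upstream/tls=%s google/udp=%s\n' "$rrtype" "$udp" "$tls" "$google"
  done
}

# Only probe the network when invoked with arguments, e.g.
#   sh triage.sh www.example.com 198.51.100.1 dot.resolver.example
if [ $# -eq 3 ]; then
  triage_name "$1" "$2" "$3"
fi
```

Identical SERVFAILs on upstream/udp and upstream/tls with google/udp=ANSWERED point at a policy on that resolver; upstream/udp failing while upstream/tls answers points at something on the plain-DNS path.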

saradickinson commented 3 years ago

I'm reviewing old issues and am closing this now as there was no follow up to the response. Please re-open if needed.