pi-hole / docker-pi-hole

Pi-hole in a docker container
https://pi-hole.net

DNSSEC Loop/Timeout #642

Closed Bodenhaltung closed 2 years ago

Bodenhaltung commented 4 years ago

This is a: BUG

Details

I try to use pihole dnssec with a public, independent resolver with dnssec support.

pihole (localhost or internal ip doesn't matter):

dig @localhost un.resolve.bar

; <<>> DiG 9.16.4 <<>> @localhost un.resolve.bar
; (2 servers found)
;; global options: +cmd
;; connection timed out; no servers could be reached

pihole Log:

Jun 23 16:09:11 dnsmasq[893]: forwarded un.resolve.bar to 185.233.106.232    
Jun 23 16:09:11 dnsmasq[893]: dnssec-query[DS] resolve.bar to 185.233.106.232                                                               
Jun 23 16:09:11 dnsmasq[893]: dnssec-query[DS] resolve.bar to 185.233.106.232
Jun 23 16:09:11 dnsmasq[893]: dnssec-query[DS] resolve.bar to 185.233.106.232                                                               
[.. 45 times more ...]
Jun 23 16:09:17 dnsmasq[893]: query[A] un.resolve.bar from 172.18.0.1
Jun 23 16:09:17 dnsmasq[893]: dnssec retry to 185.233.106.232
Jun 23 16:09:18 dnsmasq[893]: query[A] pi.hole from 127.0.0.1
Jun 23 16:09:18 dnsmasq[893]: /etc/pihole/local.list pi.hole is 192.168.0.251
Jun 23 16:09:18 dnsmasq[893]: query[A] un.resolve.bar from 172.18.0.1
Jun 23 16:09:18 dnsmasq[893]: dnssec retry to 185.233.106.232
Jun 23 16:09:23 dnsmasq[893]: query[A] un.resolve.bar from 172.18.0.1
Jun 23 16:09:23 dnsmasq[893]: dnssec retry to 185.233.106.232
Jun 23 16:09:24 dnsmasq[893]: query[A] un.resolve.bar from 172.18.0.1
Jun 23 16:09:24 dnsmasq[893]: dnssec retry to 185.233.106.232

Related Issues

How to reproduce the issue

  1. Environment data

    • Operating System: ArchLinux
    • Hardware: RasPi 4B
    • Kernel Architecture:
    • Docker Install Info and version:
    • Software source: Official from docker-compose
    • Supplementary Software:
    • Hardware architecture: ARMv7
  2. docker-compose.yml contents, docker run shell command, or paste a screenshot of any UI based configuration of containers here

    version: "3"
    services:
      pihole:
        container_name: pihole
        image: pihole/pihole:latest
        # For DHCP it is recommended to remove these ports and instead add: network_mode: "host"
        ports:
          - "53:53/tcp"
          - "53:53/udp"
          - "67:67/udp"
          - "80:80/tcp"
          - "443:443/tcp"
        environment:
          TZ: 'Europe/Berlin'
          WEBPASSWORD: '*****'
          ServerIP: '192.168.0.251'
          DNSSEC: 'true'
          DNS1: '185.233.106.232'
          DNS2: '185.233.107.4'
        # Volumes store your data between container upgrades
        volumes:
          - '/root/pihole-etc-pihole/:/etc/pihole/'
          - '/root/pihole-etc-dnsmasq.d/:/etc/dnsmasq.d/'
          # run `touch ./var-log/pihole.log` first unless you like errors
          - '/root/pihole-var/pihole.log:/var/log/pihole.log'
        dns:
          - 127.0.0.1
        cap_add:
          - NET_ADMIN
        restart: unless-stopped
  3. any additional info to help reproduce

These common fixes didn't work for my issue

If the above debugging / fixes revealed any new information note it here. DNSSEC from the "other side" looks fine: https://dnssec-analyzer.verisignlabs.com/un.resolve.bar

Add any other debugging steps you've taken or theories on root cause that may help.

dschaper commented 4 years ago

It doesn't look like that upstream is responding?

dschaper@nanopi-r2s:~$ dig un.resolve.bar @185.223.106.232

; <<>> DiG 9.11.5-P4-5.1+deb10u1-Debian <<>> un.resolve.bar @185.223.106.232
;; global options: +cmd
;; connection timed out; no servers could be reached

Edit: Sorry, typo...

dschaper@nanopi-r2s:~$ dig +dnssec un.resolve.bar @185.233.106.232

; <<>> DiG 9.11.5-P4-5.1+deb10u1-Debian <<>> +dnssec un.resolve.bar @185.233.106.232
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30848
;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
;; QUESTION SECTION:
;un.resolve.bar.                        IN      A

;; ANSWER SECTION:
un.resolve.bar.         1800    IN      A       194.55.15.191
un.resolve.bar.         1800    IN      RRSIG   A 13 3 1800 20200702000000 20200611000000 27380 resolve.bar. h3cBZ1YSAE4DRXivsS8SpV5ez95ESmnJsjpUZLIA4RYM2H3BkhZiFZQG DGC8KhlVeb284TLNBrmp+g19S8ZnfA==

;; Query time: 167 msec
;; SERVER: 185.233.106.232#53(185.233.106.232)
;; WHEN: Tue Jun 23 18:25:53 UTC 2020
;; MSG SIZE  rcvd: 1669

Bodenhaltung commented 4 years ago

Is there an update on this?

dschaper commented 4 years ago

No, have you done any of the digs as shown in my reply?

Bodenhaltung commented 4 years ago

Oh, I didn't notice I had to do this...

root@56cc967fd69d:/# dig +dnssec un.resolve.bar @185.233.106.232

; <<>> DiG 9.10.3-P4-Debian <<>> +dnssec un.resolve.bar @185.233.106.232
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43364
;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
;; QUESTION SECTION:
;un.resolve.bar.                        IN      A

;; ANSWER SECTION:
un.resolve.bar.         1800    IN      A       194.55.15.191
un.resolve.bar.         1800    IN      RRSIG   A 13 3 1800 20200910000000 20200820000000 27380 resolve.bar. LuuKSvMcF7TxBBAHmQtRnWxyaCWvT0/RltexvU5//QG1J3i+lfVCO6Bp Xr5L4f2utHPRgtbq6k3IK/B3zPE2kA==

;; Query time: 30 msec
;; SERVER: 185.233.106.232#53(185.233.106.232)
;; WHEN: Wed Sep 02 21:23:16 CEST 2020
;; MSG SIZE  rcvd: 166

dschaper commented 4 years ago

Okay, run dig +dnssec +trace un.resolve.bar @185.233.106.232 and see if the full trace works, and then try the same when pointing to the Pi-hole DNS IP address.

Bodenhaltung commented 4 years ago

Both traces look good, but in the pihole logs I see:

Sep  2 22:07:04 dnsmasq[13479]: query[A] un.resolve.bar from 192.168.0.63      
Sep  2 22:07:04 dnsmasq[13479]: forwarded un.resolve.bar to 185.233.106.232    
Sep  2 22:07:04 dnsmasq[13479]: query[AAAA] un.resolve.bar from 192.168.0.63   
Sep  2 22:07:04 dnsmasq[13479]: forwarded un.resolve.bar to 185.233.106.232    
Sep  2 22:07:04 dnsmasq[13479]: dnssec-query[DS] bar to 185.233.106.232        
Sep  2 22:07:04 dnsmasq[13479]: dnssec-query[DS] bar to 185.233.106.232        
Sep  2 22:07:04 dnsmasq[13479]: reply bar is DS keytag 55406, algo 8, digest 1 
Sep  2 22:07:04 dnsmasq[13479]: reply bar is DS keytag 55406, algo 8, digest 2 
Sep  2 22:07:04 dnsmasq[13479]: dnssec-query[DS] resolve.bar to 185.233.106.232
Sep  2 22:07:04 dnsmasq[13479]: reply bar is DS keytag 55406, algo 8, digest 1 
Sep  2 22:07:04 dnsmasq[13479]: reply bar is DS keytag 55406, algo 8, digest 2 
Sep  2 22:07:04 dnsmasq[13479]: dnssec-query[DS] resolve.bar to 185.233.106.232
Sep  2 22:07:04 dnsmasq[13479]: dnssec-query[DS] resolve.bar to 185.233.106.232
Sep  2 22:07:04 dnsmasq[13479]: dnssec-query[DS] resolve.bar to 185.233.106.232
Sep  2 22:07:04 dnsmasq[13479]: dnssec-query[DS] resolve.bar to 185.233.106.232
Sep  2 22:07:04 dnsmasq[13479]: dnssec-query[DS] resolve.bar to 185.233.106.232
Sep  2 22:07:04 dnsmasq[13479]: dnssec-query[DS] resolve.bar to 185.233.106.232
Sep  2 22:07:04 dnsmasq[13479]: dnssec-query[DS] resolve.bar to 185.233.106.232
Sep  2 22:07:04 dnsmasq[13479]: dnssec-query[DS] resolve.bar to 185.233.106.232
Sep  2 22:07:04 dnsmasq[13479]: dnssec-query[DS] resolve.bar to 185.233.106.232
Sep  2 22:07:04 dnsmasq[13479]: dnssec-query[DS] resolve.bar to 185.233.106.232
Sep  2 22:07:04 dnsmasq[13479]: dnssec-query[DS] resolve.bar to 185.233.106.232
Sep  2 22:07:04 dnsmasq[13479]: dnssec-query[DS] resolve.bar to 185.233.106.232
Sep  2 22:07:04 dnsmasq[13479]: dnssec-query[DS] resolve.bar to 185.233.106.232
Sep  2 22:07:04 dnsmasq[13479]: dnssec-query[DS] resolve.bar to 185.233.106.232
Sep  2 22:07:04 dnsmasq[13479]: dnssec-query[DS] resolve.bar to 185.233.106.232
Sep  2 22:07:04 dnsmasq[13479]: dnssec-query[DS] resolve.bar to 185.233.106.232
Sep  2 22:07:04 dnsmasq[13479]: dnssec-query[DS] resolve.bar to 185.233.106.232
Sep  2 22:07:04 dnsmasq[13479]: dnssec-query[DS] resolve.bar to 185.233.106.232
Sep  2 22:07:04 dnsmasq[13479]: dnssec-query[DS] resolve.bar to 185.233.106.232
Sep  2 22:07:04 dnsmasq[13479]: dnssec-query[DS] resolve.bar to 185.233.106.232
Sep  2 22:07:04 dnsmasq[13479]: dnssec-query[DS] resolve.bar to 185.233.106.232
Sep  2 22:07:04 dnsmasq[13479]: dnssec-query[DS] resolve.bar to 185.233.106.232
Sep  2 22:07:04 dnsmasq[13479]: dnssec-query[DS] resolve.bar to 185.233.106.232
Sep  2 22:07:04 dnsmasq[13479]: dnssec-query[DS] resolve.bar to 185.233.106.232
Sep  2 22:07:04 dnsmasq[13479]: dnssec-query[DS] resolve.bar to 185.233.106.232
Sep  2 22:07:04 dnsmasq[13479]: dnssec-query[DS] resolve.bar to 185.233.106.232
Sep  2 22:07:04 dnsmasq[13479]: dnssec-query[DS] resolve.bar to 185.233.106.232
Sep  2 22:07:04 dnsmasq[13479]: dnssec-query[DS] resolve.bar to 185.233.106.232
Sep  2 22:07:04 dnsmasq[13479]: dnssec-query[DS] resolve.bar to 185.233.106.232
Sep  2 22:07:04 dnsmasq[13479]: dnssec-query[DS] resolve.bar to 185.233.106.232
Sep  2 22:07:04 dnsmasq[13479]: dnssec-query[DS] resolve.bar to 185.233.106.232
Sep  2 22:07:04 dnsmasq[13479]: dnssec-query[DS] resolve.bar to 185.233.106.232
Sep  2 22:07:04 dnsmasq[13479]: dnssec-query[DS] resolve.bar to 185.233.106.232
Sep  2 22:07:04 dnsmasq[13479]: dnssec-query[DS] resolve.bar to 185.233.106.232
Sep  2 22:07:04 dnsmasq[13479]: dnssec-query[DS] resolve.bar to 185.233.106.232
[...]
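The loop in the log above, as an added detection example that is not part of this issue or of Pi-hole's code: it parses dnsmasq's DNSSEC log lines and flags zones whose DS record was queried repeatedly without a logged DS reply (here resolve.bar, while bar was answered with keytag 55406, algo 8, matching the +trace output). The sample log is constructed to mirror the lines above; the regexes, threshold and function names are my own.

```python
import re
from collections import Counter

# Constructed sample in the dnsmasq log format seen in this issue (not a real capture):
# two DS queries for "bar" that get replies, then eight unanswered DS queries for "resolve.bar".
SAMPLE_LOG = """\
Sep  2 22:07:04 dnsmasq[13479]: query[A] un.resolve.bar from 192.168.0.63
Sep  2 22:07:04 dnsmasq[13479]: forwarded un.resolve.bar to 185.233.106.232
Sep  2 22:07:04 dnsmasq[13479]: dnssec-query[DS] bar to 185.233.106.232
Sep  2 22:07:04 dnsmasq[13479]: dnssec-query[DS] bar to 185.233.106.232
Sep  2 22:07:04 dnsmasq[13479]: reply bar is DS keytag 55406, algo 8, digest 1
Sep  2 22:07:04 dnsmasq[13479]: reply bar is DS keytag 55406, algo 8, digest 2
""" + "Sep  2 22:07:04 dnsmasq[13479]: dnssec-query[DS] resolve.bar to 185.233.106.232\n" * 8

# dnsmasq syslog prefix: "Mon dd HH:MM:SS dnsmasq[pid]: "
_PREFIX = r"^\w{3}\s+\d+ \d\d:\d\d:\d\d dnsmasq\[\d+\]: "
QUERY_RE = re.compile(_PREFIX + r"dnssec-query\[DS\] (?P<name>\S+) to (?P<upstream>\S+)")
REPLY_RE = re.compile(_PREFIX + r"reply (?P<name>\S+) is DS keytag (?P<keytag>\d+), algo (?P<algo>\d+)")

def find_ds_loops(log_text, threshold=5):
    """Return {(zone, upstream): query_count} for zones whose DS record dnsmasq
    asked for at least `threshold` times without ever logging a DS reply.
    A healthy validation logs one or two DS queries per zone followed by
    'reply <zone> is DS ...'; dozens of unanswered DS queries for one zone
    within the same second is the loop this issue reports."""
    queries = Counter()
    answered = set()
    for line in log_text.splitlines():
        m = QUERY_RE.match(line)
        if m:
            queries[(m["name"], m["upstream"])] += 1
            continue
        m = REPLY_RE.match(line)
        if m:
            answered.add(m["name"])
    return {k: n for k, n in queries.items() if n >= threshold and k[0] not in answered}

def ds_replies(log_text):
    """Return {zone: (keytag, algo)} for every DS reply dnsmasq logged, so the
    validated chain can be compared against 'dig +dnssec +trace' of the same name."""
    return {m["name"]: (int(m["keytag"]), int(m["algo"]))
            for m in (REPLY_RE.match(l) for l in log_text.splitlines()) if m}

if __name__ == "__main__":
    for (zone, upstream), n in find_ds_loops(SAMPLE_LOG).items():
        print(f"{zone}: {n} DS queries to {upstream}, no DS reply logged")
    print("DS replies seen:", ds_replies(SAMPLE_LOG))
```

Run it against /var/log/pihole.log (or the container's copy) instead of SAMPLE_LOG to see which zone's DS lookup the resolver is stuck on.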

Bodenhaltung commented 4 years ago

✔ 22:14:45 ~ $ dig +dnssec +trace un.resolve.bar @185.233.106.232

; <<>> DiG 9.16.6 <<>> +dnssec +trace un.resolve.bar @185.233.106.232
;; global options: +cmd
.           84229   IN  NS  c.root-servers.net.
.           84229   IN  NS  h.root-servers.net.
.           84229   IN  NS  l.root-servers.net.
.           84229   IN  NS  a.root-servers.net.
.           84229   IN  NS  k.root-servers.net.
.           84229   IN  NS  f.root-servers.net.
.           84229   IN  NS  m.root-servers.net.
.           84229   IN  NS  g.root-servers.net.
.           84229   IN  NS  i.root-servers.net.
.           84229   IN  NS  j.root-servers.net.
.           84229   IN  NS  b.root-servers.net.
.           84229   IN  NS  e.root-servers.net.
.           84229   IN  NS  d.root-servers.net.
.           84229   IN  RRSIG   NS 8 0 518400 20200915170000 20200902160000 46594 . MGYG9G0BoU6ytvmEYKzTALi6iMlIsKbaWrvvwu4eTn426i+X/6OOB7CJ yI1U5Y4Vm8UYYbTyuAP8mdmOUsS7yK688bvKTSt0chRLj/Eit6nzH084 9uuh7V4Sd1qO+M7wh1Q/dY2npmMWj7uprZVLyEeTntuP3Fr/bV2McS8Y +pScRkOmKgiZEd+kpbaFP2awdGSi4xCjaoME9Y7G1Odf5a2xYh2HXKPG 66rH3FHzYbsnvjx7FRpW0MCslRisRLH4SC33MiNRB+mUt37MQuULI+fg 2bCVwzsvYbtE/yOi9DcaV+vUvn5eAOm4VszY+7JA1cqC51xY1aDiD+Hn Qhuadg==
;; Received 525 bytes from 185.233.106.232#53(185.233.106.232) in 20 ms

bar.            172800  IN  NS  a.nic.bar.
bar.            172800  IN  NS  b.nic.bar.
bar.            172800  IN  NS  c.nic.bar.
bar.            172800  IN  NS  d.nic.bar.
bar.            86400   IN  DS  55406 8 1 EECF54C6DAB2CF3FA76EFFCE97B78F432050DA9E
bar.            86400   IN  DS  55406 8 2 8E8E102E6751DA62E354BD322C9BDD42C29BF6A413B29DA5BDC579E2 ED3C8DA1
bar.            86400   IN  RRSIG   DS 8 1 86400 20200915170000 20200902160000 46594 . DY1Os++rnt2SaykeLoocKX5fwjRxHZ+Azh8TZrL8CKFVpc4U/h/b5EtK +Z5jVgO5gvZUcuPXyhL8qezRwyh6TRgeyT7etRcOB3re4KSciIUUzaPN 3ruOiNjY0+36QEK3P6wFvaeiUVUf2h/5WZKgyVEu8Vhb1DODQ6EOipHy y0ql+kQhOUcg+ZEPoQsW+h/Kxu/k3nKmrTUHWntPfBIEXjsQVOaPuVor zF5dvXtKgp5f61V8IkD40JrNuAm5j5tydXuFYAsw2HpfSaLgN9lbTiOd /7m3P7ihrwxCKC1mQZIcAPFU757Sch+jhE5o7DXT8apDdVP+iKoVHy7j z5uBTA==
;; Received 658 bytes from 199.7.83.42#53(l.root-servers.net) in 20 ms

resolve.bar.        3600    IN  NS  ns1.dnshome.de.
resolve.bar.        3600    IN  NS  ns2.dnshome.de.
resolve.bar.        3600    IN  DS  27380 13 2 D2333D5719D46D2C25BD45386EF45E0486C3AEA27AD0F2B4C59ADD3B CF9D23EB
resolve.bar.        3600    IN  RRSIG   DS 8 2 3600 20200929040047 20200829225952 35845 bar. qO+zHnfo16+UebWMdmgNdXoOlw+BxL1F4a0SJtVDkrcUyaOlY/dZmfEm fw++c/G7slupNflG+93w3dpRSwvvCqk0rXzM/DjoEIWGCdrL5rXC2yMw LnEzb0u9XknL0OFr2sAbeSaMXmhyXSyolqyKt7VIuIwCqnHmFvkBQlm8 tVo=
;; Received 328 bytes from 212.18.248.56#53(c.nic.bar) in 36 ms

un.resolve.bar.     1800    IN  RRSIG   A 13 3 1800 20200910000000 20200820000000 27380 resolve.bar. LuuKSvMcF7TxBBAHmQtRnWxyaCWvT0/RltexvU5//QG1J3i+lfVCO6Bp Xr5L4f2utHPRgtbq6k3IK/B3zPE2kA==
un.resolve.bar.     1800    IN  A   194.55.15.191
;; Received 166 bytes from 185.233.107.4#53(ns2.dnshome.de) in 30 ms

And asking pihole:

✔ 22:14:51 ~ $ dig +dnssec +trace un.resolve.bar @192.168.0.251

; <<>> DiG 9.16.6 <<>> +dnssec +trace un.resolve.bar @192.168.0.251
;; global options: +cmd
.           84996   IN  NS  j.root-servers.net.
.           84996   IN  NS  d.root-servers.net.
.           84996   IN  NS  b.root-servers.net.
.           84996   IN  NS  e.root-servers.net.
.           84996   IN  NS  m.root-servers.net.
.           84996   IN  NS  l.root-servers.net.
.           84996   IN  NS  k.root-servers.net.
.           84996   IN  NS  i.root-servers.net.
.           84996   IN  NS  h.root-servers.net.
.           84996   IN  NS  f.root-servers.net.
.           84996   IN  NS  g.root-servers.net.
.           84996   IN  NS  a.root-servers.net.
.           84996   IN  NS  c.root-servers.net.
.           84996   IN  RRSIG   NS 8 0 518400 20200915170000 20200902160000 46594 . MGYG9G0BoU6ytvmEYKzTALi6iMlIsKbaWrvvwu4eTn426i+X/6OOB7CJ yI1U5Y4Vm8UYYbTyuAP8mdmOUsS7yK688bvKTSt0chRLj/Eit6nzH084 9uuh7V4Sd1qO+M7wh1Q/dY2npmMWj7uprZVLyEeTntuP3Fr/bV2McS8Y +pScRkOmKgiZEd+kpbaFP2awdGSi4xCjaoME9Y7G1Odf5a2xYh2HXKPG 66rH3FHzYbsnvjx7FRpW0MCslRisRLH4SC33MiNRB+mUt37MQuULI+fg 2bCVwzsvYbtE/yOi9DcaV+vUvn5eAOm4VszY+7JA1cqC51xY1aDiD+Hn Qhuadg==
;; Received 525 bytes from 192.168.0.251#53(192.168.0.251) in 33 ms

bar.            172800  IN  NS  a.nic.bar.
bar.            172800  IN  NS  b.nic.bar.
bar.            172800  IN  NS  c.nic.bar.
bar.            172800  IN  NS  d.nic.bar.
bar.            86400   IN  DS  55406 8 1 EECF54C6DAB2CF3FA76EFFCE97B78F432050DA9E
bar.            86400   IN  DS  55406 8 2 8E8E102E6751DA62E354BD322C9BDD42C29BF6A413B29DA5BDC579E2 ED3C8DA1
bar.            86400   IN  RRSIG   DS 8 1 86400 20200915170000 20200902160000 46594 . DY1Os++rnt2SaykeLoocKX5fwjRxHZ+Azh8TZrL8CKFVpc4U/h/b5EtK +Z5jVgO5gvZUcuPXyhL8qezRwyh6TRgeyT7etRcOB3re4KSciIUUzaPN 3ruOiNjY0+36QEK3P6wFvaeiUVUf2h/5WZKgyVEu8Vhb1DODQ6EOipHy y0ql+kQhOUcg+ZEPoQsW+h/Kxu/k3nKmrTUHWntPfBIEXjsQVOaPuVor zF5dvXtKgp5f61V8IkD40JrNuAm5j5tydXuFYAsw2HpfSaLgN9lbTiOd /7m3P7ihrwxCKC1mQZIcAPFU757Sch+jhE5o7DXT8apDdVP+iKoVHy7j z5uBTA==
;; Received 658 bytes from 192.58.128.30#53(j.root-servers.net) in 13 ms

resolve.bar.        3600    IN  NS  ns2.dnshome.de.
resolve.bar.        3600    IN  NS  ns1.dnshome.de.
resolve.bar.        3600    IN  DS  27380 13 2 D2333D5719D46D2C25BD45386EF45E0486C3AEA27AD0F2B4C59ADD3B CF9D23EB
resolve.bar.        3600    IN  RRSIG   DS 8 2 3600 20200929040047 20200829225952 35845 bar. qO+zHnfo16+UebWMdmgNdXoOlw+BxL1F4a0SJtVDkrcUyaOlY/dZmfEm fw++c/G7slupNflG+93w3dpRSwvvCqk0rXzM/DjoEIWGCdrL5rXC2yMw LnEzb0u9XknL0OFr2sAbeSaMXmhyXSyolqyKt7VIuIwCqnHmFvkBQlm8 tVo=
;; Received 328 bytes from 212.18.248.56#53(c.nic.bar) in 40 ms

un.resolve.bar.     1800    IN  A   194.55.15.191
un.resolve.bar.     1800    IN  RRSIG   A 13 3 1800 20200910000000 20200820000000 27380 resolve.bar. EODNWRAHcflAl6hoYoIY8RlmXoXNIErhahkgAy7epr0gbRd1VWkGOePR LPE4xFlwtUGKPTsPzedpgSL8stnHkg==
;; Received 166 bytes from 185.233.107.4#53(ns2.dnshome.de) in 26 ms

dschaper commented 4 years ago

Everything looks like it's working fine?

github-actions[bot] commented 2 years ago

This issue is stale because it has been open 30 days with no activity. Please comment or update this issue or it will be closed in 5 days.