qdm12 / dns

Docker DNS server on steroids to access DNS-over-TLS from Cloudflare, Google, Quad9, Quadrant or CleanBrowsing
https://hub.docker.com/r/qmcgaw/cloudflare-dns-server
MIT License

Resolution problem with some domains #108

Open belgotux opened 2 years ago

belgotux commented 2 years ago

Hello,

I've got some troubles with DNS resolution with your image. Example with fastmirror.pp.ua (Debian image or LibreOffice download). The Docker file is simple, one service for DoT and one with Pi-hole on top. I'm doing my tests inside my Pi-hole docker (easiest to install debug tools with apt). I send the DNS request directly to the DoT container with the image qmcgaw/dns. I've changed PROVIDERS: from 'cloudflare,quad9' to 'cloudflare' to simplify the test.

The test is reproducible, I've tried on a fresh VPS in another datacenter directly with the docker-compose file and got the same results.

My tests:

The output:

```
root@234060bb9e9c:/# kdig -d @1.1.1.1 +tls-ca +tls-host=cloudflare-dns.com  fastmirror.pp.ua
;; DEBUG: Querying for owner(fastmirror.pp.ua.), class(1), type(1), server(1.1.1.1), port(853), protocol(TCP)
;; DEBUG: TLS, imported 137 system certificates
;; DEBUG: TLS, received certificate hierarchy:
;; DEBUG:  #1, C=US,ST=California,L=San Francisco,O=Cloudflare\, Inc.,CN=cloudflare-dns.com
;; DEBUG:      SHA-256 PIN: RKlx+/Jwn2A+dVoU8gQWeRN2+2JxXcFkAczKfgU8OAI=
;; DEBUG:  #2, C=US,O=DigiCert Inc,CN=DigiCert TLS Hybrid ECC SHA384 2020 CA1
;; DEBUG:      SHA-256 PIN: e0IRz5Tio3GA1Xs4fUVWmH1xHDiH2dMbVtCBSkOIdqM=
;; DEBUG: TLS, skipping certificate PIN check
;; DEBUG: TLS, The certificate is trusted.
;; TLS session (TLS1.3)-(ECDHE-X25519)-(ECDSA-SECP256R1-SHA256)-(AES-256-GCM)
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 54904
;; Flags: qr rd ra; QUERY: 1; ANSWER: 1; AUTHORITY: 0; ADDITIONAL: 1

;; EDNS PSEUDOSECTION:
;; Version: 0; flags: ; UDP size: 1232 B; ext-rcode: NOERROR
;; PADDING: 403 B

;; QUESTION SECTION:
;; fastmirror.pp.ua.            IN      A

;; ANSWER SECTION:
fastmirror.pp.ua.       13578   IN      A       93.126.105.202

---------

root@234060bb9e9c:/# dig fastmirror.pp.ua @1.1.1.1

; <<>> DiG 9.11.5-P4-5.1+deb10u6-Debian <<>> fastmirror.pp.ua @1.1.1.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;fastmirror.pp.ua.              IN      A

;; ANSWER SECTION:
fastmirror.pp.ua.       12202   IN      A       93.126.105.202

;; Query time: 12 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; WHEN: Tue Mar 29 12:51:55 CEST 2022
;; MSG SIZE  rcvd: 61

-------------

root@234060bb9e9c:/# dig fastmirror.pp.ua @10.10.10.34

; <<>> DiG 9.11.5-P4-5.1+deb10u6-Debian <<>> fastmirror.pp.ua @10.10.10.34
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 11466
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;fastmirror.pp.ua.              IN      A

;; Query time: 0 msec
;; SERVER: 10.10.10.34#53(10.10.10.34)
;; WHEN: Tue Mar 29 12:53:11 CEST 2022
;; MSG SIZE  rcvd: 45

-----------

root@234060bb9e9c:/# dig perdu.com @10.10.10.34

; <<>> DiG 9.11.5-P4-5.1+deb10u6-Debian <<>> perdu.com @10.10.10.34
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46343
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;perdu.com.                     IN      A

;; ANSWER SECTION:
perdu.com.              9000    IN      A       208.97.177.124

;; Query time: 151 msec
;; SERVER: 10.10.10.34#53(10.10.10.34)
;; WHEN: Tue Mar 29 12:59:55 CEST 2022
;; MSG SIZE  rcvd: 54
```

The docker-compose:

```yaml
version: '3.7'

networks:
  dnsnet:
    driver: bridge
    ipam:
      driver: default
      config:
        - subnet: 10.10.10.32/29
  proxy-net:
    external: true

services:

  dot:
    image: qmcgaw/dns:latest
    container_name: pihole-unbound-DoT
    environment:
      #PROVIDERS: 'cloudflare,quad9'
      PROVIDERS: 'cloudflare'
      CACHING: 'off'
    networks:
      dnsnet:
        ipv4_address: 10.10.10.34
    restart: unless-stopped

  pihole:
    image: pihole/pihole:latest
    container_name: pihole
    environment:
      TZ: 'Europe/Paris'
      ADMIN_EMAIL: 'xxx@yyy.tld'
      WEBPASSWORD: 'tttttt'
      DNS1: 10.10.10.34
      DNS2: 10.10.10.34
      VIRTUAL_HOST: pihole.xxx.com
    depends_on:
      - dot
    networks:
      proxy-net:
      dnsnet:
          ipv4_address: 10.10.10.35
    restart: unless-stopped
```

qdm12 commented 2 years ago

Maybe try with qmcgaw/dns:v2.0.0-beta? The latest image based on Unbound will not be supported anymore quite soon.

qdm12 commented 2 years ago

Also maybe fastmirror.pp.ua is blocked. By default BLOCK_MALICIOUS=on so you might want to turn it off.

belgotux commented 2 years ago

Hello Quentin, thanks for your quick reply. Yes, it's blocking; I just tried with BLOCK_MALICIOUS='off'.

But the logs don't give any information about that; I just retried and only have this in the logs. Maybe something about the block needs to be added to the logs?

```
pihole-unbound-DoT | 2022/03/31 13:41:43 INFO [1648734103] unbound[18:0] debug: using localzone pp.ua. static
```

With the verbosity at max:

```yaml
VERBOSITY: 5
VERBOSITY_DETAILS: 4
```

http://fastmirror.pp.ua is a mirror for big open-source projects; how can I check this or open a pull request for it?

For the beta, I see that it works; is it not the same malicious link? dcdown and dcupd with both stable and beta with BLOCK_MALICIOUS: 'on', and the beta works unlike the stable.

```yaml
  dot:
    image: qmcgaw/dns:latest
    container_name: pihole-unbound-DoT
    environment:
      PROVIDERS: 'cloudflare'
      CACHING: 'off'
      BLOCK_MALICIOUS: 'on'
      VERBOSITY: 2
      VERBOSITY_DETAILS: 1
    networks:
      dnsnet:
        ipv4_address: 10.10.10.34
    restart: unless-stopped

  dot2:
    image: qmcgaw/dns:v2.0.0-beta
    container_name: pihole-unbound-DoT2
    environment:
      PROVIDERS: 'cloudflare'
      CACHING: 'off'
      BLOCK_MALICIOUS: 'on'
      VERBOSITY: 1
      VERBOSITY_DETAILS: 1
    networks:
      dnsnet:
        ipv4_address: 10.10.10.36
    restart: unless-stopped
```

```
root@9a19adbf2353:/# dig fastmirror.pp.ua @10.10.10.34

; <<>> DiG 9.11.5-P4-5.1+deb10u6-Debian <<>> fastmirror.pp.ua @10.10.10.34
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 57706
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;fastmirror.pp.ua.              IN      A

;; Query time: 43 msec
;; SERVER: 10.10.10.34#53(10.10.10.34)
;; WHEN: Thu Mar 31 16:11:53 CEST 2022
;; MSG SIZE  rcvd: 45

root@9a19adbf2353:/# dig fastmirror.pp.ua @10.10.10.36

; <<>> DiG 9.11.5-P4-5.1+deb10u6-Debian <<>> fastmirror.pp.ua @10.10.10.36
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55536
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;fastmirror.pp.ua.              IN      A

;; ANSWER SECTION:
fastmirror.pp.ua.       13535   IN      A       93.126.105.202

;; Query time: 17 msec
;; SERVER: 10.10.10.36#53(10.10.10.36)
;; WHEN: Thu Mar 31 16:11:56 CEST 2022
;; MSG SIZE  rcvd: 77
```

qdm12 commented 1 year ago

Sorry for the huge delay in answering. v2.0.0-beta is a totally different program really; it's coded from scratch and doesn't use Unbound. Maybe that was a bug back then? Try pulling the newer image? I also don't see fastmirror.pp.ua in https://raw.githubusercontent.com/qdm12/files/master/malicious-hostnames.updated so maybe it's no longer blocked 🤔

With the v2.0.0-beta image, you can also log all requests and/or responses using MIDDLEWARE_LOG_ENABLED=on with MIDDLEWARE_LOG_REQUESTS=on and MIDDLEWARE_LOG_RESPONSES=on if you want, and there is also #123 which could be fun to watch. There are also Prometheus metrics available although that is not PER domain.

EDIT: Also v2.0.0-beta is about to come out of beta and be the newer stable version.
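An added example, not code from qdm12/dns or from anyone in this thread, illustrating the two points the discussion turns on: the `using localzone pp.ua. static` log line means the blocklist entry is the parent zone `pp.ua`, so every name below it (including fastmirror.pp.ua) is answered NXDOMAIN, and such a locally blocked answer can be told apart from an upstream NXDOMAIN by its `aa` flag and empty AUTHORITY section, exactly as in the dig output above. The blocklist sample and dig excerpts are constructed, and the one-hostname-per-line format of the linked `malicious-hostnames.updated` file is an assumption.

```python
import re
from typing import Optional

# Constructed blocklist sample (made-up entries) in the assumed one-hostname-
# per-line format of the malicious-hostnames.updated file; the pp.ua entry
# mirrors the "using localzone pp.ua. static" log line from the thread.
SAMPLE_BLOCKLIST = "pp.ua\nevil.example\ntracker.bad.example\n"

# Constructed dig excerpts: the first mirrors the blocked answer in the thread.
BLOCKED_DIG = (";; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 11466\n"
               ";; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1\n")
UPSTREAM_NX_DIG = (";; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 7\n"
                   ";; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1\n")

def load_blocklist(text: str) -> set:
    """Parse one-hostname-per-line text into a normalised set of names."""
    return {line.strip().lower().rstrip(".")
            for line in text.splitlines()
            if line.strip() and not line.lstrip().startswith("#")}

def blocking_zone(qname: str, blocklist: set) -> Optional[str]:
    """Return the blocklist entry covering qname, or None if it is not blocked.
    Models Unbound 'local-zone <name> static': a listed name blocks itself and
    every name below it, which is why fastmirror.pp.ua is caught by pp.ua.
    The most specific (longest) matching suffix wins.
    """
    labels = qname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in blocklist:
            return candidate
    return None

_STATUS = re.compile(r"status: (\w+)")
_FLAGS = re.compile(r"flags: ([a-z ]+);")

def looks_locally_blocked(dig_output: str) -> bool:
    """Heuristic: NXDOMAIN with the aa flag and an empty AUTHORITY section.
    A forwarded upstream NXDOMAIN is not authoritative from the resolver's
    point of view and normally carries the zone SOA in AUTHORITY (RFC 2308);
    a static local zone answers authoritatively and empty, as in the thread.
    """
    status, flags = _STATUS.search(dig_output), _FLAGS.search(dig_output)
    if not status or not flags:
        return False
    return (status.group(1) == "NXDOMAIN"
            and "aa" in flags.group(1).split()
            and "AUTHORITY: 0" in dig_output)
```

To check a real blocklist, feed the downloaded file's text to `load_blocklist` and walk the suffixes of the failing name with `blocking_zone`; a hit on a parent zone means the whole zone is being blocked, not just the one host.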