qdm12 / dns

Docker DNS server on steroids to access DNS-over-TLS from Cloudflare, Google, Quad9, Quadrant or CleanBrowsing
https://hub.docker.com/r/qmcgaw/cloudflare-dns-server
MIT License
219 stars 37 forks

Inconsistent DNS responses #89

Closed kromit closed 2 years ago

kromit commented 2 years ago

Hello,

I am using docker image qmcgaw/cloudflare-dns-server for my private dns server.

When using an Android device, Google tries to validate the private DNS server, so it tries to resolve something like 2b9437c0-dnsotls-ds.metric.gstatic.com

Those DNS requests are getting inconsistent responses from the container.

Sometimes it is OK:

➜  ~ dig @10.5.0.3 2b9437c0-dnsotls-ds.metric.gstatic.com

; <<>> DiG 9.16.1-Ubuntu <<>> @10.5.0.3 2b9437c0-dnsotls-ds.metric.gstatic.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50264
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;2b9437c0-dnsotls-ds.metric.gstatic.com.        IN A

;; ANSWER SECTION:
2b9437c0-dnsotls-ds.metric.gstatic.com. 3359 IN A 142.250.186.99

;; Query time: 4 msec
;; SERVER: 10.5.0.3#53(10.5.0.3)
;; WHEN: Thu Sep 23 21:37:23 CEST 2021
;; MSG SIZE  rcvd: 83

Sometimes it is not:

➜  ~ dig @10.5.0.3 2b9437c0-dnsotls-ds.metric.gstatic.com

; <<>> DiG 9.16.1-Ubuntu <<>> @10.5.0.3 2b9437c0-dnsotls-ds.metric.gstatic.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 58061
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;2b9437c0-dnsotls-ds.metric.gstatic.com.        IN A

;; Query time: 0 msec
;; SERVER: 10.5.0.3#53(10.5.0.3)
;; WHEN: Thu Sep 23 21:37:22 CEST 2021
;; MSG SIZE  rcvd: 67

Using 1.1.1.1 directly always works.
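To spot this kind of flapping systematically rather than by eye, here is an added example (not code from the qdm12/dns project) that parses several saved dig captures and reports any name whose rcode differs between runs, noting whether an `aa` flag was seen. The two embedded captures are constructed from the outputs above, and the regexes assume dig's default text output.

```python
import re
from collections import defaultdict

# Constructed samples: the relevant lines of the two dig runs shown above.
SAMPLE_OK = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50264
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; QUESTION SECTION:
;2b9437c0-dnsotls-ds.metric.gstatic.com.        IN A
;; ANSWER SECTION:
2b9437c0-dnsotls-ds.metric.gstatic.com. 3359 IN A 142.250.186.99
"""
SAMPLE_NX = """;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 58061
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; QUESTION SECTION:
;2b9437c0-dnsotls-ds.metric.gstatic.com.        IN A
"""

STATUS_RE = re.compile(r"status: (\w+)")
FLAGS_RE = re.compile(r"^;; flags: ([a-z ]*);", re.M)
QUESTION_RE = re.compile(r"^;([^;\s]+)\s+IN\s+(\w+)", re.M)

def parse_dig(text):
    """Return (qname, qtype, rcode, flags) from one dig text capture."""
    status = STATUS_RE.search(text)
    flags = FLAGS_RE.search(text)
    question = QUESTION_RE.search(text)
    if not (status and flags and question):
        raise ValueError("not a dig answer section")
    qname, qtype = question.groups()
    return qname, qtype, status.group(1), set(flags.group(1).split())

def find_inconsistencies(captures):
    """Group captures by (name, type) and report those whose rcodes differ.
    'aa' on an answer is recorded too: the responder claims authority for
    the name, which a pure forwarder does not, so it hints that the reply
    was produced by the resolver itself rather than relayed from upstream."""
    by_q = defaultdict(list)
    for text in captures:
        qname, qtype, rcode, flags = parse_dig(text)
        by_q[(qname, qtype)].append((rcode, "aa" in flags))
    report = {}
    for key, answers in by_q.items():
        rcodes = {r for r, _ in answers}
        if len(rcodes) > 1:
            report[key] = {"rcodes": sorted(rcodes),
                           "aa_seen": any(aa for _, aa in answers)}
    return report

if __name__ == "__main__":
    print(find_inconsistencies([SAMPLE_OK, SAMPLE_NX, SAMPLE_OK]))
```

In practice you would feed it the output of repeated `dig` runs against the container; a consistent NXDOMAIN from one upstream and NOERROR from another is exactly the pattern a multi-provider forwarder produces.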

qdm12 commented 2 years ago

I'm not sure; it's likely an Unbound config issue. What DoT providers do you have set up? Only one or multiple?

You could also try qmcgaw/dns:v2.0.0-beta (see the v2.0.0-beta branch), which is my own implementation with a bunch of better things, although it's lacking DNSSEC validation for now (that's why it's in beta).

kromit commented 2 years ago

Thank you. I did not realize Quad9 was in the list. Removing it fixed the issue.