matsduf
commented
11 months ago Could you run both with --version?
Open ihavenonickname opened 11 months ago
matsduf
commented
11 months ago Could you run both with --version?
ihavenonickname
commented
11 months ago @matsduf
Container:
$ docker run -it --entrypoint=bash zonemaster-problem
┌──(root㉿deb4ec2b1f1b)-[/]
└─# zonemaster-cli --version
Zonemaster-CLI version v6.0.2
Zonemaster-Engine version v4.7.3
Zonemaster-LDNS version 3.2.0
NL NetLabs LDNS version 1.8.3Host:
$ zonemaster-cli --version
Zonemaster-CLI version v6.0.2
Zonemaster-Engine version v4.7.2
Zonemaster-LDNS version 3.2.0
NL NetLabs LDNS version 1.8.3My installations have the same versions:
$ zonemaster-cli --version
Zonemaster-CLI version v6.0.3
Zonemaster-Engine version v4.7.3
Zonemaster-LDNS version 3.2.0
NL NetLabs LDNS version 1.8.3docker run --platform linux/amd64 -t --rm zonemaster/cli --version
Zonemaster-CLI version v6.0.3
Zonemaster-Engine version v4.7.3
Zonemaster-LDNS version 3.2.0
NL NetLabs LDNS version 1.8.3When I test example.com I get the same result:
$ zonemaster-cli example.com --level WARNING
Seconds Level Testcase Message
======= ======== ============== =======
11.63 WARNING CONNECTIVITY03 All authoritative nameservers have their IPv4 addresses in the same AS (26710).
11.63 WARNING CONNECTIVITY03 All authoritative nameservers have their IPv6 addresses in the same AS (26710).$ docker run --platform linux/amd64 -t --rm zonemaster/cli --no-ipv6 example.com --level WARNING
Seconds Level Message
======= ======== =======
21.65 WARNING All authoritative nameservers have their IPv4 addresses in the same AS (26710).
21.65 WARNING All authoritative nameservers have their IPv6 addresses in the same AS (26710).I get the same error using the zonemaster/cli image:
$ docker run --platform linux/amd64 -t --rm zonemaster/cli example.com
Seconds Level Message
======= ======== =======
0.06 WARNING The parent zone cannot be determined on name servers "".
0.07 ERROR "example.com" does not exist as a DNS zone. Try to test "com" instead.
0.14 CRITICAL Not enough data about example.com was found to be able to run tests.I haven't changed anything network-related in either my docker installation or host machine. I have no clue about what is going on. Could you suggest something for me to investigate?
matsduf
commented
11 months ago Can you test some other domain, such as zonemaster.net?
The following two lines in your output look strange:
63.22 ERROR Nameserver a.iana-servers.net/199.43.135.53 is a recursor.
63.84 ERROR Nameserver b.iana-servers.net/199.43.133.53 is a recursor.Are you sure that your environment has full access and that 199.43.135.53 and 199.43.133.53 are not "hijacked"? Those two are not recursors when I test with dig:
; <<>> DiG 9.18.14 <<>> @199.43.135.53 xn--nameservertest.iis.se +noidnin +noidnout +noedns
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 51236
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available
;; QUESTION SECTION:
;xn--nameservertest.iis.se. IN A
;; Query time: 105 msec
;; SERVER: 199.43.135.53#53(199.43.135.53) (UDP)
;; WHEN: Sun Oct 08 08:57:28 UTC 2023
;; MSG SIZE rcvd: 43What version of the zonemaster/cli image did you use?
matsduf
commented
11 months ago Also the following look strange
40.89 WARNING Nameserver a.iana-servers.net has an IP address (199.43.135.53) without PTR configured.; <<>> DiG 9.18.14 <<>> -x 199.43.135.53 +noedns
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40759
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;53.135.43.199.in-addr.arpa. IN PTR
;; ANSWER SECTION:
53.135.43.199.in-addr.arpa. 232 IN PTR a.iana-servers.net.
;; Query time: 0 msec
;; SERVER: 172.31.0.2#53(172.31.0.2) (UDP)
;; WHEN: Sun Oct 08 09:02:54 UTC 2023
;; MSG SIZE rcvd: 76Can you test some other domain, such as zonemaster.net?
The container gives the same error output.
Host machine:
$ zonemaster-cli zonemaster.net --level WARNING
Seconds Level Message
======= ======== =======
40.21 WARNING Nameserver ns2.nic.fr has an IP address (192.93.0.4) without PTR configured.
56.29 WARNING Nameserver nsa.dnsnode.net has an IP address (194.58.192.46) without PTR configured.
56.95 WARNING Nameserver nsa.dnsnode.net has an IP address (2a01:3f1:46::53) without PTR configured.
57.45 WARNING Nameserver nsp.dnsnode.net has an IP address (194.58.198.32) without PTR configured.
58.28 WARNING Nameserver nsp.dnsnode.net has an IP address (2a01:3f1:3032::53) without PTR configured.
59.11 WARNING Nameserver nsu.dnsnode.net has an IP address (185.42.137.98) without PTR configured.
59.76 WARNING Nameserver nsu.dnsnode.net has an IP address (2a01:3f0:400::32) without PTR configured.
59.76 WARNING Nameserver ns2.nic.fr/192.93.0.4 responds with an unexpected RCODE (REFUSED) on an SOA query over UDP.
59.76 WARNING Nameserver ns2.nic.fr/192.93.0.4 responds with an unexpected RCODE (REFUSED) on an NS query over UDP.
59.77 WARNING Nameserver nsa.dnsnode.net/194.58.192.46 responds with an unexpected RCODE (REFUSED) on an SOA query over UDP.
59.77 WARNING Nameserver nsa.dnsnode.net/194.58.192.46 responds with an unexpected RCODE (REFUSED) on an NS query over UDP.
60.08 WARNING Nameserver nsp.dnsnode.net/194.58.198.32 responds with an unexpected RCODE (REFUSED) on an SOA query over UDP.
60.08 WARNING Nameserver nsp.dnsnode.net/194.58.198.32 responds with an unexpected RCODE (REFUSED) on an NS query over UDP.
60.28 WARNING Nameserver nsu.dnsnode.net/185.42.137.98 responds with an unexpected RCODE (REFUSED) on an SOA query over UDP.
60.28 WARNING Nameserver nsu.dnsnode.net/185.42.137.98 responds with an unexpected RCODE (REFUSED) on an NS query over UDP.
60.61 WARNING Nameserver ns2.nic.fr/192.93.0.4 responds with an unexpected RCODE (REFUSED) on an SOA query over TCP.
60.61 WARNING Nameserver ns2.nic.fr/192.93.0.4 responds with an unexpected RCODE (REFUSED) on an NS query over TCP.
61.73 WARNING Nameserver nsa.dnsnode.net/194.58.192.46 responds with an unexpected RCODE (REFUSED) on an SOA query over TCP.
61.73 WARNING Nameserver nsa.dnsnode.net/194.58.192.46 responds with an unexpected RCODE (REFUSED) on an NS query over TCP.
62.96 WARNING Nameserver nsp.dnsnode.net/194.58.198.32 responds with an unexpected RCODE (REFUSED) on an SOA query over TCP.
62.96 WARNING Nameserver nsp.dnsnode.net/194.58.198.32 responds with an unexpected RCODE (REFUSED) on an NS query over TCP.
63.67 WARNING Nameserver nsu.dnsnode.net/185.42.137.98 responds with an unexpected RCODE (REFUSED) on an SOA query over TCP.
63.67 WARNING Nameserver nsu.dnsnode.net/185.42.137.98 responds with an unexpected RCODE (REFUSED) on an NS query over TCP.
91.64 WARNING Nameserver ns2.nic.fr/192.93.0.4 response is not authoritative on UDP port 53.
91.64 WARNING Nameserver ns2.nic.fr/192.93.0.4 response is not authoritative on TCP port 53.
91.64 WARNING Nameserver nsa.dnsnode.net/194.58.192.46 response is not authoritative on UDP port 53.
91.64 WARNING Nameserver nsa.dnsnode.net/194.58.192.46 response is not authoritative on TCP port 53.
91.64 WARNING Nameserver nsp.dnsnode.net/194.58.198.32 response is not authoritative on UDP port 53.
91.64 WARNING Nameserver nsp.dnsnode.net/194.58.198.32 response is not authoritative on TCP port 53.
91.64 WARNING Nameserver nsu.dnsnode.net/185.42.137.98 response is not authoritative on UDP port 53.
91.64 WARNING Nameserver nsu.dnsnode.net/185.42.137.98 response is not authoritative on TCP port 53.
91.68 ERROR Nameserver ns2.nic.fr/192.93.0.4 is a recursor.
92.55 ERROR Nameserver nsa.dnsnode.net/194.58.192.46 is a recursor.
93.47 ERROR Nameserver nsp.dnsnode.net/194.58.198.32 is a recursor.
94.08 ERROR Nameserver nsu.dnsnode.net/185.42.137.98 is a recursor.
95.00 WARNING Erroneous response from nameserver ns2.nic.fr/192.93.0.4.
95.31 WARNING Erroneous response from nameserver nsa.dnsnode.net/194.58.192.46.
95.61 WARNING Erroneous response from nameserver nsp.dnsnode.net/194.58.198.32.
95.82 WARNING Erroneous response from nameserver nsu.dnsnode.net/185.42.137.98.
98.07 WARNING Nameserver ns2.nic.fr/192.93.0.4 answered A query with an unexpected rcode (REFUSED).
98.51 WARNING Nameserver nsa.dnsnode.net/194.58.192.46 answered A query with an unexpected rcode (REFUSED).
99.00 WARNING Nameserver nsp.dnsnode.net/194.58.198.32 answered A query with an unexpected rcode (REFUSED).
99.40 WARNING Nameserver nsu.dnsnode.net/185.42.137.98 answered A query with an unexpected rcode (REFUSED).
106.37 WARNING Erroneous response from nameserver ns2.nic.fr/192.93.0.4.
106.67 WARNING Erroneous response from nameserver nsa.dnsnode.net/194.58.192.46.
106.98 WARNING Erroneous response from nameserver nsp.dnsnode.net/194.58.198.32.
107.18 WARNING Erroneous response from nameserver nsu.dnsnode.net/185.42.137.98.
107.49 WARNING Erroneous response from nameserver ns2.nic.fr/192.93.0.4.
107.80 WARNING Erroneous response from nameserver nsa.dnsnode.net/194.58.192.46.
108.10 WARNING Erroneous response from nameserver nsp.dnsnode.net/194.58.198.32.
108.30 WARNING Erroneous response from nameserver nsu.dnsnode.net/185.42.137.98.
110.90 WARNING SOA MNAME name server "nsa.dnsnode.net/194.58.192.46" gives unexpected RCODE name ("REFUSED") in response to an SOA query. What version of the zonemaster/cli image did you use?
$ docker image ls | grep zonemaster
zonemaster/cli latest c26e0e08f16c 4 weeks ago 61.8MBAre you sure that your environment has full access
After installing Docker I ran
sudo usermod -aG docker $USERso that I wouldn't need sudoevery time.
Not sure if that could cause problems.
and that 199.43.135.53 and 199.43.133.53 are not "hijacked"?
Sorry, I don't know how to answer this question...
matsduf
commented
11 months ago Do you have access to some computer somewhere else where you can run zonemaster-cli?
Can you repeat the dig query
$ dig @192.93.0.4 zonemaster.net soa +mult +noedns +norecThe expected response is
; <<>> DiG 9.18.14 <<>> @192.93.0.4 zonemaster.net soa +mult +noedns +norec
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52154
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;zonemaster.net. IN SOA
;; ANSWER SECTION:
zonemaster.net. 3600 IN SOA nsa.dnsnode.net. hostmaster.nic.se. (
1696747200 ; serial
14400 ; refresh (4 hours)
3600 ; retry (1 hour)
2592000 ; expire (4 weeks 2 days)
600 ; minimum (10 minutes)
)
;; Query time: 29 msec
;; SERVER: 192.93.0.4#53(192.93.0.4) (UDP)
;; WHEN: Sun Oct 08 10:51:08 UTC 2023
;; MSG SIZE rcvd: 100Do you have access to some computer somewhere else where you can run zonemaster-cli?
I do. The computer I'm using is a Kali Linux laptop. I also have a Windows desktop with WSL:
$ neofetch
.-/+oossssoo+/-. someone@somewhere
`:+ssssssssssssssssss+:` ----------------------
-+ssssssssssssssssssyyssss+- OS: Ubuntu 20.04.6 LTS on Windows 10 x86_64
.ossssssssssssssssssdMMMNysssso. Kernel: 4.19.128-microsoft-standard
/ssssssssssshdmmNNmmyNMMMMhssssss/ Uptime: 25 mins
+ssssssssshmydMMMMMMMNddddyssssssss+ Packages: 1283 (dpkg)
/sssssssshNMMMyhhyyyyhmNMMMNhssssssss/ Shell: bash 5.0.17
.ssssssssdMMMNhsssssssssshNMMMdssssssss. Terminal: /dev/pts/0
+sssshhhyNMMNyssssssssssssyNMMMysssssss+ CPU: AMD Ryzen 5 3600 (12) @ 3.593GHz
ossyNMMMNyMMhsssssssssssssshmmmhssssssso GPU: bc01:00:00.0 Microsoft Corporation Device 008e
ossyNMMMNyMMhsssssssssssssshmmmhssssssso Memory: 98MiB / 12730MiB
+sssshhhyNMMNyssssssssssssyNMMMysssssss+
.ssssssssdMMMNhsssssssssshNMMMdssssssss.
/sssssssshNMMMyhhyyyyhdNMMMNhssssssss/
+sssssssssdmydMMMMMMMMddddyssssssss+
/ssssssssssshdmNNNNmyNMMMMhssssss/
.ossssssssssssssssssdMMMNysssso.
-+sssssssssssssssssyyyssss+-
`:+ssssssssssssssssss+:`
.-/+oossssoo+/-.When I run zonemaster-cli on the WSL system I get:
$ zonemaster-cli zonemaster.net
Seconds Level Message
======= ========= =======
0.15 CRITICAL Nameservers for "." provided no NS records for tested zone. RCODE given was REFUSED.
0.15 CRITICAL Not enough data about zonemaster.net was found to be able to run tests.
$ zonemaster-cli example.com
Seconds Level Message
======= ========= =======
0.14 CRITICAL Nameservers for "." provided no NS records for tested zone. RCODE given was REFUSED.
0.15 CRITICAL Not enough data about example.com was found to be able to run tests.Both the Windows desktop and the Kali laptop are connected to the same wifi network, if that matters.
Can you repeat the dig query
Kali laptop:
$ dig @192.93.0.4 zonemaster.net soa +mult +noedns +norec
; <<>> DiG 9.19.17-1-Debian <<>> @192.93.0.4 zonemaster.net soa +mult +noedns +norec
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 65395
;; flags: qr ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;zonemaster.net. IN SOA
;; Query time: 3 msec
;; SERVER: 192.93.0.4#53(192.93.0.4) (UDP)
;; WHEN: Sun Oct 08 22:31:56 -03 2023
;; MSG SIZE rcvd: 32Windows desktop WSL:
$ dig @192.93.0.4 zonemaster.net soa +mult +noedns +norec
; <<>> DiG 9.16.1-Ubuntu <<>> @192.93.0.4 zonemaster.net soa +mult +noedns +norec
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 12800
;; flags: qr ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;zonemaster.net. IN SOA
;; Query time: 10 msec
;; SERVER: 192.93.0.4#53(192.93.0.4)
;; WHEN: Sun Oct 08 22:40:56 -03 2023
;; MSG SIZE rcvd: 32I see that the output is not expected, but unfortunately I don't know how to interpret it.
matsduf
commented
11 months ago Real 192.93.0.4 would not refuse to respond to the query about zonemaster.net. My interpretation is that there is something in between your wifi network and Internet that captures all traffic to DNS (port 53) and that something returns the REFUSED. The operator of the network should know what is going on.
Maybe you can bring your laptop to somewhere where you can find a more open network. Try at a café, a shopping center or a friends home (a friend not using the same broadband solution as yours). If you get a response on the query to 192.93.0.4 similar to mine, then you can try zonemaster-cli again.
With my question on a computer somewhere else I meant something outside your local network, e.g. a virtual server on AWS. On AWS you can get a small VPS for free for a year. Such a VPS is more than enough for a small installation of Zonemaster. There are other providers that offer free or very cheap VPSs.
ihavenonickname
commented
11 months ago I'll give it a try as soon as I have the chance.
Given the following dockerfile:
When I build the image and run the container:
The output I see is:
When I run the same command directly on the host machine, zonemaster-cli gives the expected output: