
[384.11_2] New DNS errors in log

Discussion in 'Asuswrt-Merlin' started by RocketJSquirrel, May 21, 2019.

  1. RocketJSquirrel

    RocketJSquirrel Senior Member

    Since updating to 384.11, I've been seeing lots of DNS errors. I have enabled DNS-over-TLS, but don't really understand optimal setup. What happens with the other DNS server fields in the web GUI? Are they ignored? Not knowing what else to do with them, I've set them the same as my DoT servers. I'm using Cloudflare and Google for both IPv4 and v6.

    Anyway, here are a few of the log errors; just a sample, there are dozens. Can anyone clue me in to what I have misconfigured?

    May 20 13:46:15 dnsmasq[208]: Insecure DS reply received for d3a13n3.rootcanary.net, could be bad domain configuration or lack of DNSSEC support from upstream DNS servers
    May 20 16:45:23 dnsmasq[208]: Insecure DS reply received for 168.192.in-addr.arpa, could be bad domain configuration or lack of DNSSEC support from upstream DNS servers
    May 20 17:35:41 dnsmasq[208]: Insecure DS reply received for 10.in-addr.arpa, could be bad domain configuration or lack of DNSSEC support from upstream DNS servers
     
  2. ColinTaylor

    ColinTaylor Part of the Furniture

  3. Swistheater

    Swistheater Very Senior Member

    Yes, it has to do with using dnsmasq DNSSEC: it will not pass any DS and signing algorithms that your resolver does not validate, so it will create a SERVFAIL and the page will not load.

    This is due to the strictness of the "validate unsigned signatures" option.

    Some DNS servers are much more friendly with this than others.

    Google DoT vs Cloudflare DoT vs Quad9 DoT

    This was with Cloudflare DoT using DNSSEC via dnsmasq with the "Validate Unsigned signatures" option flagged.

    These were some of the logged responses from the test:
    Code:
    May  2 16:14:37 dnsmasq[21778]: Insecure DS reply received for d2a6n3.rootcanary.net, could be bad domain configuration or lack of DNSSEC support from upstream DNS servers
    May  2 16:14:37 dnsmasq[21778]: Insecure DS reply received for d1a3n1.rootcanary.net, could be bad domain configuration or lack of DNSSEC support from upstream DNS servers
    May  2 16:14:37 dnsmasq[21778]: Insecure DS reply received for d1a6n3.rootcanary.net, could be bad domain configuration or lack of DNSSEC support from upstream DNS servers
    May  2 16:14:37 dnsmasq[21778]: Insecure DS reply received for d3a6n3.rootcanary.net, could be bad domain configuration or lack of DNSSEC support from upstream DNS servers
    May  2 16:14:37 dnsmasq[21778]: Insecure DS reply received for d2a6n3.rootcanary.net, could be bad domain configuration or lack of DNSSEC support from upstream DNS servers
    May  2 16:14:37 dnsmasq[21778]: Insecure DS reply received for d3a3n1.rootcanary.net, could be bad domain configuration or lack of DNSSEC support from upstream DNS servers
    May  2 16:14:37 dnsmasq[21778]: Insecure DS reply received for d3a10n3.rootcanary.net, could be bad domain configuration or lack of DNSSEC support from upstream DNS servers
    May  2 16:14:37 dnsmasq[21778]: Insecure DS reply received for d3a3n1.rootcanary.net, could be bad domain configuration or lack of DNSSEC support from upstream DNS servers
    May  2 16:14:37 dnsmasq[21778]: Insecure DS reply received for d1a6n3.rootcanary.net, could be bad domain configuration or lack of DNSSEC support from upstream DNS servers
    May  2 16:14:37 dnsmasq[21778]: Insecure DS reply received for d1a3n1.rootcanary.net, could be bad domain configuration or lack of DNSSEC support from upstream DNS servers
    May  2 16:14:37 dnsmasq[21778]: Insecure DS reply received for d3a14n3.rootcanary.net, could be bad domain configuration or lack of DNSSEC support from upstream DNS servers
    May  2 16:14:37 dnsmasq[21778]: Insecure DS reply received for d3a5n1.rootcanary.net, could be bad domain configuration or lack of DNSSEC support from upstream DNS servers
    May  2 16:14:37 dnsmasq[21778]: Insecure DS reply received for d4a6n3.rootcanary.net, could be bad domain configuration or lack of DNSSEC support from upstream DNS servers
    May  2 16:14:37 dnsmasq[21778]: Insecure DS reply received for d3a5n1.rootcanary.net, could be bad domain configuration or lack of DNSSEC support from upstream DNS servers
    
    Notice the message "lack of DNSSEC support from upstream DNS servers".
     
    Last edited: May 21, 2019
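A small triage helper for the messages quoted above, added here as an illustration (it is not from the thread or from dnsmasq itself): it parses the "Insecure DS reply" lines and separates the RFC 1918 reverse zones (never signed in the public tree, so the message is expected) and the rootcanary.net DNSSEC test zones (built to fail on purpose for unsupported algorithms) from any other name that deserves a second look. The www.example.com line, the unrelated query line and the class labels are constructed assumptions.

```python
import re
from collections import Counter

# Shape of the dnsmasq message quoted in the thread (one or two spaces before the day).
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) dnsmasq\[(?P<pid>\d+)\]: "
    r"Insecure DS reply received for (?P<name>\S+), could be bad domain "
    r"configuration or lack of DNSSEC support from upstream DNS servers$"
)

# RFC 1918 reverse zones are unsigned by design, so this message is expected for them.
PRIVATE_REVERSE = ("10.in-addr.arpa", "168.192.in-addr.arpa") + tuple(
    f"{n}.172.in-addr.arpa" for n in range(16, 32)
)
# rootcanary.net is a DNSSEC algorithm test bed; failures there are the test working.
TEST_SUFFIXES = (".rootcanary.net",)

def classify(name):
    """Label a name as an expected failure or as one worth reviewing."""
    n = name.rstrip(".").lower()
    if any(n == z or n.endswith("." + z) for z in PRIVATE_REVERSE):
        return "private-reverse"
    if n.endswith(TEST_SUFFIXES):
        return "dnssec-test"
    return "review"

def parse_line(line):
    """Return a dict for an Insecure DS line, or None for any other log line."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    return {"ts": m["ts"], "pid": int(m["pid"]),
            "name": m["name"], "class": classify(m["name"])}

def triage(lines):
    """Count each class and list the distinct names that still need a look."""
    counts, review = Counter(), set()
    for rec in filter(None, map(parse_line, lines)):
        counts[rec["class"]] += 1
        if rec["class"] == "review":
            review.add(rec["name"])
    return counts, sorted(review)

# Constructed sample: lines from the posts above plus two made-up lines at the end.
SAMPLE_LOG = """\
May 20 13:46:15 dnsmasq[208]: Insecure DS reply received for d3a13n3.rootcanary.net, could be bad domain configuration or lack of DNSSEC support from upstream DNS servers
May 20 16:45:23 dnsmasq[208]: Insecure DS reply received for 168.192.in-addr.arpa, could be bad domain configuration or lack of DNSSEC support from upstream DNS servers
May 20 17:35:41 dnsmasq[208]: Insecure DS reply received for 10.in-addr.arpa, could be bad domain configuration or lack of DNSSEC support from upstream DNS servers
May  2 16:14:37 dnsmasq[21778]: Insecure DS reply received for d1a3n1.rootcanary.net, could be bad domain configuration or lack of DNSSEC support from upstream DNS servers
May 21 09:00:00 dnsmasq[208]: Insecure DS reply received for www.example.com, could be bad domain configuration or lack of DNSSEC support from upstream DNS servers
May 21 09:00:01 dnsmasq[208]: query[A] www.example.com from 192.168.1.10
""".splitlines()
```

Running `triage(SAMPLE_LOG)` on the sample leaves only www.example.com in the review list; the private reverse zones and the rootcanary.net names are counted as expected noise.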
  4. bbunge

    bbunge Very Senior Member

    When we had DNSSEC through stubby the error messages did not show and the system worked perfectly well. Folks were not worried about those "failures" as they were out of sight. Someone wanted the enhanced dnsmasq logging and now folks can worry over "errors" that don't really matter.
    Just my $0.02 worth.

  5. Swistheater

    Swistheater Very Senior Member

    Here are some tests I did using other methods:
    • Without DNSSEC
    • With dnsmasq DNSSEC without the option to validate unsigned signatures
    • With dnsmasq DNSSEC with the option to validate unsigned signatures
    • With DNSSEC via the stubby.yml option (for this option the GUI DNSSEC must be disabled and the .yml file needs to be configured using a stubby.postconf script)
    (Attachment: Test with DoT_Page_1.jpg)
    (Attachment: Test with DoT_Page_2.jpg)
     
  6. Swistheater

    Swistheater Very Senior Member

    I believe the issue with all the errors lies in the translation from DoT down to dnsmasq DNSSEC; if you just had a basic setup running with DNSSEC turned on, you don't see these errors. If DNSSEC is dealt with inside stubby.yml you do not have this translation issue either, because the DNSSEC is handled before it is passed back.