DNSSEC log


bluepoint

Very Senior Member
Are you getting this log using Cloudflare's DNS with DNSSEC support enabled?
dnsmasq[248]: Insecure DS reply received, do upstream DNS servers support DNSSEC?

I do, whenever my daughter-in-law goes to portal.chamberlain.edu. Together with the said log, the website comes up blank intermittently; sometimes it works, sometimes it doesn't. If DNSSEC support is disabled, the website comes up normally. What's weird is, when I tried another DNS (Quad9) with DNSSEC support enabled, it works perfectly and so it doesn't produce the log. So it seems the problem lies between the site (portal.chamberlain.edu), Cloudflare or Merlin's firmware's DNSSEC support implementation. However, I doubt if it's the firmware causing it, as the site works with Quad9's DNS.
Can someone please try and see if you can duplicate our experience?

RT-AC68P 384.6 B1 or even the Alphas with DNSSEC support enabled
DNS 1.1.1.1 or 1.0.0.1
Website: portal.chamberlain.edu
Browser: Edge or Safari
 

skeal

Part of the Furniture
Are you getting this log using Cloudflare's DNS with DNSSEC support enabled?
dnsmasq[248]: Insecure DS reply received, do upstream DNS servers support DNSSEC?

I do, whenever my daughter-in-law goes to portal.chamberlain.edu. Together with the said log, the website comes up blank intermittently; sometimes it works, sometimes it doesn't. If DNSSEC support is disabled, the website comes up normally. What's weird is, when I tried another DNS (Quad9) with DNSSEC support enabled, it works perfectly and so it doesn't produce the log. So it seems the problem lies between the site (portal.chamberlain.edu), Cloudflare or Merlin's firmware's DNSSEC support implementation. However, I doubt if it's the firmware causing it, as the site works with Quad9's DNS.
Can someone please try and see if you can duplicate our experience?

RT-AC68P 384.6 B1 or even the Alphas with DNSSEC support enabled
DNS 1.1.1.1 or 1.0.0.1
Website: portal.chamberlain.edu
Browser: Edge or Safari
I can confirm this but I have no clue why.
 

Mutzli

Very Senior Member
Do you have any reference that they fix it? Thank you all!

Update: BTW, I just tested and the problem is still there.:(
I don't show any DNSSEC entries in my log for the last week or so. I wonder if it depends on the location you're on. Maybe they are updating the servers or it has something to do with geo-routing.
 

bluepoint

Very Senior Member
I don't show any DNSSEC entries in my log for the last week or so. I wonder if it depends on the location you're on. Maybe they are updating the servers or it has something to do with geo-routing.
There will be a log if DNSSEC cannot render the site. Are you able to go to portal.chamberlain.edu? Right now, it's working for me and naturally there is no log.
 

Mutzli

Very Senior Member
There will be a log if DNSSEC cannot render the site. Are you able to go to portal.chamberlain.edu? Right now, it's working for me and naturally there is no log.
No, it loads an empty gray page and I do get a DNSSEC error: Jul 20 16:43:27 dnsmasq[28258]: Insecure DS reply received, do upstream DNS servers support DNSSEC?

I have not seen this in over a week. Maybe no one on this router tried to access a site that returned a DNSSEC error.
 

best.binoculars

New Around Here
I already did 4 days ago.
https://community.cloudflare.com/t/unable-to-reach-a-sub-site-from-chamberlain-edu/24637
At this time I don't know if there is a fix but the site has been working as of past 2 hours. I'll observe whole day and see if it stays.

The page you're trying to access loads some script from this CDN: cdn.ckeditor.com
The intermittent blank page is caused by a problem resolving this domain.

You can test it yourself: try blocking that domain (cdn.ckeditor.com), either by using an extension like uMatrix or by entering that domain in your HOST file or firewall. It will load an empty page.

Repeat the nslookup test the Cloudflare staff told you to do, use cdn.ckeditor.com
This time you'll see, cloudflare gives different address compared to 8.8.8.8

::EDIT::
Sorry forgot to mention, do the nslookup test when you have problem accessing the page.
When there's no problem, the nslookup will give the same address.
 

bluepoint

Very Senior Member
The page you're trying to access loads some script from this CDN: cdn.ckeditor.com
The intermittent blank page is caused by a problem resolving this domain.

You can test it yourself: try blocking that domain (cdn.ckeditor.com), either by using an extension like uMatrix or by entering that domain in your HOST file or firewall. It will load an empty page.

Repeat the nslookup test the Cloudflare staff told you to do, use cdn.ckeditor.com
This time you'll see, cloudflare gives different address compared to 8.8.8.8
Yes indeed, Cloudflare gives a different address than Google's.
Code:
PS C:\Users\> nslookup cdn.ckeditor.com 1.1.1.1
Server:  1dot1dot1dot1.cloudflare-dns.com
Address:  1.1.1.1
Non-authoritative answer:
Name:    d3vxtqk803u6i6.cloudfront.net
Addresses:  52.85.101.10
          52.85.101.76
          52.85.101.195
          52.85.101.207
Aliases:  cdn.ckeditor.com
PS C:\Users\> nslookup cdn.ckeditor.com 8.8.8.8
Server:  google-public-dns-a.google.com
Address:  8.8.8.8
Non-authoritative answer:
Name:    d3vxtqk803u6i6.cloudfront.net
Addresses:  13.33.35.192
          13.33.35.39
          13.33.35.44
          13.33.35.63
Aliases:  cdn.ckeditor.com
So who do you think I should report these to? But then again, why is it resolving when DNSSEC is disabled? Also, I checked nslookup using Quad9 and it resolves the same as Cloudflare's. I have a feeling that since it's a CDN, the IPs will vary; it so happens Cloudflare and Quad9 agree.
Code:
PS C:\Users\> nslookup cdn.ckeditor.com 9.9.9.9
Server:  dns.quad9.net
Address:  9.9.9.9
Non-authoritative answer:
Name:    d3vxtqk803u6i6.cloudfront.net
Addresses:  52.85.101.76
          52.85.101.10
          52.85.101.195
          52.85.101.207
Aliases:  cdn.ckeditor.com
 

john9527

Part of the Furniture
I have a feeling that since it's a CDN, the IPs will vary; it so happens Cloudflare and Quad9 agree.
Right...I'm using a DNSCrypt server that supports DNSSEC and it resolves to yet another address for me. The edu portal loads fine for me.
Code:
nslookup cdn.ckeditor.com 192.168.1.1
Server:  router.asus.com
Address:  192.168.1.1

Non-authoritative answer:
Name:    d3vxtqk803u6i6.cloudfront.net
Addresses:  54.192.151.91
          54.192.151.108
          54.192.151.39
          54.192.151.57
Aliases:  cdn.ckeditor.com
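
The comparison made by hand in the posts above, as an added example that is not part of any post: it parses Windows-style nslookup output and separates "resolvers disagree on the canonical name" from "same canonical name, different address sets", which is the CDN case discussed here. The sample text is abridged from the outputs posted in this thread; `parse_nslookup` and `compare` are names chosen for this example.

```python
import ipaddress
import re

# Sample input abridged from the nslookup output posted in this thread
# (two of the four addresses per resolver), in the Windows nslookup layout.
LAYOUT = ("Server:  {srv}\nAddress:  {ip}\n\nNon-authoritative answer:\n"
          "Name:    d3vxtqk803u6i6.cloudfront.net\nAddresses:  {a}\n"
          "          {b}\nAliases:  cdn.ckeditor.com\n")
SAMPLES = {
    "1.1.1.1": LAYOUT.format(srv="1dot1dot1dot1.cloudflare-dns.com", ip="1.1.1.1",
                             a="52.85.101.10", b="52.85.101.76"),
    "8.8.8.8": LAYOUT.format(srv="google-public-dns-a.google.com", ip="8.8.8.8",
                             a="13.33.35.192", b="13.33.35.39"),
    "9.9.9.9": LAYOUT.format(srv="dns.quad9.net", ip="9.9.9.9",
                             a="52.85.101.76", b="52.85.101.10"),
}

def parse_nslookup(text):
    """Return (canonical name, frozenset of addresses, aliases) from the answer section."""
    # Drop everything before the answer so the resolver's own Address line is ignored.
    answer = text.split("Non-authoritative answer:", 1)[-1]
    name, addrs, aliases, field = None, set(), [], None
    for line in answer.splitlines():
        m = re.match(r"(Name|Address(?:es)?|Aliases):\s*(\S*)", line)
        if m:
            field, value = m.groups()
        elif field and line[:1].isspace() and line.strip():
            value = line.strip()          # continuation line of a multi-value field
        else:
            field = None
            continue
        if field == "Name":
            name = value.lower().rstrip(".")
        elif field == "Aliases":
            aliases.append(value.lower())
        elif value:
            addrs.add(ipaddress.ip_address(value))  # rejects anything that is not an IP
    return name, frozenset(addrs), aliases

def compare(samples):
    """Group resolvers by address set and classify how their answers differ."""
    parsed = {r: parse_nslookup(t) for r, t in samples.items()}
    groups = {}
    for resolver, (_, addrs, _) in parsed.items():
        groups.setdefault(addrs, []).append(resolver)   # order of addresses is ignored
    if len({name for name, _, _ in parsed.values()}) > 1:
        verdict = "different-canonical-name"
    elif len(groups) > 1:
        verdict = "same-canonical-name-different-addresses"
    else:
        verdict = "identical"
    return verdict, sorted(sorted(g) for g in groups.values())
```

On the sample, 1.1.1.1 and 9.9.9.9 fall into one group and 8.8.8.8 into another, all with the same canonical name.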
 

best.binoculars

New Around Here
So who do you think I should report these to?

I don't think you can do much about it, whomever you report to will blame the other party.

IMHO, a DNS resolver should resolve all domain without any problem. I wouldn't use a resolver that breaks access to certain domain or CDN.
 

bluepoint

Very Senior Member
IMHO, a DNS resolver should resolve all domain without any problem. I wouldn't use a resolver that breaks access to certain domain or CDN.
In a sense it's true that a DNS resolver must not break access to any sites; however, unexpected problems sometimes show their ugly heads. As a user who experiences a problem, I'd like them to know so they can fix the problem not only for me but for everybody.
Cloudflare's DNS is fast and guarantees privacy;) if you believe them.:rolleyes::D

Code:
We will never log your IP address (the way other companies identify you). And we’re not just saying that. We’ve retained KPMG to audit our systems annually to ensure that we're doing what we say.

Frankly, we don’t want to know what you do on the Internet—it’s none of our business—and we’ve taken the technical steps to ensure we can’t.
https://1.1.1.1/

At this time the edu portal is still resolving for me, maybe somebody has fixed it. Let's see in the next coming days.
 

INeedYou

New Around Here
In a sense it's true that a DNS resolver must not break access to any sites; however, unexpected problems sometimes show their ugly heads. As a user who experiences a problem, I'd like them to know so they can fix the problem not only for me but for everybody.
Cloudflare's DNS is fast and guarantees privacy;) if you believe them.:rolleyes::D

Code:
We will never log your IP address (the way other companies identify you). And we’re not just saying that. We’ve retained KPMG to audit our systems annually to ensure that we're doing what we say.

Frankly, we don’t want to know what you do on the Internet—it’s none of our business—and we’ve taken the technical steps to ensure we can’t.
https://1.1.1.1/

At this time the edu portal is still resolving for me, maybe somebody has fixed it. Let's see in the next coming days.

 

Flitzjoy

Occasional Visitor
Regarding those logs I complain about them since alpha version with the new dnsmasq.

Already tried Google, CloudFlare and Quad9 DNSs (always disabling my router IP as additional DNS) and as a network newbie I believe when they said it supports the feature.

My basic test case is to check the status in this website after clearing the Windows and Chrome DNS caches. I've got positive for those 3 providers and negative when using my ISP DNS. (So again I believe it's working).

Anyway the log entry keeps popping in my System Logs but as it doesn't affect in anything my performance I learned to ignore it.

Another side effect of this configuration is Internet showed as disconnect in network map even working normally.
 

Treadler

Very Senior Member
I have trialled both Quad9, & Cloudflare.
DNSSEC support > yes, DNS rebind protection > yes.
Cloudflare results in log messages “do upstream servers support DNSSEC”.
Quad9 though, is fine, no errors.

Looks like Cloudflare has a problem......
 

Flitzjoy

Occasional Visitor
Hummm.... just saw that system log on boot
"
Jul 26 20:04:33 dnsmasq[4213]: using nameserver 200.204.0.138#53
Jul 26 20:04:33 dnsmasq[4213]: using nameserver 200.204.0.10#53
"
those are my ISP DNS, not the one specified in Lan -> DHCP Server.

I'm missing something?
 

kfp

Very Senior Member
Hummm.... just saw that system log on boot
"
Jul 26 20:04:33 dnsmasq[4213]: using nameserver 200.204.0.138#53
Jul 26 20:04:33 dnsmasq[4213]: using nameserver 200.204.0.10#53
"
those are my ISP DNS, not the one specified in Lan -> DHCP Server.

I'm missing something?

WAN > WAN DNS Setting > No
then put whatever you want there

the settings on the DHCP page is just the server IPs pushed to clients via DHCP, not what dnsmasq would forward to
 

Treadler

Very Senior Member
Hummm.... just saw that system log on boot
"
Jul 26 20:04:33 dnsmasq[4213]: using nameserver 200.204.0.138#53
Jul 26 20:04:33 dnsmasq[4213]: using nameserver 200.204.0.10#53
"
those are my ISP DNS, not the one specified in Lan -> DHCP Server.

I'm missing something?

Go to AiProtect>DNS Filtering>turn on & select ‘router’, (leave the DNS fields blank).
That forces all DNS to be directed to your router, & your chosen servers.
Worked for me.........

(DNS in LAN>DHCP should be blank. Enter your chosen servers in WAN. & IPv6 if needed).
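
The point made in the last few posts, that dnsmasq forwards to the servers it announces with "using nameserver" rather than to the ones on the DHCP page, can be checked from the system log. The following is an added example, not part of any post: it attributes each "Insecure DS reply received" warning to the upstream servers the same dnsmasq process most recently announced. The log sample is constructed in the format of the lines quoted in this thread, and the function name is chosen for this example.

```python
import re
from collections import defaultdict

# Constructed syslog sample in the format of the lines quoted in this thread;
# the second PID, the times and the pairing of warnings with servers are made up.
LOG = """\
Jul 26 20:04:33 dnsmasq[4213]: using nameserver 200.204.0.138#53
Jul 26 20:04:33 dnsmasq[4213]: using nameserver 200.204.0.10#53
Jul 26 20:09:12 dnsmasq[4213]: Insecure DS reply received, do upstream DNS servers support DNSSEC?
Jul 26 21:15:02 dnsmasq[4390]: using nameserver 1.1.1.1#53
Jul 26 21:15:02 dnsmasq[4390]: using nameserver 1.0.0.1#53
Jul 26 21:40:51 dnsmasq[4390]: Insecure DS reply received, do upstream DNS servers support DNSSEC?
Jul 26 21:40:52 dnsmasq[4390]: Insecure DS reply received, do upstream DNS servers support DNSSEC?
"""

LINE = re.compile(r"^\w{3}\s+\d+ [\d:]{8} dnsmasq\[(\d+)\]: (.*)$")
NAMESERVER = re.compile(r"^using nameserver (\S+?)#\d+")
WARNING = "Insecure DS reply received"

def dnssec_warnings_by_upstream(log):
    """Count DNSSEC warnings per set of upstream servers in use when they were logged."""
    upstreams = {}      # pid -> servers from the most recent "using nameserver" batch
    in_batch = set()    # pids whose previous line was a "using nameserver" line
    counts = defaultdict(int)
    for raw in log.splitlines():
        m = LINE.match(raw)
        if not m:
            continue                      # not a dnsmasq line
        pid, msg = m.groups()
        ns = NAMESERVER.match(msg)
        if ns:
            if pid not in in_batch:       # a new batch replaces the previous server list
                upstreams[pid] = []
                in_batch.add(pid)
            upstreams[pid].append(ns.group(1))
            continue
        in_batch.discard(pid)
        if msg.startswith(WARNING):
            # "unknown" when the log starts after the servers were announced
            counts[tuple(upstreams.get(pid, ["unknown"]))] += 1
    return dict(counts)

if __name__ == "__main__":
    for servers, n in dnssec_warnings_by_upstream(LOG).items():
        print(n, "warning(s) while forwarding to", ", ".join(servers))
```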
 