
Some DNS lookups failing on the router with DNSSEC on

Discussion in 'Asuswrt-Merlin' started by grifo, May 26, 2019.


    grifo Occasional Visitor

    Joined:
    Jun 9, 2017
    Messages:
    39
    I have an RT-AC87U running 384.11.2, using Cloudflare's DNS servers with strict mode DNS-over-TLS and DNSSEC turned on.

    A few days ago I noticed that my 87U can't resolve checkip.amazonaws.com, which is the primary server that my router's DDNS script uses to get its external IP in my double NAT setup. I only noticed it because I installed uiDivStats (using Diversion Lite v4.1.0) and it showed as many DNS requests for ipv4.myip.dk (the backup server that the script uses only if the primary fails) as for checkip.amazonaws.com, so I don't know how long this has been happening; I've used DNSSEC for a while.

    The lookup fails on the router but it succeeds on my laptop on the LAN using the router as its DNS server. It looks like the reason is that the answer is too long for UDP; note the ";; Truncated, retrying in TCP mode" from my laptop, which falls back to TCP and succeeds, while the router doesn't and fails. If I turn off DNSSEC the router can resolve it too. How can I make this work on the router with DNSSEC turned on?

    Router with DNSSEC turned on:
    Code:
    [email protected]:/tmp/home/root# nslookup checkip.amazonaws.com
    Server:    127.0.0.1
    Address 1: 127.0.0.1 localhost.localdomain
    
    nslookup: can't resolve 'checkip.amazonaws.com'
    [email protected]:/tmp/home/root# nslookup ipv4.myip.dk
    Server:    127.0.0.1
    Address 1: 127.0.0.1 localhost.localdomain
    
    Name:      ipv4.myip.dk
    Address 1: 104.28.7.4
    Address 2: 104.28.6.4
    [email protected]:/tmp/home/root#
    Router with DNSSEC turned off:
    Code:
    [email protected]:/tmp/home/root# nslookup checkip.amazonaws.com
    Server:    127.0.0.1
    Address 1: 127.0.0.1 localhost.localdomain
    
    Name:      checkip.amazonaws.com
    
    Address 1: 52.6.79.229 ec2-52-6-79-229.compute-1.amazonaws.com
    Address 2: 34.233.102.38 ec2-34-233-102-38.compute-1.amazonaws.com
    Address 3: 18.211.215.84 ec2-18-211-215-84.compute-1.amazonaws.com
    Address 4: 52.206.161.133 ec2-52-206-161-133.compute-1.amazonaws.com
    Address 5: 52.202.139.131 ec2-52-202-139-131.compute-1.amazonaws.com
    Address 6: 52.200.125.74 ec2-52-200-125-74.compute-1.amazonaws.com
    [email protected]:/tmp/home/root#
    Laptop with DNSSEC turned on on the router:
    Code:
    [[email protected] ~]$ nslookup checkip.amazonaws.com
    ;; Truncated, retrying in TCP mode.
    Server:        [my router's LAN IP]
    Address:    [my router's LAN IP]#53
    
    Non-authoritative answer:
    checkip.amazonaws.com    canonical name = checkip.check-ip.aws.a2z.com.
    checkip.check-ip.aws.a2z.com    canonical name = checkip.us-east-1.prod.check-ip.aws.a2z.com.
    Name:    checkip.us-east-1.prod.check-ip.aws.a2z.com
    Address: 52.202.139.131
    Name:    checkip.us-east-1.prod.check-ip.aws.a2z.com
    Address: 52.200.125.74
    Name:    checkip.us-east-1.prod.check-ip.aws.a2z.com
    Address: 52.6.79.229
    Name:    checkip.us-east-1.prod.check-ip.aws.a2z.com
    Address: 34.233.102.38
    Name:    checkip.us-east-1.prod.check-ip.aws.a2z.com
    Address: 18.211.215.84
    Name:    checkip.us-east-1.prod.check-ip.aws.a2z.com
    Address: 52.206.161.133
    
    [[email protected] ~]$
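The behaviour the post describes (a DNSSEC-enabled answer that no longer fits in a UDP datagram, so the server sets the TC bit and a client that does not retry over TCP reports "can't resolve") can be modelled without touching the network. The following is an added example written for this page, not code from the original post, from Asuswrt-Merlin or from busybox's nslookup. It builds a real wire-format A query with an EDNS0 OPT record and the DO bit, parses the response header for the TC and AD flags, and retries over a TCP transport when TC is set. The two transports `fake_udp` and `fake_tcp` are constructed stand-ins whose truncation rule (truncate only when DNSSEC is requested) is an assumption chosen to mirror the symptom in the post; the six A records are the addresses shown in the DNSSEC-off output above and are used only as sample data.

```python
"""DNS UDP-truncation / TCP-fallback logic, with constructed transports.

Added example for illustration; the fake_udp/fake_tcp servers and their
truncation rule are assumptions, not a capture of any real resolver.
"""
import struct

QTYPE_A = 1
QCLASS_IN = 1
TYPE_OPT = 41
DO_BIT = 0x8000          # DNSSEC OK, high bit of the OPT record's 16-bit flags
FLAG_QR, FLAG_TC, FLAG_AD = 0x8000, 0x0200, 0x0020

# Sample data taken from the DNSSEC-off output in the post (constructed reuse).
SAMPLE_IPS = ["52.6.79.229", "34.233.102.38", "18.211.215.84",
              "52.206.161.133", "52.202.139.131", "52.200.125.74"]


def encode_name(name):
    """Encode a dotted hostname as DNS wire-format labels."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii")
                   for l in name.rstrip(".").split("."))
    return out + b"\x00"


def build_query(name, qid=0x1234, dnssec=True, udp_size=4096):
    """Build an A query; with dnssec=True append an EDNS0 OPT RR with DO set."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1 if dnssec else 0)
    question = encode_name(name) + struct.pack("!HH", QTYPE_A, QCLASS_IN)
    opt = b""
    if dnssec:
        # OPT pseudo-RR: root name, TYPE=41, CLASS=advertised UDP payload size,
        # TTL field = ext-RCODE | version | flags (DO bit), RDLENGTH=0.
        opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_size, DO_BIT, 0)
    return header + question + opt


def parse_header(msg):
    """Return the header fields that drive the fallback decision."""
    if len(msg) < 12:
        raise ValueError("message shorter than a DNS header")
    qid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": qid, "qr": bool(flags & FLAG_QR), "tc": bool(flags & FLAG_TC),
            "ad": bool(flags & FLAG_AD), "rcode": flags & 0x000F, "ancount": an}


def tcp_frame(msg):
    """Prefix a DNS message with its 2-byte big-endian length for TCP (RFC 1035)."""
    return struct.pack("!H", len(msg)) + msg


def resolve(name, udp_send, tcp_send, dnssec=True):
    """UDP first; if the reply has TC set, repeat the identical query over TCP.

    udp_send/tcp_send take the raw query and return the raw reply (tcp_send
    without the length prefix). Returns (parsed_header, transport_used).
    """
    query = build_query(name, dnssec=dnssec)
    hdr = parse_header(udp_send(query))
    if not hdr["tc"]:
        return hdr, "udp"
    # A client that stops here behaves like the router in the post. The correct
    # move is to re-send over TCP, where the message may be up to 64 KiB.
    return parse_header(tcp_send(query)), "tcp"


def _question_end(msg):
    """Offset just past the question section of a single-question message."""
    i = 12
    while msg[i] != 0:
        i += msg[i] + 1
    return i + 1 + 4


def make_response(query, answers, truncated=False, ad=False):
    """Constructed reply: echo the question, append A records (none if truncated)."""
    qid = struct.unpack("!H", query[:2])[0]
    flags = 0x8180 | (FLAG_AD if ad else 0) | (FLAG_TC if truncated else 0)
    rrs = [] if truncated else answers
    body = query[12:_question_end(query)]
    for ip in rrs:
        body += (b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, 60, 4)
                 + bytes(int(o) for o in ip.split(".")))
    return struct.pack("!HHHHHH", qid, flags, 1, len(rrs), 0, 0) + body


def _dnssec_requested(query):
    return struct.unpack("!H", query[10:12])[0] > 0   # ARCOUNT > 0 => OPT present


def fake_udp(query):
    """Assumed server behaviour: a signed answer exceeds the UDP budget, so TC is set."""
    signed = _dnssec_requested(query)
    return make_response(query, SAMPLE_IPS, truncated=signed, ad=signed)


def fake_tcp(query):
    """Over TCP the same server returns the full (validated) answer."""
    return make_response(query, SAMPLE_IPS, truncated=False, ad=_dnssec_requested(query))


def demo(dnssec=True):
    """Resolve the post's hostname against the fake transports and summarise."""
    hdr, path = resolve("checkip.amazonaws.com", fake_udp, fake_tcp, dnssec=dnssec)
    return {"path": path, "answers": hdr["ancount"], "ad": hdr["ad"]}


if __name__ == "__main__":
    print("DNSSEC on :", demo(True))
    print("DNSSEC off:", demo(False))
```

With DNSSEC requested the UDP reply comes back with TC set and zero answers, and only the TCP retry yields the six addresses with AD set; without DNSSEC the smaller answer fits in UDP and no retry is needed. That is the same split the post shows between the laptop (which prints "Truncated, retrying in TCP mode") and the router's nslookup.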