I understand the iptables divert, but the dig command is specifically asking it to resolve via 22.214.171.124.

These iptables rules to redirect everything to stubby are in place:
Code:
# Force Client DNS requests to use Stubby
iptables -t nat -A PREROUTING -i br0 -p udp --dport 53 -j DNAT --to "$(nvram get lan_ipaddr)"
iptables -t nat -A PREROUTING -i br0 -p tcp --dport 53 -j DNAT --to "$(nvram get lan_ipaddr)"

However, running with @127.0.0.1 indeed fails:
Code:
# dig asuswrt.lostrealm.ca @127.0.0.1 +dnssec +multi

; <<>> DiG 9.11.3 <<>> asuswrt.lostrealm.ca @127.0.0.1 +dnssec +multi
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1950
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1452
;; QUESTION SECTION:
;asuswrt.lostrealm.ca.		IN A

;; ANSWER SECTION:
asuswrt.lostrealm.ca.	164 IN A 126.96.36.199
asuswrt.lostrealm.ca.	164 IN RRSIG A 13 3 300 (
				20181023110146 20181021090146 35273 lostrealm.ca.
				4d0TFNjIqkyCnOIZhc1sis9ElTT50mziKqFKZ1WNa1xm
				wpEgJs+BrYltFNVvxWzONpydai5DqbQex758EHPylw== )

;; Query time: 13 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Oct 22 10:04:02 UTC 2018
;; MSG SIZE  rcvd: 213

Do you have a solution @DonnyJohnny?
Anyway, currently the only way is to use the firmware DNSSEC validation with strict unsigned validation set to NO.
Technically, we should set strict unsigned validation to YES to maximise the objective of DNSSEC, as setting strict validation to NO means unsigned DNSSEC will still pass through as insecure but valid.
I am wondering if this is a Cloudflare-specific problem with DNSSEC validation.
Maybe you can just try doing some testing with other resolvers with strict validation set to YES.