Resolution problem with some domains #108

Open
belgotux opened this issue Mar 29, 2022 · 4 comments

Comments

@belgotux

Hello,

I've got some trouble with DNS resolution with your image. Example with fastmirror.pp.ua (Debian image or LibreOffice download).
The docker file is simple: one service for DoT and one with Pi-hole on top.
I'm doing my tests inside my Pi-hole container (it's easiest to install debug tools with apt). I send the DNS request directly to the DoT container running the image qmcgaw/dns.
I've changed PROVIDERS from 'cloudflare,quad9' to 'cloudflare' to simplify the test.

The test is reproducible: I've tried on a fresh VPS in another datacenter directly with the docker-compose file, with the same results.

My tests:

  • try directly with the kdig command, WORKS: kdig -d @1.1.1.1 +tls-ca +tls-host=cloudflare-dns.com fastmirror.pp.ua
  • try with Cloudflare directly, WORKS: dig fastmirror.pp.ua @1.1.1.1
  • try asking the DoT container, FAILS: dig fastmirror.pp.ua @10.10.10.34
  • try with another domain, WORKS: dig perdu.com @10.10.10.34

The output:

root@234060bb9e9c:/# kdig -d @1.1.1.1 +tls-ca +tls-host=cloudflare-dns.com  fastmirror.pp.ua
;; DEBUG: Querying for owner(fastmirror.pp.ua.), class(1), type(1), server(1.1.1.1), port(853), protocol(TCP)
;; DEBUG: TLS, imported 137 system certificates
;; DEBUG: TLS, received certificate hierarchy:
;; DEBUG:  #1, C=US,ST=California,L=San Francisco,O=Cloudflare\, Inc.,CN=cloudflare-dns.com
;; DEBUG:      SHA-256 PIN: RKlx+/Jwn2A+dVoU8gQWeRN2+2JxXcFkAczKfgU8OAI=
;; DEBUG:  #2, C=US,O=DigiCert Inc,CN=DigiCert TLS Hybrid ECC SHA384 2020 CA1
;; DEBUG:      SHA-256 PIN: e0IRz5Tio3GA1Xs4fUVWmH1xHDiH2dMbVtCBSkOIdqM=
;; DEBUG: TLS, skipping certificate PIN check
;; DEBUG: TLS, The certificate is trusted.
;; TLS session (TLS1.3)-(ECDHE-X25519)-(ECDSA-SECP256R1-SHA256)-(AES-256-GCM)
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 54904
;; Flags: qr rd ra; QUERY: 1; ANSWER: 1; AUTHORITY: 0; ADDITIONAL: 1

;; EDNS PSEUDOSECTION:
;; Version: 0; flags: ; UDP size: 1232 B; ext-rcode: NOERROR
;; PADDING: 403 B

;; QUESTION SECTION:
;; fastmirror.pp.ua.            IN      A

;; ANSWER SECTION:
fastmirror.pp.ua.       13578   IN      A       93.126.105.202

---------

root@234060bb9e9c:/# dig fastmirror.pp.ua @1.1.1.1

; <<>> DiG 9.11.5-P4-5.1+deb10u6-Debian <<>> fastmirror.pp.ua @1.1.1.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;fastmirror.pp.ua.              IN      A

;; ANSWER SECTION:
fastmirror.pp.ua.       12202   IN      A       93.126.105.202

;; Query time: 12 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; WHEN: Tue Mar 29 12:51:55 CEST 2022
;; MSG SIZE  rcvd: 61

-------------

root@234060bb9e9c:/# dig fastmirror.pp.ua @10.10.10.34

; <<>> DiG 9.11.5-P4-5.1+deb10u6-Debian <<>> fastmirror.pp.ua @10.10.10.34
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 11466
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;fastmirror.pp.ua.              IN      A

;; Query time: 0 msec
;; SERVER: 10.10.10.34#53(10.10.10.34)
;; WHEN: Tue Mar 29 12:53:11 CEST 2022
;; MSG SIZE  rcvd: 45

-----------

root@234060bb9e9c:/# dig perdu.com @10.10.10.34

; <<>> DiG 9.11.5-P4-5.1+deb10u6-Debian <<>> perdu.com @10.10.10.34
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46343
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;perdu.com.                     IN      A

;; ANSWER SECTION:
perdu.com.              9000    IN      A       208.97.177.124

;; Query time: 151 msec
;; SERVER: 10.10.10.34#53(10.10.10.34)
;; WHEN: Tue Mar 29 12:59:55 CEST 2022
;; MSG SIZE  rcvd: 54

The docker-compose:

version: '3.7'

networks:
  dnsnet:
    driver: bridge
    ipam:
      driver: default
      config:
        - subnet: 10.10.10.32/29
  proxy-net:
    external: true

services:

  dot:
    image: qmcgaw/dns:latest
    container_name: pihole-unbound-DoT
    environment:
      #PROVIDERS: 'cloudflare,quad9'
      PROVIDERS: 'cloudflare'
      CACHING: 'off'
    networks:
      dnsnet:
        ipv4_address: 10.10.10.34
    restart: unless-stopped


  pihole:
    image: pihole/pihole:latest
    container_name: pihole
    environment:
      TZ: 'Europe/Paris'
      ADMIN_EMAIL: '[email protected]'
      WEBPASSWORD: 'tttttt'
      DNS1: 10.10.10.34
      DNS2: 10.10.10.34
      VIRTUAL_HOST: pihole.xxx.com
    depends_on:
      - dot
    networks:
      proxy-net:
      dnsnet:
          ipv4_address: 10.10.10.35
    restart: unless-stopped
@qdm12
Owner

qdm12 commented Mar 30, 2022

Maybe try with qmcgaw/dns:v2.0.0-beta? The latest image based on Unbound will not be supported anymore quite soon.

@qdm12
Owner

qdm12 commented Mar 30, 2022

Also maybe fastmirror.pp.ua is blocked. By default BLOCK_MALICIOUS=on so you might want to turn it off.

@belgotux
Author

Hello Quentin,
Thanks for your quick reply. Yes, it's blocking; I just tried with BLOCK_MALICIOUS='off'.

But the logs don't give any information about that; I just retried and only have this in the logs. Maybe something about the block needs to be added to the logs?

pihole-unbound-DoT | 2022/03/31 13:41:43 INFO [1648734103] unbound[18:0] debug: using localzone pp.ua. static

With the verbosity at max:

VERBOSITY: 5
VERBOSITY_DETAILS: 4

http://fastmirror.pp.ua is a mirror for big open-source projects; how can I check or make a pull request for this?

For the beta, I see that it works; is it not the same malicious link? dcdown and dcupd with both stable and beta with BLOCK_MALICIOUS: 'on', and the beta works, unlike the stable:

  dot:
    image: qmcgaw/dns:latest
    container_name: pihole-unbound-DoT
    environment:
      PROVIDERS: 'cloudflare'
      CACHING: 'off'
      BLOCK_MALICIOUS: 'on'
      VERBOSITY: 2
      VERBOSITY_DETAILS: 1
    networks:
      dnsnet:
        ipv4_address: 10.10.10.34
    restart: unless-stopped

  dot2:
    image: qmcgaw/dns:v2.0.0-beta
    container_name: pihole-unbound-DoT2
    environment:
      PROVIDERS: 'cloudflare'
      CACHING: 'off'
      BLOCK_MALICIOUS: 'on'
      VERBOSITY: 1
      VERBOSITY_DETAILS: 1
    networks:
      dnsnet:
        ipv4_address: 10.10.10.36
    restart: unless-stopped

root@9a19adbf2353:/# dig fastmirror.pp.ua @10.10.10.34

; <<>> DiG 9.11.5-P4-5.1+deb10u6-Debian <<>> fastmirror.pp.ua @10.10.10.34
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 57706
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;fastmirror.pp.ua.              IN      A

;; Query time: 43 msec
;; SERVER: 10.10.10.34#53(10.10.10.34)
;; WHEN: Thu Mar 31 16:11:53 CEST 2022
;; MSG SIZE  rcvd: 45

root@9a19adbf2353:/# dig fastmirror.pp.ua @10.10.10.36

; <<>> DiG 9.11.5-P4-5.1+deb10u6-Debian <<>> fastmirror.pp.ua @10.10.10.36
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55536
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;fastmirror.pp.ua.              IN      A

;; ANSWER SECTION:
fastmirror.pp.ua.       13535   IN      A       93.126.105.202

;; Query time: 17 msec
;; SERVER: 10.10.10.36#53(10.10.10.36)
;; WHEN: Thu Mar 31 16:11:56 CEST 2022
;; MSG SIZE  rcvd: 77
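Two details in the outputs above tell the practitioner what happened before reading the Unbound log. The failing answer from 10.10.10.34 is NXDOMAIN with the aa (authoritative answer) flag set and a 0 msec query time, while every answer that reached Cloudflare is NOERROR without aa: the resolver answered from its own local data rather than forwarding. The log line "using localzone pp.ua. static" then names the cause: the blocklist entry is the parent pp.ua, and a static local zone returns NXDOMAIN for every name beneath it, so fastmirror.pp.ua is blocked without being listed itself. The Python below is an added example, not code from this issue or from qmcgaw/dns; it reproduces both checks offline on constructed data. The dig fragments mirror the outputs quoted in the thread, the blocklist and the public-suffix set are constructed (the real lists are the project's malicious-hostnames file and publicsuffix.org), and the function names are my own.

```python
"""Added example (not from the issue or qmcgaw/dns): diagnose a DNS blocklist
over-block offline.
1) classify a dig answer as a local-zone block vs an upstream answer;
2) find which blocklist entry covers a name under Unbound 'local-zone ... static'
   semantics (an entry covers itself and everything below it);
3) flag blocklist entries that are whole public suffixes.
"""
import re
from typing import Dict, List, Optional, Set

# Constructed dig fragments mirroring the outputs quoted in the issue.
SAMPLE_DIG: Dict[str, str] = {
    "fastmirror.pp.ua@10.10.10.34": (
        ";; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 11466\n"
        ";; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1\n"
        ";; Query time: 0 msec\n"
    ),
    "perdu.com@10.10.10.34": (
        ";; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46343\n"
        ";; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1\n"
        ";; Query time: 151 msec\n"
    ),
    "fastmirror.pp.ua@1.1.1.1": (
        ";; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44\n"
        ";; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1\n"
        ";; Query time: 12 msec\n"
    ),
}

# Constructed blocklist; NOT the real malicious-hostnames list. "pp.ua" is the
# kind of entry that produced the symptom in the issue.
BLOCKLIST: Set[str] = {"pp.ua", "evil.example.net", "bad.example.org"}

# Constructed, partial set of public suffixes (the real list is publicsuffix.org).
PUBLIC_SUFFIXES: Set[str] = {"com", "net", "org", "ua", "pp.ua", "co.uk", "github.io"}

_STATUS_RE = re.compile(r"status: ([A-Z]+)")
_FLAGS_RE = re.compile(r"^;; flags: ([a-z ]*);", re.M)


def classify_dig(output: str) -> str:
    """Classify a dig answer from its header and flags lines.

    NXDOMAIN with the 'aa' bit set means the resolver answered from its own
    local data (an Unbound local-zone, for instance) instead of forwarding;
    a forwarded NXDOMAIN from a recursive resolver normally does not carry 'aa'.
    """
    status_m = _STATUS_RE.search(output)
    flags_m = _FLAGS_RE.search(output)
    if not status_m or not flags_m:
        raise ValueError("not a dig header/flags block")
    status = status_m.group(1)
    flags = set(flags_m.group(1).split())
    if status == "NXDOMAIN" and "aa" in flags:
        return "local-zone block"
    if status == "NXDOMAIN":
        return "upstream NXDOMAIN"
    return "answered"


def _labels(name: str) -> List[str]:
    # Normalise: drop trailing dot, lowercase, split into DNS labels.
    return name.rstrip(".").lower().split(".")


def blocking_zone(qname: str, zones: Set[str]) -> Optional[str]:
    """Return the most specific blocklist entry covering qname, or None.

    Mirrors Unbound local-zone matching: the closest enclosing zone applies,
    and a 'static' zone returns NXDOMAIN for every name below it, so an entry
    'pp.ua' blocks fastmirror.pp.ua even though that name is not listed.
    """
    labels = _labels(qname)
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])  # walk from full name up to the TLD
        if candidate in zones:
            return candidate
    return None


def overbroad_entries(zones: Set[str], suffixes: Set[str]) -> Set[str]:
    """Entries that are themselves a public suffix: blocking one of these
    blocks every independently registered name beneath it."""
    return {z for z in zones if z.rstrip(".").lower() in suffixes}


if __name__ == "__main__":
    for key, out in SAMPLE_DIG.items():
        print(f"{key:32} -> {classify_dig(out)}")
    for name in ("fastmirror.pp.ua", "perdu.com", "www.evil.example.net"):
        print(f"{name:32} -> blocked by {blocking_zone(name, BLOCKLIST)}")
    print("overbroad entries:", overbroad_entries(BLOCKLIST, PUBLIC_SUFFIXES))
```

Run against a real blocklist, overbroad_entries is the check to add before shipping a list: an entry that equals a public suffix (pp.ua is a free-subdomain registry under .ua) takes out every unrelated site hosted beneath it, which is exactly what the mirror hit here.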

@qdm12
Owner

qdm12 commented Jul 12, 2023

Sorry for the huge delay answering. v2.0.0-beta is a totally different program really, it's coded from scratch and doesn't use Unbound. Maybe that was a bug back then? Try pulling the newer image? I also don't see fastmirror.pp.ua in https://raw.githubusercontent.com/qdm12/files/master/malicious-hostnames.updated so maybe it's no longer blocked 🤔

With the v2.0.0-beta image, you can also log all requests and/or responses using MIDDLEWARE_LOG_ENABLED=on with MIDDLEWARE_LOG_REQUESTS=on and MIDDLEWARE_LOG_RESPONSES=on if you want, and there is also #123 which could be fun to watch. There are also Prometheus metrics available although that is not PER domain.

EDIT: Also v2.0.0-beta is about to come out of beta and be the newer stable version.
