



Standard User Moto
(fountain of knowledge) Tue 12-Sep-23 22:39:51
gov.uk &dnssec


This problem is above my pay grade.
DNS on my home network uses a local recursive DNS server (Unbound). When I query DNS, Unbound traverses the chain of authoritative DNS servers starting at the root to provide resolution of my query.
Last week I needed to check which bins to put out for collection and found my local authorities site did not resolve. It turned out no gov.uk site resolved. I had to add an exclusion for my dns server to use 1.0.0.1 to resolve any gov.uk site.
Exploring further I used two tools to test DNSSEC for gov.uk:
https://dnssec-debugger.verisignlabs.com/gov.uk tests squeaky clean.
https://dnsviz.net/d/gov.uk/dnssec/ has errors - servers not responding.
Either the name servers for gov.uk are borked or the routing to them is screwed. I have emailed the developers of dnsviz.net to ask whether the queries to the gov.uk nameservers come from their server or from my pc. No response.
My gut instinct is it's Virgin Media's network routing. Would someone like to help me out.

A friend surfing in
Standard User Oliver341
(eat-sleep-adslguide) Tue 12-Sep-23 23:24:30
Re: gov.uk &dnssec


[re: Moto]
If I'm reading that right, the website suggests that it is unable to get a response from 192.76.144.14 for certain queries.

I tested one of the queries using dig, and the query returned ok.

;; Truncated, retrying in TCP mode.
; <<>> DiG 9.18.12-0ubuntu0.22.04.2-Ubuntu <<>> gov.uk dnskey @192.76.144.14
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13026
;; flags: qr aa rd; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 90d441bb9c78f775010000006500e3e0e999dde458f09eb0 (good)
;; QUESTION SECTION:
;gov.uk.                                IN      DNSKEY

;; ANSWER SECTION:
gov.uk.                 86400   IN      DNSKEY  257 3 8 AwEAAZhEwwuAdnpNbyhIGJwh/D28XjVp9NacL3h8iMR9wCgwdZWf41p8 1qrJqrX1sKoJzPPq1G3ecIQignJzCPhyEwXb36MSmhabVAFvUY6p4KfQ IxVioffJ9lt0OJDbiWjK8mkDgi25+I57rk6RuBK/BARLSDenpU0qk7rC xTTiQBBoncav/3Db6xoQ4ciqaEsvhqZqhz3nau0oxKfaVc7PQbB0RLRd kBWkZv86nJsKVSmi5ACT3f3rgZ6PB8hAhY3slg5xWRK7BxSAwy0SbHIx mbcvKQtX57kOlHQFUgV+hJXn/4Y4HmtXdBo5tVKeIOVLZ3Kd/MCgAEaH a1GbPuYjFOs=
gov.uk.                 86400   IN      DNSKEY  256 3 8 AwEAAfif7z+gBZWye+TqcsOY+VNIHuvlyV7iqVxLr1gocTrLiSCgMomk kx5bxAd0DmcVCJXgAgXi1b7gekAt80ufN8kM4vBIRNrTz94cqnvvFpel efSN/XJWk1uUdu9gEQyWziDee4JOzrmGK1ynr7+P6YdH/vVM8aUHNXdq oU/xvHRX
gov.uk.                 86400   IN      DNSKEY  256 3 8 AwEAAcrWS7rvsJMswiDC6ty9ryAzA1BMc12vFm1rL23Uud8EeVbyKZBk k38z0fODPupIyjyui3xwU6stMeXqsrR1N1NpYMdmvsw5K4C5j1HiyaAV UfH+qasHSwkngy+gAHdU6esTr0EfY2p0tvSGc3ZFdbv15W+S1DPzK2Ml zehbNAotheIyjULUpTQXSnQRwChIA5xw0LVRA5v52yf8qCvdMIJEQbDi gX1r/moR2RZs2v5aCS9G5OlXDlvMNXf7cd1+8O7X6PorpsVak5atMNr/ wM5dgaOhyiFcHbIBxsT8zVJF3/ErWWohOI+j8Pf2nOizPb4Koo7ROAYg XjJ+CC9a+Qc=
gov.uk.                 86400   IN      DNSKEY  256 3 8 AwEAAeA4pzKgU1t4lKhkKDNlrnCUHySm6CJMgTnUUXElCht6L+C344y7 DhClQWsOtgVkWPUO4XzhjvMUHCxHowqH5C9qkiyIAmvTdkI+pGEL0VHB wCLvlEWdV+NG6CvUJAWNijwTPHPANqcttIGlUz33NMtUXFvfbm1UZTRL w0rbdQT5
gov.uk.                 86400   IN      DNSKEY  257 3 8 AwEAAeIcG2L49RCQsIa2JycNpAQd2x/lEgwRUc2RXa8eLnfzj0EkpnUX rtTrYndUdFqoo1LlpVQfUIWSBMpcm7LOhD9EYvWSdXBB+k00jo2vE7yc nIcdmrPE768AkLlDZj87iuQsFxWQEw9pw7ZEbC7bwaqarp6FRJed70Bc ygotjsKPkXcw2rr/E8hW+DacKi46P+3a/HCTltvIRV/T4RUDyvOqnZ9o aRXBjaQ74EtFJF5aDKj3uFkN20st8CarE14UfVStP9RHTZKN1WN9PiHb gZrV+m2d9TrGrCnDkqJ78rQFeUL3NNLtF5uwoKXS1EA3djoIyCCg7dSb ldP8mkPFNik=
gov.uk.                 86400   IN      DNSKEY  257 3 8 AwEAAc4btyvhzTFwusTMj7fuVvXJVCeCFu70xH93voWNDf9rXwbamYO5 c64EmT+RAVqdKV5g44sHSlGjbpNsPsaVO/Gqzbxpbyk2Via5dZZxl7r1 oC8qo2L3G4U1whuDTsfRhWjHZOh9UoZkHvK2vL1I7EBkE+s3297n1pQX Wt2Ijlh3iOIbGYXLnAA+0OHdTROzcfQ57VYJ5nKoBOxkJFN6bqSadnJN CjzHrPVHSDL1xwwPubxKG2xCpr999lG+y+zLdEOA8/mRgS5KS2PF9BuV W17NHp8+sHSQ3A1X5YszNsF77+h2p7p9xQ9KnQ+9P8wMDWXo9C4NgTdO j/8kJ/F7xAs=

;; Query time: 30 msec
;; SERVER: 192.76.144.14#53(192.76.144.14) (TCP)
;; WHEN: Tue Sep 12 23:19:12 BST 2023
;; MSG SIZE  rcvd: 1463


Oliver.
Standard User Moto
(fountain of knowledge) Tue 12-Sep-23 23:47:08
Re: gov.uk &dnssec


[re: Oliver341]
Thanks. When I try that same query I get 'connection timed out; no servers could be reached'. So it is a routing problem. Thanks.

A friend surfing in



Standard User candlerb
(knowledge is power) Wed 13-Sep-23 08:24:54
Re: gov.uk &dnssec


[re: Moto]
It might not be a routing problem: you could have a firewalling issue where you're allowing UDP port 53 but not TCP port 53.

The previous comment didn't show the command used, but try this:

dig +norec @192.76.144.14 gov.uk dnskey

(He didn't add +norec but it's best practice when talking to authoritative servers)

When I do this from here, I get a successful answer but notice at the start:

$ dig +norec @192.76.144.14 gov.uk dnskey
;; Truncated, retrying in TCP mode.... etc


You can force tcp to be used for the query:

dig +tcp +norec @192.76.144.14 gov.uk dnskey

DNS *must* be allowed to use TCP; it's critical for DNS operation these days. For more info, read up about EDNS0 and the various DNS "flag days" where providers have agreed to get rid of workarounds for broken DNS resolvers that don't support TCP.
Standard User Moto
(fountain of knowledge) Wed 13-Sep-23 08:39:00
Re: gov.uk &dnssec


[re: candlerb]
TCP is allowed

dig +norec @192.76.144.14 gov.uk dnskey
results in ';; connection timed out; no servers could be reached'

dig +norec @8.8.8.8 gov.uk dnskey
works with a complete response

A friend surfing in
Standard User Oliver341
(eat-sleep-adslguide) Wed 13-Sep-23 09:57:26
Re: gov.uk &dnssec


[re: Moto]
Any luck with ping?

PING 192.76.144.14 (192.76.144.14) 56(84) bytes of data.
64 bytes from 192.76.144.14: icmp_seq=1 ttl=244 time=25.2 ms
64 bytes from 192.76.144.14: icmp_seq=2 ttl=244 time=24.6 ms
64 bytes from 192.76.144.14: icmp_seq=3 ttl=244 time=24.1 ms
64 bytes from 192.76.144.14: icmp_seq=4 ttl=244 time=24.0 ms
^C
--- 192.76.144.14 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3001ms
rtt min/avg/max/mdev = 24.019/24.484/25.157/0.450 ms


Oliver.
Standard User Moto
(fountain of knowledge) Wed 13-Sep-23 10:39:40
Re: gov.uk &dnssec


[re: Oliver341]
Yes I can ping it?
So port 53?

tcping.exe 192.76.144.14 53
Probing 192.76.144.14:53/tcp - Port is open - time=32.552ms

dig +tcp +norec @192.76.144.14 gov.uk dnskey

; <<>> DiG 9.16.42-Debian <<>> +tcp +norec @192.76.144.14 gov.uk dnskey
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached

but
dig +tcp +norec @192.76.144.14 gov.uk

; <<>> DiG 9.16.42-Debian <<>> +tcp +norec @192.76.144.14 gov.uk
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33408
;; flags: qr aa; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 8747f2ef0dca66070100000065018695a946a8f77a707b9b (good)
;; QUESTION SECTION:
;gov.uk. IN A

;; ANSWER SECTION:
gov.uk. 3600 IN A 151.101.64.144
gov.uk. 3600 IN A 151.101.192.144
gov.uk. 3600 IN A 151.101.0.144
gov.uk. 3600 IN A 151.101.128.144

;; Query time: 35 msec
;; SERVER: 192.76.144.14#53(192.76.144.14)
;; WHEN: Wed Sep 13 10:53:25 BST 2023
;; MSG SIZE rcvd: 127

But dig +tcp +norec @192.76.144.14 gov.uk SOA returns with SOA but DNSViz says it doesn't.
I am now thoroughly confused. It looks like to find the answer to my problem I need to go through all gov.uk's nameservers and list what records are returned on each.

A friend surfing in

Edited by Moto (Wed 13-Sep-23 11:05:19)

Standard User Oliver341
(eat-sleep-adslguide) Wed 13-Sep-23 10:47:16
Re: gov.uk &dnssec


[re: Moto]
In reply to a post by Moto:
Yes I can ping it?

So not all traffic from you to the IP is blocked. Strange one. At least that website proves it affects others too.

Oliver.
Standard User Moto
(fountain of knowledge) Wed 13-Sep-23 11:20:01
Re: gov.uk &dnssec


[re: Oliver341]
Thoroughly confusing. I added to my post after you replied.
I think further investigation will be delayed until I am stuck indoors on a rainy day.
I can visualise a work experience person being given a copy of DNS & Bind and told to make gov.uk more secure. He allowed access for public name servers and blocked access for everyone else to some keys before discovering he could make more money flipping burgers and left.

A friend surfing in

Edited by Moto (Wed 13-Sep-23 11:40:32)

Standard User Oliver341
(eat-sleep-adslguide) Wed 13-Sep-23 12:07:44
Re: gov.uk &dnssec


[re: Moto]
This feels like an MTU issue. If the reply packet is blocked along the route for being too large, this would prevent the packet from reaching the client and triggering the TCP fallback.

Edit: I see TCP didn't work either, but this does seem to affect queries returning larger packets.

Oliver.

Edited by Oliver341 (Wed 13-Sep-23 12:12:15)
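As an added example (not from this thread or any of its posters), here is the UDP-then-TCP fallback that candlerb's and Oliver341's posts are reasoning about, in standard-library Python: it builds a DNSKEY query with RD clear (what dig +norec does) and an EDNS0 OPT record advertising a UDP buffer size, sends it over UDP, and retries over TCP when the reply comes back truncated (TC=1) or never arrives. Running probe() against the same server with bufsize=1232 and then bufsize=512 separates a blocked TCP/53 path from a fragmented-reply (MTU) problem; server and name are parameters, 192.76.144.14 is simply the IP from the thread, and the constants/helper names are this example's own.

```python
import socket
import struct

DNSKEY, OPT = 48, 41  # RR type numbers

def build_query(name, qtype=DNSKEY, txid=0x1234, bufsize=1232):
    """Query with RD=0 (like dig +norec) plus an EDNS0 OPT record advertising bufsize."""
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 1)  # 1 question, 1 additional (OPT)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)  # class IN
    # OPT pseudo-RR: root name, type 41, CLASS field carries the UDP payload size, TTL 0, no RDATA
    return header + question + b"\x00" + struct.pack("!HHIH", OPT, bufsize, 0, 0)

def parse_header(msg):  # id, rcode, TC flag and answer count from a response header
    if len(msg) < 12:
        raise ValueError("short DNS message")
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "rcode": flags & 0xF, "tc": bool(flags & 0x0200), "answers": an}

def recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("TCP stream closed early")
        buf += chunk
    return buf

def query_udp(server, q, timeout=3.0):
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        return s.recv(4096)
def query_tcp(server, q, timeout=3.0):
    with socket.create_connection((server, 53), timeout=timeout) as s:
        s.sendall(struct.pack("!H", len(q)) + q)  # DNS over TCP is length-prefixed
        (length,) = struct.unpack("!H", recv_exact(s, 2))
        return recv_exact(s, length)

def probe(server, name, qtype=DNSKEY, bufsize=1232):
    """UDP first; on TC=1 or a timeout retry over TCP, as a resolver would."""
    q, out = build_query(name, qtype, bufsize=bufsize), {}
    for proto, fn in (("udp", query_udp), ("tcp", query_tcp)):
        try:
            out[proto] = parse_header(fn(server, q))
        except OSError as e:  # socket.timeout is an OSError subclass
            out[proto] = {"error": repr(e)}
        if proto == "udp" and "error" not in out["udp"] and not out["udp"]["tc"]:
            break  # complete UDP answer, TCP fallback not needed
    return out
```

Example use: probe("192.76.144.14", "gov.uk") and probe("192.76.144.14", "gov.uk", bufsize=512); a UDP timeout at 1232 that turns into TC=1 plus a working TCP answer at 512 points at fragment filtering, while a TCP error with UDP fine points at TCP/53 being blocked.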
