
Comments (5)

qdm12 avatar qdm12 commented on September 2, 2024 1

It's because libredns doesn't support DNSSEC. I disabled it in Unbound if one of the providers is LibreDNS, and now it works 👍

from dns.
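As an added example of the rule this comment describes (it is not the project's own code), the Go snippet below renders a minimal Unbound forwarder configuration and drops the validator module whenever one of the configured DNS-over-TLS providers is flagged as not serving DNSSEC material. The LibreDNS address 116.202.176.26 is taken from this thread; the Quad9 address, the two TLS authentication names and the `SupportsDNSSEC` flags are assumptions used for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// Provider describes one DNS-over-TLS upstream. SupportsDNSSEC records whether
// the operator serves signed answers (DNSKEY/RRSIG) to a validating client; the
// flag values below mirror the thread's statement and are assumptions here.
type Provider struct {
	Name           string
	IP             string // IPv4 address of the DoT endpoint
	TLSName        string // name Unbound authenticates the certificate against
	SupportsDNSSEC bool
}

var (
	Quad9    = Provider{Name: "quad9", IP: "9.9.9.9", TLSName: "dns.quad9.net", SupportsDNSSEC: true}
	LibreDNS = Provider{Name: "libredns", IP: "116.202.176.26", TLSName: "dot.libredns.gr", SupportsDNSSEC: false}
)

// ValidationEnabled keeps the validator only if every forwarder can serve
// DNSSEC material. A single non-DNSSEC forwarder makes the root trust anchor
// impossible to prime, so validation would fail every query.
func ValidationEnabled(providers []Provider) bool {
	for _, p := range providers {
		if !p.SupportsDNSSEC {
			return false
		}
	}
	return len(providers) > 0
}

// GenerateUnboundConfig renders an unbound.conf that forwards everything over
// TLS (port 853) to the providers and toggles DNSSEC per ValidationEnabled.
func GenerateUnboundConfig(providers []Provider, caBundle, trustAnchorFile string) string {
	var b strings.Builder
	b.WriteString("server:\n")
	b.WriteString("  interface: 0.0.0.0\n  port: 53\n  do-ip6: no\n")
	b.WriteString("  tls-cert-bundle: " + caBundle + "\n")
	if ValidationEnabled(providers) {
		b.WriteString("  module-config: \"validator iterator\"\n")
		b.WriteString("  auto-trust-anchor-file: " + trustAnchorFile + "\n")
	} else {
		// Drop the validator module entirely: with it loaded, a forwarder that
		// strips DNSSEC records yields "failed to prime trust anchor" + SERVFAIL.
		b.WriteString("  module-config: \"iterator\"\n")
	}
	b.WriteString("\nforward-zone:\n  name: \".\"\n  forward-tls-upstream: yes\n")
	for _, p := range providers {
		fmt.Fprintf(&b, "  forward-addr: %s@853#%s\n", p.IP, p.TLSName)
	}
	return b.String()
}

func main() {
	cfg := GenerateUnboundConfig([]Provider{Quad9, LibreDNS},
		"/etc/ssl/certs/ca-certificates.crt", "/var/lib/unbound/root.key")
	fmt.Print(cfg)
}
```

Disabling the validator removes the authenticated-data guarantee for every answer, not just those from the non-DNSSEC provider, so mixing providers is a trade-off: one weak forwarder in the list downgrades the whole resolver.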

qdm12 avatar qdm12 commented on September 2, 2024

Fixed in 17cb054

It was because the program was trying to use plaintext DNS to get the files at start. LibreDNS only supports DNS over TLS on port 853 and not plain DNS on port 53/UDP.

So now it just uses the default DNS you have set up in your network to resolve github.com. Subsequent file updates however will use DNS over TLS. I'll see what I can do to have these files bundled in the image so it doesn't leak the first DNS resolution at start.

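One way to avoid the plaintext start-up lookup mentioned in this comment, given here as an added example rather than the project's implementation: a Go `net.Resolver` whose `Dial` hook always hands back a TLS connection to the provider on port 853, so even the very first resolution of github.com is carried over DoT. The LibreDNS IP is from this thread; the TLS server name `dot.libredns.gr`, the timeouts and the function names are assumptions.

```go
package main

import (
	"context"
	"crypto/tls"
	"fmt"
	"net"
	"time"
)

// DoTUpstream is a DNS-over-TLS endpoint addressed by IP literal, so that
// reaching it never requires a (plaintext) lookup of its own name.
type DoTUpstream struct {
	IP      string // LibreDNS address as posted in the thread
	TLSName string // certificate name; assumed for this example
}

// LibreDNS is the provider discussed above; the TLS name is an assumption.
var LibreDNS = DoTUpstream{IP: "116.202.176.26", TLSName: "dot.libredns.gr"}

// Addr is the host:port the TLS session is opened to (DoT is 853/TCP).
func (u DoTUpstream) Addr() string { return net.JoinHostPort(u.IP, "853") }

// TLSConfig pins the expected certificate name: an on-path box answering on
// 853 with a certificate for some other name fails the handshake.
func (u DoTUpstream) TLSConfig() *tls.Config {
	return &tls.Config{ServerName: u.TLSName, MinVersion: tls.VersionTLS12}
}

// NewDoTResolver returns a resolver that carries every query inside TLS.
// Go's resolver uses stream (length-prefixed) framing whenever the dialled
// connection is not a net.PacketConn, so returning a *tls.Conn is all that is
// needed to speak DoT. The nameserver address Go passes in from resolv.conf
// is deliberately ignored.
func NewDoTResolver(u DoTUpstream, timeout time.Duration) *net.Resolver {
	return &net.Resolver{
		PreferGo: true,
		Dial: func(ctx context.Context, network, _ string) (net.Conn, error) {
			d := &tls.Dialer{
				NetDialer: &net.Dialer{Timeout: timeout},
				Config:    u.TLSConfig(),
			}
			return d.DialContext(ctx, "tcp", u.Addr())
		},
	}
}

// BootstrapIPs resolves the host used to fetch the block lists at start-up
// through the DoT resolver instead of the container's default resolver.
func BootstrapIPs(ctx context.Context, r *net.Resolver, host string) ([]string, error) {
	addrs, err := r.LookupIPAddr(ctx, host)
	if err != nil {
		return nil, fmt.Errorf("DoT lookup of %s failed: %w", host, err)
	}
	ips := make([]string, 0, len(addrs))
	for _, a := range addrs {
		ips = append(ips, a.IP.String())
	}
	return ips, nil
}

func main() {
	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
	defer cancel()
	ips, err := BootstrapIPs(ctx, NewDoTResolver(LibreDNS, 3*time.Second), "github.com")
	if err != nil {
		fmt.Println(err)
		return
	}
	fmt.Println("github.com via DoT:", ips)
}
```

The resolver needs network access to do anything useful; what can be checked offline is that the dial target and the pinned server name are what the operator intended. Note that this only closes the leak if the provider is configured by IP: naming it by hostname would reintroduce a plaintext lookup to find it.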

axel-dd avatar axel-dd commented on September 2, 2024

Hi Quentin,
I tested libredns with the newest docker image. It still does not work.

logs:


=========================================
=========================================
=== Made with ❤️  by github.com/qdm12 ====
=========================================

Running version latest built on 2020-12-31T23:19:05Z (commit dd90001)

🔧  Need help? https://github.com/qdm12/cloudflare-dns-server/issues/new
💻  Email? [email protected]
☕  Slack? Join from the Slack button on Github
💸  Help me? https://github.com/sponsors/qdm12
2021-01-01T14:14:47.451Z	INFO	Unbound version: 1.10.1
2021-01-01T14:14:47.451Z	INFO	Settings summary:
DNS over TLS provider:
|--libredns
Listening port: 53
Caching: enabled
IPv4 resolution: enabled
IPv6 resolution: disabled
Verbosity level: 1/5
Verbosity details level: 0/4
Validation log level: 0/2
Block malicious: enabled
Block surveillance: disabled
Block ads: disabled
Blocked hostnames:
Blocked IP addresses:
Allowed hostnames:
Private addresses: 
 |--127.0.0.1/8
 |--10.0.0.0/8
 |--172.16.0.0/12
 |--192.168.0.0/16
 |--169.254.0.0/16
 |--::1/128
 |--fc00::/7
 |--fe80::/10
 |--::ffff:0:0/96
Check Unbound: enabled
Update: every 24h0m0s
2021-01-01T14:14:47.451Z	INFO	using DNS address 127.0.0.1 internally
2021-01-01T14:14:47.451Z	INFO	healthcheck server: listening on 127.0.0.1:9999
2021-01-01T14:14:47.451Z	INFO	generating Unbound configuration
2021-01-01T14:14:47.452Z	INFO	starting unbound
2021-01-01T14:14:47.482Z	INFO	unbound: [1609510487] unbound[12:0] notice: init module 0: validator
2021-01-01T14:14:47.482Z	INFO	unbound: [1609510487] unbound[12:0] notice: init module 1: iterator
2021-01-01T14:14:47.593Z	INFO	unbound: [1609510487] unbound[12:0] info: start of service (unbound 1.10.1).
2021-01-01T14:14:47.835Z	INFO	unbound: [1609510487] unbound[12:1] info: generate keytag query _ta-4a5c-4f66. NULL IN
2021-01-01T14:14:47.879Z	INFO	unbound: [1609510487] unbound[12:0] info: generate keytag query _ta-4a5c-4f66. NULL IN
2021-01-01T14:14:47.962Z	INFO	unbound: [1609510487] unbound[12:1] info: failed to prime trust anchor -- DNSKEY rrset is not secure . DNSKEY IN
2021-01-01T14:14:47.963Z	INFO	unbound: [1609510487] unbound[12:1] info: failed to prime trust anchor -- DNSKEY rrset is not secure . DNSKEY IN
2021-01-01T14:14:47.963Z	INFO	unbound: [1609510487] unbound[12:1] info: failed to prime trust anchor -- DNSKEY rrset is not secure . DNSKEY IN
2021-01-01T14:14:47.963Z	INFO	unbound: [1609510487] unbound[12:1] info: generate keytag query _ta-4a5c-4f66. NULL IN
2021-01-01T14:14:49.080Z	INFO	unbound: [1609510489] unbound[12:0] info: failed to prime trust anchor -- DNSKEY rrset is not secure . DNSKEY IN
2021-01-01T14:14:49.080Z	INFO	unbound: [1609510489] unbound[12:0] info: generate keytag query _ta-4a5c-4f66. NULL IN
2021-01-01T14:14:49.139Z	INFO	unbound: [1609510489] unbound[12:1] info: failed to prime trust anchor -- DNSKEY rrset is not secure . DNSKEY IN
2021-01-01T14:14:49.140Z	INFO	unbound: [1609510489] unbound[12:1] info: failed to prime trust anchor -- DNSKEY rrset is not secure . DNSKEY IN
2021-01-01T14:14:49.140Z	INFO	unbound: [1609510489] unbound[12:1] info: failed to prime trust anchor -- DNSKEY rrset is not secure . DNSKEY IN
2021-01-01T14:14:49.141Z	INFO	unbound: [1609510489] unbound[12:1] info: generate keytag query _ta-4a5c-4f66. NULL IN
2021-01-01T14:14:50.226Z	INFO	unbound: [1609510490] unbound[12:0] info: failed to prime trust anchor -- DNSKEY rrset is not secure . DNSKEY IN
2021-01-01T14:14:50.227Z	INFO	unbound: [1609510490] unbound[12:0] info: failed to prime trust anchor -- DNSKEY rrset is not secure . DNSKEY IN
2021-01-01T14:14:50.227Z	INFO	unbound: [1609510490] unbound[12:0] info: generate keytag query _ta-4a5c-4f66. NULL IN
2021-01-01T14:14:50.326Z	INFO	unbound: [1609510490] unbound[12:1] info: failed to prime trust anchor -- DNSKEY rrset is not secure . DNSKEY IN
2021-01-01T14:14:50.326Z	INFO	unbound: [1609510490] unbound[12:1] info: failed to prime trust anchor -- DNSKEY rrset is not secure . DNSKEY IN
2021-01-01T14:14:50.326Z	INFO	unbound: [1609510490] unbound[12:1] info: failed to prime trust anchor -- DNSKEY rrset is not secure . DNSKEY IN
2021-01-01T14:14:50.327Z	INFO	unbound: [1609510490] unbound[12:1] info: generate keytag query _ta-4a5c-4f66. NULL IN
2021-01-01T14:14:50.382Z	INFO	unbound: [1609510490] unbound[12:0] info: failed to prime trust anchor -- DNSKEY rrset is not secure . DNSKEY IN
2021-01-01T14:14:50.382Z	INFO	unbound: [1609510490] unbound[12:0] info: failed to prime trust anchor -- DNSKEY rrset is not secure . DNSKEY IN
2021-01-01T14:14:50.383Z	INFO	unbound: [1609510490] unbound[12:0] info: generate keytag query _ta-4a5c-4f66. NULL IN
2021-01-01T14:14:51.576Z	INFO	unbound: [1609510491] unbound[12:0] info: failed to prime trust anchor -- DNSKEY rrset is not secure . DNSKEY IN
2021-01-01T14:14:51.576Z	INFO	unbound: [1609510491] unbound[12:0] info: failed to prime trust anchor -- DNSKEY rrset is not secure . DNSKEY IN
2021-01-01T14:14:51.576Z	INFO	unbound: [1609510491] unbound[12:0] info: failed to prime trust anchor -- DNSKEY rrset is not secure . DNSKEY IN
2021-01-01T14:14:51.576Z	INFO	unbound: [1609510491] unbound[12:0] info: generate keytag query _ta-4a5c-4f66. NULL IN
2021-01-01T14:14:51.607Z	INFO	unbound: [1609510491] unbound[12:1] info: failed to prime trust anchor -- DNSKEY rrset is not secure . DNSKEY IN
2021-01-01T14:14:51.607Z	INFO	unbound: [1609510491] unbound[12:1] info: failed to prime trust anchor -- DNSKEY rrset is not secure . DNSKEY IN
2021-01-01T14:14:51.607Z	INFO	unbound: [1609510491] unbound[12:1] info: failed to prime trust anchor -- DNSKEY rrset is not secure . DNSKEY IN
2021-01-01T14:14:51.607Z	INFO	unbound: [1609510491] unbound[12:1] info: generate keytag query _ta-4a5c-4f66. NULL IN
2021-01-01T14:14:51.701Z	INFO	unbound: [1609510491] unbound[12:0] info: failed to prime trust anchor -- DNSKEY rrset is not secure . DNSKEY IN
2021-01-01T14:14:51.701Z	INFO	unbound: [1609510491] unbound[12:0] info: failed to prime trust anchor -- DNSKEY rrset is not secure . DNSKEY IN
2021-01-01T14:14:51.701Z	INFO	unbound: [1609510491] unbound[12:0] info: failed to prime trust anchor -- DNSKEY rrset is not secure . DNSKEY IN
2021-01-01T14:14:51.701Z	INFO	unbound: [1609510491] unbound[12:0] info: failed to prime trust anchor -- DNSKEY rrset is not secure . DNSKEY IN
2021-01-01T14:14:51.701Z	INFO	unbound: [1609510491] unbound[12:0] info: generate keytag query _ta-4a5c-4f66. NULL IN
2021-01-01T14:14:51.812Z	INFO	unbound: [1609510491] unbound[12:0] info: failed to prime trust anchor -- DNSKEY rrset is not secure . DNSKEY IN
2021-01-01T14:14:51.812Z	INFO	unbound: [1609510491] unbound[12:0] info: failed to prime trust anchor -- DNSKEY rrset is not secure . DNSKEY IN
2021-01-01T14:14:51.813Z	INFO	unbound: [1609510491] unbound[12:0] info: failed to prime trust anchor -- DNSKEY rrset is not secure . DNSKEY IN
2021-01-01T14:14:51.813Z	INFO	unbound: [1609510491] unbound[12:0] info: failed to prime trust anchor -- DNSKEY rrset is not secure . DNSKEY IN
2021-01-01T14:14:51.837Z	INFO	unbound: [1609510491] unbound[12:1] info: failed to prime trust anchor -- DNSKEY rrset is not secure . DNSKEY IN
2021-01-01T14:14:51.837Z	INFO	unbound: [1609510491] unbound[12:1] info: failed to prime trust anchor -- DNSKEY rrset is not secure . DNSKEY IN
2021-01-01T14:14:51.838Z	INFO	unbound: [1609510491] unbound[12:1] info: failed to prime trust anchor -- DNSKEY rrset is not secure . DNSKEY IN
2021-01-01T14:14:51.838Z	WARN	could not resolve github.com (try 1 of 10): lookup github.com on 127.0.0.11:53: server misbehaving
2021-01-01T14:14:52.339Z	WARN	could not resolve github.com (try 2 of 10): lookup github.com on 127.0.0.11:53: server misbehaving
2021-01-01T14:14:52.841Z	WARN	could not resolve github.com (try 3 of 10): lookup github.com on 127.0.0.11:53: server misbehaving
2021-01-01T14:14:53.343Z	WARN	could not resolve github.com (try 4 of 10): lookup github.com on 127.0.0.11:53: server misbehaving
2021-01-01T14:14:53.846Z	WARN	could not resolve github.com (try 5 of 10): lookup github.com on 127.0.0.11:53: server misbehaving
2021-01-01T14:14:54.347Z	WARN	could not resolve github.com (try 6 of 10): lookup github.com on 127.0.0.11:53: server misbehaving
2021-01-01T14:14:54.849Z	WARN	could not resolve github.com (try 7 of 10): lookup github.com on 127.0.0.11:53: server misbehaving
2021-01-01T14:14:55.351Z	WARN	could not resolve github.com (try 8 of 10): lookup github.com on 127.0.0.11:53: server misbehaving
2021-01-01T14:14:55.853Z	WARN	could not resolve github.com (try 9 of 10): lookup github.com on 127.0.0.11:53: server misbehaving
2021-01-01T14:14:56.355Z	WARN	could not resolve github.com (try 10 of 10): lookup github.com on 127.0.0.11:53: server misbehaving

With quad9 everything works well. libredns is online but supports DoT only.

$ kdig @116.202.176.26 heise.de +tls
;; TLS session (TLS1.3)-(ECDHE-SECP256R1)-(RSA-PSS-RSAE-SHA256)-(AES-256-GCM)
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 49891
;; Flags: qr rd ra; QUERY: 1; ANSWER: 1; AUTHORITY: 0; ADDITIONAL: 1

;; EDNS PSEUDOSECTION:
;; Version: 0; flags: ; UDP size: 512 B; ext-rcode: NOERROR

;; QUESTION SECTION:
;; heise.de.                    IN      A

;; ANSWER SECTION:
heise.de.               86374   IN      A       193.99.144.80

;; Received 53 B
;; Time 2021-01-01 15:40:30 CET
;; From 116.202.176.26@853(TCP) in 92.9 ms
$ dig @116.202.176.26 heise.de

; <<>> DiG 9.16.10 <<>> @116.202.176.26 heise.de
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached

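To make the symptoms in the log above mechanically recognisable, here is an added Go example (not part of the project) that triages a start-up log: it counts Unbound's trust-anchor priming failures and the program's own bootstrap failures, records which resolver the bootstrap went to and which DoT providers were configured, and returns a verdict. The embedded sample lines are copied from the log in this comment and trimmed; the verdict wording and the function names are mine.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Verdicts produced by Triage (wording is this example's, not the project's).
const (
	VerdictHealthy          = "no resolver errors"
	VerdictUpstreamNoDNSSEC = "validator cannot prime the root trust anchor through the forwarder: disable DNSSEC validation for this provider or use a DNSSEC-capable one"
	VerdictBootstrapOnly    = "start-up lookup failed but Unbound validated fine: check the resolver the bootstrap is using"
	VerdictBoth             = "trust-anchor priming is failing and the start-up lookup failed; fix the forwarder/validation mismatch first"
)

// Diagnosis summarises what a start-up log says about the resolver chain.
type Diagnosis struct {
	Providers           []string // DoT providers listed in the settings summary
	TrustAnchorFailures int      // "failed to prime trust anchor" lines from Unbound
	BootstrapFailures   int      // "could not resolve" lines from the program itself
	BootstrapResolver   string   // nameserver the bootstrap lookup went to
	Verdict             string
}

var bootstrapRe = regexp.MustCompile(`could not resolve \S+ \(try \d+ of \d+\): lookup \S+ on (\S+): `)

// Triage walks the log once; the provider list follows the
// "DNS over TLS provider:" header as "|--name" lines.
func Triage(log string) Diagnosis {
	var d Diagnosis
	inProviders := false
	for _, line := range strings.Split(log, "\n") {
		trimmed := strings.TrimSpace(line)
		switch {
		case trimmed == "DNS over TLS provider:":
			inProviders = true
			continue
		case inProviders && strings.HasPrefix(trimmed, "|--"):
			d.Providers = append(d.Providers, strings.TrimPrefix(trimmed, "|--"))
			continue
		}
		inProviders = false
		if strings.Contains(trimmed, "failed to prime trust anchor") {
			d.TrustAnchorFailures++
		}
		if m := bootstrapRe.FindStringSubmatch(trimmed); m != nil {
			d.BootstrapFailures++
			d.BootstrapResolver = m[1]
		}
	}
	switch {
	case d.TrustAnchorFailures > 0 && d.BootstrapFailures > 0:
		d.Verdict = VerdictBoth
	case d.TrustAnchorFailures > 0:
		d.Verdict = VerdictUpstreamNoDNSSEC
	case d.BootstrapFailures > 0:
		d.Verdict = VerdictBootstrapOnly
	default:
		d.Verdict = VerdictHealthy
	}
	return d
}

// sampleLog: lines copied from the log in this thread (tabs collapsed, trimmed).
const sampleLog = `DNS over TLS provider:
|--libredns
Listening port: 53
2021-01-01T14:14:47.962Z INFO unbound: [1609510487] unbound[12:1] info: failed to prime trust anchor -- DNSKEY rrset is not secure . DNSKEY IN
2021-01-01T14:14:49.080Z INFO unbound: [1609510489] unbound[12:0] info: failed to prime trust anchor -- DNSKEY rrset is not secure . DNSKEY IN
2021-01-01T14:14:51.838Z INFO unbound: [1609510491] unbound[12:1] info: failed to prime trust anchor -- DNSKEY rrset is not secure . DNSKEY IN
2021-01-01T14:14:51.838Z WARN could not resolve github.com (try 1 of 10): lookup github.com on 127.0.0.11:53: server misbehaving
2021-01-01T14:14:52.339Z WARN could not resolve github.com (try 2 of 10): lookup github.com on 127.0.0.11:53: server misbehaving`

// healthyLog: a constructed contrast case with a DNSSEC-capable provider.
const healthyLog = `DNS over TLS provider:
|--quad9
Listening port: 53
2021-01-01T14:14:47.593Z INFO unbound: [1609510487] unbound[12:0] info: start of service (unbound 1.10.1).`

func main() {
	for _, l := range []string{sampleLog, healthyLog} {
		d := Triage(l)
		fmt.Printf("providers=%v trustAnchorFailures=%d bootstrapFailures=%d via=%q\n  -> %s\n",
			d.Providers, d.TrustAnchorFailures, d.BootstrapFailures, d.BootstrapResolver, d.Verdict)
	}
}
```

The bootstrap resolver captured from the log is 127.0.0.11:53, Docker's embedded DNS, which is the plaintext path the earlier comment wants to avoid; the trust-anchor lines come from Unbound's validator and point at the forwarder, not at the bootstrap.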

qdm12 avatar qdm12 commented on September 2, 2024

Strange, I'm investigating. Maybe the root key / named root are expired on my repo; I'll check.


axel-dd avatar axel-dd commented on September 2, 2024

Thanks now everything works fine.

