DNS issues: servfail on selected subdomains, Qubes modifying DNS replies by stripping IPv6?


qtpie

May 11, 2021, 5:47:55 PM
to qubes-users
I have a very annoying issue with DNS recently. I'm using the standard
DNS device and servers provided by my internet provider, which runs a full
dual-stack IPv4/6. Other non-Qubes devices have no issues. I think this
might be a Qubes bug, but I want to ask for help first to rule out an
error on my side.

Selected domain names (all subdomains, e.g. www.qubes.org, so not
qubes.org) get a SERVFAIL when trying to resolve them within
applications, and on the command line with 'host' and 'nslookup'.
Strangely enough, 'dig' has no issues (querying the same default
resolver IP, of course). At times, the domain name will resolve inside
sys-net and certain app-vms, and not in another app-vm. At other times,
it resolves nowhere. When querying resolvers directly (like my ISP's
resolvers or 1.1.1.1) the issue does not occur.

What can be happening here? One of the only consistent hints I found is
that Qubes does not seem to pass the full nslookup response from sys-net
to the appvm (compare the nslookup examples below). My router gives a
SERVFAIL when querying it via IPv4; nslookup then tries its IPv6
address, where it does get a reply, but this reply is not passed to the
appvm. The SERVFAIL might be an IPv6 issue or an issue with my router,
but I still think Qubes should pass the full response, right?


Some affected domain names:
www.duckduckgo.com
www.startpage.com
textsecure-service.whispersystems.org



user@chat-1:~$ host -v www.startpage.com
Trying "www.startpage.com"
Host www.startpage.com not found: 2(SERVFAIL)
Received 35 bytes from 10.139.1.2#53 in 2 ms

-

user@chat-1:~$ nslookup  www.startpage.com
;; Got SERVFAIL reply from 10.139.1.1, trying next server
Server:        10.139.1.2
Address:    10.139.1.2#53

** server can't find www.startpage.com: SERVFAIL



user@sys-net:~$ host -v www.startpage.com
Trying "www.startpage.com"
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22135
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.startpage.com.        IN    A

;; ANSWER SECTION:
www.startpage.com.    2393    IN    CNAME    startpage.com.
startpage.com.        10    IN    A    145.131.132.72

Received 65 bytes from 192.168.0.1#53 in 4 ms
Trying "startpage.com"
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8508
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;startpage.com.            IN    AAAA

;; AUTHORITY SECTION:
startpage.com.        2598    IN    SOA    dns1.p01.nsone.net. hostmaster.nsone.net. 1619470914 3600 600 1209600 3600

Received 96 bytes from 192.168.0.1#53 in 3 ms
Trying "startpage.com"
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44449
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;startpage.com.            IN    MX

;; ANSWER SECTION:
startpage.com.        2598    IN    MX    10 mx2.startmail.com.
startpage.com.        2598    IN    MX    10 mx1.startmail.com.

Received 81 bytes from 192.168.0.1#53 in 1 ms




user@sys-net:~$ nslookup  www.startpage.com
;; Got SERVFAIL reply from 192.168.0.1, trying next server
Server:        fd00::(redacted):ee5e
Address:    fd00::(redacted):ee5e#53

Non-authoritative answer:
www.startpage.com    canonical name = startpage.com.
Name:    startpage.com
Address: 37.0.87.39



unman

May 12, 2021, 9:15:45 AM
to qubes-users
On Tue, May 11, 2021 at 11:47:50PM +0200, 'qtpie' via qubes-users wrote:
> I have a very annoying issue with DNS recently. I'm using the standard DNS
> device and servers provided by my internetprovider which runs a full
> dual-stack IPv4/6. Other non-qubes devices have no issues. I think this
> might be a Qubes bug but I want to ask for help first to rule out an error
> on my side.
>
> Selected domainnames (all subdomains, eg www.qubes.org, so not qubes.org)
> get a SERVFAIL when trying to resolve them within applications, and on the
> commandline with 'host' and 'nslookup'. Strangely enough, 'dig' has no
> issues, (querying the same default resolver ip of course). At times, the
> domainname will resolve inside sys-net and certain app-vm's, and not in
> another app-vm. At other times, it resolves nowhere. When quering resolvers
> directly (like my isp's resolvers or 1.1.1.1) the issue does not occur.
>
> What can be happening here? One of the only consistent hints I found is that
> Qubes does not seem to pass the full nslookup response from sys-net to the
> appvm (compare nslookup examples below). My router gives a servfail when
> quering it via ipv4, nslookup then tries it's ipv6 address, where it does
> get a reply, but this reply is not passed to the appvm. The servfail might
> be an ipv6 issue or an issue with my router, but I think still Qubes should
> pass the full response, right?
>

Do you have ipv6 enabled across every part of the Qubes networking
chain?

Just to be clear - this is an intermittent issue, intermittent in time
and as it affects qubes?
The fact that dig has no issues is interesting - can you test dig with
IPv4 and IPv6 separately?
Do you see the same behaviour if you set the resolver in sys-net to use
9.9.9.9?
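A small resolver probe, added here as an example and not code from the thread or from Qubes, that does what the reply asks: it sends the same A query to each resolver address separately (the 10.139.1.x addresses the appvm is handed, the router's IPv4 and IPv6 literals, 9.9.9.9) and reports each one's RCODE, so a SERVFAIL on one path and an answer on another show up side by side. The SERVFAIL reply below is constructed, not captured; it is 35 bytes, the same size host reported in the first post, because a bare SERVFAIL carries only the 12-byte header and the echoed 23-byte question.

```python
import socket
import struct

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}
FLAG_BITS = ((0x8000, "qr"), (0x0200, "tc"), (0x0100, "rd"), (0x0080, "ra"))

def build_query(name, qtype=1, txid=0x1234):
    """Minimal recursive (RD=1) UDP query: 12-byte header plus one IN question."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels)
    return header + qname + b"\x00" + struct.pack(">HH", qtype, 1)

def parse_reply(data):
    """Decode header fields only: RCODE name, set flags and section counts."""
    txid, flags, qd, an, ns, ar = struct.unpack(">HHHHHH", data[:12])
    rcode = flags & 0x000F
    return {
        "id": txid,
        "rcode": RCODES.get(rcode, str(rcode)),
        "flags": [n for bit, n in FLAG_BITS if flags & bit],
        "answer": an, "authority": ns, "additional": ar,
        "bytes": len(data),
    }

def query_resolver(server, name, timeout=2.0):
    """Send one query to one resolver; an IPv6 literal selects the v6 socket."""
    family = socket.AF_INET6 if ":" in server else socket.AF_INET
    with socket.socket(family, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name), (server, 53))
        data, _ = sock.recvfrom(4096)
    return parse_reply(data)

def compare_resolvers(name, servers):
    """RCODE per resolver (or 'TIMEOUT'), so v4 and v6 paths are judged apart."""
    results = {}
    for server in servers:
        try:
            results[server] = query_resolver(server, name)["rcode"]
        except OSError:  # socket.timeout is an OSError in Python 3
            results[server] = "TIMEOUT"
    return results

# Constructed reply (not captured from the thread): the 23-byte question echoed
# back under a header with flags qr/rd/ra and RCODE 2 (SERVFAIL), 35 bytes total.
SERVFAIL_REPLY = (struct.pack(">HHHHHH", 0x1234, 0x8182, 1, 0, 0, 0)
                  + build_query("www.startpage.com")[12:])
```

Run `compare_resolvers("www.startpage.com", ["10.139.1.1", "10.139.1.2", "192.168.0.1", "9.9.9.9"])` from an appvm and again from sys-net to see which hop first turns NOERROR into SERVFAIL.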