DNSSEC DNS on RT-AX86U Pro causing some websites not to load properly


Forgot to add that the Quad9 tech support agent is correct. When using an upstream resolver with DNSSEC, there’s no need to enable DNSSEC locally on your router. It’s not worth the performance hit. Keep it disabled if you’re using Quad9. And if you value privacy (and you don't mind a performance hit of a few extra milliseconds), then use DoT.

Also, this is a good test site to check what your DNS resolvers are (and if there's any leakage) and if DNSSEC validation is working:

 
> Forgot to add that the Quad9 tech support agent is correct. When using an upstream resolver with DNSSEC, there’s no need to enable DNSSEC locally on your router. It’s not worth the performance hit. It adds zero value and just wastes resources.
>
> Keep it disabled if you’re using Quad9.
Not true. DNSSEC validates packets between the upstream resolver and your router or PC. Think of it as last mile protection.
 
I know. I'm just saying that it's likely not worth the performance hit unless you don't trust the public resolver doing DNSSEC validation. Also, DoT should take care of last mile protection.

An old article...not sure if anything has changed with local DNSSEC validation since then...

 
> Forgot to add that the Quad9 tech support agent is correct. When using an upstream resolver with DNSSEC, there’s no need to enable DNSSEC locally on your router. It’s not worth the performance hit. Keep it disabled if you’re using Quad9. And if you value privacy (and you don't mind a performance hit of a few extra milliseconds), then use DoT.
>
> Also, this is a good test site to check what your DNS resolvers are (and if there's any leakage) and if DNSSEC validation is working:

Thanks, yes. This is what I decided to do and DoT also provides an additional layer of security as well as privacy.
At least three people here including myself have already said that DNSSEC with both Quad9 and Cloudflare broke a major website (business.comcast.com). Certainly there are many others. That's unacceptable.
 
Your results are strange though and I can't replicate them. As I've stated before, when using Quad9 or Cloudflare with local DNSSEC enabled on my router, that comcast site loads perfectly fine. The only time it doesn't is when I'm using my ISP's DNS with local DNSSEC enabled on my router. No idea why.

I don't know if our experiences are different because of firmware version? I'm using the latest Merlin firmware. I think you're using latest Asus?
 
> Your results are strange though and I can't replicate them. As I've stated before, when using Quad9 or Cloudflare with local DNSSEC enabled on my router, that comcast site loads perfectly fine. The only time it doesn't is when I'm using my ISP's DNS with local DNSSEC enabled on my router. No idea why.
>
> I don't know if our experiences are different because of firmware version? I'm using the latest Merlin firmware. I think you're using latest Asus?
My results were confirmed by Treadler (Post #16) and dave14305 (Post #30). I suggested two possibilities for the discrepancy: My tests so far only had DNSSEC enabled (but not DoT) and I flushed all DNS caches before each test.
 
I flushed DNS too before each test (on the device I was testing with). DoT shouldn't have anything to do with this. Perhaps it's something to do with a potential difference with dnsmasq on Asus firmware vs Merlin…
 
> I flushed DNS too before each test (on the device I was testing with). DoT shouldn't have anything to do with this. Perhaps it's something to do with dnsmasq...
I noticed inconsistencies if I didn't flush all the caches (Router, OS and browser). I'll have to test with both DoT and DNSSEC enabled to see if there is a change. Nevertheless, I think DNSSEC is not reliable enough as explained in great detail above.
 
> I noticed inconsistencies if I didn't flush all the caches (Router, OS and browser). I'll have to test with both DoT and DNSSEC enabled to see if there is a change. Nevertheless, I think DNSSEC is not reliable enough as explained in great detail above.
The tests and explanation you refer to as "explained in great detail" were done with a "cold" cache. The tester admitted that his results were not real world as a result of this. In a real world DNS scenario, dnsmasq will cache 5000 entries by default which over time will tend to smooth out the DNS response. Even with DNSSEC and DoT enabled. 99.9% of users with a SOHO router will not notice the difference. They may not notice or may not care about the increased security either. Gamers may be different but then gamers are different...

The use of DoT and DNSSEC are recommended for added security. However, your upstream resolver has to support them. My guess is that most ISPs that run their own DNS resolvers do not support DNSSEC or DoT. As for Quad9, I suspect they may be doing their own thing and are not in full compliance with current internet standards. Actually, I've suspected this of them for quite a few years. Yes, I have used Quad9 but I do prefer Cloudflare Secure just because it works well for me. I also realize that it is probable that false positives will crop up (do you suppose there is something in the comcast business web site that is triggering a block?).

The bottom line is that you need to choose what is best for you and your network. I choose to use DNSSEC (enabled on my router and a RPI 3b+ with Pi-Hole and phishing, malware, scam and standard block lists) as I feel it adds an additional layer of security. I also encourage my family to do safe browsing.
 
These domains failed to resolve with DNSSEC enabled with quad9:
Code:
trident-prod.digital.business.comcast.com
static.digital.business.comcast.com
web-analytics.digital.business.comcast.com
bsee-shared-hmd.prod.digital.business.comcast.com
amazon.partners.tremorhub.com

Code:
Jun 21 14:28:01 dnsmasq[28694]: validation trident-prod.digital.business.comcast.com is BOGUS
Jun 21 14:28:01 dnsmasq[28694]: validation web-analytics.digital.business.comcast.com is BOGUS
Jun 21 14:28:02 dnsmasq[28694]: validation mega-menu-content-prod.digital.business.comcast.com is BOGUS
snip
This was without DoT.
 
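The dnsmasq lines quoted above are the evidence worth collecting before deciding whether local validation is worth keeping: they name exactly which records the router's validator rejected. The script below is an added example and is not from this thread or from the Asus/Merlin firmware. It summarises BOGUS validations from a syslog excerpt (the sample lines are constructed here to match the format quoted above, with a made-up PID and timestamps) and, where dig is installed, reports whether an upstream resolver sets the AD flag for a name, which is the "let the upstream do the validating" case discussed in this thread. The resolver address and the domain passed to it are assumptions of the example.

```shell
#!/bin/sh
# Added example, not part of the thread or the router firmware.
# Sample dnsmasq log excerpt (constructed): three names marked BOGUS,
# one repeated, plus a summary line and an unrelated reply line that
# must not be counted.
SAMPLE_LOG='Jun 21 14:28:01 dnsmasq[28694]: validation trident-prod.digital.business.comcast.com is BOGUS
Jun 21 14:28:01 dnsmasq[28694]: validation web-analytics.digital.business.comcast.com is BOGUS
Jun 21 14:28:02 dnsmasq[28694]: validation mega-menu-content-prod.digital.business.comcast.com is BOGUS
Jun 21 14:28:02 dnsmasq[28694]: validation result is BOGUS
Jun 21 14:28:03 dnsmasq[28694]: validation trident-prod.digital.business.comcast.com is BOGUS
Jun 21 14:28:03 dnsmasq[28694]: reply example.net is 93.184.216.34'

# bogus_names: read dnsmasq syslog text on stdin and print "count name"
# for every name the local validator marked BOGUS, most frequent first.
# Field layout: $1-$3 timestamp, $4 "dnsmasq[pid]:", $5 "validation",
# $6 name, $7 "is", $8 status. The "validation result is ..." summary
# line has "result" in $6 and is skipped.
bogus_names() {
    awk '$5 == "validation" && $6 != "result" && $8 == "BOGUS" { n[$6]++ }
         END { for (k in n) print n[k], k }' | sort -rn
}

# ad_flag_set NAME RESOLVER: ask RESOLVER for NAME with DNSSEC requested
# and succeed only if the reply carries the AD (authenticated data) flag,
# i.e. the upstream resolver validated the answer itself. Requires dig;
# not exercised offline. Example (assumed values):
#   ad_flag_set business.comcast.com 9.9.9.9 && echo "upstream validated"
ad_flag_set() {
    dig +dnssec +noall +comments @"$2" "$1" A | grep -Eq 'flags:( [a-z]+)* ad[ ;]'
}

# Stand-alone run: summarise the sample excerpt. On a router, feed the
# real log instead, e.g.  grep 'validation' /tmp/syslog.log | bogus_names
printf '%s\n' "$SAMPLE_LOG" | bogus_names
```

On a router the names that repeat at the top of the list are the ones to check against the upstream resolver with ad_flag_set: a name the upstream answers with AD set but the router marks BOGUS points at a local validation problem (clock, trust anchor, or a dnsmasq difference between firmware builds) rather than a bad zone.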
Those fail for me too regardless of my configuration - Cloudflare with or without local DNSSEC enabled; and my ISP DNS with or without local DNSSEC enabled.
 
> Those fail for me too regardless of my configuration - Cloudflare with or without local DNSSEC enabled; and my ISP DNS with or without local DNSSEC enabled.
May be a testing error. Perhaps cache issue. Regional issue. Don't know. But those work just fine including business.comcast.com with standard UDP DNS as well as DoT. You can run a test here as well: https://www.browserling.com
 
Those domains all fail for me even when testing from my phone over my cellular network (bypassing my router) with plain old DNS.
 
> Those domains all fail for me even when testing from my phone over my cellular network (bypassing my router) with plain old DNS.
Oh, are you trying static.digital.business.comcast.com or business.comcast.com. The correct domain to test is: business.comcast.com
 
The former :)

As I’ve stated before, business.comcast.com loads perfectly when using Quad9 or Cloudflare regardless if local DNSSEC is enabled or not. And it also loads perfectly when using my ISP’s DNS but only if local DNSSEC is disabled.

The only time that site doesn’t load properly is when using my ISP’s DNS combined with local DNSSEC enabled. And when I say “doesn’t load properly”, I don’t mean it’s blocked/doesn’t load at all. The site loads but it’s broken (missing content, incorrect fonts, etc).

Again, I’m using an AX86U Pro with latest Merlin firmware.
 
> My results were confirmed by Treadler (Post #16) and dave14305 (Post #30). I suggested two possibilities for the discrepancy: My tests so far only had DNSSEC enabled (but not DoT) and I flushed all DNS caches before each test.

I've got two networks, one served by Comcast and one served by Spectrum. Both networks have ASUS routers running 388.7 and using DNSSEC + DoT with quad9 along with the router set to force all DNS traffic to use the router settings. The Comcast business website fails to load properly for both locations. If I disable DNSSEC, it loads properly.

If I switch to 1.1.1.2 for both DNSSEC and DoT (security.cloudflare-dns.com), I get the same results at both locations vs DNSSEC enable/disable, so it is not a quad9 thing for this site, at least for me.

All that aside, the comments from quad9 about DNSSEC being unneeded at the home router level for their DNS servers is interesting to hear. They seem to be saying that we do the DNSSEC for you, so there is no need to do it at the router level, and DoT takes care of MITM possibility for the connection to their DNS server. Seems like a bunch of people here disagree.
 
> I've got two networks, one served by Comcast and one served by Spectrum. Both networks have ASUS routers running 388.7 and using DNSSEC + DoT with quad9 along with the router set to force all DNS traffic to use the router settings. The Comcast business website fails to load properly for both locations. If I disable DNSSEC, it loads properly.
>
> If I switch to 1.1.1.2 for both DNSSEC and DoT (security.cloudflare-dns.com), I get the same results at both locations vs DNSSEC enable/disable, so it is not a quad9 thing for this site, at least for me.
>
> All that aside, the comments from quad9 about DNSSEC being unneeded for their DNS servers is interesting to hear. They seem to be saying that we do the DNSSEC for you, so there is no need to do it at the router levels, and DoT takes care of MITM possibility for the connection to their DNS server. Seems like a bunch of people here disagree.
I don’t disagree with Quad9. I think what they’re saying makes sense. Let the upstream resolver do DNSSEC validation, and use DoT for last mile protection by encrypting the traffic between router (and clients) and upstream resolver.

As I’ve stated before, IMO, using local DNSSEC on the router (when the upstream resolver is already doing the validation) isn’t worth the additional overhead/performance hit and potential issues it can introduce. We’re already seeing different behavior (in this thread) between routers running stock Asus firmware and routers running latest Merlin firmware with local DNSSEC enabled when trying to resolve that Comcast site…and it likely points to differences in dnsmasq between firmware versions. I’d rather avoid these issues altogether if DNSSEC is already being done by the upstream resolver and traffic is encrypted. That’s just my two cents…people can do as they wish :)
 
> I've got two networks, one served by Comcast and one served by Spectrum. Both networks have ASUS routers running 388.7 and using DNSSEC + DoT with quad9 along with the router set to force all DNS traffic to use the router settings. The Comcast business website fails to load properly for both locations. If I disable DNSSEC, it loads properly.
>
> If I switch to 1.1.1.2 for both DNSSEC and DoT (security.cloudflare-dns.com), I get the same results at both locations vs DNSSEC enable/disable, so it is not a quad9 thing for this site, at least for me.
>
> All that aside, the comments from quad9 about DNSSEC being unneeded for their DNS servers is interesting to hear. They seem to be saying that we do the DNSSEC for you, so there is no need to do it at the router level, and DoT takes care of MITM possibility for the connection to their DNS server. Seems like a bunch of people here disagree.
No problem here loading https://business.comcast.com/ when using Cloudflare Security with DNSSEC enabled. Oh, am also using DoT.

DNSSEC is the best way to provide last mile security between your upstream resolvers and your network.

 
