DNSSEC log

[bluepoint]

Are you getting this log using cloudfare's DNS with DNSSEC support enabled?
dnsmasq[248]: Insecure DS reply received, do upstream DNS servers support DNSSEC?

I do, whenever my daughter in law goes to portal.chamberlain.edu. Together with the said log, the website comes up blank intermittently, sometimes it works, sometimes it doesn't. If DNSSEC support is disabled, the website comes up normally. What's weird is, when I tried another DNS(QUAD9) with DNSSEC support enabled it works perfectly and so it doesn't produce the log. So it seems the problem lies between the site(portal.chamberlain.edu), cloudflare or Merlin's firmware's DNSSEC support implementation. However, I doubt if it's the firmware causing it as the site works with Quad's DNS.
Can someone please try and see if you can duplicate our experience?

Rt-AC68P 384.6 B1 or even the Alpha's with DNSSEC support enabled
DNS 1.1.1.1 or 1.0.0.1
Website: portal.chamberlain.edu
Browser: Edge or Safari

 

[skeal]

Are you getting this log using cloudfare's DNS with DNSSEC support enabled?
dnsmasq[248]: Insecure DS reply received, do upstream DNS servers support DNSSEC?

I do, whenever my daughter in law goes to portal.chamberlain.edu. Together with the said log, the website comes up blank intermittently, sometimes it works, sometimes it doesn't. If DNSSEC support is disabled, the website comes up normally. What's weird is, when I tried another DNS(QUAD9) with DNSSEC support enabled it works perfectly and so it doesn't produce the log. So it seems the problem lies between the site(portal.chamberlain.edu), cloudflare or Merlin's firmware's DNSSEC support implementation. However, I doubt if it's the firmware causing it as the site works with Quad's DNS.
Can someone please try and see if you can duplicate our experience?

Rt-AC68P 384.6 B1 or even the Alpha's with DNSSEC support enabled
DNS 1.1.1.1 or 1.0.0.1
Website: portal.chamberlain.edu
Browser: Edge or Safari

I can confirm this but I have no clue why.

 

[john9527]

Thought I had read a post with a possible explanation for Cloudfare not being able to resolve some sites.....

https://www.snbforums.com/threads/b...eta-is-now-available.47772/page-2#post-418024

 

[bluepoint]

Test again, It was a CloudFLARE problem, but they fixed today.

Do you have any reference that they fix it? Thank you all!

Update: BTW, I just tested and the problem is still there.

 

[HowIFix]

Do you have any reference that they fix it? Thank you all!

Update: BTW, I just tested and the problem is still there.

If you have problems, you can report here: (or install Asuswrt-Merlin v384.5)
https://community.cloudflare.com/c/reliability

DNS & Network
Discuss all things DNS, including DNSSEC, IPv6, and other reliability feature related questions.

 

[bluepoint]

If you have problems, you can report here: (or install Asuswrt-Merlin v384.5)
https://community.cloudflare.com/c/reliability

I already did 4 days ago.
https://community.cloudflare.com/t/unable-to-reach-a-sub-site-from-chamberlain-edu/24637
At this time I don't know if there is a fix but the site has been working as of past 2 hours. I'll observe whole day and see if it stays.

 

[Mutzli]

Do you have any reference that they fix it? Thank you all!

Update: BTW, I just tested and the problem is still there.

I don't show any DNSSEC entries in my log for the last week or so. I wonder if it depends on the location you're on. Maybe they are updating the servers or it has something to do with geo-routing.

 

[bluepoint]

I don't show any DNSSEC entries in my log for the last week or so. I wonder if it depends on the location you're on. Maybe they are updating the servers or it has something to do with geo-routing.

There will be a log if DNSSEC cannot render the site. Are you able to go to portal.chamberlain.edu? Right now, it's working for me and naturally there is no log.

 

[Mutzli]

There will be a log if DNSSEC cannot render the site. Are you able to go to portal.chamberlain.edu? Right now, it's working for me and naturally there is no log.

No, it loads an empty gray page and I do get a DNSSEC error: Jul 20 16:43:27 dnsmasq[28258]: Insecure DS reply received, do upstream DNS servers support DNSSEC?

I have not seen this in over a week. Maybe no one on this router tried to access a site that returned a DNSSEC error.

 

[best.binoculars]

I already did 4 days ago.
https://community.cloudflare.com/t/unable-to-reach-a-sub-site-from-chamberlain-edu/24637
At this time I don't know if there is a fix but the site has been working as of past 2 hours. I'll observe whole day and see if it stays.

The page you're trying to access loads some script from this CDN: cdn.ckeditor.com
The intermittent blank page is caused by problem resolving this domain.

You can test it yourself, try blocking that domain (cdn.ckeditor.com), either by using extension like uMatrix or entering that domain to your HOST file or firewall. It will load empty page.

Repeat the nslookup test the Cloudflare staff told you to do, use cdn.ckeditor.com
This time you'll see, cloudflare gives different address compared to 8.8.8.8

::EDIT::
Sorry forgot to mention, do the nslookup test when you have problem accessing the page.
When there's no problem, the nslookup will give the same address.

 

[bluepoint]

The page you're trying to access loads some script from this CDN: cdn.ckeditor.com
The intermittent blank page is caused by problem resolving this domain.

You can test it yourself, try blocking that domain (cdn.ckeditor.com), either by using extension like uMatrix or entering that domain to your HOST file or firewall. It will load empty page.

Repeat the nslookup test the Cloudflare staff told you to do, use cdn.ckeditor.com
This time you'll see, cloudflare gives different address compared to 8.8.8.8

Yes indeed, cloudflare gives a different address than google's.

PS C:\Users\> nslookup cdn.ckeditor.com 1.1.1.1
Server:  1dot1dot1dot1.cloudflare-dns.com
Address:  1.1.1.1
Non-authoritative answer:
Name:    d3vxtqk803u6i6.cloudfront.net
Addresses:  52.85.101.10
          52.85.101.76
          52.85.101.195
          52.85.101.207
Aliases:  cdn.ckeditor.com
PS C:\Users\> nslookup cdn.ckeditor.com 8.8.8.8
Server:  google-public-dns-a.google.com
Address:  8.8.8.8
Non-authoritative answer:
Name:    d3vxtqk803u6i6.cloudfront.net
Addresses:  13.33.35.192
          13.33.35.39
          13.33.35.44
          13.33.35.63
Aliases:  cdn.ckeditor.com

So who do you think I should report these? But then again why is it resolving when DNSSEC is disabled? Also, checked nslookup using Quad9 and it resolves equally with cloudflare's. I have a feeling that since it's a CDN, the ip's will vary, it so happens cloudflare and Quad9 agrees.

PS C:\Users\> nslookup cdn.ckeditor.com 9.9.9.9
Server:  dns.quad9.net
Address:  9.9.9.9
Non-authoritative answer:
Name:    d3vxtqk803u6i6.cloudfront.net
Addresses:  52.85.101.76
          52.85.101.10
          52.85.101.195
          52.85.101.207
Aliases:  cdn.ckeditor.com

 

[john9527]

I have a feeling that since it's a CDN, the ip's will vary, it so happens cloudflare and Quad9 agrees.

Right...I'm using a DNSCrypt server that supports DNSSEC and it resolves to yet another address for me. The edu portal loads fine for me.

nslookup cdn.ckeditor.com 192.168.1.1
Server:  router.asus.com
Address:  192.168.1.1

Non-authoritative answer:
Name:    d3vxtqk803u6i6.cloudfront.net
Addresses:  54.192.151.91
          54.192.151.108
          54.192.151.39
          54.192.151.57
Aliases:  cdn.ckeditor.com

 

[best.binoculars]

So who do you think I should report these?

I don't think you can do much about it, whomever you report to will blame the other party.

IMHO, a DNS resolver should resolve all domain without any problem. I wouldn't use a resolver that breaks access to certain domain or CDN.

 

[bluepoint]

IMHO, a DNS resolver should resolve all domain without any problem. I wouldn't use a resolver that breaks access to certain domain or CDN.

In a sense it's true that DNS resolver must not break access to any sites, however, unexpected problems sometimes shows its ugly head. As a user that experience a problem I'd like them to know so they can fix the problem not only for me but for everybody.
Cloudflare's DNS is fast and guarantee privacy if you believe them.

We will never log your IP address (the way other companies identify you). And we’re not just saying that. We’ve retained KPMG to audit our systems annually to ensure that we're doing what we say.

Frankly, we don’t want to know what you do on the Internet—it’s none of our business—and we’ve taken the technical steps to ensure we can’t.

https://1.1.1.1/

At this time the edu portal is still resolving for me, maybe somebody has fixed it. Let's see in the next coming days.

 

[INeedYou]

In a sense it's true that DNS resolver must not break access to any sites, however, unexpected problems sometimes shows its ugly head. As a user that experience a problem I'd like them to know so they can fix the problem not only for me but for everybody.
Cloudflare's DNS is fast and guarantee privacy if you believe them.

We will never log your IP address (the way other companies identify you). And we’re not just saying that. We’ve retained KPMG to audit our systems annually to ensure that we're doing what we say.

Frankly, we don’t want to know what you do on the Internet—it’s none of our business—and we’ve taken the technical steps to ensure we can’t.

https://1.1.1.1/

At this time the edu portal is still resolving for me, maybe somebody has fixed it. Let's see in the next coming days.

 

[Flitzjoy]

Regarding those logs I complain about them since alpha version with the new dnsmasq.

Already tried Google, CloudFlare and Quad9 DNSs (always disabling my router IP as additional DNS) and as a network newbie I believe when they said it supports the feature.

My basic test case is check the status in this website after clearing Windows and Chrome DNS cache. I´ve got positive for those 3 providers and negative when using my ISP DNS. (So again I believe it's working).

Anyway the log entry keeps popping in my System Logs but as it doesn't affect in anything my performance I learned to ignore it.

Another side effect of this configuration is Internet showed as disconnect in network map even working normally.

 

[Treadler]

I have trialled both Quad9, & Cloudflare.
DNSSEC support > yes, DNS rebind protection > yes.
Cloudflare results in log messages “do upstream servers support DNSSEC”.
Quad9 though, is fine, no errors.

Looks like Cloudflare has a problem......

 

[Flitzjoy]

Hummm.... just saw that system log on boot
"
Jul 26 20:04:33 dnsmasq[4213]: using nameserver 200.204.0.138#53
Jul 26 20:04:33 dnsmasq[4213]: using nameserver 200.204.0.10#53
"
those are my ISP DNS, not the one specified in Lan -> DHCP Server.

I´m missing something?

 

[kfp]

Hummm.... just saw that system log on boot
"
Jul 26 20:04:33 dnsmasq[4213]: using nameserver 200.204.0.138#53
Jul 26 20:04:33 dnsmasq[4213]: using nameserver 200.204.0.10#53
"
those are my ISP DNS, not the one specified in Lan -> DHCP Server.

I´m missing something?

WAN > WAN DNS Setting > No
then put whatever you want there

the settings on the DHCP page is just the server IPs pushed to clients via DHCP, not what dnsmasq would forward to

 

[Treadler]

Hummm.... just saw that system log on boot
"
Jul 26 20:04:33 dnsmasq[4213]: using nameserver 200.204.0.138#53
Jul 26 20:04:33 dnsmasq[4213]: using nameserver 200.204.0.10#53
"
those are my ISP DNS, not the one specified in Lan -> DHCP Server.

I´m missing something?

Go to AiProtect>DNS Filtering>turn on & select ‘router’, (leave the DNS fields blank).
That forces all DNS to be directed to your router, & your chosen servers.
Worked for me.........

(DNS in LAN>DHCP should be blank. Enter your chosen servers in WAN. & IPv6 if needed).