I have an RT-AC87U running 384.11.2, using Cloudflare's DNS servers with strict mode DNS-over-TLS and DNSSEC turned on.
A few days ago I noticed that my 87U can't resolve checkip.amazonaws.com, which is the primary server that my router's DDNS script uses to get its external IP in my double NAT setup. I only noticed it because I installed uiDivStats (using Diversion Lite v4.1.0) and it showed as many DNS requests for ipv4.myip.dk (the backup server that the script uses only if the primary fails) as for checkip.amazonaws.com, so I don't know how long this has been happening for; I've used DNSSEC for a while.
The lookup fails on the router but it succeeds on my laptop on the LAN using the router as its DNS server. It looks like the reason is that the answer is too long for UDP; note the ";; Truncated, retrying in TCP mode" from my laptop, which falls back to TCP and succeeds, while the router doesn't and fails. If I turn off DNSSEC the router can resolve it too. How can I make this work on the router with DNSSEC turned on?
Router with DNSSEC turned on:
Code:
me@87u:/tmp/home/root# nslookup checkip.amazonaws.com
Server: 127.0.0.1
Address 1: 127.0.0.1 localhost.localdomain
nslookup: can't resolve 'checkip.amazonaws.com'
me@87u:/tmp/home/root# nslookup ipv4.myip.dk
Server: 127.0.0.1
Address 1: 127.0.0.1 localhost.localdomain
Name: ipv4.myip.dk
Address 1: 104.28.7.4
Address 2: 104.28.6.4
me@87u:/tmp/home/root#
Router with DNSSEC turned off:
Code:
me@87u:/tmp/home/root# nslookup checkip.amazonaws.com
Server: 127.0.0.1
Address 1: 127.0.0.1 localhost.localdomain
Name: checkip.amazonaws.com
Address 1: 52.6.79.229 ec2-52-6-79-229.compute-1.amazonaws.com
Address 2: 34.233.102.38 ec2-34-233-102-38.compute-1.amazonaws.com
Address 3: 18.211.215.84 ec2-18-211-215-84.compute-1.amazonaws.com
Address 4: 52.206.161.133 ec2-52-206-161-133.compute-1.amazonaws.com
Address 5: 52.202.139.131 ec2-52-202-139-131.compute-1.amazonaws.com
Address 6: 52.200.125.74 ec2-52-200-125-74.compute-1.amazonaws.com
me@87u:/tmp/home/root#
Laptop with DNSSEC turned on on the router:
Code:
[me@laptop ~]$ nslookup checkip.amazonaws.com
;; Truncated, retrying in TCP mode.
Server: [my router's LAN IP]
Address: [my router's LAN IP]#53
Non-authoritative answer:
checkip.amazonaws.com canonical name = checkip.check-ip.aws.a2z.com.
checkip.check-ip.aws.a2z.com canonical name = checkip.us-east-1.prod.check-ip.aws.a2z.com.
Name: checkip.us-east-1.prod.check-ip.aws.a2z.com
Address: 52.202.139.131
Name: checkip.us-east-1.prod.check-ip.aws.a2z.com
Address: 52.200.125.74
Name: checkip.us-east-1.prod.check-ip.aws.a2z.com
Address: 52.6.79.229
Name: checkip.us-east-1.prod.check-ip.aws.a2z.com
Address: 34.233.102.38
Name: checkip.us-east-1.prod.check-ip.aws.a2z.com
Address: 18.211.215.84
Name: checkip.us-east-1.prod.check-ip.aws.a2z.com
Address: 52.206.161.133
[me@laptop ~]$