On 22/10/2018 17:56, Craig Andrews wrote:
> I'm unable to look up *.disa.mil when using dnsmasq - I'm hoping that we
> can figure out why that is.
>
> I have dnsmasq configured to use Cloudflare's 1.1.1.1 as its upstream
> DNS server; dnsmasq is running on 192.168.0.1.
>
> Here are a couple of tests demonstrating the problem:
> ------
> $ dig disa.mil @192.168.0.1 +dnssec +short
> <no output>
> $ dig disa.mil @8.8.8.8 +dnssec +short
> 156.112.108.76
> A 8 2 7200 20181117145327 20181018145327 52983 disa.mil.
> dMS5WbQ5xJ0HuCBPZUkuoshf0A2n1tvxA75smhcFZNS5SHSOA0zsQaSc
> YOzNdu5gH6qFXA7TbKhPYN0RcPD+vVcmtfbzv3eJZfh4343IXlBznG6w
> aLaLt+kI6GGnPQ7skNWOcO4yLct+yaeNxTT95CZnHtwRUx3vzGHS3dJF GYc=
> [candrews@craigatwork vars]$ dig disa.mil @1.1.1.1 +dnssec +short
> 156.112.108.76
> ------
> So looking it up using Google's 8.8.8.8 or Cloudflare's 1.1.1.1 with
> dnssec works, but not with dnsmasq.
>
> ------
> # dnsmasq --version
> Dnsmasq version 2.80test3 Copyright (c) 2000-2018 Simon Kelley
> Compile time options: IPv6 GNU-getopt no-DBus no-i18n no-IDN DHCP DHCPv6
> no-Lua TFTP conntrack ipset auth DNSSEC no-ID loop-detect inotify dumpfile
>
> This software comes with ABSOLUTELY NO WARRANTY.
> Dnsmasq is free software, and you are welcome to redistribute it
> under the terms of the GNU General Public License, version 2 or 3.
> ------
>
> Thanks in advance for your help and for this great software,
> ~Craig

I can reproduce this, and checking with DNSviz doesn't show any problems with the domain, so this could well be a dnsmasq/DNSSEC problem. I'll try and find time to do some forensics on it in the next day or two.

Cheers,

Simon.
_______________________________________________
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss