RomanHK wrote:
coits wrote:
I have installed dnsmasq-full and stubby. It seems it doesn't play very well when you have dnscrypt running on it. When I run nslookup it is still showing 127.0.0.1:53.
I believe I need to do some port forwarding from 53 to 5453 so that nslookup will show 127.0.01:5453.
Syslog is still flooding with these errors: "Insecure DS reply received, do upstream DNS servers support DNSSEC?"
I used Cloudflare 1.1.1.1 and 1.0.0.1.
Any thoughts or idea guys, it's nice to have this working.
Thank you.
Okay. This will be an ISP problem, disable it for DNS to be accessible. In
/etc/config/dhcp, change the value as follows:
So I hope you've added these values:
option dnssec '1'
option dnsseccheckunsigned '1'
list server '127.0.0.1#5453'
And watch out for typos (127.0.01:5453)
They should help. Let me know if you do.
Still not working. I tried to run nslookup and ping, but to no avail.
Please see details below.
Any thoughts on why dnssec is not working?
Thank you.
================================
nslookup google.ca
;; connection timed out; no servers could be reached
ping google.ca
ping: bad address 'google.ca'
================================
dhcp configuration:
===================
option resolvfile '/dev/null'
option nonwildcard '1'
option localservice '1'
option noresolv '1'
option dnssec '1'
option dnsseccheckunsigned '1'
list server '127.0.0.1#5453'
list server '127.0.0.1#5353'
list server '/pool.ntp.org/208.67.222.222'
===================
Syslog is flooding with same error below.
================================
Insecure DS reply received, do upstream DNS servers support DNSSEC?
================================
I have tested stubby and it looks good if port 5453 was specified.
================================
; <<>> DiG 9.11.2-P1 <<>> dnssectest.sidn.nl +dnssec +multi -p5453 @127.0.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42421
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1452
;; QUESTION SECTION:
;dnssectest.sidn.nl. IN A
;; ANSWER SECTION:
dnssectest.sidn.nl. 14400 IN A 213.136.9.12
dnssectest.sidn.nl. 14400 IN RRSIG A 8 3 14400 (
20190425133854 20190326133854 42033 sidn.nl.
eJRvKCpzWqZVkuq/yJiV398ZRQrdCKLx+Sut8S5FGnhw
kdyhG/YIZW2wnf+xPqF7f1HxVI/Yu9PLjySbSDZU3mrc
LJs+60WM05r5vsH4IisPoxjH1/5cHF6Rqbc5hVhlVStJ
NeYQtw20SAIJ55dVPDhAH2LcEmv/uc1q6tgRftQ= )
================================
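
The dig test above covers only the stubby port, while the dhcp configuration lists more than one upstream. The script below is an added example, not part of the original post: it pulls every global upstream out of the `list server` lines and classifies a `dig +dnssec` reply from each one. The function names and the embedded sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the post). Function names are hypothetical.

# Constructed sample: the server lines from the dhcp configuration in the post.
SAMPLE_CONF="option noresolv '1'
option dnssec '1'
list server '127.0.0.1#5453'
list server '127.0.0.1#5353'
list server '/pool.ntp.org/208.67.222.222'"

# Print "host port" for every global upstream in a UCI dhcp config.
# Entries of the form /domain/server apply to that domain only and are skipped.
list_upstreams() {
    printf '%s\n' "$1" |
    sed -n "s/^[[:space:]]*list server '\([^']*\)'.*/\1/p" |
    while IFS= read -r entry; do
        case "$entry" in
            /*)    continue ;;
            *'#'*) echo "${entry%%#*} ${entry#*#}" ;;
            *)     echo "$entry 53" ;;
        esac
    done
}

# Classify dig +dnssec output:
#   validated  - header carries the AD flag (the upstream validated the answer)
#   signed     - no AD flag, but RRSIG records were returned
#   no-dnssec  - neither (or no reply at all): nothing for dnsmasq to validate
classify_reply() {
    if printf '%s\n' "$1" | grep -Eq '^;; flags:[^;]* ad[ ;]'; then
        echo validated
    elif printf '%s\n' "$1" | grep -Eq '[[:space:]]IN[[:space:]]+RRSIG[[:space:]]'; then
        echo signed
    else
        echo no-dnssec
    fi
}

# Live check, run by hand on the router: one line per upstream.
# Uses the same test name and dig options as the post.
check_upstreams() {
    list_upstreams "$(cat "${1:-/etc/config/dhcp}")" |
    while read -r host port; do
        reply=$(dig dnssectest.sidn.nl +dnssec -p"$port" @"$host" 2>&1)
        echo "$host#$port $(classify_reply "$reply")"
    done
}
```

Running `check_upstreams` on the router prints one line per upstream, so a listener that returns no DNSSEC data shows up next to the one that does.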