Netgate Discussion Forum
DNS Resolver + DNSSEC + sharepoint.com = SERVFAIL : my solution :-) [SOLVED]

Category: DHCP and DNS
10 Posts, 2 Posters, 2.9k Views
  LucaTo, May 26, 2016, 4:40 PM (last edited Sep 1, 2017, 2:13 PM)

    Hi!
    This is an old issue (https://forum.pfsense.org/index.php?topic=85640.msg469919#msg469919)
    but it still persists today…
    This is my solution/workaround to bypass the issue without needing to disable forwarding mode:
    just put this in "Custom Options" on the "DNS Resolver" settings page:

    server: domain-insecure: "sharepoint.com"
    

    Restart unbound/DNS Resolver service and… it works!  :)

    johnpoz (LAYER 8, Global Moderator), May 26, 2016, 7:14 PM

      Not sure what your issue is, but sharepoint.com has no dnssec enabled, and is only a cname for sharepoint.microsoft.com, which also has no dnssec enabled, which is just SAD… But having dnssec set up on unbound would not cause SERVFAIL on this, nor should you have to set the domain as insecure.

      
      user@ubuntu:~$ dig sharepoint.com
      
      ; <<>> DiG 9.9.5-3ubuntu0.8-Ubuntu <<>> sharepoint.com
      ;; global options: +cmd
      ;; Got answer:
      ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11375
      ;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
      
      ;; OPT PSEUDOSECTION:
      ; EDNS: version: 0, flags:; udp: 4096
      ;; QUESTION SECTION:
      ;sharepoint.com.                        IN      A
      
      ;; ANSWER SECTION:
      sharepoint.com.         86400   IN      CNAME   sharepoint.microsoft.com.
      sharepoint.microsoft.com. 3600  IN      A       65.55.39.10
      sharepoint.microsoft.com. 3600  IN      A       64.4.6.100
      
      ;; Query time: 171 msec
      ;; SERVER: 192.168.9.253#53(192.168.9.253)
      ;; WHEN: Thu May 26 14:13:31 CDT 2016
      ;; MSG SIZE  rcvd: 110
      
      user@ubuntu:~$ dig sharepoint.microsoft.com
      
      ; <<>> DiG 9.9.5-3ubuntu0.8-Ubuntu <<>> sharepoint.microsoft.com
      ;; global options: +cmd
      ;; Got answer:
      ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27340
      ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
      
      ;; OPT PSEUDOSECTION:
      ; EDNS: version: 0, flags:; udp: 4096
      ;; QUESTION SECTION:
      ;sharepoint.microsoft.com.      IN      A
      
      ;; ANSWER SECTION:
      sharepoint.microsoft.com. 3589  IN      A       65.55.39.10
      sharepoint.microsoft.com. 3589  IN      A       64.4.6.100
      
      ;; Query time: 9 msec
      ;; SERVER: 192.168.9.253#53(192.168.9.253)
      ;; WHEN: Thu May 26 14:13:42 CDT 2016
      ;; MSG SIZE  rcvd: 85
      
      user@ubuntu:~$
      
      

      So not sure what your issue is, but what you think fixed it has nothing to do with it.

      Maybe you had something going on with unbound, and just its restart cleared up your problem.

      An intelligent man is sometimes forced to be drunk to spend time with his fools
      If you get confused: Listen to the Music Play
      Please don't Chat/PM me for help, unless mod related
      SG-4860 24.11 | Lab VMs 2.7.2, 24.11

      LucaTo, May 26, 2016, 7:35 PM

        Maybe you had something going on with unbound, and just its restart cleared up your problem.

        Yes, I agree with you, sharepoint.com is not a DNSSEC-signed domain,
        but this (DNSSEC verification relating to the sharepoint.com domain) is a known problem even outside the pfSense environment.

        https://community.sophos.com/products/unified-threat-management/f/53/t/76044

        Anyway, the issue described here: https://forum.pfsense.org/index.php?topic=85640.0
        is easily reproducible.

        johnpoz (LAYER 8, Global Moderator), May 27, 2016, 12:37 PM

          Dude, that thread is from 2014; maybe at that time they had tried to implement dnssec on the domain, and failed?

          Currently I show no issues at all resolving sharepoint.com with unbound, and I for sure have dnssec enabled.

          
          user@ubuntu:~$ dig +comments test.dnssec-or-not.net
          
          ; <<>> DiG 9.9.5-3ubuntu0.8-Ubuntu <<>> +comments test.dnssec-or-not.net
          ;; global options: +cmd
          ;; Got answer:
          ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56465
          ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3
          
          ;; OPT PSEUDOSECTION:
          ; EDNS: version: 0, flags:; udp: 4096
          ;; QUESTION SECTION:
          ;test.dnssec-or-not.net.                IN      A
          
          ;; ANSWER SECTION:
          test.dnssec-or-not.net. 3600    IN      A       72.13.58.64
          
          ;; AUTHORITY SECTION:
          dnssec-or-not.net.      3600    IN      NS      ns0.dnssec-or-not.net.
          dnssec-or-not.net.      3600    IN      NS      ns1.dnssec-or-not.net.
          
          ;; ADDITIONAL SECTION:
          ns0.dnssec-or-not.net.  3600    IN      A       72.13.58.76
          ns1.dnssec-or-not.net.  3600    IN      A       72.13.58.80
          
          ;; Query time: 179 msec
          ;; SERVER: 192.168.9.253#53(192.168.9.253)
          ;; WHEN: Fri May 27 07:31:11 CDT 2016
          ;; MSG SIZE  rcvd: 135
          
          
          
          user@ubuntu:~$ dig sigok.verteiltesysteme.net
          
          ; <<>> DiG 9.9.5-3ubuntu0.8-Ubuntu <<>> sigok.verteiltesysteme.net
          ;; global options: +cmd
          ;; Got answer:
          ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59287
          ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 5
          
          ;; OPT PSEUDOSECTION:
          ; EDNS: version: 0, flags:; udp: 4096
          ;; QUESTION SECTION:
          ;sigok.verteiltesysteme.net.    IN      A
          
          ;; ANSWER SECTION:
          sigok.verteiltesysteme.net. 60  IN      A       134.91.78.139
          
          ;; AUTHORITY SECTION:
          verteiltesysteme.net.   3600    IN      NS      ns2.verteiltesysteme.net.
          verteiltesysteme.net.   3600    IN      NS      ns1.verteiltesysteme.net.
          
          ;; ADDITIONAL SECTION:
          ns1.verteiltesysteme.net. 3600  IN      A       134.91.78.139
          ns1.verteiltesysteme.net. 3600  IN      AAAA    2001:638:501:8efc::139
          ns2.verteiltesysteme.net. 3600  IN      A       134.91.78.141
          ns2.verteiltesysteme.net. 3600  IN      AAAA    2001:638:501:8efc::141
          
          ;; Query time: 169 msec
          ;; SERVER: 192.168.9.253#53(192.168.9.253)
          ;; WHEN: Fri May 27 07:33:29 CDT 2016
          ;; MSG SIZE  rcvd: 195
          
          user@ubuntu:~$ dig sigfail.verteiltesysteme.net
          
          ; <<>> DiG 9.9.5-3ubuntu0.8-Ubuntu <<>> sigfail.verteiltesysteme.net
          ;; global options: +cmd
          ;; Got answer:
          ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 14309
          ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
          
          ;; OPT PSEUDOSECTION:
          ; EDNS: version: 0, flags:; udp: 4096
          ;; QUESTION SECTION:
          ;sigfail.verteiltesysteme.net.  IN      A
          
          ;; Query time: 762 msec
          ;; SERVER: 192.168.9.253#53(192.168.9.253)
          ;; WHEN: Fri May 27 07:33:42 CDT 2016
          ;; MSG SIZE  rcvd: 57
          
          user@ubuntu:~$
          
          

          That second test is from http://dnssec.vs.uni-due.de/, which comes up when you google for dnssec-or-not.net


          LucaTo, May 27, 2016, 1:02 PM (last edited May 27, 2016, 1:48 PM)

            case A: DNSSEC enabled and DNS Query Forwarding enabled (FAILURE, ZERO ANSWER)

            [2.3.2-DEVELOPMENT][admin@******]/root: dig sharepoint.com
            
            ; <<>> DiG 9.10.3-P4 <<>> sharepoint.com
            ;; global options: +cmd
            ;; Got answer:
            ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 28474
            ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
            
            ;; OPT PSEUDOSECTION:
            ; EDNS: version: 0, flags:; udp: 4096
            ;; QUESTION SECTION:
            ;sharepoint.com.                        IN      A
            
            ;; Query time: 250 msec
            ;; SERVER: 127.0.0.1#53(127.0.0.1)
            ;; WHEN: Fri May 27 14:49:28 CEST 2016
            ;; MSG SIZE  rcvd: 43
            

            case B: DNSSEC enabled and DNS Query Forwarding disabled (SUCCESS)

            [2.3.2-DEVELOPMENT][admin@*****]/root: dig sharepoint.com
            
            ; <<>> DiG 9.10.3-P4 <<>> sharepoint.com
            ;; global options: +cmd
            ;; Got answer:
            ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24949
            ;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
            
            ;; OPT PSEUDOSECTION:
            ; EDNS: version: 0, flags:; udp: 4096
            ;; QUESTION SECTION:
            ;sharepoint.com.                        IN      A
            
            ;; ANSWER SECTION:
            sharepoint.com.         86399   IN      CNAME   sharepoint.microsoft.com.
            sharepoint.microsoft.com. 3600  IN      A       65.55.39.10
            sharepoint.microsoft.com. 3600  IN      A       64.4.6.100
            
            ;; Query time: 546 msec
            ;; SERVER: 127.0.0.1#53(127.0.0.1)
            ;; WHEN: Fri May 27 14:53:55 CEST 2016
            ;; MSG SIZE  rcvd: 110
            

            case C: DNSSEC disabled and DNS Query Forwarding enabled (SUCCESS)

            [2.3.2-DEVELOPMENT][admin@*******]/root: dig sharepoint.com
            
            ; <<>> DiG 9.10.3-P4 <<>> sharepoint.com
            ;; global options: +cmd
            ;; Got answer:
            ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39032
            ;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 4, ADDITIONAL: 9
            
            ;; OPT PSEUDOSECTION:
            ; EDNS: version: 0, flags:; udp: 4096
            ;; QUESTION SECTION:
            ;sharepoint.com.                        IN      A
            
            ;; ANSWER SECTION:
            sharepoint.com.         21800   IN      CNAME   sharepoint.microsoft.com.
            sharepoint.microsoft.com. 3600  IN      A       65.55.39.10
            sharepoint.microsoft.com. 3600  IN      A       64.4.6.100
            
            ;; AUTHORITY SECTION:
            microsoft.com.          1544    IN      NS      ns3.msft.net.
            microsoft.com.          1544    IN      NS      ns4.msft.net.
            microsoft.com.          1544    IN      NS      ns2.msft.net.
            microsoft.com.          1544    IN      NS      ns1.msft.net.
            
            ;; ADDITIONAL SECTION:
            ns1.msft.net.           130     IN      A       208.84.0.53
            ns1.msft.net.           216     IN      AAAA    2620:0:30::53
            ns2.msft.net.           1544    IN      A       208.84.2.53
            ns2.msft.net.           11001   IN      AAAA    2620:0:32::53
            ns3.msft.net.           130     IN      A       193.221.113.53
            ns3.msft.net.           130     IN      AAAA    2620:0:34::53
            ns4.msft.net.           1544    IN      A       208.76.45.53
            ns4.msft.net.           7210    IN      AAAA    2620:0:37::53
            
            ;; Query time: 53 msec
            ;; SERVER: 127.0.0.1#53(127.0.0.1)
            ;; WHEN: Fri May 27 14:56:33 CEST 2016
            ;; MSG SIZE  rcvd: 366
            

            case D: DNSSEC enabled and DNS Query Forwarding enabled (SUCCESS)

            [2.3.2-DEVELOPMENT][admin@*******]/root: dig +comments test.dnssec-or-not.net
            
            ; <<>> DiG 9.10.3-P4 <<>> +comments test.dnssec-or-not.net
            ;; global options: +cmd
            ;; Got answer:
            ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50560
            ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3
            
            ;; OPT PSEUDOSECTION:
            ; EDNS: version: 0, flags:; udp: 4096
            ;; QUESTION SECTION:
            ;test.dnssec-or-not.net.                IN      A
            
            ;; ANSWER SECTION:
            test.dnssec-or-not.net. 3600    IN      A       72.13.58.64
            
            ;; AUTHORITY SECTION:
            dnssec-or-not.net.      3600    IN      NS      ns1.dnssec-or-not.net.
            dnssec-or-not.net.      3600    IN      NS      ns0.dnssec-or-not.net.
            
            ;; ADDITIONAL SECTION:
            ns0.dnssec-or-not.net.  3600    IN      A       72.13.58.76
            ns1.dnssec-or-not.net.  3600    IN      A       72.13.58.80
            
            ;; Query time: 881 msec
            ;; SERVER: 127.0.0.1#53(127.0.0.1)
            ;; WHEN: Fri May 27 15:10:51 CEST 2016
            ;; MSG SIZE  rcvd: 135
            

            case E: DNSSEC enabled and DNS Query Forwarding enabled (SUCCESS)

            [2.3.2-DEVELOPMENT][admin@*******]/root: dig sigok.verteiltesysteme.net
            
            ; <<>> DiG 9.10.3-P4 <<>> sigok.verteiltesysteme.net
            ;; global options: +cmd
            ;; Got answer:
            ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55229
            ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 5
            
            ;; OPT PSEUDOSECTION:
            ; EDNS: version: 0, flags:; udp: 4096
            ;; QUESTION SECTION:
            ;sigok.verteiltesysteme.net.    IN      A
            
            ;; ANSWER SECTION:
            sigok.verteiltesysteme.net. 60  IN      A       134.91.78.139
            
            ;; AUTHORITY SECTION:
            verteiltesysteme.net.   3600    IN      NS      ns2.verteiltesysteme.net.
            verteiltesysteme.net.   3600    IN      NS      ns1.verteiltesysteme.net.
            
            ;; ADDITIONAL SECTION:
            ns1.verteiltesysteme.net. 95486 IN      A       134.91.78.139
            ns1.verteiltesysteme.net. 95486 IN      AAAA    2001:638:501:8efc::139
            ns2.verteiltesysteme.net. 95486 IN      A       134.91.78.141
            ns2.verteiltesysteme.net. 95486 IN      AAAA    2001:638:501:8efc::141
            
            ;; Query time: 61 msec
            ;; SERVER: 127.0.0.1#53(127.0.0.1)
            ;; WHEN: Fri May 27 15:13:04 CEST 2016
            ;; MSG SIZE  rcvd: 195
            
            johnpoz (LAYER 8, Global Moderator), May 27, 2016, 1:12 PM (last edited May 27, 2016, 1:33 PM)

              Where are you forwarding to?

              And why, if you want dnssec support? If where you're forwarding to doesn't support dnssec then you're just out of freaking luck, etc.

              At a loss to understand your use case. Why are you using unbound in forwarder mode? In forwarder mode you're at the mercy of who you forward to and what they return. Why would you want that?

              Here I changed to forwarder mode, forwarding to my ISP DNS, Comcast at 75.75.75.75; they have dnssec support.

              So as you see from the sniff on the pfSense WAN, it asks 75.75.75.75 and resolves sharepoint just fine. I then ask it for a domain that is dnssec signed and get back the AD flag, which means it's all good.

              Here is a query with unbound in forwarder mode, and dnssec comes back fine as well on a domain with valid dnssec:

              
              user@ubuntu:~$ dig pir.org +dnssec +multi
              
              ; <<>> DiG 9.9.5-3ubuntu0.8-Ubuntu <<>> pir.org +dnssec +multi
              ;; global options: +cmd
              ;; Got answer:
              ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33147
              ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
              
              ;; OPT PSEUDOSECTION:
              ; EDNS: version: 0, flags: do; udp: 4096
              ;; QUESTION SECTION:
              ;pir.org.               IN A
              
              ;; ANSWER SECTION:
              pir.org.                300 IN A 97.107.141.235
              pir.org.                300 IN RRSIG A 5 2 300 (
                                              20160609204000 20160526204000 58424 pir.org.
                                              s4MIhMXapTDd1COi6SiTgLmz0OXDv2Ikq/B+ftBtDtr3
                                              94a1i01x5+o04mnbqed19a+lAeF6zZmzh1OD97wuK3Va
                                              DQxf9N5h4hnBHWu1i2cLPTxCtIHxY1qeQ5qE2ddjODNn
                                              ewYLtVxYam3+YMiIsOjuF1E91gZU/hevNKx40sE= )
              
              ;; Query time: 341 msec
              ;; SERVER: 192.168.9.253#53(192.168.9.253)
              ;; WHEN: Fri May 27 08:31:43 CDT 2016
              ;; MSG SIZE  rcvd: 219
              
              user@ubuntu:~$
              
              

              Yes, if you're wanting to do dnssec and where you're forwarding to has a borked setup for dnssec then sure, you could get all kinds of issues. I don't see how setting unbound to use dnssec, then forwarding to somewhere that has bad dnssec support or none at all, and then telling unbound not to use dnssec for domains that fail is any sort of solution to anything. Either use a forwarder that has full dnssec support, or just actually use unbound as a resolver with dnssec support. Or just use the forwarder and turn off dnssec if where you want to forward to doesn't support it.

              [Attachments: forwardmode.png, dnsseccomesbackwithAD.png]


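The posts above read dig transcripts by hand: SERVFAIL with zero answers in case A, NOERROR without the AD flag in case C, and NOERROR with AD on a signed domain in case D and in the pir.org query. The following script is an added example (not code from the thread or from pfSense/unbound) that automates that reading and also shows the scope of the `domain-insecure:` workaround from the first post: validation is skipped for the named domain and everything below it. The transcripts and the custom-options string are constructed to mirror the thread's cases; they are not live query output.

```python
"""Classify dig answers the way the transcripts in this thread are read,
and show which names an unbound "domain-insecure:" line exempts from validation.

Added example, not part of the original forum thread. Sample inputs below
are constructed to mirror the thread's cases A, C and D.
"""
import re
from dataclasses import dataclass

# Header lines exactly as dig prints them (see the transcripts in this thread).
STATUS_RE = re.compile(r";; ->>HEADER<<- opcode: \w+, status: (\w+), id: \d+")
FLAGS_RE = re.compile(
    r";; flags: ([a-z ]*); QUERY: \d+, ANSWER: (\d+), AUTHORITY: \d+, ADDITIONAL: \d+"
)
# unbound "domain-insecure:" directives as pasted into the pfSense Custom Options box.
INSECURE_RE = re.compile(r'domain-insecure:\s*"?([A-Za-z0-9.-]+)"?')


@dataclass(frozen=True)
class DigSummary:
    status: str
    flags: frozenset
    answers: int

    @property
    def verdict(self) -> str:
        """How a validating resolver's answer should be read."""
        if self.status == "SERVFAIL":
            return "failed"        # validation failure or upstream error; check the unbound log
        if self.status != "NOERROR":
            return self.status.lower()
        if "ad" in self.flags:
            return "validated"     # AD: the resolver proved the chain of trust
        return "unvalidated"       # NOERROR without AD: unsigned zone or validation switched off


def parse_dig(output: str) -> DigSummary:
    """Extract status, header flags and answer count from a dig transcript."""
    status_m = STATUS_RE.search(output)
    flags_m = FLAGS_RE.search(output)
    if not (status_m and flags_m):
        raise ValueError("not a dig transcript with header comments")
    return DigSummary(status_m.group(1),
                      frozenset(flags_m.group(1).split()),
                      int(flags_m.group(2)))


def insecure_domains(custom_options: str) -> list:
    """Domains for which the pasted options switch DNSSEC validation off."""
    return [d.rstrip(".").lower() for d in INSECURE_RE.findall(custom_options)]


def validation_disabled_for(qname: str, domains) -> bool:
    """True if qname is at or below a domain-insecure name: the chain of trust
    is cut there, so the whole subtree goes unvalidated."""
    q = qname.rstrip(".").lower()
    return any(q == d or q.endswith("." + d) for d in domains)


# Constructed transcripts modelled on cases A, C and D in the thread.
CASE_A = """;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 28474
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
"""
CASE_C = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39032
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 4, ADDITIONAL: 9
"""
CASE_D = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50560
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3
"""
# The workaround from the first post, as pasted into Custom Options.
CUSTOM_OPTIONS = 'server: domain-insecure: "sharepoint.com"'

if __name__ == "__main__":
    for label, text in (("A", CASE_A), ("C", CASE_C), ("D", CASE_D)):
        s = parse_dig(text)
        print(f"case {label}: {s.status} answers={s.answers} -> {s.verdict}")
    doms = insecure_domains(CUSTOM_OPTIONS)
    for name in ("sharepoint.com", "tenant.sharepoint.com", "microsoft.com"):
        print(f"{name}: validation skipped = {validation_disabled_for(name, doms)}")
```

Run it against saved `dig` output from the resolver under test; a signed test name (sigok.verteiltesysteme.net in the thread) should come back "validated" and its deliberately broken sibling (sigfail) "failed". The subtree check is the caveat to the workaround: an insecure entry for sharepoint.com also leaves every tenant name below it unvalidated, so the entry is worth removing once the upstream zone is fixed, as the last post in this thread reports it was.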
              LucaTo, May 27, 2016, 1:31 PM

                Where are you forwarding too?

                Forwarding to my ISP DNS (and also Google 8.8.8.8 / 8.8.4.4 DNS, same results).
                Why forwarding? Because:

                1. Response time from a nearby DNS is far shorter than from the root/authoritative DNS servers.
                2. Local regional Google and local ISP DNS servers resolve to a nearby CDN server.
                   (i.e. from root DNS www.facebook.com resolves to a USA server, and I'm in Europe, so latency >150 ms compared to 7 ms to the local Facebook CDN server)
                3. No issue at all using forward mode + DNSSEC except "sharepoint.com".

                The same, identical situation described in that old thread: (https://forum.pfsense.org/index.php?topic=85640.msg469919#msg469919)

                johnpoz (LAYER 8, Global Moderator), May 27, 2016, 1:45 PM (last edited May 27, 2016, 1:52 PM)

                  So using 8.8.8.8, yes, I see your issue with sharepoint. But what is odd is that it is just a cname to sharepoint.microsoft.com, which does resolve using Google DNS as the forwarder with dnssec enabled.

                  Wouldn't a simpler solution just be to use sharepoint.microsoft.com vs the cname? ;)

                  If you do a test for sharepoint.com it's all BORKED… So yeah, I can see why it fails:
                  http://mxtoolbox.com/SuperTool.aspx?action=dns%3asharepoint.com&run=toolpage

                  [Attachment: sharepoint_com.png]


                  LucaTo, May 27, 2016, 1:57 PM

                    Wouldn't a simpler solution just be to use sharepoint.microsoft.com vs the cname?

                    I had already thought of this; unfortunately it is not possible, it does not work when applied to MS OneDrive for Business.
                    Anyway… for now, I put:

                    server: domain-insecure: "sharepoint.com"
                    

                    to bypass the problem :-)

                      LucaTo, Sep 1, 2017, 2:12 PM

                      Finally, after 1+ year!… Microsoft seems to have decided to fix their wrong DNS configuration... and now it works!

                      PREVIOUS (WRONG)

                      ;; ANSWER SECTION:
                      sharepoint.com.         86400   IN      CNAME   sharepoint.microsoft.com.
                      sharepoint.microsoft.com. 3600  IN      A       65.55.39.10
                      sharepoint.microsoft.com. 3600  IN      A       64.4.6.100
                      

                      NOW (RIGHT, NO MORE CNAME RECORD IN ROOT)

                      ;; ANSWER SECTION:
                      sharepoint.com.		11	IN	A	13.107.6.168
                      sharepoint.com.		11	IN	A	13.107.9.168
                      
                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.