DNS Resolver + DNSSEC + sharepoint.com = SERVFAIL : my solution :-) [SOLVED]



  • Hi!
    this is an old issue (https://forum.pfsense.org/index.php?topic=85640.msg469919#msg469919)
    but it still persists today…
    This is my solution/workaround to bypass the issue without needing to disable forwarding mode:
    just put this in "Custom Options" of the "DNS Resolver" settings page:

    server: domain-insecure: "sharepoint.com"
    

    Restart the unbound/DNS Resolver service and… it works! :)


  • LAYER 8 Global Moderator

    Not sure what your issue is, but sharepoint.com has no dnssec enabled, and is only a cname for sharepoint.microsoft.com, which also has no dnssec enabled, which is just SAD… But having dnssec set up on unbound would not cause SERVFAIL on this, nor should you have to set the domain as insecure.

    
    user@ubuntu:~$ dig sharepoint.com
    
    ; <<>> DiG 9.9.5-3ubuntu0.8-Ubuntu <<>> sharepoint.com
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11375
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
    
    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ;; QUESTION SECTION:
    ;sharepoint.com.                        IN      A
    
    ;; ANSWER SECTION:
    sharepoint.com.         86400   IN      CNAME   sharepoint.microsoft.com.
    sharepoint.microsoft.com. 3600  IN      A       65.55.39.10
    sharepoint.microsoft.com. 3600  IN      A       64.4.6.100
    
    ;; Query time: 171 msec
    ;; SERVER: 192.168.9.253#53(192.168.9.253)
    ;; WHEN: Thu May 26 14:13:31 CDT 2016
    ;; MSG SIZE  rcvd: 110
    
    user@ubuntu:~$ dig sharepoint.microsoft.com
    
    ; <<>> DiG 9.9.5-3ubuntu0.8-Ubuntu <<>> sharepoint.microsoft.com
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27340
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
    
    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ;; QUESTION SECTION:
    ;sharepoint.microsoft.com.      IN      A
    
    ;; ANSWER SECTION:
    sharepoint.microsoft.com. 3589  IN      A       65.55.39.10
    sharepoint.microsoft.com. 3589  IN      A       64.4.6.100
    
    ;; Query time: 9 msec
    ;; SERVER: 192.168.9.253#53(192.168.9.253)
    ;; WHEN: Thu May 26 14:13:42 CDT 2016
    ;; MSG SIZE  rcvd: 85
    
    user@ubuntu:~$
    
    

    So not sure what your issue is, but what you think fixed it has nothing to do with it.

    Maybe you had something going on with unbound, and just its restart cleared up your problem.



  • Maybe you had something going on with unbound, and just its restart cleared up your problem.

    Yes, I agree with you, sharepoint.com is not a DNSSEC-signed domain,
    but this (DNSSEC verification of the sharepoint.com domain) is a known problem even outside the pfSense environment.

    https://community.sophos.com/products/unified-threat-management/f/53/t/76044

    Anyway, the issue described here: https://forum.pfsense.org/index.php?topic=85640.0
    is easily replicable.


  • LAYER 8 Global Moderator

    Dude, that thread is from 2014; maybe at that time they had tried to implement dnssec on the domain and failed?

    Currently I show no issues at all resolving sharepoint.com with unbound, and I for sure have dnssec enabled.

    
    user@ubuntu:~$ dig +comments test.dnssec-or-not.net
    
    ; <<>> DiG 9.9.5-3ubuntu0.8-Ubuntu <<>> +comments test.dnssec-or-not.net
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56465
    ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3
    
    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ;; QUESTION SECTION:
    ;test.dnssec-or-not.net.                IN      A
    
    ;; ANSWER SECTION:
    test.dnssec-or-not.net. 3600    IN      A       72.13.58.64
    
    ;; AUTHORITY SECTION:
    dnssec-or-not.net.      3600    IN      NS      ns0.dnssec-or-not.net.
    dnssec-or-not.net.      3600    IN      NS      ns1.dnssec-or-not.net.
    
    ;; ADDITIONAL SECTION:
    ns0.dnssec-or-not.net.  3600    IN      A       72.13.58.76
    ns1.dnssec-or-not.net.  3600    IN      A       72.13.58.80
    
    ;; Query time: 179 msec
    ;; SERVER: 192.168.9.253#53(192.168.9.253)
    ;; WHEN: Fri May 27 07:31:11 CDT 2016
    ;; MSG SIZE  rcvd: 135
    
    
    
    user@ubuntu:~$ dig sigok.verteiltesysteme.net
    
    ; <<>> DiG 9.9.5-3ubuntu0.8-Ubuntu <<>> sigok.verteiltesysteme.net
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59287
    ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 5
    
    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ;; QUESTION SECTION:
    ;sigok.verteiltesysteme.net.    IN      A
    
    ;; ANSWER SECTION:
    sigok.verteiltesysteme.net. 60  IN      A       134.91.78.139
    
    ;; AUTHORITY SECTION:
    verteiltesysteme.net.   3600    IN      NS      ns2.verteiltesysteme.net.
    verteiltesysteme.net.   3600    IN      NS      ns1.verteiltesysteme.net.
    
    ;; ADDITIONAL SECTION:
    ns1.verteiltesysteme.net. 3600  IN      A       134.91.78.139
    ns1.verteiltesysteme.net. 3600  IN      AAAA    2001:638:501:8efc::139
    ns2.verteiltesysteme.net. 3600  IN      A       134.91.78.141
    ns2.verteiltesysteme.net. 3600  IN      AAAA    2001:638:501:8efc::141
    
    ;; Query time: 169 msec
    ;; SERVER: 192.168.9.253#53(192.168.9.253)
    ;; WHEN: Fri May 27 07:33:29 CDT 2016
    ;; MSG SIZE  rcvd: 195
    
    user@ubuntu:~$ dig sigfail.verteiltesysteme.net
    
    ; <<>> DiG 9.9.5-3ubuntu0.8-Ubuntu <<>> sigfail.verteiltesysteme.net
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 14309
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
    
    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ;; QUESTION SECTION:
    ;sigfail.verteiltesysteme.net.  IN      A
    
    ;; Query time: 762 msec
    ;; SERVER: 192.168.9.253#53(192.168.9.253)
    ;; WHEN: Fri May 27 07:33:42 CDT 2016
    ;; MSG SIZE  rcvd: 57
    
    user@ubuntu:~$
    
    

    That second test is from http://dnssec.vs.uni-due.de/, which comes up when you google for dnssec-or-not.net



  • case A: DNSSEC enabled and DNS Query Forwarding enabled (FAILURE, ZERO ANSWER)

    [2.3.2-DEVELOPMENT][admin@******]/root: dig sharepoint.com
    
    ; <<>> DiG 9.10.3-P4 <<>> sharepoint.com
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 28474
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
    
    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ;; QUESTION SECTION:
    ;sharepoint.com.                        IN      A
    
    ;; Query time: 250 msec
    ;; SERVER: 127.0.0.1#53(127.0.0.1)
    ;; WHEN: Fri May 27 14:49:28 CEST 2016
    ;; MSG SIZE  rcvd: 43
    

    case B: DNSSEC enabled and DNS Query Forwarding disabled (SUCCESS)

    [2.3.2-DEVELOPMENT][admin@*****]/root: dig sharepoint.com
    
    ; <<>> DiG 9.10.3-P4 <<>> sharepoint.com
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24949
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
    
    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ;; QUESTION SECTION:
    ;sharepoint.com.                        IN      A
    
    ;; ANSWER SECTION:
    sharepoint.com.         86399   IN      CNAME   sharepoint.microsoft.com.
    sharepoint.microsoft.com. 3600  IN      A       65.55.39.10
    sharepoint.microsoft.com. 3600  IN      A       64.4.6.100
    
    ;; Query time: 546 msec
    ;; SERVER: 127.0.0.1#53(127.0.0.1)
    ;; WHEN: Fri May 27 14:53:55 CEST 2016
    ;; MSG SIZE  rcvd: 110
    

    case C: DNSSEC disabled and DNS Query Forwarding enabled (SUCCESS)

    [2.3.2-DEVELOPMENT][admin@*******]/root: dig sharepoint.com
    
    ; <<>> DiG 9.10.3-P4 <<>> sharepoint.com
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39032
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 4, ADDITIONAL: 9
    
    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ;; QUESTION SECTION:
    ;sharepoint.com.                        IN      A
    
    ;; ANSWER SECTION:
    sharepoint.com.         21800   IN      CNAME   sharepoint.microsoft.com.
    sharepoint.microsoft.com. 3600  IN      A       65.55.39.10
    sharepoint.microsoft.com. 3600  IN      A       64.4.6.100
    
    ;; AUTHORITY SECTION:
    microsoft.com.          1544    IN      NS      ns3.msft.net.
    microsoft.com.          1544    IN      NS      ns4.msft.net.
    microsoft.com.          1544    IN      NS      ns2.msft.net.
    microsoft.com.          1544    IN      NS      ns1.msft.net.
    
    ;; ADDITIONAL SECTION:
    ns1.msft.net.           130     IN      A       208.84.0.53
    ns1.msft.net.           216     IN      AAAA    2620:0:30::53
    ns2.msft.net.           1544    IN      A       208.84.2.53
    ns2.msft.net.           11001   IN      AAAA    2620:0:32::53
    ns3.msft.net.           130     IN      A       193.221.113.53
    ns3.msft.net.           130     IN      AAAA    2620:0:34::53
    ns4.msft.net.           1544    IN      A       208.76.45.53
    ns4.msft.net.           7210    IN      AAAA    2620:0:37::53
    
    ;; Query time: 53 msec
    ;; SERVER: 127.0.0.1#53(127.0.0.1)
    ;; WHEN: Fri May 27 14:56:33 CEST 2016
    ;; MSG SIZE  rcvd: 366
    

    case D: DNSSEC enabled and DNS Query Forwarding enabled (SUCCESS)

    [2.3.2-DEVELOPMENT][admin@*******]/root: dig +comments test.dnssec-or-not.net
    
    ; <<>> DiG 9.10.3-P4 <<>> +comments test.dnssec-or-not.net
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50560
    ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3
    
    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ;; QUESTION SECTION:
    ;test.dnssec-or-not.net.                IN      A
    
    ;; ANSWER SECTION:
    test.dnssec-or-not.net. 3600    IN      A       72.13.58.64
    
    ;; AUTHORITY SECTION:
    dnssec-or-not.net.      3600    IN      NS      ns1.dnssec-or-not.net.
    dnssec-or-not.net.      3600    IN      NS      ns0.dnssec-or-not.net.
    
    ;; ADDITIONAL SECTION:
    ns0.dnssec-or-not.net.  3600    IN      A       72.13.58.76
    ns1.dnssec-or-not.net.  3600    IN      A       72.13.58.80
    
    ;; Query time: 881 msec
    ;; SERVER: 127.0.0.1#53(127.0.0.1)
    ;; WHEN: Fri May 27 15:10:51 CEST 2016
    ;; MSG SIZE  rcvd: 135
    

    case E: DNSSEC enabled and DNS Query Forwarding enabled (SUCCESS)

    [2.3.2-DEVELOPMENT][admin@*******]/root: dig sigok.verteiltesysteme.net
    
    ;<<>> DiG 9.10.3-P4 <<>> sigok.verteiltesysteme.net
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55229
    ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 5
    
    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ;; QUESTION SECTION:
    ;sigok.verteiltesysteme.net.    IN      A
    
    ;; ANSWER SECTION:
    sigok.verteiltesysteme.net. 60  IN      A       134.91.78.139
    
    ;; AUTHORITY SECTION:
    verteiltesysteme.net.   3600    IN      NS      ns2.verteiltesysteme.net.
    verteiltesysteme.net.   3600    IN      NS      ns1.verteiltesysteme.net.
    
    ;; ADDITIONAL SECTION:
    ns1.verteiltesysteme.net. 95486 IN      A       134.91.78.139
    ns1.verteiltesysteme.net. 95486 IN      AAAA    2001:638:501:8efc::139
    ns2.verteiltesysteme.net. 95486 IN      A       134.91.78.141
    ns2.verteiltesysteme.net. 95486 IN      AAAA    2001:638:501:8efc::141
    
    ;; Query time: 61 msec
    ;; SERVER: 127.0.0.1#53(127.0.0.1)
    ;; WHEN: Fri May 27 15:13:04 CEST 2016
    ;; MSG SIZE  rcvd: 195
    

  • LAYER 8 Global Moderator

    Where are you forwarding to?

    And why, if you want dnssec support? If where you're forwarding doesn't support dnssec then you're just out of freaking luck, etc.

    At a loss to understand your use case. Why are you using unbound in forwarder mode? In forwarder mode you're at the mercy of who you forward to and what they return. Why would you want that?

    Here I changed to forwarder mode, forwarding to my isp dns, comcast at 75.75.75.75; they have dnssec support.

    So as you see from the sniff on the pfsense wan, it asks 75.75.75.75 and resolves sharepoint just fine. I then ask it for a domain that is dnssec signed and get back the AD flag, which means it's all good..

    Here is a query with unbound in forwarder mode; dnssec comes back fine as well on a domain with valid dnssec:

    
    user@ubuntu:~$ dig pir.org +dnssec +multi
    
    ; <<>> DiG 9.9.5-3ubuntu0.8-Ubuntu <<>> pir.org +dnssec +multi
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33147
    ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
    
    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags: do; udp: 4096
    ;; QUESTION SECTION:
    ;pir.org.               IN A
    
    ;; ANSWER SECTION:
    pir.org.                300 IN A 97.107.141.235
    pir.org.                300 IN RRSIG A 5 2 300 (
                                    20160609204000 20160526204000 58424 pir.org.
                                    s4MIhMXapTDd1COi6SiTgLmz0OXDv2Ikq/B+ftBtDtr3
                                    94a1i01x5+o04mnbqed19a+lAeF6zZmzh1OD97wuK3Va
                                    DQxf9N5h4hnBHWu1i2cLPTxCtIHxY1qeQ5qE2ddjODNn
                                    ewYLtVxYam3+YMiIsOjuF1E91gZU/hevNKx40sE= )
    
    ;; Query time: 341 msec
    ;; SERVER: 192.168.9.253#53(192.168.9.253)
    ;; WHEN: Fri May 27 08:31:43 CDT 2016
    ;; MSG SIZE  rcvd: 219
    
    user@ubuntu:~$
    
    

    Yes, if you're wanting to do dnssec and where you're forwarding has a borked setup for dnssec then sure you could get all kinds of issues. I don't see how setting unbound to use dnssec, then forwarding it to somewhere that has bad dnssec support or none at all, and then telling unbound not to use dnssec for domains that fail is any sort of solution to anything. Either use a forwarder that has full dnssec support, or just actually use unbound as a resolver with dnssec support. Or just use the forwarder and turn off dnssec if where you want to forward to doesn't support it.
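
The thread's diagnostic reading of dig output, as an added example that is not part of any post here: a small checker that applies the moderator's rule (SERVFAIL vs. NOERROR, AD bit present or not) to outputs like cases A, B and E above, and additionally flags a CNAME on the queried name, the record the final post reports was removed from the sharepoint.com apex. The sample outputs are constructed to mirror those cases, not copied from the thread's captures.

```python
import re

# Constructed samples modelled on cases A, B and E in the thread (header,
# question and answer lines only; addresses from RFC 5737 documentation ranges).
CASE_A = """;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 1
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; QUESTION SECTION:
;sharepoint.com.                        IN      A
"""
CASE_B = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; QUESTION SECTION:
;sharepoint.com.                        IN      A

;; ANSWER SECTION:
sharepoint.com.         86399   IN      CNAME   sharepoint.microsoft.com.
sharepoint.microsoft.com. 3600  IN      A       192.0.2.10
"""
CASE_E = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 5
;; QUESTION SECTION:
;sigok.verteiltesysteme.net.    IN      A

;; ANSWER SECTION:
sigok.verteiltesysteme.net. 60  IN      A       192.0.2.20
"""

def classify(dig_output):
    """Return (verdict, qname_is_cname) for one dig run against a validator.

    'servfail': validation failure or upstream error (re-run with +cd to tell
    them apart); 'secure': NOERROR with the AD bit; 'insecure': NOERROR without
    AD (unsigned zone, or no validation done). qname_is_cname is True when the
    queried name is itself a CNAME, invalid at a zone apex (RFC 1034: a CNAME
    cannot coexist with the apex SOA and NS records).
    """
    rcode = re.search(r"status: (\w+)", dig_output).group(1)
    flags_m = re.search(r"^;; flags: ([a-z ]*);", dig_output, re.M)
    flags = set(flags_m.group(1).split()) if flags_m else set()
    qname = re.search(r"^;(\S+)\s+IN\s+\w+\s*$", dig_output, re.M).group(1)
    answers = []  # (owner, type) from the ANSWER SECTION; single-line RRs only
    parts = dig_output.split(";; ANSWER SECTION:\n", 1)
    if len(parts) == 2:
        for line in parts[1].splitlines():
            if not line.strip():
                break
            owner, _ttl, _cls, rtype, *_rdata = line.split()
            answers.append((owner, rtype))
    verdict = "servfail" if rcode == "SERVFAIL" else "secure" if "ad" in flags else "insecure"
    return verdict, (qname, "CNAME") in answers
```

Feed it the full text of a `dig` run (without `+multi`, which wraps RRSIG records over several lines) to get the same three-way reading the posts above make by eye.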






  • Where are you forwarding to?

    Forwarding to my isp DNS (and also Google 8.8.8.8 / 8.8.4.4 dns, same results).
    Why forwarding? Because:

    1. The response time from a nearby dns is far shorter than from the root/authoritative dns servers.
    2. Local regional Google and local isp dns servers resolve to a nearby cdn server.
       (i.e. via the root dns www.facebook.com resolves to a USA server, and I'm in Europe, so latency is >150ms compared to 7ms for the local facebook cdn server)
    3. No issue at all using forward mode + DNSSEC except "sharepoint.com".

    The same, identical, situation described in that old thread: (https://forum.pfsense.org/index.php?topic=85640.msg469919#msg469919)


  • LAYER 8 Global Moderator

    So using 8.8.8.8, yes, I see your issue with sharepoint. But what is odd is that it is just a cname to sharepoint.microsoft.com, which does resolve using googledns as the forwarder with dnssec enabled.

    Wouldn't a simpler solution just be to use sharepoint.microsoft.com vs the cname? ;)

    If you do a test for sharepoint.com it is all BORKED… So yeah, I can see why it fails
    http://mxtoolbox.com/SuperTool.aspx?action=dns%3Asharepoint.com&run=toolpage




  • Wouldn't a simpler solution just be to use sharepoint.microsoft.com vs the cname?

    I had already thought of this; unfortunately it is not possible, it does not work when applied to MS OneDrive for Business.
    Anyway … for now, I put:

    server: domain-insecure: "sharepoint.com"
    

    to bypass the problem :-)



  • Finally, after 1+ year!… Microsoft seems to have decided to fix their wrong dns configuration… and now it works!

    PREVIOUS (WRONG)

    ;; ANSWER SECTION:
    sharepoint.com.         86400   IN      CNAME   sharepoint.microsoft.com.
    sharepoint.microsoft.com. 3600  IN      A       65.55.39.10
    sharepoint.microsoft.com. 3600  IN      A       64.4.6.100
    

    NOW (RIGHT, NO MORE CNAME RECORD IN ROOT)

    ;; ANSWER SECTION:
    sharepoint.com.		11	IN	A	13.107.6.168
    sharepoint.com.		11	IN	A	13.107.9.168
    
