Draytek 2762: Cannot resolve numerous .co.uk and other TLDs

Hi,

I’m trying to set up Cloudflare DNS on my home network but seeing numerous resolution problems, mostly for .co.uk domains but some other TLDs as well.

ISP is Plusnet, router is Draytek 2762
Problem verified on both Windows 10 and Android 9 Pie connected to the Draytek

The basic tests work;

dig example.com @1.1.1.1

; <<>> DiG 9.12.2-P2 <<>> example.com @1.1.1.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60992
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: Message has 15 extra bytes at end

;; QUESTION SECTION:
;example.com.                   IN      A

;; ANSWER SECTION:
example.com.            5686    IN      A       93.184.216.34

;; Query time: 8 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; WHEN: Tue Nov 13 01:59:10 GMT Standard Time 2018
;; MSG SIZE  rcvd: 60

Testing with bbc.co.uk highlights a problem;

dig bbc.co.uk @1.1.1.1

; <<>> DiG 9.12.2-P2 <<>> bbc.co.uk @1.1.1.1
;; global options: +cmd
;; connection timed out; no servers could be reached

dig bbc.co.uk @1.0.0.1

; <<>> DiG 9.12.2-P2 <<>> bbc.co.uk @1.0.0.1
;; global options: +cmd
;; connection timed out; no servers could be reached

The same with Google DNS;

dig bbc.co.uk @8.8.8.8

; <<>> DiG 9.12.2-P2 <<>> bbc.co.uk @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7646
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: Message has 13 extra bytes at end

;; QUESTION SECTION:
;bbc.co.uk.                     IN      A

;; ANSWER SECTION:
bbc.co.uk.              234     IN      A       151.101.128.81
bbc.co.uk.              234     IN      A       151.101.64.81
bbc.co.uk.              234     IN      A       151.101.0.81
bbc.co.uk.              234     IN      A       151.101.192.81

;; Query time: 46 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Tue Nov 13 02:03:21 GMT Standard Time 2018
;; MSG SIZE  rcvd: 104

Testing other domains;
dig myhappymedium.net @1.1.1.1

; <<>> DiG 9.12.2-P2 <<>> myhappymedium.net @1.1.1.1
;; global options: +cmd
;; connection timed out; no servers could be reached

dig myhappymedium.net @8.8.8.8

; <<>> DiG 9.12.2-P2 <<>> myhappymedium.net @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48823
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: Message has 13 extra bytes at end

;; QUESTION SECTION:
;myhappymedium.net.             IN      A

;; ANSWER SECTION:
myhappymedium.net.      3599    IN      A       79.170.40.4

;; Query time: 287 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Tue Nov 13 02:08:45 GMT Standard Time 2018
;; MSG SIZE  rcvd: 64

Other info;
dig +short CHAOS TXT id.server @1.1.1.1
"LHR"

dig +short CHAOS TXT id.server @1.0.0.1
"LHR"

(test above was performed whilst connected to Google DNS)

That’s bizarre. If nothing else, it looks like you’re running through some sort of destructive firewall or middlebox that mangles EDNS.

Yet it seems like you really can reach 1.1.1.1.

What happens if you add +noedns to the dig commands?

Just to check, what do these commands return?

dig whoami.ds.akahelp.net txt @1.1.1.1
dig whoami.ds.akahelp.net txt @8.8.8.8
dig whoami.ds.akahelp.net txt @1.1.1.1 +noedns
dig whoami.ds.akahelp.net txt @8.8.8.8 +noedns

Can you switch to 1.1.1.1 for a few minutes and run it again?

Edit:

By the way, I really don’t have any idea what’s wrong, or how to fix it. You do have a broken firewall/middlebox, but I can’t fathom why any of the other things are happening.

Edit:

It’s probably a coincidence, but example.com uses DNSSEC, and the two domains that don’t work don’t use DNSSEC.

What about this?

dig @1.1.1.1 Cloudflare.com
dig @1.1.1.1 Cloudflarestream.com

Hello mnordhoff,

Thanks for the insight regarding DNSSEC, with that in mind I repeated the tests against Google DNS and was able to see the same issue regarding “Message has 15 extra bytes at end” and no mention of EDNS support from dig in the headers.

I repeated the tests on another Plusnet line, this time behind a Sophos XG firewall - worked perfectly.

In short, I then factory reset my Draytek 2762 with 3.8.9.2 (latest at time of writing) and hey presto, everything started working.

I’ve updated the title of this ticket in case anyone else is having a similar issue.
Thanks for your help!