Nslookup gives "DNS timed out" on 1.1.1.1 with Simple DNSCrypt


#1

Facts: Earlier this week, I was a Verizon DSL customer. Since yesterday morning, I am a Verizon FIOS customer.

Both before and after,
— 1.1.1.1 has been the designated DNS in the router (so it affects DNS lookups from ALL my devices) and
— I have been running Simple DNSCrypt on ONE of my PCs (Win 7 Pro 64-bit), which means that that PC is always running the process dnscrypt-proxy.exe and the service dnscrypt-proxy.

Both before and after, I have been getting odd responses to nslookup on ONLY the Win 7 Pro 64-bit. When I run nslookup arstechnica.com or nslookup cloudflare.com, I get this:

Server: localhost
Address: ::1

DNS request timed out.
timeout was 2 seconds.
DNS request timed out.
timeout was 2 seconds.
DNS request timed out.
timeout was 2 seconds.

Server: localhost
Address: ::1

DNS request timed out.
timeout was 2 seconds.
DNS request timed out.
timeout was 2 seconds.
DNS request timed out.
timeout was 2 seconds.

BUT, when I run the same two nslookups on a different PC (an XP Pro) that is behind the router with 1.1.1.1 but is NOT running any of the dnscrypt stuff, I get this:

Server: FIOS_Quantum_Gateway.fios-router.home
Address: 192.168.1.1
Name: arstechnica.com
Address: 50.31.169.131

Server: FIOS_Quantum_Gateway.fios-router.home
Address: 192.168.1.1
Name: cloudflare.com
Addresses: 198.41.215.162, 198.41.214.162

Why is nslookup dodgy on the Win 7 with the Simple DNSCrypt stuff?

(I have also asked that question on arstechnica, and < THIS LINK > is one comment, but we don’t have a solution yet.)

What do you think?


#2

ADDED INFO - On the Win 7 machine with the dnscrypt stuff, if I do an nslookup to an IPv6 number, I get a good result.

Here is what happens when I do nslookup 2606:4700:4700::1111 (which is the IPv6 for 1.1.1.1):

Server: localhost
Address: ::1

Name: 1dot1dot1dot1.cloudflare-dns.com
Address: 2606:4700:4700::1111

So, why does nslookup fail when I ask it about a URL?


#3

Bump.


#4

Experienced the same DNS timeout issue with Win7 HP 64bit.


#5

Do you see anything useful in the dnscrypt-proxy logs? cloudflared (or Go) on Windows 7 has problems validating a certificate with an address in the SAN, so perhaps it’s a similar issue.


#6

mvavrusa -

I just got FIOS a week ago, and I’m seeing something interesting in the Quantum’s Firewall Log, with three entries each time:

Apr 19 01:04:51 2018 named[1427] err<139> zone fios-router.home/IN/internal-clients: zone serial (2008122601) unchanged. zone may fail to transfer to slaves.

Apr 19 01:04:51 2018 named[1427] err<139> zone 1.168.192.in-addr.arpa/IN/internal-clients: zone serial (2008122601) unchanged. zone may fail to transfer to slaves.

Apr 19 01:04:51 2018 named[1427] err<139> zone FIOS_Quantum_Gateway/IN/internal-clients: zone serial (2008122601) unchanged. zone may fail to transfer to slaves.

Here’s a possibility - As noted above, I am running Simple DNSCrypt, which installed the process and service dnscrypt-proxy. This encrypts DNS requests and/or protects them from MITM attacks. I understand it uses 127.0.0.1 as a DNS proxy.

Do you think there’s any connection?

I’ll try your suggestion re the dnscrypt-proxy logs later.

Thanks.


#7

mvavrusa - and here’s a log from SimpleDNSCrypt - I don’t see anything interesting - do you? But please don’t skip my preceding post.

EDIT - DELETING MOST OF THE FOLLOWING BECAUSE FOUND A SOLUTION IN FOLLOWING POST –

| time | host | message | type |
|---|---|---|---|
|time:1524141740|host:::1|message:community.cloudflare.com|type:A|
|time:1524141740|host:::1|message:community.cloudflare.com|type:A|
|time:1524141740|host:::1|message:community.cloudflare.com|type:AAAA|
|time:1524141747|host:::1|message:crl.microsoft.com|type:A|
|time:1524141763|host:::1|message:community.cloudflare.com|type:A|
|time:1524141763|host:::1|message:community.cloudflare.com|type:A|
|time:1524141763|host:::1|message:community.cloudflare.com|type:AAAA|
|time:1524141766|host:::1|message:community.cloudflare.com|type:A|
|time:1524141766|host:::1|message:community.cloudflare.com|type:A|
|time:1524141766|host:::1|message:community.cloudflare.com|type:AAAA|
|time:1524141788|host:::1|message:community.cloudflare.com|type:A|
|time:1524141788|host:::1|message:community.cloudflare.com|type:A|
|time:1524141788|host:::1|message:community.cloudflare.com|type:AAAA|
|time:1524141791|host:::1|message:community.cloudflare.com|type:A|
|time:1524141791|host:::1|message:community.cloudflare.com|type:A|
|time:1524141791|host:::1|message:community.cloudflare.com|type:AAAA|
|time:1524141792|host:::1|message:ncc.avast.com|type:A|
|time:1524141792|host:::1|message:www.facebook.com|type:A|
|time:1524141792|host:::1|message:www.youtube.com|type:A|
|time:1524141792|host:::1|message:www.amazon.com|type:A|
|time:1524141792|host:::1|message:star-mini.c10r.facebook.com|type:A|
|time:1524141792|host:::1|message:youtube-ui.l.google.com|type:A|
|time:1524141792|host:::1|message:star-mini.c10r.facebook.com|type:AAAA|
|time:1524141792|host:::1|message:youtube-ui.l.google.com|type:AAAA|
|time:1524141792|host:::1|message:www.reddit.com|type:A|
|time:1524141792|host:::1|message:www.wikipedia.org|type:A|
|time:1524141792|host:::1|message:d3ag4hukkh62yn.cloudfront.net|type:A|
|time:1524141792|host:::1|message:reddit.map.fastly.net|type:A|
|time:1524141792|host:::1|message:www.wikipedia.org|type:A|
|time:1524141792|host:::1|message:www.wikipedia.org|type:AAAA|
|time:1524141792|host:::1|message:d3ag4hukkh62yn.cloudfront.net|type:AAAA|
|time:1524141792|host:::1|message:twitter.com|type:A|
|time:1524141792|host:::1|message:www.mozilla.org|type:A|
|time:1524141792|host:::1|message:twitter.com|type:A|
|time:1524141792|host:::1|message:reddit.map.fastly.net|type:AAAA|
|time:1524141792|host:::1|message:twitter.com|type:AAAA|
|time:1524141792|host:::1|message:getpocket.com|type:A|
|time:1524141792|host:::1|message:getpocket.com|type:A|
|time:1524141792|host:::1|message:getpocket.com|type:AAAA|
|time:1524141793|host:::1|message:www.mozilla.org.cdn.cloudflare.net|type:A|
|time:1524141793|host:::1|message:www.mozilla.org.cdn.cloudflare.net|type:AAAA|
|time:1524141794|host:::1|message:community.cloudflare.com|type:A|
|time:1524141794|host:::1|message:community.cloudflare.com|type:A|
|time:1524141794|host:::1|message:community.cloudflare.com|type:AAAA|
|time:1524141794|host:::1|message:typeface.nyt.com|type:A|
|time:1524141794|host:::1|message:www.google.com|type:A|
|time:1524141794|host:::1|message:g1.nyt.com|type:A|
|time:1524141794|host:::1|message:static01.nyt.com|type:A|
|time:1524141794|host:::1|message:www.googletagmanager.com|type:A|
|time:1524141795|host:::1|message:nytimes.map.fastly.net|type:AAAA|
|time:1524141795|host:::1|message:contextual.media.net|type:A|
|time:1524141795|host:::1|message:www.google.com|type:A|
|time:1524141795|host:::1|message:cdn.optimizely.com|type:A|
|time:1524141795|host:::1|message:nytimes.map.fastly.net|type:AAAA|
|time:1524141795|host:::1|message:a1.nyt.com|type:A|
|time:1524141795|host:::1|message:www.google.com|type:AAAA|
|time:1524141795|host:::1|message:s3.amazonaws.com|type:A|
|time:1524141795|host:::1|message:www-googletagmanager.l.google.com|type:A|
|time:1524141795|host:::1|message:nytimes.map.fastly.net|type:AAAA|
|time:1524141795|host:::1|message:s3-1.amazonaws.com|type:A|
|time:1524141795|host:::1|message:e607.e11.akamaiedge.net|type:A|
|time:1524141795|host:::1|message:s3-1.amazonaws.com|type:AAAA|
|time:1524141795|host:::1|message:e607.e11.akamaiedge.net|type:AAAA|
|time:1524141795|host:::1|message:cdn.optimizely.com|type:A|
|time:1524141795|host:::1|message:cdn.optimizely.com|type:AAAA|
|time:1524141795|host:::1|message:blog.mozilla.org|type:A|
|time:1524141914|host:::1|message:community.cloudflare.com|type:A|
|time:1524141914|host:::1|message:vip1.g5.cachefly.net|type:AAAA|
|time:1524141914|host:::1|message:community.cloudflare.com|type:A|
|time:1524141914|host:::1|message:dwgyu36up6iuz.cloudfront.net|type:A|
|time:1524141914|host:::1|message:community.cloudflare.com|type:AAAA|
|time:1524141914|host:::1|message:dwgyu36up6iuz.cloudfront.net|type:A|
|time:1524141914|host:::1|message:dwgyu36up6iuz.cloudfront.net|type:AAAA|
|time:1524141917|host:::1|message:community.cloudflare.com|type:A|
|time:1524141917|host:::1|message:community.cloudflare.com|type:A|
|time:1524141917|host:::1|message:community.cloudflare.com|type:AAAA|
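To read a pasted log like the one above without eyeballing it, here is an added example (not code from the thread or from the dnscrypt-proxy / Simple DNSCrypt projects) that parses the `|time:…|host:…|message:…|type:…|` rows and summarises them. The sample rows are copied from the post; the summary fields are my own choice of what to look at, not a documented tool. The one subtlety the format hides is the client cell: `host:::1` is key `host` with value `::1`, the IPv6 loopback address, so each cell must be split on its first colon only.

```python
"""Parse the Simple DNSCrypt / dnscrypt-proxy query log rows pasted in the
thread and summarise who asked for what.

Added example; not code from the thread or from the dnscrypt-proxy project.
The summary logic (counts per client/type, names asked for both A and AAAA)
is an assumption about what is useful to look at, not a documented feature.
"""
from collections import Counter
from datetime import datetime, timezone

# Constructed sample: a handful of rows copied verbatim from the pasted log.
SAMPLE_LOG = """\
| time | host | message | type |
|---|---|---|---|
|time:1524141740|host:::1|message:community.cloudflare.com|type:A|
|time:1524141740|host:::1|message:community.cloudflare.com|type:AAAA|
|time:1524141747|host:::1|message:crl.microsoft.com|type:A|
|time:1524141792|host:::1|message:www.facebook.com|type:A|
|time:1524141792|host:::1|message:star-mini.c10r.facebook.com|type:AAAA|
"""


def parse_row(row):
    """Turn one `|key:value|key:value|...|` row into a dict.

    Each cell is split on the FIRST colon only: the client cell reads
    `host:::1`, i.e. key `host`, value `::1` (IPv6 loopback). Splitting on
    every colon would destroy the address.
    """
    cells = [c for c in row.strip().strip("|").split("|") if c]
    rec = {}
    for cell in cells:
        key, sep, value = cell.partition(":")
        if not sep:
            raise ValueError(f"cell without key:value separator: {cell!r}")
        rec[key] = value
    # The time column is a Unix timestamp (seconds).
    rec["time"] = datetime.fromtimestamp(int(rec["time"]), tz=timezone.utc)
    return rec


def parse_log(text):
    """Parse every data row; header/separator rows have no ':' and are skipped."""
    return [parse_row(line) for line in text.splitlines()
            if line.strip().startswith("|") and ":" in line]


def summarise(records):
    """Counts per client address and per query type, plus the names that were
    asked for both A and AAAA (a dual-stack client resolving one hostname)."""
    by_host = Counter(r["host"] for r in records)
    by_type = Counter(r["type"] for r in records)
    types_per_name = {}
    for r in records:
        types_per_name.setdefault(r["message"], set()).add(r["type"])
    dual = sorted(n for n, t in types_per_name.items() if {"A", "AAAA"} <= t)
    return {"by_host": by_host, "by_type": by_type, "dual_stack_names": dual}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    s = summarise(recs)
    print("clients:", dict(s["by_host"]))
    print("query types:", dict(s["by_type"]))
    print("names asked for both A and AAAA:", s["dual_stack_names"])
```

Run against the full pasted log, every row reports the client as `::1`: the resolver on this PC is being reached over the IPv6 loopback address, which is also the `Address: ::1` nslookup printed in the first post.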


#8

My problem with nslookup has stopped. It now shows correct results.

I think I know why.

On my Win 7 Pro 64-bit machine, I have been using Simple DNSCrypt to install and adjust settings for the dnscrypt-proxy process and service (which presumably encrypts my DNS lookup queries and directs them to a good list of DNS resolvers who don’t keep logs, etc.).

Simple DNSCrypt has various “switches” for its settings. However, I think Simple DNSCrypt is buggy about those switches and is not toggling through the settings the way we think they are. Those switches require some “jiggling”.

Just now, for different reasons, I toggled back and forth the switches at “Main Menu - Using IPv6 Server” (leaving it off, its original setting) and “Advanced Settings - Block IPv6” (leaving it on, its original setting). Now nslookup works.

I think the jiggling in Simple DNSCrypt did the trick.

Could someone else try, please?


#9

The firewall logs for zone transfers are unrelated; it’s the nameserver on your CPE transferring local zones from your ISP (not sure what for).

Glad you found the issue, seems like you don’t have IPv6 connectivity (at least to the resolvers). We’re working on a website to troubleshoot resolver reachability problems more easily, so I’ll make sure IPv6 connectivity gets added there!


#10

mvavrusa - Thanks for attention. However, everything you just wrote is way above my level. My wife says I aspire to be a geek, but I’m just a nerd.

I’m VERY curious to understand what you wrote, so please do give us the “for Dummies” version.

Also - FYI - I just read elsewhere the past few days that my ISP, Verizon, does NOT do IPv6. I can confirm that by going to http://ipv6-test.com/. Does that affect my issue and your efforts?


#11

What I meant is, your modem (or wifi), the one that you got from Verizon, is running its own DNS proxy. In addition to being a DNS proxy, it provides some special domains (fios-router.home) that exist only in your network for internal purposes. The messages you see are the modem trying to update the contents of these domains.

Yes, if your ISP doesn’t support IPv6, it’s not going to work properly in default configuration, and you fixed it by disabling IPv6. We’re working on a webpage similar to this one. It would basically show you if you can reach 1.1.1.1 (and if not, why not).
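The check mvavrusa describes (can this host reach 1.1.1.1, and over which address family?) and the symptom in post #2 (nslookup talking to `::1` and timing out after 2 seconds) can be reproduced with a small probe. The following is an added example, not code from the thread, from nslookup or from dnscrypt-proxy: it sends the same kind of UDP query nslookup sends, with nslookup's 2-second timeout, to the local stub (`127.0.0.1` / `::1`, where dnscrypt-proxy listens) and to 1.1.1.1 / 2606:4700:4700::1111 directly, so "my proxy is not answering" and "IPv6 is not routed from this host" show up as different rows. The `fake_exchange` stand-in, the server list and the reply it fabricates are constructed for offline use.

```python
"""Per-resolver DNS reachability probe over IPv4 and IPv6.

Added example; not from the thread, nslookup or dnscrypt-proxy. Builds a
minimal RFC 1035 query, parses the reply (including name compression) and
reports answer / timeout / unreachable per server. `fake_exchange` is a
constructed offline stand-in used by the demo and the test.
"""
import os
import socket
import struct
import sys

QTYPE_A, QTYPE_AAAA = 1, 28


def build_query(name, qtype=QTYPE_A, txid=None):
    """Header (RD=1, one question) + QNAME + QTYPE + QCLASS IN."""
    if txid is None:
        txid = int.from_bytes(os.urandom(2), "big")
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode("ascii")
                     for l in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1), txid


def _read_name(msg, off):
    """Read a possibly compressed name; return (name, offset after it)."""
    labels, jumped, end = [], False, None
    for _ in range(128):                      # bound the pointer chase
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                 # compression pointer
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            off, jumped = ptr, True
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    else:
        raise ValueError("name compression loop")
    return ".".join(labels), (end if jumped else off)


def parse_response(msg, expect_txid):
    """Return rcode and the A/AAAA addresses in the answer section."""
    txid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if txid != expect_txid:
        raise ValueError("transaction id mismatch")
    off = 12
    for _ in range(qd):                       # skip the echoed question(s)
        _, off = _read_name(msg, off)
        off += 4
    answers = []
    for _ in range(an):
        _, off = _read_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == QTYPE_A and rdlen == 4:
            answers.append(socket.inet_ntop(socket.AF_INET, rdata))
        elif rtype == QTYPE_AAAA and rdlen == 16:
            answers.append(socket.inet_ntop(socket.AF_INET6, rdata))
    return {"rcode": flags & 0xF, "answers": answers}


def udp_exchange(server, packet, timeout=2.0):
    """Real transport: one UDP datagram to port 53, nslookup's 2 s timeout."""
    fam = socket.AF_INET6 if ":" in server else socket.AF_INET
    with socket.socket(fam, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(packet, (server, 53))
        return s.recvfrom(4096)[0]


def fake_exchange(server, packet, timeout=2.0):
    """Constructed offline stand-in: IPv6 servers are 'unreachable', IPv4
    servers answer 50.31.169.131 (the address seen on the XP box) via a
    compression pointer to the question name."""
    if ":" in server:
        raise OSError("Network is unreachable")
    header = packet[:2] + b"\x81\x80" + struct.pack("!HHHH", 1, 1, 0, 0)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, 1, 300, 4) + bytes([50, 31, 169, 131])
    return header + packet[12:] + answer


def probe(server, name, qtype=QTYPE_A, exchange=udp_exchange):
    packet, txid = build_query(name, qtype)
    try:
        return parse_response(exchange(server, packet), txid)
    except OSError as e:                      # includes socket.timeout
        return {"error": "timeout" if isinstance(e, socket.timeout) else type(e).__name__}


if __name__ == "__main__":
    live = "--live" in sys.argv
    for srv in ["127.0.0.1", "::1", "1.1.1.1", "2606:4700:4700::1111"]:
        print(srv, probe(srv, "arstechnica.com", exchange=udp_exchange if live else fake_exchange))
```

Without `--live` the demo uses the constructed stand-in; with it, the four rows tell you directly whether the local stub answers at all and whether the IPv6 resolver is reachable from this host. On a network with no IPv6 route, the `2606:…` row returning an error while `1.1.1.1` answers is the situation mvavrusa describes.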


#12

mvavrusa - I can see that I’m reaching 1.1.1.1, exclusively so for DNS queries.

How can I test that, in fact, with dnscrypt-proxy, my DNS queries are also encrypted?


#13

If you are using dnscrypt-proxy, your requests will always be encrypted; it will never send anything unencrypted.

And if you see logs after having enabled them, and apparently you do, it means that you are effectively using it. So, you’re all set :slight_smile:


#14

It took a while, but we made a website that shows you if you’re connected to 1.1.1.1 and if you’re using DNS over TLS or DNS over HTTPS, so you can check in your browser: https://1.1.1.1/help/


#15

That’s great!

So it says

| Check | Result |
|---|---|
| Using DNS over HTTPS (DoH) | Yes |
| Using DNS over TLS (DoT) | No |

Is that good or so-so? Is HTTPS better than TLS?

By the way, your new site says to post this, so here it is:
https://1.1.1.1/help/#eyJpc0NmIjoiWWVzIiwiaXNEb3QiOiJObyIsImlzRG9oIjoiWWVzIiwicmVzb2x2ZXJJcC0xLjEuMS4xIjoiWWVzIiwicmVzb2x2ZXJJcC0xLjAuMC4xIjoiWWVzIiwicmVzb2x2ZXJJcC0yNjA2OjQ3MDA6NDcwMDo6MTExMSI6Ik5vIiwicmVzb2x2ZXJJcC0yNjA2OjQ3MDA6NDcwMDo6MTAwMSI6Ik5vIiwiZGF0YWNlbnRlckxvY2F0aW9uIjoiRVdSIiwiaXNwTmFtZSI6IkNsb3VkZmxhcmUiLCJpc3BBc24iOiIxMzMzNSJ9

How are we doing?
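The link the help page asks you to post carries the whole result in its `#` fragment, so anyone reading the thread can recover the full table rather than the two rows quoted. Here is an added example (not the thread's or Cloudflare's code) that decodes it; it assumes only that the fragment is base64-encoded JSON, which is what the pasted link contains, and the key names come from that decoded text rather than from any published specification. The `assess()` mapping of the Yes/No fields onto the questions asked in the thread is my own.

```python
"""Decode the result fragment of a https://1.1.1.1/help/ link.

Added example; not from the thread or from Cloudflare. Assumption: the text
after '#' is base64-encoded JSON (true of the pasted link). The key names
used in assess() are taken from that decoded JSON, not from a spec.
"""
import base64
import json
from urllib.parse import urlsplit

# The link pasted in the post above.
POSTED_LINK = (
    "https://1.1.1.1/help/#eyJpc0NmIjoiWWVzIiwiaXNEb3QiOiJObyIsImlzRG9oIjoiWWVzIiwi"
    "cmVzb2x2ZXJJcC0xLjEuMS4xIjoiWWVzIiwicmVzb2x2ZXJJcC0xLjAuMC4xIjoiWWVzIiwicmVz"
    "b2x2ZXJJcC0yNjA2OjQ3MDA6NDcwMDo6MTExMSI6Ik5vIiwicmVzb2x2ZXJJcC0yNjA2OjQ3MDA6"
    "NDcwMDo6MTAwMSI6Ik5vIiwiZGF0YWNlbnRlckxvY2F0aW9uIjoiRVdSIiwiaXNwTmFtZSI6IkNs"
    "b3VkZmxhcmUiLCJpc3BBc24iOiIxMzMzNSJ9"
)


def decode_help_fragment(url):
    """Return the JSON object encoded in the URL fragment."""
    frag = urlsplit(url).fragment
    if not frag:
        raise ValueError("no #fragment in URL")
    # Tolerate the URL-safe alphabet and stripped '=' padding.
    b64 = frag.replace("-", "+").replace("_", "/")
    b64 += "=" * (-len(b64) % 4)
    return json.loads(base64.b64decode(b64, validate=True).decode("utf-8"))


def assess(result):
    """Map the Yes/No fields onto the questions asked in the thread."""
    def yes(key):
        return result.get(key) == "Yes"
    v4 = [k for k in result if k.startswith("resolverIp-") and "." in k]
    v6 = [k for k in result if k.startswith("resolverIp-") and ":" in k]
    return {
        "connected_to_cloudflare": yes("isCf"),
        "encrypted": yes("isDoh") or yes("isDot"),
        "transport": "DoH" if yes("isDoh") else ("DoT" if yes("isDot") else "plain"),
        "ipv4_resolvers_reachable": bool(v4) and all(yes(k) for k in v4),
        "ipv6_resolvers_reachable": bool(v6) and all(yes(k) for k in v6),
    }


if __name__ == "__main__":
    result = decode_help_fragment(POSTED_LINK)
    for key, value in result.items():
        print(f"{key}: {value}")
    print(assess(result))
```

Decoded, the pasted link says both IPv4 resolver addresses are reachable and both IPv6 ones (`2606:4700:4700::1111`, `2606:4700:4700::1001`) are not, which is the same "no IPv6 connectivity to the resolvers" finding from earlier in the thread, now visible in the help page's own output.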


#16

It’s just fine! My vote goes with DNS over HTTPS. As HTTP(S) evolves (HTTP/2, TLS, etc), so will DoH.


#17

Both DoH and DoT are secure and fairly similar (at least now), so you’re good!