jedisct1/dnscrypt-server-docker

Last Docker Image

ooonea opened this issue · 8 comments

Hi, I updated the 'suami' and 'charis' servers with the latest server image on Docker Hub, modified 3 days ago. After updating, when I test the servers on the site https://cmdns.dev.dns-oarc.net/ I get results that I don't expect. The following tests fail: QNAME minimisation test, EDNS test, IPv6 test, TCP test, Basic DNS test. Before the update, the only test that failed was IPv6, because of my network configuration. But now why do all these new tests fail? Unfortunately on Docker Hub I can't see what changed from one version to another, but on GitHub I see that the last commit is the Unbound update. Can you help me understand?

Hi,

And sorry for the delayed response.

The last update was just about updating the base image itself, to the latest Alpine Linux release.

Do you have firewall rules? I tried to install this on Vultr for the first time, and noticed that I had to add additional rules to allow connections from 127.0.0.1.

These are the rules I ended up using in /etc/sysconfig/iptables to make it work: https://gist.githubusercontent.com/jedisct1/ee059b8ad2b84e404e639738c4c9eaa6/raw/b31ddba9dbf0c7fd8ec6299c858614d8d24776b1/iptables

Thank you so much for your reply, no matter when it arrived.

The suami and charis servers work perfectly even without the rule that allows 127.0.0.1; however, I added it.

Actually, nothing visibly changed after updating the Docker container. But all the tests on the page I told you about before, which were passing, now no longer pass. And it's not a test issue, because with the Cloudflare server the tests pass successfully.

[Screenshots from 2019-06-29 23-11-12, 23-11-38, 23-11-53 and 23-12-08]

That test seems to be completely broken...

I get the same results with a vanilla Unbound installation, and plain unencrypted Quad9 apparently doesn't support basic DNS, QNAME minimization nor randomized query IDs (of course they do).

Understood, but all the tests pass with the previous version on Docker Hub. What could it depend on? Do you know any other ways to test?

There's always the previous OARC test, GRC's test and the DNSSEC test.

Reliable tests for other features such as padding support would require a non web-based client.

Ok, as the attached txt output shows, the suami and charis servers support QNAME minimisation. The GRC, OARC and DNSSEC tests are also OK. The only thing in the GRC test is two critical issues: external ping replied and Alphabetic Case all lower (see the screenshot).

qnamemintest.txt

[Screenshot from 2019-06-30 07-32-56]

External ping means that the server responds to the ICMP ping command. This is not really an issue. Servers can block this but gain nothing in terms of actual security or visibility. By blocking it you prevent (very) simple ping scanners. Nmap, for example, is not fooled.

Alphabetic case means that queries are sent with mixed casing. This adds more randomness to the queries and makes DNS spoofing, which also requires guessing the correct port and ID, harder. But because some servers don’t respond correctly to mixed casing, some queries will be unanswered. Some servers have fallbacks or whitelists, but this is not perfect.

So in short I wouldn’t worry too much about it.
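The mixed-case mechanism described in the comment above (DNS 0x20 case randomisation), as an added example that is not code from this thread or from the dnscrypt-server-docker project: it applies a random case pattern to a query name, counts the entropy that adds on top of the source port and query ID, and shows how a resolver classifies a reply whose name comes back all-lowercase, which is the condition GRC flags. Function names are my own, and the search-space figure assumes fully random 16-bit ports and IDs.

```python
import secrets


def entropy_bits(qname: str) -> int:
    """Extra bits a blind spoofer must guess: one per ASCII letter in the name."""
    return sum(1 for ch in qname if ch.isalpha())


def apply_case_mask(qname: str, mask: int) -> str:
    """Bit i of mask selects upper case for the i-th letter; other characters unchanged."""
    out, i = [], 0
    for ch in qname:
        if ch.isalpha():
            out.append(ch.upper() if (mask >> i) & 1 else ch.lower())
            i += 1
        else:
            out.append(ch)
    return "".join(out)


def dns0x20_encode(qname: str) -> str:
    """Pick a fresh random case pattern for an outgoing query name."""
    return apply_case_mask(qname, secrets.randbits(entropy_bits(qname)))


def spoof_search_space(qname: str) -> int:
    """Guesses a blind spoof needs: 16-bit port x 16-bit ID x case bits.
    Simplification (assumption): the stub fully randomises ports and IDs."""
    return 2 ** (16 + 16 + entropy_bits(qname))


def check_response(sent_qname: str, answered_qname: str) -> str:
    """Classify the question name echoed in a reply.
    'ok': exact match including case, accept.
    'case-mismatch': same name, different case: the upstream rewrote the case
    (the GRC "all lower" finding) or a spoofer guessed port and ID but not the
    case pattern; a 0x20 resolver drops the reply. 'wrong-name': drop."""
    if answered_qname == sent_qname:
        return "ok"
    if answered_qname.lower() == sent_qname.lower():
        return "case-mismatch"
    return "wrong-name"


def fallback_query(sent_qname: str, verdict: str) -> "str | None":
    """The imperfect fallback the comment mentions: retry in all lower case,
    giving up the extra entropy for that server."""
    return sent_qname.lower() if verdict == "case-mismatch" else None


if __name__ == "__main__":
    q = dns0x20_encode("example.com")
    print(q, entropy_bits(q), check_response(q, q), check_response(q, q.lower()))
```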

By the way, blocking ICMP (which is usually what's being done instead of specifically ping) is a terrible idea and does more harm than good: http://shouldiblockicmp.com/