On 2024-01-13 17:10 UTC, Klemens Nanni <k...@openbsd.org> wrote:
> On Sat, Jan 13, 2024 at 05:48:43PM +0100, Florian Obser wrote:
>> I think we need to improve debug logging a bit, but I'm pretty sure you
>> are hitting
>>
>> 	} else
>> 		checked_resolver->state = DEAD; /* we know the root exists */
>>
>> on line 1588 in resolver.c. I.e. your fritz.box makes up some DNS
>> bullshit and isn't suitable as a resolver.
>>
>> Out of idle curiosity, what's the result of
>>
>> dig @fd00... . NS ?
>
> $ dig @fd00::4a5d:35ff:feab:7938 . NS
>
> ; <<>> dig 9.10.8-P1 <<>> @fd00::4a5d:35ff:feab:7938 . NS
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 33334
> ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;.				IN	NS
>
> ;; AUTHORITY SECTION:
> fritz.box.		9	IN	SOA	fritz.box. admin.fritz.box. 1705165655 21600 1800 43200 10
>
> ;; Query time: 1 msec
> ;; SERVER: fd00::4a5d:35ff:feab:7938#53(fd00::4a5d:35ff:feab:7938)
> ;; WHEN: Sat Jan 13 18:07:35 CET 2024
> ;; MSG SIZE  rcvd: 68
>
Uh huh. So your fritz.box is telling you that there are no name servers for
the root zone. Amazing.

Anyway, so the idea behind force was to make split horizon DNS work. But
that's really complicated and we kinda half-arsed it[1].

Say you have evil-corp.example.com that resolves to something from the
internet and something different when you are at evil-corp's office. You'd
force evil-corp.example.com to a forwarder that's only reachable from the
office network. When you are outside of the office you can't reach the
internal forwarder and so resolve evil-corp.example.com via the internet.

For this to work unwind has to fall back to other resolvers when it detects
that the forwarder is dead.

Obviously this doesn't work with your fritz.box because it just messes
around with DNS.

[1] We made one kind of split horizon DNS work. There are many others. I
have ideas but I'm not particularly motivated since
- it's not a problem I have
- I think split horizon DNS is fundamentally broken

-- 
In my defence, I have been left unsupervised.
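The liveness rule the thread describes (ask a forwarder for `. NS`; a resolver that answers NXDOMAIN for the root is lying and gets marked dead) as an added example, written here for illustration and not taken from unwind's resolver.c or from anyone in this thread. The two wire-format responses are constructed: `FRITZBOX_NXDOMAIN` is built from the dig output quoted above (id 33334, flags qr aa rd ra, a fritz.box SOA in the authority section), and `SANE_ROOT_NS` is a made-up answer that lists `a.root-servers.net.` as a root server. The `probe_forwarder` helper and its 2-second timeout are assumptions for running the check against a real server.

```python
import socket
import struct

QTYPE_NS, QTYPE_SOA, QCLASS_IN = 2, 6, 1
RCODE_NOERROR, RCODE_NXDOMAIN = 0, 3


def encode_name(name):
    """Dotted name -> uncompressed DNS wire format; "." encodes as a single zero byte."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii")
                   for l in name.rstrip(".").split(".") if l)
    return out + b"\x00"


def decode_name(msg, off):
    """Decode a possibly compressed name at off; return (dotted name, next offset)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                       # compression pointer
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (off if end is None else end)


def build_root_ns_query(msg_id):
    """Wire form of 'dig . NS': one question, RD set, nothing else."""
    header = struct.pack("!HHHHHH", msg_id, 0x0100, 1, 0, 0, 0)
    return header + encode_name(".") + struct.pack("!HH", QTYPE_NS, QCLASS_IN)


def parse_response(msg):
    """Parse header, skip the question, collect (owner, type, rdata) per section."""
    msg_id, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        _, off = decode_name(msg, off)
        off += 4                                        # qtype + qclass
    sections = {"answer": [], "authority": [], "additional": []}
    for sec, count in (("answer", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            owner, off = decode_name(msg, off)
            rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            sections[sec].append((owner, rtype, msg[off:off + rdlen]))
            off += rdlen
    return {"id": msg_id, "rcode": flags & 0xF, "aa": bool(flags & 0x0400), **sections}


def classify_forwarder(resp):
    """The root zone exists and has NS records; anything else means the forwarder is
    making things up and must be treated as DEAD so unwind-style fallback can kick in."""
    if resp["rcode"] != RCODE_NOERROR:                  # NXDOMAIN for "." is the fritz.box case
        return "DEAD"
    if not any(o == "." and t == QTYPE_NS for o, t, _ in resp["answer"]):
        return "DEAD"                                   # NOERROR but no root NS set
    return "ALIVE"


def _rr(owner, rtype, ttl, rdata):
    return encode_name(owner) + struct.pack("!HHIH", rtype, QCLASS_IN, ttl, len(rdata)) + rdata


def _response(msg_id, rcode, aa, answer, authority):
    flags = 0x8180 | (0x0400 if aa else 0) | rcode      # qr rd ra (+aa) + rcode
    header = struct.pack("!HHHHHH", msg_id, flags, 1, len(answer), len(authority), 0)
    question = encode_name(".") + struct.pack("!HH", QTYPE_NS, QCLASS_IN)
    return header + question + b"".join(answer) + b"".join(authority)


# Constructed: the fritz.box answer from the thread (status NXDOMAIN, authority SOA).
_soa = (encode_name("fritz.box.") + encode_name("admin.fritz.box.")
        + struct.pack("!IIIII", 1705165655, 21600, 1800, 43200, 10))
FRITZBOX_NXDOMAIN = _response(33334, RCODE_NXDOMAIN, True, [],
                              [_rr("fritz.box.", QTYPE_SOA, 9, _soa)])

# Constructed: what a sane resolver says about the root.
SANE_ROOT_NS = _response(1, RCODE_NOERROR, False,
                         [_rr(".", QTYPE_NS, 518400, encode_name("a.root-servers.net."))], [])


def probe_forwarder(server, port=53, timeout=2.0):
    """Send the '. NS' query over UDP and classify the reply (assumed helper, not run in tests)."""
    family = socket.AF_INET6 if ":" in server else socket.AF_INET
    with socket.socket(family, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_root_ns_query(0x1234), (server, port))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return "DEAD"                               # unreachable forwarder, e.g. off-site
    return classify_forwarder(parse_response(data))


if __name__ == "__main__":
    print("fritz.box-style reply:", classify_forwarder(parse_response(FRITZBOX_NXDOMAIN)))
    print("sane reply:", classify_forwarder(parse_response(SANE_ROOT_NS)))
```

A timeout is classified the same way as a bogus answer on purpose: both are the "forwarder is dead, use the other resolvers" condition the thread relies on for the off-site case. The difference the thread complains about is that the fritz.box is reachable and answers confidently, so only the content check catches it.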