Wim_L
(Wim L)
July 17, 2021, 9:11am
17
What's worse, CoreDNS keeps breaking.
I have a secured network where all DNS/DoT/… is blocked.
After a few hours CoreDNS ‘forgets’ the DNS server assigned,
and just stops resolving completely, as it can't reach Cloudflare.
opened 08:22PM - 11 Jul 21 UTC
closed 04:22PM - 25 Apr 22 UTC
HA is configured with a local DNS resolver, while all other means of resolving are blocked on our home automation subnet.
When (re)started, HA DNS runs perfectly fine, and can resolve all queries through the assigned server.
```
ha dns info
host: 172.30.32.3
locals:
- dns://192.168.111.1
servers:
- dns://192.168.111.1
update_available: false
version: 2021.06.0
version_latest: 2021.06.0
~ $ ping google.be
PING google.be (142.251.36.35): 56 data bytes
```
After a few hours, the resolver just stops resolving through the programmed server and switches to DoT 1.0.0.1/1.1.1.1:853 for all DNS requests, which are all refused by the router of course. Somehow HA forgot that 192.168.111.1 is its assigned DNS server.
Edit: logs from the second the issue starts:
> [ERROR] plugin/errors: 2 . NS: tls: DialWithDialer timed out
> [INFO] 127.0.0.1:44137 - 6201 "NS IN . udp 40 true 2048" NOERROR - 0 1.001374795s
> [ERROR] plugin/errors: 2 . NS: tls: DialWithDialer timed out
> [INFO] 172.30.33.3:50563 - 6201 "NS IN . udp 40 false 4096" SERVFAIL qr,rd 17 6.071750661s
> [INFO] 127.0.0.1:45411 - 6201 "NS IN . udp 40 true 2048" NOERROR - 0 1.00095742s
> [ERROR] plugin/errors: 2 . NS: tls: DialWithDialer timed out
> [INFO] 127.0.0.1:44137 - 6201 "NS IN . udp 40 true 2048" NOERROR - 0 1.000966169s
> [ERROR] plugin/errors: 2 . NS: tls: DialWithDialer timed out
> [INFO] 172.30.33.3:52280 - 6201 "NS IN . udp 40 false 4096" SERVFAIL qr,rd 17 6.008133092s
> [INFO] 127.0.0.1:47155 - 3762 "A IN version.home-assistant.io. udp 54 true 2048" NOERROR - 0 1.004052137s
> [ERROR] plugin/errors: 2 version.home-assistant.io. A: tls: DialWithDialer timed out
> [INFO] 127.0.0.1:44272 - 3762 "A IN version.home-assistant.io. udp 54 true 2048" NOERROR - 0 1.000851399s
> [ERROR] plugin/errors: 2 version.home-assistant.io. A: tls: DialWithDialer timed out
> [INFO] 172.30.32.2:57753 - 3762 "A IN version.home-assistant.io. udp 43 false 512" SERVFAIL qr,rd 43 2.013838761s
> [INFO] 127.0.0.1:44704 - 15932 "A IN data.buienradar.nl. udp 47 true 2048" NOERROR - 0 1.001158626s
> [ERROR] plugin/errors: 2 data.buienradar.nl. A: tls: DialWithDialer timed out
> [INFO] 127.0.0.1:33818 - 16449 "AAAA IN data.buienradar.nl. udp 47 true 2048" NOERROR - 0 1.003631786s
> [ERROR] plugin/errors: 2 data.buienradar.nl. AAAA: tls: DialWithDialer timed out
> [INFO] 127.0.0.1:60988 - 15932 "A IN data.buienradar.nl. udp 47 true 2048" NOERROR - 0 1.000984262s
> [ERROR] plugin/errors: 2 data.buienradar.nl. A: tls: DialWithDialer timed out
> [INFO] 172.30.32.1:45411 - 15932 "A IN data.buienradar.nl. udp 36 false 512" SERVFAIL qr,rd 36 2.005486429s
> [INFO] 172.30.32.1:45411 - 15932 "A IN data.buienradar.nl. udp 36 false 512" SERVFAIL qr,aa,rd 36 0.00011969s
> [INFO] 172.30.32.1:45411 - 15932 "A IN data.buienradar.nl. udp 36 false 512" SERVFAIL qr,aa,rd 36 0.000257307s
> [INFO] 127.0.0.1:33982 - 16449 "AAAA IN data.buienradar.nl. udp 47 true 2048" NOERROR - 0 1.001272358s
> [ERROR] plugin/errors: 2 data.buienradar.nl. AAAA: tls: DialWithDialer timed out
> [INFO] 172.30.32.1:45411 - 15932 "A IN data.buienradar.nl. udp 36 false 512" SERVFAIL qr,aa,rd 36 0.000378729s
> [INFO] 172.30.32.1:45411 - 15932 "A IN data.buienradar.nl. udp 36 false 512" SERVFAIL qr,aa,rd 36 0.000304851s
> [INFO] 172.30.32.1:45411 - 16449 "AAAA IN data.buienradar.nl. udp 36 false 512" SERVFAIL qr,rd 36 2.010680479s
> [INFO] 172.30.32.1:45411 - 16449 "AAAA IN data.buienradar.nl. udp 36 false 512" SERVFAIL qr,aa,rd 36 0.000205219s
> [INFO] 172.30.32.1:45411 - 15932 "A IN data.buienradar.nl. udp 36 false 512" SERVFAIL qr,aa,rd 36 0.000374101s
> [INFO] 172.30.32.1:45411 - 15932 "A IN data.buienradar.nl. udp 36 false 512" SERVFAIL qr,aa,rd 36 0.000223414s
> [INFO] 172.30.32.1:45411 - 16449 "AAAA IN data.buienradar.nl. udp 36 false 512" SERVFAIL qr,aa,rd 36 0.000147082s
> [INFO] 172.30.32.1:45411 - 16449 "AAAA IN data.buienradar.nl. udp 36 false 512" SERVFAIL qr,aa,rd 36 0.000172155s
> [INFO] 172.30.32.1:45411 - 15932 "A IN data.buienradar.nl. udp 36 false 512" SERVFAIL qr,aa,rd 36 0.001195803s
> [INFO] 127.0.0.1:56238 - 58622 "A IN een.be. udp 35 true 2048" NOERROR - 0 1.001122865s
> [ERROR] plugin/errors: 2 een.be. A: tls: DialWithDialer timed out
Even tried the other way round to finally fix this:
set up my own DoT forwarding provider, plus redirect rules
(nginx streaming DNS over SSL).
Now HA still stops resolving, because:
`x509: certificate is valid for *.xxx.pw, xxx.pw, not cloudflare-dns.com`
So that's not gonna work either… (except if someone might have the Cloudflare cert)
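The log excerpt in this post has a recognisable signature: every query from a real client ends in SERVFAIL, and every upstream attempt dies with `tls: DialWithDialer timed out`, which is what a resolver that has switched to a DNS-over-TLS upstream the network blocks looks like. The script below is an added example (mine, not code from the post, Home Assistant or CoreDNS) that parses the two CoreDNS log line shapes shown above and flags that state. The "broken" sample copies the format of the post's lines; the "healthy" sample, the `min_queries` threshold and the decision to ignore lines whose client is 127.0.0.1 (treated here as CoreDNS's internal hop rather than a verdict delivered to a client) are assumptions for illustration.

```python
"""Flag CoreDNS getting stuck on an unreachable DNS-over-TLS upstream.

Added example; not part of the forum post, Home Assistant or CoreDNS.
Parses the two CoreDNS log shapes visible in the post:
  [INFO] <client>:<port> - <id> "<qtype> IN <name> <proto> <len> <do> <bufsize>" <rcode> <flags> <len> <secs>s
  [ERROR] plugin/errors: 2 <name> <qtype>: <error text>
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

INFO_RE = re.compile(
    r'^\[INFO\] (?P<client>[\d.]+):\d+ - (?P<id>\d+) '
    r'"(?P<qtype>\w+) IN (?P<name>\S+) \w+ \d+ (?:true|false) \d+" '
    r'(?P<rcode>\w+) (?P<flags>\S+) \d+ (?P<secs>[\d.]+)s$'
)
ERROR_RE = re.compile(
    r'^\[ERROR\] plugin/errors: \d+ (?P<name>\S+) (?P<qtype>\w+): (?P<err>.+)$'
)

# Constructed excerpt in the same format as the post's log (broken state).
SAMPLE_LOG = """\
[INFO] 127.0.0.1:44137 - 6201 "NS IN . udp 40 true 2048" NOERROR - 0 1.001374795s
[ERROR] plugin/errors: 2 . NS: tls: DialWithDialer timed out
[INFO] 172.30.33.3:50563 - 6201 "NS IN . udp 40 false 4096" SERVFAIL qr,rd 17 6.071750661s
[INFO] 127.0.0.1:47155 - 3762 "A IN version.home-assistant.io. udp 54 true 2048" NOERROR - 0 1.004052137s
[ERROR] plugin/errors: 2 version.home-assistant.io. A: tls: DialWithDialer timed out
[INFO] 172.30.32.2:57753 - 3762 "A IN version.home-assistant.io. udp 43 false 512" SERVFAIL qr,rd 43 2.013838761s
[ERROR] plugin/errors: 2 data.buienradar.nl. A: tls: DialWithDialer timed out
[INFO] 172.30.32.1:45411 - 15932 "A IN data.buienradar.nl. udp 36 false 512" SERVFAIL qr,rd 36 2.005486429s
[INFO] 172.30.32.1:45411 - 15932 "A IN data.buienradar.nl. udp 36 false 512" SERVFAIL qr,aa,rd 36 0.00011969s
"""

# Constructed lines showing what a healthy resolver would log (assumed values).
HEALTHY_LOG = """\
[INFO] 172.30.32.1:45411 - 15932 "A IN data.buienradar.nl. udp 36 false 512" NOERROR qr,rd,ra 68 0.012345s
[INFO] 172.30.32.2:57753 - 3762 "A IN version.home-assistant.io. udp 43 false 512" NOERROR qr,rd,ra 75 0.020000s
"""


@dataclass
class DnsHealth:
    queries: int              # distinct client queries (loopback client excluded)
    servfail: int             # ...of which were answered SERVFAIL
    tls_timeouts: int         # upstream attempts that died in the TLS dial
    other_errors: int         # upstream errors of any other kind
    names: List[str]          # names the clients asked for
    stuck_on_blocked_dot: bool


def parse_line(line: str) -> Optional[Tuple[str, Dict[str, str]]]:
    """Classify one log line as ('info', fields), ('error', fields) or None."""
    line = line.strip().lstrip('> ').strip()   # tolerate forum blockquote prefixes
    m = INFO_RE.match(line)
    if m:
        return 'info', m.groupdict()
    m = ERROR_RE.match(line)
    if m:
        return 'error', m.groupdict()
    return None


def analyze(log: str, min_queries: int = 3) -> DnsHealth:
    """Summarise a log excerpt and decide whether it shows the blocked-DoT state."""
    outcomes: Dict[Tuple[str, str, str], str] = {}   # (id, qtype, name) -> last rcode
    tls_timeouts = other_errors = 0
    for raw in log.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        kind, f = rec
        if kind == 'error':
            if 'tls:' in f['err'] and 'timed out' in f['err']:
                tls_timeouts += 1
            else:
                other_errors += 1
        elif not f['client'].startswith('127.'):
            # Assumption: 127.0.0.1 lines are CoreDNS re-querying itself; they log
            # NOERROR with a 0-byte reply even when the upstream failed, so only
            # responses to non-loopback clients count as verdicts.
            outcomes[(f['id'], f['qtype'], f['name'])] = f['rcode']
    queries = len(outcomes)
    servfail = sum(1 for rc in outcomes.values() if rc == 'SERVFAIL')
    stuck = (queries >= min_queries and servfail == queries
             and tls_timeouts > 0 and other_errors == 0)
    return DnsHealth(queries, servfail, tls_timeouts, other_errors,
                     sorted({k[2] for k in outcomes}), stuck)


if __name__ == '__main__':
    for label, log in (('broken', SAMPLE_LOG), ('healthy', HEALTHY_LOG)):
        print(label, analyze(log))
```

Run it against `ha dns logs` output (or a pasted excerpt; the parser strips a leading `> `) and alert on `stuck_on_blocked_dot`. The `x509` error at the end of the post is the other half of the picture: CoreDNS checks the presented certificate against the configured server name `cloudflare-dns.com`, which is exactly what DoT is for, so redirecting 1.1.1.1:853 to another host will fail that check unless that host holds a certificate valid for that name.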