I run a fairly simple system for DNS resolution: My system uses NetworkManager and systemd-resolved in stub mode, where my router (fritz box) is setup for DNS resolution. My router uses DNS-over-TLS (DoT).
My question is how to check if DNS resolution works as intended.
In the fritz box menu I use two fall back DNSv4-Server 194.242.2.2 , 78.46.244.143 and the following DoT entries: blank.dnsforge.de, unicast.uncensoreddns.org , dns.mullvad.net
First check (in Terminal):
host dns.fritz.box
dns.fritz.box has address 194.242.2.2
dns.fritz.box has address 138.199.149.249
dns.fritz.box has address 78.46.244.143
dns.fritz.box has address 89.233.43.71
dns.fritz.box has address 78.47.71.194
Second Check (in terminal using AUR package dnsleaktest)
dnsleaktest
Your IP:
xx.xxx.xxx.xxx [Germany, AS12312 Ecotel Communication AG]You use 2 DNS servers:
2a03:1b20:6:f011::8888 [Germany, AS39351 31173 Services AB]
185.213.155.123 [Germany, AS39351 31173 Services AB]Conclusion:
DNS may be leaking.
Terminal output of whois 185.213.155.123 (result of dnsleaktest)
whois 185.213.155.123
% This is the RIPE Database query service.
% The objects are in RPSL format.
%
% The RIPE Database is subject to Terms and Conditions.
% See https://docs.db.ripe.net/terms-conditions.html
% Note: this output has been filtered.
% To receive output for a database update, use the “-B” flag.
% Information related to ‘185.213.155.0 - 185.213.155.255’
% Abuse contact for ‘185.213.155.0 - 185.213.155.255’ is ‘abuse-cust-de@31173.se’
inetnum: 185.213.155.0 - 185.213.155.255
netname: NET-31173-185-213-155
country: DE
geoloc: 50.0970 8.6570
language: de
descr: 31173 Services AB infrastructure in Frankfurt, Germany.
org: ORG-SG351-RIPE
admin-c: SG17105-RIPE
tech-c: SG17105-RIPE
abuse-c: SG17105-RIPE
status: ASSIGNED PA
mnt-by: ESAB-MNT
created: 2020-05-04T09:36:05Z
last-modified: 2020-05-05T11:39:47Z
source: RIPE
organisation: ORG-SG351-RIPE
org-name: 31173 Services Germany
org-type: OTHER
geoloc: 50.0970 8.6570
language: de
address: 31173 Services AB
address: Scheelegatan 9
address: 21228
address: Malmo
address: SWEDEN
admin-c: SG17105-RIPE
tech-c: SG17105-RIPE
abuse-c: SG17105-RIPE
mnt-by: ESAB-MNT
mnt-ref: ESAB-MNT
created: 2020-05-04T08:59:40Z
last-modified: 2024-01-22T09:34:46Z
source: RIPE # Filtered
role: 31173 Services Germany
address: 31173 Services AB
address: Scheelegatan 9
address: 21228
address: Malmo
address: SWEDEN
abuse-mailbox: abuse-cust-de@31173.se
admin-c: NEMO1-RIPE
tech-c: KPE-RIPE
nic-hdl: SG17105-RIPE
mnt-by: ESAB-MNT
created: 2020-05-04T08:47:40Z
last-modified: 2024-01-22T09:39:47Z
source: RIPE # Filtered
% Information related to ‘185.213.155.0/24AS39351’
route: 185.213.155.0/24
origin: AS39351
mnt-by: ESAB-MNT
created: 2017-10-21T11:33:04Z
last-modified: 2020-05-04T09:37:23Z
source: RIPE
% This query was served by the RIPE Database Query Service version 1.119 (BUSA)
Third check
In fritz box menu Internet/online monitor/connection details/currently used DNS Server it says: 194.242.2.2.
According to mullvad webpage, 194.242.2.2 is the IP address for their DNS server.
Summary:
I believe that my fritz box connects to 194.242.2.2, a Mullvad DNS server, which translates within Mullvad’s internal enterprise environment to the responding DNS server 185.213.155.123. The problem is that whois does nowhere say Mullvad is owner of 185.213.155.123, only for 194.242.2.2.
So how would I know that my DNS resolution works as intended? Is there a command to trace it?
Mullvad is just an example. I experienced it with other DoT’s too.