NGINX Bouncer doesn't resolve domain names with DNSSEC enabled

After enabling DNSSEC in Unbound the NGINX Bouncer stopped resolving my LAPI's domain name. DNS is working perfectly fine.
2025/10/03 20:30:48 [error] 148448#148448: *21469 [lua] stream.lua:157: stream_query_api(): request to crowdsec lapi https://lapi.example.com/v1/decisions/stream?startup=true failed: lapi.example.com could not be resolved (110: Operation timed out), context: ngx.timer
My LAPI domain name supports DNSSEC, so maybe the issue only happens for DNSSEC signed domains?
blotus (3mo ago)
The bouncer does not do any resolution by itself; it's performed by nginx (using the resolver set in the configuration). Do you see anything in the unbound logs?
GNU Plus Windows User
I know, but every time I enable it the bouncer just stops resolving DNSSEC-enabled domain names. I don't see any errors in my logs or issues in general; everything else is able to resolve my LAPI domain (including the agent itself), it's just the NGINX bouncer that's having issues.
blotus (3mo ago)
I tried to reproduce, but no luck. I've enabled DNSSEC on my domain, created an A record that points to 127.0.0.1, and used that in my openresty bouncer config: no issues, openresty can query LAPI without issue (the machine is using resolved as a resolver (with DNSSEC validation enabled), not unbound, so there's a difference here). I also had a look at the nginx code: no trace of any attempt to validate or do anything related to DNSSEC, and looking at tcpdump, nginx only does an A/AAAA query; the RRSIG query is made by resolved itself. And just to be sure and exclude a potential issue elsewhere, does a dig +dnssec @yourresolver lapi.example.net show the RRSIG record and the ad flag when run from the machine where nginx is running?
GNU Plus Windows User
I've tried with systemd-resolved as well but same issue. By pure luck, I found the issue: My upstream DNS server is configured to drop IPv6 records, so the bouncer was trying to connect to my LAPI over IPv6 but didn't fail over to IPv4
blotus (3mo ago)
If you haven't yet, you can set ipv6=off as a parameter to resolver in your nginx config to prevent it from requesting AAAA records.
GNU Plus Windows User
I can't find any directive like that in the manpage (I've also tried that and it doesn't work), but I did find:
Note that to refuse AAAA record (unlike SRV, TXT, etc.) completely, please also disable IPv6 stack in kernel with "sysctl -w net.ipv6.conf.all.disable_ipv6=1".
blotus (3mo ago)
Weird, according to https://nginx.org/en/docs/http/ngx_http_core_module.html#resolver it should work for any version that supports resolving IPv6.
GNU Plus Windows User
Oh, I thought you meant within systemd-resolved. I just finished testing this and it fixed my issue.
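The fix blotus describes, shown as a before/after nginx configuration fragment. This is an added example, not the bouncer's own config or anything posted in the thread; the resolver address 127.0.0.1 (Unbound on localhost) and the valid= setting are assumptions.

```nginx
# Before (assumed starting point): the resolver nginx uses for the bouncer's
# Lua cosockets. Without an ipv6 flag nginx sends both an A and an AAAA query
# for lapi.example.com. As found in the thread, when the upstream resolver
# drops AAAA answers the lookup does not fall back to the A result and the
# bouncer logs "could not be resolved (110: Operation timed out)".
http {
    resolver 127.0.0.1 valid=30s;      # assumed: Unbound listening on localhost

    # ... crowdsec bouncer directives and server blocks unchanged ...
}

# After: request A records only, so a dropped AAAA answer can no longer stall
# the lookup. ipv6=off is the parameter documented for the resolver directive.
http {
    resolver 127.0.0.1 valid=30s ipv6=off;

    # ... crowdsec bouncer directives and server blocks unchanged ...
}

# Checks to run on the nginx host before and after the change (from the thread):
#   dig +dnssec @127.0.0.1 lapi.example.com   # expect RRSIG records and the "ad" flag
#   dig @127.0.0.1 lapi.example.com AAAA      # a prompt answer (even empty) is fine;
#                                             # a timeout here reproduces the bouncer error
#   nginx -t && nginx -s reload               # validate, then apply the new resolver line
```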
CrowdSec (3mo ago)
Resolving: NGINX Bouncer doesn't resolve domain names with DNSSEC enabled. This has now been resolved. If you think this is a mistake please run /unresolve