zonemaster-cli does not work inside Docker container
Given the following Dockerfile:
FROM kalilinux/kali-rolling
RUN apt-get update
RUN apt-get install -y zonemaster-cli
ENTRYPOINT ["zonemaster-cli"]
CMD ["--level", "WARNING", "--no-progress"]
When I build the image and run the container:
$ docker build -t zonemaster-problem .
$ docker run -it zonemaster-problem example.com
The output I see is:
Seconds Level Message
======= ======== =======
0.06 WARNING The parent zone cannot be determined on name servers "".
0.06 ERROR "example.com" does not exist as a DNS zone. Try to test "com" instead.
0.13 CRITICAL Not enough data about example.com was found to be able to run tests.
When I run the same command directly on the host machine, zonemaster-cli gives the expected output:
$ zonemaster-cli --level WARNING --no-progress example.com
Seconds Level Message
======= ======== =======
40.89 WARNING Nameserver a.iana-servers.net has an IP address (199.43.135.53) without PTR configured.
43.96 WARNING Nameserver a.iana-servers.net/199.43.135.53 responds with an unexpected RCODE (REFUSED) on an SOA query over UDP.
43.96 WARNING Nameserver a.iana-servers.net/199.43.135.53 responds with an unexpected RCODE (REFUSED) on an NS query over UDP.
43.97 WARNING Nameserver b.iana-servers.net/199.43.133.53 responds with an unexpected RCODE (REFUSED) on an SOA query over UDP.
43.97 WARNING Nameserver b.iana-servers.net/199.43.133.53 responds with an unexpected RCODE (REFUSED) on an NS query over UDP.
44.18 WARNING Nameserver a.iana-servers.net/199.43.135.53 responds with an unexpected RCODE (REFUSED) on an SOA query over TCP.
44.18 WARNING Nameserver a.iana-servers.net/199.43.135.53 responds with an unexpected RCODE (REFUSED) on an NS query over TCP.
45.51 WARNING Nameserver b.iana-servers.net/199.43.133.53 responds with an unexpected RCODE (REFUSED) on an SOA query over TCP.
45.51 WARNING Nameserver b.iana-servers.net/199.43.133.53 responds with an unexpected RCODE (REFUSED) on an NS query over TCP.
63.20 WARNING Nameserver a.iana-servers.net/199.43.135.53 response is not authoritative on UDP port 53.
63.20 WARNING Nameserver a.iana-servers.net/199.43.135.53 response is not authoritative on TCP port 53.
63.20 WARNING Nameserver b.iana-servers.net/199.43.133.53 response is not authoritative on UDP port 53.
63.20 WARNING Nameserver b.iana-servers.net/199.43.133.53 response is not authoritative on TCP port 53.
63.22 ERROR Nameserver a.iana-servers.net/199.43.135.53 is a recursor.
63.84 ERROR Nameserver b.iana-servers.net/199.43.133.53 is a recursor.
64.45 WARNING Erroneous response from nameserver a.iana-servers.net/199.43.135.53.
64.65 WARNING Erroneous response from nameserver b.iana-servers.net/199.43.133.53.
65.68 WARNING Nameserver a.iana-servers.net/199.43.135.53 answered A query with an unexpected rcode (REFUSED).
66.08 WARNING Nameserver b.iana-servers.net/199.43.133.53 answered A query with an unexpected rcode (REFUSED).
68.95 WARNING Erroneous response from nameserver a.iana-servers.net/199.43.135.53.
69.16 WARNING Erroneous response from nameserver b.iana-servers.net/199.43.133.53.
69.36 WARNING Erroneous response from nameserver a.iana-servers.net/199.43.135.53.
69.57 WARNING Erroneous response from nameserver b.iana-servers.net/199.43.133.53.
70.80 WARNING SOA MNAME name server "ns.icann.org/199.4.138.53" gives unexpected RCODE name ("REFUSED") in response to an SOA query.
Could you run both with --version?
@matsduf
Container:
$ docker run -it --entrypoint=bash zonemaster-problem
┌──(root㉿deb4ec2b1f1b)-[/]
└─# zonemaster-cli --version
Zonemaster-CLI version v6.0.2
Zonemaster-Engine version v4.7.3
Zonemaster-LDNS version 3.2.0
NL NetLabs LDNS version 1.8.3
Host:
$ zonemaster-cli --version
Zonemaster-CLI version v6.0.2
Zonemaster-Engine version v4.7.2
Zonemaster-LDNS version 3.2.0
NL NetLabs LDNS version 1.8.3
My installations have the same versions:
$ zonemaster-cli --version
Zonemaster-CLI version v6.0.3
Zonemaster-Engine version v4.7.3
Zonemaster-LDNS version 3.2.0
NL NetLabs LDNS version 1.8.3
docker run --platform linux/amd64 -t --rm zonemaster/cli --version
Zonemaster-CLI version v6.0.3
Zonemaster-Engine version v4.7.3
Zonemaster-LDNS version 3.2.0
NL NetLabs LDNS version 1.8.3
When I test example.com I get the same result:
$ zonemaster-cli example.com --level WARNING
Seconds Level Testcase Message
======= ======== ============== =======
11.63 WARNING CONNECTIVITY03 All authoritative nameservers have their IPv4 addresses in the same AS (26710).
11.63 WARNING CONNECTIVITY03 All authoritative nameservers have their IPv6 addresses in the same AS (26710).
$ docker run --platform linux/amd64 -t --rm zonemaster/cli --no-ipv6 example.com --level WARNING
Seconds Level Message
======= ======== =======
21.65 WARNING All authoritative nameservers have their IPv4 addresses in the same AS (26710).
21.65 WARNING All authoritative nameservers have their IPv6 addresses in the same AS (26710).
I get the same error using the zonemaster/cli image:
$ docker run --platform linux/amd64 -t --rm zonemaster/cli example.com
Seconds Level Message
======= ======== =======
0.06 WARNING The parent zone cannot be determined on name servers "".
0.07 ERROR "example.com" does not exist as a DNS zone. Try to test "com" instead.
0.14 CRITICAL Not enough data about example.com was found to be able to run tests.
I haven't changed anything network-related in either my docker installation or host machine. I have no clue about what is going on. Could you suggest something for me to investigate?
Can you test some other domain, such as zonemaster.net?
The following two lines in your output look strange:
63.22 ERROR Nameserver a.iana-servers.net/199.43.135.53 is a recursor.
63.84 ERROR Nameserver b.iana-servers.net/199.43.133.53 is a recursor.
Are you sure that your environment has full access and that 199.43.135.53 and 199.43.133.53 are not "hijacked"? Those two are not recursors when I test with dig:
; <<>> DiG 9.18.14 <<>> @199.43.135.53 xn--nameservertest.iis.se +noidnin +noidnout +noedns
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 51236
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available
;; QUESTION SECTION:
;xn--nameservertest.iis.se. IN A
;; Query time: 105 msec
;; SERVER: 199.43.135.53#53(199.43.135.53) (UDP)
;; WHEN: Sun Oct 08 08:57:28 UTC 2023
;; MSG SIZE rcvd: 43
What version of the zonemaster/cli image did you use?
Also the following look strange
40.89 WARNING Nameserver a.iana-servers.net has an IP address (199.43.135.53) without PTR configured.
; <<>> DiG 9.18.14 <<>> -x 199.43.135.53 +noedns
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40759
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;53.135.43.199.in-addr.arpa. IN PTR
;; ANSWER SECTION:
53.135.43.199.in-addr.arpa. 232 IN PTR a.iana-servers.net.
;; Query time: 0 msec
;; SERVER: 172.31.0.2#53(172.31.0.2) (UDP)
;; WHEN: Sun Oct 08 09:02:54 UTC 2023
;; MSG SIZE rcvd: 76
Can you test some other domain, such as zonemaster.net?
The container gives the same error output.
Host machine:
$ zonemaster-cli zonemaster.net --level WARNING
Seconds Level Message
======= ======== =======
40.21 WARNING Nameserver ns2.nic.fr has an IP address (192.93.0.4) without PTR configured.
56.29 WARNING Nameserver nsa.dnsnode.net has an IP address (194.58.192.46) without PTR configured.
56.95 WARNING Nameserver nsa.dnsnode.net has an IP address (2a01:3f1:46::53) without PTR configured.
57.45 WARNING Nameserver nsp.dnsnode.net has an IP address (194.58.198.32) without PTR configured.
58.28 WARNING Nameserver nsp.dnsnode.net has an IP address (2a01:3f1:3032::53) without PTR configured.
59.11 WARNING Nameserver nsu.dnsnode.net has an IP address (185.42.137.98) without PTR configured.
59.76 WARNING Nameserver nsu.dnsnode.net has an IP address (2a01:3f0:400::32) without PTR configured.
59.76 WARNING Nameserver ns2.nic.fr/192.93.0.4 responds with an unexpected RCODE (REFUSED) on an SOA query over UDP.
59.76 WARNING Nameserver ns2.nic.fr/192.93.0.4 responds with an unexpected RCODE (REFUSED) on an NS query over UDP.
59.77 WARNING Nameserver nsa.dnsnode.net/194.58.192.46 responds with an unexpected RCODE (REFUSED) on an SOA query over UDP.
59.77 WARNING Nameserver nsa.dnsnode.net/194.58.192.46 responds with an unexpected RCODE (REFUSED) on an NS query over UDP.
60.08 WARNING Nameserver nsp.dnsnode.net/194.58.198.32 responds with an unexpected RCODE (REFUSED) on an SOA query over UDP.
60.08 WARNING Nameserver nsp.dnsnode.net/194.58.198.32 responds with an unexpected RCODE (REFUSED) on an NS query over UDP.
60.28 WARNING Nameserver nsu.dnsnode.net/185.42.137.98 responds with an unexpected RCODE (REFUSED) on an SOA query over UDP.
60.28 WARNING Nameserver nsu.dnsnode.net/185.42.137.98 responds with an unexpected RCODE (REFUSED) on an NS query over UDP.
60.61 WARNING Nameserver ns2.nic.fr/192.93.0.4 responds with an unexpected RCODE (REFUSED) on an SOA query over TCP.
60.61 WARNING Nameserver ns2.nic.fr/192.93.0.4 responds with an unexpected RCODE (REFUSED) on an NS query over TCP.
61.73 WARNING Nameserver nsa.dnsnode.net/194.58.192.46 responds with an unexpected RCODE (REFUSED) on an SOA query over TCP.
61.73 WARNING Nameserver nsa.dnsnode.net/194.58.192.46 responds with an unexpected RCODE (REFUSED) on an NS query over TCP.
62.96 WARNING Nameserver nsp.dnsnode.net/194.58.198.32 responds with an unexpected RCODE (REFUSED) on an SOA query over TCP.
62.96 WARNING Nameserver nsp.dnsnode.net/194.58.198.32 responds with an unexpected RCODE (REFUSED) on an NS query over TCP.
63.67 WARNING Nameserver nsu.dnsnode.net/185.42.137.98 responds with an unexpected RCODE (REFUSED) on an SOA query over TCP.
63.67 WARNING Nameserver nsu.dnsnode.net/185.42.137.98 responds with an unexpected RCODE (REFUSED) on an NS query over TCP.
91.64 WARNING Nameserver ns2.nic.fr/192.93.0.4 response is not authoritative on UDP port 53.
91.64 WARNING Nameserver ns2.nic.fr/192.93.0.4 response is not authoritative on TCP port 53.
91.64 WARNING Nameserver nsa.dnsnode.net/194.58.192.46 response is not authoritative on UDP port 53.
91.64 WARNING Nameserver nsa.dnsnode.net/194.58.192.46 response is not authoritative on TCP port 53.
91.64 WARNING Nameserver nsp.dnsnode.net/194.58.198.32 response is not authoritative on UDP port 53.
91.64 WARNING Nameserver nsp.dnsnode.net/194.58.198.32 response is not authoritative on TCP port 53.
91.64 WARNING Nameserver nsu.dnsnode.net/185.42.137.98 response is not authoritative on UDP port 53.
91.64 WARNING Nameserver nsu.dnsnode.net/185.42.137.98 response is not authoritative on TCP port 53.
91.68 ERROR Nameserver ns2.nic.fr/192.93.0.4 is a recursor.
92.55 ERROR Nameserver nsa.dnsnode.net/194.58.192.46 is a recursor.
93.47 ERROR Nameserver nsp.dnsnode.net/194.58.198.32 is a recursor.
94.08 ERROR Nameserver nsu.dnsnode.net/185.42.137.98 is a recursor.
95.00 WARNING Erroneous response from nameserver ns2.nic.fr/192.93.0.4.
95.31 WARNING Erroneous response from nameserver nsa.dnsnode.net/194.58.192.46.
95.61 WARNING Erroneous response from nameserver nsp.dnsnode.net/194.58.198.32.
95.82 WARNING Erroneous response from nameserver nsu.dnsnode.net/185.42.137.98.
98.07 WARNING Nameserver ns2.nic.fr/192.93.0.4 answered A query with an unexpected rcode (REFUSED).
98.51 WARNING Nameserver nsa.dnsnode.net/194.58.192.46 answered A query with an unexpected rcode (REFUSED).
99.00 WARNING Nameserver nsp.dnsnode.net/194.58.198.32 answered A query with an unexpected rcode (REFUSED).
99.40 WARNING Nameserver nsu.dnsnode.net/185.42.137.98 answered A query with an unexpected rcode (REFUSED).
106.37 WARNING Erroneous response from nameserver ns2.nic.fr/192.93.0.4.
106.67 WARNING Erroneous response from nameserver nsa.dnsnode.net/194.58.192.46.
106.98 WARNING Erroneous response from nameserver nsp.dnsnode.net/194.58.198.32.
107.18 WARNING Erroneous response from nameserver nsu.dnsnode.net/185.42.137.98.
107.49 WARNING Erroneous response from nameserver ns2.nic.fr/192.93.0.4.
107.80 WARNING Erroneous response from nameserver nsa.dnsnode.net/194.58.192.46.
108.10 WARNING Erroneous response from nameserver nsp.dnsnode.net/194.58.198.32.
108.30 WARNING Erroneous response from nameserver nsu.dnsnode.net/185.42.137.98.
110.90 WARNING SOA MNAME name server "nsa.dnsnode.net/194.58.192.46" gives unexpected RCODE name ("REFUSED") in response to an SOA query.
What version of the zonemaster/cli image did you use?
$ docker image ls | grep zonemaster
zonemaster/cli latest c26e0e08f16c 4 weeks ago 61.8MB
Are you sure that your environment has full access
After installing Docker I ran sudo usermod -aG docker $USER so that I wouldn't need sudo every time.
Not sure if that could cause problems.
and that 199.43.135.53 and 199.43.133.53 are not "hijacked"?
Sorry, I don't know how to answer this question...
Do you have access to some computer somewhere else where you can run zonemaster-cli?
Can you repeat the dig query
$ dig @192.93.0.4 zonemaster.net soa +mult +noedns +norec
The expected response is
; <<>> DiG 9.18.14 <<>> @192.93.0.4 zonemaster.net soa +mult +noedns +norec
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52154
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;zonemaster.net. IN SOA
;; ANSWER SECTION:
zonemaster.net. 3600 IN SOA nsa.dnsnode.net. hostmaster.nic.se. (
1696747200 ; serial
14400 ; refresh (4 hours)
3600 ; retry (1 hour)
2592000 ; expire (4 weeks 2 days)
600 ; minimum (10 minutes)
)
;; Query time: 29 msec
;; SERVER: 192.93.0.4#53(192.93.0.4) (UDP)
;; WHEN: Sun Oct 08 10:51:08 UTC 2023
;; MSG SIZE rcvd: 100
Do you have access to some computer somewhere else where you can run zonemaster-cli?
I do. The computer I'm using is a Kali Linux laptop. I also have a Windows desktop with WSL:
$ neofetch
someone@somewhere
----------------------
OS: Ubuntu 20.04.6 LTS on Windows 10 x86_64
Kernel: 4.19.128-microsoft-standard
Uptime: 25 mins
Packages: 1283 (dpkg)
Shell: bash 5.0.17
Terminal: /dev/pts/0
CPU: AMD Ryzen 5 3600 (12) @ 3.593GHz
GPU: bc01:00:00.0 Microsoft Corporation Device 008e
Memory: 98MiB / 12730MiB
When I run zonemaster-cli on the WSL system I get:
$ zonemaster-cli zonemaster.net
Seconds Level Message
======= ========= =======
0.15 CRITICAL Nameservers for "." provided no NS records for tested zone. RCODE given was REFUSED.
0.15 CRITICAL Not enough data about zonemaster.net was found to be able to run tests.
$ zonemaster-cli example.com
Seconds Level Message
======= ========= =======
0.14 CRITICAL Nameservers for "." provided no NS records for tested zone. RCODE given was REFUSED.
0.15 CRITICAL Not enough data about example.com was found to be able to run tests.
Both the Windows desktop and the Kali laptop are connected to the same wifi network, if that matters.
Can you repeat the dig query
Kali laptop:
$ dig @192.93.0.4 zonemaster.net soa +mult +noedns +norec
; <<>> DiG 9.19.17-1-Debian <<>> @192.93.0.4 zonemaster.net soa +mult +noedns +norec
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 65395
;; flags: qr ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;zonemaster.net. IN SOA
;; Query time: 3 msec
;; SERVER: 192.93.0.4#53(192.93.0.4) (UDP)
;; WHEN: Sun Oct 08 22:31:56 -03 2023
;; MSG SIZE rcvd: 32
Windows desktop WSL:
$ dig @192.93.0.4 zonemaster.net soa +mult +noedns +norec
; <<>> DiG 9.16.1-Ubuntu <<>> @192.93.0.4 zonemaster.net soa +mult +noedns +norec
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 12800
;; flags: qr ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;zonemaster.net. IN SOA
;; Query time: 10 msec
;; SERVER: 192.93.0.4#53(192.93.0.4)
;; WHEN: Sun Oct 08 22:40:56 -03 2023
;; MSG SIZE rcvd: 32
I see that the output is not expected, but unfortunately I don't know how to interpret it.
Real 192.93.0.4 would not refuse to respond to the query about zonemaster.net. My interpretation is that there is something in between your wifi network and the Internet that captures all traffic to DNS (port 53), and that something returns the REFUSED. The operator of the network should know what is going on.
Maybe you can bring your laptop to somewhere where you can find a more open network. Try at a café, a shopping center or a friend's home (a friend not using the same broadband solution as yours). If you get a response on the query to 192.93.0.4 similar to mine, then you can try zonemaster-cli again.
With my question on a computer somewhere else I meant something outside your local network, e.g. a virtual server on AWS. On AWS you can get a small VPS for free for a year. Such a VPS is more than enough for a small installation of Zonemaster. There are other providers that offer free or very cheap VPSs.
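The dig comparison above can be turned into a repeatable check. The following is an added example (not code from the thread or from the Zonemaster project): it builds the same kind of non-recursive SOA query that `dig ... +norec +noedns` sends, and classifies the reply header. The decision rule is an assumption drawn from the two responses posted in this thread: a genuine authoritative reply carries `aa` with NOERROR, while a REFUSED reply that also advertises `ra` (recursion available) to a query that never asked for recursion did not come from an authoritative-only server, which is the signature of a resolver on the path answering in place of 192.93.0.4. The default server and name are the ones from the thread; the network probe needs real Internet access, while the parsing and classification run offline.

```python
"""Replicate the `dig @server zonemaster.net soa +norec +noedns` check and
classify the reply. Added example; the interception heuristic in classify()
is an assumption based on the responses posted in the thread."""
import secrets
import socket
import struct

QTYPE_SOA = 6
QCLASS_IN = 1
RCODE_NOERROR = 0
RCODE_REFUSED = 5

FLAG_QR = 0x8000  # message is a response
FLAG_AA = 0x0400  # authoritative answer
FLAG_RD = 0x0100  # recursion desired (set by the client)
FLAG_RA = 0x0080  # recursion available (set by a resolver)


def header_bytes(txid, flags, qdcount=1, ancount=0, nscount=0, arcount=0):
    """12-byte DNS header in wire format."""
    return struct.pack("!HHHHHH", txid, flags, qdcount, ancount, nscount, arcount)


def build_query(qname, qtype=QTYPE_SOA, rd=False, txid=None):
    """Wire-format query. rd=False mirrors dig's +norec: an authoritative
    server must answer from its own zone data, no recursion needed."""
    if txid is None:
        txid = secrets.randbits(16)
    question = b""
    for label in qname.rstrip(".").split("."):
        question += bytes([len(label)]) + label.encode("ascii")
    question += b"\x00" + struct.pack("!HH", qtype, QCLASS_IN)
    return header_bytes(txid, FLAG_RD if rd else 0) + question


def parse_header(msg):
    """Decode the header fields a practitioner reads off the dig output."""
    if len(msg) < 12:
        raise ValueError("short DNS message")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": txid,
        "qr": bool(flags & FLAG_QR),
        "aa": bool(flags & FLAG_AA),
        "rd": bool(flags & FLAG_RD),
        "ra": bool(flags & FLAG_RA),
        "rcode": flags & 0x000F,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def classify(hdr, expected_id=None):
    """Classify the reply to a non-recursive SOA query sent to an address that
    is supposed to be authoritative for the name (heuristic, see lead-in)."""
    if expected_id is not None and hdr["id"] != expected_id:
        return "id-mismatch"
    if not hdr["qr"]:
        return "not-a-response"
    if hdr["rcode"] == RCODE_NOERROR and hdr["aa"] and hdr["ancount"] > 0:
        return "authoritative"          # the reply matsduf posted
    if hdr["ra"]:
        # We never asked for recursion and an authoritative-only server does
        # not offer it; a reply advertising RA came from a resolver, i.e.
        # something on the path answered instead of the address we sent to.
        return "answered-by-recursor"   # the reply from the reporter's LAN
    if hdr["rcode"] == RCODE_REFUSED:
        return "refused"                # a.iana-servers.net refusing an off-zone name
    return "other"


def probe(server, qname="zonemaster.net", timeout=3.0):
    """Send the query over UDP port 53 and classify the reply. Needs network."""
    query = build_query(qname)
    txid = struct.unpack("!H", query[:2])[0]
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, 53))
        data, _ = sock.recvfrom(4096)
    return classify(parse_header(data), expected_id=txid)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "192.93.0.4"
    print(target, probe(target))
```

Run it from the container, from the host and from an outside VPS; if the container and host report `answered-by-recursor` while the VPS reports `authoritative`, the problem is the local network path, not Docker or zonemaster-cli.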
I'll give it a try as soon as I have the chance.