{"id":683,"date":"2022-11-07T12:44:39","date_gmt":"2022-11-07T12:44:39","guid":{"rendered":"https:\/\/www.quppa.net\/blog\/?p=683"},"modified":"2022-12-14T05:15:55","modified_gmt":"2022-12-14T05:15:55","slug":"teamviewer-dnssec-broken","status":"publish","type":"post","link":"https:\/\/www.quppa.net\/blog\/2022\/11\/07\/teamviewer-dnssec-broken\/","title":{"rendered":"TeamViewer (sometimes) doesn&#8217;t work with DNSSEC enabled"},"content":{"rendered":"\n<p class=\"wp-block-paragraph\"><em>Update (2022-12-06):<\/em> It looks like TeamViewer fixed their DNS config (<a href=\"https:\/\/dnsviz.net\/d\/router1.teamviewer.com\/Y2z8xQ\/dnssec\/\">before<\/a> and <a href=\"https:\/\/dnsviz.net\/d\/router1.teamviewer.com\/Y48Vuw\/dnssec\/\">after<\/a>).<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><em>Update (2022-11-12): <\/em>I tested again after Frankie in the comments noted that it works on his machine, and indeed it does for me, too, even with DNSSEC turned back on. My only explanation is that it&#8217;s an intermittent issue.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">I couldn&#8217;t figure out why TeamViewer was perpetually stuck in the &#8216;Not ready. Please check your connection&#8217; state, and the <a href=\"https:\/\/community.teamviewer.com\/English\/kb\/articles\/49093-not-ready-please-check-your-connection\">help article<\/a> didn&#8217;t give any clues (port 5938 was already open for outbound connections).<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"622\" src=\"https:\/\/www.quppa.net\/blog\/wp-content\/uploads\/2022\/11\/2022-11-07-TeamViewer-1024x622.png\" alt=\"\" class=\"wp-image-684\" srcset=\"https:\/\/www.quppa.net\/blog\/wp-content\/uploads\/2022\/11\/2022-11-07-TeamViewer-1024x622.png 1024w, https:\/\/www.quppa.net\/blog\/wp-content\/uploads\/2022\/11\/2022-11-07-TeamViewer-300x182.png 300w, https:\/\/www.quppa.net\/blog\/wp-content\/uploads\/2022\/11\/2022-11-07-TeamViewer-768x466.png 768w, https:\/\/www.quppa.net\/blog\/wp-content\/uploads\/2022\/11\/2022-11-07-TeamViewer.png 1367w\" sizes=\"auto, (max-width: 709px) 85vw, (max-width: 909px) 67vw, (max-width: 1362px) 62vw, 840px\" \/><figcaption class=\"wp-element-caption\">The dreaded &#8216;Not ready. Please check your connection&#8217;<\/figcaption><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">The log files (<code>\/opt\/teamviewer\/logfiles\/TeamViewer15_Logfile.log<\/code> in Fedora) gave a hint:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>S!! HttpRequestImpl::CurlFinished(): curl request failed: Couldn't resolve host name (6), Could not resolve host: router1.teamviewer.com, Errorcode=97\nS!! CHttpConnectionOutgoing::ResolveDNSName: resolving DNS name failed, status = Failed, HTTP response code = 0, URL = 'http:\/\/router1.teamviewer.com\/cname.aspx', Errorcode=97\nS!! CHttpConnectionOutgoing::HandleResolveDNS: empty address, m_ConnectionState=0, Errorcode=97\nS!  CProcessCommandHandlerKeepAlive&#91;308]::HandleKeepAliveConnect(): Connect to KeepAliveServer failed\nS!!!KeepAliveSessionOutgoing::ConnectFailureHandler(): KeepAliveConnect to router1.teamviewer.com failed, Errorcode=97<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">The host would cycle from <code>router1.teamviewer.com<\/code> to <code>router16.teamviewer.com<\/code>, but none of them would resolve. Long story short, <a href=\"https:\/\/dnssec-debugger.verisignlabs.com\/router1.teamviewer.com\">DNSSEC is broken<\/a> for these TeamViewer domains, and the application won&#8217;t work if none of them can be reached.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Sadly, this problem was reported <a href=\"https:\/\/community.teamviewer.com\/English\/discussion\/91394\/authoritative-dns-returns-nxdomain-for-routerpool7-rlb-teamviewer-com\">years<\/a> <a href=\"https:\/\/twitter.com\/robcza\/status\/1255016572206428163\">ago<\/a> but nothing has changed.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Workarounds<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Neither of these is good! I recommend <a href=\"https:\/\/www.teamviewer.com\/en\/customer-support\/\">contacting TeamViewer<\/a> and letting them know about this issue (particularly if you&#8217;re a paying customer).<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Hard code an IP address in <code>hosts<\/code><\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Adding an IP address for <code>router1.teamviewer.com<\/code> to <code>hosts<\/code> seems to make the application functional.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>&gt; host router1.teamviewer.com 1.1.1.1\nUsing domain server:\nName: 1.1.1.1\nAddress: 1.1.1.1#53\nAliases: \n\nrouter1.teamviewer.com is an alias for routerpool1.rlb.teamviewer.com.\nrouterpool1.rlb.teamviewer.com has address 37.252.244.151\nrouterpool1.rlb.teamviewer.com has address 37.252.244.143\nrouterpool1.rlb.teamviewer.com has address 188.172.203.45\nrouterpool1.rlb.teamviewer.com has address 188.172.208.134\nrouterpool1.rlb.teamviewer.com has address 217.146.12.138\nrouterpool1.rlb.teamviewer.com has IPv6 address 2a00:11c0:28:351:217:146:11:108\nrouterpool1.rlb.teamviewer.com has IPv6 address 2a00:11c0:12:351:188:172:208:142\nrouterpool1.rlb.teamviewer.com has IPv6 address 2a00:11c0:13:351:37:252:244:135\nrouterpool1.rlb.teamviewer.com has IPv6 address 2a00:11c0:27:351:213:227:184:141\nrouterpool1.rlb.teamviewer.com has IPv6 address 2a00:11c0:45:351:217:146:12:138<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">I just picked the first IPv4 address and added it to <code>\/etc\/hosts<\/code>:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>37.252.244.151 router1.teamviewer.com<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">These IP addresses are of course liable to change.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Disable DNSSEC<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\"><em><strong>Note:<\/strong> DNSSEC <a href=\"https:\/\/www.cloudflare.com\/en-au\/learning\/dns\/dns-security\/\">exists for a reason<\/a> &#8211; don&#8217;t disable it unless absolutely necessary.<\/em><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The nuclear option is to turn off DNSSEC checks entirely, or switch to using DNS servers that don&#8217;t support it in the first place (I recommend neither).<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">On Fedora 36 with <code><a href=\"https:\/\/wiki.archlinux.org\/title\/systemd-resolved\">systemd-resolved<\/a><\/code>, this means editing <code>\/etc\/systemd\/resolved.conf<\/code> and adding <code>DNSSEC=no<\/code> under <code>[Resolve]<\/code>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Update (2022-12-06): It looks like TeamViewer fixed their DNS config (before and after). Update (2022-11-12): I tested again after Frankie in the comments noted that it works on his machine, and indeed it does for me, too, even with DNSSEC turned back on. My only explanation is that it&#8217;s an intermittent issue. I couldn&#8217;t figure &hellip; <a href=\"https:\/\/www.quppa.net\/blog\/2022\/11\/07\/teamviewer-dnssec-broken\/\" class=\"more-link\">Continue reading<span class=\"screen-reader-text\"> &#8220;TeamViewer (sometimes) doesn&#8217;t work with DNSSEC enabled&#8221;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":684,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3,4,9],"tags":[201,198,200,193,202,199],"class_list":["post-683","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-linux","category-miscellaneous","category-windows","tag-cloudflare","tag-dns","tag-dnssec","tag-fedora","tag-google","tag-teamviewer"],"_links":{"self":[{"href":"https:\/\/www.quppa.net\/blog\/wp-json\/wp\/v2\/posts\/683","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.quppa.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.quppa.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.quppa.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.quppa.net\/blog\/wp-json\/wp\/v2\/comments?post=683"}],"version-history":[{"count":7,"href":"https:\/\/www.quppa.net\/blog\/wp-json\/wp\/v2\/posts\/683\/revisions"}],"predecessor-version":[{"id":697,"href":"https:\/\/www.quppa.net\/blog\/wp-json\/wp\/v2\/posts\/683\/revisions\/697"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.quppa.net\/blog\/wp-json\/wp\/v2\/media\/684"}],"wp:attachment":[{"href":"https:\/\/www.quppa.net\/blog\/wp-json\/wp\/v2\/media?parent=683"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.quppa.net\/blog\/wp-json\/wp\/v2\/categories?post=683"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.quppa.net\/blog\/wp-json\/wp\/v2\/tags?post=683"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}