    Slow DNS after 22.05

    DHCP and DNS
    270 Posts 31 Posters 133.5k Views
    • lohphat @kvhs

      @kvhs said in Slow DNS after 22.05:

      I find this one solved in 1.16.0 interesting though: https://github.com/NLnetLabs/unbound/issues/670

      This seems a reasonable trail to start following -- this may be an out of memory/heap issue.

      Just curious, for those of us seeing issues are you also running IPv6? I am.

      In the bug notes it seems that disabling IPv6 addressed the issue as less memory overhead is needed. I wonder if the unbound changes may necessitate bumping up memory allocation to prevent spurious lookup failures.

      SG-3100 24.11-RELEASE (arm) | Avahi (2.2_6) | ntopng (5.6.0_1) | openvpn-client-export (1.9.5) | pfBlockerNG-devel (3.2.1_20) | System_Patches (2.2.20_1)

      • Kempain @bigbadvoodoodaddy

        @bigbadvoodoodaddy

        Just enabled logging level 4 and also see a few 'outnettcp got tcp error -1' errors but no idea if it's related.

        @lohphat

        Also running IPv6.

        Not sure I can actually rollback unless I can use config backup from 22.05 on 22.01.
        Wondering if it would be better if I just wipe and reinstall 22.05, then restore config just in case something got messed up with the upgrade.

        I believe I saw @johnpoz runs an SG-5100 too, and upgraded from 22.01 to 22.05 and doesn't have the same problems.

        • Gertjan @Kempain

          Add me to the list #nothingtodeclare

          Running 22.05 on an Intel based box, an SG-4100.
          I'm using IPv6, although tunnel based, using ipv6.he.net

          unbound settings are native, that is, I'm not forwarding, unbound makes use of the "13 main Internet Root servers".
          On the Services > DNS Resolver > Advanced Settings I have set :
          Query Name Minimization
          Prefetch Support
          Prefetch DNS Key Support
          Harden DNSSEC Data
          Serve Expired
          Keep Probing
          Experimental Bit 0x20 Support
          Other values are - I guess, default.

          On the Services > DNS Resolver >General Settings page :

          Network Interfaces : All
          Outgoing Network Interfaces : All
          DNSSEC : Enabled ( Remember : DNSSEC makes sense only when you are NOT forwarding )
          Python Module : Enabled ( As I'm using pfBlockerng-devel also)
          Note : DHCP Registration NOT set, which means unbound doesn't get restarted on every DHCP lease event. All known important LAN devices have static MAC DHCP leases.
          Static DHCP : enabled (as this one won't restart unbound)
          Custom options : None.

          Memory usage ? How often unbound restarts ? Requests handled ?
          I have all the hard numbers and graphs, so I can see if something is happening, and I can check if a setting makes any changes.
          Look here.

          Remember : this is DNS. I can't have or tolerate a 'doesn't work'

          Also : Netgate pfSense comes with a default DNS set up. This one works out of the box (there might be one exception, read below) : why not use that setting and be done with it ?
          And no, Netgate does not ask you to forward to any DNS requests to some company's remote resolver. pfSense has its own resolver.

          Yes, I've tried forwarding, it did seem to work fine, but I never kept this mode for longer than a couple of days. I guess I don't need a remote resolver as unbound does a good job doing that for me.

          Btw : I'm using 22.05 on a SG4100 for a couple of weeks now. Before that, I was using a bare bone Intel box using a quad Intel NIC setup. Never had any issues except for the major unbound bugs that touched everybody back then, and that was always corrected immediately.
          I never had to go back to a previous version, and that for the last 10+ years, since pfSense version 1.x

          Networks usage : 3 LANs, one major company LAN, one untrusted client "captive portal" LAN with a bunch of access points for the hotel clients, one DMZ type LAN.
          No VLAN stuff

          I'm using pfBlockerng-devel, it syncs feeds once a week, with a minimal feeds list. I'm just blocking the major ads and bads hit list.

          My ISP gives me a good (I guess) uplink with a static IPv4. It's still VDSL copper wire (about 24 Mbits sec down). This will be fibre in a very near future.

          I tend to use pfSense functionality that I "know", that I can debug, that I trust, that I understand.

          And one last thing (and please, I do not want to offend anyone here) :
          I rent a 'big' bare bone server for my web sites, mail and other stuff like Munin. I'm handling all my own DNS needs myself, using bind (named), about 20 domain names. My registrar's name server entries point to my own DNS name servers, a master and two or three DNS backup servers (small VPSs).
          For 99,9 % of the time, I regularly check my DNS. For example, I use this site to mention just one.
          Because I'm doing my own DNSSEC, I use this. Many other test sites exist.
          The majority of the DNS tests are done remotely and locally using "dig".

          And here it is : no one should be handling their own DNS, as this forces you to fully understand what DNS is, how it works, how to see issues and how to deal with them 😊
          I didn't see another way to fully understand this 'DNS' thing.
          But, suddenly, when you know all DNS, DNS will never be an issue any more.

          Consider this : take a small 1 $/€ a month VPS, and a domain name (5 $/€ a year ?) and play with your own domain name. You'll be massacring loads of misunderstandings pretty fast.
          This was called 'learning' back then ;)

          Do not underestimate the number of times your local pfSense has no issue at all, but you're simply visiting a site that has issues with its DNS. Just wait it out. Don't start modifying your own setup as it was good already.
          Even Facebook managed to completely disappear from the net, a year or so ago, because some guy really messed up.

          No "help me" PM's please. Use the forum, the community will thank you.
          Edit : and where are the logs ??

          • johnpoz LAYER 8 Global Moderator @Kempain

            @kempain said in Slow DNS after 22.05:

            runs an SG-5100 too

            I'm on a SG4860, and correct I have seen zero issues with dns running 22.05 since the day it dropped.

            An intelligent man is sometimes forced to be drunk to spend time with his fools
            If you get confused: Listen to the Music Play
            Please don't Chat/PM me for help, unless mod related
            SG-4860 24.11 | Lab VMs 2.7.2, 24.11

            • mynet @johnpoz

              First post to add one more to the list.

              SG-1100 with no problems prior to the update. I did have some issues with the update so am running a brand new, fresh installation. The only changes from stock are to admin password, host name, and adding google DNS servers (8.8.8.8 and 8.8.4.4)

              I have had extensive problems with MacOS/iOS devices and very little if any with windows. I thought it was IPv6 related b/c no IPv6 on the windows machines but enabling it did not produce any problems (either that or I didn't leave it turned on long enough).

              Having some flashbacks to dial-up modem days....

              • johnpoz LAYER 8 Global Moderator @mynet

                @mynet said in Slow DNS after 22.05:

                and adding google DNS servers (8.8.8.8 and 8.8.4.4)

                So you're doing forwarding? And you're forwarding via TLS, i.e. DoT?

                An intelligent man is sometimes forced to be drunk to spend time with his fools
                If you get confused: Listen to the Music Play
                Please don't Chat/PM me for help, unless mod related
                SG-4860 24.11 | Lab VMs 2.7.2, 24.11

                • mynet @johnpoz

                  @johnpoz said in Slow DNS after 22.05:

                  So you're doing forwarding? And you're forwarding via TLS, i.e. DoT?

                  No. I'm not trying (or trying not to) do anything beyond the basics. I mindlessly followed the initial configuration guide (https://docs.netgate.com/pfsense/en/latest/solutions/sg-1100/initial-configuration.html) which suggests those two addresses.

                  Beyond that, in System/General Settings/Advanced/DNS Server Settings, DNS server override is checked, and DNS Resolution Behavior is set to Use Local DNS and Fall Back to Remote DNS Servers.

                  In Services/DNS Resolver, Enable DNS Resolver is checked, and In Services/DNS Forwarder, Enable DNS Forwarder is unchecked.

                  All of this is what I had in the prior version which worked fine.

                  One thing that seems different for me compared to some others is that I haven't noticed any issues with a windows machine though I haven't used it extensively. As I said, I thought the issue might be IPv6, but I am not sure now.

                  • johnpoz LAYER 8 Global Moderator @mynet

                    @mynet said in Slow DNS after 22.05:

                    https://docs.netgate.com/pfsense/en/latest/solutions/sg-1100/initial-configuration.html

                    Have no idea why those are in there.. Out of the box those wouldn't even be used by clients, and would only be used by pfsense if unbound failed to work..

                    They are pointless to be in there unless resolving fails, and clients wouldn't work anyway.. Only pfsense would be able to resolve stuff and check on its updates, etc..

                    The guide should prob be reworked with more detail on what a resolver is, how it works out of the box and that you don't need to put anything in for dns, and most likely don't even want dhcp to override and set dns, etc. Only if resolving is not working should you look to doing that.

                    An intelligent man is sometimes forced to be drunk to spend time with his fools
                    If you get confused: Listen to the Music Play
                    Please don't Chat/PM me for help, unless mod related
                    SG-4860 24.11 | Lab VMs 2.7.2, 24.11

                    • lohphat @johnpoz

                      @johnpoz Wouldn't initial DNS resolver IPs be useful if you were still installing packages during initial config in an environment where DNS is blocked/filtered (e.g. in a datacenter) and unbound was in a state where it's not able to resolve yet (e.g. a VPN config needs to be setup) until config is completed later?

                      Without initial external DNS, does unbound have an initial list of hard-coded IPs for the root servers to bootstrap DNS?

                      SG-3100 24.11-RELEASE (arm) | Avahi (2.2_6) | ntopng (5.6.0_1) | openvpn-client-export (1.9.5) | pfBlockerNG-devel (3.2.1_20) | System_Patches (2.2.20_1)

                      • johnpoz LAYER 8 Global Moderator @lohphat

                        @lohphat said in Slow DNS after 22.05:

                        where DNS is blocked/filtered

                        If dns is blocked how are you talking to 8.8.8.8 ;)

                        Yes there are scenarios where you would have to forward, say an ISP that only allows access to its dns.. Believe if you're on a SAT connection for example you're limited to specific NS you can talk to..

                        My point in reworking that guide is it could give the impression that you need dns, when out of the box you don't need to set anything.. Because out of the box unbound is a resolver.. So unless you have some specific restrictions in place there is no need to put in anything..

                        Finding the piece that completes this puzzle - is it boxes on ARM? Is it only ARM that forward via TLS? There is some piece to this puzzle missing that would complete it and make sense.

                        All I can say is I have had zero issues with unbound resolving.. but I am not on arm, and I don't do anything like forwarding. Pretty much unbound out of the box config, other than I set a min ttl of 1 hour and serve zero.. I also do min for qname, but allow for fallback, because if you don't there are lots of cname stuff that ends up having issues - stupid ass MS with like chained cnames 7 deep and shit ;) I think there is some technet domains that fail if you don't allow for fallback on the qname stuff, etc.

                        An intelligent man is sometimes forced to be drunk to spend time with his fools
                        If you get confused: Listen to the Music Play
                        Please don't Chat/PM me for help, unless mod related
                        SG-4860 24.11 | Lab VMs 2.7.2, 24.11

                        • lohphat @johnpoz

                          @johnpoz said in Slow DNS after 22.05:

                          @lohphat said in Slow DNS after 22.05:

                          where DNS is blocked/filtered

                          If dns is blocked how are you talking to 8.8.8.8 ;)

                          ...or an internal datacenter DNS server 😜

                          We are in agreement that the docs do need a rework as do the info text blocks to document defaults and any dependencies on other settings.

                          I'd be all in for a single click "Return page (or package) settings to default values".

                          SG-3100 24.11-RELEASE (arm) | Avahi (2.2_6) | ntopng (5.6.0_1) | openvpn-client-export (1.9.5) | pfBlockerNG-devel (3.2.1_20) | System_Patches (2.2.20_1)

                          • Gertjan @lohphat

                            @lohphat said in Slow DNS after 22.05:

                            Without initial external DNS, does unbound have an initial list of hard-coded IPs for the root servers to bootstrap DNS?

                            Repeat with me :

                            @gertjan said in Slow DNS after 22.05:

                            unbound makes use of the "13 main Internet Root servers".

                            Resolvers like bind actually have a text file that is used to init these servers :

                            ;       This file holds the information on root name servers needed to
                            ;       initialize cache of Internet domain name servers
                            ;       (e.g. reference this file in the "cache  .  <file>"
                            ;       configuration file of BIND domain name servers).
                            ;
                            ;       This file is made available by InterNIC 
                            ;       under anonymous FTP as
                            ;           file                /domain/named.cache
                            ;           on server           FTP.INTERNIC.NET
                            ;       -OR-                    RS.INTERNIC.NET
                            ;
                            ;       last update:    February 17, 2016
                            ;       related version of root zone:   2016021701
                            ;
                            ; formerly NS.INTERNIC.NET
                            ;
                            .                        3600000      NS    A.ROOT-SERVERS.NET.
                            A.ROOT-SERVERS.NET.      3600000      A     198.41.0.4
                            A.ROOT-SERVERS.NET.      3600000      AAAA  2001:503:ba3e::2:30
                            ;
                            ; FORMERLY NS1.ISI.EDU
                            ;
                            .                        3600000      NS    B.ROOT-SERVERS.NET.
                            B.ROOT-SERVERS.NET.      3600000      A     192.228.79.201
                            B.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:84::b
                            ;
                            ; FORMERLY C.PSI.NET
                            ;
                            .                        3600000      NS    C.ROOT-SERVERS.NET.
                            C.ROOT-SERVERS.NET.      3600000      A     192.33.4.12
                            C.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:2::c
                            ;
                            ; FORMERLY TERP.UMD.EDU
                            ;
                            .                        3600000      NS    D.ROOT-SERVERS.NET.
                            D.ROOT-SERVERS.NET.      3600000      A     199.7.91.13
                            D.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:2d::d
                            ;
                            ; FORMERLY NS.NASA.GOV
                            ;
                            .                        3600000      NS    E.ROOT-SERVERS.NET.
                            E.ROOT-SERVERS.NET.      3600000      A     192.203.230.10
                            ;
                            ; FORMERLY NS.ISC.ORG
                            ;
                            .                        3600000      NS    F.ROOT-SERVERS.NET.
                            F.ROOT-SERVERS.NET.      3600000      A     192.5.5.241
                            F.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:2f::f
                            ;
                            ; FORMERLY NS.NIC.DDN.MIL
                            ;
                            .                        3600000      NS    G.ROOT-SERVERS.NET.
                            G.ROOT-SERVERS.NET.      3600000      A     192.112.36.4
                            ;
                            ; FORMERLY AOS.ARL.ARMY.MIL
                            ;
                            .                        3600000      NS    H.ROOT-SERVERS.NET.
                            H.ROOT-SERVERS.NET.      3600000      A     198.97.190.53
                            H.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:1::53
                            ;
                            ; FORMERLY NIC.NORDU.NET
                            ;
                            .                        3600000      NS    I.ROOT-SERVERS.NET.
                            I.ROOT-SERVERS.NET.      3600000      A     192.36.148.17
                            I.ROOT-SERVERS.NET.      3600000      AAAA  2001:7fe::53
                            ;
                            ; OPERATED BY VERISIGN, INC.
                            ;
                            .                        3600000      NS    J.ROOT-SERVERS.NET.
                            J.ROOT-SERVERS.NET.      3600000      A     192.58.128.30
                            J.ROOT-SERVERS.NET.      3600000      AAAA  2001:503:c27::2:30
                            ;
                            ; OPERATED BY RIPE NCC
                            ;
                            .                        3600000      NS    K.ROOT-SERVERS.NET.
                            K.ROOT-SERVERS.NET.      3600000      A     193.0.14.129
                            K.ROOT-SERVERS.NET.      3600000      AAAA  2001:7fd::1
                            ;
                            ; OPERATED BY ICANN
                            ;
                            .                        3600000      NS    L.ROOT-SERVERS.NET.
                            L.ROOT-SERVERS.NET.      3600000      A     199.7.83.42
                            L.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:3::42
                            ;
                            ; OPERATED BY WIDE
                            ;
                            .                        3600000      NS    M.ROOT-SERVERS.NET.
                            M.ROOT-SERVERS.NET.      3600000      A     202.12.27.33
                            M.ROOT-SERVERS.NET.      3600000      AAAA  2001:dc3::35
                            ; End of file
                            

                            unbound has these compiled in the code.

                            @mynet said in Slow DNS after 22.05:

                            System/General Settings/Advanced/DNS

                            Strange, that is System => General Setup / DNS Server Settings for me.
                            "DNS Server Override" exists for ancient reasons, when a typical PPP uplink would give you an IP WAN, gateway and one or two upstream ISP DNS servers, as relaying through the old internet up to the main 13 ( see above ) root servers would take time, and caching wasn't a thing yet.

                            These days you don't have to use the ISP DNS, or some Alphabet cache resolver any more.

                            And as already mentioned, there are still uplink connections like satellite ( the geo orbit ones ) that should really use a DNS cache resolver as close as possible.
                            For 99,8 % of the rest of us : no more DNS settings needed.

                            The initial configuration wizard of pfSense makes you think you have to fill in something. It actually asks and mentions DNS related stuff to "help" the 0,2 % of the users.
                            This "DNS Server Override" setting, "Allow DNS server list to be overridden by DHCP/PPP on WAN or remote OpenVPN server", is of course something you don't want in the vast majority of all cases.

                            Here are the no-DNS-issues settings for the 99,8 % :

                            (screenshot of the DNS Server Settings page)

                            No "help me" PM's please. Use the forum, the community will thank you.
                            Edit : and where are the logs ??

                            • mynet @Gertjan

                              @gertjan said in Slow DNS after 22.05:

                              Strange, that is System=> General Setup / DNS Server Settings for me.

                              Not sure where I got what I wrote previously. It is System => General Setup / DNS Server Settings for me as well.

                              I will replicate your settings and see what happens.

                              Interestingly, it won't let me delete both of the google servers. With both listed, there is a delete button by each. When I deleted the first one, the delete button for the second one disappeared. So I have 1 google server and have unchecked DNS Server Override.

                              • johnpoz LAYER 8 Global Moderator @mynet

                                @mynet said in Slow DNS after 22.05:

                                When I deleted the first one, the delete button for the second one disappeared

                                Well, if you're forwarding in unbound, I don't think it will let you delete the dns server it would be forwarding to.

                                An intelligent man is sometimes forced to be drunk to spend time with his fools
                                If you get confused: Listen to the Music Play
                                Please don't Chat/PM me for help, unless mod related
                                SG-4860 24.11 | Lab VMs 2.7.2, 24.11

                                • mynet @johnpoz

                                  @johnpoz said in Slow DNS after 22.05:

                                  Well, if you're forwarding in unbound, I don't think it will let you delete the dns server it would be forwarding to.

                                  I'm not forwarding (at least I don't think I am). In Services/DNS Forwarder, Enable DNS Forwarder is unchecked.

                                  I don't want to lose sight of the topic of the thread though, and regardless of my settings, it's still the case that it worked on 22.01 (with these settings) and doesn't (intermittently) on 22.05. As I said though I have not had issues with Windows though I am on my phone or iPad more than that computer so maybe I just have gotten lucky there.

                                  Given that there haven't been any new reports in the last day or so, perhaps I will go back up and try some of the suggested settings.

                                  (Having said all of that, I do appreciate the feedback and background. I assumed I either needed to provide the DNS servers or rely on the ISP's, for example.)

                                  • johnpoz LAYER 8 Global Moderator @mynet

                                    @mynet I think I know what is happening... If you only have 1 set, you cannot delete it because that is where you would put 1 if you wanted one.

                                    Just clear it out and hit save..

                                    example

                                    (screenshot of the DNS server field being cleared)

                                    Just delete the numbers and then hit save at the bottom.

                                    An intelligent man is sometimes forced to be drunk to spend time with his fools
                                    If you get confused: Listen to the Music Play
                                    Please don't Chat/PM me for help, unless mod related
                                    SG-4860 24.11 | Lab VMs 2.7.2, 24.11

                                    • mynet @johnpoz

                                      @johnpoz said in Slow DNS after 22.05:

                                      Just clear it out and hit save..

                                      That worked, thanks.

                                      • Kempain

                                        Super interesting thread and a lot of knowledge here.

                                        So if I understand correctly (which is a big if!), are these assumptions correct?

                                        pfSense uses the 13 root servers by default and will only use the defined DNS servers (in general settings) for the firewall if local DNS fails AND you have fall back to remote set, OR if you have use remote ignore local set in DNS Resolution Behaviour?

                                        DNS servers listed in general settings are only used by client devices if you enable DNS forwarding and/or DNS Query Forwarding (and you're not using DNS Server Override)?

                                        DNS Server Override will (typically) use your ISP's DNS servers rather than the 13 root servers unless you're using OpenVPN?

                                        From a security standpoint I'm assuming it makes no sense to use anything other than local and to block remote failback?
                                        The only question I'd have here is whether the 13 root servers all support DNSSEC etc.

                                        Assuming one really only wanted to use external DNS servers such as Cloudflare or Quad9 for both the firewall and client devices, would the process be to:

                                        • Add the DNS servers in general settings
                                        • Enable use remote, ignore local in resolution behaviour
                                        • Enable dns forwarding and dns query forwarding

                                        Excuse anything I may have misunderstood above, just trying to get my head around it all as I definitely misunderstood these features previously (and may still do).

                                        • johnpoz LAYER 8 Global Moderator @Kempain

                                          @kempain said in Slow DNS after 22.05:

                                          The only question I'd have here is whether the 13 root servers all support DNSSEC etc.

                                          You're not understanding the use of the 13 roots; those are just to get the ball rolling, they point to the gTLD servers, i.e. which servers to talk to for the different TLDs.

                                          ;com.                           IN      NS
                                          
                                          ;; ANSWER SECTION:
                                          com.                    86400   IN      NS      d.gtld-servers.net.
                                          com.                    86400   IN      NS      i.gtld-servers.net.
                                          com.                    86400   IN      NS      c.gtld-servers.net.
                                          com.                    86400   IN      NS      a.gtld-servers.net.
                                          com.                    86400   IN      NS      e.gtld-servers.net.
                                          com.                    86400   IN      NS      l.gtld-servers.net.
                                          com.                    86400   IN      NS      j.gtld-servers.net.
                                          com.                    86400   IN      NS      g.gtld-servers.net.
                                          com.                    86400   IN      NS      h.gtld-servers.net.
                                          com.                    86400   IN      NS      b.gtld-servers.net.
                                          com.                    86400   IN      NS      k.gtld-servers.net.
                                          com.                    86400   IN      NS      f.gtld-servers.net.
                                          com.                    86400   IN      NS      m.gtld-servers.net.
                                          
                                          ;; QUESTION SECTION:
                                          ;org.                           IN      NS
                                          
                                          ;; ANSWER SECTION:
                                          org.                    3600    IN      NS      b0.org.afilias-nst.org.
                                          org.                    3600    IN      NS      b2.org.afilias-nst.org.
                                          org.                    3600    IN      NS      c0.org.afilias-nst.info.
                                          org.                    3600    IN      NS      d0.org.afilias-nst.org.
                                          org.                    3600    IN      NS      a0.org.afilias-nst.info.
                                          org.                    3600    IN      NS      a2.org.afilias-nst.info.
                                          

                                          etc...

                                          When you resolve you walk down the tree..

                                          Hey roots who should I talk to for .net
                                          hey .net servers who should I talk to for domain.net

                                          Hey NS for domain.net what is the A record for www.domain.net

                                          But yes roots have dnssec, but that doesn't mean all tlds support dnssec, nor does it mean the authoritative ns for domain.net has enabled dnssec.

                                          If you want to use quad9, you wouldn't setup ignore local unless you didn't want to resolve any local sources. But yeah you would have to setup forwarding in unbound, or use the forwarder vs unbound.

                                          As to the roots all supporting dnssec..

                                          https://www.stackscale.com/blog/root-dnssec-ksk-ceremony/

                                          The 13 roots servers are only authoritative for the root zone " . " this zone has the NS records for all the tlds NS..

                                          Keep in mind it doesn't have to do this every time you ask for whatever.somedomain.tld - once it has asked the roots for NS of .tld then it caches those, and doesn't have to ask roots again for somethingelse.tld, it just asks .tld servers for ns of whateverdomain.tld until the TTL of those NS has expired.

                                          Once it knows the NSers for whateverdomain.tld, it just asks one of the NS when you ask for www.whateverdomain.tld or serverX.whateverdomain.tld, etc.

                                          The "roots" are only talked to to get the NS for the .tld you're asking about.

                                          An intelligent man is sometimes forced to be drunk to spend time with his fools
                                          If you get confused: Listen to the Music Play
                                          Please don't Chat/PM me for help, unless mod related
                                          SG-4860 24.11 | Lab VMs 2.7.2, 24.11

                                          GertjanG 1 Reply Last reply Reply Quote 1
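                                          The referral walk and NS caching described in the post above, as an added toy simulation (not code from the thread or from unbound). All zone data, server names and TTLs below are constructed, and root hints are assumed pre-loaded as a real resolver's priming step would do.

```python
"""Toy iterative resolver: walks root -> TLD -> zone NS and caches each
referral for its TTL, so the roots are asked again only after the TLD's NS
records expire. Added example with constructed data, not real DNS records."""
from dataclasses import dataclass, field

ROOT_HINTS = ["a.root-servers.net."]  # stands in for the priming/root hints file
# Constructed delegation data: child zone -> (TTL seconds, NS names), i.e. what
# the parent zone's servers would hand back as a referral. Not real records.
DELEGATIONS = {
    "net.": (172800, ["a.gtld-servers.net."]),
    "domain.net.": (3600, ["ns1.domain.net."]),
}
# Constructed A records served by the authoritative NS of domain.net.
A_RECORDS = {"www.domain.net.": "192.0.2.10", "serverx.domain.net.": "192.0.2.11"}


@dataclass
class Resolver:
    now: float = 0.0                                 # simulated clock (seconds)
    cache: dict = field(default_factory=dict)        # zone -> (expiry, NS list)
    queries: list = field(default_factory=list)      # (qname, server asked)

    def _referral(self, servers, child):
        """NS list for `child`: from cache while fresh, else ask the parent's servers."""
        hit = self.cache.get(child)
        if hit and hit[0] > self.now:
            return hit[1]                            # cache hit: no upstream query at all
        self.queries.append((child, servers[0]))     # one query to a parent-zone server
        if child not in DELEGATIONS:
            return servers                           # no delegation: parent is authoritative
        ttl, ns = DELEGATIONS[child]
        self.cache[child] = (self.now + ttl, ns)     # keep the referral for TTL seconds
        return ns

    def resolve(self, name):
        """Walk the tree one label at a time, then ask the final NS for the A record."""
        labels = name.rstrip(".").split(".")
        servers = ROOT_HINTS                         # roots: only the first hop
        for i in range(len(labels) - 1, 0, -1):      # "net.", then "domain.net.", ...
            servers = self._referral(servers, ".".join(labels[i:]) + ".")
        self.queries.append((name, servers[0]))      # final A query to the zone's NS
        return A_RECORDS.get(name)

    def root_queries(self):
        """How many times a root server was actually asked anything."""
        return sum(1 for _, s in self.queries if s in ROOT_HINTS)
```

                                          Advancing `now` past 3600 s forces a fresh `domain.net.` referral from the gTLD server while the roots stay silent; only after the 172800 s `net.` TTL lapses is a root server asked again.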
                                          • GertjanG
                                            Gertjan @johnpoz
                                            last edited by

                                            60 minutes to understand how the most important part of the internet works.

                                            Remove the "how you think it works", replace it with: how it really works.

                                            As soon as you understand something, you can 'see' where an issue is, change it, and do other, more interesting things.
                                            = You win !!

                                            If there are still 'DNS' questions or issues after these videos: stop dealing with DNS. Become a painter, or make bread, or help Boeing make the MAX or TLS better. Take your pick.

                                            Most of these are understandable for a 12-year-old. Most videos are available in most languages.

                                            @Kempain I promise you: it's way easier than you think. It's 'old' technology from the '60s and '70s, last century. No nuclear fusion tricks are involved. There is a boatload of 'keep it simple' going on here.

                                            No "help me" PM's please. Use the forum, the community will thank you.
                                            Edit: and where are the logs??

                                            johnpozJ 1 Reply Last reply Reply Quote 2
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.