Netgate Discussion Forum

    DNS doesn't resolve these addresses

    DHCP and DNS
    • johnpozJ
      johnpoz LAYER 8 Global Moderator @jperezme
      last edited by

      @jperezme well you're forwarding... I don't even see you listening on any interfaces from what you posted.

      And why 10.0.201.1. in one query and 10.0.20.1 in another?

      Do the trace on pfsense directly - but not really going to matter because you're forwarding..

      An intelligent man is sometimes forced to be drunk to spend time with his fools
      If you get confused: Listen to the Music Play
      Please don't Chat/PM me for help, unless mod related
      SG-4860 24.11 | Lab VMs 2.7.2, 24.11

      • J
        jperezme @johnpoz
        last edited by jperezme

        @johnpoz First I tried from a computer connected to a vlan 10.0.201.1 and then I tried with another connected to the 10.0.0.1 lan.
        Now I can't access from the console but I can execute the command from gui. From gui it works:
        ; <<>> DiG 9.16.23 <<>> ec.europa.eu +trace
        ;; global options: +cmd
        . 85926 IN NS l.root-servers.net.
        . 85926 IN NS m.root-servers.net.
        . 85926 IN NS a.root-servers.net.
        . 85926 IN NS b.root-servers.net.
        . 85926 IN NS c.root-servers.net.
        . 85926 IN NS d.root-servers.net.
        . 85926 IN NS e.root-servers.net.
        . 85926 IN NS f.root-servers.net.
        . 85926 IN NS g.root-servers.net.
        . 85926 IN NS h.root-servers.net.
        . 85926 IN NS i.root-servers.net.
        . 85926 IN NS j.root-servers.net.
        . 85926 IN NS k.root-servers.net.
        . 85926 IN RRSIG NS 8 0 518400 20221130050000 20221117040000 18733 . k4bOiDFhLmswfp/e/DG26SKpAfN+xF393SZYKxSyV5Rrq6QyIQYeRgm/ u69T6jcDP5nfwQ7uxwX9r0w7h/Zrz6gvgDSIAmsnzQ7OaI7TGmq19tMU nCRCDruMjzMvpMyFhRD4Bdo7EErvr19/ezLytIU1oUS/DL87ePrVRIVa accVjpu/lSu0XeYq/ucLRf4+lp9lOt3E95qnQuCcW+jz6L8xBl06kehQ wE9wMhelUOnQEPTYDBkVeB9ObzNkJVp3rR0zfJY+rEaod4XOgS08iMqw WhR+aZ/6sNNLIGP9caZV6C9aLcFg+sIKrQaKxuHLnoVei8pLJqZyi5x0 BcM0WA==
        ;; Received 1025 bytes from 127.0.0.1#53(127.0.0.1) in 0 ms

        eu. 172800 IN NS w.dns.eu.
        eu. 172800 IN NS x.dns.eu.
        eu. 172800 IN NS y.dns.eu.
        eu. 172800 IN NS be.dns.eu.
        eu. 172800 IN NS si.dns.eu.
        eu. 86400 IN DS 59479 8 2 5DBAA81BC0BEFE921886D8DA28498D9FD441B457FB0E3642A0B2F981 1C8E15E0
        eu. 86400 IN RRSIG DS 8 1 86400 20221130050000 20221117040000 18733 . 1MMtnNZLGzfw59fz16+9ZQFVMoaNRHgUt+H7xX+/Fuw3P9LuCcfaMRq0 PBLmk2QER6hruM+SJQbzx/cAkQRsJhG3u4cQklaCs8nvR3dmKqlUD29d dts9TvHPmNFvzXSuvAvcP4NyYqfCg1ZLcHLKTe3oNtm308BArfoEFANM uI+kABs2weuJfybh6faC9Zlq5w3x1ZxV3ofz3fABfagqR3qJUa5Nw93q UyXb6hAAoDoCAYcBZgQKBMP8dRW6EUf69/WcuoJLdxuaZd9EMCxSW+p/ P+lOYV3q+C1pkAIKEGtCzkdO+MGNUIMfvdX5ZDbWD+qo8ol95JnQnbeQ p6UlDw==
        ;; Received 710 bytes from 199.9.14.201#53(b.root-servers.net) in 38 ms

        europa.eu. 86400 IN NS ns1.bt.net.
        europa.eu. 86400 IN NS ns4az1.europa.eu.
        europa.eu. 86400 IN NS ans1.cw.net.
        europa.eu. 86400 IN NS ns2bru.europa.eu.
        europa.eu. 86400 IN NS ns2eu.bt.net.
        europa.eu. 86400 IN NS ans2.cw.net.
        europa.eu. 86400 IN NS ns1lux.europa.eu.
        europa.eu. 86400 IN NS ns1bru.europa.eu.
        europa.eu. 86400 IN NS ns2lux.europa.eu.
        europa.eu. 86400 IN NS ns3bru.europa.eu.
        europa.eu. 86400 IN NS ns3lux.europa.eu.
        europa.eu. 86400 IN DS 14845 8 2 9EF3C28F5B3A3D33756D61715B1BDBDBB07E0555598D30256D1F2B71 95324846
        europa.eu. 86400 IN DS 6250 8 2 0186EEFF28A83D2C950963CEEF2F2070DC0885AC8AD7106B03A9741C 25DC6B82
        europa.eu. 86400 IN RRSIG DS 8 2 86400 20221121190658 20221114184157 22080 eu. EIb3l1VC/Q53H8kj3yN0BfjiRFMs/hGHYxjL9Z+B5OwDP1xTcNo4V0JI AOgDqVV0IwN8NycvOlyi1v3NXj89RDpVkXfqkMyCL5eNC9q6AoWFEpeF Vg1qtGO3yBdwvYO+Bego9Cko0MBYhcAF+vdPWUXr1oYf7OmxBLrXjtUL Ro0=
        ;; Received 758 bytes from 185.151.141.1#53(x.dns.eu) in 38 ms

        ec.europa.eu. 300 IN A 147.67.34.30
        ec.europa.eu. 300 IN A 147.67.210.30
        ec.europa.eu. 300 IN RRSIG A 8 3 300 20221125041823 20221117095812 23809 europa.eu. krKnOUdtyNeNFUupreifKgrbhw+0RmqskySTE2B3Ov/Qbtg55duy6R+F jqfmQdtzLQv2lqrTLKSUB7djAjE+pTf/Htb4OxZdYKFcdeK/2pAuq3vP Vig7x4nFq9qKPFetiTHE0P5PuLp+9I7BSBPMYUAOtRaeoVW0Dk7ed/Kx HGjC4VkUafGGXbK6qiKVp0FYFButgpy/6heM5fhAChHUb2erPfHvavzt V0RDdiHlYp3jYoGFCn04LoYnER/uILAN5nA72fngkyh+LjkPSmPWmfKE 0LVJ+19QMvFN5yOXo7Z+bA4i2JFdUyxiKJe6Gtg4LE5ne238g/K8MuAR gXEcLA==
        ec.europa.eu. 300 IN RRSIG A 8 3 300 20221127205755 20221117095828 33483 europa.eu. IfB75c+f61hZU5sAZJmtKcIvTLMBsFZnx42AxL3WnXn4bqz1awB4L8gm i9ybCZw83mimjzJWs4Z/ZxBXioKhWZOy63reEn6ntZFiWvwVDCqUJTkW mwhErJ69xBOzv9p0lxj5/l2Gp6AvWux4zOMDO0RbBWi7gbUXJfqRZTmX KjPDqBQUPAblHye+B7Z3H4siZ/96JLiwdk+65dFiKT5qLjc3170BMF0b urwcIpPJNA1YK6BCBkhtJlTSSIErvOeua7t430UFe9v+kup7FrsqABWD Vy4OYqs1Q4IMWNKw3W87VoqIXXYK6djPyZPXxnsKOmpxkiu8PZRWQ3Xq zxBrUw==
        ;; Received 695 bytes from 147.67.250.3#53(ns2bru.europa.eu) in 39

        • johnpozJ
          johnpoz LAYER 8 Global Moderator @jperezme
          last edited by

          @jperezme so that trace is how it would look when you resolve, that output from your nslookup should be forwarding.

          Are you doing any sort of filtering with pfblocker or your own configs in unbound? If the lookup works on pfsense directly - that you're getting servfail from a client would be odd. Unless there was some sort of acl or filtering - but acl should hand back refused.

          You could up your debug level and log the queries and requests on unbound and see if that sheds some light..

          • J
            jperezme @johnpoz
            last edited by

            @johnpoz The logs are in /var/log/resolver.log, is that true?

            • johnpozJ
              johnpoz LAYER 8 Global Moderator @jperezme
              last edited by

              @jperezme you might want to bump up the verbosity from the default, and add these to customs

              server:
              log-queries: yes
              log-replies: yes

                • J
                  jperezme @jperezme
                  last edited by

                  @jperezme
                  I found the problem in the logs
                  Nov 17 20:48:23 proxy unbound[13963]: [13963:4] error: SERVFAIL <ec.europa.eu. A IN>: all the configured stub or forward servers failed, at zone . from 172.23.144.5 got REFUSED
                  Nov 17 20:48:23 proxy unbound[13963]: [13963:4] reply: 10.0.0.10 ec.europa.eu. A IN SERVFAIL 0.281635 0 30
                  Nov 17 20:48:23 proxy unbound[13963]: [13963:5] info: iterator operate: query ec.europa.eu. A IN
                  Nov 17 20:48:23 proxy unbound[13963]: [13963:5] info: response for ec.europa.eu. A IN
                  Nov 17 20:48:23 proxy unbound[13963]: [13963:5] error: SERVFAIL <ec.europa.eu. A IN>: all the configured stub or forward servers failed, at zone . from 172.23.144.5 got REFUSED
                  Nov 17 20:48:23 proxy unbound[13963]: [13963:5] reply: 10.0.0.10 ec.europa.eu. A IN SERVFAIL 0.159601 0 30

                  From what I understand, and correct me if I'm wrong, is the DNS server 172.23.144.5 what is preventing the resolution of the name?

                  J 1 Reply Last reply Reply Quote 0
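The log lines in the post above can be summarized mechanically. This is an added example, not code from either poster or from unbound/pfSense: it parses the `error: SERVFAIL` and `reply:` lines that unbound writes with `log-queries`/`log-replies` enabled, reports which upstream returned which rcode, and flags upstreams on private address space. The function and variable names are hypothetical, and the last sample line is constructed.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# First six lines are copied from the post above; the last one is constructed.
SAMPLE_LOG = """\
Nov 17 20:48:23 proxy unbound[13963]: [13963:4] error: SERVFAIL <ec.europa.eu. A IN>: all the configured stub or forward servers failed, at zone . from 172.23.144.5 got REFUSED
Nov 17 20:48:23 proxy unbound[13963]: [13963:4] reply: 10.0.0.10 ec.europa.eu. A IN SERVFAIL 0.281635 0 30
Nov 17 20:48:23 proxy unbound[13963]: [13963:5] info: iterator operate: query ec.europa.eu. A IN
Nov 17 20:48:23 proxy unbound[13963]: [13963:5] info: response for ec.europa.eu. A IN
Nov 17 20:48:23 proxy unbound[13963]: [13963:5] error: SERVFAIL <ec.europa.eu. A IN>: all the configured stub or forward servers failed, at zone . from 172.23.144.5 got REFUSED
Nov 17 20:48:23 proxy unbound[13963]: [13963:5] reply: 10.0.0.10 ec.europa.eu. A IN SERVFAIL 0.159601 0 30
Nov 17 20:48:24 proxy unbound[13963]: [13963:5] reply: 10.0.0.10 example.org. A IN NOERROR 0.000000 1 45
"""

# "error: SERVFAIL <name type class>: reason [from <upstream> got <rcode>]"
ERROR_RE = re.compile(
    r"error: SERVFAIL <(?P<qname>\S+) (?P<qtype>\S+) (?P<qclass>\S+)>: "
    r"(?P<reason>.*?)(?: from (?P<upstream>\S+) got (?P<rcode>[A-Z]+))?$"
)
# "reply: client name type class rcode seconds cached size"
REPLY_RE = re.compile(
    r"reply: (?P<client>\S+) (?P<qname>\S+) (?P<qtype>\S+) (?P<qclass>\S+) "
    r"(?P<rcode>[A-Z]+) (?P<secs>[\d.]+) (?P<cached>\d) (?P<size>\d+)$"
)


def is_private(addr):
    """True for RFC 1918 and other non-public addresses, False if unparsable."""
    try:
        return ipaddress.ip_address(addr).is_private
    except ValueError:
        return False


def summarize(log_text):
    """Return (upstream findings, SERVFAIL counts per (client, qname))."""
    upstream_rcodes = defaultdict(Counter)
    client_servfails = Counter()
    for line in log_text.splitlines():
        line = line.rstrip()
        err = ERROR_RE.search(line)
        if err:
            if err["upstream"]:
                upstream_rcodes[err["upstream"]][err["rcode"]] += 1
            continue
        rep = REPLY_RE.search(line)
        if rep and rep["rcode"] == "SERVFAIL":
            client_servfails[(rep["client"], rep["qname"])] += 1
    findings = [
        {"upstream": up, "rcodes": dict(rc), "private": is_private(up)}
        for up, rc in upstream_rcodes.items()
    ]
    return findings, dict(client_servfails)


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

A private upstream in the findings means the failing answer came from a configured forwarder rather than from iterative resolution.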
                  • J
                    jperezme @jperezme
                    last edited by

                    @jperezme said in DNS doesn't resolve these addresses:

                    error: SERVFAIL <ec.europa.eu. A IN>: all the configured stub or forward servers failed, at zone .

                    Does anyone know if I can modify something in unbound to solve the problem or should something be modified in my provider's dns?

                    Thanks in advance and especially to @johnpoz

                    • johnpozJ
                      johnpoz LAYER 8 Global Moderator @jperezme
                      last edited by johnpoz

                      @jperezme from a quick look at that, looks like they refused to answer your query.. Are you running through a vpn?

                      But a quick work around for something that is not resolving for you, but works via say asking 8.8.8.8 is to do a domain override in unbound for that domain, so vs it trying to resolve it - it will forward to where you set for that specific domain.

                      Who is that? 172.23.144.5

                      That is an rfc1918 address. So you're forwarding in unbound to them? In no scenario when resolving would unbound be talking to an rfc1918 address..

                      • J
                        jperezme @johnpoz
                        last edited by

                        @johnpoz 172.23.144.5 is the dns of my provider and I cannot use another one. They only allow us to use that dns

                        • johnpozJ
                          johnpoz LAYER 8 Global Moderator @jperezme
                          last edited by

                          @jperezme said in DNS doesn't resolve these addresses:

                          They only allow us to use that dns

                          so you're forwarding.. You cannot query say 8.8.8.8 for example..

                          Well then if you're only allowed to use their NS, and they do not allow you to talk to any other NS on the internet then you would be out of luck.

                          But that is not what your trace shows, your +trace showed you talking to other NS.. and it resolved just fine.

                          • J
                            jperezme @johnpoz
                            last edited by jperezme

                            @johnpoz Right. I can not use 8.8.8.8 google dns. If you remember, when I connect to the pfsense console and connect directly to the wan without going through unbound then it resolves the address well which is what you show in this last log. I suppose that would be it. The problem is when unbound forwards to 172.23.144.5
                            Is it possible that what you say is that the 172.23.144.5 dns consults another dns later?

                            Now I'm not in the office and I can't access the console, but via the web, from the gui, I get this, so it's correct:
                            ; <<>> DiG 9.16.23 <<>> ec.europa.eu +trace
                            ;; global options: +cmd
                            . 58208 IN NS d.root-servers.net.
                            . 58208 IN NS e.root-servers.net.
                            . 58208 IN NS f.root-servers.net.
                            . 58208 IN NS g.root-servers.net.
                            . 58208 IN NS h.root-servers.net.
                            . 58208 IN NS i.root-servers.net.
                            . 58208 IN NS j.root-servers.net.
                            . 58208 IN NS k.root-servers.net.
                            . 58208 IN NS l.root-servers.net.
                            . 58208 IN NS m.root-servers.net.
                            . 58208 IN NS a.root-servers.net.
                            . 58208 IN NS b.root-servers.net.
                            . 58208 IN NS c.root-servers.net.
                            . 58208 IN RRSIG NS 8 0 518400 20221202170000 20221119160000 18733 . oH2GJb8bpAq6s7cA3s7yheKbw8BaOhiykWmYZGR9FNuGCqCfJsDF1WRL pHgqGOiyCVQtoamQZeufqMNTsyFHb+3X3MGM1oLB9RPNek8Kf3IWUcXX 6aoyNRCK7T7Qx+AJUgcZSvAq08sJi54UVR4NNYh8L1P3nEvraQSunnjG xqhUYOeZ4e0ekr/Vr5tgmjVknUB13bCFf+oDNFGk95NsJDQSTPlkHM2X 43p19snc1s5RbhQ9h4Aaib9GoIOpe/q7s0v4DgTh9asWNxhF5vNvaphF pR3X89YTDrfr12EoT/97Xtr4JLc3xtgqvxj5/xJog449JWJKJt//S1bm y9nYLQ==
                            ;; Received 1025 bytes from 127.0.0.1#53(127.0.0.1) in 13 ms

                            eu. 172800 IN NS w.dns.eu.
                            eu. 172800 IN NS x.dns.eu.
                            eu. 172800 IN NS y.dns.eu.
                            eu. 172800 IN NS be.dns.eu.
                            eu. 172800 IN NS si.dns.eu.
                            eu. 86400 IN DS 35926 8 2 89B9EF0445904E7C6074B5BECE823C3E264FBD91C103D10BDE603412 343CE70C
                            eu. 86400 IN DS 59479 8 2 5DBAA81BC0BEFE921886D8DA28498D9FD441B457FB0E3642A0B2F981 1C8E15E0
                            eu. 86400 IN RRSIG DS 8 1 86400 20221203050000 20221120040000 18733 . YrQOnGCtvEXMJ8Jn4xL/HHAWZy4pRHNhvMEjF9rMLusU/klnzewYj3sE z4KiTjK3JN0WU/RcwH1dZJUQ9SN0wexImt8Vubc63V5/Ed/9UnO89XcR vB4gc3SB7J8hgirM2YXkHE63ZUpPVwJkV3ap4FrS363Z+vMR92L0uNi4 r9paJEdGdb9q0r4uwvwTmOwLKeIMegbF6Y6L4sZqTQeL0btXKgqVAIMx 3kKuzBTuW2QKSshvCNYnh641bSwrIJD0lKzXUd7MBq2Tip1upAiXG58m zksP9B57OZ8mv5rES7zPI0N96E0VnTrP4Kz+L9i0Tm2FYcmy810XNBF2 5xy01w==
                            ;; Received 758 bytes from 199.9.14.201#53(b.root-servers.net) in 38 ms

                            europa.eu. 86400 IN NS ns4az1.europa.eu.
                            europa.eu. 86400 IN NS ns1lux.europa.eu.
                            europa.eu. 86400 IN NS ns2bru.europa.eu.
                            europa.eu. 86400 IN NS ns2lux.europa.eu.
                            europa.eu. 86400 IN NS ans1.cw.net.
                            europa.eu. 86400 IN NS ns3lux.europa.eu.
                            europa.eu. 86400 IN NS ns1.bt.net.
                            europa.eu. 86400 IN NS ns2eu.bt.net.
                            europa.eu. 86400 IN NS ns1bru.europa.eu.
                            europa.eu. 86400 IN NS ns3bru.europa.eu.
                            europa.eu. 86400 IN NS ans2.cw.net.
                            europa.eu. 86400 IN DS 6250 8 2 0186EEFF28A83D2C950963CEEF2F2070DC0885AC8AD7106B03A9741C 25DC6B82
                            europa.eu. 86400 IN DS 14845 8 2 9EF3C28F5B3A3D33756D61715B1BDBDBB07E0555598D30256D1F2B71 95324846
                            europa.eu. 86400 IN RRSIG DS 8 2 86400 20221127000852 20221120000653 21819 eu. g+3rLbUzTImI31N1McC5u6FvCER5iREqlIU1BOODdbnhQ7O9GKNU80lY SUuVUgNFAI/0KlRLzF3mDbBVSQV+F5Q7TPTCYNyD2mNJpTvibR0sYFiM 4cHGpn7WjD9es5bDvSjTUAG8h/Aa0fg8n6nvNPjPsTiFwm7Yw8n/IZ1I 8JM=
                            ;; Received 758 bytes from 185.151.141.1#53(x.dns.eu) in 39 ms

                            ec.europa.eu. 300 IN A 147.67.210.30
                            ec.europa.eu. 300 IN A 147.67.34.30
                            ec.europa.eu. 300 IN RRSIG A 8 3 300 20221202083905 20221118083318 33483 europa.eu. PD0SduTKxbjbOSwO4x/aMKpMQ8RRPVAgN3WSdv/xgeBofAcxARXPKhSF fybxUgTU29mS8swUT2pJ8LJGnInwp06U7BQWLgXlEzHox3FT6FaFL5za iULmPttV/4uylNkHx/VWu4ELQVQSXbTs69kAy3YZht2pWvJ2DNzfr9Zj Kr4O2Ag4Sg0XgZ2RJ88Bv+nL7GVEAOq7mn/Kg3LA0XzM7vV35clW+46y 0ZSxNy2mpxA7/FBIRkY2MBMC6XxkoT8DdDcoHPXdDxYf5xKM6ZyRDTZr z1gqK1o+UzJr3WkL8uomhU4nVby6NHbbXZya/9VBdc4UIAqE5zViSs8L rqdVeQ==
                            ec.europa.eu. 300 IN RRSIG A 8 3 300 20221208192143 20221118083302 23809 europa.eu. qXjcj+14uiincMWRJb0y0NiTo+1PxHkZ+VyYVNQPvb9WSrW29ClXE/sZ LILEjBx/25jp5M4jOJpnxvOVwb3F1jjVUmpGx89oo3DlErkjd6syXU8f vl+aDgU9iIfyOebfm87T5Ywn43fCjMJomGMsIUA1wegz2Hg3motj5IjZ vupwwKrPwxs/NupIbUtg57d8nj231fHFDaSXB+gFtuj2z1KxY5BTfoce Tp59jOMMJ+1kmI4/qo3I5E78l5hhV2kdYDrh0arlwBR95ps63jehHjH0 4vRqc9VQetWiAaLtS6fpJ/eWNrRNTGAAEWC86JV2Mm5uxSA9/D0jSODK KjEDIQ==
                            ;; Received 695 bytes from 147.67.12.2#53(ns1lux.europa.eu) in 36 ms

                            • johnpozJ
                              johnpoz LAYER 8 Global Moderator @jperezme
                              last edited by

                              @jperezme said in DNS doesn't resolve these addresses:

                              The problem is when unbound forwards to 172.23.144.5

                              Then don't forward to them.. Out of the box pfsense resolves.. Just like in that trace you show - it talks to roots, hey roots ns for .com hey .com ns, what is ns for domain.com - hey domain.com ns what is the IP address of www.domain.com

                              You have zero need of your isp dns server..

                              Your trace shows that unbound can clearly resolve and talk to the different NS involved in looking up that record - so why are you forwarding to some isp nameserver?

                              • J
                                jperezme @johnpoz
                                last edited by

                                @johnpoz I am hallucinating; indeed, I see that I can use other dns that are not those of my provider. I don't know if it's their mistake or they have changed their policy and now they allow us to use others. If so, this has solved my problem. Ufff!
                                Thank you very much for your help.

                                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.