
    certain website taking long to respond or error nx dns

    DHCP and DNS
    18 Posts 4 Posters 1.3k Views
    • S
      scorpoin @johnpoz
      last edited by scorpoin

      @johnpoz
      Thanks for your prompt response,

      [2.7.0-RELEASE][myuser@mypfsense]/var/db: dig portal.accaglobal.com +trace
      
      ; <<>> DiG 9.18.14 <<>> portal.accaglobal.com +trace
      ;; global options: +cmd
      .                       57616   IN      NS      e.root-servers.net.
      .                       57616   IN      NS      c.root-servers.net.
      .                       57616   IN      NS      i.root-servers.net.
      .                       57616   IN      NS      h.root-servers.net.
      .                       57616   IN      NS      k.root-servers.net.
      .                       57616   IN      NS      m.root-servers.net.
      .                       57616   IN      NS      b.root-servers.net.
      .                       57616   IN      NS      f.root-servers.net.
      .                       57616   IN      NS      g.root-servers.net.
      .                       57616   IN      NS      j.root-servers.net.
      .                       57616   IN      NS      l.root-servers.net.
      .                       57616   IN      NS      d.root-servers.net.
      .                       57616   IN      NS      a.root-servers.net.
      .                       57616   IN      RRSIG   NS 8 0 518400 20231120210000 20231107200000 46780 . AY+2ByyT/znyXYNeZ8nomAGyKwJKsfh/40WSIVy7T1n1e1+EFLeJ7CqK F+tkEF3+qOV5QJaoogC/hdQveiFdTUFtVh/L7oHCre5H+1f7MyIbcghO osIs0z+dJjq3tn/LXBBGbyNVEljkWlbJ7P5kEDuiW8zfRiT13pfNGf2u /5/iQQG7zLvTLmFpwzPgbvB8YvGTArY0VnCz0KEFlmX8Z4HfwnBg5WJY 87Op1bMbMoLcyiIvz7TbkjWaPhM81NMeL16DopaxkSU47JfmZb5quny/ ReTYaBqK3wV5L95C802YeUZ/RRrYmBT5V1oe9AawlwkqHO10y1nPZVVN 3SpWVg==
      ;; Received 1097 bytes from 127.0.0.1#53(127.0.0.1) in 0 ms
      
      com.                    172800  IN      NS      a.gtld-servers.net.
      com.                    172800  IN      NS      b.gtld-servers.net.
      com.                    172800  IN      NS      c.gtld-servers.net.
      com.                    172800  IN      NS      d.gtld-servers.net.
      com.                    172800  IN      NS      e.gtld-servers.net.
      com.                    172800  IN      NS      f.gtld-servers.net.
      com.                    172800  IN      NS      g.gtld-servers.net.
      com.                    172800  IN      NS      h.gtld-servers.net.
      com.                    172800  IN      NS      i.gtld-servers.net.
      com.                    172800  IN      NS      j.gtld-servers.net.
      com.                    172800  IN      NS      k.gtld-servers.net.
      com.                    172800  IN      NS      l.gtld-servers.net.
      com.                    172800  IN      NS      m.gtld-servers.net.
      com.                    86400   IN      DS      30909 8 2 E2D3C916F6DEEAC73294E8268FB5885044A833FC5459588F4A9184CF C41A5766
      com.                    86400   IN      RRSIG   DS 8 1 86400 20231120210000 20231107200000 46780 . fE0SpcPK2lcIkWMqwWtoh3Q/C6f+nTi1Z8H+9WDfdK3aNmbSNs8xsHq3 L71Ph+yu+pzf3tDHYy4YqUmpirkpFQmBcevKO5hv0fwgPZsd4xrectpT ipEr9e/ZyawUwoMkH6hohZiH9BeGtbmAshOZRgED/ceOV7VurX3u1A4L o0BEmvCgt+As2OWbacGMG3/egu6vsxoWfpAwaBNZsTxO9zEa4DdWIVDJ JaF10Ax+KHna0tVPvu2U1QGOWpXO4vQyCLqNKejpicF0bQMXsUSC9cHX gxbJ5sZipuNIkQ7m6azvNODXHD5u0JtEP+yRpZ8qrCR1pMvU4et//3K8 59evqQ==
      ;; Received 1181 bytes from 192.58.128.30#53(j.root-servers.net) in 191 ms
      
      accaglobal.com.         172800  IN      NS      ns-86.awsdns-10.com.
      accaglobal.com.         172800  IN      NS      ns-718.awsdns-25.net.
      accaglobal.com.         172800  IN      NS      ns-1677.awsdns-17.co.uk.
      accaglobal.com.         172800  IN      NS      ns-1428.awsdns-50.org.
      CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 86400 IN NSEC3 1 1 0 - CK0Q2D6NI4I7EQH8NA30NS61O48UL8G5 NS SOA RRSIG DNSKEY NSEC3PARAM
      CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 86400 IN RRSIG NSEC3 8 2 86400 20231114052550 20231107041550 63246 com. Qeg8YllC8KbvaizuSmn3Jlaro97H5qydstgnIDAE9qEXbMUxqrt5ZJ/x tlFiZ9Y9O1ep/ZuIhe5BAzPLMAPDUCzahuBq1VNN5BvQMwx53bMSij+V cPBLPd45H9yACQH0W6fw4Omy4Zj/De9a36P7Q/5+/P7f4ItDuWLsqakG 7qpeIkIS7CwJdpcS5hL8lomNNsaboST+YSCNtDptHRr4iA==
      VMP677HU54PF7NMM1P8IFD7SQUTL5P8V.com. 86400 IN NSEC3 1 1 0 - VMP6D1HJAD95FV1LHBQPGSVNHCR5UR5V NS DS RRSIG
      VMP677HU54PF7NMM1P8IFD7SQUTL5P8V.com. 86400 IN RRSIG NSEC3 8 2 86400 20231112052327 20231105041327 63246 com. go0WbkwaVF9mKRCqascQxZKF/9uTQ4lQmNUgCqUShrYFRgDIo5Bsyupa gdfqWXa+PT2fNmpkUqmkyN8mZ5672FoJmHeJzMVBztni1ANQaGN3ETKL k2pg9q/nTJta2kAaD9CoDewfXA0BGve7b7vCvJwLTdWr9Nx49SzW9UcG hk3Ir8APn4yCyRQdQJ1pJ8LQrdNvVJ42nrYv9Bf90yGpQg==
      ;; Received 751 bytes from 192.12.94.30#53(e.gtld-servers.net) in 117 ms
      
      ;; UDP setup with 2600:9000:5302:ce00::1#53(2600:9000:5302:ce00::1) for portal.accaglobal.com failed: host unreachable.
      ;; UDP setup with 2600:9000:5302:ce00::1#53(2600:9000:5302:ce00::1) for portal.accaglobal.com failed: host unreachable.
      ;; UDP setup with 2600:9000:5302:ce00::1#53(2600:9000:5302:ce00::1) for portal.accaglobal.com failed: host unreachable.
      ;; UDP setup with 2600:9000:5306:8d00::1#53(2600:9000:5306:8d00::1) for portal.accaglobal.com failed: host unreachable.
      portal.accaglobal.com.  3600    IN      NS      ns1.uk.atos.net.
      portal.accaglobal.com.  3600    IN      NS      ns2.uk.atos.net.
      portal.accaglobal.com.  3600    IN      NS      ns3.uk.atos.net.
      ;; Received 115 bytes from 205.251.198.141#53(ns-1677.awsdns-17.co.uk) in 121 ms
      
      portal.accaglobal.com.  30      IN      CNAME   epflecw.x.incapdns.net.
      ;; Received 114 bytes from 157.203.176.100#53(ns2.uk.atos.net) in 139 ms
      
      

      Yes, I'm using unbound for resolving and forwarding as well. I have disabled IPv6 on pfSense, only using IPv4, and also blocked port 53 UDP for IPv6 :/ .

      Above is the dig result from pfsense.

      Regards

      • johnpozJ
        johnpoz LAYER 8 Global Moderator @scorpoin
        last edited by

        @scorpoin said in certain website taking long to respond or error nx dns:

        portal.accaglobal.com. 30 IN CNAME epflecw.x.incapdns.net.

        So with a trace, you have to now do a trace to that cname epflecw.x.incapdns.net.

        But you were able to get that - so now you should do a trace to that fqdn.

        Does a client resolve it? Test from a machine on your network that uses pfsense for dns.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

        • maverickwsM
          maverickws @johnpoz
          last edited by

          @johnpoz

          This is not an isolated issue.

          https://forum.netgate.com/topic/183918/unbound-resolver-failed-to-resolve-host/

          And there is another user on another topic talking about the same issues. This unbound dns looks like it's hanging with scotch tape

          • johnpozJ
            johnpoz LAYER 8 Global Moderator @maverickws
            last edited by

            @maverickws said in certain website taking long to respond or error nx dns:

            This unbound dns looks like it's hanging with scotch tape

            I wouldn't say that - I have been using unbound on pfSense since it was just a package. And other than the whole restart on DHCP, which I have never used, I have never had any issues with it at all..


            • maverickwsM
              maverickws
              last edited by

              Well, I understand what you're saying, but truth be told when I'm looking around about pfSense and DNS Resolver, I have to say (and this is a perception only, doesn't hold as true) but most topics have people configuring DNS Forwarding, and external DNS resolvers right off the bat.
              So I would believe that masks the issues with unbound and a number of people won't come across said issues because of this.
              Also, I'm not sure if this has anything to do with the DNS resolver settings, some combination that doesn't work well, could it be because I have 2 WANs, I mean, I really don't know. But it's been an awful experience. And it seems no one's paying much attention to these issues.

              • johnpozJ
                johnpoz LAYER 8 Global Moderator @maverickws
                last edited by johnpoz

                @maverickws said in certain website taking long to respond or error nx dns:

                people configuring DNS Forwarding

                Yeah wouldn't be me - I don't have any use for that. The great thing when they brought unbound in was that it was a resolver, not a forwarder like dnsmasq..

                If a user had the choice between forwarding and resolving - I personally don't get why you would forward, why hand off your dns to any specific anyone. Now if you have some need, be it real or not, for forwarding over TLS, then ok. Maybe I have never seen any issues because I don't forward, be it in the clear or not. And when I have an issue with dns, I know how to troubleshoot it vs just blaming pfsense/unbound.

                I can tell you for sure - if you're going to forward, you shouldn't have dnssec enabled.. And maybe pfsense could have done a better job of stating that. But that is going to be problematic, and I have been saying it for years and years.

                If me, if the user enabled forwarding - the default should be to disable dnssec, and if the user tried to re-enable it, there should have been a big warning. But hey, you can also take the stance - users of pfsense you would "hope" are not your typical user and understand such things. But then again we have a lot of users wanting to use pfsense that really don't understand these protocols at, say, a level that you would hope.


                • maverickwsM
                  maverickws
                  last edited by

                  @johnpoz

                  Well, I'm really not looking to forward. If I were to forward, I'd set up a resolver and forward to my resolver. But having the unbound package right here, doesn't make much sense I believe.
                  So I completely agree on your comments on the DNS Forwarding part.

                  What tests do you suggest that can add to the debugging here?

                  • johnpozJ
                    johnpoz LAYER 8 Global Moderator @maverickws
                    last edited by

                    @maverickws if you're resolving, +trace is your friend: can you actually talk to all the NS in the line to get to the authoritative NS? If you can - then you need to check that their dnssec is not messed up.

                    A great site for issues with dnssec is

                    https://dnsviz.net/

                    When you trace if it ends at a cname, you would then have to trace that cname, and sometimes that just ends up pointing to another cname, which you would have to evaluate the resolving with that, etc.


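As an added example (not code from the thread or from pfSense/unbound), the bookkeeping johnpoz describes for a `dig +trace` run, applied to the trace scorpoin posted above: which servers answered, which could not be reached, and whether the trace ended at a CNAME that must itself be traced next. The sample trace embedded at the bottom is an abridged, constructed copy of scorpoin's output.

```shell
#!/bin/sh
# Added example (not code from the thread): the bookkeeping johnpoz describes
# for a `dig NAME +trace` run: which servers answered, which could not be
# reached, and whether the trace ended at a CNAME that must be traced next.
# Usage: dig portal.accaglobal.com +trace | trace_summary

# Last CNAME target in the trace (the name to run the next +trace on);
# prints nothing if the trace ended at an address answer or a delegation.
next_trace_target() {
    awk '$3 == "IN" && $4 == "CNAME" { target = $5 }
         END { if (target != "") print target }'
}

# Servers dig could not talk to, deduplicated. On a host with IPv6 disabled
# these are the IPv6 addresses of the delegated name servers; the trace still
# succeeds as long as an IPv4 address of the same zone answers.
unreachable_servers() {
    awk '/^;; UDP setup with .* failed:/ { sub(/#53.*/, "", $5); print $5 }' | sort -u
}

# Servers that answered, in order, from the ";; Received ... from" lines.
answering_servers() {
    awk '/^;; Received .* from / { s = $6; sub(/^.*\(/, "", s); sub(/\)$/, "", s); print s }'
}

trace_summary() {
    tmp=$(mktemp) || return 1
    cat > "$tmp"
    echo "Servers that answered:"
    answering_servers < "$tmp" | sed 's/^/  /'
    bad=$(unreachable_servers < "$tmp")
    if [ -n "$bad" ]; then
        echo "Servers that could not be reached (IPv6 or firewall issue if AAAA):"
        printf '%s\n' "$bad" | sed 's/^/  /'
    fi
    target=$(next_trace_target < "$tmp")
    rm -f "$tmp"
    if [ -n "$target" ]; then
        echo "Trace ended at a CNAME; run next: dig $target +trace"
    else
        echo "Trace ended at an answer or delegation; nothing further to follow."
    fi
}

# Constructed sample: an abridged copy of the trace scorpoin posted.
SAMPLE_TRACE='.                       57616   IN      NS      a.root-servers.net.
;; Received 1097 bytes from 127.0.0.1#53(127.0.0.1) in 0 ms

com.                    172800  IN      NS      a.gtld-servers.net.
;; Received 1181 bytes from 192.58.128.30#53(j.root-servers.net) in 191 ms

accaglobal.com.         172800  IN      NS      ns-86.awsdns-10.com.
;; Received 751 bytes from 192.12.94.30#53(e.gtld-servers.net) in 117 ms

;; UDP setup with 2600:9000:5302:ce00::1#53(2600:9000:5302:ce00::1) for portal.accaglobal.com failed: host unreachable.
;; UDP setup with 2600:9000:5302:ce00::1#53(2600:9000:5302:ce00::1) for portal.accaglobal.com failed: host unreachable.
portal.accaglobal.com.  3600    IN      NS      ns1.uk.atos.net.
;; Received 115 bytes from 205.251.198.141#53(ns-1677.awsdns-17.co.uk) in 121 ms

portal.accaglobal.com.  30      IN      CNAME   epflecw.x.incapdns.net.
;; Received 114 bytes from 157.203.176.100#53(ns2.uk.atos.net) in 139 ms'

printf '%s\n' "$SAMPLE_TRACE" | trace_summary
```

On scorpoin's trace this reports that the only unreachable servers are IPv6 addresses (expected with IPv6 disabled) and that the next command to run is `dig epflecw.x.incapdns.net. +trace`.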
                    • maverickwsM
                      maverickws @johnpoz
                      last edited by maverickws

                      @johnpoz so the issue is intermittent, if you look at my topic you'll notice the issue resolves by itself, after a while.
                      I know dnsviz actually use it every so often, but my failure is not definitive, I mean, unbound doesn't resolve right away, takes a long time to respond or whatever, but after a few minutes those same domains that were failing before, are then working. Without any intervention.

                      So if it was an issue with DNSSEC, it wouldn't resolve by itself after a few minutes without intervention. Today these issues included even this forum address:

                      % host forum.netgate.com
                      ;; connection timed out; no servers could be reached
                      

                      If I do it using pfSense > Diagnostics > NS Lookup or what is, I get either an error or a huge response time.

                      Tracing is making me look for issues in the wrong place. I get your debugging options, but I don't think they apply here.

                      • johnpozJ
                        johnpoz LAYER 8 Global Moderator @maverickws
                        last edited by johnpoz

                        @maverickws said in certain website taking long to respond or error nx dns:

                        Today these issues included even this forum address:

                        There was an outage earlier.. There is someone logging outages of the forums - another thread.. And just after this morning, when I couldn't get there, I added it to my monitoring.

                        You need to troubleshoot a specific issue, one site dns might not be working, another site dns might be working but you can not get there because another network issue along the path, or the site is just having an issue..


                        • maverickwsM
                          maverickws @johnpoz
                          last edited by

                          @johnpoz this was actually maybe like 2 and half hours ago, but anyway forum outage means what?
                          Is it an outage on the web server/db or whatever, or is it a failure in resolving the DNS of the forum? Is the forum server also its DNS server? Was the outage on Netgate's DNS?

                          • johnpozJ
                            johnpoz LAYER 8 Global Moderator @maverickws
                            last edited by

                            @maverickws all I remember is, this morning when I first went to go to the forums it wasn't working.. Then a bit later I checked and all was working.. I then added it to my monitoring..

                            So the issue was some time before when I first added it

                            [image: forum.jpg]

                            When I first saw the problem, I said oh, maybe they're still having issues from the other day when there was an extended one.. Not exactly sure when it was, but I know when I looked at the page - it was showing the little error that it lost connectivity, and I tried to refresh and it failed.. Went and got some coffee, looked at some other stuff and by that time it was working. Some time not long after that I decided to add it to my monitoring.


                            • maverickwsM
                              maverickws @johnpoz
                              last edited by

                              @johnpoz actually your description fits perfectly in my issue.
                              The lost connectivity is because you were no longer resolving correctly "forum.netgate.com" - so it couldn't connect, didn't know where.

                              You went for a coffee and when you came back it already worked. Fits like a glove with my description:

                              @maverickws said in certain website taking long to respond or error nx dns:

                              but my failure is not definitive, I mean, unbound doesn't resolve right away, takes a long time to respond or whatever, but after a few minutes those same domains that were failing before, are then working. Without any intervention.

                              This is exactly the same, your unbound is failing, you went for a coffee and it worked. That's it.
                              Did the forum actually have an outage? Was it a DNS outage? Was it a CDN outage? Was it your resolver?

                              • johnpozJ
                                johnpoz LAYER 8 Global Moderator @maverickws
                                last edited by johnpoz

                                @maverickws said in certain website taking long to respond or error nx dns:

                                your unbound is failing

                                No, my unbound is not failing - I have had zero issues with anything else.. Seems like without any sort of diagnosis you're just jumping to the conclusion that your unbound is the problem..

                                If it happens again I will look into it before going to get a cup of coffee, but every other site looked at before going back to the forums worked just fine.

                                Was it a DNS outage? Was it a CDN outage? Was it your resolver?

                                I am not sure - I wasn't too concerned.. All I can tell you is they had a major outage yesterday.. And this morning I did see a problem, but normally it is pretty solid.. But they do run into issues now and then.. If I see it happen again I will look into whether unbound had any issues resolving it, or if it was still in cache and changed, etc.

                                You need to troubleshoot a specific issue, not just jump to well unbound is broke..


                                • maverickwsM
                                  maverickws @johnpoz
                                  last edited by maverickws

                                  @johnpoz said in certain website taking long to respond or error nx dns:

                                  but every other site looked at before going back to the forums worked just fine.

                                  Every other site that I visit also works fine, unless it doesn't. But the percentage is minimal, for sure.
                                  About jumping to conclusions, from an outage "yesterday", you're jumping to the conclusion there was a forum outage today, are you not?

                                  So why am I not entitled to relate your description of the issue to my description of the issue, since the behaviour fits perfectly in what I described earlier, and on the "taking long to respond" remarks of the other users? (notice the title says "certain websites" not "all websites at a given moment").

                                  We all can jump to conclusions at a given time, for sure. And that can make you overlook the actual issue, can it not?

                                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.