certain website taking long to respond or error nx dns
-
@scorpoin said in certain website taking long to respond or error nx dns:
portal.accaglobal.com. 30 IN CNAME epflecw.x.incapdns.net.
So with a trace, you have to now do a trace to that cname epflecw.x.incapdns.net.
But you were able to get that - so now you should do a trace to that fqdn.
Does a client resolve it? Test from a machine on your network that uses pfsense for dns.
-
This is not an isolated issue.
https://forum.netgate.com/topic/183918/unbound-resolver-failed-to-resolve-host/
And there is another user on another topic talking about the same issues. This unbound dns looks like it's hanging with scotch tape
-
@maverickws said in certain website taking long to respond or error nx dns:
This unbound dns looks like it's hanging with scotch tape
I wouldn't say that - I have been using unbound on pfsense since it's been just a package. And other than the whole restart on dhcp, which I have never used - I have never had any issues with it at all..
-
Well, I understand what you're saying, but truth be told when I'm looking around about pfSense and DNS Resolver, I have to say (and this is a perception only, doesn't hold as true) but most topics have people configuring DNS Forwarding, and external DNS resolvers right off the bat.
So I would believe that masks the issues with unbound and a number of people won't come across said issues because of this.
Also, I'm not sure if this has anything to do with the DNS resolver settings, some combination that doesn't work well, could it be because I have 2 WANs, I mean, I really don't know. But it's been an awful experience. And it seems no one's paying much attention to these issues.
-
@maverickws said in certain website taking long to respond or error nx dns:
people configuring DNS Forwarding
Yeah wouldn't be me - I don't have any use for that. The great thing when they brought unbound in was that it was a resolver, not a forwarder like dnsmasq..
If a user had choice between forwarding and resolving - I personally don't get why you would forward, why hand off your dns to any specific anyone. Now if you have some need be it real or not for forwarding over tls, then ok. Maybe I have never seen any issues because I don't forward be it in the clear or not. And when I have an issue with dns, I know how to troubleshoot it vs just blaming pfsense/unbound.
I can tell you for sure - if you're going to forward, you shouldn't have dnssec enabled.. And maybe pfsense could have done a better job of stating that. But that is going to be problematic, and I have been saying it for years and years.
If me, if user enabled forwarding - the default should be to disable dnssec, and if user tried to re-enable it, there should have been a big warning. But hey you can also take the stance - users of pfsense you would "hope" are not your typical user and understand such things. But then again we have a lot of users wanting to use pfsense, that really don't understand these protocols at say a level that you would hope.
-
Well, I'm really not looking to forward. If I were to forward, I'd set up a resolver and forward to my resolver. But having the unbound package right here, doesn't make much sense I believe.
So I completely agree on your comments on the DNS Forwarding part. What tests do you suggest that can add to the debugging here?
-
@maverickws if you're resolving, +trace is your friend, can you actually talk to all the ns in the line to get to the authoritative ns. If you can - then need to check that their dnssec is not messed up
great site for issues with dnssec is
When you trace if it ends at a cname, you would then have to trace that cname, and sometimes that just ends up pointing to another cname, which you would have to evaluate the resolving with that, etc.
-
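The procedure described in the post above (trace, and when the trace ends at a CNAME, trace that target, which may itself be a CNAME) as an added example that is not code from this thread: a small Python routine that follows a CNAME chain over dig-style answer data and reports whether it reached addresses, dead-ended, or looped. All zone data, addresses and the `example.` names are constructed; only the accaglobal CNAME mirrors the record quoted earlier in the thread.

```python
"""Follow a CNAME chain as the post describes: when a trace ends at a CNAME,
trace the target, which may again be a CNAME. Added example, not code from
the thread; all zone data below is constructed (the accaglobal CNAME mirrors
the record quoted earlier in the thread, everything else is made up)."""
from dataclasses import dataclass, field
MAX_HOPS = 8  # longer chains are almost always a loop or a misconfiguration
# Constructed stand-in for the answer sections a series of `dig` runs would
# return: owner name -> RRs in presentation format.
ZONE_DATA = {
    "portal.accaglobal.com.": ["portal.accaglobal.com. 30 IN CNAME epflecw.x.incapdns.net."],
    "epflecw.x.incapdns.net.": ["epflecw.x.incapdns.net. 30 IN A 192.0.2.10",
                                "epflecw.x.incapdns.net. 30 IN A 192.0.2.11"],
    "loop-a.example.": ["loop-a.example. 60 IN CNAME loop-b.example."],
    "loop-b.example.": ["loop-b.example. 60 IN CNAME loop-a.example."],
    "dangling.example.": ["dangling.example. 60 IN CNAME gone.example."],  # target has no RRs
}
@dataclass
class ChainResult:
    chain: list = field(default_factory=list)      # owner names visited, in order
    addresses: list = field(default_factory=list)  # A/AAAA rdata at the end of the chain
    status: str = "ok"                             # ok | loop | too-long | dead-end
def parse_rr(line):
    """Split 'owner ttl class type rdata' into (owner, type, rdata)."""
    owner, _ttl, _cls, rtype, rdata = line.split(None, 4)
    return owner.lower(), rtype.upper(), rdata
def follow_cname_chain(name, lookup=ZONE_DATA.get):
    """Follow CNAMEs from `name` until addresses, a dead end, or a loop.
    `lookup` maps an owner name to its RRs; a real query function can replace it."""
    result = ChainResult()
    current = name.lower() if name.endswith(".") else name.lower() + "."
    while True:
        if current in result.chain:
            result.status = "loop"
            return result
        result.chain.append(current)
        if len(result.chain) > MAX_HOPS:
            result.status = "too-long"
            return result
        rrs = [parse_rr(rr) for rr in (lookup(current) or [])]
        addrs = [rdata for _, rtype, rdata in rrs if rtype in ("A", "AAAA")]
        if addrs:
            result.addresses = addrs
            return result
        cnames = [rdata for _, rtype, rdata in rrs if rtype == "CNAME"]
        if not cnames:
            result.status = "dead-end"  # the hop you would have to trace next by hand
            return result
        current = cnames[0].lower()
```

When a chain reports `dead-end`, the last name in `chain` is the one whose nameservers to trace next, exactly the step the post describes.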
@johnpoz so the issue is intermittent, if you look at my topic you'll notice the issue resolves by itself, after a while.
I know dnsviz, I actually use it every so often, but my failure is not definitive, I mean, unbound doesn't resolve right away, takes a long time to respond or whatever, but after a few minutes those same domains that were failing before, are then working. Without any intervention. So if it was an issue with DNSSEC, it wouldn't resolve by itself after a few minutes without intervention. Today these issues included even this forum address:
% host forum.netgate.com
;; connection timed out; no servers could be reached
If I do it using pfSense > Diagnostics > NS Lookup or whatever it is, I get either an error or a huge response time.
Tracing is making me look for issues in the wrong place. I get your debugging options, but I don't think they apply here.
-
@maverickws said in certain website taking long to respond or error nx dns:
Today these issues included even this forum address:
There was an outage earlier.. There was someone that is logging outages to the forums - another thread.. And just after this morning when I couldn't get there, I added it to my monitoring.
You need to troubleshoot a specific issue, one site dns might not be working, another site dns might be working but you cannot get there because of another network issue along the path, or the site is just having an issue..
-
@johnpoz this was actually maybe like 2 and half hours ago, but anyway forum outage means what?
Is it an outage on the web server/db or whatever, or is it a failure in resolving the DNS of the forum? Is the forum server also its DNS server? Was the outage on Netgate's DNS?
-
@maverickws all I remember, is this morning when I first went to go to forums it wasn't working.. Then a bit later I checked and all working.. I then added it to my monitoring..
So the issue was some time before when I first added it
When I first saw the problem, I said oh maybe they're still having issues from the other day when there was an extended one.. Not exactly sure when it was, but I know when I looked at the page - it was showing the little error that lost connectivity, and tried to refresh and failed.. Went and got some coffee, looked at some other stuff and by that time it was working. Some time not long after that I decided to add it to my monitoring.
-
@johnpoz actually your description fits perfectly in my issue.
The lost connectivity is because you were no longer resolving correctly "forum.netgate.com" - so it couldn't connect, didn't know where. You went for a coffee and when coming back it already worked. Fits like a glove on my description:
@maverickws said in certain website taking long to respond or error nx dns:
but my failure is not definitive, I mean, unbound doesn't resolve right away, takes a long time to respond or whatever, but after a few minutes those same domains that were failing before, are then working. Without any intervention.
This is exactly the same, your unbound is failing, you went for a coffee and it worked. That's it.
Did the forum actually have an outage? Was it a DNS outage? Was it a CDN outage? Was it your resolver?
-
@maverickws said in certain website taking long to respond or error nx dns:
your unbound is failing
No my unbound is not failing - I have had zero issues with anything else.. Seems like without any sort of diagnosis you're just jumping to the conclusion your unbound is the problem..
If it happens again I will look into it before going to get a cup of coffee, but every other site looked at before going back to the forums worked just fine.
Was it a DNS outage? Was it a CDN outage? Was it your resolver?
I am not sure - I wasn't too concerned.. All I can tell you is they had a major outage yesterday.. And this morning I did see a problem, but normally it is pretty solid.. But they do run into issues now and then.. If I see it happen again I will look into if unbound had any issues resolving it, or if it was still in cache and changed, etc.
You need to troubleshoot a specific issue, not just jump to well unbound is broke..
-
@johnpoz said in certain website taking long to respond or error nx dns:
but every other site looked at before going back to the forums worked just fine.
Every other site that I visit also works fine, unless it doesn't. But the percentage is minimal, for sure.
About jumping to conclusions, from an outage "yesterday", you're jumping to the conclusion there was a forum outage today, are you not? So why am I not entitled to relate your description of the issue to my description of the issue, since the behaviour fits perfectly in what I described earlier, and in the "taking long to respond" remarks of the other users? (notice the title says "certain websites" not "all websites at a given moment").
We all can jump to conclusions at a given time, for sure. And that can make you overlook the actual issue, can it not?
-