    DNS Resolver

Category: 2.2 Snapshot Feedback and Problems - RETIRED
186 Posts 44 Posters 138.3k Views

xbipin:

I started using the new DNS Resolver but I'm having one issue: I have it set to reset the PPPoE connection every night, and when this happens unbound stops working. I get these errors in the system log continuously:

Dec 11 09:44:44 unbound: [7669:0] error: can't bind socket: Can't assign requested address
Dec 11 09:44:44 unbound: [7669:0] debug: failed address 92.98.234.229 port 61031
Dec 11 09:44:44 unbound: [7669:0] error: can't bind socket: Can't assign requested address
Dec 11 09:44:44 unbound: [7669:0] debug: failed address 92.98.234.229 port 19660
Dec 11 09:44:44 unbound: [7669:0] error: can't bind socket: Can't assign requested address
Dec 11 09:44:44 unbound: [7669:0] debug: failed address 92.98.234.229 port 26847
Dec 11 09:44:44 unbound: [7669:0] error: can't bind socket: Can't assign requested address
Dec 11 09:44:44 unbound: [7669:0] debug: failed address 92.98.234.229 port 26531
Dec 11 09:44:44 unbound: [7669:0] error: can't bind socket: Can't assign requested address
Dec 11 09:44:44 unbound: [7669:0] debug: failed address 92.98.234.229 port 65308
Dec 11 09:44:44 unbound: [7669:0] error: can't bind socket: Can't assign requested address
Dec 11 09:44:44 unbound: [7669:0] debug: failed address 92.98.234.229 port 19113
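The failure pattern in the post above (unbound keeps trying to bind its outgoing sockets to the WAN address that disappeared with the PPPoE reset) is easy to spot from the log alone. The following detector is an added example, not code from the thread or from pfSense; the log lines are copied from the post, and the threshold and function names are my own choices.

```python
"""Flag unbound "can't bind socket" failures against an address that is no longer the WAN IP.

The sample log is a constructed copy of the lines posted above. stale_bind_addresses()
counts the "failed address X port N" debug lines per source address and reports those
that (a) recur at least `threshold` times and (b) differ from the current WAN address,
which is the signature of unbound still using a pre-reset interface address.
"""
import re
from collections import Counter

SAMPLE_LOG = """\
Dec 11 09:44:44 unbound: [7669:0] error: can't bind socket: Can't assign requested address
Dec 11 09:44:44 unbound: [7669:0] debug: failed address 92.98.234.229 port 61031
Dec 11 09:44:44 unbound: [7669:0] error: can't bind socket: Can't assign requested address
Dec 11 09:44:44 unbound: [7669:0] debug: failed address 92.98.234.229 port 19660
Dec 11 09:44:44 unbound: [7669:0] error: can't bind socket: Can't assign requested address
Dec 11 09:44:44 unbound: [7669:0] debug: failed address 92.98.234.229 port 26847
"""

# "unbound: [pid:thread] debug: failed address <ip> port <port>"
FAILED_ADDR = re.compile(r"unbound: \[(\d+):\d+\] debug: failed address (\S+) port (\d+)")


def stale_bind_addresses(log_text, current_wan_ip, threshold=3):
    """Return {address: failure_count} for addresses unbound repeatedly failed to bind to
    and that are not the interface's current address."""
    counts = Counter()
    for line in log_text.splitlines():
        match = FAILED_ADDR.search(line)
        if match:
            counts[match.group(2)] += 1
    return {addr: n for addr, n in counts.items()
            if n >= threshold and addr != current_wan_ip}


def needs_restart(log_text, current_wan_ip, threshold=3):
    """True when the log shows unbound stuck on a stale source address (hypothetical
    trigger for restarting the resolver after a WAN address change)."""
    return bool(stale_bind_addresses(log_text, current_wan_ip, threshold))


if __name__ == "__main__":
    # Constructed scenario: the PPPoE session came back with a different address.
    print(stale_bind_addresses(SAMPLE_LOG, "92.98.234.230"))  # {'92.98.234.229': 3}
```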
router_wang:

Does the resolver also handle IPv6 DNS requests?
cmb:

@router_wang:

Does the resolver also handle IPv6 DNS requests?

Of course.
NobodyHere:

We're running the December 10th build. I can confirm issues with a new WAN address breaking unbound. When our PPPoE WAN link gets a new IP address, the resolver will reply with internal IPs set via DHCP client IDs, but any external DNS lookup made via a system on the LAN fails.

DNS resolving on the firewall continues to work, so it's clearly an issue with unbound.
cmb:

@NobodyHere:

We're running the December 10th build. I can confirm issues with a new WAN address breaking unbound. When our PPPoE WAN link gets a new IP address, the resolver will reply with internal IPs set via DHCP client IDs, but any external DNS lookup made via a system on the LAN fails.

DNS resolving on the firewall continues to work, so it's clearly an issue with unbound.

https://redmine.pfsense.org/issues/4095
NobodyHere:

I'm not sure what a message consisting solely of a link to a similar bug report means…
phil.davis:

@NobodyHere:

I'm not sure what a message consisting solely of a link to a similar bug report means…

I think cmb means "it is a known issue and there is a bug report for it".
It does really need fixing - as you have described, DNS resolution can stop working on a WAN DHCP address change, if you have an "unfortunate" combination of Unbound in forwarder mode… settings.

As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/
cmb:

@phil.davis:

@NobodyHere:

I'm not sure what a message consisting solely of a link to a similar bug report means…

I think cmb means "it is a known issue and there is a bug report for it".

Yes, figured that was clear.
dstroot:

Latest version broke unbound for me - it did not start after the upgrade. I had to uncheck "Enable DNSSEC Support" to get it to come up.
jbc:

I have the DNS Resolver set up to use OpenDNS via dnscrypt-proxy.
I then have firewall rules set up to only allow LAN clients to query the LAN address on port 53,
and block requests to remote DNS servers. Everything works in this regard (no DNS leaks).

But if I query an unknown, non-existent name, such as qwertyuiopas.dfghjklzxcvbnm,
I get:

drill qwertyuiopas.dfghjklzxcvbnm
;; ->>HEADER<<- opcode: QUERY, rcode: NXDOMAIN, id: 40495
;; flags: qr rd ra ; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;; qwertyuiopas.dfghjklzxcvbnm. IN      A

;; ANSWER SECTION:

;; AUTHORITY SECTION:
.      2918    IN      SOA    a.root-servers.net. nstld.verisign-grs.com. 2014122700 1800 900 604800 86400

;; ADDITIONAL SECTION:

;; Query time: 28 msec
;; SERVER: 127.0.0.1
;; WHEN: Sat Dec 27 18:05:03 2014
;; MSG SIZE  rcvd: 120

And if I ping qwertyuiopas.dfghjklzxcvbnm, it resolves to my WAN IP… (I would expect an unknown host response.)

I have "NAT Reflection mode for port forwards" set to Pure NAT; could this be the culprit?
dstroot:

I am trying to do the same - can you describe this further?

"I have DNS resolver setup to use opendns via dnscrypt-proxy.
I then have firewall rules setup to only allow lan clients to query lan address on port 53,
and block requests to remote DNS';"

Right now I have DNS (53) blocked outbound from the LAN and the Resolver in forwarding mode using OpenDNS. However, DNSSEC is giving me issues.

What was the process to get dnscrypt-proxy going properly?

Best,
Dan

[Attached screenshots: Services / DNS Resolver and DNS Resolver / Advanced settings]
doktornotor:

@dstroot:

"I have DNS resolver setup to use opendns via dnscrypt-proxy.
Right now I have DNS (53) blocked outbound from the LAN and Resolver in forwarding mode using OpenDNS. However DNSSEC is giving me issues.

DNSSEC != the OpenDNS nonsense that no one else uses. If you want DNSSEC, do not use OpenDNS.
jbc:

I installed the dnscrypt-proxy package and set up unbound with a forward-zone to 127.0.0.1.
I then set up dnscrypt-proxy, first using dnscrypt.eu-nl, which worked for a bit but is unstable, so right now I have it querying OpenDNS while I investigate the dnscrypt.eu issue…

BTW, I have DNSSEC checked. No problem.
dstroot:

@doktornotor: "If you want DNSSEC, do not use OpenDNS."

OK - do you have a recommendation what to use?
dstroot:

@jbc - Thank you.
jbc:

I am probably misguided; admittedly, I am not an expert on these matters,
but what is the problem with dnscrypt used in conjunction with DNSSEC?
As far as I see, they solve different issues…

Look at #3: What about DNSSEC? Does this eliminate the need for DNSSEC?

https://www.opendns.com/about/innovations/dnscrypt/

And again, I actually don't want to use OpenDNS, but dnscrypt.eu.
doktornotor:

@dstroot:

@doktornotor: "If you want DNSSEC, do not use OpenDNS."

OK - do you have a recommendation what to use?

If you are using the DNS censorship features from OpenDNS, I have no suggestions. :P Unbound is just fine as a DNSSEC-validating recursive resolver, without any need for forwarding anywhere.

@jbc:

but what is the problem with dnscrypt used in conjunction with DNSSEC,
Look at #3: What about DNSSEC? Does this eliminate the need for DNSSEC?
https://www.opendns.com/about/innovations/dnscrypt/

You cannot use OpenDNS servers for DNSSEC validation. They don't validate anything.

>nslookup www.dnssec-failed.org 8.8.4.4
Server:  google-public-dns-b.google.com
Address:  8.8.4.4

*** google-public-dns-b.google.com can't find www.dnssec-failed.org: Server failed

>nslookup www.dnssec-failed.org 208.67.222.222
Server:  resolver1.opendns.com
Address:  208.67.222.222

Non-authoritative answer:
Name:    www.dnssec-failed.org
Addresses:  68.87.109.242
          69.252.193.191
jbc:

@doktornotor:

I see, thank you for clearing that up :)

edit:
In case someone stumbles across this, here is a list of free dnscrypt servers;
column 8 notes whether they support DNSSEC or not.

https://github.com/jedisct1/dnscrypt-proxy/blob/master/dnscrypt-resolvers.csv
mir:

For a censorship-free, no-logging DNS service which supports DNSSEC I can recommend this:
http://www.censurfridns.dk/
dstroot:

Maybe everyone already knows this but there is not a whole lot of config advice I can find here. So I thought I'd share what I have figured out.

It seems you should really only use DNSSEC if you are using unbound as a recursive resolver (which is pretty slow if you are hitting a site for the first time). Otherwise all is good.

Otherwise turn DNSSEC off if you are just using it as a forwarder, because it's unlikely to be doing anything with OpenDNS (particularly with Google DNS, since that seems to cause issues with unbound if you have it on).

From this site: https://calomel.org/unbound_dns.html

  # If you use forward-zone below to query the Google DNS servers you MUST comment out
  # this option or all DNS queries will fail:
  # auto-trust-anchor-file: "/var/unbound/etc/root.key"

In either configuration, recursive or forwarder, it will cache DNS entries so subsequent requests are very fast.

Hope this helps someone.
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.