DNS Resolver
-
i started using the new dns resolver but im having one issue, i have set to reset the pppoe connection ever night so when this happens, unbound stops working, i get these errors in system log continuously
Dec 11 09:44:44 unbound: [7669:0] error: can't bind socket: Can't assign requested address Dec 11 09:44:44 unbound: [7669:0] debug: failed address 92.98.234.229 port 61031 Dec 11 09:44:44 unbound: [7669:0] error: can't bind socket: Can't assign requested address Dec 11 09:44:44 unbound: [7669:0] debug: failed address 92.98.234.229 port 19660 Dec 11 09:44:44 unbound: [7669:0] error: can't bind socket: Can't assign requested address Dec 11 09:44:44 unbound: [7669:0] debug: failed address 92.98.234.229 port 26847 Dec 11 09:44:44 unbound: [7669:0] error: can't bind socket: Can't assign requested address Dec 11 09:44:44 unbound: [7669:0] debug: failed address 92.98.234.229 port 26531 Dec 11 09:44:44 unbound: [7669:0] error: can't bind socket: Can't assign requested address Dec 11 09:44:44 unbound: [7669:0] debug: failed address 92.98.234.229 port 65308 Dec 11 09:44:44 unbound: [7669:0] error: can't bind socket: Can't assign requested address Dec 11 09:44:44 unbound: [7669:0] debug: failed address 92.98.234.229 port 19113 -
Does the resolver also handle IPv6 dns requests?
-
-
We're running the December 10th build. I can confirm issues with a new WAN address breaking unbound. When our PPPoE WAN link gets a new IP address, the resolver will reply with internal IPs set via DHCP clientIDs, but any external DNS lookup made via a system on the LAN fails.
DNS resolving on the firewall continues to work, so it's clearly an issue with unbound.
-
We're running the December 10th build. I can confirm issues with a new WAN address breaking unbound. When our PPPoE WAN link gets a new IP address, the resolver will reply with internal IPs set via DHCP clientIDs, but any external DNS lookup made via a system on the LAN fails.
DNS resolving on the firewall continues to work, so it's clearly an issue with unbound.
https://redmine.pfsense.org/issues/4095
-
I'm not sure what a message consisting solely of a link to a similar bug report means…
-
I'm not sure what a message consisting solely of a link to a similar bug report means…
I think cmb means "it is a known issue and there is a bug report for it".
It does really need fixing - as you have described, DNS resolution can stop working on a WAN DHCP address change, if you have an "unfortunate" combination of Unbound in forwarder mode… settings. -
I'm not sure what a message consisting solely of a link to a similar bug report means…
I think cmb means "it is a known issue and there is a bug report for it".
Yes, figured that was clear.
-
Latest version broke unbound for me - it did not start after the upgrade. I had to uncheck "Enable DNSSEC Support" to get it to come up.
-
I have DNS resolver setup to use opendns via dnscrypt-proxy.
I then have firewall rules setup to only allow lan clients to query lan address on port 53,
and block requests to remote DNS'; Everything works in this regard (no dns leaks).But, if I query an unknown, none existant name, such as qwertyuiopas.dfghjklzxcvbnm
I get:
drill qwertyuiopas.dfghjklzxcvbnm
;; ->>HEADER<<- opcode: QUERY, rcode: NXDOMAIN, id: 40495
;; flags: qr rd ra ; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;; qwertyuiopas.dfghjklzxcvbnm. IN A;; ANSWER SECTION:
;; AUTHORITY SECTION:
. 2918 IN SOA a.root-servers.net. nstld.verisign-grs.com. 2014122700 1800 900 604800 86400;; ADDITIONAL SECTION:
;; Query time: 28 msec
;; SERVER: 127.0.0.1
;; WHEN: Sat Dec 27 18:05:03 2014
;; MSG SIZE rcvd: 120And if I ping qwertyuiopas.dfghjklzxcvbnm; It resolves to my WAN ip… (I would expect an unknown host response)
I have "NAT Reflection mode for port forwards" set to Pure NAT, could this be the culprit?
-
I am trying to do the same - can your describe this further?
"I have DNS resolver setup to use opendns via dnscrypt-proxy.
I then have firewall rules setup to only allow lan clients to query lan address on port 53,
and block requests to remote DNS';"Right now I have DNS (53) blocked outbound from the LAN and Resolver in forwarding mode using OpenDNS. However DNSSEC is giving me issues.
What was the process to get dnscrypt-proxy going properly?
Best,
Dan
-
"I have DNS resolver setup to use opendns via dnscrypt-proxy.
Right now I have DNS (53) blocked outbound from the LAN and Resolver in forwarding mode using OpenDNS. However DNSSEC is giving me issues.DNSSEC != the OpenDNS nonsense that noone else uses. If you want DNSSEC, do not use OpenDNS.
-
I installed the dnscrypt-proxy package and setup unbound with a forward-zone to 127.0.0.1.
I then setup the dnscrypt-proxy, first using dnscrypt.eu-nl; which worked for a bit, but is unstable, so right now I have it querying opendns while I investigate the dnscrypt.eu issue…btw. I have dnssec checked. no problem.
-
@ doktornotor: "If you want DNSSEC, do not use OpenDNS."
OK - do you have a recommendation what to use?
-
@JBC - Thank you.
-
I am probably misguided, admittedly, I am not an expect on these matters,
but what is the problem with dnscrypt used in conjuction with DNSSEC,
as far as I see, they solve different issues…Look at #3: What about DNSSEC? Does this eliminate the need for DNSSEC?
https://www.opendns.com/about/innovations/dnscrypt/
And again, I actually don't want to use opendns, but dnscrypt.eu.
-
@ doktornotor: "If you want DNSSEC, do not use OpenDNS."
OK - do you have a recommendation what to use?
If you are using the DNS censorship features from OpenDNS, I have no suggestions. :P Unbound is just fine as DNSSEC-validating recursive resolver, without any need for forwarding anywhere.
@jbc:
but what is the problem with dnscrypt used in conjuction with DNSSEC,
Look at #3: What about DNSSEC? Does this eliminate the need for DNSSEC?
https://www.opendns.com/about/innovations/dnscrypt/You cannot use OpenDNS servers for DNSSEC validation. They don't validate anything.
>nslookup www.dnssec-failed.org 8.8.4.4 Server: google-public-dns-b.google.com Address: 8.8.4.4 *** google-public-dns-b.google.com can't find www.dnssec-failed.org: Server failed >nslookup www.dnssec-failed.org 208.67.222.222 Server: resolver1.opendns.com Address: 208.67.222.222 Non-authoritative answer: Name: www.dnssec-failed.org Addresses: 68.87.109.242 69.252.193.191 -
I see, thank you for clearing that up :)
edit:
Incase someone stumbles across this, here is a list of free dnscrypt servers;
Column 8 notes if they support DNSSEC or not.https://github.com/jedisct1/dnscrypt-proxy/blob/master/dnscrypt-resolvers.csv
-
For a censor free and no logging DNS service which supports DNSSEC I can recommend this:
http://www.censurfridns.dk/ -
Maybe everyone already knows this but there is not a whole lot of config advice I can find here. So I thought I'd share what I have figured out.
It seems you should really only use DNDSEC if you are using unbound as a recursive resolver (which is pretty slow if you are hitting a site for a first time). Otherwise all is good.
Otherwise turn DNSSEC off if you you are just using it as a forwarder because it's unlikely to be doing anything with OpenDNS (particularly with Google DNS since that seems to cause issues with unbound if you have it on).
From this site: https://calomel.org/unbound_dns.html
# If you use forward-zone below to query the Google DNS servers you MUST comment out # this option or all DNS queries will fail: # auto-trust-anchor-file: "/var/unbound/etc/root.key"In either configuration, recursive or forwarder, it will cache DNS entries so subsequent requests are very fast.
Hope this helps someone.