DNS Resolver

phil.davis

@NobodyHere:

I'm not sure what a message consisting solely of a link to a similar bug report means…

I think cmb means "it is a known issue and there is a bug report for it".
It does really need fixing - as you have described, DNS resolution can stop working on a WAN DHCP address change, if you have an "unfortunate" combination of Unbound in forwarder mode… settings.

cmb

@phil.davis:

@NobodyHere:

I'm not sure what a message consisting solely of a link to a similar bug report means…

I think cmb means "it is a known issue and there is a bug report for it".

Yes, figured that was clear.

dstroot

Latest version broke unbound for me - it did not start after the upgrade.  I had to uncheck "Enable DNSSEC Support" to get it to come up.

jbc

I have DNS resolver setup to use opendns via dnscrypt-proxy.
I then have firewall rules setup to only allow lan clients to query lan address on port 53,
and block requests to remote DNS'; Everything works in this regard (no dns leaks).

But, if I query an unknown, none existant name, such as qwertyuiopas.dfghjklzxcvbnm
I get:
drill qwertyuiopas.dfghjklzxcvbnm
;; ->>HEADER<<- opcode: QUERY, rcode: NXDOMAIN, id: 40495
;; flags: qr rd ra ; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;; qwertyuiopas.dfghjklzxcvbnm. IN      A

;; ANSWER SECTION:

;; AUTHORITY SECTION:
.      2918    IN      SOA    a.root-servers.net. nstld.verisign-grs.com. 2014122700 1800 900 604800 86400

;; ADDITIONAL SECTION:

;; Query time: 28 msec
;; SERVER: 127.0.0.1
;; WHEN: Sat Dec 27 18:05:03 2014
;; MSG SIZE  rcvd: 120

And if I ping qwertyuiopas.dfghjklzxcvbnm; It resolves to my WAN ip… (I would expect an unknown host response)

I have "NAT Reflection mode for port forwards" set to Pure NAT, could this be the culprit?

dstroot

I am trying to do the same - can your describe this further?

"I have DNS resolver setup to use opendns via dnscrypt-proxy.
I then have firewall rules setup to only allow lan clients to query lan address on port 53,
and block requests to remote DNS';"

Right now I have DNS (53) blocked outbound from the LAN and Resolver in forwarding mode using OpenDNS.  However DNSSEC is giving me issues.

What was the process to get dnscrypt-proxy going properly?

Best,
Dan

doktornotor

@dstroot:

"I have DNS resolver setup to use opendns via dnscrypt-proxy.
Right now I have DNS (53) blocked outbound from the LAN and Resolver in forwarding mode using OpenDNS.  However DNSSEC is giving me issues.

DNSSEC != the OpenDNS nonsense that noone else uses. If you want DNSSEC, do not use OpenDNS.

jbc

I installed the dnscrypt-proxy package and setup unbound with a forward-zone to 127.0.0.1.
I then setup the dnscrypt-proxy, first using dnscrypt.eu-nl; which worked for a bit, but is unstable, so right now I have it querying opendns while I investigate the dnscrypt.eu issue…

btw. I have dnssec checked. no problem.

dstroot

@ doktornotor: "If you want DNSSEC, do not use OpenDNS."

OK - do you have a recommendation what to use?

dstroot

@JBC - Thank you.

jbc

I am probably misguided, admittedly, I am not an expect on these matters,
but what is the problem with dnscrypt used in conjuction with DNSSEC,
as far as I see, they solve different issues…

Look at #3: What about DNSSEC? Does this eliminate the need for DNSSEC?

https://www.opendns.com/about/innovations/dnscrypt/

And again, I actually don't want to use opendns, but dnscrypt.eu.

doktornotor

@dstroot:

@ doktornotor: "If you want DNSSEC, do not use OpenDNS."

OK - do you have a recommendation what to use?

If you are using the DNS censorship features from OpenDNS, I have no suggestions.  :P Unbound is just fine as DNSSEC-validating recursive resolver, without any need for forwarding anywhere.

@jbc:

but what is the problem with dnscrypt used in conjuction with DNSSEC,
Look at #3: What about DNSSEC? Does this eliminate the need for DNSSEC?
https://www.opendns.com/about/innovations/dnscrypt/

You cannot use OpenDNS servers for DNSSEC validation. They don't validate anything.

>nslookup www.dnssec-failed.org 8.8.4.4
Server:  google-public-dns-b.google.com
Address:  8.8.4.4

*** google-public-dns-b.google.com can't find www.dnssec-failed.org: Server failed

>nslookup www.dnssec-failed.org 208.67.222.222
Server:  resolver1.opendns.com
Address:  208.67.222.222

Non-authoritative answer:
Name:    www.dnssec-failed.org
Addresses:  68.87.109.242
          69.252.193.191

jbc

@doktornotor:

I see, thank you for clearing that up :)

edit:
Incase someone stumbles across this, here is a list of free dnscrypt servers;
Column 8 notes if they support DNSSEC or not.

https://github.com/jedisct1/dnscrypt-proxy/blob/master/dnscrypt-resolvers.csv

mir

For a censor free and no logging  DNS service which supports DNSSEC I can recommend this:
http://www.censurfridns.dk/

dstroot

Maybe everyone already knows this but there is not a whole lot of config advice I can find here.  So I thought I'd share what I have figured out.

It seems you should really only use DNDSEC if you are using unbound as a recursive resolver (which is pretty slow if you are hitting a site for a first time).  Otherwise all is good.

Otherwise turn DNSSEC off if you you are just using it as a forwarder because it's unlikely to be doing anything with OpenDNS (particularly with Google DNS since that seems to cause issues with unbound if you have it on).

From this site: https://calomel.org/unbound_dns.html

  # If you use forward-zone below to query the Google DNS servers you MUST comment out 
  # this option or all DNS queries will fail:
  # auto-trust-anchor-file: "/var/unbound/etc/root.key"

In either configuration, recursive or forwarder, it will cache DNS entries so subsequent requests are very fast.

Hope this helps someone.

cmb

@dstroot:

It seems you should really only use DNDSEC if you are using unbound as a recursive resolver (which is pretty slow if you are hitting a site for a first time).  Otherwise all is good.

Otherwise turn DNSSEC off if you you are just using it as a forwarder because it's unlikely to be doing anything with OpenDNS (particularly with Google DNS since that seems to cause issues with unbound if you have it on).

Only use it in forwarder mode if your configured servers for forwarding support DNSSEC. Google's public DNS is fine there, OpenDNS apparently isn't.

In many situations there won't be much if any difference in query response time between recursive and forwarder. Depends on how much latency between you and that domain's NSes, how much latency there is between you and your forwarders, and whether or not the forwarders have it cached.

cmb

@cmb:

@NobodyHere:

We're running the December 10th build. I can confirm issues with a new WAN address breaking unbound. When our PPPoE WAN link gets a new IP address, the resolver will reply with internal IPs set via DHCP clientIDs, but any external DNS lookup made via a system on the LAN fails.

DNS resolving on the firewall continues to work, so it's clearly an issue with unbound.

https://redmine.pfsense.org/issues/4095

The above referenced issue should be fixed. Those who were seeing that, please try on the 31st or newer snapshot.

firewalluser

Since going with the new resolver (unbound) instead of the forwarder, I've noticed periods of non responsiveness occurring where I cant access pf from within the lan, but I also notice a large number of firewall log entries for port 53.

A typical entry would look like
Jan 1 22:48:56 Direction=OUT WAN my ip address:random port  78.151.235.3:53 UDP

but to various ip addresses, not just 78.151.235.3 in this example. When this happens I will typically see 75-100 entries per second which amounts to a DDOS of sorts on a slow ADSL home connection.

As resolver is running in default mode, is this normal or to be expected behaviour, and if so, could resolver become a cause for concern for those using pfsense on a variable ip adsl connection aka a typical home connection?

pfsense is running on a dual nic Intel NUC 847 http://www.intel.com/content/www/us/en/nuc/nuc-kit-dccp847dye.html with 8Gb of Ram and a 128Gb msata ssd, so performance shouldnt be too bad I would have thought.

So is there something I can do to avoid these periods of unresponsiveness, perhaps go back to the forwarder maybe, or change a setting or two?

TIA.

markuhde

@cmb:

@cmb:

@NobodyHere:

We're running the December 10th build. I can confirm issues with a new WAN address breaking unbound. When our PPPoE WAN link gets a new IP address, the resolver will reply with internal IPs set via DHCP clientIDs, but any external DNS lookup made via a system on the LAN fails.

DNS resolving on the firewall continues to work, so it's clearly an issue with unbound.

https://redmine.pfsense.org/issues/4095

The above referenced issue should be fixed. Those who were seeing that, please try on the 31st or newer snapshot.

I just discovered this issue, or one similar to it, today - the hard way. Unbound failing on a machine with a PPPoE link randomly, but DNS still working on the firewall - just not for any client. Build is 2.2-RC (i386)
built on Thu Jan 01 06:14:04 CST 2015
FreeBSD 10.1-RELEASE-p3

I went back to dnsmasq for now.

q54e3w

Im not sure if this is a real issue or if its particular to my setup but I was having trouble starting DNS Resolver. To maximise my 10be throughput I use a high kern.ipc.maxsockbuf

kern.ipc.maxsockbuf: 33554432

the so-rcvbuf is derived from this value so in my case, 'so-rcvbuf: 31m' which caused unbound to fail to launch with the following errors

Jan 4 08:47:06 php-fpm[6441]: /status_services.php: The command '/usr/local/sbin/unbound -c /var/unbound/unbound.conf' returned exit code '1', the output was '[1420361226] unbound[24922:0] debug: creating udp4 socket 192.168.50.1 53 [1420361226] unbound[24922:0] error: setsockopt(..., SO_RCVBUF, ...) failed: No buffer space available [1420361226] unbound[24922:0] fatal error: could not open ports'

adding an advanced option

so-rcvbuf: 8m

to reduce this 31m down to 8m allows unbound to start correctly.

phil.davis

@irj972:

Im not sure if this is a real issue or if its particular to my setup but I was having trouble starting DNS Resolver. To maximise my 10be throughput I use a high kern.ipc.maxsockbuf

kern.ipc.maxsockbuf: 33554432

the so-rcvbuf is derived from this value so in my case, 'so-rcvbuf: 31m' which caused unbound to fail to launch with the following errors

Jan 4 08:47:06 php-fpm[6441]: /status_services.php: The command '/usr/local/sbin/unbound -c /var/unbound/unbound.conf' returned exit code '1', the output was '[1420361226] unbound[24922:0] debug: creating udp4 socket 192.168.50.1 53 [1420361226] unbound[24922:0] error: setsockopt(..., SO_RCVBUF, ...) failed: No buffer space available [1420361226] unbound[24922:0] fatal error: could not open ports'

adding an advanced option

so-rcvbuf: 8m

to reduce this 31m down to 8m allows unbound to start correctly.

The unbound docs I have found all are giving 8m as the example for a busy system, so maybe there is something in the unbound compile or FreeBSD that is limiting that socket option to 8m anyway.
I made this pull request to limit the calculation to 8m : https://github.com/pfsense/pfsense/pull/1420
That might be a practical fix here to protect people like you who have set kern.ipc.maxsockbuf high for other reasons.