Netgate Discussion Forum

    Some root-servers.net capitalised

    General pfSense Questions
    • F Offline
      firewalluser
      last edited by

      2.2.2 AMD64

      Any reason why some of the root-server.net requests are capitalised, namely G & M?

      This generates a pattern.

      Capitalism, currently The World's best Entertainment Control System and YOU cant buy it! But you can buy this, or some of this or some of these

      Asch Conformity, mainly the blind leading the blind.

      1 Reply Last reply Reply Quote 0
      • D Offline
        doktornotor Banned
        last edited by

        They are all capitalized. ftp://ftp.internic.net/domain/named.cache

        
         unbound-control -c /var/unbound/unbound.conf list_stubs
        . IN stub prime M.ROOT-SERVERS.NET. L.ROOT-SERVERS.NET. K.ROOT-SERVERS.NET. J.ROOT-SERVERS.NET. I.ROOT-SERVERS.NET. H.ROOT-SERVERS.NET. G.ROOT-SERVERS.NET. F.ROOT-SERVERS.NET. E.ROOT-SERVERS.NET. D.ROOT-SERVERS.NET. C.ROOT-SERVERS.NET. B.ROOT-SERVERS.NET. A.ROOT-SERVERS.NET. 2001:dc3::35 2001:500:3::42 2001:7fd::1 2001:503:c27::2:30 2001:7fe::53 2001:500:1::803f:235 2001:500:2f::f 2001:500:2d::d 2001:500:2::c 2001:500:84::b 2001:503:ba3e::2:30 202.12.27.33 199.7.83.42 193.0.14.129 192.58.128.30 192.36.148.17 128.63.2.53 192.112.36.4 192.5.5.241 192.203.230.10 199.7.91.13 192.33.4.12 192.228.79.201 198.41.0.4
        
        

        As for patterns, try more thick tinfoil.

        1 Reply Last reply Reply Quote 0
        • F Offline
          firewalluser
          last edited by

          Not in the logs they are not.

          Check out the tinfoil hat song on youtube, you might like it.  ;D

          Edit. Take a peek if you like.

          [Attachment: rootservers.png]


          1 Reply Last reply Reply Quote 0
          • D Offline
            doktornotor Banned
            last edited by

            As hinted above, they are all capitalized upstream and in Unbound root.hints cache. Other than that, perhaps your logs have been abducted by aliens. Considering it is absolutely irrelevant how it's capitalized, I have had enough of peeks here.

            1 Reply Last reply Reply Quote 0
            • F Offline
              firewalluser
              last edited by

              So you don't know why some resolve to capitals and others don't in the fw logs then?


              1 Reply Last reply Reply Quote 0
              • D Offline
                doktornotor Banned
                last edited by

                No, and I have better things to do with my life than investigating absolutely irrelevant nonsense.

                P.S. For antipattern inclined, there's "Experimental Bit 0x20 Support" checkbox to have DNS queries capitalized randomly.  ::)

                1 Reply Last reply Reply Quote 0
                • F Offline
                  firewalluser
                  last edited by

                  You have a fast internet connection there, being able to modify your responses in 2 seconds, less time than I can even get the page loaded here in order to reply to your unmodified messages.


                  1 Reply Last reply Reply Quote 0
                  • F Offline
                    firewalluser
                    last edited by

                    At least your unmodified messages are more civil than your original edited messages.

                    Why so touchy?


                    1 Reply Last reply Reply Quote 0
                    • D Offline
                      doktornotor Banned
                      last edited by

                      Are you on LSD? The only thing I modified here was moving the 0x20 P.S. to a new post – since you meanwhile posted another post.

                      1 Reply Last reply Reply Quote 0
                      • F Offline
                        firewalluser
                        last edited by

                        @doktornotor:

                        No, and I have better things to do with my life than investigating absolutely irrelevant nonsense.

                        P.S. For antipattern inclined, there's "Experimental Bit 0x20 Support" checkbox to have DNS queries capitalized randomly.  ::)

                        If the Experimental Bit is supposed to capitalise the resolved names in the logs, then why are G & M consistently capitalised, or does this only randomise the root servers once for the lifetime of the machine?


                        1 Reply Last reply Reply Quote 0
                        • F Offline
                          firewalluser
                          last edited by

                          @doktornotor:

                          Are you on LSD? The only thing I modified here was moving the 0x20 P.S. to a new post – since you meanwhile posted another post.

                          I should record what I see.

                          I guess you have something to do with ESF then, perhaps a forum mod?

                          Edit.

                          The strongest I have been on is Nescafe coffee and I've never done LSD so if such a thing as flashbacks occur they can't affect someone who's never done any LSD I guess.


                          1 Reply Last reply Reply Quote 0
                          • F Offline
                            firewalluser
                            last edited by

                            @firewalluser:

                            If the Experimental Bit is supposed to capitalise the resolved names in the logs, then why are G & M consistently capitalised, or does this only randomise the root servers once for the lifetime of the machine?

                            I should add, in the interests of being clear, when I reboot the fw, the order of the root servers is random, it's just the G & M root servers which always appear capitalised, which seems odd.


                            1 Reply Last reply Reply Quote 0
                            • D Offline
                              doktornotor Banned
                              last edited by

                              You might want to read the fscking RFC to see that the 0x20 thing does absolutely NOTHING to PTR lookups. There's no 0x20 bit for numbers.

                              1 Reply Last reply Reply Quote 0
                              • D Offline
                                doktornotor Banned
                                last edited by

                                https://www.unbound.net/documentation/unbound.conf.html

                                use-caps-for-id: <yes or no>
                                              Use  0x20-encoded  random  bits  in  the  query  to  foil  spoof
                                              attempts.  This  perturbs  the lowercase and uppercase of query
                                              names sent to authority servers and checks if  the  reply  still
                                              has  the  correct casing.  Disabled by default.  This feature is
                                              an experimental implementation of draft dns-0x20.

                                1 Reply Last reply Reply Quote 0
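The case check that `use-caps-for-id` describes, as an added example that is not part of the original posts and is not Unbound's code: the resolver flips letter case at random, and a reply is accepted only if it echoes the exact casing. Function names and sample names are constructed for illustration; digits, dots and hyphens carry no case bit, so only letters add guessing cost for an off-path spoofer.

```python
import secrets


def _is_letter(ch):
    return ch.isascii() and ch.isalpha()


def encode_0x20(qname, rng=None):
    """Return qname with the case of every ASCII letter chosen at random."""
    rng = rng or secrets.SystemRandom()
    return "".join(
        (ch.upper() if rng.getrandbits(1) else ch.lower()) if _is_letter(ch) else ch
        for ch in qname
    )


def entropy_bits(qname):
    """Number of random bits 0x20 encoding can hide in this name."""
    return sum(1 for ch in qname if _is_letter(ch))


def guess_probability(qname):
    """Chance that a blind guess of the casing matches the query."""
    return 2.0 ** -entropy_bits(qname)


def check_reply(sent_qname, reply_qname):
    """Classify the question name echoed in a reply against what was sent."""
    if reply_qname == sent_qname:
        return "accept"            # byte-for-byte identical, casing included
    if reply_qname.lower() == sent_qname.lower():
        return "case-mismatch"     # same DNS name, wrong casing: treat as suspect
    return "wrong-name"


if __name__ == "__main__":
    # Constructed sample names: a forward name, a reverse (PTR) name, a bare address.
    for name in ("m.root-servers.net.", "33.27.12.202.in-addr.arpa.", "198.41.0.4"):
        sent = encode_0x20(name)
        print(f"{sent:32} bits={entropy_bits(name):2} "
              f"blind-guess={guess_probability(name):.6f}")
    sent = encode_0x20("g.root-servers.net.")
    print(check_reply(sent, sent))           # genuine echo
    print(check_reply(sent, sent.swapcase()))  # spoof that got the casing wrong
```
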
                                • F Offline
                                  firewalluser
                                  last edited by

                                  Now that you mention Unbound, the reason I spotted G.ROOT-SERVERS.NET & M.ROOT-SERVERS.NET being capitalised in the fw logs, is I've been trying to get unbound/dns resolver to Enable Forwarding Mode = ticked as per what it says here: https://doc.pfsense.org/index.php/Unbound_DNS_Resolver

                                  " Enable Forwarding Mode: Controls whether Unbound will query root servers directly (unchecked, disabled) or if queries will be forwarded to the upstream DNS servers defined under System > General or those obtained by DHCP/PPPoE/etc (checked, enabled). Forwarding mode may be enabled if the upstream DNS servers are trusted and also provide DNSSEC support. Forwarding mode is necessary for Multi-WAN Configurations. "

                                  This is all part of the process of trying to get to the bottom of the states not blocking or rejecting properly as I've mentioned here https://forum.pfsense.org/index.php?topic=94619.msg526667#msg526667.

                                  I've set up two VMs running pfsense 2.1 and pfsense 2.2. Both will have the same config that I can backup from one and restore to the other & vice versa easily enough with the same rules, schedules etc, which is how I was able to see the packets going out from the virtual fws when I rebooted them and monitor them.

                                  Anyway I was trying to get Enable Forwarding Mode to work, so having followed the instructions in the doc, the Enable Forwarding Mode = ticked appears to only work during the session of the fw and is reset back to Enable Forwarding Mode = unticked when it's rebooted.

                                  Perhaps I'm doing something wrong with the configuration of unbound?

                                  My settings on the internet connected (1st) fw are:
                                  System:General Setup
                                  DNS Servers - None specified in the 4 DNS server fields & GW drop down.
                                  Allow DNS to be overridden by DHCP/PPP on Wan is unticked
                                  Do not use the DNS Forwarder as DNS Server is unticked.
                                  Dashboard shows DNS Server = 127.0.0.1

                                  Services:DNS Resolver, General Settings tab
                                  Network Interfaces selected = Lan & Local host only
                                  Outgoing Network Interfaces = Wan only
                                  DNSSEC is ticked.
                                  DNS Query Forwarding is unticked.
                                  DHCP Registration is ticked
                                  Static DHCP is ticked

                                  Services:DHCP Server
                                  The VM pfsense fw's have a static IP and their hostnames match as does the domain name in both fw's.

                                  Internet connect fw is pppoe connected with unbound running just fine for lookups.

                                  In the VM (2nd) fw connected to the internet connected (1st) fw
                                  System:General Setup
                                  DNS Servers - None specified in the 4 DNS server fields & GW drop down.
                                  Allow DNS to be overridden by DHCP/PPP on Wan is ticked (opposite to 1st fw).
                                  Do not use the DNS Forwarder as DNS Server is ticked (opposite to 1st fw).
                                  Dashboard shows DNS Server = 1st fw static ip address only.

                                  Services:DNS Resolver, General Settings tab
                                  Network Interfaces selected = Lan & Local host only
                                  Outgoing Network Interfaces = Wan only
                                  DNSSEC is ticked.
                                  DNS Query Forwarding is ticked (opposite to 1st fw).
                                  DHCP Registration is unticked (opposite to 1st fw).
                                  Static DHCP is unticked (opposite to 1st fw).

                                  Services:DHCP Server
                                  Not relevant.

                                  So click the Save button in Services:DNS Resolver, General Settings tab, and reboot the VM (2nd) fw.

                                  Once the DNS resolver shows on the 2nd fw's console, I check the 1st fw logs and can see the 2nd fw is talking to the root-servers.net again, why isn't it remembering the settings to talk to the 1st fw like I had just set up?


                                  1 Reply Last reply Reply Quote 0
                                  • D Offline
                                    doktornotor Banned
                                    last edited by

                                    @firewalluser:

                                    Enable Forwarding Mode: Controls whether Unbound will query root servers directly (unchecked, disabled) or if queries will be forwarded to the upstream DNS servers defined under System > General

                                    …

                                    DNS Servers - None specified in the 4 DNS server fields & GW drop down.
                                    DNS Query Forwarding is ticked (opposite to 1st fw).

                                    Perhaps you could think a bit about what you are doing…

                                    1 Reply Last reply Reply Quote 0
                                    • F Offline
                                      firewalluser
                                      last edited by

                                      @doktornotor:

                                      @firewalluser:

                                      Enable Forwarding Mode: Controls whether Unbound will query root servers directly (unchecked, disabled) or if queries will be forwarded to the upstream DNS servers defined under System > General

                                      …

                                      DNS Servers - None specified in the 4 DNS server fields & GW drop down.
                                      DNS Query Forwarding is ticked (opposite to 1st fw).

                                      Perhaps you could think a bit about what you are doing…

                                      https://doc.pfsense.org/index.php/Unbound_DNS_Resolver
                                      " Enable Forwarding Mode: Controls whether Unbound will query root servers directly (unchecked, disabled) or if queries will be forwarded to the upstream DNS servers defined under System > General or those obtained by DHCP/PPPoE/etc (checked, enabled).

                                      Forwarding mode may be enabled if the upstream DNS servers are trusted and also provide DNSSEC support. Forwarding mode is necessary for Multi-WAN Configurations. "

                                      Both have DNSSEC enabled, so is the bold text wrong?

                                      Likewise
                                      "Unbound will query root servers directly (unchecked, disabled)"
                                      " if queries will be forwarded to the upstream DNS servers defined under System > General "

                                      "In the VM (2nd) fw connected to the internet connected (1st) fw
                                      System:General Setup
                                      DNS Servers - None specified in the 4 DNS server fields & GW drop down.
                                      Allow DNS to be overridden by DHCP/PPP on Wan is ticked (opposite to 1st fw).
                                      Do not use the DNS Forwarder as DNS Server is ticked (opposite to 1st fw).
                                      Dashboard shows DNS Server = 1st fw static ip address only.
                                      "

                                      those obtained by DHCP/PPPoE/etc (checked, enabled)
                                      "In the VM (2nd) fw connected to the internet connected (1st) fw
                                      System:General Setup
                                      DNS Servers - None specified in the 4 DNS server fields & GW drop down.
                                      Allow DNS to be overridden by DHCP/PPP on Wan is ticked (opposite to 1st fw).
                                      Do not use the DNS Forwarder as DNS Server is ticked (opposite to 1st fw).
                                      Dashboard shows DNS Server = 1st fw static ip address only.
                                      "

                                      or is interpreted as not AND ie not AND or OR, OR is exclusive, although the dashboard shows its getting the 1st fw static ip address only, ie no 127.0.0.1 is showing.

                                      It seems weird imo, which is why I have been rebooting these. I don't think I need to do a powerdown as per the problems users have experienced with upgrades from earlier versions https://forum.pfsense.org/index.php?topic=93071.0 because these are fresh installations from ISOs.


                                      1 Reply Last reply Reply Quote 0
                                      • D Offline
                                        doktornotor Banned
                                        last edited by

                                        TL;DR

                                        Dude when you don't specify any upstream DNS servers there's nothing to forward to. PERIOD. Severe case of PEBKAC.

                                        EDIT: Created https://redmine.pfsense.org/issues/4747 for the lack of sanity checking.

                                        1 Reply Last reply Reply Quote 0
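One way to check which mode a generated unbound.conf will actually run in, as an added example (not pfSense's or Unbound's own code). It assumes forwarding is expressed as a `forward-zone` for `.` with `forward-addr` or `forward-host` lines, which is standard unbound.conf syntax; how pfSense writes the file when no upstream is set is an assumption, and the sample configs, addresses and function names are constructed.

```python
def parse_forward_zones(conf_text):
    """Collect every forward-zone clause as {"name": ..., "upstreams": [...]}."""
    zones, current = [], None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        if not line:
            continue
        key, _, value = line.partition(":")          # IPv6 values keep their colons
        key, value = key.strip(), value.strip().strip('"')
        if not value:                                # clause header, e.g. "server:"
            current = None
            if key == "forward-zone":
                current = {"name": None, "upstreams": []}
                zones.append(current)
        elif current is not None:
            if key == "name":
                current["name"] = value
            elif key in ("forward-addr", "forward-host"):
                current["upstreams"].append(value)
    return zones


def audit(conf_text, forwarding_ticked):
    """Compare the GUI intent with what the config file makes the resolver do."""
    upstreams = [u for z in parse_forward_zones(conf_text)
                 if z["name"] == "." for u in z["upstreams"]]
    mode = "forward" if upstreams else "recursive"
    findings = []
    if forwarding_ticked and not upstreams:
        findings.append("forwarding enabled but no upstream for '.': "
                        "resolver will query the root servers directly")
    if not forwarding_ticked and upstreams:
        findings.append("forwarding disabled but a forward-zone for '.' exists")
    return mode, upstreams, findings


# Constructed samples: 192.0.2.1 stands in for the first firewall's LAN address.
CONF_NO_UPSTREAM = """
server:
    interface: 127.0.0.1
    harden-dnssec-stripped: yes
"""

CONF_WITH_UPSTREAM = CONF_NO_UPSTREAM + """
forward-zone:
    name: "."
    forward-addr: 192.0.2.1   # upstream taken from System > General
"""

if __name__ == "__main__":
    for label, conf in (("no upstream", CONF_NO_UPSTREAM),
                        ("with upstream", CONF_WITH_UPSTREAM)):
        print(label, audit(conf, forwarding_ticked=True))
```
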
                                        • F Offline
                                          firewalluser
                                          last edited by

                                          @doktornotor:

                                          TL;DR

                                          Dude when you don't specify any upstream DNS servers there's nothing to forward to. PERIOD. Severe case of PEBKAC.

                                          I'm not familiar with the phrase PEBKAC? Care to explain?

                                          WRT the topic, I'll add the static IP address to the DNS fields in General Settings as per your suggestion then, give it a reboot and will see what happens, whilst ignoring

                                          Allow DNS to be overridden by DHCP/PPP on Wan is ticked (opposite to 1st fw).
                                          Do not use the DNS Forwarder as DNS Server is ticked (opposite to 1st fw).

                                          I'll post my findings when I've had something to eat as well so I won't BRB.  ;)


                                          1 Reply Last reply Reply Quote 0
                                          • KOMK Offline
                                            KOM
                                            last edited by

                                            I'm not familiar with the phrase PEBKAC? Care to explain?

                                            Problem Exists Between Keyboard And Chair

                                            1 Reply Last reply Reply Quote 0