Some root-servers.net capitalised
-
They are all capitalized. ftp://ftp.internic.net/domain/named.cache
unbound-control -c /var/unbound/unbound.conf list_stubs . IN stub prime M.ROOT-SERVERS.NET. L.ROOT-SERVERS.NET. K.ROOT-SERVERS.NET. J.ROOT-SERVERS.NET. I.ROOT-SERVERS.NET. H.ROOT-SERVERS.NET. G.ROOT-SERVERS.NET. F.ROOT-SERVERS.NET. E.ROOT-SERVERS.NET. D.ROOT-SERVERS.NET. C.ROOT-SERVERS.NET. B.ROOT-SERVERS.NET. A.ROOT-SERVERS.NET. 2001:dc3::35 2001:500:3::42 2001:7fd::1 2001:503:c27::2:30 2001:7fe::53 2001:500:1::803f:235 2001:500:2f::f 2001:500:2d::d 2001:500:2::c 2001:500:84::b 2001:503:ba3e::2:30 202.12.27.33 199.7.83.42 193.0.14.129 192.58.128.30 192.36.148.17 128.63.2.53 192.112.36.4 192.5.5.241 192.203.230.10 199.7.91.13 192.33.4.12 192.228.79.201 198.41.0.4As for patterns, try more thick tinfoil.
-
Not in the logs they are not.
Check out the tinfoil hat song on youtube, you might like it. ;D
Edit. Take a peek if you like.
-
As hinted above, they are all capitalized upstream and in Unbound root.hints cache. Other than that, perhaps your logs have been abducted by aliens. Considering it is absolutely irrelevant how it's capitalized, I have had enough of peeks here.
-
So you dont know why some resolve to capitals and others dont in the fw logs then?
-
No, and I have better things to do with my life than investigating absolutely irrelevant nonsense.
P.S. For antipattern inclined, there's "Experimental Bit 0x20 Support" checkbox to have DNS queries capitalized randomly. ::)
-
You have a fast internet connection there, being able to modify your responses in 2seconds, less time than I can even get the page loaded here in order reply to your unmodified messages.
-
At least your unmodified messages are more civil than your original edited messages.
Why so touchy?
-
Are you on LSD? The only thing I modified here was moving the 0x20 P.S. to a new post – since you meanwhile posted another post.
-
No, and I have better things to do with my life than investigating absolutely irrelevant nonsense.
P.S. For antipattern inclined, there's "Experimental Bit 0x20 Support" checkbox to have DNS queries capitalized randomly. ::)
If the Experimental Bit is supposed to capitalise the resolved names in the logs, then why are G & M consistently capitalised, or does this only randomise the root servers once for the lifetime of the machine?
-
Are you on LSD? The only thing I modified here was moving the 0x20 P.S. to a new post – since you meanwhile posted another post.
I should record what I see.
I guess you have something to do with ESF then, perhaps a forum mod?
Edit.
The strongest I have been on is Nescafe coffee and I've never done LSD so if such a thing as flashbacks occur they cant affect someone who's never done any LSD I guess.
-
If the Experimental Bit is supposed to capitalise the resolved names in the logs, then why are G & M consistently capitalised, or does this only randomise the root servers once for the lifetime of the machine?
I should add in the interests of being clear, when I reboot the fw, the order of the root servers are random, its just the G & M root servers which always appear capitalised, which seems odd.
-
You might want to read the fscking RFC to see that the 0x20 thing does absolutely NOTHING to PTR lookups. There's no 0x20 bit for numbers.
-
https://www.unbound.net/documentation/unbound.conf.html
use-caps-for-id: <yes or="" no="">Use 0x20-encoded random bits in the query to foil spoof
attempts. This perturbs the lowercase and uppercase of query
names sent to authority servers and checks if the reply still
has the correct casing. Disabled by default. This feature is
an experimental implementation of draft dns-0x20.</yes> -
Now that you mention Unbound, the reason I spotted G.ROOT-SERVERS.NET & M.ROOT-SERVERS.NET being capitalised in the fw logs, is I've been trying to get unbound/dns resolver to Enable Forwarding Mode = ticked as per what it says here: https://doc.pfsense.org/index.php/Unbound_DNS_Resolver
" Enable Forwarding Mode: Controls whether Unbound will query root servers directly (unchecked, disabled) or if queries will be forwarded to the upstream DNS servers defined under System > General or those obtained by DHCP/PPPoE/etc (checked, enabled). Forwarding mode may be enabled if the upstream DNS servers are trusted and also provide DNSSEC support. Forwarding mode is necessary for Multi-WAN Configurations. "
This is all part of the process of trying to get to the bottom of the states not blocking or rejecting properly as I've mentioned here https://forum.pfsense.org/index.php?topic=94619.msg526667#msg526667.
I've setup two VM's running pfsense 2.1 and pfsense 2.2. Both will have the same config that I can backup from one and restore to the other & vice versa easily enough with the same rules, schedules etc, which is how I was able to see the packets going out from the virtual fws when I rebooted them and monitor them.
Anyway I was trying to get Enable Forwarding Mode to work, so having followed the instructions in the doc, the Enable Forwarding Mode = ticked appears to only work during the session of the fw and is reset back to Enable Forwarding Mode = unticked when its rebooted.
Perhaps I'm doing something wrong with the configuration of unbound?
My settings on the internet connected (1st) fw are:
System:General Setup
DNS Servers - None specified in the 4 DNS server fields & GW drop down.
Allow DNS to be overridden by DHCP/PPP on Wan is unticked
Do not use the DNS Forwarder as DNS Server is unticked.
Dashboard shows DNS Server = 127.0.0.1Services:DNS Resolver, General Settings tab
Network Interfaces selected = Lan & Local host only
Outgoing Network Interfaces = Wan only
DNSSEC is ticked.
DNS Query Forwarding is unticked.
DHCP Registration is ticked
Static DHCP is tickedServices:DHCP Server
The VM pfsense fw's have a static IP and their hostnames match as does the domain name in both fw's.Internet connect fw is pppoe connected with unbound running just fine for lookups.
In the VM (2nd) fw connected to the internet connected (1st) fw
System:General Setup
DNS Servers - None specified in the 4 DNS server fields & GW drop down.
Allow DNS to be overridden by DHCP/PPP on Wan is ticked (opposite to 1st fw).
Do not use the DNS Forwarder as DNS Server is ticked (opposite to 1st fw).
Dashboard shows DNS Server = 1st fw static ip address only.Services:DNS Resolver, General Settings tab
Network Interfaces selected = Lan & Local host only
Outgoing Network Interfaces = Wan only
DNSSEC is ticked.
DNS Query Forwarding is ticked (opposite to 1st fw).
DHCP Registration is unticked (opposite to 1st fw).
Static DHCP is unticked (opposite to 1st fw).Services:DHCP Server
Not relevant.So click the Save button in Services:DNS Resolver, General Settings tab, and reboot the VM (2nd) fw.
Once the DNS resolver shows on the 2nd fw's console, I check the 1st fw logs and can see the 2nd fw is talking to the root-servers.net again, why isnt it remembering the settings to talk to the 1st fw like I had just setup?
-
Enable Forwarding Mode: Controls whether Unbound will query root servers directly (unchecked, disabled) or if queries will be forwarded to the upstream DNS servers defined under System > General
…
DNS Servers - None specified in the 4 DNS server fields & GW drop down.
DNS Query Forwarding is ticked (opposite to 1st fw).Perhaps you could think a bit about what you are doing…
-
Enable Forwarding Mode: Controls whether Unbound will query root servers directly (unchecked, disabled) or if queries will be forwarded to the upstream DNS servers defined under System > General
…
DNS Servers - None specified in the 4 DNS server fields & GW drop down.
DNS Query Forwarding is ticked (opposite to 1st fw).Perhaps you could think a bit about what you are doing…
https://doc.pfsense.org/index.php/Unbound_DNS_Resolver
" Enable Forwarding Mode: Controls whether Unbound will query root servers directly (unchecked, disabled) or if queries will be forwarded to the upstream DNS servers defined under System > General or those obtained by DHCP/PPPoE/etc (checked, enabled).Forwarding mode may be enabled if the upstream DNS servers are trusted and also provide DNSSEC support. Forwarding mode is necessary for Multi-WAN Configurations. "
Both have DNSSEC enabled, so is the bold text wrong?
Likewise
"Unbound will query root servers directly (unchecked, disabled)"
" if queries will be forwarded to the upstream DNS servers defined under System > General ""In the VM (2nd) fw connected to the internet connected (1st) fw
System:General Setup
DNS Servers - None specified in the 4 DNS server fields & GW drop down.
Allow DNS to be overridden by DHCP/PPP on Wan is ticked (opposite to 1st fw).
Do not use the DNS Forwarder as DNS Server is ticked (opposite to 1st fw).
Dashboard shows DNS Server = 1st fw static ip address only.
"those obtained by DHCP/PPPoE/etc (checked, enabled)
"In the VM (2nd) fw connected to the internet connected (1st) fw
System:General Setup
DNS Servers - None specified in the 4 DNS server fields & GW drop down.
Allow DNS to be overridden by DHCP/PPP on Wan is ticked (opposite to 1st fw).
Do not use the DNS Forwarder as DNS Server is ticked (opposite to 1st fw).
Dashboard shows DNS Server = 1st fw static ip address only.
"or is interpreted as not AND ie not AND or OR, OR is exclusive, although the dashboard shows its getting the 1st fw static ip address only, ie no 127.0.0.1 is showing.
It seems weird imo, which is why I have been rebooting these. I dont think I need to do a powerdown as per the problems users have experienced with upgrades from earlier versions https://forum.pfsense.org/index.php?topic=93071.0 because these are fresh installations from iso's.
-
TL;DR
Dude when you don't specify any upstream DNS servers there's nothing to forward to. PERIOD. Severe case of PEBKAC.
EDIT: Created https://redmine.pfsense.org/issues/4747 for the lack of sanity checking.
-
TL;DR
Dude when you don't specify any upstream DNS servers there's nothing to forward to. PERIOD. Severe case of PEBKAC.
I'm not familiar with the phrase PEBKAC? Care to explain?
WRT the topic, I'll add the static IP address to the DNS fields in General Settings as per your suggestion then, give it a reboot and will see what happens, whilst ignoring
Allow DNS to be overridden by DHCP/PPP on Wan is ticked (opposite to 1st fw).
Do not use the DNS Forwarder as DNS Server is ticked (opposite to 1st fw).I'll post my findings when I've had something to eat as well so I wont BRB. ;)
-
I'm not familiar with the phrase PEBKAC? Care to explain?
Problem Exists Between Keyboard And Chair
-
TL;DR
Dude when you don't specify any upstream DNS servers there's nothing to forward to. PERIOD. Severe case of PEBKAC.
EDIT: Created https://redmine.pfsense.org/issues/4747 for the lack of sanity checking.
Ok, so I left all the other settings as they were before but have added in the 2nd fw the static ip address of the 1st fw in the System: General Setip, DNS Servers fields and left the gw blank.
This time, it initially during the boot process talks to the 1st fw's DNS server, but then proceeds to talk to the root servers again whilst the boot process finishes?
Next test, same as above but this time I specify the gw in the drop down as the only difference.
Same results, initially it talks to the 1st fw's DNS server, then it proceeds to talk to the root servers again.
So do you know what other setting changes I should make to the 2nd fw in order to stop unbound/DNS Resolver from talking to the root-servers.net and just use the DNS servers from the 1st fw?
I still havent found any reason for the capitalised G & M.root-servers.net though, but I have not packet captured them to see if they go out on the net like that or not.
It certainly seems odd to see some of the root server ip addresses resolved in capitals when the others are all lowercase in the pfsense fw logs though.
@KOM:
I'm not familiar with the phrase PEBKAC? Care to explain?
Problem Exists Between Keyboard And Chair
RIC
SWIM calls them Computer User(s) Non Technical. ::)
