Some root-servers.net capitalised
-
As hinted above, they are all capitalized upstream and in Unbound root.hints cache. Other than that, perhaps your logs have been abducted by aliens. Considering it is absolutely irrelevant how it's capitalized, I have had enough of peeks here.
-
So you don't know why some resolve to capitals and others don't in the fw logs then?
-
No, and I have better things to do with my life than investigating absolutely irrelevant nonsense.
P.S. For the antipattern inclined, there's an "Experimental Bit 0x20 Support" checkbox to have DNS queries capitalized randomly. ::)
-
You have a fast internet connection there, being able to modify your responses in 2 seconds, less time than I can even get the page loaded here in order to reply to your unmodified messages.
-
At least your unmodified messages are more civil than your original edited messages.
Why so touchy?
-
Are you on LSD? The only thing I modified here was moving the 0x20 P.S. to a new post – since you meanwhile posted another post.
-
No, and I have better things to do with my life than investigating absolutely irrelevant nonsense.
P.S. For the antipattern inclined, there's an "Experimental Bit 0x20 Support" checkbox to have DNS queries capitalized randomly. ::)
If the Experimental Bit is supposed to capitalise the resolved names in the logs, then why are G & M consistently capitalised, or does this only randomise the root servers once for the lifetime of the machine?
-
Are you on LSD? The only thing I modified here was moving the 0x20 P.S. to a new post – since you meanwhile posted another post.
I should record what I see.
I guess you have something to do with ESF then, perhaps a forum mod?
Edit.
The strongest I have been on is Nescafe coffee and I've never done LSD, so if such a thing as flashbacks occurs, it can't affect someone who's never done any LSD I guess.
-
If the Experimental Bit is supposed to capitalise the resolved names in the logs, then why are G & M consistently capitalised, or does this only randomise the root servers once for the lifetime of the machine?
I should add, in the interests of being clear, that when I reboot the fw the order of the root servers is random; it's just the G & M root servers which always appear capitalised, which seems odd.
-
You might want to read the fscking RFC to see that the 0x20 thing does absolutely NOTHING to PTR lookups. There's no 0x20 bit for numbers.
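As an added illustration (example code written for this thread, not Unbound's implementation and not posted by anyone here) of the 0x20 mechanism referred to above and in the use-caps-for-id documentation quoted later in the thread: the case perturbation is applied to, and verified on, the question name only, while the PTR answer data is taken exactly as the authoritative server returned it, which is what a resolver would log. The in-addr.arpa name is a constructed TEST-NET-1 example, not a root server's address.

```python
import random
from typing import Optional


def encode_0x20(qname: str, seed: int) -> str:
    """Randomise the case of the ASCII letters in a query name (draft dns-0x20).
    Digits, dots and hyphens have no case, so a PTR owner name such as
    1.2.0.192.in-addr.arpa only gains entropy from the 'in-addr.arpa' part."""
    rng = random.Random(seed)
    return "".join(
        (ch.upper() if rng.getrandbits(1) else ch.lower())
        if ch.isascii() and ch.isalpha() else ch
        for ch in qname
    )


def names_equal_ci(a: str, b: str) -> bool:
    """Ordinary DNS name comparison: ASCII case-insensitive (RFC 4343)."""
    return a.rstrip(".").lower() == b.rstrip(".").lower()


def reply_passes_0x20(sent_qname: str, reply_qname: str) -> bool:
    """A 0x20-aware resolver only accepts a reply whose QUESTION section echoes
    the exact casing it sent; a forged reply that merely matches
    case-insensitively is dropped, which is the anti-spoofing point."""
    return sent_qname == reply_qname


def logged_ptr_target(reply: dict, sent_qname: str) -> Optional[str]:
    """Return the PTR target a resolver would log for this reply, or None if
    the reply fails the 0x20 check. The RDATA is taken verbatim: the 0x20
    check never touches the answer section, so mixed case there is simply
    what the authoritative server put in the record."""
    if not reply_passes_0x20(sent_qname, reply["question"]):
        return None
    return reply["rdata"]


# Constructed sample: PTR lookup for a TEST-NET-1 address (not a real root
# server address) whose authority returns an upper-cased target name.
SENT = encode_0x20("1.2.0.192.in-addr.arpa", seed=42)
GENUINE_REPLY = {"question": SENT, "rdata": "G.ROOT-SERVERS.NET"}
# A reply that matches case-insensitively but not in the exact casing sent.
SPOOFED_REPLY = {"question": SENT.swapcase(), "rdata": "spoofed.example"}

if __name__ == "__main__":
    print("sent question:", SENT)
    print("genuine reply logs as:", logged_ptr_target(GENUINE_REPLY, SENT))
    print("spoofed reply logs as:", logged_ptr_target(SPOOFED_REPLY, SENT))
```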
-
https://www.unbound.net/documentation/unbound.conf.html
use-caps-for-id: <yes or no>
Use 0x20-encoded random bits in the query to foil spoof attempts. This perturbs the lowercase and uppercase of query names sent to authority servers and checks if the reply still has the correct casing. Disabled by default. This feature is an experimental implementation of draft dns-0x20.
-
Now that you mention Unbound, the reason I spotted G.ROOT-SERVERS.NET & M.ROOT-SERVERS.NET being capitalised in the fw logs, is I've been trying to get unbound/dns resolver to Enable Forwarding Mode = ticked as per what it says here: https://doc.pfsense.org/index.php/Unbound_DNS_Resolver
" Enable Forwarding Mode: Controls whether Unbound will query root servers directly (unchecked, disabled) or if queries will be forwarded to the upstream DNS servers defined under System > General or those obtained by DHCP/PPPoE/etc (checked, enabled). Forwarding mode may be enabled if the upstream DNS servers are trusted and also provide DNSSEC support. Forwarding mode is necessary for Multi-WAN Configurations. "
This is all part of the process of trying to get to the bottom of the states not blocking or rejecting properly as I've mentioned here https://forum.pfsense.org/index.php?topic=94619.msg526667#msg526667.
I've set up two VMs running pfsense 2.1 and pfsense 2.2. Both will have the same config that I can back up from one and restore to the other & vice versa easily enough with the same rules, schedules etc, which is how I was able to see the packets going out from the virtual fws when I rebooted them and monitor them.
Anyway, I was trying to get Enable Forwarding Mode to work, so having followed the instructions in the doc, Enable Forwarding Mode = ticked appears to only work during the session of the fw and is reset back to Enable Forwarding Mode = unticked when it's rebooted.
Perhaps I'm doing something wrong with the configuration of unbound?
My settings on the internet connected (1st) fw are:
System:General Setup
DNS Servers - None specified in the 4 DNS server fields & GW drop down.
Allow DNS to be overridden by DHCP/PPP on Wan is unticked
Do not use the DNS Forwarder as DNS Server is unticked.
Dashboard shows DNS Server = 127.0.0.1
Services:DNS Resolver, General Settings tab
Network Interfaces selected = Lan & Local host only
Outgoing Network Interfaces = Wan only
DNSSEC is ticked.
DNS Query Forwarding is unticked.
DHCP Registration is ticked
Static DHCP is ticked
Services:DHCP Server
The VM pfsense fws have a static IP and their hostnames match, as does the domain name in both fws. The internet connected fw is PPPoE connected with unbound running just fine for lookups.
In the VM (2nd) fw connected to the internet connected (1st) fw
System:General Setup
DNS Servers - None specified in the 4 DNS server fields & GW drop down.
Allow DNS to be overridden by DHCP/PPP on Wan is ticked (opposite to 1st fw).
Do not use the DNS Forwarder as DNS Server is ticked (opposite to 1st fw).
Dashboard shows DNS Server = 1st fw static ip address only.
Services:DNS Resolver, General Settings tab
Network Interfaces selected = Lan & Local host only
Outgoing Network Interfaces = Wan only
DNSSEC is ticked.
DNS Query Forwarding is ticked (opposite to 1st fw).
DHCP Registration is unticked (opposite to 1st fw).
Static DHCP is unticked (opposite to 1st fw).
Services:DHCP Server
Not relevant.
So click the Save button in Services:DNS Resolver, General Settings tab, and reboot the VM (2nd) fw.
Once the DNS resolver shows on the 2nd fw's console, I check the 1st fw logs and can see the 2nd fw is talking to the root-servers.net again. Why isn't it remembering the settings to talk to the 1st fw like I had just set up?
-
Enable Forwarding Mode: Controls whether Unbound will query root servers directly (unchecked, disabled) or if queries will be forwarded to the upstream DNS servers defined under System > General
…
DNS Servers - None specified in the 4 DNS server fields & GW drop down.
DNS Query Forwarding is ticked (opposite to 1st fw).
Perhaps you could think a bit about what you are doing…
-
Enable Forwarding Mode: Controls whether Unbound will query root servers directly (unchecked, disabled) or if queries will be forwarded to the upstream DNS servers defined under System > General
…
DNS Servers - None specified in the 4 DNS server fields & GW drop down.
DNS Query Forwarding is ticked (opposite to 1st fw).
Perhaps you could think a bit about what you are doing…
https://doc.pfsense.org/index.php/Unbound_DNS_Resolver
" Enable Forwarding Mode: Controls whether Unbound will query root servers directly (unchecked, disabled) or if queries will be forwarded to the upstream DNS servers defined under System > General or those obtained by DHCP/PPPoE/etc (checked, enabled). Forwarding mode may be enabled if the upstream DNS servers are trusted and also provide DNSSEC support. Forwarding mode is necessary for Multi-WAN Configurations. "
Both have DNSSEC enabled, so is the bold text wrong?
Likewise
"Unbound will query root servers directly (unchecked, disabled)"
" if queries will be forwarded to the upstream DNS servers defined under System > General "
In the VM (2nd) fw connected to the internet connected (1st) fw
System:General Setup
DNS Servers - None specified in the 4 DNS server fields & GW drop down.
Allow DNS to be overridden by DHCP/PPP on Wan is ticked (opposite to 1st fw).
Do not use the DNS Forwarder as DNS Server is ticked (opposite to 1st fw).
Dashboard shows DNS Server = 1st fw static ip address only.
"those obtained by DHCP/PPPoE/etc (checked, enabled)"
In the VM (2nd) fw connected to the internet connected (1st) fw
System:General Setup
DNS Servers - None specified in the 4 DNS server fields & GW drop down.
Allow DNS to be overridden by DHCP/PPP on Wan is ticked (opposite to 1st fw).
Do not use the DNS Forwarder as DNS Server is ticked (opposite to 1st fw).
Dashboard shows DNS Server = 1st fw static ip address only.
"or" is interpreted as not AND, i.e. not AND or OR; OR is exclusive, although the dashboard shows it's getting the 1st fw static ip address only, i.e. no 127.0.0.1 is showing.
It seems weird imo, which is why I have been rebooting these. I don't think I need to do a powerdown as per the problems users have experienced with upgrades from earlier versions https://forum.pfsense.org/index.php?topic=93071.0 because these are fresh installations from ISOs.
-
TL;DR
Dude when you don't specify any upstream DNS servers there's nothing to forward to. PERIOD. Severe case of PEBKAC.
EDIT: Created https://redmine.pfsense.org/issues/4747 for the lack of sanity checking.
-
TL;DR
Dude when you don't specify any upstream DNS servers there's nothing to forward to. PERIOD. Severe case of PEBKAC.
I'm not familiar with the phrase PEBKAC? Care to explain?
WRT the topic, I'll add the static IP address to the DNS fields in General Settings as per your suggestion then, give it a reboot and will see what happens, whilst ignoring
Allow DNS to be overridden by DHCP/PPP on Wan is ticked (opposite to 1st fw).
Do not use the DNS Forwarder as DNS Server is ticked (opposite to 1st fw).
I'll post my findings when I've had something to eat as well, so I won't BRB. ;)
-
I'm not familiar with the phrase PEBKAC? Care to explain?
Problem Exists Between Keyboard And Chair
-
TL;DR
Dude when you don't specify any upstream DNS servers there's nothing to forward to. PERIOD. Severe case of PEBKAC.
EDIT: Created https://redmine.pfsense.org/issues/4747 for the lack of sanity checking.
Ok, so I left all the other settings as they were before but have added, in the 2nd fw, the static ip address of the 1st fw in the System: General Setup, DNS Servers fields and left the gw blank.
This time, it initially talks to the 1st fw's DNS server during the boot process, but then proceeds to talk to the root servers again whilst the boot process finishes?
Next test, same as above but this time I specify the gw in the drop down as the only difference.
Same results, initially it talks to the 1st fw's DNS server, then it proceeds to talk to the root servers again.
So do you know what other setting changes I should make to the 2nd fw in order to stop unbound/DNS Resolver from talking to the root-servers.net and just use the DNS servers from the 1st fw?
I still haven't found any reason for the capitalised G & M.root-servers.net though, but I have not packet captured them to see if they go out on the net like that or not.
It certainly seems odd to see some of the root server ip addresses resolved in capitals when the others are all lowercase in the pfsense fw logs though.
@KOM:
I'm not familiar with the phrase PEBKAC? Care to explain?
Problem Exists Between Keyboard And Chair
RIC
SWIM calls them Computer User(s) Non Technical. ::)
-
Same results, initially it talks to the 1st fw's DNS server, then it proceeds to talk to the root servers again.
When you have this set to
Outgoing Network Interfaces = Wan only
then it's hardly surprising it won't query another FW on your LAN or god knows where. Sigh.
So do you know what other setting changes I should make to the 2nd fw in order to stop unbound/DNS Resolver from talking to the root-servers.net and just use the DNS servers from the 1st fw?
Sure. Disable the DNS Resolver and kindly use the fine DNS Forwarder. It's there for exactly this purpose, plus won't overwhelm you with settings – preventing you from creating stupid configurations and shooting yourself into the foot repeatedly.
I still havent found any reason for the capitalised G & M.root-servers.net though, but I have not packet captured them to see if they go out on the net like that or not.
No, they do not go OUT like that. They come BACK like that when you resolve the PTR of the root server's IP address. Get some more tinfoil.
P.S. Kindly post a screenshot of the freaking setting if you are going to "debug" your "issues" in future. Absolutely NOT interested in wading through the messy descriptions.
-
Same results, initially it talks to the 1st fw's DNS server, then it proceeds to talk to the root servers again.
When you have this set to
Outgoing Network Interfaces = Wan only
then it's hardly surprising it won't query another FW on your LAN or god knows where. Sigh.
Maybe I didn't explain how it's laid out properly.
Internet –>fw1---->fw2---->Lan
fw1 runs unbound
fw2 runs unbound and I know I could run the forwarder here, as I could also do on fw1.
So do you know what other setting changes I should make to the 2nd fw in order to stop unbound/DNS Resolver from talking to the root-servers.net and just use the DNS servers from the 1st fw?
Sure. Disable the DNS Resolver and kindly use the fine DNS Forwarder. It's there for exactly this purpose, plus won't overwhelm you with settings – preventing you from creating stupid configurations and shooting yourself into the foot repeatedly.
Well I'll give this a go tomorrow now, but I wanted to keep unbound in the loop as this is running on the main fw anyway and I'm trying to establish the states not blocking or rejecting properly in my other post.
In order to test/debug anything, it's generally recognised that the environment/settings are kept as identical as possible when trying to recreate problems.
I didn't think unbound would, for some so far unexplained reason, still insist on talking with the root-servers unless maybe there is a bug somewhere in pfsense or the unbound package, or incorrect settings. Despite your settings, unbound still insists on talking to the root-servers, at which point you suggest using the forwarder.
I still haven't found any reason for the capitalised G & M.root-servers.net though, but I have not packet captured them to see if they go out on the net like that or not.
No, they do not go OUT like that. They come BACK like that when you resolve the PTR of the root server's IP address. Get some more tinfoil.
I'm not saying they go out like that, I'm asking why do those two appear capitalised in the pfsense fw logs?
P.S. Kindly post a screenshot of the freaking setting if you are going to "debug" your "issues" in future. Absolutely NOT interested in wading through the messy descriptions.
Sure.
Are you on LSD? The only thing I modified here was moving the 0x20 P.S. to a new post – since you meanwhile posted another post.
In response to the above, I've been thinking about this, hypothetically speaking, if I was subjected to a MITM attack with code injection changing what you had typed when I saw it earlier today, this is not unlike SQL Injection when taking down/over SQL Servers, & we know MITM is possible when considering this coincidental post from earlier today. https://forum.pfsense.org/index.php?topic=94838.0
So with that in mind, it then prompted another question. How would we know ESF have not had their certs nicked?
How does one go about proving that little conundrum other than reissuing some new ones and sending out an alert?
I think it's a pertinent question considering today's news about the US Govt employee db hack that goes back to 1985; it makes you wonder what the NSA are doing to protect their infrastructure and made me wonder about ESF servers, which last time I checked were based in Texas.
I've still got other questions based on what you have said which seems to contradict my interpretation of the online docs but I'll see if we can actually get unbound to not talk with the root-servers first.