Netgate Discussion Forum
    Some root-servers.net capitalised

General pfSense Questions
    41 Posts 6 Posters 5.8k Views
firewalluser

So you don't know why some resolve to capitals and others don't in the fw logs then?

Capitalism, currently The World's best Entertainment Control System and YOU can't buy it! But you can buy this, or some of this or some of these

      Asch Conformity, mainly the blind leading the blind.

doktornotor

        No, and I have better things to do with my life than investigating absolutely irrelevant nonsense.

P.S. For the antipattern-inclined, there's an "Experimental Bit 0x20 Support" checkbox to have DNS queries capitalized randomly.  ::)

firewalluser

You have a fast internet connection there, being able to modify your responses in 2 seconds, less time than I can even get the page loaded here in order to reply to your unmodified messages.

firewalluser

            At least your unmodified messages are more civil than your original edited messages.

            Why so touchy?

doktornotor

              Are you on LSD? The only thing I modified here was moving the 0x20 P.S. to a new post – since you meanwhile posted another post.

firewalluser

                @doktornotor:

                No, and I have better things to do with my life than investigating absolutely irrelevant nonsense.

                P.S. For antipattern inclined, there's "Experimental Bit 0x20 Support" checkbox to have DNS queries capitalized randomly.  ::)

                If the Experimental Bit is supposed to capitalise the resolved names in the logs, then why are G & M consistently capitalised, or does this only randomise the root servers once for the lifetime of the machine?

firewalluser

                  @doktornotor:

                  Are you on LSD? The only thing I modified here was moving the 0x20 P.S. to a new post – since you meanwhile posted another post.

                  I should record what I see.

                  I guess you have something to do with ESF then, perhaps a forum mod?

                  Edit.

The strongest I have been on is Nescafe coffee and I've never done LSD, so if such a thing as flashbacks occurs it can't affect someone who's never done any LSD, I guess.

firewalluser

                    @firewalluser:

                    If the Experimental Bit is supposed to capitalise the resolved names in the logs, then why are G & M consistently capitalised, or does this only randomise the root servers once for the lifetime of the machine?

I should add, in the interests of being clear, that when I reboot the fw the order of the root servers is random; it's just the G & M root servers which always appear capitalised, which seems odd.

doktornotor

                      You might want to read the fscking RFC to see that the 0x20 thing does absolutely NOTHING to PTR lookups. There's no 0x20 bit for numbers.

doktornotor

                        https://www.unbound.net/documentation/unbound.conf.html

use-caps-for-id: <yes or no>
    Use 0x20-encoded random bits in the query to foil spoof attempts. This perturbs the lowercase and uppercase of query names sent to authority servers and checks if the reply still has the correct casing. Disabled by default. This feature is an experimental implementation of draft dns-0x20.

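What the option quoted above actually does on the query side, as an added Python example (this is not unbound's code and not from the original thread): the resolver flips the case of each letter in the query name at random, the authoritative server copies the question section back verbatim, and the resolver only accepts a reply whose question name matches the exact casing it sent. The names used are the ones from this thread; the random source is seeded only so that a run is reproducible. It also shows the point made two posts up: in a PTR name such as 4.2.0.192.in-addr.arpa only the letters of "in-addr" and "arpa" carry a 0x20 bit, the digit labels carry none.

```python
import random


def encode_0x20(qname: str, rng: random.Random) -> str:
    """Randomise the case of every ASCII letter in a query name (draft dns-0x20).

    Only letters carry a usable 0x20 bit.  Digits, hyphens and dots pass through
    unchanged, so the numeric labels of a PTR name such as 4.2.0.192.in-addr.arpa
    add no randomness; only 'in-addr' and 'arpa' do.
    """
    out = []
    for ch in qname:
        if ch.isascii() and ch.isalpha():
            out.append(ch.upper() if rng.getrandbits(1) else ch.lower())
        else:
            out.append(ch)
    return "".join(out)


def encode_with_seed(qname: str, seed: int) -> str:
    """Deterministic wrapper: seeded only so the demo below is reproducible."""
    return encode_0x20(qname, random.Random(seed))


def entropy_bits(qname: str) -> int:
    """Number of letters in the name, i.e. bits an off-path spoofer must guess."""
    return sum(1 for ch in qname if ch.isascii() and ch.isalpha())


def reply_accepted(sent_qname: str, reply_qname: str) -> bool:
    """The check a 0x20-aware resolver applies to the question section of a reply.

    The authoritative server copies the question verbatim, so a genuine reply
    echoes exactly the casing that was sent.  A forged reply assembled from the
    name the attacker expected (typically all lowercase) fails the comparison,
    whereas a plain case-insensitive resolver would accept it.
    """
    return sent_qname == reply_qname


def exchange(qname: str, seed: int, forged: bool) -> bool:
    """Simulate one query/reply round trip.

    forged=False: the real server echoes our encoded question -> accepted.
    forged=True:  an off-path attacker who never saw the query answers with the
                  lowercase name -> accepted only if every coin flip happened to
                  come up lowercase (probability 2 ** -entropy_bits(qname)).
    """
    sent = encode_with_seed(qname, seed)
    reply = qname.lower() if forged else sent
    return reply_accepted(sent, reply)


if __name__ == "__main__":
    for name in ("g.root-servers.net", "4.2.0.192.in-addr.arpa"):
        print(f"{name!r:28} -> {encode_with_seed(name, 2015)!r:28} "
              f"({entropy_bits(name)} bits of case entropy)")
    print("genuine reply accepted:", exchange("g.root-servers.net", 2015, forged=False))
    print("forged reply accepted: ", exchange("g.root-servers.net", 2015, forged=True))
```

Note that none of this touches the answer section: the casing of a PTR target returned in RDATA is whatever the authoritative server stored, and 0x20 neither sets nor checks it.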
firewalluser

                          Now that you mention Unbound, the reason I spotted G.ROOT-SERVERS.NET & M.ROOT-SERVERS.NET being capitalised in the fw logs, is I've been trying to get unbound/dns resolver to Enable Forwarding Mode = ticked as per what it says here: https://doc.pfsense.org/index.php/Unbound_DNS_Resolver

                          " Enable Forwarding Mode: Controls whether Unbound will query root servers directly (unchecked, disabled) or if queries will be forwarded to the upstream DNS servers defined under System > General or those obtained by DHCP/PPPoE/etc (checked, enabled). Forwarding mode may be enabled if the upstream DNS servers are trusted and also provide DNSSEC support. Forwarding mode is necessary for Multi-WAN Configurations. "

                          This is all part of the process of trying to get to the bottom of the states not blocking or rejecting properly as I've mentioned here https://forum.pfsense.org/index.php?topic=94619.msg526667#msg526667.

I've set up two VMs running pfSense 2.1 and pfSense 2.2. Both will have the same config, which I can back up from one and restore to the other and vice versa easily enough, with the same rules, schedules etc., which is how I was able to see the packets going out from the virtual fws when I rebooted them and monitor them.

Anyway, I was trying to get Enable Forwarding Mode to work, so having followed the instructions in the doc, Enable Forwarding Mode = ticked appears to only work during the session of the fw and is reset back to Enable Forwarding Mode = unticked when it's rebooted.

                          Perhaps I'm doing something wrong with the configuration of unbound?

                          My settings on the internet connected (1st) fw are:
                          System:General Setup
                          DNS Servers - None specified in the 4 DNS server fields & GW drop down.
                          Allow DNS to be overridden by DHCP/PPP on Wan is unticked
                          Do not use the DNS Forwarder as DNS Server is unticked.
                          Dashboard shows DNS Server = 127.0.0.1

                          Services:DNS Resolver, General Settings tab
                          Network Interfaces selected = Lan & Local host only
                          Outgoing Network Interfaces = Wan only
                          DNSSEC is ticked.
                          DNS Query Forwarding is unticked.
                          DHCP Registration is ticked
                          Static DHCP is ticked

                          Services:DHCP Server
The VM pfSense fws have a static IP and their hostnames match, as does the domain name in both fws.

The Internet-connected fw is PPPoE connected, with unbound running just fine for lookups.

                          In the VM (2nd) fw connected to the internet connected (1st) fw
                          System:General Setup
                          DNS Servers - None specified in the 4 DNS server fields & GW drop down.
                          Allow DNS to be overridden by DHCP/PPP on Wan is ticked (opposite to 1st fw).
                          Do not use the DNS Forwarder as DNS Server is ticked (opposite to 1st fw).
                          Dashboard shows DNS Server = 1st fw static ip address only.

                          Services:DNS Resolver, General Settings tab
                          Network Interfaces selected = Lan & Local host only
                          Outgoing Network Interfaces = Wan only
                          DNSSEC is ticked.
                          DNS Query Forwarding is ticked (opposite to 1st fw).
                          DHCP Registration is unticked (opposite to 1st fw).
                          Static DHCP is unticked (opposite to 1st fw).

                          Services:DHCP Server
                          Not relevant.

                          So click the Save button in Services:DNS Resolver, General Settings tab, and reboot the VM (2nd) fw.

Once the DNS resolver shows on the 2nd fw's console, I check the 1st fw logs and can see the 2nd fw is talking to the root-servers.net again. Why isn't it remembering the settings to talk to the 1st fw like I had just set up?

doktornotor

                            @firewalluser:

                            Enable Forwarding Mode: Controls whether Unbound will query root servers directly (unchecked, disabled) or if queries will be forwarded to the upstream DNS servers defined under System > General

                            …

                            DNS Servers - None specified in the 4 DNS server fields & GW drop down.
                            DNS Query Forwarding is ticked (opposite to 1st fw).

                            Perhaps you could think a bit about what you are doing…

firewalluser

                              @doktornotor:

                              @firewalluser:

                              Enable Forwarding Mode: Controls whether Unbound will query root servers directly (unchecked, disabled) or if queries will be forwarded to the upstream DNS servers defined under System > General

                              …

                              DNS Servers - None specified in the 4 DNS server fields & GW drop down.
                              DNS Query Forwarding is ticked (opposite to 1st fw).

                              Perhaps you could think a bit about what you are doing…

                              https://doc.pfsense.org/index.php/Unbound_DNS_Resolver
                              " Enable Forwarding Mode: Controls whether Unbound will query root servers directly (unchecked, disabled) or if queries will be forwarded to the upstream DNS servers defined under System > General or those obtained by DHCP/PPPoE/etc (checked, enabled).

                              Forwarding mode may be enabled if the upstream DNS servers are trusted and also provide DNSSEC support. Forwarding mode is necessary for Multi-WAN Configurations. "

                              Both have DNSSEC enabled, so is the bold text wrong?

                              Likewise
                              "Unbound will query root servers directly (unchecked, disabled)"
                              " if queries will be forwarded to the upstream DNS servers defined under System > General "

                              "In the VM (2nd) fw connected to the internet connected (1st) fw
                              System:General Setup
                              DNS Servers - None specified in the 4 DNS server fields & GW drop down.
                              Allow DNS to be overridden by DHCP/PPP on Wan is ticked (opposite to 1st fw).
                              Do not use the DNS Forwarder as DNS Server is ticked (opposite to 1st fw).
                              Dashboard shows DNS Server = 1st fw static ip address only.
                              "

                              those obtained by DHCP/PPPoE/etc (checked, enabled)
                              "In the VM (2nd) fw connected to the internet connected (1st) fw
                              System:General Setup
                              DNS Servers - None specified in the 4 DNS server fields & GW drop down.
                              Allow DNS to be overridden by DHCP/PPP on Wan is ticked (opposite to 1st fw).
                              Do not use the DNS Forwarder as DNS Server is ticked (opposite to 1st fw).
                              Dashboard shows DNS Server = 1st fw static ip address only.
                              "

Or is "or" interpreted as not AND, i.e. not AND or OR (OR is exclusive)? Although the dashboard shows it's getting the 1st fw static IP address only, i.e. no 127.0.0.1 is showing.

It seems weird imo, which is why I have been rebooting these. I don't think I need to do a powerdown as per the problems users have experienced with upgrades from earlier versions https://forum.pfsense.org/index.php?topic=93071.0 because these are fresh installations from ISOs.

doktornotor

                                TL;DR

                                Dude when you don't specify any upstream DNS servers there's nothing to forward to. PERIOD. Severe case of PEBKAC.

                                EDIT: Created https://redmine.pfsense.org/issues/4747 for the lack of sanity checking.

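The sanity check the Redmine ticket above asks for, as an added Python example (not pfSense code and not from the thread): it models the settings discussed in the two posts above, derives the list of upstreams that "Enable Forwarding Mode" could forward to, and either renders an unbound forward-zone stanza or refuses when that list is empty. The field names, the exact stanza shape and the assumption that the "Allow DNS to be overridden by DHCP/PPP on WAN" checkbox merely adds WAN-learned servers to the System > General list are mine; 192.0.2.1 is a documentation address standing in for fw1's static IP.

```python
from dataclasses import dataclass, field
from typing import List


@dataclass
class ResolverSettings:
    """The handful of pfSense settings the thread toggles (field names are mine)."""
    # Services > DNS Resolver: "Enable Forwarding Mode" (called "DNS Query Forwarding" above)
    forwarding_enabled: bool
    # System > General Setup: the DNS Servers fields
    general_dns_servers: List[str] = field(default_factory=list)
    # System > General Setup: "Allow DNS server list to be overridden by DHCP/PPP on WAN"
    allow_dhcp_override: bool = False
    # Servers learned on WAN via DHCP/PPPoE, if any (assumed to be what that checkbox admits)
    wan_learned_dns_servers: List[str] = field(default_factory=list)


def upstream_servers(s: ResolverSettings) -> List[str]:
    """Upstreams unbound could forward to, per the doc text quoted earlier:
    System > General servers plus, when the override box is ticked, the WAN-learned
    ones.  The resolver's own loopback is never a valid forwarder (it would forward
    to itself), and duplicates are dropped while keeping the configured order."""
    candidates = list(s.general_dns_servers)
    if s.allow_dhcp_override:
        candidates += s.wan_learned_dns_servers
    seen, result = set(), []
    for ip in candidates:
        if ip and ip != "127.0.0.1" and ip not in seen:
            seen.add(ip)
            result.append(ip)
    return result


def render_forward_zone(s: ResolverSettings) -> str:
    """Return the unbound forward-zone stanza (assumed shape), or refuse to emit a
    stanza that forwards to nobody.  With no forwarders configured there is
    nothing to send queries to, which is the symptom in the thread: the second
    firewall keeps recursing from the root servers."""
    if not s.forwarding_enabled:
        return ""  # resolver mode: unbound recurses from the root hints itself
    servers = upstream_servers(s)
    if not servers:
        raise ValueError(
            "forwarding mode is enabled but no upstream DNS servers are configured "
            "(System > General Setup is empty and nothing was learned on WAN): "
            "nothing to forward to"
        )
    lines = ["forward-zone:", '    name: "."'] + [f"    forward-addr: {ip}" for ip in servers]
    return "\n".join(lines) + "\n"


def describe(s: ResolverSettings) -> str:
    """Human-readable verdict for one settings combination."""
    try:
        stanza = render_forward_zone(s)
    except ValueError as err:
        return f"REJECTED: {err}"
    return stanza or "(no forward-zone: resolving from root hints)"


# The second firewall as posted: forwarding ticked, no DNS servers entered, static WAN IP.
FW2_AS_POSTED = ResolverSettings(forwarding_enabled=True, allow_dhcp_override=True)
# The fix pointed at above: fw1's static address entered under System > General (192.0.2.1 assumed).
FW2_FIXED = ResolverSettings(forwarding_enabled=True, general_dns_servers=["192.0.2.1"])

if __name__ == "__main__":
    print(describe(FW2_AS_POSTED))
    print(describe(FW2_FIXED))
```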
firewalluser

                                  @doktornotor:

                                  TL;DR

                                  Dude when you don't specify any upstream DNS servers there's nothing to forward to. PERIOD. Severe case of PEBKAC.

                                  I'm not familiar with the phrase PEBKAC? Care to explain?

                                  WRT the topic, I'll add the static IP address to the DNS fields in General Settings as per your suggestion then, give it a reboot and will see what happens, whilst ignoring

                                  Allow DNS to be overridden by DHCP/PPP on Wan is ticked (opposite to 1st fw).
                                  Do not use the DNS Forwarder as DNS Server is ticked (opposite to 1st fw).

I'll post my findings when I've had something to eat as well, so I won't BRB.  ;)

KOM

                                    I'm not familiar with the phrase PEBKAC? Care to explain?

                                    Problem Exists Between Keyboard And Chair

firewalluser

                                      @doktornotor:

                                      TL;DR

                                      Dude when you don't specify any upstream DNS servers there's nothing to forward to. PERIOD. Severe case of PEBKAC.

                                      EDIT: Created https://redmine.pfsense.org/issues/4747 for the lack of sanity checking.

OK, so I left all the other settings as they were before, but in the 2nd fw I have added the static IP address of the 1st fw in the System: General Setup, DNS Servers fields and left the GW blank.

This time, during the boot process it initially talks to the 1st fw's DNS server, but then proceeds to talk to the root servers again whilst the boot process finishes?

                                      Next test, same as above but this time I specify the gw in the drop down as the only difference.

                                      Same results, initially it talks to the 1st fw's DNS server, then it proceeds to talk to the root servers again.

                                      So do you know what other setting changes I should make to the 2nd fw in order to stop unbound/DNS Resolver from talking to the root-servers.net and just use the DNS servers from the 1st fw?

I still haven't found any reason for the capitalised G & M.root-servers.net though, but I have not packet captured them to see if they go out on the net like that or not.

                                      It certainly seems odd to see some of the root server ip addresses resolved in capitals when the others are all lowercase in the pfsense fw logs though.

                                      @KOM:

                                      I'm not familiar with the phrase PEBKAC? Care to explain?

                                      Problem Exists Between Keyboard And Chair

                                      RIC

                                      SWIM calls them Computer User(s) Non Technical.  ::)

doktornotor

                                        @firewalluser:

                                        Same results, initially it talks to the 1st fw's DNS server, then it proceeds to talk to the root servers again.

                                        When you have this set to

                                        Outgoing Network Interfaces = Wan only

                                        then it's hardly surprising it won't query another FW on your LAN or god knows where. Sigh.

                                        @firewalluser:

                                        So do you know what other setting changes I should make to the 2nd fw in order to stop unbound/DNS Resolver from talking to the root-servers.net and just use the DNS servers from the 1st fw?

Sure. Disable the DNS Resolver and kindly use the fine DNS Forwarder. It's there for exactly this purpose, plus it won't overwhelm you with settings – preventing you from creating stupid configurations and shooting yourself in the foot repeatedly.

                                        @firewalluser:

                                        I still havent found any reason for the capitalised G & M.root-servers.net though, but I have not packet captured them to see if they go out on the net like that or not.

                                        No, they do not go OUT like that. They come BACK like that when you resolve the PTR of the root server's IP address. Get some more tinfoil.

P.S. Kindly post a screenshot of the freaking setting if you are going to "debug" your "issues" in future. Absolutely NOT interested in wading through the messy descriptions.

firewalluser

                                          @doktornotor:

                                          @firewalluser:

                                          Same results, initially it talks to the 1st fw's DNS server, then it proceeds to talk to the root servers again.

                                          When you have this set to

                                          Outgoing Network Interfaces = Wan only

                                          then it's hardly surprising it won't query another FW on your LAN or god knows where. Sigh.

Maybe I didn't explain how it's laid out properly.

Internet --> fw1 --> fw2 --> LAN
                                          fw1 runs unbound
                                          fw2 runs unbound and I know I could run the forwarder here as I could also do on fw1.

                                          @firewalluser:

                                          So do you know what other setting changes I should make to the 2nd fw in order to stop unbound/DNS Resolver from talking to the root-servers.net and just use the DNS servers from the 1st fw?

                                          Sure. Disable the DNS Resolver and kindly use the fine DNS Forwarder. It's there for exactly this purpose, plus won't overwhelm you with settings – preventing you from creating stupid configurations and shooting yourself into the foot repeatedly.

                                          Well I'll give this a go tomorrow now, but I wanted to keep unbound in the loop as this is running on the main fw anyway and I'm trying to establish the states not blocking or rejecting properly in my other post.

                                          In order to test/debug anything, its generally recognised the environment/settings are kept as identical as possible when trying to recreate problems.

I didn't think unbound would, for some so far unexplained reason, still insist on talking with the root servers unless maybe there is a bug somewhere in pfSense or the unbound package, or incorrect settings. Despite your settings, unbound still insists on talking to the root servers, at which point you suggest using the forwarder.

                                          @firewalluser:

                                          I still havent found any reason for the capitalised G & M.root-servers.net though, but I have not packet captured them to see if they go out on the net like that or not.

                                          No, they do not go OUT like that. They come BACK like that when you resolve the PTR of the root server's IP address. Get some more tinfoil.

                                          I'm not saying they go out like that, I'm asking why do those two appear capitalised in the pfsense fw logs?

P.S. Kindly post a screenshot of the freaking setting if you are going to "debug" your "issues" in future. Absolutely NOT interested in wading through the messy descriptions.

                                          Sure.

                                          @doktornotor:

                                          Are you on LSD? The only thing I modified here was moving the 0x20 P.S. to a new post – since you meanwhile posted another post.

In response to the above, I've been thinking about this. Hypothetically speaking, if I was subjected to a MITM attack with code injection changing what you had typed when I saw it earlier today, this is not unlike SQL injection when taking down/over SQL servers, and we know MITM is possible when considering this coincidental post from earlier today: https://forum.pfsense.org/index.php?topic=94838.0

                                          So with that in mind, it then prompted another question. How would we know ESF have not had their certs nicked?
                                          How does one go about proving that little conundrum other than reissue some new ones and send out an alert?

I think it's a pertinent question considering today's news about the US Govt employee DB hack that goes back to 1985; it makes you wonder what the NSA are doing to protect their infrastructure, and it made me wonder about ESF servers, which last time I checked were based in Texas.

                                          I've still got other questions based on what you have said which seems to contradict my interpretation of the online docs but I'll see if we can actually get unbound to not talk with the root-servers first.

doktornotor

                                            @firewalluser:

                                            I'm not saying they go out like that, I'm asking why do those two appear capitalised in the pfsense fw logs?

God almighty. Because whatever server you are querying for the PTR returns them like that. Period. And it's not even the LOG. It's the IP being RESOLVED in the WebGUI because you clicked the "i" to do so. Stop clicking there and the CAPS "pattern" won't bother you.

                                            Out of this conspiracy idiocy, enough time wasted.

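The mechanism behind the closing post, as an added Python example (not from the thread and not pfSense's code): the WebGUI turns a logged address into a host name with a reverse (PTR) lookup, and the spelling that comes back is whatever the authoritative server stored. DNS compares names case-insensitively over the ASCII letters only (RFC 4343), so G.ROOT-SERVERS.NET and g.root-servers.net are one name. The block builds the PTR query name from an address with the standard library, folds names into RFC 4343 comparison form at the octet level rather than with str.lower(), and groups a constructed set of (ip, displayed name) pairs to show which names merely differ in case. The 192.0.2.0/24 addresses are documentation space chosen for the example, not the real root server addresses.

```python
import ipaddress
from collections import defaultdict
from typing import Dict, Iterable, List, Set, Tuple


def ptr_qname(ip: str) -> str:
    """The owner name looked up when the WebGUI resolves a logged address
    (in-addr.arpa for IPv4, nibble-reversed ip6.arpa for IPv6)."""
    return ipaddress.ip_address(ip).reverse_pointer + "."


def canonical_dns_name(name: str) -> str:
    """Comparison form per RFC 4343: fold only the ASCII octets A-Z (0x41-0x5A),
    touch nothing else, and normalise the trailing dot.  Names on the wire are
    ASCII (IDNs travel as A-labels), so a non-ASCII presentation name is rejected
    rather than silently folded the way str.lower() would."""
    raw = name.rstrip(".").encode("ascii")
    folded = bytes(b + 0x20 if 0x41 <= b <= 0x5A else b for b in raw)
    return folded.decode("ascii") + "."


def same_dns_name(a: str, b: str) -> bool:
    """True when two presentation names denote the same DNS name."""
    return canonical_dns_name(a) == canonical_dns_name(b)


def group_resolved_names(entries: Iterable[Tuple[str, str]]) -> Dict[str, Set[str]]:
    """Map each distinct DNS name to the spellings the WebGUI displayed for it."""
    groups: Dict[str, Set[str]] = defaultdict(set)
    for _ip, shown in entries:
        groups[canonical_dns_name(shown)].add(shown)
    return dict(groups)


def mixed_case_names(entries: Iterable[Tuple[str, str]]) -> List[str]:
    """Names that appeared in more than one casing: same host, different PTR spelling."""
    return sorted(k for k, v in group_resolved_names(entries).items() if len(v) > 1)


# Constructed (ip, displayed name) pairs mimicking the resolved firewall-log view.
SAMPLE_LOG = [
    ("192.0.2.1", "a.root-servers.net"),
    ("192.0.2.7", "G.ROOT-SERVERS.NET"),
    ("192.0.2.7", "g.root-servers.net"),
    ("192.0.2.13", "M.ROOT-SERVERS.NET"),
]

if __name__ == "__main__":
    print("PTR query for 192.0.2.7:", ptr_qname("192.0.2.7"))
    for name, spellings in group_resolved_names(SAMPLE_LOG).items():
        print(f"{name:24} seen as {sorted(spellings)}")
    print("names seen in more than one casing:", mixed_case_names(SAMPLE_LOG))
```

When correlating resolved names across log entries, key on the canonical form rather than the displayed string; otherwise the same host appears as two entries for no reason other than the authoritative server's choice of case.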
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.