tcp error for address xxxx port 853
-
@chudak said in tcp error for address xxxx port 853:
Not sure what I can do about pfBNG
Turn it OFF, uninstall it - do your errors go away? If so it has something to do with your configuration of pfblocker.
-
My "Allow DNS server list to be overridden by DHCP/PPP on WAN" is unchecked
I turned OFF pfBNG and still see errors in Resolver log:
Feb 12 13:48:38 unbound 79932:3 debug: tcp error for address 9.9.9.9 port 853
Feb 12 13:48:38 unbound 79932:3 debug: tcp error for address 149.112.112.112 port 853
-
Not sure if it's related to this:
https://forum.netgate.com/topic/138274/unbound-1-8-1-only-single-thread-processing-dns-requests
To disable this option, you need to add the following to: pfSense Resolver Adv. Custom options: (and save)
server:so-reuseport: no
Otherwise, try with pfSense 2.4.5 as it has Unbound 1.9.0
-
Does not seem to make any difference:(
I wonder if this issue is easily reproducible...
My setup is pretty much out of the box
-
In Unbound Adv. Settings, increase the "Log Level" to "2" and "Save". Then review the resolver.log for any other clues.... And as a test disable OpenVPN and see if the error stops.
-
Done
Not sure what is suspicious in it, maybe insecure
Feb 12 20:27:32 unbound 80650:3 info: resolving myvisualiq.net. DS IN
Feb 12 20:27:32 unbound 80650:3 info: query response was ANSWER
Feb 12 20:27:32 unbound 80650:3 info: reply from <.> 9.9.9.9#853
Feb 12 20:27:32 unbound 80650:3 info: response for t.myvisualiq.net. A IN
Feb 12 20:27:32 unbound 80650:3 info: Verified that unsigned response is INSECURE
Feb 12 20:27:32 unbound 80650:3 info: NSEC3s for the referral proved no DS.
Feb 12 20:27:32 unbound 80650:3 info: resolving akamaiedge.net. DS IN
Feb 12 20:27:32 unbound 80650:3 info: Verified that unsigned response is INSECURE
Feb 12 20:27:32 unbound 80650:3 info: NSEC3s for the referral proved no DS.
-
Thought you turned off dnssec?
You sure you don't have multiple copies running of unbound, and your config never got updated? Pfblocker can leave some hanging when it tries to update, etc.
Also that
server:so-reuseport: no
would have to do with how many threads, would not cause a tcp error...
I can not reproduce this problem... Enabling dns over tls is clickity clickity..
What other packages you have? Sorry but installing pfblocker is NOT OUT OF THE BOX... And when asked what packages you didn't even list that.. I only knew you were running it from its entry in your unbound screenshot.
So what else is not out of the box??
-
Ack on so-reuseport: no, and removed it
I’m sure I run one pfsense, how can it be confirmed?
Would it help if I send you my config xml file?
“Enabling dns over tls is clickity clickity..”. Btw how do you test that it actually works fine?
-
sorry that was "typo" I changed it - meant unbound :) can not run multiple copies of pfsense ;) hehehe
-
@johnpoz said in tcp error for address xxxx port 853:
sorry that was "typo" I changed it - meant unbound :) can not run multiple copies of pfsense ;) hehehe
Too late :)
-
what is output of this
sockstat | grep unbound
Also again going to ask are you running anything else?? Any other packages?
-
@johnpoz said in tcp error for address xxxx port 853:
sockstat | grep unbound
sockstat | grep unbound
unbound unbound 94103 3 udp4 192.168.90.1:53 *:*
unbound unbound 94103 4 tcp4 192.168.90.1:53 *:*
unbound unbound 94103 5 udp4 192.168.90.1:853 *:*
unbound unbound 94103 6 tcp4 192.168.90.1:853 *:*
unbound unbound 94103 7 udp4 192.168.70.1:53 *:*
unbound unbound 94103 8 tcp4 192.168.70.1:53 *:*
unbound unbound 94103 9 udp4 192.168.70.1:853 *:*
unbound unbound 94103 10 tcp4 192.168.70.1:853 *:*
unbound unbound 94103 11 udp4 127.0.0.1:53 *:*
unbound unbound 94103 12 stream /var/run/php-fpm.socket
unbound unbound 94103 13 stream /var/run/php-fpm.socket
unbound unbound 94103 14 tcp4 127.0.0.1:53 *:*
unbound unbound 94103 15 udp4 127.0.0.1:853 *:*
unbound unbound 94103 16 tcp4 127.0.0.1:853 *:*
unbound unbound 94103 17 udp4 192.168.90.1:53 *:*
unbound unbound 94103 18 tcp4 192.168.90.1:53 *:*
unbound unbound 94103 19 udp4 192.168.90.1:853 *:*
unbound unbound 94103 20 tcp4 192.168.90.1:853 *:*
unbound unbound 94103 21 udp4 192.168.70.1:53 *:*
unbound unbound 94103 22 tcp4 192.168.70.1:53 *:*
unbound unbound 94103 23 udp4 192.168.70.1:853 *:*
unbound unbound 94103 24 tcp4 192.168.70.1:853 *:*
unbound unbound 94103 25 udp4 127.0.0.1:53 *:*
unbound unbound 94103 26 tcp4 127.0.0.1:53 *:*
unbound unbound 94103 27 udp4 127.0.0.1:853 *:*
unbound unbound 94103 28 tcp4 127.0.0.1:853 *:*
unbound unbound 94103 29 udp4 192.168.90.1:53 *:*
unbound unbound 94103 30 tcp4 192.168.90.1:53 *:*
unbound unbound 94103 31 udp4 192.168.90.1:853 *:*
unbound unbound 94103 32 tcp4 192.168.90.1:853 *:*
unbound unbound 94103 33 udp4 192.168.70.1:53 *:*
unbound unbound 94103 34 tcp4 192.168.70.1:53 *:*
unbound unbound 94103 35 udp4 192.168.70.1:853 *:*
unbound unbound 94103 36 tcp4 192.168.70.1:853 *:*
unbound unbound 94103 37 udp4 127.0.0.1:53 *:*
unbound unbound 94103 38 tcp4 127.0.0.1:53 *:*
unbound unbound 94103 39 udp4 127.0.0.1:853 *:*
unbound unbound 94103 40 tcp4 127.0.0.1:853 *:*
unbound unbound 94103 41 udp4 192.168.90.1:53 *:*
unbound unbound 94103 42 tcp4 192.168.90.1:53 *:*
unbound unbound 94103 43 udp4 192.168.90.1:853 *:*
unbound unbound 94103 44 tcp4 192.168.90.1:853 *:*
unbound unbound 94103 45 udp4 192.168.70.1:53 *:*
unbound unbound 94103 46 tcp4 192.168.70.1:53 *:*
unbound unbound 94103 47 udp4 192.168.70.1:853 *:*
unbound unbound 94103 48 tcp4 192.168.70.1:853 *:*
unbound unbound 94103 49 udp4 127.0.0.1:53 *:*
unbound unbound 94103 50 tcp4 127.0.0.1:53 *:*
unbound unbound 94103 51 udp4 127.0.0.1:853 *:*
unbound unbound 94103 52 tcp4 127.0.0.1:853 *:*
unbound unbound 94103 53 tcp4 127.0.0.1:953 *:*
unbound unbound 94103 54 dgram -> /var/run/logpriv
unbound unbound 94103 55 stream -> ??
unbound unbound 94103 56 stream -> ??
unbound unbound 94103 57 stream -> ??
unbound unbound 94103 58 stream -> ??
unbound unbound 94103 59 stream -> ??
unbound unbound 94103 60 stream -> ??
unbound unbound 94103 61 stream -> ??
unbound unbound 94103 62 stream -> ??
I run several packages - https://snag.gy/CRfoFM.jpg
Unfortunately I can't easily disable vpn ATM
-
That looks normal..
Here I just turned with clickity clickity and ZERO errors..
Feb 12 23:34:40 unbound 95989:0 info: query response was ANSWER
Feb 12 23:34:40 unbound 95989:0 info: reply from <.> 9.9.9.9#853
Feb 12 23:34:40 unbound 95989:0 info: response for checkip.synology.com. A IN
Feb 12 23:34:40 unbound 95989:0 info: resolving checkip.synology.com. A IN
Feb 12 23:34:40 unbound 95989:0 info: query response was CNAME
Feb 12 23:34:40 unbound 95989:0 info: reply from <.> 149.112.112.112#853
Feb 12 23:34:40 unbound 95989:0 info: response for checkip.synology.com. A IN
Feb 12 23:34:40 unbound 95989:0 info: resolving checkip.synology.com. A IN
Feb 12 23:34:40 unbound 95989:0 info: query response was CNAME
Feb 12 23:34:40 unbound 95989:0 info: reply from <.> 9.9.9.9#853
Feb 12 23:34:40 unbound 95989:0 info: response for checkip.synology.com. A IN
Feb 12 23:34:40 unbound 95989:0 info: resolving checkip.synology.com. A IN
Feb 12 23:34:35 unbound 95989:3 info: query response was ANSWER
Feb 12 23:34:35 unbound 95989:3 info: reply from <.> 9.9.9.9#853
Feb 12 23:34:35 unbound 95989:3 info: response for t.myvisualiq.net. A IN
Feb 12 23:34:35 unbound 95989:3 info: resolving t.myvisualiq.net. A IN
Feb 12 23:34:35 unbound 95989:3 info: query response was CNAME
Feb 12 23:34:35 unbound 95989:3 info: reply from <.> 9.9.9.9#853
Feb 12 23:34:35 unbound 95989:3 info: response for t.myvisualiq.net. A IN
Feb 12 23:34:34 unbound 95989:3 info: resolving t.myvisualiq.net. A IN
Feb 12 23:33:56 unbound 95989:3 info: query response was ANSWER
Feb 12 23:33:56 unbound 95989:3 info: reply from <.> 9.9.9.9#853
Feb 12 23:33:56 unbound 95989:3 info: response for conemu.github.io. A IN
Feb 12 23:33:56 unbound 95989:0 info: query response was ANSWER
Feb 12 23:33:56 unbound 95989:0 info: reply from <.> 9.9.9.9#853
Feb 12 23:33:56 unbound 95989:0 info: response for conemu.github.io. A IN
Feb 12 23:33:56 unbound 95989:2 info: query response was ANSWER
Feb 12 23:33:56 unbound 95989:2 info: reply from <.> 9.9.9.9#853
Feb 12 23:33:56 unbound 95989:2 info: response for conemu.github.io. A IN
Feb 12 23:33:56 unbound 95989:3 info: resolving conemu.github.io. A IN
Feb 12 23:33:56 unbound 95989:0 info: resolving conemu.github.io. A IN
Feb 12 23:33:56 unbound 95989:2 info: resolving conemu.github.io. A IN
Feb 12 23:33:54 unbound 95989:1 info: query response was nodata ANSWER
Feb 12 23:33:54 unbound 95989:1 info: reply from <.> 149.112.112.112#853
Feb 12 23:33:54 unbound 95989:1 info: response for us.pool.ntp.org. AAAA IN
Feb 12 23:33:53 unbound 95989:1 info: resolving us.pool.ntp.org. AAAA IN
Feb 12 23:33:53 unbound 95989:3 info: query response was ANSWER
Feb 12 23:33:53 unbound 95989:3 info: reply from <.> 149.112.112.112#853
Feb 12 23:33:53 unbound 95989:3 info: response for us.pool.ntp.org. A IN
Feb 12 23:33:53 unbound 95989:3 info: resolving us.pool.ntp.org. A IN
Feb 12 23:33:07 unbound 95989:0 info: start of service (unbound 1.8.1).
I even did a query for that entry you posted up.. Notice nothing about insecure... No errors about tcp errors, etc..
Post up your dns servers you set - you didn't set a gateway did you?
Again for what possible reason are you running TLS local for??? That is just pointless!!! Who would be sniffing your dns traffic locally???
unbound unbound 94103 52 tcp4 127.0.0.1:853 *:*
Turn that OFF!!! Does that remove your errors?
-
@johnpoz ok ok done :)
DNS Server Settings =>
https://snag.gy/g3bnED.jpg
"clickity clickity and ZERO errors.." that's in logs Resolver, what Log Level do you have set ?
-
2! It wouldn't show that info not at least that.
And Yes it's the resolver log.... Where else would it be?
-
try 3 and filter for error in Message
-
No errors..
Feb 12 23:48:17 unbound 27548:3 debug: cache memory msg=66771 rrset=66949 infra=8306 val=0
Feb 12 23:48:17 unbound 27548:3 info: finishing processing for p14-bookmarks.icloud.com. A IN
Feb 12 23:48:17 unbound 27548:3 info: query response was ANSWER
Feb 12 23:48:17 unbound 27548:3 info: reply from <.> 9.9.9.9#853
Feb 12 23:48:17 unbound 27548:3 info: response for p14-bookmarks.icloud.com. A IN
Feb 12 23:48:17 unbound 27548:3 info: iterator operate: chased to bookmarks.fe.apple-dns.net. A IN
Feb 12 23:48:17 unbound 27548:3 info: iterator operate: query p14-bookmarks.icloud.com. A IN
Feb 12 23:48:17 unbound 27548:3 debug: iterator[module 0] operate: extstate:module_wait_reply event:module_event_reply
Feb 12 23:48:17 unbound 27548:3 debug: cache memory msg=66309 rrset=66537 infra=8306 val=0
Feb 12 23:48:17 unbound 27548:3 debug: sending to target: <.> 9.9.9.9#853
Feb 12 23:48:17 unbound 27548:3 info: sending query: bookmarks.fe.apple-dns.net. A IN
Feb 12 23:48:17 unbound 27548:3 info: processQueryTargets: p14-bookmarks.icloud.com. A IN
Feb 12 23:48:17 unbound 27548:3 info: resolving p14-bookmarks.icloud.com. A IN
Feb 12 23:48:17 unbound 27548:3 info: query response was CNAME
Feb 12 23:48:17 unbound 27548:3 info: reply from <.> 149.112.112.112#853
Feb 12 23:48:17 unbound 27548:3 info: response for p14-bookmarks.icloud.com. A IN
Feb 12 23:48:17 unbound 27548:3 info: sanitize: removing extraneous answer RRset: bookmarks.fe.apple-dns.net. A IN
Feb 12 23:48:17 unbound 27548:3 info: iterator operate: query p14-bookmarks.icloud.com. A IN
Feb 12 23:48:17 unbound 27548:3 debug: iterator[module 0] operate: extstate:module_wait_reply event:module_event_reply
Feb 12 23:48:17 unbound 27548:3 debug: cache memory msg=66309 rrset=66313 infra=8057 val=0
Feb 12 23:48:17 unbound 27548:3 debug: sending to target: <.> 149.112.112.112#853
Feb 12 23:48:17 unbound 27548:3 info: sending query: p14-bookmarks.icloud.com. A IN
Feb 12 23:48:17 unbound 27548:3 info: processQueryTargets: p14-bookmarks.icloud.com. A IN
Feb 12 23:48:17 unbound 27548:3 info: resolving p14-bookmarks.icloud.com. A IN
Feb 12 23:48:17 unbound 27548:3 debug: iterator[module 0] operate: extstate:module_state_initial event:module_event_new
Feb 12 23:48:16 unbound 27548:3 debug: cache memory msg=66309 rrset=66313 infra=8057 val=0
Feb 12 23:48:16 unbound 27548:3 info: finishing processing for _bookmarkdavs._tcp.p14-bookmarks.icloud.com. SRV IN
Feb 12 23:48:16 unbound 27548:3 info: query response was NXDOMAIN ANSWER
Feb 12 23:48:16 unbound 27548:3 info: reply from <.> 149.112.112.112#853
Feb 12 23:48:16 unbound 27548:3 info: response for _bookmarkdavs._tcp.p14-bookmarks.icloud.com. SRV IN
Feb 12 23:48:16 unbound 27548:3 info: iterator operate: query _bookmarkdavs._tcp.p14-bookmarks.icloud.com. SRV IN
Feb 12 23:48:16 unbound 27548:3 debug: iterator[module 0] operate: extstate:module_wait_reply event:module_event_reply
Feb 12 23:48:16 unbound 27548:3 debug: cache memory msg=66072 rrset=66072 infra=8057 val=0
Feb 12 23:48:16 unbound 27548:3 debug: sending to target: <.> 149.112.112.112#853
Feb 12 23:48:16 unbound 27548:3 info: sending query: _bookmarkdavs._tcp.p14-bookmarks.icloud.com. SRV IN
Feb 12 23:48:16 unbound 27548:3 info: processQueryTargets: _bookmarkdavs._tcp.p14-bookmarks.icloud.com. SRV IN
Feb 12 23:48:16 unbound 27548:3 info: resolving _bookmarkdavs._tcp.p14-bookmarks.icloud.com. SRV IN
Feb 12 23:48:16 unbound 27548:3 debug: iterator[module 0] operate: extstate:module_state_initial event:module_event_new
Feb 12 23:47:21 unbound 27548:2 debug: cache memory msg=66072 rrset=66072 infra=7808 val=0
Feb 12 23:47:21 unbound 27548:2 info: DelegationPoint<.>: 0 names (0 missing), 2 addrs (0 result, 2 avail) parentNS
Feb 12 23:47:21 unbound 27548:3 debug: cache memory msg=66072 rrset=66072 infra=7808 val=0
Feb 12 23:47:21 unbound 27548:2 debug: Forward zone server list:
Feb 12 23:47:21 unbound 27548:3 info: DelegationPoint<.>: 0 names (0 missing), 2 addrs (0 result, 2 avail) parentNS
Feb 12 23:47:21 unbound 27548:3 debug: Forward zone server list:
Set to Level 3!
if I filter on errors there is NOTHING to show ;)
-
not for me :(
Feb 12 21:57:02 unbound 54983:3 debug: tcp error for address 9.9.9.9 port 853
Feb 12 21:57:02 unbound 54983:3 debug: tcp error for address 9.9.9.9 port 853
Feb 12 21:56:53 unbound 54983:3 debug: tcp error for address 149.112.112.112 port 853
Feb 12 21:56:53 unbound 54983:3 debug: tcp error for address 9.9.9.9 port 853
Feb 12 21:56:53 unbound 54983:3 debug: tcp error for address 149.112.112.112 port 853
Feb 12 21:56:50 unbound 54983:3 debug: tcp error for address 9.9.9.9 port 853
-
@chudak said in tcp error for address xxxx port 853:
error
Ok I found 1
Feb 12 23:50:42 unbound 27548:1 debug: sending to target: <.> 149.112.112.112#853
Feb 12 23:50:42 unbound 27548:1 info: sending query: wpad.nafta.cds.t-internal.com. A IN
Feb 12 23:50:42 unbound 27548:1 info: processQueryTargets: wpad.nafta.cds.t-internal.com. A IN
Feb 12 23:50:42 unbound 27548:1 info: iterator operate: query wpad.nafta.cds.t-internal.com. A IN
Feb 12 23:50:42 unbound 27548:1 debug: iterator[module 0] operate: extstate:module_wait_reply event:module_event_noreply
Feb 12 23:50:42 unbound 27548:1 debug: tcp error for address 149.112.112.112 port 853
Well yeah that is not going to get an answer ;) It asked for wpad.nafta.cds.t-internal.com
Prob just a timeout since it had to resolve it... When I ask again I get NX
And what is the REST OF THE LOG!!! What is before that error?
See in mine
debug: iterator[module 0] operate: extstate:module_wait_reply event:module_event_noreply
So what is NOT working here dude?? What doesn't resolve? Why do you have level 3 logging setup and looking for debug info?
-
Late here - have to go to bed..
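Added example, not part of the thread: a small script for answering the "what is before that error?" question by pairing each tcp error line with the query the same worker thread retries right after a module_event_noreply, as in the level 3 excerpt above. The sample log is constructed (the example.* names are placeholders) and the pairing rule is an assumed heuristic based on that line order, not documented unbound behaviour.

```python
import re
from collections import Counter

# Constructed sample in the order the pfSense log viewer in this thread
# shows it (newest entry first); the example.* names are placeholders.
SAMPLE = """\
Feb 12 23:50:42 unbound 27548:1 debug: sending to target: <.> 149.112.112.112#853
Feb 12 23:50:42 unbound 27548:1 info: sending query: wpad.example.internal. A IN
Feb 12 23:50:42 unbound 27548:1 info: processQueryTargets: wpad.example.internal. A IN
Feb 12 23:50:42 unbound 27548:1 info: iterator operate: query wpad.example.internal. A IN
Feb 12 23:50:42 unbound 27548:1 debug: iterator[module 0] operate: extstate:module_wait_reply event:module_event_noreply
Feb 12 23:50:42 unbound 27548:1 debug: tcp error for address 149.112.112.112 port 853
Feb 12 23:50:40 unbound 27548:3 info: iterator operate: query www.example.com. A IN
Feb 12 23:50:40 unbound 27548:3 debug: iterator[module 0] operate: extstate:module_wait_reply event:module_event_reply
Feb 12 23:50:39 unbound 27548:2 debug: tcp error for address 9.9.9.9 port 853
"""

LINE = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) unbound (\d+):(\d+) \w+: (.*)$")
TCP_ERR = re.compile(r"tcp error for address (\S+) port (\d+)")
RETRY = re.compile(r"iterator operate: query (\S+) (\S+) IN")

def correlate(log_text, newest_first=True):
    """Pair each 'tcp error' with the query its worker thread retries next."""
    rows = [m.groups() for m in map(LINE.match, log_text.strip().splitlines()) if m]
    if newest_first:
        rows.reverse()                      # work in chronological order
    findings, pending, last = [], {}, {}
    for ts, pid, thread, msg in rows:
        key = (pid, thread)                 # unbound logs "pid:thread"
        err, retry = TCP_ERR.search(msg), RETRY.search(msg)
        if err:
            f = {"time": ts, "upstream": err.group(1),
                 "port": int(err.group(2)), "query": None}
            findings.append(f)
            pending.setdefault(key, []).append(f)
        elif retry and "module_event_noreply" in last.get(key, ""):
            # Assumed heuristic: the query operated on right after a
            # noreply event is the one the failed connection carried.
            for f in pending.pop(key, []):
                f["query"] = f"{retry.group(1)} {retry.group(2)}"
        last[key] = msg
    return findings

def per_upstream(findings):
    """Count errors per forwarder to spot a single bad upstream."""
    return Counter(f["upstream"] for f in findings)

if __name__ == "__main__":
    for f in correlate(SAMPLE):
        print(f)
```

A finding whose query stays None means the surrounding lines were not in the input, as with the error-only excerpts posted earlier in the thread.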