    Strange issue - not sure how to fix

    General pfSense Questions
    93 Posts 3 Posters 17.2k Views

      johnpoz LAYER 8 Global Moderator

      Not the text that is shown, the download button.

      downloadpcap.jpg

      An intelligent man is sometimes forced to be drunk to spend time with his fools
      If you get confused: Listen to the Music Play
      Please don't Chat/PM me for help, unless mod related
      SG-4860 24.11 | Lab VMs 2.8, 24.11

        pfguy2018

        Great - got it. Now how do I edit out my IP address prior to posting the output? There does not seem to be any replace function in the UI that I can see.

          pfguy2018
          NVM - figured that out
          Here is some of the output from the capture I posted above
          Screen Shot 2020-02-23 at 10.18.30 AM copy.jpg

            pfguy2018

            It's a little hard to read the image, but there do appear to be successful queries to the root servers, as expected. So I will repeat this capture once the domain in question stops resolving, to see if there are any differences in the traffic.

              johnpoz LAYER 8 Global Moderator

              Exactly. The big question is: are you actually sending the queries and just not getting an answer, or are you not sending them at all?

              If it was just something hung up in unbound, you would think a restart of it would fix it. But you're having to reboot, which makes less sense unless it's something with the actual WAN connection.

              You should always know the IPs of the roots, because you don't have to query for them; they're in the hints file. So you should always be able to query for the IP of a root server even with no WAN connectivity.

              [2.4.4-RELEASE][admin@sg4860.local.lan]/root: dig h.root-servers.net
              
              ; <<>> DiG 9.12.2-P1 <<>> h.root-servers.net
              ;; global options: +cmd
              ;; Got answer:
              ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34795
              ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
              
              ;; OPT PSEUDOSECTION:
              ; EDNS: version: 0, flags:; udp: 4096
              ;; QUESTION SECTION:
              ;h.root-servers.net.            IN      A
              
              ;; ANSWER SECTION:
              h.root-servers.net.     25823   IN      A       198.97.190.53
              
              ;; Query time: 0 msec
              ;; SERVER: 127.0.0.1#53(127.0.0.1)
              ;; WHEN: Sun Feb 23 09:30:53 CST 2020
              ;; MSG SIZE  rcvd: 63
              

              You should be able to ask unbound this way as well how it would look up the NS for a TLD. When it fails again, I would check this as well to see what the output is.

              [2.4.4-RELEASE][admin@sg4860.local.lan]/root: unbound-control -c /var/unbound/unbound.conf lookup com
              The following name servers are used for lookup of com.
              ;rrset 80980 13 0 2 0
              com.    80980   IN      NS      b.gtld-servers.net.
              com.    80980   IN      NS      e.gtld-servers.net.
              com.    80980   IN      NS      c.gtld-servers.net.
              com.    80980   IN      NS      h.gtld-servers.net.
              com.    80980   IN      NS      l.gtld-servers.net.
              com.    80980   IN      NS      a.gtld-servers.net.
              com.    80980   IN      NS      k.gtld-servers.net.
              com.    80980   IN      NS      g.gtld-servers.net.
              com.    80980   IN      NS      i.gtld-servers.net.
              com.    80980   IN      NS      f.gtld-servers.net.
              com.    80980   IN      NS      d.gtld-servers.net.
              com.    80980   IN      NS      j.gtld-servers.net.
              com.    80980   IN      NS      m.gtld-servers.net.
              ;rrset 80980 1 1 11 5
              com.    80980   IN      DS      30909 8 2 E2D3C916F6DEEAC73294E8268FB5885044A833FC5459588F4A9184CFC41A5766
              com.    80980   IN      RRSIG   DS 8 1 86400 20200307050000 20200223040000 33853 . sLV0mt5DtczNJfepnGzpEjM5Gctb51i5Spnjk63LfpKu0YiWw160w9zDis/RoclzEKIAQ1wSWJNo04uBOQg7VAQ646bPoEcvSQ2Y7GJap4FqVIdAS3o5pJhKKmqeSVJxQ/aaj1BQAaWEFaU9yIvtnNWL7Lg0wUakZ483FTUxknRzTVHEVhNhnLUdjUcxEId0wEmmrkfsc5yiqRV9fYcOXUEZwFrV8YaoOTKaXKeL69zA2S4CJyXqQMbzFndPEE3/FnIhk3F19JfLgya8kwKTKbX22JJImxbmXA4zMTI8efnhlJ/ZS5QuuPcY2P2r+qVITs2Ibv2gvVBCYJltNxxaEQ== ;{id = 33853}
              ;rrset 25739 1 0 8 3
              m.gtld-servers.net.     25739   IN      A       192.55.83.30
              ;rrset 25739 1 0 8 3
              m.gtld-servers.net.     25739   IN      AAAA    2001:501:b1f9::30
              ;rrset 25738 1 0 8 3
              j.gtld-servers.net.     25738   IN      A       192.48.79.30
              ;rrset 25738 1 0 8 3
              j.gtld-servers.net.     25738   IN      AAAA    2001:502:7094::30
              ;rrset 25737 1 0 8 3
              d.gtld-servers.net.     25737   IN      A       192.31.80.30
              ;rrset 25737 1 0 8 3
              d.gtld-servers.net.     25737   IN      AAAA    2001:500:856e::30
              ;rrset 25737 1 0 8 3
              f.gtld-servers.net.     25737   IN      A       192.35.51.30
              ;rrset 25737 1 0 8 3
              f.gtld-servers.net.     25737   IN      AAAA    2001:503:d414::30
              ;rrset 25738 1 0 8 3
              i.gtld-servers.net.     25738   IN      A       192.43.172.30
              ;rrset 25738 1 0 8 3
              i.gtld-servers.net.     25738   IN      AAAA    2001:503:39c1::30
              ;rrset 25738 1 0 8 3
              g.gtld-servers.net.     25738   IN      A       192.42.93.30
              ;rrset 25738 1 0 8 3
              g.gtld-servers.net.     25738   IN      AAAA    2001:503:eea3::30
              ;rrset 25738 1 0 8 3
              k.gtld-servers.net.     25738   IN      A       192.52.178.30
              ;rrset 25738 1 0 8 3
              k.gtld-servers.net.     25738   IN      AAAA    2001:503:d2d::30
              ;rrset 25737 1 0 8 3
              a.gtld-servers.net.     25737   IN      A       192.5.6.30
              ;rrset 25737 1 0 8 3
              a.gtld-servers.net.     25737   IN      AAAA    2001:503:a83e::2:30
              ;rrset 25738 1 0 8 3
              l.gtld-servers.net.     25738   IN      A       192.41.162.30
              ;rrset 25739 1 0 8 3
              l.gtld-servers.net.     25739   IN      AAAA    2001:500:d937::30
              ;rrset 25738 1 0 8 3
              h.gtld-servers.net.     25738   IN      A       192.54.112.30
              ;rrset 25738 1 0 8 3
              h.gtld-servers.net.     25738   IN      AAAA    2001:502:8cc::30
              ;rrset 25737 1 0 8 3
              c.gtld-servers.net.     25737   IN      A       192.26.92.30
              ;rrset 25737 1 0 8 3
              c.gtld-servers.net.     25737   IN      AAAA    2001:503:83eb::30
              ;rrset 25737 1 0 8 3
              e.gtld-servers.net.     25737   IN      A       192.12.94.30
              ;rrset 25737 1 0 8 3
              e.gtld-servers.net.     25737   IN      AAAA    2001:502:1ca1::30
              ;rrset 25737 1 0 8 3
              b.gtld-servers.net.     25737   IN      A       192.33.14.30
              ;rrset 25737 1 0 8 3
              b.gtld-servers.net.     25737   IN      AAAA    2001:503:231d::2:30
              Delegation with 13 names, of which 0 can be examined to query further addresses.
              It provides 26 IP addresses.
              2001:503:231d::2:30     rto 376 msec, ttl 460, ping 0 var 94 rtt 376, tA 0, tAAAA 0, tother 0, EDNS 0 assumed.
              192.33.14.30            not in infra cache.
              2001:502:1ca1::30       rto 376 msec, ttl 460, ping 0 var 94 rtt 376, tA 0, tAAAA 0, tother 0, EDNS 0 assumed.
              192.12.94.30            rto 191 msec, ttl 302, ping 15 var 44 rtt 191, tA 0, tAAAA 0, tother 0, EDNS 0 probed.
              2001:503:83eb::30       rto 376 msec, ttl 171, ping 0 var 94 rtt 376, tA 0, tAAAA 0, tother 0, EDNS 0 assumed.
              192.26.92.30            rto 183 msec, ttl 302, ping 15 var 42 rtt 183, tA 0, tAAAA 0, tother 0, EDNS 0 probed.
              2001:502:8cc::30        not in infra cache.
              192.54.112.30           rto 243 msec, ttl 294, ping 3 var 60 rtt 243, tA 0, tAAAA 0, tother 0, EDNS 0 probed.
              2001:500:d937::30       rto 376 msec, ttl 302, ping 0 var 94 rtt 376, tA 0, tAAAA 0, tother 0, EDNS 0 assumed.
              192.41.162.30           rto 285 msec, ttl 473, ping 17 var 67 rtt 285, tA 0, tAAAA 0, tother 0, EDNS 0 probed.
              2001:503:a83e::2:30     rto 376 msec, ttl 460, ping 0 var 94 rtt 376, tA 0, tAAAA 0, tother 0, EDNS 0 assumed.
              192.5.6.30              rto 279 msec, ttl 733, ping 7 var 68 rtt 279, tA 0, tAAAA 0, tother 0, EDNS 0 probed.
              2001:503:d2d::30        rto 376 msec, ttl 302, ping 0 var 94 rtt 376, tA 0, tAAAA 0, tother 0, EDNS 0 assumed.
              192.52.178.30           rto 317 msec, ttl 711, ping 13 var 76 rtt 317, tA 0, tAAAA 0, tother 0, EDNS 0 probed.
              2001:503:eea3::30       rto 376 msec, ttl 460, ping 0 var 94 rtt 376, tA 0, tAAAA 0, tother 0, EDNS 0 assumed.
              192.42.93.30            rto 327 msec, ttl 91, ping 23 var 76 rtt 327, tA 0, tAAAA 0, tother 0, EDNS 0 probed.
              2001:503:39c1::30       rto 376 msec, ttl 711, ping 0 var 94 rtt 376, tA 0, tAAAA 0, tother 0, EDNS 0 assumed.
              192.43.172.30           rto 214 msec, ttl 268, ping 6 var 52 rtt 214, tA 0, tAAAA 0, tother 0, EDNS 0 probed.
              2001:503:d414::30       rto 376 msec, ttl 171, ping 0 var 94 rtt 376, tA 0, tAAAA 0, tother 0, EDNS 0 assumed.
              192.35.51.30            rto 365 msec, ttl 473, ping 9 var 89 rtt 365, tA 0, tAAAA 0, tother 0, EDNS 0 probed.
              2001:500:856e::30       rto 376 msec, ttl 171, ping 0 var 94 rtt 376, tA 0, tAAAA 0, tother 0, EDNS 0 assumed.
              192.31.80.30            rto 238 msec, ttl 302, ping 10 var 57 rtt 238, tA 0, tAAAA 0, tother 0, EDNS 0 probed.
              2001:502:7094::30       not in infra cache.
              192.48.79.30            rto 302 msec, ttl 706, ping 2 var 75 rtt 302, tA 0, tAAAA 0, tother 0, EDNS 0 probed.
              2001:501:b1f9::30       not in infra cache.
              192.55.83.30            rto 351 msec, ttl 706, ping 7 var 86 rtt 351, tA 0, tAAAA 0, tother 0, EDNS 0 probed.
              [2.4.4-RELEASE][admin@sg4860.local.lan]/root: 
              

              To validate that it actually has IPs for the roots:

              [2.4.4-RELEASE][admin@sg4860.local.lan]/root: unbound-control -c /var/unbound/unbound.conf lookup .
              The following name servers are used for lookup of .
              ;rrset 80411 13 1 11 5
              .       80411   IN      NS      k.root-servers.net.
              .       80411   IN      NS      b.root-servers.net.
              .       80411   IN      NS      m.root-servers.net.
              .       80411   IN      NS      c.root-servers.net.
              .       80411   IN      NS      d.root-servers.net.
              .       80411   IN      NS      l.root-servers.net.
              .       80411   IN      NS      h.root-servers.net.
              .       80411   IN      NS      j.root-servers.net.
              .       80411   IN      NS      g.root-servers.net.
              .       80411   IN      NS      e.root-servers.net.
              .       80411   IN      NS      f.root-servers.net.
              .       80411   IN      NS      a.root-servers.net.
              .       80411   IN      NS      i.root-servers.net.
              .       80411   IN      RRSIG   NS 8 0 518400 20200307050000 20200223040000 33853 . OywKX+NljD5Qsir5p4YY6Cz4raE6/1M5peyPyBymFCakHkG2tKG6u8k70cjNe/VAyYG0JPkqOFJ7I4+gzCqODab/8Vc18hClQ3XO6yj5IsdWcl5w+GgI7DFO5Tk7Bhx/5HqCNEXrmiCr8u1qvry0cdgmOO8iYvMDSXnT4FlGt49DIr4msrRU6Fsr0yjamoBVdcEaQwU9KDptzbMDnqJVL2FYGnpftrVanszm6Vs8q2iZivNlmTL1b2QKFidqI8DLs6V2yIPMbCOHFdAwlfw6LpWUaQhUxmxdsfBn28QUonZTUz/BOWpzWRmXDb2TDo1ofUkoOLvj7pHJvC7JEt07Zg== ;{id = 33853}
              ;rrset 25166 1 0 8 3
              i.root-servers.net.     25166   IN      A       192.36.148.17
              ;rrset 25166 1 0 8 3
              i.root-servers.net.     25166   IN      AAAA    2001:7fe::53
              ;rrset 25167 1 0 8 3
              a.root-servers.net.     25167   IN      A       198.41.0.4
              ;rrset 25167 1 0 8 3
              a.root-servers.net.     25167   IN      AAAA    2001:503:ba3e::2:30
              ;rrset 25166 1 0 8 3
              f.root-servers.net.     25166   IN      A       192.5.5.241
              ;rrset 25166 1 0 8 3
              f.root-servers.net.     25166   IN      AAAA    2001:500:2f::f
              ;rrset 25165 1 0 8 3
              e.root-servers.net.     25165   IN      A       192.203.230.10
              ;rrset 25165 1 0 8 3
              e.root-servers.net.     25165   IN      AAAA    2001:500:a8::e
              ;rrset 25166 1 0 8 3
              g.root-servers.net.     25166   IN      A       192.112.36.4
              ;rrset 25166 1 0 8 3
              g.root-servers.net.     25166   IN      AAAA    2001:500:12::d0d
              ;rrset 25167 1 0 8 3
              j.root-servers.net.     25167   IN      A       192.58.128.30
              ;rrset 25167 1 0 8 3
              j.root-servers.net.     25167   IN      AAAA    2001:503:c27::2:30
              ;rrset 25164 1 0 8 3
              h.root-servers.net.     25164   IN      A       198.97.190.53
              ;rrset 25164 1 0 8 3
              h.root-servers.net.     25164   IN      AAAA    2001:500:1::53
              ;rrset 25167 1 0 8 3
              l.root-servers.net.     25167   IN      A       199.7.83.42
              ;rrset 25167 1 0 8 3
              l.root-servers.net.     25167   IN      AAAA    2001:500:9f::42
              ;rrset 25167 1 0 8 3
              d.root-servers.net.     25167   IN      A       199.7.91.13
              ;rrset 25167 1 0 8 3
              d.root-servers.net.     25167   IN      AAAA    2001:500:2d::d
              ;rrset 25165 1 0 8 3
              c.root-servers.net.     25165   IN      A       192.33.4.12
              ;rrset 25166 1 0 8 3
              c.root-servers.net.     25166   IN      AAAA    2001:500:2::c
              ;rrset 25165 1 0 8 3
              m.root-servers.net.     25165   IN      A       202.12.27.33
              ;rrset 25165 1 0 8 3
              m.root-servers.net.     25165   IN      AAAA    2001:dc3::35
              ;rrset 25166 1 0 8 3
              b.root-servers.net.     25166   IN      A       199.9.14.201
              ;rrset 25167 1 0 8 3
              b.root-servers.net.     25167   IN      AAAA    2001:500:200::b
              ;rrset 25165 1 0 8 3
              k.root-servers.net.     25165   IN      A       193.0.14.129
              ;rrset 25165 1 0 8 3
              k.root-servers.net.     25165   IN      AAAA    2001:7fd::1
              Delegation with 13 names, of which 0 can be examined to query further addresses.
              It provides 26 IP addresses.
              2001:7fd::1             rto 376 msec, ttl 751, ping 0 var 94 rtt 376, tA 0, tAAAA 0, tother 0, EDNS 0 assumed.
              193.0.14.129            not in infra cache.
              2001:500:200::b         not in infra cache.
              199.9.14.201            rto 369 msec, ttl 481, ping 9 var 90 rtt 369, tA 0, tAAAA 0, tother 0, EDNS 0 probed.
              2001:dc3::35            rto 376 msec, ttl 751, ping 0 var 94 rtt 376, tA 0, tAAAA 0, tother 0, EDNS 0 assumed.
              202.12.27.33            not in infra cache.
              2001:500:2::c           not in infra cache.
              192.33.4.12             not in infra cache.
              2001:500:2d::d          not in infra cache.
              199.7.91.13             not in infra cache.
              2001:500:9f::42         rto 376 msec, ttl 751, ping 0 var 94 rtt 376, tA 0, tAAAA 0, tother 0, EDNS 0 assumed.
              199.7.83.42             rto 356 msec, ttl 751, ping 8 var 87 rtt 356, tA 0, tAAAA 0, tother 0, EDNS 0 probed.
              2001:500:1::53          not in infra cache.
              198.97.190.53           not in infra cache.
              2001:503:c27::2:30      rto 376 msec, ttl 751, ping 0 var 94 rtt 376, tA 0, tAAAA 0, tother 0, EDNS 0 assumed.
              192.58.128.30           not in infra cache.
              2001:500:12::d0d        not in infra cache.
              192.112.36.4            rto 328 msec, ttl 751, ping 4 var 81 rtt 328, tA 0, tAAAA 0, tother 0, EDNS 0 probed.
              2001:500:a8::e          not in infra cache.
              192.203.230.10          not in infra cache.
              2001:500:2f::f          not in infra cache.
              192.5.5.241             rto 320 msec, ttl 751, ping 4 var 79 rtt 320, tA 0, tAAAA 0, tother 0, EDNS 0 probed.
              2001:503:ba3e::2:30     not in infra cache.
              198.41.0.4              rto 256 msec, ttl 228, ping 4 var 63 rtt 256, tA 0, tAAAA 0, tother 0, EDNS 0 probed.
              2001:7fe::53            not in infra cache.
              192.36.148.17           not in infra cache.
              [2.4.4-RELEASE][admin@sg4860.local.lan]/root: 
              

                pfguy2018

                @johnpoz said in Strange issue - not sure how to fix:

                unbound-control -c /var/unbound/unbound.conf lookup .

                Yes, when I run those commands, I get very similar output to what you posted, as I should. So I will wait for the next time that domains stop resolving, and run everything again, and then post the results. Unfortunately, I have no idea when that will occur.

                  pfguy2018

                  It happened again and I was able to run the various commands you listed above and perform a packet capture.

                  ; <<>> DiG 9.12.2-P1 <<>> h.root-servers.net
                  ;; global options: +cmd
                  ;; Got answer:
                  ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56121
                  ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
                  
                  ;; OPT PSEUDOSECTION:
                  ; EDNS: version: 0, flags:; udp: 4096
                  ;; QUESTION SECTION:
                  ;h.root-servers.net.		IN	A
                  
                  ;; ANSWER SECTION:
                  h.root-servers.net.	86400	IN	A	198.97.190.53
                  
                  ;; Query time: 158 msec
                  ;; SERVER: 127.0.0.1#53(127.0.0.1)
                  ;; WHEN: Sun Feb 23 16:18:59 EST 2020
                  ;; MSG SIZE  rcvd: 63
                  
                  The following name servers are used for lookup of com.
                  ;rrset 85352 13 0 2 0
                  com.	85352	IN	NS	a.gtld-servers.net.
                  com.	85352	IN	NS	b.gtld-servers.net.
                  com.	85352	IN	NS	c.gtld-servers.net.
                  com.	85352	IN	NS	d.gtld-servers.net.
                  com.	85352	IN	NS	e.gtld-servers.net.
                  com.	85352	IN	NS	f.gtld-servers.net.
                  com.	85352	IN	NS	g.gtld-servers.net.
                  com.	85352	IN	NS	h.gtld-servers.net.
                  com.	85352	IN	NS	i.gtld-servers.net.
                  com.	85352	IN	NS	j.gtld-servers.net.
                  com.	85352	IN	NS	k.gtld-servers.net.
                  com.	85352	IN	NS	l.gtld-servers.net.
                  com.	85352	IN	NS	m.gtld-servers.net.
                  ;rrset 85352 1 1 11 5
                  com.	85352	IN	DS	30909 8 2 E2D3C916F6DEEAC73294E8268FB5885044A833FC5459588F4A9184CFC41A5766
                  com.	85352	IN	RRSIG	DS 8 1 86400 20200307170000 20200223160000 33853 . AkoMkh2radmKCnXu8NeiINg3AlAYfHvuZORUApNH96ZCtOkPZ0vxFgdwnls009OkPO2IYeUuIySROSJNSPc9Ukj/ybot7AyjAv6brrTcYVCg0KvPPSaFLwBCHXuJdUNlIF8xhxv73/gFBEcGThLAmxfeRk2lpODXeXNDbZ9GPnWVeC2KVwEeL22JfBcBmpAxEhNLnufgPLR5Kv9aY+O7cleHDuRpQa4qNSEBgF/88ugrpNdixNx+5FO6Nl7mZRdPjSr97H6EH/aCvlzPMGl7bPVtT/7A9T943yQP4kMznxVRSMNXSMimarzRJhmM0ZE5H1qwUTi+UoeMjBq+mJHmBA== ;{id = 33853}
                  ;rrset 85352 1 0 1 0
                  m.gtld-servers.net.	85352	IN	A	192.55.83.30
                  ;rrset 85352 1 0 1 0
                  m.gtld-servers.net.	85352	IN	AAAA	2001:501:b1f9::30
                  ;rrset 85352 1 0 1 0
                  l.gtld-servers.net.	85352	IN	A	192.41.162.30
                  ;rrset 85352 1 0 1 0
                  l.gtld-servers.net.	85352	IN	AAAA	2001:500:d937::30
                  ;rrset 85352 1 0 1 0
                  k.gtld-servers.net.	85352	IN	A	192.52.178.30
                  ;rrset 85352 1 0 1 0
                  k.gtld-servers.net.	85352	IN	AAAA	2001:503:d2d::30
                  ;rrset 85352 1 0 1 0
                  j.gtld-servers.net.	85352	IN	A	192.48.79.30
                  ;rrset 85352 1 0 1 0
                  j.gtld-servers.net.	85352	IN	AAAA	2001:502:7094::30
                  ;rrset 85352 1 0 1 0
                  i.gtld-servers.net.	85352	IN	A	192.43.172.30
                  ;rrset 85352 1 0 1 0
                  i.gtld-servers.net.	85352	IN	AAAA	2001:503:39c1::30
                  ;rrset 85352 1 0 1 0
                  h.gtld-servers.net.	85352	IN	A	192.54.112.30
                  ;rrset 85352 1 0 1 0
                  h.gtld-servers.net.	85352	IN	AAAA	2001:502:8cc::30
                  ;rrset 85352 1 0 1 0
                  g.gtld-servers.net.	85352	IN	A	192.42.93.30
                  ;rrset 85352 1 0 1 0
                  g.gtld-servers.net.	85352	IN	AAAA	2001:503:eea3::30
                  ;rrset 85352 1 0 1 0
                  f.gtld-servers.net.	85352	IN	A	192.35.51.30
                  ;rrset 85352 1 0 1 0
                  f.gtld-servers.net.	85352	IN	AAAA	2001:503:d414::30
                  ;rrset 85352 1 0 1 0
                  e.gtld-servers.net.	85352	IN	A	192.12.94.30
                  ;rrset 85352 1 0 1 0
                  e.gtld-servers.net.	85352	IN	AAAA	2001:502:1ca1::30
                  ;rrset 85352 1 0 1 0
                  d.gtld-servers.net.	85352	IN	A	192.31.80.30
                  ;rrset 85352 1 0 1 0
                  d.gtld-servers.net.	85352	IN	AAAA	2001:500:856e::30
                  ;rrset 85352 1 0 1 0
                  c.gtld-servers.net.	85352	IN	A	192.26.92.30
                  ;rrset 85352 1 0 1 0
                  c.gtld-servers.net.	85352	IN	AAAA	2001:503:83eb::30
                  ;rrset 85352 1 0 1 0
                  b.gtld-servers.net.	85352	IN	A	192.33.14.30
                  ;rrset 85352 1 0 1 0
                  b.gtld-servers.net.	85352	IN	AAAA	2001:503:231d::2:30
                  ;rrset 85352 1 0 1 0
                  a.gtld-servers.net.	85352	IN	A	192.5.6.30
                  ;rrset 85352 1 0 1 0
                  a.gtld-servers.net.	85352	IN	AAAA	2001:503:a83e::2:30
                  Delegation with 13 names, of which 0 can be examined to query further addresses.
                  It provides 26 IP addresses.
                  2001:503:a83e::2:30	not in infra cache.
                  192.5.6.30      	rto 307 msec, ttl 574, ping 19 var 72 rtt 307, tA 0, tAAAA 0, tother 0, EDNS 0 probed.
                  2001:503:231d::2:30	not in infra cache.
                  192.33.14.30    	rto 347 msec, ttl 735, ping 7 var 85 rtt 347, tA 0, tAAAA 0, tother 0, EDNS 0 probed.
                  2001:503:83eb::30	not in infra cache.
                  192.26.92.30    	not in infra cache.
                  2001:500:856e::30	not in infra cache.
                  192.31.80.30    	rto 197 msec, ttl 244, ping 37 var 40 rtt 197, tA 0, tAAAA 0, tother 0, EDNS 0 probed.
                  2001:502:1ca1::30	not in infra cache.
                  192.12.94.30    	not in infra cache.
                  2001:503:d414::30	not in infra cache.
                  192.35.51.30    	not in infra cache.
                  2001:503:eea3::30	not in infra cache.
                  192.42.93.30    	rto 123 msec, ttl 152, ping 23 var 25 rtt 123, tA 0, tAAAA 0, tother 0, EDNS 0 probed.
                  2001:502:8cc::30	not in infra cache.
                  192.54.112.30   	rto 324 msec, ttl 635, ping 4 var 80 rtt 324, tA 0, tAAAA 0, tother 0, EDNS 0 probed.
                  2001:503:39c1::30	not in infra cache.
                  192.43.172.30   	rto 298 msec, ttl 573, ping 10 var 72 rtt 298, tA 0, tAAAA 0, tother 0, EDNS 0 probed.
                  2001:502:7094::30	not in infra cache.
                  192.48.79.30    	rto 752 msec, ttl 384, ping 0 var 94 rtt 376, tA 1, tAAAA 0, tother 0, EDNS 0 assumed.
                  2001:503:d2d::30	not in infra cache.
                  192.52.178.30   	rto 360 msec, ttl 574, ping 8 var 88 rtt 360, tA 0, tAAAA 0, tother 0, EDNS 0 probed.
                  2001:500:d937::30	not in infra cache.
                  192.41.162.30   	rto 356 msec, ttl 736, ping 8 var 87 rtt 356, tA 0, tAAAA 0, tother 0, EDNS 0 probed.
                  2001:501:b1f9::30	not in infra cache.
                  192.55.83.30    	rto 336 msec, ttl 551, ping 24 var 78 rtt 336, tA 0, tAAAA 0, tother 0, EDNS 0 probed.
                  
                  The following name servers are used for lookup of .
                  ;rrset 85317 13 1 8 0
                  .	85317	IN	NS	m.root-servers.net.
                  .	85317	IN	NS	b.root-servers.net.
                  .	85317	IN	NS	c.root-servers.net.
                  .	85317	IN	NS	d.root-servers.net.
                  .	85317	IN	NS	e.root-servers.net.
                  .	85317	IN	NS	f.root-servers.net.
                  .	85317	IN	NS	g.root-servers.net.
                  .	85317	IN	NS	h.root-servers.net.
                  .	85317	IN	NS	a.root-servers.net.
                  .	85317	IN	NS	i.root-servers.net.
                  .	85317	IN	NS	j.root-servers.net.
                  .	85317	IN	NS	k.root-servers.net.
                  .	85317	IN	NS	l.root-servers.net.
                  .	85317	IN	RRSIG	NS 8 0 518400 20200307170000 20200223160000 33853 . GN9hZh6mOFruU2IWiP4EIvALgU6uQLlXo748wScmwsJYCcmPiPFT6y2qNnsJfg06OrI2qhZueL0NNtcZ5W9hGLFff3nzUcOETUnEWcbW4MwIRWDxVQ4MVMmsnIhWM3BCQdA5hG0eIALwJ+9q3aUe+lHhORN98lpYxfs+tx73A+GgmNZUm4Coz44hmhJ6G+mM0mYsMLZ1oAvDH/exgo/VExwEA9P3xyRQb5H09yJdc0cdmygbD8R1L/yjyQUlnyKLOC8ZQ3bpei9NKRXWqv5p29cnpwt4AiaAuZNkCVQA9SIWIKdFVrBh40NsO+RDpEcmh84r30wTVm+qYGT4PItLag== ;{id = 33853}
                  ;rrset 85317 1 0 3 3
                  l.root-servers.net.	85317	IN	A	199.7.83.42
                  ;rrset 85317 1 0 3 3
                  l.root-servers.net.	85317	IN	AAAA	2001:500:9f::42
                  ;rrset 85317 1 0 3 3
                  k.root-servers.net.	85317	IN	A	193.0.14.129
                  ;rrset 85317 1 0 3 3
                  k.root-servers.net.	85317	IN	AAAA	2001:7fd::1
                  ;rrset 85317 1 0 3 3
                  j.root-servers.net.	85317	IN	A	192.58.128.30
                  ;rrset 85317 1 0 3 3
                  j.root-servers.net.	85317	IN	AAAA	2001:503:c27::2:30
                  ;rrset 85317 1 0 3 3
                  i.root-servers.net.	85317	IN	A	192.36.148.17
                  ;rrset 85317 1 0 3 3
                  i.root-servers.net.	85317	IN	AAAA	2001:7fe::53
                  ;rrset 85317 1 0 3 3
                  a.root-servers.net.	85317	IN	A	198.41.0.4
                  ;rrset 85317 1 0 3 3
                  a.root-servers.net.	85317	IN	AAAA	2001:503:ba3e::2:30
                  ;rrset 86325 1 0 8 3
                  h.root-servers.net.	86325	IN	A	198.97.190.53
                  ;rrset 85317 1 0 3 3
                  h.root-servers.net.	85317	IN	AAAA	2001:500:1::53
                  ;rrset 85317 1 0 3 3
                  g.root-servers.net.	85317	IN	A	192.112.36.4
                  ;rrset 85317 1 0 3 3
                  g.root-servers.net.	85317	IN	AAAA	2001:500:12::d0d
                  ;rrset 85317 1 0 3 3
                  f.root-servers.net.	85317	IN	A	192.5.5.241
                  ;rrset 85317 1 0 3 3
                  f.root-servers.net.	85317	IN	AAAA	2001:500:2f::f
                  ;rrset 85317 1 0 3 3
                  e.root-servers.net.	85317	IN	A	192.203.230.10
                  ;rrset 85317 1 0 3 3
                  e.root-servers.net.	85317	IN	AAAA	2001:500:a8::e
                  ;rrset 85317 1 0 3 3
                  d.root-servers.net.	85317	IN	A	199.7.91.13
                  ;rrset 85317 1 0 3 3
                  d.root-servers.net.	85317	IN	AAAA	2001:500:2d::d
                  ;rrset 85317 1 0 3 3
                  c.root-servers.net.	85317	IN	A	192.33.4.12
                  ;rrset 85317 1 0 3 3
                  c.root-servers.net.	85317	IN	AAAA	2001:500:2::c
                  ;rrset 85317 1 0 3 3
                  b.root-servers.net.	85317	IN	A	199.9.14.201
                  ;rrset 85317 1 0 3 3
                  b.root-servers.net.	85317	IN	AAAA	2001:500:200::b
                  ;rrset 85317 1 0 3 3
                  m.root-servers.net.	85317	IN	A	202.12.27.33
                  ;rrset 85317 1 0 3 3
                  m.root-servers.net.	85317	IN	AAAA	2001:dc3::35
                  Delegation with 13 names, of which 0 can be examined to query further addresses.
                  It provides 26 IP addresses.
                  2001:dc3::35    	not in infra cache.
                  202.12.27.33    	expired, rto 62969312 msec, tA 2 tAAAA 0 tother 0.
                  2001:500:200::b 	not in infra cache.
                  199.9.14.201    	expired, rto 62969312 msec, tA 1 tAAAA 0 tother 0.
                  2001:500:2::c   	not in infra cache.
                  192.33.4.12     	rto 210 msec, ttl 110, ping 18 var 48 rtt 210, tA 0, tAAAA 0, tother 0, EDNS 0 probed.
                  2001:500:2d::d  	not in infra cache.
                  199.7.91.13     	not in infra cache.
                  2001:500:a8::e  	not in infra cache.
                  192.203.230.10  	not in infra cache.
                  2001:500:2f::f  	not in infra cache.
                  192.5.5.241     	rto 287 msec, ttl 499, ping 7 var 70 rtt 287, tA 0, tAAAA 0, tother 0, EDNS 0 probed.
                  2001:500:12::d0d	not in infra cache.
                  192.112.36.4    	not in infra cache.
                  2001:500:1::53  	not in infra cache.
                  198.97.190.53   	not in infra cache.
                  2001:503:ba3e::2:30	not in infra cache.
                  198.41.0.4      	not in infra cache.
                  2001:7fe::53    	not in infra cache.
                  192.36.148.17   	not in infra cache.
                  2001:503:c27::2:30	not in infra cache.
                  192.58.128.30   	rto 328 msec, ttl 642, ping 4 var 81 rtt 328, tA 0, tAAAA 0, tother 0, EDNS 0 probed.
                  2001:7fd::1     	not in infra cache.
                  193.0.14.129    	not in infra cache.
                  2001:500:9f::42 	not in infra cache.
                  199.7.83.42     	not in infra cache.
                  
                  ; <<>> DiG 9.12.2-P1 <<>> feedly.com +trace
                  ;; global options: +cmd
                  .			85262	IN	NS	m.root-servers.net.
                  .			85262	IN	NS	b.root-servers.net.
                  .			85262	IN	NS	c.root-servers.net.
                  .			85262	IN	NS	d.root-servers.net.
                  .			85262	IN	NS	e.root-servers.net.
                  .			85262	IN	NS	f.root-servers.net.
                  .			85262	IN	NS	g.root-servers.net.
                  .			85262	IN	NS	h.root-servers.net.
                  .			85262	IN	NS	a.root-servers.net.
                  .			85262	IN	NS	i.root-servers.net.
                  .			85262	IN	NS	j.root-servers.net.
                  .			85262	IN	NS	k.root-servers.net.
                  .			85262	IN	NS	l.root-servers.net.
                  .			85262	IN	RRSIG	NS 8 0 518400 20200307170000 20200223160000 33853 . GN9hZh6mOFruU2IWiP4EIvALgU6uQLlXo748wScmwsJYCcmPiPFT6y2q NnsJfg06OrI2qhZueL0NNtcZ5W9hGLFff3nzUcOETUnEWcbW4MwIRWDx VQ4MVMmsnIhWM3BCQdA5hG0eIALwJ+9q3aUe+lHhORN98lpYxfs+tx73 A+GgmNZUm4Coz44hmhJ6G+mM0mYsMLZ1oAvDH/exgo/VExwEA9P3xyRQ b5H09yJdc0cdmygbD8R1L/yjyQUlnyKLOC8ZQ3bpei9NKRXWqv5p29cn pwt4AiaAuZNkCVQA9SIWIKdFVrBh40NsO+RDpEcmh84r30wTVm+qYGT4 PItLag==
                  ;; Received 525 bytes from 127.0.0.1#53(127.0.0.1) in 0 ms
                  
                  ;; connection timed out; no servers could be reached
                  

                  Screen Shot 2020-02-23 at 4.26.46 PM copy 2.jpg

                  What can I learn from all this?

                  • johnpozJ
                    johnpoz LAYER 8 Global Moderator

                    Did you set that public IP to resolve as local?

                    Where are the queries to and from the .com servers?.. I only see queries for the root servers?

                    You prob want to set number of packets to capture to 0 vs just the 100..

                    An intelligent man is sometimes forced to be drunk to spend time with his fools
                    If you get confused: Listen to the Music Play
                    Please don't Chat/PM me for help, unless mod related
                    SG-4860 24.11 | Lab VMs 2.8, 24.11

                    • P
                      pfguy2018 @johnpoz

                      @johnpoz said in Strange issue - not sure how to fix:

                      Did you set that public IP to resolve as local?

                      Yes - to obscure my IP address. Wherever it says "local", it originally listed my IP address.

                      Where are the queries to and from the .com servers?.. I only see queries for the root servers?

                      Not sure. But the packet capture was taken while I ran the command dig feedly.com +trace. I ran it again while trying to browse to feedly.com - results below.

                      You prob want to set number of packets to capture to 0 vs just the 100..

                      Done below

                      Screen Shot 2020-02-23 at 4.49.10 PM copy.jpg

                      • johnpozJ
                        johnpoz LAYER 8 Global Moderator

                        That image is too small for me to make out anything.

                        Looks like you have some queries for fox.com - but I don't see anything to the cloudflare NS that is for feedly.com


                        • P
                          pfguy2018

                          Unfortunately, I can't seem to upload any images > 1 mb, so that one was the best resolution I could use (if you click on it to open in a separate tab, it should be more readable)
                          But it does show DNS queries going out to various name servers. This was occurring while I was trying to load feedly.com (unsuccessfully) and in other tabs browsing to other sites (successfully).
                          Does this help narrow down the issue at all?

                          • johnpozJ
                            johnpoz LAYER 8 Global Moderator

                            Dude just shrink it... And it sure isn't showing anything over 100 queries... And I tried clicking into it - it's too small..

                            download.jpg

                            If you click into that you can read it can you not..


                            • P
                              pfguy2018

                              The picture is a screenshot from wireshark - it was the max number of lines I could fit on my screen at one time. When I tried to cut and paste the text itself, the forum software rejected it as being spam, so it won't let me post it. However, I searched the capture file on my end - even though I was trying to resolve feedly.com, there were no entries for feedly.com in the capture (and other DNS requests are going out as expected at the exact same time). It's as if the request to resolve feedly.com is not even getting to the DNS resolver. I am not sure where along the way it is getting blocked.

                              • P
                                pfguy2018

                                And strangest of all - the problem just seemed to fix itself without any intervention on my part. When I tried to browse to feedly.com, it resolved (unfortunately I was not performing a packet capture at the time). However, I notice that this is at exactly the same time that pfBlocker NG is updating itself/cron job. Is that just a coincidence, or is that pointing to an issue with pfBlocker NG?

                                • P
                                  pfguy2018

                                  Spoke too soon - feedly.com resolved in firefox (still using the firefox internal cloudflare DNS lookup) but not safari at the same time - i.e. it could resolve when 1.1.1.1 was used but not unbound. As soon as pfBlocker NG finished its update, firefox could not resolve feedly.com any longer.

                                  • P
                                    pfguy2018

                                    Tried another packet capture while browsing to feedly.com, pinging feedly.com, and performing an nslookup via the command prompt. During all of that, feedly.com never appeared in the UDP port 53 packet capture, even though other domains did appear as expected (and resolved without issue) - including websites that I have never accessed in the past. The problem does seem to be limited to feedly. I remain mystified.

                                    • johnpozJ
                                      johnpoz LAYER 8 Global Moderator

                                      @pfguy2018 said in Strange issue - not sure how to fix:

                                      notice that this is at exactly the same time that pfBlocker NG is updating itself/cron job.

                                      Dude that restarts unbound! And yes that will cause you problems with resolving. As to not seeing anything for feedly in your sniff - because once it's cached you don't have to go look it up again..

                                      How freaking often do you have pfblocker updating?

                                      Why don't you turn off that firefox nonsense?

                                      Here lets do this - how long has unbound been up?

                                      [2.4.4-RELEASE][admin@sg4860.local.lan]/root: unbound-control -c /var/unbound/unbound.conf status
                                      version: 1.9.1
                                      verbosity: 1
                                      threads: 4
                                      modules: 2 [ validator iterator ]
                                      uptime: 555956 seconds
                                      options: control(ssl)
                                      unbound (pid 83160) is running...
                                      [2.4.4-RELEASE][admin@sg4860.local.lan]/root: 
                                      


                                      • P
                                        pfguy2018

                                        Here is another data point. The issue I noted above where I was able to resolve feedly.com while pfBlockerNG was reloading its lists, but was then unable to resolve it once the cron job finished made me look harder at pfBlockerNG. I found an alias in the firewall rules called pfBlockerNGSuppress, which contained feedly.com as one of the addresses. As soon as I removed feedly from that alias and reloaded, feedly.com resolved immediately. Still not sure how this all fits together, but it seems to be working now, and I will monitor to see if it fails again or whether this has solved the problem.

                                        PfBlocker is set to update hourly, which is the default setting that it came with. Would you suggest a lesser frequency?

                                        I have disabled Firefox's use of cloudflare's DNS servers, as you suggested. Out of interest, is your distaste for the use of these servers based on security concerns, or privacy issues, or some other factor?

                                        EDIT:

                                        Here is the output of that command. Note that I had just reloaded the firewall rules when I deleted the entry in the Suppress list as noted above.

                                        version: 1.9.1
                                        verbosity: 3
                                        threads: 4
                                        modules: 2 [ validator iterator ]
                                        uptime: 7515 seconds
                                        options: control(ssl)
                                        unbound (pid 71227) is running...
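As an added check that is not part of this thread and not code from pfSense or pfBlockerNG: a small POSIX shell script that parses the `unbound-control status` output shown in the two posts above, reports the uptime in a readable form, and flags a resolver that has restarted within a chosen window. The two sample status texts are constructed to mirror the outputs quoted in this thread.

```shell
#!/bin/sh
# Added example, not code from the thread or from pfSense/pfBlockerNG:
# parse `unbound-control status` output, report the uptime in a readable
# form, and flag a resolver that has restarted within a chosen window
# (every restart empties the cache, which is the point made above).
# On pfSense the live text comes from:
#   unbound-control -c /var/unbound/unbound.conf status

# Print the uptime in seconds found in the status text given as $1, or nothing.
unbound_uptime_seconds() {
    printf '%s\n' "$1" | awk '$1 == "uptime:" { print $2; exit }'
}

# Render a second count as days/hours/minutes, e.g. 7515 -> "0d 2h 5m".
describe_uptime() {
    s="$1"
    printf '%dd %dh %dm\n' $((s / 86400)) $((s % 86400 / 3600)) $((s % 3600 / 60))
}

# recently_restarted WINDOW STATUS_TEXT
# Returns 0 when uptime is below WINDOW seconds (the cache is younger than
# the window), 1 when it is not, 2 when no uptime line is present.
recently_restarted() {
    window="$1"
    up=$(unbound_uptime_seconds "$2")
    [ -n "$up" ] || return 2
    [ "$up" -lt "$window" ]
}

# Constructed samples that mirror the two status outputs quoted in this thread.
STATUS_LONG='version: 1.9.1
verbosity: 1
threads: 4
modules: 2 [ validator iterator ]
uptime: 555956 seconds
options: control(ssl)
unbound (pid 83160) is running...'

STATUS_SHORT='version: 1.9.1
verbosity: 3
threads: 4
modules: 2 [ validator iterator ]
uptime: 7515 seconds
options: control(ssl)
unbound (pid 71227) is running...'

# Report both samples against a one-day window.
for status in "$STATUS_LONG" "$STATUS_SHORT"; do
    up=$(unbound_uptime_seconds "$status")
    if recently_restarted 86400 "$status"; then
        echo "uptime $(describe_uptime "$up"): restarted within the last day, cache is cold"
    else
        echo "uptime $(describe_uptime "$up"): no restart within the last day"
    fi
done
```

Run the live command in place of the samples to see whether an hourly pfBlockerNG reload is actually bouncing the resolver on your box.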
                                        
                                        • johnpozJ
                                          johnpoz LAYER 8 Global Moderator

                                          It's all three - I don't want firefox using anything different for dns than what I tell it to! Period.. That they think it's ok to do this is just utter madness.. And they are not fooling anyone with their - our users are too freaking stupid, and we are doing it for their own good nonsense..

                                          I have had TRR disabled well before they turned it on.. There is a long running thread about it here..

                                          From that your unbound has only been up for a bit over 2 hours... Every time unbound restarts you lose all caching.. So no you shouldn't be restarting it.. Sure and the F not every hour..

                                          I only use pfblocker for aliases... I don't let it block anything on its own..

                                          edit: Here is the TRR thread.. Been running since 2018
                                          https://forum.netgate.com/topic/133679/heads-up-be-aware-of-trusted-recursive-resolver-trr-in-firefox

                                          You understand if firefox is bypassing your dns - none of your filtering is of any use at all..


                                          • P
                                            pfguy2018

                                            Here is what I don't get though:

                                            1. Feedly.com WAS able to be resolved (in non-firefox browsers and portable devices) ONLY when pfBlockerNG was running its cron job (i.e. pfBlockerNG was "down" at the time). Since the only DNS resolver on my network (other than for firefox at that time) is Unbound, does this not suggest that pfBlockerNG was blocking the DNS resolution requests?

                                            2. Why is it that removing the feedly entry from the pfBlockerNGSuppress alias fixed this problem?

                                            Yes, I understand that firefox was bypassing the DNS (not anymore since I disabled that setting though, following your suggestion). I will check out the thread you linked to.
