DNS Resolver in 2.5x weird behaviour
-
I've been having strange behaviour with DNS since upgrading to 2.5.x.
I use it in forwarder mode as I found true resolver mode was a little slow on a home network. Am I missing something obvious here?
Here's an example seen at the client using nslookup:
*** No internal type for both IPv4 and IPv6 Addresses (A+AAAA) records available for gitlab.netgate.com
> gitlab.netgate.com
Server: gw.griffo.co
Address: 2403:5800:7600:x

*** No internal type for both IPv4 and IPv6 Addresses (A+AAAA) records available for gitlab.netgate.com (switching to IPv4)
> server 192.168.1.1
DNS request timed out.
    timeout was 2 seconds.
Default Server: [192.168.1.1]
Address: 192.168.1.1
> gitlab.netgate.com
Server: [192.168.1.1]
Address: 192.168.1.1

DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
*** Request to [192.168.1.1] timed-out
> gitlab.netgate.com
Server: [192.168.1.1]
Address: 192.168.1.1

DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
*** No internal type for both IPv4 and IPv6 Addresses (A+AAAA) records available for gitlab.netgate.com
> gitlab.netgate.com
Server: [192.168.1.1]
Address: 192.168.1.1

*** No internal type for both IPv4 and IPv6 Addresses (A+AAAA) records available for gitlab.netgate.com
> gitlab.netgate.com
Server: [192.168.1.1]
Address: 192.168.1.1

DNS request timed out.
    timeout was 2 seconds.
*** No internal type for both IPv4 and IPv6 Addresses (A+AAAA) records available for gitlab.netgate.com
> gitlab.netgate.com
Server: [192.168.1.1]
Address: 192.168.1.1

*** No internal type for both IPv4 and IPv6 Addresses (A+AAAA) records available for gitlab.netgate.com
>
However if I look in the logs:
Jan 29 18:07:51 gw unbound[76244]: [76244:1] info: Verified that unsigned response is INSECURE
Jan 29 18:07:51 gw unbound[76244]: [76244:3] info: resolving gitlab.netgate.com.griffo.co. A IN
Jan 29 18:07:51 gw unbound[76244]: [76244:3] info: response for gitlab.netgate.com.griffo.co. A IN
Jan 29 18:07:51 gw unbound[76244]: [76244:3] info: reply from <.> 2606:4700:4700::1001#853
Jan 29 18:07:51 gw unbound[76244]: [76244:3] info: query response was nodata ANSWER
Jan 29 18:07:51 gw unbound[76244]: [76244:3] info: resolving co. DS IN
Jan 29 18:07:51 gw unbound[76244]: [76244:3] info: response for co. DS IN
Jan 29 18:07:51 gw unbound[76244]: [76244:3] info: reply from <.> 1.1.1.1#853
Jan 29 18:07:51 gw unbound[76244]: [76244:3] info: query response was ANSWER
Jan 29 18:07:51 gw unbound[76244]: [76244:3] info: validated DS co. DS IN
Jan 29 18:07:51 gw unbound[76244]: [76244:3] info: resolving co. DNSKEY IN
Jan 29 18:07:51 gw unbound[76244]: [76244:3] info: response for co. DNSKEY IN
Jan 29 18:07:51 gw unbound[76244]: [76244:3] info: reply from <.> 2606:4700:4700::1001#853
Jan 29 18:07:51 gw unbound[76244]: [76244:3] info: query response was ANSWER
Jan 29 18:07:51 gw unbound[76244]: [76244:3] info: validated DNSKEY co. DNSKEY IN
Jan 29 18:07:51 gw unbound[76244]: [76244:3] info: resolving griffo.co. DS IN
Jan 29 18:07:51 gw unbound[76244]: [76244:3] info: response for griffo.co. DS IN
Jan 29 18:07:51 gw unbound[76244]: [76244:3] info: reply from <.> 2606:4700:4700::1001#853
Jan 29 18:07:51 gw unbound[76244]: [76244:3] info: query response was nodata ANSWER
Jan 29 18:07:51 gw unbound[76244]: [76244:3] info: NSEC3s for the referral proved no DS.
Jan 29 18:07:51 gw unbound[76244]: [76244:3] info: Verified that response is INSECURE
Jan 29 18:07:51 gw unbound[76244]: [76244:3] info: resolving gitlab.netgate.com.griffo.co. AAAA IN
Jan 29 18:07:51 gw unbound[76244]: [76244:3] info: response for gitlab.netgate.com.griffo.co. AAAA IN
Jan 29 18:07:51 gw unbound[76244]: [76244:3] info: reply from <.> 1.0.0.1#853
Jan 29 18:07:51 gw unbound[76244]: [76244:3] info: query response was nodata ANSWER
Jan 29 18:07:51 gw unbound[76244]: [76244:3] info: resolving gitlab.netgate.com. A IN
Jan 29 18:07:51 gw unbound[76244]: [76244:3] info: response for gitlab.netgate.com. A IN
Jan 29 18:07:51 gw unbound[76244]: [76244:3] info: reply from <.> 1.0.0.1#853
Jan 29 18:07:51 gw unbound[76244]: [76244:3] info: query response was nodata ANSWER
Jan 29 18:07:51 gw unbound[76244]: [76244:3] info: resolving netgate.com. DS IN
Jan 29 18:07:51 gw unbound[76244]: [76244:3] info: response for netgate.com. DS IN
Jan 29 18:07:51 gw unbound[76244]: [76244:3] info: reply from <.> 1.0.0.1#853
Jan 29 18:07:51 gw unbound[76244]: [76244:3] info: query response was nodata ANSWER
Jan 29 18:07:51 gw unbound[76244]: [76244:3] info: NSEC3s for the referral proved no DS.
Jan 29 18:07:51 gw unbound[76244]: [76244:3] info: Verified that unsigned response is INSECURE
Jan 29 18:07:51 gw unbound[76244]: [76244:3] info: resolving gitlab.netgate.com. AAAA IN
Jan 29 18:07:51 gw unbound[76244]: [76244:3] info: response for gitlab.netgate.com. AAAA IN
Jan 29 18:07:51 gw unbound[76244]: [76244:3] info: reply from <.> 2606:4700:4700::1001#853
Jan 29 18:07:51 gw unbound[76244]: [76244:3] info: query response was nodata ANSWER
but if I query my upstream directly:
> server 1.1.1.1
Default Server: one.one.one.one
Address: 1.1.1.1
> gitlab.netgate.com
Server: one.one.one.one
Address: 1.1.1.1

Non-authoritative answer:
Name: gitlab.netgate.com
Address: 172.27.10.132
-
I don't know what 1.1.1.1 knows, or not.
I prefer to ask the authoritative name servers of netgate.com what it knows about gitlab.netgate.com.
Aka : use the resolver. The answer you've got was ok, though :
dig gitlab.netgate.com +short
Conclusion : the zone gitlab.netgate.com doesn't exist (it has no A record). Consider :
C:\Users\Gauche>nslookup
Serveur par défaut : pfsense.brit-hotel-fumel.net
Address: 2001:470:1f13:5c0:2::1
> gitlab.netgate.com
Serveur : pfsense.brit-hotel-fumel.net
Address: 2001:470:1f13:5c0:2::1

Nom : gitlab.netgate.com
Served by:
- ns2.netgate.com
    162.208.119.38
    netgate.com
- ns1.netgate.com
    208.123.73.80
    2610:160:11:11::80
    netgate.com
> server 1.1.1.1
Serveur par défaut : one.one.one.one
Address: 1.1.1.1
> gitlab.netgate.com
Serveur : one.one.one.one
Address: 1.1.1.1

DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
*** Le délai de la requête sur one.one.one.one est dépassé.
>
Which means that the answer from 1.1.1.1 was different for me.
I got a "unknown" - which seems ok to me. You had :
Non-authoritative answer:
Name: gitlab.netgate.com
Address: 172.27.10.132
when talking to 1.1.1.1 directly - bypassing pfSense DNS all together.
Can't tell where this "172.27.10.132" came from. It seems to be RFC1918 ;)
What about changing the subject ?
Like
DNS Resolver in 2.5x weird behaviour
to
Great DNS Resolver in 2.5x behaviour !!.
-
@gertjan ha! I didn't even notice the address.
Something weird is going on with their DNS
> server ns2.netgate.com
Default Server: ns2.netgate.com
Address: 162.208.119.38
> gitlab.netgate.com
Server: ns2.netgate.com
Address: 162.208.119.38

Name: gitlab.netgate.com
Address: 172.27.10.132
And I don't think it's my network.
Either way though, it looks like this has side-tracked me. I definitely have some issue with unbound giving nxdomain responses today. Maybe it's a coincidence and Cloudflare had issues today. I use them as an upstream as, with only a handful of devices, I found records were aging out all the time, so my gig internet felt slow when browsing.
-
@griffo said in DNS Resolver in 2.5x weird behaviour:
unbound giving nxdomain
If unbound is told to forward, an "nxdomain" is the valid answer coming from a resolver like 1.1.1.1, and it says it couldn't resolve (== find) the DNS request. So it's probably a very new domain or a non-existent domain.
So nxdomain isn't an unbound answer here, as it is in forward mode.
If the problem is local, or the communication to the upstream resolver doesn't work, you will get a "servfail", which (for me) says : can't communicate with upstream resolver - or unbound has issues, etc.
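The thread turns on telling four outcomes apart: a NOERROR response with an empty answer section (what unbound logs as "query response was nodata ANSWER" and nslookup reports as "No internal type for both IPv4 and IPv6 Addresses"), an NXDOMAIN, a SERVFAIL, and a plain timeout. The script below is an added example, not code from the thread or from pfSense/unbound: it builds a DNS query, parses a response down to its RCODE and answer records, and classifies it. The responses it checks are constructed fixtures built with `build_response` (the 172.27.10.132 address is the one quoted in the thread); `query_udp` is an optional live check against a resolver of your choosing and is not needed for the offline run.

```python
"""Classify DNS responses: NODATA vs NXDOMAIN vs SERVFAIL vs a real answer.

Constructed example; wire format per RFC 1035. Fixtures are built locally so
the script runs offline.
"""
import socket
import struct

TYPE_A, TYPE_AAAA = 1, 28
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def encode_name(name: str) -> bytes:
    """Wire-format a dotted name as length-prefixed labels ending in a zero byte."""
    labels = [l.encode("ascii") for l in name.rstrip(".").split(".")]
    return b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"


def build_query(name: str, qtype: int, txid: int = 0x1234) -> bytes:
    """Recursive query: header with RD=1 and QDCOUNT=1, then one IN question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def skip_name(msg: bytes, off: int) -> int:
    """Offset just past a name; a compression pointer (top bits 11) is 2 bytes and ends it."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length


def parse_response(msg: bytes) -> dict:
    """Extract the RCODE and the (type, ttl, rdata) answer records."""
    txid, flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qdcount):
        off = skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    answers = []
    for _ in range(ancount):
        off = skip_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        answers.append((rtype, ttl, msg[off:off + rdlen]))
        off += rdlen
    return {"id": txid, "rcode": flags & 0x000F, "answers": answers}


def classify(msg: bytes) -> str:
    """NOERROR with no answers is NODATA (the name exists, but not this type)."""
    r = parse_response(msg)
    if r["rcode"] == 0:
        return "ANSWER" if r["answers"] else "NODATA"
    return RCODE_NAMES.get(r["rcode"], "RCODE%d" % r["rcode"])


def rdata_to_text(rtype: int, rdata: bytes) -> str:
    if rtype == TYPE_A:
        return socket.inet_ntop(socket.AF_INET, rdata)
    if rtype == TYPE_AAAA:
        return socket.inet_ntop(socket.AF_INET6, rdata)
    return rdata.hex()


def build_response(query: bytes, rcode: int, a_records=()) -> bytes:
    """Test fixture (constructed, not captured): QR=1 RD=1 RA=1 plus the RCODE.

    Each A record names its owner with a compression pointer to the question
    name at offset 12 (0xC00C) and carries a 300 s TTL."""
    txid, _flags, qdcount, *_ = struct.unpack("!HHHHHH", query[:12])
    flags = 0x8180 | rcode
    body = b"".join(
        b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, 1, 300, 4) + socket.inet_aton(ip)
        for ip in a_records
    )
    return struct.pack("!HHHHHH", txid, flags, qdcount, len(a_records), 0, 0) + query[12:] + body


def query_udp(server: str, name: str, qtype: int = TYPE_A, timeout: float = 2.0) -> str:
    """Optional live check (needs network). A timeout is reported on its own so it is
    never mistaken for a negative answer; a mismatched transaction id is dropped."""
    q = build_query(name, qtype)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return "TIMEOUT"
    return classify(data) if data[:2] == q[:2] else "ID_MISMATCH"


if __name__ == "__main__":
    q = build_query("gitlab.netgate.com", TYPE_A)
    fixtures = [
        ("nodata", build_response(q, 0)),
        ("nxdomain", build_response(q, 3)),
        ("servfail", build_response(q, 2)),
        ("answer", build_response(q, 0, ["172.27.10.132"])),  # address quoted in the thread
    ]
    for label, resp in fixtures:
        print(label, "->", classify(resp))
```

Run as-is for the offline fixtures; to reproduce the thread's comparison, call `query_udp("192.168.1.1", "gitlab.netgate.com")` against your own forwarder and `query_udp("1.1.1.1", "gitlab.netgate.com")` against the upstream, and compare the two labels. A forwarder returning SERVFAIL or TIMEOUT while the upstream returns NODATA or ANSWER points at the local unbound or its path to the upstream; matching NODATA/NXDOMAIN results mean the forwarder is faithfully relaying what the upstream said.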