Netgate Discussion Forum
    Unbound Resolver not working with Nextiva desktop App or Ring Central app

    Category: DHCP and DNS
    5 Posts 2 Posters 763 Views
    nicholsnt:

      Hi everybody,

      So we are having a problem at all locations that seems to be DNS related. We recently moved to a hosted VoIP solution with Nextiva. All works great, except that their desktop app says "Site Can't be reached" when using the pfSense IP as DNS (10.10.10.2).
      If I manually set my NIC's DNS to 8.8.8.8 the app works... no problem.

      Using the Unbound Resolver and performing an nslookup for auth.nextiva.com I get the following results:

      C:\Users\Tech1>nslookup auth.nextiva.com
      Server: pfSense.localdomain
      Address: 10.10.10.2

      Non-authoritative answer:
      Name: ok7-crtr-custom-domains-5a88e0d38552310e.elb.us-west-2.amazonaws.com
      Addresses: 54.189.255.225
      54.189.255.224
      Aliases: auth.nextiva.com
      nextiva.customdomains.okta.com
      ok7-custom-crtrs.okta.com


      If I manually set the NIC's DNS to 8.8.8.8 I also get the same results. I came across a forum where another user had a similar issue and the nslookup also showed aliases that, at least in that forum, they thought could be the issue in returning results back to the host.

      I have disabled DNSSEC (no luck)... so hoping for some help... ;o)

      If I dig auth.nextiva.com I get the following:

      C:\Users\Tech1>dig auth.nextiva.com + trace
      ;; Invalid option

      ; <<>> DiG 9.16.10 <<>> auth.nextiva.com + trace
      ;; global options: +cmd
      ;; Got answer:
      ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 15506
      ;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 1

      ;; OPT PSEUDOSECTION:
      ; EDNS: version: 0, flags:; udp: 512
      ;; QUESTION SECTION:
      ;auth.nextiva.com. IN A

      ;; ANSWER SECTION:
      auth.nextiva.com. 300 IN CNAME nextiva.customdomains.okta.com.
      nextiva.customdomains.okta.com. 300 IN CNAME ok7-custom-crtrs.okta.com.
      ok7-custom-crtrs.okta.com. 300 IN CNAME ok7-crtr-custom-domains-5a88e0d38552310e.elb.us-west-2.amazonaws.com.
      ok7-crtr-custom-domains-5a88e0d38552310e.elb.us-west-2.amazonaws.com. 60 IN A 54.189.255.224
      ok7-crtr-custom-domains-5a88e0d38552310e.elb.us-west-2.amazonaws.com. 60 IN A 54.189.255.225

      ;; Query time: 96 msec
      ;; SERVER: 10.10.10.2#53(10.10.10.2)
      ;; WHEN: Mon Mar 08 11:40:10 Central Standard Time 2021
      ;; MSG SIZE rcvd: 228

      ;; Got answer:
      ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 19024
      ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

      ;; OPT PSEUDOSECTION:
      ; EDNS: version: 0, flags:; udp: 512
      ;; QUESTION SECTION:
      ;trace. IN A

      ;; AUTHORITY SECTION:
      . 2954 IN SOA a.root-servers.net. nstld.verisign-grs.com. 2021030801 1800 900 604800 86400

      ;; Query time: 41 msec
      ;; SERVER: 10.10.10.2#53(10.10.10.2)
      ;; WHEN: Mon Mar 08 11:40:10 Central Standard Time 2021
      ;; MSG SIZE rcvd: 109

      If I dig auth.nextiva.com using 8.8.8.8 I get the following:

      C:\Users\Tech1>dig auth.nextiva.com + trace
      ;; Invalid option

      ; <<>> DiG 9.16.10 <<>> auth.nextiva.com + trace
      ;; global options: +cmd
      ;; Got answer:
      ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20777
      ;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 1

      ;; OPT PSEUDOSECTION:
      ; EDNS: version: 0, flags:; udp: 512
      ;; QUESTION SECTION:
      ;auth.nextiva.com. IN A

      ;; ANSWER SECTION:
      auth.nextiva.com. 299 IN CNAME nextiva.customdomains.okta.com.
      nextiva.customdomains.okta.com. 299 IN CNAME ok7-custom-crtrs.okta.com.
      ok7-custom-crtrs.okta.com. 299 IN CNAME ok7-crtr-custom-domains-5a88e0d38552310e.elb.us-west-2.amazonaws.com.
      ok7-crtr-custom-domains-5a88e0d38552310e.elb.us-west-2.amazonaws.com. 59 IN A 54.189.255.224
      ok7-crtr-custom-domains-5a88e0d38552310e.elb.us-west-2.amazonaws.com. 59 IN A 54.189.255.225

      ;; Query time: 55 msec
      ;; SERVER: 8.8.8.8#53(8.8.8.8)
      ;; WHEN: Mon Mar 08 11:42:02 Central Standard Time 2021
      ;; MSG SIZE rcvd: 228

      ;; Got answer:
      ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 26396
      ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

      ;; OPT PSEUDOSECTION:
      ; EDNS: version: 0, flags:; udp: 512
      ;; QUESTION SECTION:
      ;trace. IN A

      ;; AUTHORITY SECTION:
      . 86377 IN SOA a.root-servers.net. nstld.verisign-grs.com. 2021030801 1800 900 604800 86400

      ;; Query time: 20 msec
      ;; SERVER: 8.8.8.8#53(8.8.8.8)
      ;; WHEN: Mon Mar 08 11:42:02 Central Standard Time 2021
      ;; MSG SIZE rcvd: 109

      What's my next step to figure this out???
      Thank you!


    Gertjan @nicholsnt:

        @nicholsnt said in Unbound Resolver not working with Nextiva desktop App or Ring Central app:

        (10.10.10.2).

        You do not use pfBlockerNG-devel, right?

        My DNS settings are all default.
        Works just fine:

        C:\Users\Gauche>nslookup auth.nextiva.com
        Serveur :   pfsense.local.net
        Address:  2001:470:dead:beed:::1
        
        Réponse ne faisant pas autorité :
        Nom :    ok7-crtr-custom-domains-5a88e0d38552310e.elb.us-west-2.amazonaws.com
        Addresses:  54.189.255.225
                  54.189.255.224
        Aliases:  auth.nextiva.com
                  nextiva.customdomains.okta.com
                  ok7-custom-crtrs.okta.com
        

        Btw: default settings mean I'm using the original 'internet way of doing DNS', the one that always works (because, if not, the Internet itself would be broken and we wouldn't even be able to post on this forum):

        [2.5.0-RELEASE][admin@pfsense.local.net]/root: dig auth.nextiva.com +trace
        
        ; <<>> DiG 9.16.12 <<>> auth.nextiva.com +trace
        ;; global options: +cmd
        .                       155     IN      NS      l.root-servers.net.
        .                       155     IN      NS      f.root-servers.net.
        .                       155     IN      NS      g.root-servers.net.
        .                       155     IN      NS      d.root-servers.net.
        .                       155     IN      NS      i.root-servers.net.
        .                       155     IN      NS      c.root-servers.net.
        .                       155     IN      NS      j.root-servers.net.
        .                       155     IN      NS      b.root-servers.net.
        .                       155     IN      NS      e.root-servers.net.
        .                       155     IN      NS      m.root-servers.net.
        .                       155     IN      NS      k.root-servers.net.
        .                       155     IN      NS      h.root-servers.net.
        .                       155     IN      NS      a.root-servers.net.
        .                       155     IN      RRSIG   NS 8 0 518400 20210321200000 20210308190000 42351 . TKqDvWFObutSAF+9yifNmSqkzlT/OIzFio+zkfd3hBRo35zvjFw+dkI8 61+ZbPahPw5e+rNgFIcQrYG6VO7RTOiIBteuxz19yeQmogVVTd11luFl ILWAlSLnIE4ch5BXNkDoA15Iy7+v5g2gUzCy371nhMKyyhRTyJHsoOll 1uRmAr8bsFuxHLul52tr8AKkx5o1n0mm/qGMpxwGxVk2NLml7B26kPDI cbP/wirySDQnvW2sXl4E2Vmxqn8Aj6LP6aOAL1BYK6UHmwi5Mx9JjJ/c uUeiqD1ZfHZ6FNXwJr2qjL6lhYQTTwNYL3VoBZJH/wBQgJhPRTEkVRwr demNPg==
        ;; Received 525 bytes from 127.0.0.1#53(127.0.0.1) in 1 ms
        
        com.                    172800  IN      NS      f.gtld-servers.net.
        com.                    172800  IN      NS      g.gtld-servers.net.
        com.                    172800  IN      NS      h.gtld-servers.net.
        com.                    172800  IN      NS      c.gtld-servers.net.
        com.                    172800  IN      NS      d.gtld-servers.net.
        com.                    172800  IN      NS      i.gtld-servers.net.
        com.                    172800  IN      NS      a.gtld-servers.net.
        com.                    172800  IN      NS      k.gtld-servers.net.
        com.                    172800  IN      NS      m.gtld-servers.net.
        com.                    172800  IN      NS      b.gtld-servers.net.
        com.                    172800  IN      NS      j.gtld-servers.net.
        com.                    172800  IN      NS      l.gtld-servers.net.
        com.                    172800  IN      NS      e.gtld-servers.net.
        com.                    86400   IN      DS      30909 8 2 E2D3C916F6DEEAC73294E8268FB5885044A833FC5459588F4A9184CF C41A5766
        com.                    86400   IN      RRSIG   DS 8 1 86400 20210322050000 20210309040000 42351 . oDbi+utsFGbjrHV7H1wx9BtbQIYVtRCEAmThKEoK66H+CE5iojQxyw5r H3Hi5Ahy4dj3XH/y1pR+W5ZygQjttnRQgRbuZ14st4pN6ZNFHvIuoEHO VAgBDK10Tj3U4wPNwtpTOald3ImAerUN34Z+aftzDGrUj6nJZCEe2N0T a43qMVfp37o8u8f0P8d/rlHiWtn7PlYZgY6QmPmgcldXsBEmTXcIvoVi NIfMANDXG6ebkNH1kB5GnWkxIUKOAYYYlOC5UlDPtcccafLfAP4R0FqV WRnXVZgjCPCksyAUlK8z0UND5wNj3EhyefTwnNp9Ypt2qzMm9nYe4HkN Lk+1YQ==
        ;; Received 1176 bytes from 202.12.27.33#53(m.root-servers.net) in 34 ms
        
        nextiva.com.            172800  IN      NS      ns-546.awsdns-04.net.
        nextiva.com.            172800  IN      NS      ns-485.awsdns-60.com.
        nextiva.com.            172800  IN      NS      ns-1269.awsdns-30.org.
        nextiva.com.            172800  IN      NS      ns-1903.awsdns-45.co.uk.
        CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 86400 IN NSEC3 1 1 0 - CK0Q1GIN43N1ARRC9OSM6QPQR81H5M9A NS SOA RRSIG DNSKEY NSEC3PARAM
        CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 86400 IN RRSIG NSEC3 8 2 86400 20210313054023 20210306043023 58540 com. ML/ush0Hvdw0xdTHUz8cgFeLWqTp9Zy/4OXQp9G2kIXMqHE/R9acR2lN hjS5euFMkSeKSt1FxOGtUriOEaHn9Pgpn6woncHl2iTBEyFVBhPnolnJ PX3NiFOjIZs2ewK2YND9f8VKoqgs0v45UMe8QyvjztpAGHSUf2knT3kf 8dB2Pd9K4qCs10nkqyv7sx3YWtWWnE+HTfyEnFxqJqbGKg==
        1JPBDA1G64KTLS1NBC5UK8D6FP5DSVQN.com. 86400 IN NSEC3 1 1 0 - 1JPCCR09C8PE4JF1B7TOG4I715NISHMB NS DS RRSIG
        1JPBDA1G64KTLS1NBC5UK8D6FP5DSVQN.com. 86400 IN RRSIG NSEC3 8 2 86400 20210314060553 20210307055553 58540 com. doV63UCaADqY4JLeSp5Mns98ujQrRqOZWIOPSOdlmy6humeivG81xEoT P8u0TuCNRZgzIB24x78epqCKfeZKq5SsKSbkm1O61e/7/9eyyZDA9J6E ICBLX+ZQQu3By2xFfzyTBRnAWr0h89dJatdrW5WaiolXockbr5u2Fybi IimdhAi0l4/O2KPUFKT82nm2mgkN6ed9O6ZSn/pjo7JrRg==
        ;; Received 747 bytes from 2001:503:39c1::30#53(i.gtld-servers.net) in 52 ms
        
        auth.nextiva.com.       300     IN      CNAME   nextiva.customdomains.okta.com.
        nextiva.com.            172800  IN      NS      ns-1269.awsdns-30.org.
        nextiva.com.            172800  IN      NS      ns-1903.awsdns-45.co.uk.
        nextiva.com.            172800  IN      NS      ns-485.awsdns-60.com.
        nextiva.com.            172800  IN      NS      ns-546.awsdns-04.net.
        ;; Received 223 bytes from 2600:9000:5307:6f00::1#53(ns-1903.awsdns-45.co.uk) in 88 ms
        

        The answer was
        auth.nextiva.com. 300 IN CNAME nextiva.customdomains.okta.com.

        which needs another lookup.
        And another...

        No "help me" PM's please. Use the forum, the community will thank you.
        Edit: and where are the logs??


    nicholsnt:

          Clean install of pfSense 2.5.0 with no packages installed and the Unbound DNS Resolver enabled. I can disable it and just hand out the DNS I want to the devices via DHCP, and it works. I can also use the DNS Forwarder and it works. Just something with the many lookups and Unbound is causing the issue, from what I can tell. This occurs with the prior pfSense release version also. Can I create a static entry in pfSense for each of those aliases to perhaps negate the lookups?


    nicholsnt:

            @gertjan said in Unbound Resolver not working with Nextiva desktop App or Ring Central app:

            nextiva.customdomains.okta.com

            Yeah, I get results from an nslookup and dig, and on the surface it looks like it resolves. But something about using root hints with Unbound breaks the application...

            Would Unbound have any known issues with constant lookups maybe resulting in the application timing out? I can bypass Unbound but I do want to use pfBlockerNG which from what I understand requires the Unbound Resolver...

            Anyway thanks for your help...


    Gertjan @nicholsnt:

              @nicholsnt

              What are you 'looking up'?
              Not every time a host name is used (to be resolved) is a complete DNS lookup performed.
              The application can cache the DNS answer.
              Your local OS can and will cache the answer.
              unbound will cache the answer.

              How long? This is determined by the so-called 'TTL' or 'Time to Live', the time it should stay valid in a cache. Something like 2 hours is normal.

              So, no problem if you try to resolve a host name like microsoft.com 1 million times per second: it will 'resolve' in less time, as it is cached (locally).

              @nicholsnt said in Unbound Resolver not working with Nextiva desktop App or Ring Central app:

              just something with the many lookups

              You'll be needing thousands of devices (PC's) to do that.
              Or only using domains that have a 1 second TTL.

              @nicholsnt said in Unbound Resolver not working with Nextiva desktop App or Ring Central app:

              Can I create a static entry in the pfsense for each of those aliases to perhaps negate the lookups?


              On the Unbound settings page. As many as you like.

              No "help me" PM's please. Use the forum, the community will thank you.
              Edit: and where are the logs??
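To make Gertjan's two points concrete (the answer is a CNAME chain that "needs another lookup, and another", and every record on that chain is cached only for its TTL), here is a small added example that is not from the thread or from pfSense/Unbound: it parses a dig-style ANSWER SECTION, walks the CNAME chain, reports the name a resolver would still have to query when the answer stops at a CNAME, and computes the smallest TTL on the chain, which is how long a cache can serve the whole answer. The sample input is the original poster's answer section copied from above; `parse_answer` and `follow_chain` are names chosen here.

```python
import re

# Constructed sample input: the ANSWER SECTION of the original poster's
# dig against Unbound (10.10.10.2), copied from the thread above.
DIG_ANSWER = """
auth.nextiva.com. 300 IN CNAME nextiva.customdomains.okta.com.
nextiva.customdomains.okta.com. 300 IN CNAME ok7-custom-crtrs.okta.com.
ok7-custom-crtrs.okta.com. 300 IN CNAME ok7-crtr-custom-domains-5a88e0d38552310e.elb.us-west-2.amazonaws.com.
ok7-crtr-custom-domains-5a88e0d38552310e.elb.us-west-2.amazonaws.com. 60 IN A 54.189.255.224
ok7-crtr-custom-domains-5a88e0d38552310e.elb.us-west-2.amazonaws.com. 60 IN A 54.189.255.225
"""

RR_LINE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(CNAME|A|AAAA)\s+(\S+)$")

def parse_answer(text):
    """Map owner name -> list of (ttl, rtype, rdata) from dig-style RR lines."""
    rrs = {}
    for line in text.strip().splitlines():
        m = RR_LINE.match(line.strip())
        if m:  # comment and blank lines are skipped
            name, ttl, rtype, rdata = m.groups()
            rrs.setdefault(name.lower(), []).append((int(ttl), rtype, rdata.lower()))
    return rrs

def follow_chain(rrs, qname, max_hops=8):
    """Walk the CNAME chain for qname within one answer set. Returns
    (chain, addresses, effective_ttl, pending); pending is the name still to
    be queried when the answer stops at a CNAME (the 'another lookup' case)."""
    name = qname.lower().rstrip(".") + "."
    chain, seen, ttl = [name], set(), None
    while len(chain) <= max_hops:
        if name in seen:
            raise ValueError("CNAME loop at " + name)
        seen.add(name)
        records = rrs.get(name, [])
        addrs = [(t, r) for t, ty, r in records if ty in ("A", "AAAA")]
        cname = next(((t, r) for t, ty, r in records if ty == "CNAME"), None)
        if addrs:  # end of chain: effective TTL is the minimum over all hops
            ttl = min([t for t, _ in addrs] + ([] if ttl is None else [ttl]))
            return chain, [r for _, r in addrs], ttl, None
        if cname is None:  # nothing for this owner: the resolver must query it
            return chain, [], ttl, name
        ttl = cname[0] if ttl is None else min(ttl, cname[0])
        name = cname[1]
        chain.append(name)
    raise ValueError("CNAME chain longer than %d hops" % max_hops)

if __name__ == "__main__":
    res = follow_chain(parse_answer(DIG_ANSWER), "auth.nextiva.com")
    print("chain:", " -> ".join(res[0]), "| addrs:", res[1], "| ttl:", res[2])
```

On the poster's answer the effective TTL is 60 seconds, set by the ELB A records at the end of the chain, so a static override pinned to those two addresses would have to be revisited whenever the load balancer's addresses change.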
