DNS lookups failing periodically on VPN VLAN
-
After a couple more nights of testing I believe I have narrowed down the issue to DNSSEC. I disabled DNSSEC and have not had any problems since. I would like to enable DNSSEC, so I will continue to look for a solution.
-
Could someone maybe walk me through my resolver logs? I have to say I am thoroughly confused at some of the addresses the replies are coming from.
Jan 23 21:11:10 unbound 86566:1 info: query response REC_LAME: recursive but not authoritative server
Jan 23 21:11:10 unbound 86566:1 info: mark as REC_LAME
Jan 23 21:11:10 unbound 86566:1 info: response for data.cnn.com. A IN
Jan 23 21:11:10 unbound 86566:1 info: reply from <dsce12.akamaiedge.net.> 69.31.102.177#53
Jan 23 21:11:10 unbound 86566:1 info: query response was ANSWER
Jan 23 21:11:10 unbound 86566:1 info: resolving cnn.com. DS IN
The first three lines repeat over and over with variation on the response address and the address the reply is from. It seems the relevant log data ends with:
Jan 23 21:10:15 unbound 86566:1 info: Verified that unsigned response is INSECURE
Jan 23 21:11:05 unbound 86566:1 info: resolving www.cnn.com. A IN
All these responses are from when cnn.com was actually resolved and I was able to see the page; however, seeing the INSECURE has me worried. I have included similar logs for when unbound fails to resolve a page.
Jan 23 21:35:46 unbound 86566:1 info: query response was nodata ANSWER
Jan 23 21:35:46 unbound 86566:1 info: response for n5g.akamaiedge.net. AAAA IN
Jan 23 21:35:46 unbound 86566:1 info: reply from <akamaiedge.net.> 184.26.161.192#53
Jan 23 21:35:46 unbound 86566:1 info: query response was nodata ANSWER
Jan 23 21:35:46 unbound 86566:1 info: response for n2g.akamaiedge.net. AAAA IN
Jan 23 21:35:46 unbound 86566:1 info: reply from <akamaiedge.net.> 95.101.36.192#53
Jan 23 21:35:46 unbound 86566:1 info: query response was nodata ANSWER
Jan 23 21:35:46 unbound 86566:1 info: response for www.nhl.com. A IN
Jan 23 21:35:46 unbound 86566:1 info: reply from <g.akamaiedge.net.> 88.221.81.192#53
Jan 23 21:35:46 unbound 86566:1 info: query response was ANSWER
Jan 23 21:35:46 unbound 86566:1 info: resolving nhl.com. DS IN
Once again it appears to end with:
Jan 23 21:35:10 unbound 86566:1 info: NSEC3s for the referral proved no DS.
Jan 23 21:35:10 unbound 86566:1 info: Verified that unsigned response is INSECURE
Jan 23 21:35:16 unbound 86566:1 info: resolving www.nhl.com. A IN
At this point I am probably stuck with disabling DNSSEC as I probably just do not have enough knowledge to fully understand what is causing unbound to stop working (but not crashing). I will stop spamming this thread now.
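Added example, not from this thread or from the pfSense/Unbound projects: a small Python parser for unbound log lines in the format quoted above. It pairs each "response for" line with the "reply from" line that follows it, so the nameserver and IP that answered each query are visible, and it counts validator outcomes; a "Verified that unsigned response is INSECURE" line that follows "NSEC3s for the referral proved no DS." is the validator accepting a provably unsigned zone, not a failure. The sample log is constructed from the thread's excerpts, and the "validation failure" match for bogus results is an assumption, since no such line appears in the thread.

```python
import re
from collections import Counter

# Constructed sample, modelled on the unbound log excerpts quoted in the thread.
SAMPLE_LOG = """\
Jan 23 21:11:10 unbound 86566:1 info: query response REC_LAME: recursive but not authoritative server
Jan 23 21:11:10 unbound 86566:1 info: mark as REC_LAME
Jan 23 21:11:10 unbound 86566:1 info: response for data.cnn.com. A IN
Jan 23 21:11:10 unbound 86566:1 info: reply from <dsce12.akamaiedge.net.> 69.31.102.177#53
Jan 23 21:11:10 unbound 86566:1 info: query response was ANSWER
Jan 23 21:11:10 unbound 86566:1 info: NSEC3s for the referral proved no DS.
Jan 23 21:11:10 unbound 86566:1 info: Verified that unsigned response is INSECURE
Jan 23 21:35:46 unbound 86566:1 info: response for www.nhl.com. A IN
Jan 23 21:35:46 unbound 86566:1 info: reply from <g.akamaiedge.net.> 88.221.81.192#53
Jan 23 21:35:46 unbound 86566:1 info: query response was nodata ANSWER
"""

LINE_RE = re.compile(r"^\w{3} +\d+ \d\d:\d\d:\d\d unbound \S+ \w+: (?P<msg>.*)$")
REPLY_RE = re.compile(r"^reply from <(?P<server>[^>]*)> (?P<ip>[0-9a-fA-F.:]+)#\d+$")
RESPONSE_RE = re.compile(r"^response for (?P<name>\S+) (?P<qtype>\S+) \S+$")

def summarize(log_text):
    """Return (events, replies): outcome counts and (qname, qtype, nameserver, ip) tuples."""
    events, replies, pending = Counter(), [], None
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        msg = m.group("msg")
        if msg.startswith("mark as REC_LAME"):
            events["lame_server"] += 1      # upstream answered non-authoritatively; unbound tries another
        elif msg.startswith("NSEC3s for the referral proved no DS"):
            events["proven_unsigned"] += 1  # parent proved there is no DS record: delegation is unsigned
        elif "INSECURE" in msg:
            events["insecure_ok"] += 1      # unsigned answer accepted as provably insecure, not an error
        elif "validation failure" in msg:   # bogus result; message text assumed, none appear in the thread
            events["bogus"] += 1
        r = RESPONSE_RE.match(msg)
        if r:
            pending = (r.group("name"), r.group("qtype"))
            continue
        r = REPLY_RE.match(msg)
        if r and pending:
            replies.append(pending + (r.group("server"), r.group("ip")))
            pending = None
    return events, replies

if __name__ == "__main__":
    events, replies = summarize(SAMPLE_LOG)
    print(dict(events), replies, sep="\n")
```

Feed it the output of unbound at log-verbosity 1 or higher; a non-zero "bogus" count, not the "insecure_ok" count, is what would point at DNSSEC as the cause of failed lookups.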
-
At this point I am probably stuck with disabling DNSSEC as I probably just do not have enough knowledge to fully understand what is causing unbound to stop working (but not crashing). I will stop spamming this thread now.
It's the other way around: you should keep DNSSEC enabled.
cnn.com, like many if not most sites on the net, uses classic DNS without DNSSEC, so from a "DNSSEC-check" point of view the answers to DNS requests are unsecured. But that's ok.
Because the entire DNS, as it has worked for many years already, is very insecure. "DNS spoofing" really happens these days. Btw: even forum.pfsense.org doesn't use DNSSEC ;)
-
I agree, I would love to keep DNSSEC enabled, but it is causing my unbound to stop resolving every hour or so. Only a manual restart of unbound fixes the issue.
-
While browsing the internet you may encounter several errors, and chances are that if you browse Chrome often, the error code DNS PROBE FINISHED NXDOMAIN is likely to happen. But there's nothing to worry about, because when there is a problem, it comes with a solution.
You can find the solution here: https://www.techtosh.com/how-to/error-code-dns-probe-finished-nxdomain/
-
Hmm, I'm not sure this article really applies to my situation. I'm almost positive the error is occurring at the pfSense box and not the client machines, mainly because all clients are affected when the resolver fails.
Still looking for troubleshooting ideas if anyone has any.
-
Hi,
Not sure it is related to your exact issue, but I also have some really strange DNS issues, explained here: https://forum.pfsense.org/index.php?topic=143559.0
-
Did you try disabling DNSSEC? Did it change anything?
-
Hey, @toluun, I know a lot of time has passed since the last activity on this topic, but did you find a solution? I'm experiencing the same problems with DNS Resolver.
-
Things changed.
As things do, over time. www.cnn.com is using DNSSEC now.
See it for yourself: https://dnsviz.net/d/www.cnn.com/dnssec/
Although not without issues, as there are warnings.
I tend to say: call them to have it fixed?!