DNS resolver DNSSEC - error sending query to auth server



  • Hello world!

    I'm having some problems with my dns resolver setup with DNSSEC. Been searching for clues for the last 1 or 2 weeks, so I decided to ask for help here. I have a pfsense 2.2.6 setup with 1 WAN connection to my ISP and a LAN configured only on IPv4 (dhcp leases and static IPs).

    I have configured DNS resolver (no forward stuff is activate, paid attention a lot of the posts from this forum). Names are resolved correctly. However, it seems that as soon as I activate the DNSSEC support names are not resolved anymore and in the Resolver log I get a lot of entries that look like this:

    unbound: [46052:2] info: error sending query to auth server 2001:500:9f::42 port 53

    Now, does this sound familiar?
    Does DNSSEC need IPv6 access? (btw, I have played around with the IPv6 settings from System: Advanced: Networking and it doesn't help)

    Looking forward to finding some other suggestions in order to continue my search :)



  • What do you have in "IPv6 Configuration Type" set up for the WAN interface? If you don't need IPv6 you should set it to "None" to avoid a situation where you get some sort of IPv6 connection from your ISP but it doesn't quite work.

    DNSSEC does not require IPv6.



  • I have had this same issue for months. Addresses will not resolve and my devices hang waiting on it. Once they resolve we are good to go for a while because they are stored  local.

    Mine occurs any time, including with DNSSEC enabled or disabled. Simple single interface WAN and LAN, both with IPv6 disabled.

    The only thing I have found that fixes it is removing all references to IPV6 addresses from the config file through edit file. This works perfect until pfSense rebuilds the file, which seems to be more often recently (used to be able to go for days on this).

    Did you happen to find a fix?


  • Rebel Alliance Global Moderator

    It would use ipv6 if ipv6 is given, it prefers IPv6 - unless you check in the advanced networking to prefer ipv4.  So for example what domain where you looking up?

    Many people run into this issue where their ipv6 is subpar, or maybe the domain dns on ipv6 is subpar, etc.  either way yes when you resolve if you have issues talking to the authoritative server your going to have a bad day.  What domain is that exactly - its quite possible their dnssec is broken!!

    You can test that here
    http://dnsviz.net/



  • @johnpoz:

    It would use ipv6 if ipv6 is given, it prefers IPv6 - unless you check in the advanced networking to prefer ipv4.  So for example what domain where you looking up?

    Many people run into this issue where their ipv6 is subpar, or maybe the domain dns on ipv6 is subpar, etc.  either way yes when you resolve if you have issues talking to the authoritative server your going to have a bad day.  What domain is that exactly - its quite possible their dnssec is broken!!

    You can test that here
    http://dnsviz.net/

    Thanks for the reply. I have IPv6 set to None on both interfaces, prefer IPv4 checked, and allow IPv6 unchecked in advanced networking. From everything I have found, I have all aspects of IPv6 disabled.

    As for the domain and DNSSEC, it really doesn't matter. It happens when DNSSEC is on or off. It happens with any DNS provider. It happens to any domain, the only thing in common is that when it happens the error shows up in the log.

    I can do Diagnostic DNS lookup and lookup various domains. 1 out of 4ish will take forever to come back or will time out. I rerun the lookup and they come back instantly because they are stored at this point.

    As I said before I can go in to the config file and delete all IPv6 addresses and everything works great until the config is regenerated. I have even tried selecting single interfaces in the config menu, but it still adds references to IPv6 addresses.

    I should probably start a new thread and will do so shortly. I finally found something that works as a temporary solution. When I switch to DNS Forwarder, and check strict everything works perfectly.


  • Rebel Alliance Global Moderator

    Why would it try and send to IPv6 address if pfsense has not ipv6 address?

    What do you have set for your outgoing interface on unbound.  Do you have set to all, or what exactly.. Mine is only my WAN interface..  Since that is the ONLY Interface it could talk to authoritative ns on, and its only IPv4..



  • @johnpoz:

    Why would it try and send to IPv6 address if pfsense has not ipv6 address?

    What do you have set for your outgoing interface on unbound.  Do you have set to all, or what exactly.. Mine is only my WAN interface..  Since that is the ONLY Interface it could talk to authoritative ns on, and its only IPv4..

    EXACTLY! Now you see why I have been scratching my head. I have tried everything I can think of there. WAN, All. I have interfaces set up for a VPN connection that I enable on rare occasion (currently disabled) that I even tried to send it through. Still does it. Basically any time unbound is turned on, and I have not edited the config file in the last 10ish minutes, it will do this. I have even tried fresh installs, although not recently.

    Edit: My config…

    ##########################
    # Unbound Configuration
    ##########################
    
    ##
    # Server configuration
    ##
    server:
    
    chroot: /var/unbound
    username: "unbound"
    directory: "/var/unbound"
    pidfile: "/var/run/unbound.pid"
    use-syslog: yes
    port: 53
    verbosity: 2
    hide-identity: yes
    hide-version: yes
    harden-glue: yes
    do-ip4: yes
    do-ip6: yes
    do-udp: yes
    do-tcp: yes
    do-daemonize: yes
    module-config: "iterator"
    unwanted-reply-threshold: 10000000
    num-queries-per-thread: 1024
    jostle-timeout: 200
    infra-host-ttl: 900
    infra-cache-numhosts: 10000
    outgoing-num-tcp: 10
    incoming-num-tcp: 10
    edns-buffer-size: 4096
    cache-max-ttl: 86400
    cache-min-ttl: 0
    harden-dnssec-stripped: yes
    msg-cache-size: 4m
    rrset-cache-size: 8m
    
    num-threads: 2
    msg-cache-slabs: 2
    rrset-cache-slabs: 2
    infra-cache-slabs: 2
    key-cache-slabs: 2
    outgoing-range: 4096
    #so-rcvbuf: 4m
    
    prefetch: yes
    prefetch-key: yes
    use-caps-for-id: no
    # Statistics
    # Unbound Statistics
    statistics-interval: 0
    extended-statistics: yes
    statistics-cumulative: yes
    
    # Interface IP(s) to bind to
    interface: 0.0.0.0
    interface: ::0
    interface-automatic: yes
    
    # Outgoing interfaces to be used
    outgoing-interface: wanIPv4 Removed
    
    # DNS Rebinding
    # For DNS Rebinding prevention
    private-address: 10.0.0.0/8
    private-address: 172.16.0.0/12
    private-address: 169.254.0.0/16
    private-address: 192.168.0.0/16
    private-address: fd00::/8
    private-address: fe80::/10
    # Set private domains in case authoritative name server returns a Private IP address
    
    # Access lists
    include: /var/unbound/access_lists.conf
    
    # Static host entries
    include: /var/unbound/host_entries.conf
    
    # dhcp lease entries
    include: /var/unbound/dhcpleases_entries.conf
    
    # Domain overrides
    include: /var/unbound/domainoverrides.conf
    
    ###
    # Remote Control Config
    ###
    include: /var/unbound/remotecontrol.conf
    
    

  • Rebel Alliance Global Moderator

    do-ip6: yes

    Interface IP(s) to bind to

    interface: 0.0.0.0
    interface: ::0
    interface-automatic: yes

    Why do you have those???

    If you do not want it to use IPv6 outbound then don't bind it to Ipv6 address

    
    # Interface IP(s) to bind to
    interface: 192.168.9.253
    interface: 2001:470:snipped::1
    interface: 192.168.2.253
    interface: 2001:470:snpped::1
    interface: 192.168.3.253
    interface: 2001:470:snipped::1
    interface: 192.168.4.253
    interface: 192.168.6.253
    interface: 2001:470:snipped::1
    interface: 192.168.7.253
    interface: 127.0.0.1
    interface: ::1
    
    # Outgoing interfaces to be used
    outgoing-interface: 24.13.snipped
    
    

    I would get rid of that do ipv6 in your config if you don't want it doing ipv6 as the easy way to prevent it.  You should be able to put it the advanced tab..

    server:
    do-ip6: no

    I just tested and if you put those commands unbound isn't doing anything with ipv6.