Netgate Discussion Forum

DNS resolver DNSSEC - error sending query to auth server

DHCP and DNS
8 Posts 4 Posters 4.1k Views
    larinux
    last edited by Aug 1, 2016, 2:18 PM

    Hello world!

    I'm having some problems with my DNS resolver setup with DNSSEC. I've been searching for clues for the last 1 or 2 weeks, so I decided to ask for help here. I have a pfSense 2.2.6 setup with 1 WAN connection to my ISP and a LAN configured only on IPv4 (DHCP leases and static IPs).

    I have configured DNS Resolver (no forwarding is activated; I paid a lot of attention to the posts from this forum). Names are resolved correctly. However, it seems that as soon as I activate the DNSSEC support, names are not resolved anymore, and in the Resolver log I get a lot of entries that look like this:

    unbound: [46052:2] info: error sending query to auth server 2001:500:9f::42 port 53

    Now, does this sound familiar?
    Does DNSSEC need IPv6 access? (btw, I have played around with the IPv6 settings from System: Advanced: Networking and it doesn't help)

    Looking forward to finding some other suggestions in order to continue my search :)

      kpa
      last edited by Aug 2, 2016, 12:29 PM Aug 2, 2016, 12:13 PM

      What do you have in "IPv6 Configuration Type" set up for the WAN interface? If you don't need IPv6 you should set it to "None" to avoid a situation where you get some sort of IPv6 connection from your ISP but it doesn't quite work.

      DNSSEC does not require IPv6.

        smitimus
        last edited by Oct 16, 2016, 12:12 AM

        I have had this same issue for months. Addresses will not resolve and my devices hang waiting on it. Once they resolve we are good to go for a while because they are stored locally.

        Mine occurs any time, including with DNSSEC enabled or disabled. Simple single interface WAN and LAN, both with IPv6 disabled.

        The only thing I have found that fixes it is removing all references to IPv6 addresses from the config file through edit file. This works perfectly until pfSense rebuilds the file, which seems to be more often recently (used to be able to go for days on this).

        Did you happen to find a fix?

          johnpoz LAYER 8 Global Moderator
          last edited by Oct 16, 2016, 11:25 AM

          It would use IPv6 if IPv6 is given; it prefers IPv6 unless you check in the advanced networking to prefer IPv4. So for example, what domain were you looking up?

          Many people run into this issue where their IPv6 is subpar, or maybe the domain's DNS on IPv6 is subpar, etc. Either way, yes, when you resolve, if you have issues talking to the authoritative server you're going to have a bad day. What domain is that exactly? It's quite possible their DNSSEC is broken!!

          You can test that here
          http://dnsviz.net/

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          SG-4860 24.11 | Lab VMs 2.7.2, 24.11

            smitimus
            last edited by Oct 16, 2016, 4:11 PM

            @johnpoz:

            It would use IPv6 if IPv6 is given; it prefers IPv6 unless you check in the advanced networking to prefer IPv4. So for example, what domain were you looking up?

            Many people run into this issue where their IPv6 is subpar, or maybe the domain's DNS on IPv6 is subpar, etc. Either way, yes, when you resolve, if you have issues talking to the authoritative server you're going to have a bad day. What domain is that exactly? It's quite possible their DNSSEC is broken!!

            You can test that here
            http://dnsviz.net/

            Thanks for the reply. I have IPv6 set to None on both interfaces, prefer IPv4 checked, and allow IPv6 unchecked in advanced networking. From everything I have found, I have all aspects of IPv6 disabled.

            As for the domain and DNSSEC, it really doesn't matter. It happens when DNSSEC is on or off. It happens with any DNS provider. It happens to any domain, the only thing in common is that when it happens the error shows up in the log.

            I can do Diagnostic DNS lookup and lookup various domains. 1 out of 4ish will take forever to come back or will time out. I rerun the lookup and they come back instantly because they are stored at this point.

            As I said before, I can go into the config file and delete all IPv6 addresses and everything works great until the config is regenerated. I have even tried selecting single interfaces in the config menu, but it still adds references to IPv6 addresses.

            I should probably start a new thread and will do so shortly. I finally found something that works as a temporary solution. When I switch to DNS Forwarder, and check strict everything works perfectly.

              johnpoz LAYER 8 Global Moderator
              last edited by Oct 16, 2016, 4:15 PM

              Why would it try and send to an IPv6 address if pfSense has no IPv6 address?

              What do you have set for your outgoing interface on unbound? Do you have it set to all, or what exactly? Mine is only my WAN interface, since that is the ONLY interface it could talk to authoritative NS on, and it's only IPv4.

                smitimus
                last edited by Oct 16, 2016, 4:24 PM Oct 16, 2016, 4:21 PM

                @johnpoz:

                Why would it try and send to an IPv6 address if pfSense has no IPv6 address?

                What do you have set for your outgoing interface on unbound? Do you have it set to all, or what exactly? Mine is only my WAN interface, since that is the ONLY interface it could talk to authoritative NS on, and it's only IPv4.

                EXACTLY! Now you see why I have been scratching my head. I have tried everything I can think of there. WAN, All. I have interfaces set up for a VPN connection that I enable on rare occasion (currently disabled) that I even tried to send it through. Still does it. Basically any time unbound is turned on, and I have not edited the config file in the last 10ish minutes, it will do this. I have even tried fresh installs, although not recently.

                Edit: My config…

                ##########################
                # Unbound Configuration
                ##########################
                
                ##
                # Server configuration
                ##
                server:
                
                chroot: /var/unbound
                username: "unbound"
                directory: "/var/unbound"
                pidfile: "/var/run/unbound.pid"
                use-syslog: yes
                port: 53
                verbosity: 2
                hide-identity: yes
                hide-version: yes
                harden-glue: yes
                do-ip4: yes
                do-ip6: yes
                do-udp: yes
                do-tcp: yes
                do-daemonize: yes
                module-config: "iterator"
                unwanted-reply-threshold: 10000000
                num-queries-per-thread: 1024
                jostle-timeout: 200
                infra-host-ttl: 900
                infra-cache-numhosts: 10000
                outgoing-num-tcp: 10
                incoming-num-tcp: 10
                edns-buffer-size: 4096
                cache-max-ttl: 86400
                cache-min-ttl: 0
                harden-dnssec-stripped: yes
                msg-cache-size: 4m
                rrset-cache-size: 8m
                
                num-threads: 2
                msg-cache-slabs: 2
                rrset-cache-slabs: 2
                infra-cache-slabs: 2
                key-cache-slabs: 2
                outgoing-range: 4096
                #so-rcvbuf: 4m
                
                prefetch: yes
                prefetch-key: yes
                use-caps-for-id: no
                # Statistics
                # Unbound Statistics
                statistics-interval: 0
                extended-statistics: yes
                statistics-cumulative: yes
                
                # Interface IP(s) to bind to
                interface: 0.0.0.0
                interface: ::0
                interface-automatic: yes
                
                # Outgoing interfaces to be used
                outgoing-interface: wanIPv4 Removed
                
                # DNS Rebinding
                # For DNS Rebinding prevention
                private-address: 10.0.0.0/8
                private-address: 172.16.0.0/12
                private-address: 169.254.0.0/16
                private-address: 192.168.0.0/16
                private-address: fd00::/8
                private-address: fe80::/10
                # Set private domains in case authoritative name server returns a Private IP address
                
                # Access lists
                include: /var/unbound/access_lists.conf
                
                # Static host entries
                include: /var/unbound/host_entries.conf
                
                # dhcp lease entries
                include: /var/unbound/dhcpleases_entries.conf
                
                # Domain overrides
                include: /var/unbound/domainoverrides.conf
                
                ###
                # Remote Control Config
                ###
                include: /var/unbound/remotecontrol.conf

                  johnpoz LAYER 8 Global Moderator
                  last edited by Oct 16, 2016, 11:51 PM

                  do-ip6: yes

                  Interface IP(s) to bind to

                  interface: 0.0.0.0
                  interface: ::0
                  interface-automatic: yes

                  Why do you have those???

                  If you do not want it to use IPv6 outbound, then don't bind it to an IPv6 address.

                  
                  # Interface IP(s) to bind to
                  interface: 192.168.9.253
                  interface: 2001:470:snipped::1
                  interface: 192.168.2.253
                  interface: 2001:470:snpped::1
                  interface: 192.168.3.253
                  interface: 2001:470:snipped::1
                  interface: 192.168.4.253
                  interface: 192.168.6.253
                  interface: 2001:470:snipped::1
                  interface: 192.168.7.253
                  interface: 127.0.0.1
                  interface: ::1
                  
                  # Outgoing interfaces to be used
                  outgoing-interface: 24.13.snipped

                  I would get rid of that do-ip6 in your config if you don't want it doing IPv6, as the easy way to prevent it. You should be able to put it in the advanced tab..

                  server:
                  do-ip6: no

                  I just tested, and if you put those commands in, unbound isn't doing anything with IPv6.

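A small audit for the two settings johnpoz points at (do-ip6 and the IPv6 listener) together with the log signature from the first post, as an added example in Python that is not from the thread or from pfSense; the config and log lines are constructed from what was posted above, and 203.0.113.10 stands in for the redacted outgoing address.

```python
import ipaddress
import re

SAMPLE_CONF = """\
server:
do-ip6: yes
interface: 0.0.0.0
interface: ::0
outgoing-interface: 203.0.113.10
"""  # constructed: the IPv6-relevant options from the config posted above
SAMPLE_LOG = """\
unbound: [46052:2] info: error sending query to auth server 2001:500:9f::42 port 53
unbound: [46052:1] info: error sending query to auth server 2001:503:ba3e::2:30 port 53
unbound: [46052:0] info: error sending query to auth server 192.0.2.53 port 53
"""  # constructed log lines in the format unbound writes at verbosity 2
SEND_ERR = re.compile(r"error sending query to auth server (\S+) port \d+")

def is_v6(text):  # hostnames and redacted values such as "wanIPv4 Removed" are not addresses
    try:
        return ipaddress.ip_address(text).version == 6
    except ValueError:
        return False

def parse_server_options(conf_text):
    """Collect 'key: value' options into {key: [values]}; comments and clause headers are skipped."""
    opts = {}
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line and not line.endswith(":"):
            key, _, value = line.partition(":")
            opts.setdefault(key.strip(), []).append(value.strip().strip('"'))
    return opts

def count_send_errors(log_text):
    """Count 'error sending query to auth server' entries by address family of the target."""
    counts = {"v4": 0, "v6": 0}
    for m in SEND_ERR.finditer(log_text):
        counts["v6" if is_v6(m.group(1)) else "v4"] += 1
    return counts

def audit(conf_text, log_text):
    """Findings for a host with no working IPv6 (this thread); do-ip6 defaults to yes in unbound."""
    opts = parse_server_options(conf_text)
    errs = count_send_errors(log_text)
    checks = [
        ("yes" in opts.get("do-ip6", ["yes"]), "do-ip6 is yes: set 'do-ip6: no' in custom options"),
        (any(is_v6(a) for a in opts.get("interface", [])), "bound to an IPv6 listener address"),
        (errs["v6"] > 0, f"{errs['v6']} send errors to IPv6 auth servers, {errs['v4']} to IPv4"),
    ]
    return [msg for hit, msg in checks if hit]
```

Run it against the posted config and `/var/log/resolver.log` to see whether the failures cluster on IPv6 auth servers before and after adding `do-ip6: no`.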