Netgate Discussion Forum

tcp error for address xxxx port 853

DHCP and DNS
    chudak
    last edited by chudak Feb 12, 2019, 6:01 PM

    I see lots of posts but no conclusive solution, so asking experts here.

    I am using SSL/TLS for outgoing DNS Queries and see errors:

    unbound 67011:3 debug: tcp error for address xxxx port 853

    It's the same for 8.8.8.8, 9.9.9.9 and 1.1.1.1

    Anybody know how to fix it?

    Thx

      johnpoz LAYER 8 Global Moderator
      last edited by Feb 12, 2019, 6:47 PM

      Where are these posts with no solutions exactly?

      And let's see your setup.. What version of pfsense are you using exactly? Do you have some VPN setup where all your traffic is going over a VPN? What other packages, if any, are you running?

      An intelligent man is sometimes forced to be drunk to spend time with his fools
      If you get confused: Listen to the Music Play
      Please don't Chat/PM me for help, unless mod related
      SG-4860 24.11 | Lab VMs 2.8, 24.11

        chudak @johnpoz
        last edited by Feb 12, 2019, 8:29 PM

        @johnpoz

        2.4.4-RELEASE-p2

        DNS server(s)
        127.0.0.1
        9.9.9.9
        149.112.112.112

        Resolver setup https://snag.gy/6MoRP1.jpg

        I run an OpenVPN server but no clients and don't think I have traffic going over it.

        Thx

          johnpoz LAYER 8 Global Moderator
          posted Feb 12, 2019, 8:46 PM, last edited by johnpoz Feb 12, 2019, 8:47 PM

          So clearly you're running pfblocker - which is why I asked about any packages. That for sure can cause a wrench to be thrown into unbound..

          2nd, you have dnssec enabled in forwarding mode - zero reason to do that.. There was a whole thread about it recently where someone put together a guide on setting up DNS and TLS.. When you forward to a resolver, if it supports dnssec it's already doing it.. So you do not have to click that check box.

          Do you have uncheck to let dhcp override your dns?


            chudak @johnpoz
            last edited by Feb 12, 2019, 8:52 PM

            @johnpoz

            Unchecked "Enable DNSSEC Support"

            "Do you have uncheck to let dhcp override your dns?"
            what do you mean ^ ?

            Not sure what I can do about pfBNG

            Thx!

              johnpoz LAYER 8 Global Moderator
              last edited by Feb 12, 2019, 9:01 PM

              @chudak said in tcp error for address xxxx port 853:

              Not sure what I can do about pfBNG

              Turn it OFF, uninstall it - do your errors go away? If so it has something to do with your configuration of pfblocker.

              [screenshot: dnsoverride.png]


                chudak @johnpoz
                last edited by Feb 12, 2019, 9:49 PM

                @johnpoz

                My "Allow DNS server list to be overridden by DHCP/PPP on WAN" is unchecked

                I turned OFF pfBNG and still see errors in Resolver log:

                Feb 12 13:48:38	unbound	79932:3	debug: tcp error for address 9.9.9.9 port 853
                Feb 12 13:48:38	unbound	79932:3	debug: tcp error for address 149.112.112.112 port 853
                
                  BBcan177 Moderator
                  last edited by Feb 13, 2019, 4:07 AM

                  Not sure if it's related to this:
                  https://forum.netgate.com/topic/138274/unbound-1-8-1-only-single-thread-processing-dns-requests

                  To disable this option, you need to add the following to: pfSense Resolver Adv. Custom options: (and save)

                  server:so-reuseport: no
                  

                  Otherwise, try with pfSense 2.4.5 as it has Unbound 1.9.0

                  "Experience is something you don't get until just after you need it."

                  Website: http://pfBlockerNG.com
                  Twitter: @BBcan177  #pfBlockerNG
                  Reddit: https://www.reddit.com/r/pfBlockerNG/new/

                    chudak @BBcan177
                    last edited by Feb 13, 2019, 4:16 AM

                    @bbcan177

                    Does not seem to make any difference :(

                    I wonder if this issue is easily reproducible...

                    My setup is pretty much out of the box

                      BBcan177 Moderator
                      posted Feb 13, 2019, 4:19 AM, last edited by BBcan177 Feb 13, 2019, 4:20 AM

                      In Unbound Adv. Settings, increase the "Log Level" to "2" and "Save". Then review the resolver.log for any other clues.... And as a test disable OpenVPN and see if the error stops.


                        chudak @BBcan177
                        posted Feb 13, 2019, 4:29 AM, last edited by chudak Feb 13, 2019, 4:30 AM

                        @bbcan177

                        Done
                        Not sure what is suspicious in it, maybe the "insecure" lines

                        Feb 12 20:27:32 unbound 80650:3 info: resolving myvisualiq.net. DS IN
                        Feb 12 20:27:32 unbound 80650:3 info: query response was ANSWER
                        Feb 12 20:27:32 unbound 80650:3 info: reply from <.> 9.9.9.9#853
                        Feb 12 20:27:32 unbound 80650:3 info: response for t.myvisualiq.net. A IN
                        Feb 12 20:27:32 unbound 80650:3 info: Verified that unsigned response is INSECURE
                        Feb 12 20:27:32 unbound 80650:3 info: NSEC3s for the referral proved no DS.
                        Feb 12 20:27:32 unbound 80650:3 info: resolving akamaiedge.net. DS IN
                        Feb 12 20:27:32 unbound 80650:3 info: Verified that unsigned response is INSECURE
                        Feb 12 20:27:32 unbound 80650:3 info: NSEC3s for the referral proved no DS.

                          johnpoz LAYER 8 Global Moderator
                          posted Feb 13, 2019, 5:13 AM, last edited by johnpoz Feb 13, 2019, 5:24 AM

                          Thought you turned off dnssec?

                          You sure you don't have multiple copies of unbound running, and your config never got updated? Pfblocker can leave some hanging when it tries to update, etc.

                          Also that
                          server:so-reuseport: no

                          would have to do with how many threads, would not cause a tcp error...

                          I can not reproduce this problem... Enabling dns over tls is clickity clickity..

                          What other packages do you have? Sorry, but installing pfblocker is NOT OUT OF THE BOX... And when asked what packages, you didn't even list that.. I only knew you were running it from its entry in your unbound screenshot.

                          So what else is not out of the box??


                            chudak @johnpoz
                            posted Feb 13, 2019, 5:24 AM, last edited by chudak Feb 13, 2019, 5:25 AM

                            @johnpoz

                            Ack on so-reuseport: no, and removed it

                            I’m sure I run one pfsense, how can it be confirmed?
                            Would it help if I send you my config xml file?

                            “Enabling dns over tls is clickity clickity..”. Btw how do you test that it actually works fine?

                              johnpoz LAYER 8 Global Moderator
                              last edited by Feb 13, 2019, 5:25 AM

                              sorry that was "typo" I changed it - meant unbound :) can not run multiple copies of pfsense ;) hehehe


                                chudak @johnpoz
                                last edited by Feb 13, 2019, 5:26 AM

                                @johnpoz said in tcp error for address xxxx port 853:

                                sorry that was "typo" I changed it - meant unbound :) can not run multiple copies of pfsense ;) hehehe

                                Too late :)

                                  johnpoz LAYER 8 Global Moderator
                                  last edited by Feb 13, 2019, 5:27 AM

                                  What is the output of this?

                                  sockstat | grep unbound

                                  Also again going to ask are you running anything else?? Any other packages?


                                    chudak @johnpoz
                                    posted Feb 13, 2019, 5:32 AM, last edited by chudak Feb 13, 2019, 5:33 AM

                                    @johnpoz said in tcp error for address xxxx port 853:

                                    sockstat | grep unbound

                                    sockstat | grep unbound
                                    unbound  unbound    94103 3  udp4   192.168.90.1:53       *:*
                                    unbound  unbound    94103 4  tcp4   192.168.90.1:53       *:*
                                    unbound  unbound    94103 5  udp4   192.168.90.1:853      *:*
                                    unbound  unbound    94103 6  tcp4   192.168.90.1:853      *:*
                                    unbound  unbound    94103 7  udp4   192.168.70.1:53       *:*
                                    unbound  unbound    94103 8  tcp4   192.168.70.1:53       *:*
                                    unbound  unbound    94103 9  udp4   192.168.70.1:853      *:*
                                    unbound  unbound    94103 10 tcp4   192.168.70.1:853      *:*
                                    unbound  unbound    94103 11 udp4   127.0.0.1:53          *:*
                                    unbound  unbound    94103 12 stream /var/run/php-fpm.socket
                                    unbound  unbound    94103 13 stream /var/run/php-fpm.socket
                                    unbound  unbound    94103 14 tcp4   127.0.0.1:53          *:*
                                    unbound  unbound    94103 15 udp4   127.0.0.1:853         *:*
                                    unbound  unbound    94103 16 tcp4   127.0.0.1:853         *:*
                                    unbound  unbound    94103 17 udp4   192.168.90.1:53       *:*
                                    unbound  unbound    94103 18 tcp4   192.168.90.1:53       *:*
                                    unbound  unbound    94103 19 udp4   192.168.90.1:853      *:*
                                    unbound  unbound    94103 20 tcp4   192.168.90.1:853      *:*
                                    unbound  unbound    94103 21 udp4   192.168.70.1:53       *:*
                                    unbound  unbound    94103 22 tcp4   192.168.70.1:53       *:*
                                    unbound  unbound    94103 23 udp4   192.168.70.1:853      *:*
                                    unbound  unbound    94103 24 tcp4   192.168.70.1:853      *:*
                                    unbound  unbound    94103 25 udp4   127.0.0.1:53          *:*
                                    unbound  unbound    94103 26 tcp4   127.0.0.1:53          *:*
                                    unbound  unbound    94103 27 udp4   127.0.0.1:853         *:*
                                    unbound  unbound    94103 28 tcp4   127.0.0.1:853         *:*
                                    unbound  unbound    94103 29 udp4   192.168.90.1:53       *:*
                                    unbound  unbound    94103 30 tcp4   192.168.90.1:53       *:*
                                    unbound  unbound    94103 31 udp4   192.168.90.1:853      *:*
                                    unbound  unbound    94103 32 tcp4   192.168.90.1:853      *:*
                                    unbound  unbound    94103 33 udp4   192.168.70.1:53       *:*
                                    unbound  unbound    94103 34 tcp4   192.168.70.1:53       *:*
                                    unbound  unbound    94103 35 udp4   192.168.70.1:853      *:*
                                    unbound  unbound    94103 36 tcp4   192.168.70.1:853      *:*
                                    unbound  unbound    94103 37 udp4   127.0.0.1:53          *:*
                                    unbound  unbound    94103 38 tcp4   127.0.0.1:53          *:*
                                    unbound  unbound    94103 39 udp4   127.0.0.1:853         *:*
                                    unbound  unbound    94103 40 tcp4   127.0.0.1:853         *:*
                                    unbound  unbound    94103 41 udp4   192.168.90.1:53       *:*
                                    unbound  unbound    94103 42 tcp4   192.168.90.1:53       *:*
                                    unbound  unbound    94103 43 udp4   192.168.90.1:853      *:*
                                    unbound  unbound    94103 44 tcp4   192.168.90.1:853      *:*
                                    unbound  unbound    94103 45 udp4   192.168.70.1:53       *:*
                                    unbound  unbound    94103 46 tcp4   192.168.70.1:53       *:*
                                    unbound  unbound    94103 47 udp4   192.168.70.1:853      *:*
                                    unbound  unbound    94103 48 tcp4   192.168.70.1:853      *:*
                                    unbound  unbound    94103 49 udp4   127.0.0.1:53          *:*
                                    unbound  unbound    94103 50 tcp4   127.0.0.1:53          *:*
                                    unbound  unbound    94103 51 udp4   127.0.0.1:853         *:*
                                    unbound  unbound    94103 52 tcp4   127.0.0.1:853         *:*
                                    unbound  unbound    94103 53 tcp4   127.0.0.1:953         *:*
                                    unbound  unbound    94103 54 dgram  -> /var/run/logpriv
                                    unbound  unbound    94103 55 stream -> ??
                                    unbound  unbound    94103 56 stream -> ??
                                    unbound  unbound    94103 57 stream -> ??
                                    unbound  unbound    94103 58 stream -> ??
                                    unbound  unbound    94103 59 stream -> ??
                                    unbound  unbound    94103 60 stream -> ??
                                    unbound  unbound    94103 61 stream -> ??
                                    unbound  unbound    94103 62 stream -> ??
                                    

                                    I run several packages - https://snag.gy/CRfoFM.jpg

                                    Unfortunately I can't easily disable the VPN ATM

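As an added check (not code from the thread or from pfSense), the sockstat listing above can be parsed to answer two questions raised in this thread mechanically: whether more than one unbound PID is present, and which local addresses are listening on port 853, which is the local TLS server option rather than forwarding to upstreams over TLS. The sample input is a constructed subset of the output posted above.

```python
"""Inspect 'sockstat | grep unbound' output from pfSense (FreeBSD).

Added example, not from the thread or pfSense. It reports the distinct unbound
PIDs (more than one means a stale process survived a reload) and the distinct
local sockets on the DNS-over-TLS port. Per-thread duplicate rows, which are
normal, collapse to one entry.
"""

DOT_PORT = 853       # DNS over TLS (RFC 7858)
CONTROL_PORT = 953   # unbound-control port as pfSense configures it; not DNS

# Constructed sample: a subset of the listing posted in the thread.
SAMPLE_SOCKSTAT = """\
unbound  unbound    94103 3  udp4   192.168.90.1:53       *:*
unbound  unbound    94103 4  tcp4   192.168.90.1:53       *:*
unbound  unbound    94103 5  udp4   192.168.90.1:853      *:*
unbound  unbound    94103 6  tcp4   192.168.90.1:853      *:*
unbound  unbound    94103 11 udp4   127.0.0.1:53          *:*
unbound  unbound    94103 12 stream /var/run/php-fpm.socket
unbound  unbound    94103 14 tcp4   127.0.0.1:53          *:*
unbound  unbound    94103 16 tcp4   127.0.0.1:853         *:*
unbound  unbound    94103 18 tcp4   192.168.90.1:53       *:*
unbound  unbound    94103 20 tcp4   192.168.90.1:853      *:*
unbound  unbound    94103 53 tcp4   127.0.0.1:953         *:*
unbound  unbound    94103 54 dgram  -> /var/run/logpriv
unbound  unbound    94103 55 stream -> ??
"""


def parse_sockstat(text):
    """Return (pid, fd, proto, local) rows for unbound sockets; local is None for unix sockets."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        # Columns: USER COMMAND PID FD PROTO LOCAL-ADDRESS FOREIGN-ADDRESS
        if len(parts) < 6 or parts[1] != "unbound":
            continue
        proto = parts[4]
        local = parts[5] if proto in ("tcp4", "tcp6", "udp4", "udp6") else None
        rows.append((int(parts[2]), int(parts[3]), proto, local))
    return rows


def split_port(local):
    """'127.0.0.1:853' -> ('127.0.0.1', 853); rsplit also copes with IPv6 literals."""
    addr, port = local.rsplit(":", 1)
    return addr, int(port)


def unbound_pids(rows):
    return sorted({pid for pid, _, _, _ in rows})


def listeners(rows, port, protos=("tcp4", "tcp6")):
    """Distinct local sockets bound to `port` over the given protocols."""
    found = {local for _, _, proto, local in rows
             if proto in protos and local and split_port(local)[1] == port}
    return sorted(found)


def summarize(text):
    rows = parse_sockstat(text)
    pids = unbound_pids(rows)
    dot = listeners(rows, DOT_PORT)
    return {
        "pids": pids,
        "multiple_processes": len(pids) > 1,
        "dot_listeners": dot,                 # non-empty: local TLS server is on
        "local_tls_server_enabled": bool(dot),
        "control_socket": listeners(rows, CONTROL_PORT),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_SOCKSTAT).items():
        print(f"{key}: {value}")
```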
                                      johnpoz LAYER 8 Global Moderator
                                      posted Feb 13, 2019, 5:38 AM, last edited by johnpoz Feb 13, 2019, 5:40 AM

                                      That looks normal..

                                      Here I just turned it on with clickity clickity and ZERO errors..

                                      Feb 12 23:34:40 	unbound 	95989:0 	info: query response was ANSWER
                                      Feb 12 23:34:40 	unbound 	95989:0 	info: reply from <.> 9.9.9.9#853
                                      Feb 12 23:34:40 	unbound 	95989:0 	info: response for checkip.synology.com. A IN
                                      Feb 12 23:34:40 	unbound 	95989:0 	info: resolving checkip.synology.com. A IN
                                      Feb 12 23:34:40 	unbound 	95989:0 	info: query response was CNAME
                                      Feb 12 23:34:40 	unbound 	95989:0 	info: reply from <.> 149.112.112.112#853
                                      Feb 12 23:34:40 	unbound 	95989:0 	info: response for checkip.synology.com. A IN
                                      Feb 12 23:34:40 	unbound 	95989:0 	info: resolving checkip.synology.com. A IN
                                      Feb 12 23:34:40 	unbound 	95989:0 	info: query response was CNAME
                                      Feb 12 23:34:40 	unbound 	95989:0 	info: reply from <.> 9.9.9.9#853
                                      Feb 12 23:34:40 	unbound 	95989:0 	info: response for checkip.synology.com. A IN
                                      Feb 12 23:34:40 	unbound 	95989:0 	info: resolving checkip.synology.com. A IN
                                      Feb 12 23:34:35 	unbound 	95989:3 	info: query response was ANSWER
                                      Feb 12 23:34:35 	unbound 	95989:3 	info: reply from <.> 9.9.9.9#853
                                      Feb 12 23:34:35 	unbound 	95989:3 	info: response for t.myvisualiq.net. A IN
                                      Feb 12 23:34:35 	unbound 	95989:3 	info: resolving t.myvisualiq.net. A IN
                                      Feb 12 23:34:35 	unbound 	95989:3 	info: query response was CNAME
                                      Feb 12 23:34:35 	unbound 	95989:3 	info: reply from <.> 9.9.9.9#853
                                      Feb 12 23:34:35 	unbound 	95989:3 	info: response for t.myvisualiq.net. A IN
                                      Feb 12 23:34:34 	unbound 	95989:3 	info: resolving t.myvisualiq.net. A IN
                                      Feb 12 23:33:56 	unbound 	95989:3 	info: query response was ANSWER
                                      Feb 12 23:33:56 	unbound 	95989:3 	info: reply from <.> 9.9.9.9#853
                                      Feb 12 23:33:56 	unbound 	95989:3 	info: response for conemu.github.io. A IN
                                      Feb 12 23:33:56 	unbound 	95989:0 	info: query response was ANSWER
                                      Feb 12 23:33:56 	unbound 	95989:0 	info: reply from <.> 9.9.9.9#853
                                      Feb 12 23:33:56 	unbound 	95989:0 	info: response for conemu.github.io. A IN
                                      Feb 12 23:33:56 	unbound 	95989:2 	info: query response was ANSWER
                                      Feb 12 23:33:56 	unbound 	95989:2 	info: reply from <.> 9.9.9.9#853
                                      Feb 12 23:33:56 	unbound 	95989:2 	info: response for conemu.github.io. A IN
                                      Feb 12 23:33:56 	unbound 	95989:3 	info: resolving conemu.github.io. A IN
                                      Feb 12 23:33:56 	unbound 	95989:0 	info: resolving conemu.github.io. A IN
                                      Feb 12 23:33:56 	unbound 	95989:2 	info: resolving conemu.github.io. A IN
                                      Feb 12 23:33:54 	unbound 	95989:1 	info: query response was nodata ANSWER
                                      Feb 12 23:33:54 	unbound 	95989:1 	info: reply from <.> 149.112.112.112#853
                                      Feb 12 23:33:54 	unbound 	95989:1 	info: response for us.pool.ntp.org. AAAA IN
                                      Feb 12 23:33:53 	unbound 	95989:1 	info: resolving us.pool.ntp.org. AAAA IN
                                      Feb 12 23:33:53 	unbound 	95989:3 	info: query response was ANSWER
                                      Feb 12 23:33:53 	unbound 	95989:3 	info: reply from <.> 149.112.112.112#853
                                      Feb 12 23:33:53 	unbound 	95989:3 	info: response for us.pool.ntp.org. A IN
                                      Feb 12 23:33:53 	unbound 	95989:3 	info: resolving us.pool.ntp.org. A IN
                                      Feb 12 23:33:07 	unbound 	95989:0 	info: start of service (unbound 1.8.1). 
                                      

                                      I even did a query for that entry you posted up.. Notice nothing about insecure... No tcp errors, etc..

                                      Post up the dns servers you set - you didn't set a gateway, did you?
                                      [screenshot: forwardingdnstls.png]

                                      Again, for what possible reason are you running TLS locally??? That is just pointless!!! Who would be sniffing your dns traffic locally???
                                      unbound  unbound    94103 52 tcp4   127.0.0.1:853         *:*

                                      Turn that OFF!!! Does that remove your errors?


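An added example, not code from the thread or from pfSense: a small triage over resolver log lines in the format quoted in the posts above (BBcan177's Log Level 2 advice and johnpoz's comparison log), tallying per upstream the tcp errors against the replies on port 853 so a forwarder that never answers stands out from one that only stumbles occasionally. The sample lines are constructed from the thread's output plus a few invented ones for contrast.

```python
"""Triage a pfSense/Unbound resolver log for DNS-over-TLS (port 853) failures.

Added example, not from the thread or pfSense. It parses the two line shapes
seen at Log Level 2:
  "... unbound 79932:3 debug: tcp error for address 9.9.9.9 port 853"
  "... unbound 80650:3 info: reply from <.> 9.9.9.9#853"
and counts, per upstream, failed TLS connections versus answered queries.
"""
import re
from collections import defaultdict

# Syslog prefix as the pfSense Resolver log prints it; fields may be separated
# by tabs or spaces, and the "pid:thread" field changes on every restart.
_PREFIX = r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d)\s+unbound\s+(?P<pid>\d+):(?P<thr>\d+)\s+"
TCP_ERROR_RE = re.compile(
    _PREFIX + r"debug: tcp error for address (?P<addr>[0-9a-fA-F.:]+) port (?P<port>\d+)"
)
REPLY_RE = re.compile(
    _PREFIX + r"info: reply from <(?P<zone>[^>]*)> (?P<addr>[0-9a-fA-F.:]+)#(?P<port>\d+)"
)

# Constructed sample: the thread's own error and reply lines plus invented ones
# (a second 9.9.9.9 error and a 1.1.1.1 reply) so every verdict appears once.
SAMPLE_LOG = """\
Feb 12 13:48:38\tunbound\t79932:3\tdebug: tcp error for address 9.9.9.9 port 853
Feb 12 13:48:38\tunbound\t79932:3\tdebug: tcp error for address 149.112.112.112 port 853
Feb 12 20:27:32 unbound 80650:3 info: resolving myvisualiq.net. DS IN
Feb 12 20:27:32 unbound 80650:3 info: reply from <.> 9.9.9.9#853
Feb 12 20:27:32 unbound 80650:3 info: response for t.myvisualiq.net. A IN
Feb 12 20:27:33 unbound 80650:3 debug: tcp error for address 9.9.9.9 port 853
Feb 12 20:27:40 unbound 80650:1 info: reply from <.> 1.1.1.1#853
"""


def triage(lines, dot_port=853):
    """Per upstream on dot_port: tcp error count, reply count and the PIDs seen.

    More than one PID in a short window is the hint johnpoz asks about: a
    reload that left an old unbound running alongside the new one.
    """
    stats = defaultdict(lambda: {"errors": 0, "replies": 0, "pids": set()})
    for raw in lines:
        line = raw.strip()
        m = TCP_ERROR_RE.match(line)
        if m and int(m["port"]) == dot_port:
            stats[m["addr"]]["errors"] += 1
            stats[m["addr"]]["pids"].add(int(m["pid"]))
            continue
        m = REPLY_RE.match(line)
        if m and int(m["port"]) == dot_port:
            stats[m["addr"]]["replies"] += 1
            stats[m["addr"]]["pids"].add(int(m["pid"]))
    return dict(stats)


def verdict(stats):
    """'dead' = errors and never a reply, 'flaky' = both, 'ok' = replies only."""
    out = {}
    for addr, s in stats.items():
        if s["errors"] and not s["replies"]:
            out[addr] = "dead"
        elif s["errors"]:
            out[addr] = "flaky"
        else:
            out[addr] = "ok"
    return out


if __name__ == "__main__":
    stats = triage(SAMPLE_LOG.splitlines())
    for addr, state in sorted(verdict(stats).items()):
        s = stats[addr]
        print(f"{addr:>16}  {state:5}  errors={s['errors']} "
              f"replies={s['replies']} pids={sorted(s['pids'])}")
```

On a real box, feed it the output of `clog /var/log/resolver.log` or the lines copied from the Resolver log page.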
                                        chudak @johnpoz
                                        last edited by chudak Feb 13, 2019, 5:43 AM

                                        @johnpoz ok ok done :)

                                        DNS Server Settings =>
                                        https://snag.gy/g3bnED.jpg

                                        "clickity clickity and ZERO errors.." that's in the Resolver logs, what Log Level do you have set?

                                          johnpoz LAYER 8 Global Moderator
                                          posted Feb 13, 2019, 5:44 AM, last edited by johnpoz Feb 13, 2019, 5:45 AM

                                          2! It wouldn't show that info, not at least that.

                                          And yes, it's the resolver log.... Where else would it be?


Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.