Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    unbound not resolving - dig on ssh session works

    Scheduled Pinned Locked Moved DHCP and DNS
    3 Posts 2 Posters 865 Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • S
      scope
      last edited by

      Good evening!

      I'm currently in the process of evaluating pfsense as a new platform for my home network.
      First things first: Thanks for this awesome project!

      I have a VDSL2 line, a separate DSL-modem and currently use a zotac zbox ci (dual gigabyte nics) for my setup.
      So I'm using PPPoE, which works fine.... but...

      It appears that unbound is not resolving external domains. I digged through the forum for a while now, but I can't find a thread that seems to be similar to my case.

      Here are some details about my setup:

      • I currently run 2.4.4-RELEASE-p2 (amd64).
      • LAN interface on 10.0.0.2/24
      • WAN interface on PPPoE for IPv4 with credentials for my provider and none for IPv6
      • No DNS servers configured in System -> General Setup
      • DNS Resolver active, interfaces set to All / All, Static DHCP checked and some host overrides
      • WAN connects without problems and WAN_PPPOE is the only (and default) gateway

      It appears to me, that this is a fairly basic setup. Yet, something must be wrong (or I've been too stupid and misconfigured something...).

      If I manually set DNS to e.g. 1.1.1.1 for my Windows box, everything works as excpected, so my internet connection seems to be ok (latency and bandwidth is ok, too).

      If I try to use 10.0.0.2 as a resolver, I just get a timeout.

      The resolver log just show something like:

      Apr 12 00:18:04	unbound	25146:0	notice: init module 0: validator
      Apr 12 00:18:04	unbound	25146:0	notice: init module 1: iterator
      Apr 12 00:18:04	unbound	25146:0	info: start of service (unbound 1.8.1).
      

      So I tried to dig into this (literally).

      What I've tried so far:

      Unbound is running and answers queries that correspond to the configured host overrides:

      [2.4.4-RELEASE][admin@pfsense.home]/root: dig zbox.home
      
      ; <<>> DiG 9.12.2-P1 <<>> zbox.home
      ;; global options: +cmd
      ;; Got answer:
      ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57640
      ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
      
      ;; OPT PSEUDOSECTION:
      ; EDNS: version: 0, flags:; udp: 4096
      ;; QUESTION SECTION:
      ;zbox.home.           IN      A
      
      ;; ANSWER SECTION:
      zbox.home.    3600    IN      A       10.0.0.8
      
      ;; Query time: 0 msec
      ;; SERVER: 127.0.0.1#53(127.0.0.1)
      ;; WHEN: Fri Apr 12 00:20:00 CEST 2019
      ;; MSG SIZE  rcvd: 64
      

      I then dumped the query list:

      [2.4.4-RELEASE][admin@pfsense.home]/: unbound-control -c /var/unbound/unbound.conf dump_requestlist
      thread #0
      #   type cl name    seconds    module status
        0   NS IN . - iterator wait for 202.12.27.33
        1    A IN 0.pfsense.pool.ntp.org. 349.483801 iterator wants NS IN .
        2    A IN 0.pfsense.pool.ntp.org.home. 324.312648 iterator wants NS IN .
        3    A IN pkg.pfsense.org. 324.193176 iterator wants NS IN .
        4    A IN pkg.pfsense.org.home. 294.051367 iterator wants NS IN .
        5    A IN stun.gigaset.net. 254.992681 iterator wants NS IN .
        6    A IN dynreg.gigaset.net. 276.110724 iterator wants NS IN .
        7 AAAA IN 0.pfsense.pool.ntp.org. 339.347040 iterator wants NS IN .
        8 AAAA IN 0.pfsense.pool.ntp.org.home. 309.203612 iterator wants NS IN .
        9 AAAA IN pkg.pfsense.org. 309.141421 iterator wants NS IN .
       10 AAAA IN pkg.pfsense.org.home. 349.483801 iterator wants NS IN .
       11  SRV IN _https._tcp.pkg.pfsense.org. 339.351057 iterator wants NS IN .
      

      So it's collecting queries, but these just seem to be stuck and waiting forever.

      If I manually try to query I get:

      [2.4.4-RELEASE][admin@pfsense.home]/root: dig 0.pfsense.pool.ntp.org.
      
      ; <<>> DiG 9.12.2-P1 <<>> 0.pfsense.pool.ntp.org.
      ;; global options: +cmd
      ;; connection timed out; no servers could be reached
      

      Talking to a root server works, so these seem not to be blocked by my ISP:

      [2.4.4-RELEASE][admin@pfsense.home]/root: dig @202.12.27.33 +dnssec 0.pfsense.pool.ntp.org.
      
      ; <<>> DiG 9.12.2-P1 <<>> @202.12.27.33 +dnssec 0.pfsense.pool.ntp.org.
      ; (1 server found)
      ;; global options: +cmd
      ;; Got answer:
      ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52472
      ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 9, ADDITIONAL: 13
      ;; WARNING: recursion requested but not available
      
      ;; OPT PSEUDOSECTION:
      ; EDNS: version: 0, flags: do; udp: 4096
      ;; QUESTION SECTION:
      ;0.pfsense.pool.ntp.org.                IN      A
      
      ;; AUTHORITY SECTION:
      org.                    172800  IN      NS      d0.org.afilias-nst.org.
      org.                    172800  IN      NS      b2.org.afilias-nst.org.
      org.                    172800  IN      NS      a0.org.afilias-nst.info.
      org.                    172800  IN      NS      c0.org.afilias-nst.info.
      org.                    172800  IN      NS      a2.org.afilias-nst.info.
      org.                    172800  IN      NS      b0.org.afilias-nst.org.
      org.                    86400   IN      DS      9795 7 2 3922B31B6F3A4EA92B19EB7B52120F031FD8E05FF0B03BAFCF9F891B FE7FF8E5
      org.                    86400   IN      DS      9795 7 1 364DFAB3DAF254CAB477B5675B10766DDAA24982
      org.                    86400   IN      RRSIG   DS 8 1 86400 20190424170000 20190411160000 25266 . mUjeRKpkX1lXiqP1N9Dh0HDlMkObK5VdrLTbmYMajgb8muftE6nmzX1y tuyzp9lciFvSnBrjLfy+OPlxKCenMZVej6wwPIUtSlK/JDOgFBedAP4h +9iuUkrY4WzhdRbWcwHiWm6mh1FRy/3ZWPdXV1zys0fyn3WLr9/U0php rlwxQPIEH9UXmpJHeqnypN+9xmHfQnFT1RfMJCdVKumKyms1tJQVVcjg Q+G9+HtUcDw3xLsbvwVUa4mweeFcMoljpP7KM/GHRgxJj8wZ/sxYAIgY SlvXe8D75EK2YaRRCKnkSH1sOa9Gc8CxjWqfwWDfX42aWRprdEDOQWSa i5bMig==
      
      ;; ADDITIONAL SECTION:
      a0.org.afilias-nst.info. 172800 IN      A       199.19.56.1
      a2.org.afilias-nst.info. 172800 IN      A       199.249.112.1
      b0.org.afilias-nst.org. 172800  IN      A       199.19.54.1
      b2.org.afilias-nst.org. 172800  IN      A       199.249.120.1
      c0.org.afilias-nst.info. 172800 IN      A       199.19.53.1
      d0.org.afilias-nst.org. 172800  IN      A       199.19.57.1
      a0.org.afilias-nst.info. 172800 IN      AAAA    2001:500:e::1
      a2.org.afilias-nst.info. 172800 IN      AAAA    2001:500:40::1
      b0.org.afilias-nst.org. 172800  IN      AAAA    2001:500:c::1
      b2.org.afilias-nst.org. 172800  IN      AAAA    2001:500:48::1
      c0.org.afilias-nst.info. 172800 IN      AAAA    2001:500:b::1
      d0.org.afilias-nst.org. 172800  IN      AAAA    2001:500:f::1
      
      ;; Query time: 152 msec
      ;; SERVER: 202.12.27.33#53(202.12.27.33)
      ;; WHEN: Fri Apr 12 01:04:07 CEST 2019
      ;; MSG SIZE  rcvd: 824
      

      If I follow the path down, this results in a.ntpns.org being the nameserver to ask.

      Which does not work by name:

      [2.4.4-RELEASE][admin@pfsense.home]/root: dig @a.ntpns.org +dnssec 0.pfsense.pool.ntp.org.
      dig: couldn't get address for 'a.ntpns.org': not found
      

      But by IP:

      [2.4.4-RELEASE][admin@pfsense.home]/root: dig @207.171.17.42 +dnssec 0.pfsense.pool.ntp.org.
      
      ; <<>> DiG 9.12.2-P1 <<>> @207.171.17.42 +dnssec 0.pfsense.pool.ntp.org.
      ; (1 server found)
      ;; global options: +cmd
      ;; Got answer:
      ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32168
      ;; flags: qr aa rd; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 0
      ;; WARNING: recursion requested but not available
      
      ;; QUESTION SECTION:
      ;0.pfsense.pool.ntp.org.                IN      A
      
      ;; ANSWER SECTION:
      0.pfsense.pool.ntp.org. 150     IN      A       5.189.146.13
      0.pfsense.pool.ntp.org. 150     IN      A       37.120.184.82
      0.pfsense.pool.ntp.org. 150     IN      A       176.9.102.215
      0.pfsense.pool.ntp.org. 150     IN      A       87.118.124.35
      
      ;; Query time: 22 msec
      ;; SERVER: 207.171.17.42#53(207.171.17.42)
      ;; WHEN: Fri Apr 12 01:08:32 CEST 2019
      ;; MSG SIZE  rcvd: 192
      

      Of course, if I knew all the IPs beforehand, I wouldn't need to use DNS ;)

      A full trace does not work either:

      [2.4.4-RELEASE][admin@pfsense.home]/root: dig +dnssec +trace 0.pfsense.pool.ntp.org.
      
      ; <<>> DiG 9.12.2-P1 <<>> +dnssec +trace 0.pfsense.pool.ntp.org.
      ;; global options: +cmd
      ;; connection timed out; no servers could be reached
      

      At least I'd expect to see the list of root servers here.

      Any insight? Hopefully I'm just doing it wrong...

      Greetings and thanks for your help!

      GertjanG 1 Reply Last reply Reply Quote 0
      • GertjanG
        Gertjan @scope
        last edited by

        @scope said in unbound not resolving - dig on ssh session works:

        The resolver log just show something like:

        92759bb5-ed2e-49bb-bb63-67eb48ac4ffb-image.png

        It show what you want to see ;)
        If you want, inform it to show more details (like what servers it can't reach).

        Btw - your last command :

        dig +dnssec +trace 0.pfsense.pool.ntp.org.
        

        runs fully for me.

        Also :

        dig @a.ntpns.org +dnssec 0.pfsense.pool.ntp.org.
        

        works for me, @dig @a.ntpns.org will get resolved to "207.171.17.42" (and it's IPv6 counter part)

        Although you gave good info, I can't see (from here) why 'some' NS servers can't be contacted.

        What are (floating) firewall rules ? NAT specials ? packages ?

        As you said : the Resolvers works fine right after setup. Nothing need to be done to make it work better.
        I used pppoe myself for years, many do still today. That couldn't be the issue.

        No "help me" PM's please. Use the forum, the community will thank you.
        Edit : and where are the logs ??

        1 Reply Last reply Reply Quote 0
        • S
          scope
          last edited by

          Hi,

          thanks for your feedback!

          Ok, did not look closely enough on the advanced tab - log level ist easy to overlook :)

          Fortunately I was able to resolve my issue, though I still don't know what happened exactly.

          I tried to take as much out of the equation as possible - my last try was to take even pfsense out...
          So I started unbound as a docker container on one of my machines (pfsense still in use for internet gateway, though)...
          That showed the exact same symptoms.

          That was a serious WTF moment :|

          I then googled for a long time, and tried to debug that single docker unbound instance - without success. It seemed as if something dropped packets, but I did not know what.

          I eventually found a promising thread:
          https://forums.freebsd.org/threads/unbound-very-slow-and-or-dns-address-could-not-be-found.57493/

          That setup seemed to be similar. I as well use a Fritzbox that is tricked into working only as a dsl modem.
          I tried to change the dsl protocol version as suggested in the thread - without success.

          I then took a deeper look at the fritzbox again. There are various modes the fritzbox can be turned into a dsl modem.
          I used the variant, where the fritzbox itself handles VLAN tag 7 for VDSL.
          I found various threads, that this bridge mode suffers a drop-some-PPPoE-packets problem.

          I then switched the box to full_bridge - of course I had to adjust pfsense to do the VLAN tagging itself on the WAN interface.
          And guess what: it worked.

          Unbound now works fine. Why the bridge mode of the fritzbox dropped just these specific DNS packets - I have absolutely no idea. Of course, I mustn't complain, since I use the box in a way it was not designed for (at least not officially) :)

          So basically everything was set up correctly and I did look at the wrong end...

          1 Reply Last reply Reply Quote 0
          • First post
            Last post
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.