Strange issue - not sure how to fix
-
I have been experiencing a strange issue that seems to only affect navigation to a single website. My box is an SG-4860, on 2.4.4-RELEASE-p3 (supplying this info in case it is pertinent). From time to time, I am unable to connect to a specific website, feedly.com. When I check under Diagnostics -DNS lookup, resolver is able to look up the site and return the IP address. However, if I try to ping or traceroute to the site (either by name or IP address), there is no connection. Rebooting pfSense fixes the problem, but then it recurs at some variable amount of time later (generally 1 to several days, but it varies and does not seem to be predictable).
I have pfBlocker NG installed, but I have feedly.com whitelisted, and feedly.com does not appear in any of the block lists. Additionally, feedly.com does not appear in the pfBlocker logs to indicate that it is being blocked.
Additionally, I have not seen feedly.com on any of the firewall logs.
How can I work this problem? Any suggestions would be welcome.
-
One thing to add that might be a clue.
When I check under Status - DNS resolver, feedly.com is listed as
173.245.58.102 feedly.com.
173.245.59.143 feedly.com.However, when I do a DNS lookup for feedly.com, I get
104.20.60.241
104.20.59.241Could this be the source of the issue? What do I do to fix it?
-
What your seeing for status there is the NS for that domain, which are cloudflare NS..
; QUESTION SECTION: ;feedly.com. IN NS ;; ANSWER SECTION: feedly.com. 86400 IN NS anna.ns.cloudflare.com. feedly.com. 86400 IN NS sid.ns.cloudflare.com.I am on the same box as you 4860, but that really doesn't have anything to do with it... I am not having any issues accessing that site currently.. Never been on it before.
You sure when your having issues, its just not that unbound has restarted or something.. pfblocker can delay unbounds startup time.
The TTL on those records is really low at 5 minutes.
;feedly.com. IN A ;; ANSWER SECTION: feedly.com. 300 IN A 104.20.59.241 feedly.com. 300 IN A 104.20.60.241Couple of things you could do when you have problems resolving.. You could turn on prefetching, you could enable return on 0 ttl. And you could also set a min ttl, ie have mine set to 1 hour 3600 seconds. Because I think its just asinine to use such short ttls for a record 5 minutes... JFC people really!! ;)
in advanced enable
Prefetch Support
Serve Expired
If you want set your
Minimum TTL for RRsets and Messages
to something like 3600, or 1200 or something so your caching stuff like this for more than 5 freaking minutes. -
I don't think it is unbound restarting, as all other sites resolve properly when this behavior occurs, and there are no entries in the unbound logs indicating that it restarted.
I applied the settings you recommended, but no joy. Still not resolving feedly.com.
I am mystified by this. -
Can you directly query the NS? Do a dig plus trace to see where you might be failing..
[2.4.4-RELEASE][admin@sg4860.local.lan]/root: dig feedly.com +trace ; <<>> DiG 9.12.2-P1 <<>> feedly.com +trace ;; global options: +cmd . 55245 IN NS h.root-servers.net. . 55245 IN NS k.root-servers.net. . 55245 IN NS e.root-servers.net. . 55245 IN NS m.root-servers.net. . 55245 IN NS c.root-servers.net. . 55245 IN NS f.root-servers.net. . 55245 IN NS i.root-servers.net. . 55245 IN NS g.root-servers.net. . 55245 IN NS b.root-servers.net. . 55245 IN NS j.root-servers.net. . 55245 IN NS a.root-servers.net. . 55245 IN NS d.root-servers.net. . 55245 IN NS l.root-servers.net. . 55245 IN RRSIG NS 8 0 518400 20200305190000 20200221180000 33853 . Md9l213wnywkUFV95YPQHkCeE+ZwSJbop+9tJq3SIyBOpUlmRk550Q3R b12eEipqdJr0PqwGX5a4kI0LrtRTRfVw87g2/shLnNU8n8eeeu5AhpYN oieNajpTyijaHBthsOu6mooM9kUyeWr4SAPTJ7ejna5z7MXKLxLp5x65 YWbyxoJZYgqVvrq9UG30Z6xMT2nHLlYJP8jrRVcFm2BRtLSGGTYr/zPu T/CukO9xW0O+VNKgV2QlQ1nWkKBytd3SylJ/cDk7xn6ilQNk1y31B0T3 5mj7xuDY6bspkMMXweDSmADVDX9YHQBs8jMFEpzAYASf3xDU3rHiif5f Qn7yfg== ;; Received 525 bytes from 127.0.0.1#53(127.0.0.1) in 0 ms com. 172800 IN NS a.gtld-servers.net. com. 172800 IN NS b.gtld-servers.net. com. 172800 IN NS c.gtld-servers.net. com. 172800 IN NS d.gtld-servers.net. com. 172800 IN NS e.gtld-servers.net. com. 172800 IN NS f.gtld-servers.net. com. 172800 IN NS g.gtld-servers.net. com. 172800 IN NS h.gtld-servers.net. com. 172800 IN NS i.gtld-servers.net. com. 172800 IN NS j.gtld-servers.net. com. 172800 IN NS k.gtld-servers.net. com. 172800 IN NS l.gtld-servers.net. com. 172800 IN NS m.gtld-servers.net. com. 86400 IN DS 30909 8 2 E2D3C916F6DEEAC73294E8268FB5885044A833FC5459588F4A9184CF C41A5766 com. 86400 IN RRSIG DS 8 1 86400 20200306170000 20200222160000 33853 . nKP5Lv27AOcUTOm757OfCNXwSlfg8v2sgN8bBC6JvkPlCWDl1P9WI7MQ uQeLEkx7/uUV8LIWt9ydzRb0C1ZPAmZQqzcs/AyAS2vZpxg4zPntejA2 U8RrTi2LCNmB3nr6LKGGZIcFMPH9CzLGld2PI6PNJPLE6Fjd/KnfwmLk t3Say5Rc1Q04998aQU56kXwzVy35zni3HZXMrPkKnlW0aMYm3u2UC+Pi HuxP9QrzE7G9QAz/mq2jkf3IjSyi3b4E5gOhGOMpU0gdKAHngVaDLa6W 1Pdv+ksnrqkXAwbFxhzMW8HDC3qEHxxcNWvZBJyvjcWwAsHbUPtcHiTd c1+gMQ== ;; Received 1170 bytes from 192.58.128.30#53(j.root-servers.net) in 50 ms feedly.com. 172800 IN NS sid.ns.cloudflare.com. feedly.com. 172800 IN NS anna.ns.cloudflare.com. CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 86400 IN NSEC3 1 1 0 - CK0Q1GIN43N1ARRC9OSM6QPQR81H5M9A NS SOA RRSIG DNSKEY NSEC3PARAM CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 86400 IN RRSIG NSEC3 8 2 86400 20200227054927 20200220043927 56311 com. A7zRR2FLhyIgXRnCDNNvgAx2rJS8Rmn1XVVobuXfiDuGSvok2VpUPFfq cSN1rspiJJxCuU1z0IP5QL6zVUroFJ6JEghztjdP+P8l0rpE28/MEJz6 XHIagMgIVeUQfmDgzvBvk8ufccBKbrMJ6CWsmtJZYIjp+5Bar5qx7Ekr +QfZbnhvW2bmnLuUxK57EhVDcdpllDVYBxxjye0EU60l5Q== 3I8E1G3SLVIC3HRKRAQSO6EK28ISKHP7.com. 86400 IN NSEC3 1 1 0 - 3I8FF9SHMK4CDS6I5ID1K3FROQE4EUPK NS DS RRSIG 3I8E1G3SLVIC3HRKRAQSO6EK28ISKHP7.com. 86400 IN RRSIG NSEC3 8 2 86400 20200229055410 20200222044410 56311 com. jomgLV9NMlv4s8S+WeAWT7lq3AUzv0Ij0KcEneyjQYXyCGktENfZBAfr g1qlt1eZBVwG8jIXh+zmfSbW5QLVzRLjTC0WuuDMWOW8S2mkpt3cWfY3 yHwNNZgP3zobIylthc+VnC+jhEqeQavOnlyVv10XUX4Ceyg/k7MTnSR3 Svq9A+CNrdZLztwXlHEQ8/mCZU+BFLMXGfNkFYK6+V7hHQ== ;; Received 727 bytes from 2001:502:1ca1::30#53(e.gtld-servers.net) in 38 ms feedly.com. 300 IN A 104.20.59.241 feedly.com. 300 IN A 104.20.60.241 ;; Received 71 bytes from 173.245.59.143#53(sid.ns.cloudflare.com) in 23 msThose settings won't help resolve something that is specifically failing if you have not atleast resolved it once.
-
@johnpoz said in Strange issue - not sure how to fix:
dig feedly.com +trace
This is the output:
; <<>> DiG 9.12.2-P1 <<>> feedly.com +trace
;; global options: +cmd
. 86247 IN NS b.root-servers.net.
. 86247 IN NS e.root-servers.net.
. 86247 IN NS l.root-servers.net.
. 86247 IN NS g.root-servers.net.
. 86247 IN NS f.root-servers.net.
. 86247 IN NS i.root-servers.net.
. 86247 IN NS k.root-servers.net.
. 86247 IN NS d.root-servers.net.
. 86247 IN NS a.root-servers.net.
. 86247 IN NS m.root-servers.net.
. 86247 IN NS h.root-servers.net.
. 86247 IN NS c.root-servers.net.
. 86247 IN NS j.root-servers.net.
. 86247 IN RRSIG NS 8 0 518400 20200306170000 20200222160000 33853 . OllzbzJsOGxkm+P/Ey6qfFo8aQAw2uj4myYKF8VK5wW/2wxfpUNvRpfR zqrknCl2bYIuW/NtVVqrfD/u8NxeMEqOf44O7SjHj6xEvEVlDnb+L3tU rb2q3yUOKROLKd4hsjNWqzYqX8ceP9ZfFnSMGrDEZLgS64/SK3QRHY74 XEGj1knstNH7iRjvUt/DH851ViURrJ+sQCnw0eXWqkKsgF27arrQES3T vgnW7VvEal5bPgLNImafvgmiHmjL74No2QlRUtWl2KpspZqqiXZOe3lr HIMnZJhY5ku8QB35u9Yxb/YX6b5yo0u9xv4akOB8rYKlzwLRw9/ilQ2a vhDQRQ==
;; Received 525 bytes from 127.0.0.1#53(127.0.0.1) in 0 ms;; connection timed out; no servers could be reached
What does this tell me?
-
Tells me you are not able to talk to any of the roots!! So nothing going to resolve.. Only stuff you have cached already is going to be able to resolve.
-
That is strange. Because I am having no trouble accessing any other sites, including sites where I have never browsed before.
How do I solve that issue? Any pointers?
-
Well why can you not query the roots... Try to query one..
[2.4.4-RELEASE][admin@sg4860.local.lan]/root: dig @h.root-servers.net com NS ; <<>> DiG 9.12.2-P1 <<>> @h.root-servers.net com NS ; (2 servers found) ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54900 ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 27 ;; WARNING: recursion requested but not available ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4096 ;; QUESTION SECTION: ;com. IN NS ;; AUTHORITY SECTION: com. 172800 IN NS a.gtld-servers.net. com. 172800 IN NS b.gtld-servers.net. com. 172800 IN NS c.gtld-servers.net. com. 172800 IN NS d.gtld-servers.net. com. 172800 IN NS e.gtld-servers.net. com. 172800 IN NS f.gtld-servers.net. com. 172800 IN NS g.gtld-servers.net. com. 172800 IN NS h.gtld-servers.net. com. 172800 IN NS i.gtld-servers.net. com. 172800 IN NS j.gtld-servers.net. com. 172800 IN NS k.gtld-servers.net. com. 172800 IN NS l.gtld-servers.net. com. 172800 IN NS m.gtld-servers.net. ;; ADDITIONAL SECTION: a.gtld-servers.net. 172800 IN A 192.5.6.30 b.gtld-servers.net. 172800 IN A 192.33.14.30 c.gtld-servers.net. 172800 IN A 192.26.92.30 d.gtld-servers.net. 172800 IN A 192.31.80.30 e.gtld-servers.net. 172800 IN A 192.12.94.30 f.gtld-servers.net. 172800 IN A 192.35.51.30 g.gtld-servers.net. 172800 IN A 192.42.93.30 h.gtld-servers.net. 172800 IN A 192.54.112.30 i.gtld-servers.net. 172800 IN A 192.43.172.30 j.gtld-servers.net. 172800 IN A 192.48.79.30 k.gtld-servers.net. 172800 IN A 192.52.178.30 l.gtld-servers.net. 172800 IN A 192.41.162.30 m.gtld-servers.net. 172800 IN A 192.55.83.30 a.gtld-servers.net. 172800 IN AAAA 2001:503:a83e::2:30 b.gtld-servers.net. 172800 IN AAAA 2001:503:231d::2:30 c.gtld-servers.net. 172800 IN AAAA 2001:503:83eb::30 d.gtld-servers.net. 172800 IN AAAA 2001:500:856e::30 e.gtld-servers.net. 172800 IN AAAA 2001:502:1ca1::30 f.gtld-servers.net. 172800 IN AAAA 2001:503:d414::30 g.gtld-servers.net. 172800 IN AAAA 2001:503:eea3::30 h.gtld-servers.net. 172800 IN AAAA 2001:502:8cc::30 i.gtld-servers.net. 172800 IN AAAA 2001:503:39c1::30 j.gtld-servers.net. 172800 IN AAAA 2001:502:7094::30 k.gtld-servers.net. 172800 IN AAAA 2001:503:d2d::30 l.gtld-servers.net. 172800 IN AAAA 2001:500:d937::30 m.gtld-servers.net. 172800 IN AAAA 2001:501:b1f9::30 ;; Query time: 45 msec ;; SERVER: 198.97.190.53#53(198.97.190.53) ;; WHEN: Sat Feb 22 16:49:09 CST 2020 -
@johnpoz said in Strange issue - not sure how to fix:
dig @h.root-servers.net com NS
; <<>> DiG 9.12.2-P1 <<>> @h.root-servers.net com NS
; (2 servers found)
;; global options: +cmd
;; connection timed out; no servers could be reached -
your not even getting an IP? dig to IP.
[2.4.4-RELEASE][admin@sg4860.local.lan]/root: dig h.root-servers.net ; <<>> DiG 9.12.2-P1 <<>> h.root-servers.net ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31354 ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4096 ;; QUESTION SECTION: ;h.root-servers.net. IN A ;; ANSWER SECTION: h.root-servers.net. 85798 IN A 198.97.190.53 ;; Query time: 0 msec ;; SERVER: 127.0.0.1#53(127.0.0.1) ;; WHEN: Sat Feb 22 16:51:18 CST 2020 ;; MSG SIZE rcvd: 63Then try and dig to that IP..
dig @198.97.190.53 com ns
If your not getting back IPs from unbound for roots - then yeah your going to have all kinds of issues!! You would only be able to resolve stuff that you have IPs to be able to ask those NS.
-
@johnpoz said in Strange issue - not sure how to fix:
dig h.root-servers.net
I just rebooted, so I am able to access feedly.com again. But who knows for how long?
This is the output:
; <<>> DiG 9.12.2-P1 <<>> h.root-servers.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8969
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;h.root-servers.net. IN A;; ANSWER SECTION:
h.root-servers.net. 86400 IN A 198.97.190.53;; Query time: 3199 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sat Feb 22 17:57:27 EST 2020
;; MSG SIZE rcvd: 63; <<>> DiG 9.12.2-P1 <<>> @198.97.190.53 com ns
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49732
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 27
;; WARNING: recursion requested but not available;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;com. IN NS;; AUTHORITY SECTION:
com. 172800 IN NS a.gtld-servers.net.
com. 172800 IN NS b.gtld-servers.net.
com. 172800 IN NS c.gtld-servers.net.
com. 172800 IN NS d.gtld-servers.net.
com. 172800 IN NS e.gtld-servers.net.
com. 172800 IN NS f.gtld-servers.net.
com. 172800 IN NS g.gtld-servers.net.
com. 172800 IN NS h.gtld-servers.net.
com. 172800 IN NS i.gtld-servers.net.
com. 172800 IN NS j.gtld-servers.net.
com. 172800 IN NS k.gtld-servers.net.
com. 172800 IN NS l.gtld-servers.net.
com. 172800 IN NS m.gtld-servers.net.;; ADDITIONAL SECTION:
a.gtld-servers.net. 172800 IN A 192.5.6.30
b.gtld-servers.net. 172800 IN A 192.33.14.30
c.gtld-servers.net. 172800 IN A 192.26.92.30
d.gtld-servers.net. 172800 IN A 192.31.80.30
e.gtld-servers.net. 172800 IN A 192.12.94.30
f.gtld-servers.net. 172800 IN A 192.35.51.30
g.gtld-servers.net. 172800 IN A 192.42.93.30
h.gtld-servers.net. 172800 IN A 192.54.112.30
i.gtld-servers.net. 172800 IN A 192.43.172.30
j.gtld-servers.net. 172800 IN A 192.48.79.30
k.gtld-servers.net. 172800 IN A 192.52.178.30
l.gtld-servers.net. 172800 IN A 192.41.162.30
m.gtld-servers.net. 172800 IN A 192.55.83.30
a.gtld-servers.net. 172800 IN AAAA 2001:503:a83e::2:30
b.gtld-servers.net. 172800 IN AAAA 2001:503:231d::2:30
c.gtld-servers.net. 172800 IN AAAA 2001:503:83eb::30
d.gtld-servers.net. 172800 IN AAAA 2001:500:856e::30
e.gtld-servers.net. 172800 IN AAAA 2001:502:1ca1::30
f.gtld-servers.net. 172800 IN AAAA 2001:503:d414::30
g.gtld-servers.net. 172800 IN AAAA 2001:503:eea3::30
h.gtld-servers.net. 172800 IN AAAA 2001:502:8cc::30
i.gtld-servers.net. 172800 IN AAAA 2001:503:39c1::30
j.gtld-servers.net. 172800 IN AAAA 2001:502:7094::30
k.gtld-servers.net. 172800 IN AAAA 2001:503:d2d::30
l.gtld-servers.net. 172800 IN AAAA 2001:500:d937::30
m.gtld-servers.net. 172800 IN AAAA 2001:501:b1f9::30;; Query time: 27 msec
;; SERVER: 198.97.190.53#53(198.97.190.53)
;; WHEN: Sat Feb 22 17:57:53 EST 2020
;; MSG SIZE rcvd: 828Does it matter that my DNS is set to 127.0.0.1?
-
That was after you rebooted.. Or was that before you rebooted... You shouldn't have to reboot - just restart unbound.
-
if you are resolving - then yes your dns should be set to loopback! That is unbound directly..
-
This was after I rebooted. Prior to that, I did in fact restart unbound manually, but it did not fix the problem. Rebooting always solves this issue, for some length of time, but then it always recurs
It occurs to me that the reason I can access sites in the browser that I have never accessed before even when I am experiencing this issue is that I am using Firefox, which internally sets its own DNS to cloudfare DNS. So it is probably bypassing the pfSense DNS and allowing me to access these sites. So it was masking the issue. Strangely though, it was still not allowing me to access feedly.com. So something is still being blocked somewhere at some point.
-
Other than rebooting, is there anything else I can try to get Unbound connected to the root servers when this occurs again?
-
@pfguy2018 said in Strange issue - not sure how to fix:
which internally sets its own DNS to cloudfare DNS
Mine doesn't - I have that shit turned off!! F that going to hand everything to cloudflare..
I would validate the query is actually going out, or not... Do a sniff on your wan - are you seeing dns going out.. Up the logging of unbound to see if you can see errors, etc.
If your saying restarting unbound doesn't fix it but reboot, then points to something with the connection... Sniff to see if your dns goes out and your just not getting an answer.
-
I don't see any errors in the unbound log at level 2 or 3 logging. I am not sure how to sniff the WAN traffic - can you point me to some instructions for how to do that?
-
Go to diag menu, packet capture - pick your wan interface.
-
Doing that, how do I check if the root servers are being queried?
