Netgate Discussion Forum

    DNS not resolving

Category: DHCP and DNS
    13 Posts 4 Posters 1.1k Views
WaxBear_79

      Hello,
      I've been having some problems setting up my SG-1100.
      The DNS resolver doesn't work, whatever I try.
      I've reset everything to the factory defaults, changed nothing (except for WAN -> PPPoE)
In the services everything appears to be running, but when I do a DNS lookup diag, 127.0.0.1: No Response.
      Pinging external addresses works, so internet access is fine.
      I did notice this error in the logs every time I restart the service:
      Mar 17 19:31:24 php-fpm 364 /services_unbound.php: Unbound /var/unbound/root.key file is corrupt, removing and recreating.
      I'm probably missing something, but I have no idea what...

kiokoman (LAYER 8)

Is it pfSense 2.4.4-p3? I can find this kind of trouble only for old versions of pfSense.
Anyway, you can try to repair that file from the console with

        unbound-anchor -a "/var/unbound/root.key"
        

If it does not work, open a ticket at https://go.netgate.com and ask for instructions on how to reinstall pfSense.

        ̿' ̿'\̵͇̿̿\з=(◕_◕)=ε/̵͇̿̿/'̿'̿ ̿
        Please do not use chat/PM to ask for help
        Don't forget to Upvote with the 👍 button for any post you find to be helpful.

WaxBear_79

          @kiokoman said in DNS not resolving:

          unbound-anchor -a "/var/unbound/root.key"

          Thanks for the fast reply.
          It's the latest version: 2.4.4-RELEASE-p3 (arm64)
          Unfortunately, the repair didn't help much.
          I did get it to work in forward mode without DNSSEC, so I'm saved for the moment.
          I'll put in a ticket to request the factory image to reinstall pfsense.

WaxBear_79

Ok, I've found some time and restored the factory image I got from Netgate support.
I've retried, but it did not help.
My modem was configured in bridge mode; now I've set it to router and reconfigured my WAN interface, and now I can run the unbound-anchor without any problems!
Does anybody know what could be the cause of this? Or how I could analyze what's blocking the root.key update?

kiokoman (LAYER 8)

Probably a routing issue; that command downloads stuff from the internet.
Maybe try with
              unbound-anchor -4 -a "/var/unbound/root.key"

You can use truss to see what's happening if it does not work:
              truss unbound-anchor -4 -a "/var/unbound/root.key"

Gertjan

Look also here: https://forum.netgate.com/topic/143841/netgate-sg-1100-2-4-4-release-p3-unbound-won-t-start - same issue?

                No "help me" PM's please. Use the forum, the community will thank you.
                Edit : and where are the logs ??

WaxBear_79

@Gertjan No, I had stumbled upon that thread and removed the certificates to test, but still got the same error.
@kiokoman Tried it, but no luck, couldn't get the root.key to be verified. But it did somewhat point me in the right direction. Certain things weren't getting through.

I had an older router/modem lying around, and I swapped the current one with the one I had lying around. Set it to bridge, started the PPPoE session and now everything seems to be working fine. Ran the unbound-anchor command and immediately got the response "success: the anchor is ok".

Don't know what causes this to fail on the newer modem, but now it works and that's all I care about ;)

                  Thanks for your help!

kiokoman (LAYER 8)

Uhm, maybe a firmware bug on that modem 🤷

Gertjan, replying to WaxBear_79

                      @WaxBear_79 said in DNS not resolving:

                      the anchor is ok

Make a copy of it! Or know that you can download it yourself from https://www.iana.org/dnssec/files and, as you can see, it's really signed :)
Know that that anchor (root key file) can change!
See the root key (anchor) here in action: every DNSSEC-protected domain has this root key (20326) as the starting trusted key. Those who govern that root key can decide to rotate it, but this one is there to stay for a while.

Btw, for your mental health: try to do some DNSSEC yourself on your domain(s) (when just DNS is simply boring): you'll love it. When you've done that, go for DANE support. Your domain and certs will stand against any possible imaginable Internet fail and hack, as they say ...

Also: domains that host critical system update files should be DNSSEC protected. If not, a DNS spoof would get our routers' update/upgrade code from .... somewhere else. That would kill that brand instantly. Hey Netgate, listening? DNSSEC isn't 'hard' anymore.


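An added example, not code from this thread, from Netgate or from the unbound project, that does the two things suggested in the posts above: compares the anchor in root.key with what IANA publishes for key tag 20326 (the "make a copy / download it from iana.org" advice), and reads the probe counters unbound keeps in that same file, which is where to look when asking what is blocking the root.key update. For context, unbound-anchor first probes the root DNSKEY per RFC 5011 and otherwise fetches root-anchors.xml and its .p7s signature over HTTPS from data.iana.org, so a modem that interferes with either path leaves the anchor unverified. The autotrust layout (the ";;last_success", ";;query_failed" and ";;state=" annotations) is as unbound writes it; the sample file below is constructed, with made-up timestamps, around the real IANA-published KSK-2017 DNSKEY, key tag and DS digest. Key tag and DS are computed per RFC 4034 (Appendix B and section 5.1.4), so a copy of root.key can be checked with no network access at all. The findings in diagnose() and their thresholds are my own choice.

```python
# Added example: offline check of an Unbound autotrust root.key against the IANA root DS.
# Sample file and its timestamps are constructed; DNSKEY, tag 20326 and DS are IANA-published values.
import base64
import hashlib
import re

# Root DS as published by IANA (https://www.iana.org/dnssec/files): key tag -> (algorithm, SHA-256 digest)
IANA_ROOT_DS = {20326: (8, "E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D")}

ROOT_KSK_2017_B64 = (  # KSK-2017 public key, the same bytes unbound ships in its own root.key
    "AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq"
    "7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnI"
    "DdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb"
    "9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTId"
    "sIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qih"
    "ylGa8subX2Nn6UwNR1AkUTV74bU="
)

# Constructed sample in the layout unbound's autotrust module writes (timestamps made up).
SAMPLE_ROOT_KEY = f"""\
; autotrust trust anchor file
;;id: . 1
;;last_queried: 1552851084 ;;Sun Mar 17 19:31:24 2019
;;last_success: 1552851084 ;;Sun Mar 17 19:31:24 2019
;;next_probe_time: 1552894284 ;;Mon Mar 18 07:31:24 2019
;;query_failed: 0
;;query_interval: 43200
;;retry_time: 8640
.\t86400\tIN\tDNSKEY\t257 3 8 {ROOT_KSK_2017_B64} ;{{id = 20326 (ksk), size = 2048b}} ;;state=2 [  VALID  ] ;;count=0 ;;lastchange=1552851084 ;;Sun Mar 17 19:31:24 2019
"""


def name_to_wire(name):
    """Uncompressed, lower-cased wire form of an owner name; the root "." is a single zero byte."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.lower().encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, pubkey):
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey


def key_tag(flags, protocol, algorithm, pubkey):
    """RFC 4034 Appendix B key tag (the 20326 in the root.key comment), for algorithms other than 1."""
    ac = 0
    for i, byte in enumerate(dnskey_rdata(flags, protocol, algorithm, pubkey)):
        ac += byte << 8 if i % 2 == 0 else byte
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_sha256(owner, flags, protocol, algorithm, pubkey):
    """RFC 4034 5.1.4 DS digest type 2: SHA-256 over owner wire name + DNSKEY RDATA, upper-case hex."""
    return hashlib.sha256(name_to_wire(owner) + dnskey_rdata(flags, protocol, algorithm, pubkey)).hexdigest().upper()


def parse_autotrust(text):
    """Return (probe metadata, [one dict per DNSKEY line]) from an autotrust-format file."""
    meta, anchors = {}, []
    for line in text.splitlines():
        m = re.match(r";;(last_queried|last_success|next_probe_time|query_failed):\s*(\d+)", line)
        if m:
            meta[m.group(1)] = int(m.group(2))
        elif not line.startswith(";") and "DNSKEY" in line:
            record, _, comment = line.partition(";")        # comment carries unbound's {id = ..} and ;;state=
            owner, _ttl, _cls, _type, flags, proto, alg, b64 = record.split()[:8]
            flags, proto, alg, pubkey = int(flags), int(proto), int(alg), base64.b64decode(b64)
            state = re.search(r";;state=\d+\s*\[\s*([A-Z]+)\s*\]", comment)
            claimed = re.search(r"\{id = (\d+)", comment)
            anchors.append({
                "owner": owner, "algorithm": alg,
                "is_ksk": bool(flags & 1),                   # SEP bit set => key-signing key
                "key_tag": key_tag(flags, proto, alg, pubkey),
                "claimed_tag": int(claimed.group(1)) if claimed else None,
                "state": state.group(1) if state else "UNKNOWN",
                "ds_sha256": ds_sha256(owner, flags, proto, alg, pubkey),
            })
    return meta, anchors


def check_against_iana(anchors, published=IANA_ROOT_DS):
    """Per key tag: does (algorithm, DS digest) equal what IANA publishes for that tag?"""
    return {a["key_tag"]: published.get(a["key_tag"]) == (a["algorithm"], a["ds_sha256"]) for a in anchors}


def diagnose(meta, anchors, published=IANA_ROOT_DS):
    """Findings worth acting on; an empty list means the file looks healthy (thresholds are mine)."""
    findings = []
    if meta.get("query_failed", 0) > 0:
        findings.append(f"{meta['query_failed']} RFC 5011 probe failures recorded: no validated root DNSKEY answer is getting through")
    if not any(a["state"] == "VALID" for a in anchors):
        findings.append("no anchor in VALID state")
    for a in anchors:
        if a["claimed_tag"] is not None and a["claimed_tag"] != a["key_tag"]:
            findings.append(f"comment claims id {a['claimed_tag']} but key data computes to {a['key_tag']}: file edited or truncated")
    for tag, ok in check_against_iana(anchors, published).items():
        if not ok:
            findings.append(f"key tag {tag} does not match an IANA-published root DS")
    return findings


if __name__ == "__main__":
    import sys
    meta, anchors = parse_autotrust(open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_ROOT_KEY)
    for a in anchors:
        print(f"{a['owner']} tag={a['key_tag']} ksk={a['is_ksk']} state={a['state']} ds={a['ds_sha256']}")
    print("\n".join(diagnose(meta, anchors) or ["anchor file looks healthy"]))
```

Run it with no argument to see the constructed sample, or point it at a copy of /var/unbound/root.key taken off the box. The findings separate the two failure modes the thread mixes together: an anchor whose key tag or DS does not match IANA (the file itself is wrong, so fetch a fresh one from iana.org as suggested above), versus an anchor that is fine while query_failed keeps climbing (the periodic probe is what the network path is blocking, which is the case a modem in the wrong mode produces).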
johnpoz (LAYER 8, Global Moderator)

                        @Gertjan said in DNS not resolving:

                        Hey Netgate, Listening ? DNSSEC isn't 'hard' anymore.

                        I concur, not sure why netgate.com isn't signed..

                        An intelligent man is sometimes forced to be drunk to spend time with his fools
                        If you get confused: Listen to the Music Play
                        Please don't Chat/PM me for help, unless mod related
                        SG-4860 24.11 | Lab VMs 2.8, 24.11

kiokoman (LAYER 8)

Ahh, registrars are like mafia, most of them ask money to add DNSSEC like it's something special they need to do; GoDaddy asks $40/year for that 👎

johnpoz (LAYER 8, Global Moderator)

Registrars I have don't ask for anything extra, namecheap and dyndot..

And even if they did, pretty sure Netgate could afford the $40 ;)


Gertjan, replying to kiokoman

                              @kiokoman said in DNS not resolving:

Ahh, registrars are like mafia, most of them ask money to add ...

Not mafia. They are members of the free world. Anyone can ask money for their services.
Maybe you have a registrar with real people that actually answer the phone and think with you ^^ That's worth some €.

Most registrars have a web interface to 'admin' your domain yourself. Or an API, or a web interface that uses their own API to update the registrar manipulations. No need to call them for that (and if you tried, you would be waiting for them; they have to answer the guy that bought a domain name the day before yesterday, uploaded a site yesterday and wants to know why his site isn't listed rank 1 on Google today).

I do rotate my KSKs manually every xx months using my registrar's web interface, because it's somewhat time critical over a period of several weeks. ZSKs can be done on the DNS server itself; I'm not using my domain registrar's facilities for that. "bind" has been made to do that just fine.
Here you have an out-phasing ZSK on one of my domains: "39459". ZSKs are easy to handle.
KSKs, on the other hand, ask for some concentration. An error WILL blow your site off the Internet and a "restart service" will not bring it back.

Btw: sorry, went off subject .... which was
"/var/unbound/root.key" using PPPoE (using SG1100?) (using non-public pfSense firmware?) refuses to refresh.


                              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.