DNS not resolving

  • Hello,
    I've been having some problems setting up my SG-1100.
    The DNS resolver doesn't work, whatever I try.
    I've reset everything to the factory defaults, changed nothing (except for WAN -> PPPoE)
    In the services everything appears to be running, but when I do a DNS lookup diag, No Repsonse.
    Pinging external addresses works, so internet access is fine.
    I did notice this error in the logs every time I restart the service:
    Mar 17 19:31:24 php-fpm 364 /services_unbound.php: Unbound /var/unbound/root.key file is corrupt, removing and recreating.
    I'm probably missing something, but I have no idea what...

  • LAYER 8

    is it pfsense 2.4.4-p3 ? i can find this king of trouble only for old version of pfsense
    anyway you can try to repair that file from console with

    unbound-anchor -a "/var/unbound/root.key"

    if it does not work open a ticket at https://go.netgate.com and ask for instruction on how to reinstall pfsense

  • @kiokoman said in DNS not resolving:

    unbound-anchor -a "/var/unbound/root.key"

    Thanks for the fast reply.
    It's the latest version: 2.4.4-RELEASE-p3 (arm64)
    Unfortunately, the repair didn't help much.
    I did get it to work in forward mode without DNSSEC, so I'm saved for the moment.
    I'll put in a ticket to request the factory image to reinstall pfsense.

  • Ok, I've found some time and restored the factory image I got from netgate support.
    I've retried, but did not help.
    My modem is configured in bridge mode, and now i've set it to router, and reconfigured my WAN interface, and now I can run the unbound-anchor without any problems!
    Does anybody know what could be the cause of this? Or how I could analyze what's blocking the root.key update?

  • LAYER 8

    probably a routing issue, that command download stuff from internet
    maybe try with
    unbound-anchor -4 -a "/var/unbound/root.key"

    you can use truss to see what's happening if it does not work
    truss unbound-anchor -4 -a "/var/unbound/root.key"

  • @Gertjan No, I had stumbled upon that thread and removed the certificates to test, but still got the same error.
    @kiokoman Tried it, but no luck, couldn't get the root.key to be verified. But it did somewhat point me in the right direction. Certain things weren't getting through.

    I had an older router/modem lying around, and I swapped the current one with the one had had lying around. Set it to bridge, started the PPPoE session and now everything seems to be working fine. Ran the unbound-anchor command and immediately got the response success: the anchor is ok

    Don't know what causes this this to fail on the newer modem, but now it works and that's all I care about ;)

    Thanks for your help!

  • LAYER 8

    uhm maybe a firmware bug on that modem 🤷

  • @WaxBear_79 said in DNS not resolving:

    the anchor is ok

    Make a copy of it ! Or know that you can download it yourself from : https://www.iana.org/dnssec/files and as you can see it's really signed :)
    Know that that anchor - root key file can change !
    See the root key (anchor) here in action : every DNSSEC protected domain has this root key (20326) as the starting trusted key. Those who govern that root key can decide to rotate it - but this one is there to stay for a while.

    Btw : for your mental health : try do some DNNSEC yourself on your domain(s) (when just DNS is simply boring) : you'll love it. When you've done that, go for DANE support. Your domain and certs will stand against any possible imaginable Internet fail and hack, as they said ...

    Also : domains that host critical system update files should be DNSSEC protected. If not, a DNS spoof would get our routers update/upgrade code from .... somewhere else. That would kill that brand instantly. Hey Netgate, Listening ? DNSSEC isn't 'hard' anymore.

  • LAYER 8 Global Moderator

    @Gertjan said in DNS not resolving:

    Hey Netgate, Listening ? DNSSEC isn't 'hard' anymore.

    I concur, not sure why netgate.com isn't signed..

  • LAYER 8

    ahh regitrar are like mafia, most of them ask money to add dnssec like it's something special they need to do, godaddy ask for 40$ year for that 👎

  • LAYER 8 Global Moderator

    Registars I have don't ask for anything extra, namecheap and dyndot..

    And even if they did, pretty sure netgate could afford the $40 ;)

  • @kiokoman said in DNS not resolving:

    ahh regitrar are like mafia, most of them ask money to add ...

    Not mafia. They are members of the free world. Any one can ask money for their services.
    Maybe you a have registrar with real people that actuality answer the phone and think with you ^^ That's worth some €.

    Most registrars have a web interface to 'admin' your domain yourself. Or an API, or a web interface that uses their own API to update the registrar manipulations. No need to call them for that (and if you tried, you would be waiting for them, they have to answer the guy that bought a domain name before yesterday, uploaded a site yesterday and wanted to know why his site isn't listed rank 1 Google today).

    I do rotate my KSK's manually every xx months using my registrars web interface because it's somewhat time critical over a several weeks period. ZSK can be done on the DNS server itself - I'm not using my domain registrar facilities. "bind" has been made to that just fine.
    Here you have an out-phasing ZSK on one of my domains : "39459"' : ZSK's are easy to handle.
    KSK's, on the other hand, ask for some concentration. An error WILL blow you site of the Internet and a "restart service" will not bring it back.

    Btw : sorry - went out of subject .... which was
    "/var/unbound/root.key" using PPPoE (using SG1100 ?) (using non-public pfSEnse firmware ?) refuses to refresh.

Log in to reply