Netgate Discussion Forum

    DNS not working after update to 2.4.5-RELEASE-p1

      MarekAndreansky

      Can't resolve any hostnames, tried turning forwarding on and off without any effect.

      Which logs would help in troubleshooting?

      The DNS resolver logs show

      "info: failed to prime trust anchor -- could not fetch DNSKEY rrset . DNSKEY IN"
      

      I have pfBlockerNG installed as well, tried disabling but that did not help.

        MarekAndreansky

        Disabling DNSSEC Support in DNS Resolver / General Settings did allow me to resolve DNS.

        But I am surprised this broke after the update.

          marcnarc

          My DNS just stopped working a couple of hours ago. I'm on plain 2.4.5, using the DNS Resolver, and I had DNSSEC enabled. This has been working fine for months.

          It looks like a recent update of the /var/unbound/root.key file maybe made things ooky?

          [2.4.5-RELEASE][root@mirage.home]/var/unbound: unbound-host -C /var/unbound/unbound.conf -t A google.com
          [1592681234] libunbound[71916:0] notice: init module 0: validator
          [1592681234] libunbound[71916:0] error: unable to open /root.key for reading: No such file or directory
          [1592681234] libunbound[71916:0] error: error reading auto-trust-anchor-file: /var/unbound/root.key
          [1592681234] libunbound[71916:0] error: validator: error in trustanchors config
          [1592681234] libunbound[71916:0] error: validator: could not apply configuration settings.
          [1592681234] libunbound[71916:0] error: module init for module validator failed
          resolve error: initialization failure
          

          I tried deleting the file and restarting unbound (which re-creates the file) but no luck. While in this state, the unbound process was chewing up the CPU, and my state table was full.

          The bad root.key file is (I have no idea if this is truly bad or not):

          ; autotrust trust anchor file
          ;;id: . 1
          ;;last_queried: 1592677389 ;;Sat Jun 20 14:23:09 2020
          ;;last_success: 1592677389 ;;Sat Jun 20 14:23:09 2020
          ;;next_probe_time: 1592719788 ;;Sun Jun 21 02:09:48 2020
          ;;query_failed: 0
          ;;query_interval: 43200
          ;;retry_time: 8640
          .       86400   IN      DNSKEY  257 3 8 AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU= ;{id = 20326 (ksk), size = 2048b} ;;state=2 [  VALID  ] ;;count=0 ;;lastchange=1592144646 ;;Sun Jun 14 10:24:06 2020
          

          Things only started working again when I disabled DNSSEC. (Or when I enabled Forwarding Mode, but I prefer to do my own DNS resolution.)

          Lovely way to spend a couple of hours on a sunny Saturday afternoon! 😃

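An added example, not part of any post in this thread and not pfSense or unbound code: a check of an autotrust file such as the root.key posted above. It recomputes the RFC 4034 key tag of each DNSKEY record, compares it with the `id =` comment on the same line, and reports whether a key with the KSK flag is in the VALID state. The function names and the sample file with its toy 3-byte key are constructed for illustration.

```python
import base64, re, sys

def key_tag(flags, protocol, algorithm, pubkey):
    """RFC 4034 Appendix B key tag, computed over the DNSKEY RDATA."""
    rdata = flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

DNSKEY_RE = re.compile(r"^(\S+)\s+\d+\s+IN\s+DNSKEY\s+(\d+)\s+(\d+)\s+(\d+)\s+"
                       r"([A-Za-z0-9+/=\s]+?)\s*(;.*|)$")

def check_anchor_file(text):
    """Return (anchors, problems) for the text of an autotrust file."""
    anchors, problems = [], []
    meta = dict(re.findall(r"^;;(\w+):[ \t]*(\S+)", text, re.M))
    if meta.get("query_failed", "0") != "0":
        problems.append("query_failed=" + meta["query_failed"])
    for line in text.splitlines():
        m = DNSKEY_RE.match(line.strip())
        if not m:
            continue
        owner, flags, proto, alg, b64, comment = m.groups()
        try:
            pub = base64.b64decode("".join(b64.split()), validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            problems.append("DNSKEY public key is not valid base64")
            continue
        tag = key_tag(int(flags), int(proto), int(alg), pub)
        claimed = re.search(r"id = (\d+)", comment)
        state = re.search(r"state=\d+ \[\s*(\w+)\s*\]", comment)
        if claimed and int(claimed.group(1)) != tag:
            problems.append(f"key tag {tag} != id {claimed.group(1)} in comment")
        anchors.append({"owner": owner, "flags": int(flags), "tag": tag,
                        "state": state.group(1) if state else "UNKNOWN"})
    if not any(a["state"] == "VALID" and a["flags"] & 1 for a in anchors):
        problems.append("no VALID key with the SEP (KSK) flag set")
    return anchors, problems

# Constructed sample in the layout of an autotrust file; the 3-byte key is a toy value.
SAMPLE = """; autotrust trust anchor file
;;id: . 1
;;query_failed: 0
. 86400 IN DNSKEY 257 3 8 AQID ;{id = 2059 (ksk), size = 24b} ;;state=2 [  VALID  ] ;;count=0
"""

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    print(check_anchor_file(text))
```

Run with the path to the file as the only argument. A matching tag shows the file is internally consistent; confirming that the key is the genuine root KSK still requires comparing it with the trust anchor IANA publishes.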
            jward311

            I'm glad I'm not the only one. I thought I was going crazy this morning. I applied the update a couple of days ago and all went fine. This morning after making one firewall rule change, I had issues resolving DNS. I use DNS-over-TLS and only when I toggled (Unchecked & saved - Rechecked & saved) the "Use SSL/TLS for outgoing DNS Queries to Forwarding Servers" under the DNS Resolver settings, did it start resolving properly. Very strange.
