Netgate Discussion Forum

Troubleshooting unbound issue - not getting result for query

DHCP and DNS
14 Posts 4 Posters 3.1k Views
    micahbf
    last edited by Nov 23, 2020, 10:26 PM

    Hello!

    I've got unbound set up in forwarding mode, forwarding everything with TLS to nextdns.io.

    I've been trying to get to the bottom of a DNS issue, where doing a lookup of youtu.be from a client comes up empty:

    dig @192.168.1.1 youtu.be
    ; <<>> DiG 9.10.6 <<>> @192.168.1.1 youtu.be
    ; (1 server found)
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 49134
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
    
    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 1232
    ;; QUESTION SECTION:
    ;youtu.be.			IN	A
    
    ;; Query time: 807 msec
    ;; SERVER: 192.168.1.1#53(192.168.1.1)
    ;; WHEN: Mon Nov 23 16:01:57 CST 2020
    ;; MSG SIZE  rcvd: 37
    

    If I go to Diagnostics > DNS Lookup, it resolves correctly:
    [screenshot: Screen Shot 2020-11-23 at 4.16.28 PM.png]

    If I query the DNS server directly, it also resolves correctly:

    kdig +tls-hostname=[redacted].dns.nextdns.io @45.90.28.0 youtu.be
    ;; TLS session (TLS1.3)-(ECDHE-X25519)-(ECDSA-SECP256R1-SHA256)-(AES-256-GCM)
    ;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 41518
    ;; Flags: qr rd ra; QUERY: 1; ANSWER: 1; AUTHORITY: 0; ADDITIONAL: 1
    
    ;; EDNS PSEUDOSECTION:
    ;; Version: 0; flags: ; UDP size: 1220 B; ext-rcode: NOERROR
    ;; PADDING: 71 B
    
    ;; QUESTION SECTION:
    ;; youtu.be.           		IN	A
    
    ;; ANSWER SECTION:
    youtu.be.           	146	IN	A	216.58.192.238
    
    ;; Received 128 B
    ;; Time 2020-11-23 16:24:10 CST
    ;; From 45.90.28.0@853(TCP) in 22.0 ms
    

    I have restarted unbound, which did not help.

    Scratching my head here, any leads would be appreciated!

      micahbf
      last edited by Nov 23, 2020, 10:31 PM

      I should also add that resolving other domains works fine.

      dig @192.168.1.1 youtube.com
      
      ; <<>> DiG 9.10.6 <<>> @192.168.1.1 youtube.com
      ; (1 server found)
      ;; global options: +cmd
      ;; Got answer:
      ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28852
      ;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1
      
      ;; OPT PSEUDOSECTION:
      ; EDNS: version: 0, flags:; udp: 1232
      ;; QUESTION SECTION:
      ;youtube.com.			IN	A
      
      ;; ANSWER SECTION:
      youtube.com.		300	IN	A	64.233.185.91
      youtube.com.		300	IN	A	64.233.185.93
      youtube.com.		300	IN	A	64.233.185.190
      youtube.com.		300	IN	A	64.233.185.136
      
      ;; Query time: 317 msec
      ;; SERVER: 192.168.1.1#53(192.168.1.1)
      ;; WHEN: Mon Nov 23 16:31:02 CST 2020
      ;; MSG SIZE  rcvd: 104
      
        micahbf
        last edited by Nov 23, 2020, 10:43 PM

        Also, I noticed the SERVFAIL on the response, but I don't see anything in the unbound logs.

          micahbf
          last edited by Nov 23, 2020, 11:03 PM

          Hope you all are enjoying this livestream :)

          Seems to be some DNSSEC issue, as when I do dig +cdflag it works.

          I tried unchecking "Harden DNSSEC Data" but that has not resolved the issue.

            bmeeks
            last edited by bmeeks Nov 24, 2020, 12:20 AM Nov 24, 2020, 12:19 AM

            So you never say what type of client is failing to resolve the hostname, and more importantly, is that client using only your pfSense firewall IP for DNS? Do you by chance have some other DNS server being provided to that client?

            The fact that the host resolves correctly from the firewall means pfSense is working fine. So if the client is asking pfSense, it should also be getting the same answer as you are receiving on the firewall directly.

            Do you by chance have the pfBlockerNG-devel package installed with the DNSBL feature enabled? Do you have any other packages installed that might be interfering with the lookup from that client?

            To be honest, your post is confusing. You say the hostname does not resolve on a client, but then everything else you are doing is isolated to just the pfSense firewall itself and you never give us any info about that client. What troubleshooting have you done now on the client since your efforts posted above prove the pfSense side of the DNS equation is working?

              micahbf
              last edited by Nov 24, 2020, 12:25 AM

              Well, here's DNS not working from pfsense:

              [screenshot: Screen Shot 2020-11-23 at 6.20.34 PM.png]

              I do not have pfBlockerNG or any other DNS blockers installed.

                johnpoz LAYER 8 Global Moderator @micahbf
                last edited by johnpoz Nov 24, 2020, 12:40 AM Nov 24, 2020, 12:33 AM

                @micahbf said in Troubleshooting unbound issue - not getting result for query:

                I tried unchecking "Harden DNSSEC Data" but that has not resolved the issue.

                Because that is meaningless when you forward.. So no, that has nothing to do with it.

                SERVFAIL can mean a lot of things. It's a general failure that something went wrong.. And it cannot give you an answer..

                Where exactly are you setting +cdflag? On your client when you query pfsense? If you are forwarding you shouldn't be asking for dnssec at all.. When you forward, where you forward to is doing dnssec or it's not. You asking for it does nothing of worth..

                youtu.be is not dnssec signed btw..

                But I see that the google ns for that domain have some issues

                "ns4.google.com serial (343717709) differs from ns1.google.com serial (343814713)"

                Also you say you're not using any blocklist - but nextdns does support blocklists.

                An intelligent man is sometimes forced to be drunk to spend time with his fools
                If you get confused: Listen to the Music Play
                Please don't Chat/PM me for help, unless mod related
                SG-4860 24.11 | Lab VMs 2.8, 24.11

                  micahbf
                  last edited by Nov 24, 2020, 12:44 AM

                  Setting +cdflag running dig from pfsense itself works:

                  [screenshot: Screen Shot 2020-11-23 at 6.43.41 PM.png]

                    johnpoz LAYER 8 Global Moderator
                    last edited by Nov 24, 2020, 12:47 AM

                    I would suggest you turn off dnssec in unbound, if you're going to forward.. that is what the +cdflag does. nextdns does dnssec, so there is no reason for unbound to be doing anything with dnssec if you're going to forward.

                    It only makes sense to do if you're resolving.


                      micahbf @johnpoz
                      last edited by Nov 24, 2020, 12:48 AM

                      @johnpoz said in Troubleshooting unbound issue - not getting result for query:

                      I would suggest you turn off dnssec in unbound, if you're going to forward.. that is what the +cdflag does. nextdns does dnssec, so there is no reason for unbound to be doing anything with dnssec if you're going to forward.

                      It only makes sense to do if you're resolving.

                      Thank you, I will give that a shot! And will report back here with the requisite unbound config.

                        johnpoz LAYER 8 Global Moderator
                        last edited by johnpoz Nov 24, 2020, 12:54 AM Nov 24, 2020, 12:50 AM

                        So for example - here is them returning servfail for something that fails dnssec..

                        dig @45.90.28.85 www.dnssec-failed.org
                        
                        ; <<>> DiG 9.16.8 <<>> @45.90.28.85 www.dnssec-failed.org
                        ; (1 server found)
                        ;; global options: +cmd
                        ;; Got answer:
                        ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 47731
                        ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
                        
                        ;; QUESTION SECTION:
                        ;www.dnssec-failed.org.         IN      A
                        
                        ;; Query time: 360 msec
                        ;; SERVER: 45.90.28.85#53(45.90.28.85)
                        ;; WHEN: Mon Nov 23 18:49:07 Central Standard Time 2020
                        ;; MSG SIZE  rcvd: 39
                        

                        No reason to ask for dnssec

                        https://help.nextdns.io/en/articles/3941225-does-nextdns-implement-dnssec
                        Yes. NextDNS is a validating DNSSEC resolver. This means that for domains implementing DNSSEC, NextDNS will cryptographically ensure that the response provided matches the intended response of the domain operator.

                        Here I told them with the +cdflag to ignore

                        C:\>dig @45.90.28.85 www.dnssec-failed.org +cdflag
                        
                        ; <<>> DiG 9.16.8 <<>> @45.90.28.85 www.dnssec-failed.org +cdflag
                        ; (1 server found)
                        ;; global options: +cmd
                        ;; Got answer:
                        ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13575
                        ;; flags: qr rd ra cd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
                        
                        ;; OPT PSEUDOSECTION:
                        ; EDNS: version: 0, flags:; udp: 1220
                        ;; QUESTION SECTION:
                        ;www.dnssec-failed.org.         IN      A
                        
                        ;; ANSWER SECTION:
                        www.dnssec-failed.org.  7060    IN      A       69.252.193.191
                        www.dnssec-failed.org.  7060    IN      A       68.87.109.242
                        
                        ;; Query time: 15 msec
                        ;; SERVER: 45.90.28.85#53(45.90.28.85)
                        ;; WHEN: Mon Nov 23 18:51:27 Central Standard Time 2020
                        ;; MSG SIZE  rcvd: 82
                        

                        If you're going to forward to a dnssec resolver - asking for dnssec could lead to some issues. Forwarding to something that doesn't do dnssec and asking for it - doesn't really do anything.

                        The only time dnssec on unbound makes any sense is when you're resolving - which you are not.


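As an added example (not code from the thread or from any poster), here is the header-level view of what the dig runs above are showing: a small Python decoder for the DNS header flags and RCODE, a builder for the CD bit that `+cdflag` sets, and the diagnostic rule johnpoz applies (SERVFAIL without CD but an answer with CD means the validating resolver rejected the data). The sample headers are constructed to mirror the outputs in this thread, not captured traffic.

```python
import struct

# RCODE values from RFC 1035 / IANA (only the ones relevant here)
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

# Flag bits in the second 16-bit word of the DNS header (RFC 1035, RFC 4035 for AD/CD)
FLAG_BITS = {"qr": 1 << 15, "aa": 1 << 10, "tc": 1 << 9, "rd": 1 << 8,
             "ra": 1 << 7, "ad": 1 << 5, "cd": 1 << 4}


def build_query_header(msg_id, cd=False):
    """Build the 12-byte header of a standard recursive query.
    cd=True is what `dig +cdflag` does: it asks a validating resolver
    to return the data even if DNSSEC validation fails (Checking Disabled)."""
    flags = FLAG_BITS["rd"] | (FLAG_BITS["cd"] if cd else 0)
    # id, flags, QDCOUNT=1, ANCOUNT=0, NSCOUNT=0, ARCOUNT=0
    return struct.pack("!HHHHHH", msg_id, flags, 1, 0, 0, 0)


def parse_header(msg):
    """Return id, RCODE name, the set flag names and section counts of a DNS message."""
    if len(msg) < 12:
        raise ValueError("DNS message shorter than the 12-byte header")
    msg_id, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    rcode = flags & 0x000F
    return {
        "id": msg_id,
        "rcode": RCODE_NAMES.get(rcode, f"RCODE{rcode}"),
        "flags": sorted(name for name, bit in FLAG_BITS.items() if flags & bit),
        "counts": {"query": qd, "answer": an, "authority": ns, "additional": ar},
    }


def classify(plain_resp, cd_resp):
    """Diagnostic rule from the thread: SERVFAIL to a normal query but NOERROR with
    an answer when CD is set means the failure happened during DNSSEC validation;
    SERVFAIL both ways points at an ordinary resolution failure instead."""
    plain, cd = parse_header(plain_resp), parse_header(cd_resp)
    if (plain["rcode"] == "SERVFAIL" and cd["rcode"] == "NOERROR"
            and cd["counts"]["answer"] > 0):
        return "dnssec-validation-failure"
    if plain["rcode"] == "SERVFAIL":
        return "resolution-failure"
    return "ok"


# Constructed sample headers mirroring the thread's dig output (not captured traffic):
# id 49134, flags qr rd ra, status SERVFAIL, QUERY 1, ANSWER 0, ADDITIONAL 1 (OPT)
SERVFAIL_NO_CD = struct.pack("!HHHHHH", 49134, 0x8180 | 2, 1, 0, 0, 1)
# the same question with CD set: flags qr rd ra cd, status NOERROR, one A record
NOERROR_WITH_CD = struct.pack("!HHHHHH", 49135, 0x8190, 1, 1, 0, 1)
```

Feeding `classify` the two responses reproduces the thread's conclusion without needing to read the flags by eye.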
                          micahbf
                          last edited by Nov 24, 2020, 12:57 AM

                          Added this to unbound's custom config:

                          server:
                              val-permissive-mode: yes
                          

                          And it's working.

                          Thank you @johnpoz for the guidance!

                            Gertjan @micahbf
                            last edited by Nov 24, 2020, 7:32 AM

                            @micahbf said in Troubleshooting unbound issue - not getting result for query:

                            server:
                            val-permissive-mode: yes

                            Just shut down DNSSEC.
                            Now you're instructing unbound to do DNSSEC, and at the end it discards results.

                            See https://forum.netgate.com/topic/83829/dns-resolver-dnssec-in-permissive-mode or the unbound doc.

                            No "help me" PM's please. Use the forum, the community will thank you.
                            Edit: and where are the logs??

                              micahbf @Gertjan
                              last edited by Nov 24, 2020, 2:38 PM

                              Got it. Just unchecked "Enable DNSSEC support" and all is well.

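Added here as an illustration, not configuration from the thread or generated by pfSense: the unbound settings behind the two endings of this thread. Unchecking "Enable DNSSEC support" amounts to running unbound without the validator module, whereas `val-permissive-mode` keeps validating and then discards the verdict. The NextDNS hostname and the certificate bundle path are placeholders/assumptions.

```conf
# Forward-only unbound with DNSSEC validation turned off locally; the
# validating upstream (NextDNS over TLS) is trusted to do that work.
server:
    # Default is "validator iterator"; dropping "validator" disables
    # local DNSSEC validation, which is what the final fix in this thread does.
    module-config: "iterator"
    # Assumed CA bundle path; needed to verify the upstream's TLS certificate.
    tls-cert-bundle: "/etc/ssl/cert.pem"

forward-zone:
    name: "."
    forward-tls-upstream: yes
    # IP@port#auth-name: the name after '#' is checked against the certificate.
    # YOUR-ID is a placeholder for the per-configuration NextDNS hostname.
    forward-addr: 45.90.28.0@853#YOUR-ID.dns.nextdns.io

# The interim workaround from the thread, kept here for contrast: the
# validator still runs and still fails on the same data, but its failure
# is demoted to "insecure" instead of SERVFAIL. Weaker and more work.
# server:
#     module-config: "validator iterator"
#     val-permissive-mode: yes
```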