21.02(and p1) - Unbound DNS Lookup Fails for random domains
-
Since upgrading to 21.02p1, unbound is failing to perform lookups for domains such as torproject.org.
This is what I am seeing:
[21.02-RELEASE][admin@pfsense.localdomain]/root: host torproject.org 127.0.0.1
Using domain server:
Name: 127.0.0.1
Address: 127.0.0.1#53
Aliases:

Host torproject.org not found: 3(NXDOMAIN)
[21.02-RELEASE][admin@pfsense.localdomain]/root:
However, a lookup for Google works:
[21.02-RELEASE][admin@pfsense.localdomain]/root: host google.com 127.0.0.1
Using domain server:
Name: 127.0.0.1
Address: 127.0.0.1#53
Aliases:

google.com has address 142.250.68.110
google.com has IPv6 address 2607:f8b0:4007:813::200e
google.com mail is handled by 50 alt4.aspmx.l.google.com.
google.com mail is handled by 10 aspmx.l.google.com.
google.com mail is handled by 20 alt1.aspmx.l.google.com.
google.com mail is handled by 30 alt2.aspmx.l.google.com.
google.com mail is handled by 40 alt3.aspmx.l.google.com.
[21.02-RELEASE][admin@pfsense.localdomain]/root:
I have also verified that the upstream DNS lookup works:
[21.02-RELEASE][admin@pfsense.localdomain]/root: host torproject.org
torproject.org has address 146.112.61.106
torproject.org has IPv6 address ::ffff:146.112.61.106
torproject.org mail is handled by 10 eugeni.torproject.org.
My config is pretty much the default settings. I am not sure what I am missing.
Any help in diagnosing this will be great!
-
Default unbound settings for me:
[2.5.0-RELEASE][admin@me.net]/boot/kernel: host torproject.org 127.0.0.1
Using domain server:
Name: 127.0.0.1
Address: 127.0.0.1#53
Aliases:

torproject.org has address 116.202.120.165
torproject.org has address 116.202.120.166
torproject.org has address 95.216.163.36
torproject.org has IPv6 address 2a01:4f8:fff0:4f:266:37ff:fe2c:5d19
torproject.org has IPv6 address 2a01:4f9:c010:19eb::1
torproject.org has IPv6 address 2a01:4f8:fff0:4f:266:37ff:feae:3bbc
torproject.org mail is handled by 10 eugeni.torproject.org.
Check the domain name yourself: https://zonemaster.net/result/364ca0e0ed9a27db. This one is very messy.
Edit: the upstream DNS servers for unbound are the 13 root DNS internet servers.
If they can't find stuff, consider the domain name 'bad'.
-
I know the domain is good. I can resolve it when I point to Google or OpenDNS. It is the local unbound service that is failing. I am looking at the logs and they are giving me nothing.
-
Here is my unbound config. Does anyone see anything off?
-
@hh77 said in 21.02(and p1) - Unbound DNS Lookup Fails for random domains:
Here is my unbound config. Does anyone see anything off?
It's unreadable.
It's here: /var/unbound/unbound.conf
@hh77 said in 21.02(and p1) - Unbound DNS Lookup Fails for random domains:
I know the domain is good
Count the notices and warnings. If you know who the domain owner is, have him repair the issues.
-
@gertjan OK, here is my config. What is crazy is that I have been using pfSense for almost 5 years and this is the first time I have run into this issue:

##########################
# Unbound Configuration
##########################

##
# Server configuration
##
server:
chroot: /var/unbound
username: "unbound"
directory: "/var/unbound"
pidfile: "/var/run/unbound.pid"
use-syslog: yes
port: 53
verbosity: 1
hide-identity: yes
hide-version: yes
harden-glue: yes
do-ip4: yes
do-ip6: yes
do-udp: yes
do-tcp: yes
do-daemonize: yes
module-config: "validator iterator"
unwanted-reply-threshold: 0
num-queries-per-thread: 4096
jostle-timeout: 200
infra-host-ttl: 900
infra-cache-numhosts: 10000
outgoing-num-tcp: 10
incoming-num-tcp: 10
edns-buffer-size: 1232
cache-max-ttl: 86400
cache-min-ttl: 0
harden-dnssec-stripped: yes
msg-cache-size: 4m
rrset-cache-size: 8m

num-threads: 2
msg-cache-slabs: 2
rrset-cache-slabs: 2
infra-cache-slabs: 2
key-cache-slabs: 2
outgoing-range: 4096
#so-rcvbuf: 4m
auto-trust-anchor-file: /var/unbound/root.key
prefetch: no
prefetch-key: no
use-caps-for-id: no
serve-expired: no
aggressive-nsec: no
# Statistics
# Unbound Statistics
statistics-interval: 0
extended-statistics: yes
statistics-cumulative: yes

# TLS Configuration
tls-cert-bundle: "/etc/ssl/cert.pem"

# Interface IP(s) to bind to
interface-automatic: yes
interface: 0.0.0.0
interface: ::0

# Outgoing interfaces to be used

# DNS Rebinding
# For DNS Rebinding prevention
private-address: 127.0.0.0/8
private-address: 10.0.0.0/8
private-address: ::ffff:a00:0/104
private-address: 172.16.0.0/12
private-address: ::ffff:ac10:0/108
private-address: 169.254.0.0/16
private-address: ::ffff:a9fe:0/112
private-address: 192.168.0.0/16
private-address: ::ffff:c0a8:0/112
private-address: fd00::/8
private-address: fe80::/10

# Set private domains in case authoritative name server returns a Private IP address

# Access lists
include: /var/unbound/access_lists.conf

# Static host entries
include: /var/unbound/host_entries.conf

# dhcp lease entries
include: /var/unbound/dhcpleases_entries.conf

# OpenVPN client entries
include: /var/unbound/openvpn.*.conf

# Domain overrides
include: /var/unbound/domainoverrides.conf

# Forwarding
forward-zone:
name: "."
forward-addr: 208.67.220.220

# Unbound custom options
server:include: /var/unbound/pfb_dnsbl.*conf
-
@hh77 said in 21.02(and p1) - Unbound DNS Lookup Fails for random domains:
forward-zone:
name: "."
forward-addr: 208.67.220.220
"208.67.220.220" == OpenDNS.
They are strict.
You could probably test with them, using their GUI, whether they do resolve your domain, using your choice of lists.
I can imagine that the domain name "torproject" could be listed ^^
Do you have to forward to them?
As said above, default pfSense resolver settings work fine. When debugging, you should not include third parties that you don't control in your setup.
-
@gertjan I tried with no resolvers and DNS would not resolve anything.
-
OK, now I am pretty sure something is wrong. I ran the dig utility to resolve one of the name servers for the torproject, but I got a server fail:

[21.02-RELEASE][admin@home.tncoffee.net]/root: dig ns1.torproject.org

; <<>> DiG 9.16.11 <<>> ns1.torproject.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 49081
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;ns1.torproject.org. IN A

;; Query time: 118 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Mar 02 04:52:41 MST 2021
;; MSG SIZE rcvd: 47
I ran a packet capture and I am seeing the correct replies from upstream.
So pfsense is receiving the correct replies but is not processing them to the clients.
-
Use the detailed mode:
; <<>> DiG 9.16.11 <<>> ns1.torproject.org +trace
;; global options: +cmd
. 72790 IN NS d.root-servers.net.
. 72790 IN NS a.root-servers.net.
. 72790 IN NS m.root-servers.net.
. 72790 IN NS e.root-servers.net.
. 72790 IN NS l.root-servers.net.
. 72790 IN NS j.root-servers.net.
. 72790 IN NS i.root-servers.net.
. 72790 IN NS g.root-servers.net.
. 72790 IN NS h.root-servers.net.
. 72790 IN NS b.root-servers.net.
. 72790 IN NS f.root-servers.net.
. 72790 IN NS k.root-servers.net.
. 72790 IN NS c.root-servers.net.
. 72790 IN RRSIG NS 8 0 518400 20210315050000 20210302040000 42351 . X/QC4PBDzMgKPoiLj97sFNXfqknEFs0zF6lNeS2q4NZgANYt3RGNtoL8 jVxrwRic5I6K6s/olltVaOiFuFX3jPzzHmW7zGLpglRx4MF9CBkwl2pc 9HAojP82TH511mDRJLVxjdK+ZtWITw5T0qGw6FuhZkXIjnVvmgrlba8t sMmQH8jN8ypL/hyNRTh+jeqes6Gf+pkXKkDeA6M35lv4X8KElv/TxUI6 ewD6RtofgZQ949kSgx1237WN2UwTc4oavBg+XrASRX7vbR8zyKvccdGT X4VJk+yMQaFfQPsuJdRc2Q7x22WjQIvlNkdb2MGCu5EgEiRQrfroTQS4 WIeOvg==
;; Received 525 bytes from 127.0.0.1#53(127.0.0.1) in 1 ms

org. 172800 IN NS a0.org.afilias-nst.info.
org. 172800 IN NS a2.org.afilias-nst.info.
org. 172800 IN NS b0.org.afilias-nst.org.
org. 172800 IN NS b2.org.afilias-nst.org.
org. 172800 IN NS c0.org.afilias-nst.info.
org. 172800 IN NS d0.org.afilias-nst.org.
org. 86400 IN DS 26974 8 2 4FEDE294C53F438A158C41D39489CD78A86BEB0D8A0AEAFF14745C0D 16E1DE32
org. 86400 IN RRSIG DS 8 1 86400 20210315050000 20210302040000 42351 . ZGfBMXVbsZER+UuyapgV05tUKFHMhrQUOC4hfLAyUUbW9ahWtInfk2Mq s/3QVWIckLJYBs/YLLQwXojZhZ0vOzhkCfgFFg94VUSHXTdqxEHZYHy4 KOLLdnmlTIdsxaD/6ncVUgbZvARFUbvmaX4JrnPYobLJ0wMTKQr3MjBo cuN0x9gGeqsQWT0/F37c2reFEVJSRj8xCuiNTh7Y9/c6w5Rw/YWCo+Tq MNdf0a5adLS++cbV/txQ3st4yxDFm/n32qCZn5YVUh6bJNRUE9lAALsR IBXC5BK7ZOYqaldkiJq4BCXB+Q6J0vFh1L9BUYDPeYjYWjS8XrcHoU0a XBTWUw==
;; Received 784 bytes from 199.7.91.13#53(d.root-servers.net) in 41 ms

torproject.org. 86400 IN NS ns4.torproject.org.
torproject.org. 86400 IN NS ns1.torproject.org.
torproject.org. 86400 IN NS ns3.torproject.org.
torproject.org. 86400 IN NS ns5.torproject.org.
torproject.org. 86400 IN DS 28486 8 2 CEFD14514B18D5E31073BC9EA463C7852DE236742E23A4AB327E446C 608A76B9
torproject.org. 86400 IN RRSIG DS 8 2 86400 20210322153104 20210301143104 27558 org. Sf/gLk8MGdlB8m1jY869rdG1wSWZSfeu0+lnmjpoBGhY4ysKFEHZMvSZ stoQK1wF1dlHR2ap2NOCxCV7AbXJ64pETDCph+Qt9xjB4ryl5ziDu3mq 7qvRDE/IHp1oDClMG+TOZVMibtjFN7uOEZb99cH5YjgDaDJSW3crAHzy 0ns=
;; Received 474 bytes from 2001:500:b::1#53(c0.org.afilias-nst.info) in 313 ms

ns1.torproject.org. 86400 IN A 38.229.72.12
ns1.torproject.org. 86400 IN RRSIG A 8 3 86400 20210408121210 20210227111550 55143 torproject.org. DeZeudOFY4u8Sci0GzYbnLBjeT4Ygr3LNB8s6dAs7/WFVgNrlk6eAGi1 FQ/C/QpmJ23RdyK8uRVqEokOpbL763oyrhjXPIZv5Zk9468+PxnXtXc8 S/XrI8+naVEz0lDDrRGYKLD+uRrPFonMbyguLwTZy2/UMB5aChg4sJkc u8aq+FVA0x0JkfyjVkZa50LtC7tCs5TE5ewM64YyXUdw9DTZTFbOCEK4 H9ZIa3gCGuxt8fUVfum3PZ5LpqabuTYb
torproject.org. 86400 IN NS nsp.dnsnode.net.
torproject.org. 86400 IN NS ns3.torproject.org.
torproject.org. 86400 IN NS ns4.torproject.org.
torproject.org. 86400 IN NS ns5.torproject.org.
torproject.org. 86400 IN NS ns1.torproject.org.
torproject.org. 86400 IN RRSIG NS 8 2 86400 20210406005215 20210225004545 55143 torproject.org. ww0k4m71ys7aIzd9vNGmmQ//XAYWbM6I5/x2b1qL9Ng+o8HdV9x+2pDr BY03a15BiIp+CG40Cyv3f3lcbZQgj+okvXQyaoIXO8LyTHSXSDWQpxkO btVXHiFQCHkwOjLWFwlMLMOPdYd4rPZQeJMAx2SSnqnUArwY3+2RzVIs 0X8pFquqj9hfF5UT9AO04dBY+HnvCHiHKHRlVp5dTlcGHTiMBTrTeDKj dHsBQtSMYdIiNdt0EZcmBO57JU2SBIRV
;; Received 2224 bytes from 89.45.235.22#53(ns5.torproject.org) in 61 ms
I've got an answer:
ns1.torproject.org. 86400 IN A 38.229.72.12
For my PCs (clients) the answer is identical:

C:\Users\gwkro>nslookup ns1.torproject.org
Serveur : pfsense.me.net
Address: 2001:470:1f13:5d8:2::1

Réponse ne faisant pas autorité :
Nom : ns1.torproject.org
Address: 38.229.72.12
-
If I had to guess, your problem is you blocking it:
# Unbound custom options server:include: /var/unbound/pfb_dnsbl.*conf
Turn off pfBlocker; does it resolve then?
I also have no problems resolving that.
$ dig torproject.org

; <<>> DiG 9.16.12 <<>> torproject.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63899
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;torproject.org. IN A

;; ANSWER SECTION:
torproject.org. 3600 IN A 116.202.120.166
torproject.org. 3600 IN A 116.202.120.165
torproject.org. 3600 IN A 95.216.163.36

;; Query time: 501 msec
;; SERVER: 192.168.3.10#53(192.168.3.10)
;; WHEN: Tue Mar 02 06:41:34 Central Standard Time 2021
;; MSG SIZE rcvd: 91
-
@johnpoz I turned it off and it is still failing to resolve. Is there a way I can do a debug?
-
@hh77 said in 21.02(and p1) - Unbound DNS Lookup Fails for random domains:
I turned it off and still failing to resolve.
Normal.
pfSense resolves and caches DNS answers. That part has been 'turned off' and the cache has been wiped. But your own device?
If it is a Windows device: ipconfig /flushdns
Other OSes have comparable commands.
And restart also your browser, as they might cache also.
Edit:
@hh77 said in 21.02(and p1) - Unbound DNS Lookup Fails for random domains:
I can do a debug
Dunno.
If you're a Windows user, after typing 'nslookup' you can type set debug
Then
torproject.org
and sit back.
-
@hh77 Yup, that resolved it. Allowing unbound to use the root DNS servers did the trick. What is weird is that I have always had the query upstream server option enabled and not had an issue. I am not going to dwell on it. I'm glad I got this issue resolved. Now on to others!
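Added example, not code from the thread, pfSense or unbound: a small Python checker for the combination visible in the posted config, a forward-zone for "." that sends every query to one forwarder while module-config keeps the validator on and harden-dnssec-stripped is yes. With that combination, a forwarder that does not return DNSSEC records (RRSIG/DS) makes unbound fail validation for signed zones and answer SERVFAIL, which is the status the dig for ns1.torproject.org showed; the thread itself only states that switching to root resolution fixed it, not why. SAMPLE_CONF is a constructed excerpt modelled on the posted config, the option names are real unbound options, and the function names are this example's own.

```python
import re

# Constructed excerpt (assumption): the validation-related options and the root
# forward-zone from the posted config, with everything else left out.
SAMPLE_CONF = """\
server:
module-config: "validator iterator"
harden-dnssec-stripped: yes
auto-trust-anchor-file: /var/unbound/root.key

# Forwarding
forward-zone:
name: "."
forward-addr: 208.67.220.220
"""

# Clause keywords that end a forward-zone clause.
CLAUSES = ("server:", "forward-zone:", "stub-zone:", "remote-control:")


def parse_unbound_conf(text):
    """Split unbound.conf text into (server_options, forward_zones).

    server_options maps option -> list of values (options such as private-address
    repeat); forward_zones is one dict per forward-zone clause. Comments are
    dropped and pfSense's one-line "server:include: ..." form is accepted.
    """
    server, zones, current = {}, [], None       # current None = server clause
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line == "server:":
            current = None
            continue
        if line == "forward-zone:":
            current = {}
            zones.append(current)
            continue
        if line.startswith("server:"):            # "server:include: file"
            line, current = line[len("server:"):].strip(), None
        key, _, value = line.partition(":")
        target = server if current is None else current
        target.setdefault(key.strip(), []).append(value.strip().strip('"'))
    return server, zones


def find_validation_risks(server, zones):
    """Describe why a root forward-zone plus validation can yield SERVFAIL."""
    findings = []
    validating = any("validator" in v for v in server.get("module-config", []))
    strict = server.get("harden-dnssec-stripped", ["no"])[-1] == "yes"
    for zone in zones:
        addrs = ", ".join(zone.get("forward-addr", []))
        if zone.get("name", [""])[0] != "." or not addrs:
            continue
        if validating:
            findings.append(f"root zone forwarded to {addrs} with the validator on: "
                            "a forwarder that omits DNSSEC records makes lookups in "
                            "signed zones fail validation, so clients get SERVFAIL")
        if strict:
            findings.append("harden-dnssec-stripped: yes refuses answers that lack "
                            "DNSSEC data for a signed zone instead of using them")
        if zone.get("forward-first", ["no"])[-1] != "yes":
            findings.append("forward-first is not set, so unbound does not fall back "
                            "to recursion from the root servers when the forwarder fails")
    return findings


def remove_root_forwarding(text):
    """Return the config without any forward-zone for ".", leaving other zones.

    Without a root forward-zone unbound recurses from the root hints itself. A
    forward-zone clause is taken to end at the next clause keyword, comment or
    blank line (pfSense writes one blank line between sections).
    """
    kept, block = [], None

    def flush(block):
        if block and not any(re.fullmatch(r'name:\s*"?\."?', l.strip()) for l in block):
            kept.extend(block)

    for line in text.splitlines():
        s = line.split("#", 1)[0].strip()
        if s == "forward-zone:":
            flush(block)
            block = [line]
            continue
        if block is not None and (not s or s.startswith(CLAUSES)):
            flush(block)
            block = None
        (kept if block is None else block).append(line)
    flush(block)
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    server, zones = parse_unbound_conf(SAMPLE_CONF)
    for finding in find_validation_risks(server, zones):
        print("-", finding)
    print(remove_root_forwarding(SAMPLE_CONF))
```

On a live resolver the quick confirmation is the checking-disabled flag: when dig @127.0.0.1 name +cd returns the record but the same query without +cd gets SERVFAIL, validation rather than resolution is what failed. Dropping the root forward-zone, as remove_root_forwarding does, is what unchecking forwarding mode in the pfSense resolver settings produces, which matches the setup hh77 ended up with.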