Intermittent nxdomain error
-
Hi everyone,
Long time lurker, first time poster here...
I have a server running pfsense 2.5.1-RELEASE (amd64) with pfBlockerNG-devel 3.0.0_16.
I encounter occasional nxdomain error (at least once a day). Usually, it works after I refresh the page in my browser, but sometimes I have to wait a few seconds or a minute before the request finally works.
My server is configured as a DNS resolver for my local zone (*.home.[edited].be) and should forward everything else to my ISP DNS or google public DNS... Or at least that's what I intended to do, don't hesitate to tell me if I misconfigured something.
Here is my dashboard:
General setup:
DNS resolver (general settings):
And here are the (loooooooooong...) logs of an error.
I tried to access amazon.fr (which, by the way, should already be cached), and received a nxdomain error.
I reloaded the page and it worked that time.
dns-request_amazon.fr_2021-08-05.txt
Does someone have a clue about what's wrong?
Have a nice day,
Cedric -
Well first thing that jumps out is your forwarding and also asking for dnssec - that is just problematic and pointless. Where you forward to either already does dnssec without you asking for it, or it doesn't - you asking for it does nothing but add extra queries.
That log is what exactly? It's just repeating info that all happened at the very same second?
Aug 5 11:09:08
by the way, should already be cached
Only for the length of the ttl you got back from where you forwarded to, which could be anything from the actual ttl to like 1 second.. Depending on what was left in the cache when you asked for what you were asking for where you forwarded to.
And then only if unbound doesn't restart.. Which I see you're using pfblocker, which could cause restarts, and delay how long it takes to start as well.
example - here I asked google for amazon.fr, and it would only cache that for 31 seconds. And then it would have to ask again.
;; QUESTION SECTION:
;amazon.fr. IN A

;; ANSWER SECTION:
amazon.fr. 31 IN A 52.95.120.39
amazon.fr. 31 IN A 52.95.116.113
amazon.fr. 31 IN A 54.239.33.91

;; Query time: 23 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
And since google is anycast - you might actually get answers back from different caches. So if you ask once you might get 17 seconds, you ask again and maybe only 50 seconds, etc. etc.
Here I asked, and then asked again 4 seconds later and got 17 vs what should have been 46 seconds.
;; ANSWER SECTION:
amazon.fr. 50 IN A 52.95.116.113
amazon.fr. 50 IN A 52.95.120.39
amazon.fr. 50 IN A 54.239.33.91

;; Query time: 20 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Thu Aug 05 06:18:19 Central Daylight Time 2021
;; MSG SIZE rcvd: 86

;; QUESTION SECTION:
;amazon.fr. IN A

;; ANSWER SECTION:
amazon.fr. 17 IN A 54.239.33.91
amazon.fr. 17 IN A 52.95.116.113
amazon.fr. 17 IN A 52.95.120.39

;; Query time: 23 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Thu Aug 05 06:18:23 Central Daylight Time 2021
;; MSG SIZE rcvd: 86
google does dnssec out of the box for anything you ask for, no need to ask for it - does your isp dns?
example - asking for this fqdn will fail, because its dnssec is bad..
$ dig @8.8.8.8 www.dnssec-failed.org

; <<>> DiG 9.16.18 <<>> @8.8.8.8 www.dnssec-failed.org
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 9951
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;www.dnssec-failed.org. IN A

;; Query time: 109 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Thu Aug 05 06:36:58 Central Daylight Time 2021
;; MSG SIZE rcvd: 50
But if you ask something that isn't doing dnssec - it will answer..
$ dig @9.9.9.10 www.dnssec-failed.org

; <<>> DiG 9.16.18 <<>> @9.9.9.10 www.dnssec-failed.org
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32933
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;www.dnssec-failed.org. IN A

;; ANSWER SECTION:
www.dnssec-failed.org. 7200 IN A 69.252.193.191
www.dnssec-failed.org. 7200 IN A 68.87.109.242

;; Query time: 70 msec
;; SERVER: 9.9.9.10#53(9.9.9.10)
;; WHEN: Thu Aug 05 06:39:13 Central Daylight Time 2021
;; MSG SIZE rcvd: 82
Using different forwarders that can give you different info than what you want is a bad idea. If you want to use dnssec, then only forward to ns that are doing dnssec, if you want filtering for example only ns that do the exact same filtering.. Because you can never be sure where you are going to forward and get an answer from. So if you have different ns listed that you could ask and they could return different data, be it filtered or not or non dnssec vs dnssec you really have no idea what you're going to get..
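As an added example (not code from this thread), a small Python check that does what johnpoz's dig probe does by hand: parse the dig output for a name with deliberately broken DNSSEC, call a forwarder "validating" if it answers SERVFAIL and "non-validating" if it answers NOERROR, and refuse a forwarder list that mixes the two. The sample outputs below are constructed from the thread's own numbers; in practice you would feed it the output of `dig @<forwarder> www.dnssec-failed.org` for each forwarder you intend to list.

```python
import re
from typing import Dict, List, Optional

# Constructed samples: status, flags and TTLs follow the thread's dig runs.
VALIDATING = """;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 9951
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; QUESTION SECTION:
;www.dnssec-failed.org. IN A
"""
NON_VALIDATING = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9528
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 5, ADDITIONAL: 11
;; ANSWER SECTION:
www.dnssec-failed.org. 7200 IN A 69.252.193.191
www.dnssec-failed.org. 7200 IN A 68.87.109.242
"""

def parse_dig(output: str) -> Dict[str, Optional[object]]:
    """Extract rcode, the AD (authenticated data) flag and the answer TTLs."""
    status = re.search(r"status: (\w+)", output)
    flags = re.search(r";; flags: ([^;]*);", output)
    # Presentation-format RR lines: <owner> <ttl> IN <type> <rdata>
    ttls: List[int] = [int(t) for t in
                       re.findall(r"^\S+\s+(\d+)\s+IN\s+\w+\s", output, re.M)]
    return {
        "status": status.group(1) if status else None,
        "ad": "ad" in (flags.group(1).split() if flags else []),
        "min_ttl": min(ttls) if ttls else None,  # how long unbound may cache it
    }

def classify_forwarder(probe_output: str) -> str:
    """probe_output must be the reply for a known-bad-DNSSEC name."""
    r = parse_dig(probe_output)
    if r["status"] == "SERVFAIL":
        return "validating"       # refused the bogus zone, as 8.8.8.8 did
    if r["status"] == "NOERROR":
        return "non-validating"   # served it anyway, as 9.9.9.10 and the ISP did
    return "unknown"

def consistent(forwarders: Dict[str, str]) -> bool:
    """True only if every listed forwarder behaves the same way."""
    return len({classify_forwarder(o) for o in forwarders.values()}) == 1

if __name__ == "__main__":
    mixed = {"8.8.8.8": VALIDATING, "isp": NON_VALIDATING}
    for name, out in mixed.items():
        print(name, classify_forwarder(out), parse_dig(out))
    print("consistent forwarder set:", consistent(mixed))
```

The `ad` flag is absent in every reply on this page, so none of the probed forwarders signalled a validated answer for these names; a mixed set is exactly the case where identical queries get different results depending on which forwarder unbound picks.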
-
@johnpoz said in Intermittent nxdomain error:
Well first thing that jumps out is your forwarding and also asking for dnssec - that is just problematic and pointless. Where you forward to either already does dnssec without you asking for it, or it doesn't - you asking for it does nothing but add extra queries.
That makes sense, I'll disable DNSSEC. I understood it as "Support DNSSEC" and not "make DNSSEC mandatory".
@johnpoz said in Intermittent nxdomain error:
That log is what exactly? It's just repeating info that all happened at the very same second?
Aug 5 11:09:08
The log is from Status / System Logs / System / DNS Resolver.
I have set the log level of the DNS resolver to 3 (Query level information).
@johnpoz said in Intermittent nxdomain error:
by the way, should already be cached
Only for the length of the ttl you got back from where you forwarded to, which could be anything from the actual ttl to like 1 second.. Depending on what was left in the cache when you asked for what you were asking for where you forwarded to.
And then only if unbound doesn't restart.. Which I see you're using pfblocker, which could cause restarts, and delay how long it takes to start as well.
example - here I asked google for amazon.fr, and it would only cache that for 31 seconds. And then it would have to ask again.
And since google is anycast - you might actually get answers back from different caches. So if you ask once you might get 17 seconds, you ask again and maybe only 50 seconds, etc. etc.
Here I asked, and then asked again 4 seconds later and got 17 vs what should have been 46 seconds.
Ok I understand. I didn't realize TTL would be so low.
google does dnssec out of the box for anything you ask for, no need to ask for it - does your isp dns?
My ISP does not seem to support DNSSEC:
$ dig @62.197.111.140 www.dnssec-failed.org

; <<>> DiG 9.16.1-Ubuntu <<>> @62.197.111.140 www.dnssec-failed.org
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9528
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 5, ADDITIONAL: 11

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 244b7105efb9689b06af6ca3610c0c03a75fd658b71cf482 (good)
;; QUESTION SECTION:
;www.dnssec-failed.org. IN A

;; ANSWER SECTION:
www.dnssec-failed.org. 7200 IN A 69.252.193.191
www.dnssec-failed.org. 7200 IN A 68.87.109.242
example - asking for this fqdn will fail, because its dnssec is bad..
But if you ask something that isn't doing dnssec - it will answer..
Using different forwarders that can give you different info than what you want is a bad idea. If you want to use dnssec, then only forward to ns that are doing dnssec, if you want filtering for example only ns that do the exact same filtering.. Because you can never be sure where you are going to forward and get an answer from. So if you have different ns listed that you could ask and they could return different data, be it filtered or not or non dnssec vs dnssec you really have no idea what you're going to get..
That clearly explains my issue. I suppose the first query was answered by my ISP, but dropped because of the non-support of DNSSEC.
The second request might then have been answered by google DNS.
That also explains why I sometimes have to wait a few seconds up to a minute for the second request to succeed.
I have disabled DNSSEC and removed my ISP's DNS.
I'll test for a few days to be sure the issue is solved.
Thanks a lot for your great explanation
-
@cri said in Intermittent nxdomain error:
I suppose the first query was answered by my ISP, but dropped because of the non-support of DNSSEC.
No, asking for dnssec and not getting back dnssec info doesn't mean it fails.. Asking for dnssec to a forwarder that doesn't do dnssec doesn't mean it's going to do dnssec or even be able to send you what you ask for or resolve what you asked for. But asking for dnssec and not getting back dnssec info doesn't mean the query would fail.
But again if where you forward isn't doing dnssec, there is no point in asking for dnssec info. Which it is not supposed to hurt, other than asking for stuff that may or may not resolve with that forwarder.. It for sure can be problematic.. and at the very min causes extra queries. That are not going to be very useful.
Not all domains or even tlds support dnssec.. The tld .fr doesn't support dnssec anyway. So amazon.fr would never pass dnssec, but trying to do it on amazon.fr doesn't mean the query would fail. dnssec fails when the domain dnssec info is wrong in some way. If it's not set up for dnssec then it would just resolve even though you are doing dnssec..
-
Hi @johnpoz ,
I just wanted to tell you that the issue hasn't occurred once since I changed the setting per your suggestion. It's been running without issue for two months now.
Thanks a lot for your help
-
@cri glad to hear.. Thanks for followup.