Unbound Not Resolving One Website

johnpoz

@cnliberal said in Unbound Not Resolving One Website:

mycarle.com

The best thing to do if your having an issue resolving something is do a trace.. So you can see where it failing..

example: here is from my pfsense

[21.05.1-RELEASE][admin@sg4860.local.lan]/root: dig mycarle.com +trace

; <<>> DiG 9.16.16 <<>> mycarle.com +trace
;; global options: +cmd
.                       83375   IN      NS      g.root-servers.net.
.                       83375   IN      NS      b.root-servers.net.
.                       83375   IN      NS      f.root-servers.net.
.                       83375   IN      NS      a.root-servers.net.
.                       83375   IN      NS      e.root-servers.net.
.                       83375   IN      NS      k.root-servers.net.
.                       83375   IN      NS      c.root-servers.net.
.                       83375   IN      NS      j.root-servers.net.
.                       83375   IN      NS      i.root-servers.net.
.                       83375   IN      NS      d.root-servers.net.
.                       83375   IN      NS      m.root-servers.net.
.                       83375   IN      NS      l.root-servers.net.
.                       83375   IN      NS      h.root-servers.net.
.                       83375   IN      RRSIG   NS 8 0 518400 20211011170000 20210928160000 26838 . m3tJoQFhfGlQ8ShQao2SgWWeVUvSQjgYYOOeh8ZW3Yp40hkgEtc/vfAu UUywjfgZxUS+cnFNhR6/Na+bJkdPwOTWAcwG9hJ0EyHgXuB8WsVuYfz7 O3O+5rp0R0KgMwqr7XvWtnjrEZE0oNUJ0x5yTxYFEC/GpwwEv2PGO6Uz j216PvS46EmgrdhnriSsHWmpgoVEQocacvdum72TUhB1O+rKEBNeKigz Nb2vpiK/O3Q/6WRWdpeBGxPunuoPfBXzxktuf7YwhIvlR5epIqDdSI7u jYRjt+WtFg5dbcbuY2e/0pPVHPPNE7mMmPf6Kp5WQlIWlYvPOA2MaQaE mkFcyw==
;; Received 525 bytes from 127.0.0.1#53(127.0.0.1) in 0 ms

com.                    172800  IN      NS      a.gtld-servers.net.
com.                    172800  IN      NS      b.gtld-servers.net.
com.                    172800  IN      NS      c.gtld-servers.net.
com.                    172800  IN      NS      d.gtld-servers.net.
com.                    172800  IN      NS      e.gtld-servers.net.
com.                    172800  IN      NS      f.gtld-servers.net.
com.                    172800  IN      NS      g.gtld-servers.net.
com.                    172800  IN      NS      h.gtld-servers.net.
com.                    172800  IN      NS      i.gtld-servers.net.
com.                    172800  IN      NS      j.gtld-servers.net.
com.                    172800  IN      NS      k.gtld-servers.net.
com.                    172800  IN      NS      l.gtld-servers.net.
com.                    172800  IN      NS      m.gtld-servers.net.
com.                    86400   IN      DS      30909 8 2 E2D3C916F6DEEAC73294E8268FB5885044A833FC5459588F4A9184CF C41A5766
com.                    86400   IN      RRSIG   DS 8 1 86400 20211011170000 20210928160000 26838 . dz5+BvATPepAOfvNyP1wJkrXXdPo+N5Gufucmciys7+ZdjMeniY+0IOu 5zhy9dQP+gJKIoXLxYOw1zd+MvXGn03c1a9y3hywPTQJbktx9jT0pV6p w0UhWZIwtc7wR3WBweDkITBorKmjhSpgEZSIHMDmpfVc+/iy/Uzx9H2D cV74B2IWj74WdMqdhxlL8L4yGppLH/ZcuvCTY+vw7oONC17OKo5tOUX/ geJSjZIOZRKlHKLOVqsxVaFuEsEbm8r4ngF1puZ52+v51i9mTR/ocH6S SREDDXIN8UG9wCNV2QYwI/gFmRvK5ODZAiyTA1CtNS2DkZPFRuoiHV45 fY4xDg==
;; Received 1171 bytes from 2001:500:2d::d#53(d.root-servers.net) in 13 ms

mycarle.com.            172800  IN      NS      ns1.carle.com.
mycarle.com.            172800  IN      NS      ns2.carle.com.
CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 86400 IN NSEC3 1 1 0 - CK0Q1GIN43N1ARRC9OSM6QPQR81H5M9A NS SOA RRSIG DNSKEY NSEC3PARAM
CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 86400 IN RRSIG NSEC3 8 2 86400 20211003042352 20210926031352 39343 com. fdKztlvTFtfJm793/ER3F5+kzv7I1SUP3+JqqHCbk5HotOwsZeqzU4U4 DqkanSWZkzl2rC4qL8Q02oo6F53HSZgaVXEzCAcRRj2gRIlhCsL+0iQx X7SLPer7CVmSf1Fm9DL82E1Y4RBemd8K9+8xeRd+VoPA0x+0Z/afPO7B Em6wmLHmxBoYEdG6HAuWvLnNresmCnk8YvKPsc3wElk2yQ==
9KBKP4MEJEBFMKRSLJM5PH0GRH9NCMLJ.com. 86400 IN NSEC3 1 1 0 - 9KBKVCBIRR01VIHNCEQP77AKN4ASTBFL NS DS RRSIG
9KBKP4MEJEBFMKRSLJM5PH0GRH9NCMLJ.com. 86400 IN RRSIG NSEC3 8 2 86400 20211004052307 20210927041307 39343 com. uoAWnfjnCRJ5Kt6Rvw0cv2GUNnG8k5x+YwD+ooHFMYLbq5ZR4CkfkejU JsXyG2Toe/1yjLedRO9PLk78Jb51J9zI7YC+vGexYyGSjKVwtgxZEXQz 9pY5pGU+jOc5L4rE6kLdB7c5aXQV31wiIMlp/Hq6z4xfPl+jNfq58VwO xMLI7iKeESMOPvDTkAkktHq45znjvbBZabo/+C0SSAMgVA==
;; Received 663 bytes from 192.54.112.30#53(h.gtld-servers.net) in 16 ms

mycarle.com.            3600    IN      A       199.184.120.238
;; Received 56 bytes from 199.184.120.10#53(ns1.carle.com) in 17 ms

[21.05.1-RELEASE][admin@sg4860.local.lan]/root: 

You can get a bit cleaner and easy to read trace by not doing dnssec

[21.05.1-RELEASE][admin@sg4860.local.lan]/root: dig mycarle.com +trace +nodnssec

; <<>> DiG 9.16.16 <<>> mycarle.com +trace +nodnssec
;; global options: +cmd
.                       83294   IN      NS      d.root-servers.net.
.                       83294   IN      NS      m.root-servers.net.
.                       83294   IN      NS      l.root-servers.net.
.                       83294   IN      NS      h.root-servers.net.
.                       83294   IN      NS      g.root-servers.net.
.                       83294   IN      NS      b.root-servers.net.
.                       83294   IN      NS      f.root-servers.net.
.                       83294   IN      NS      a.root-servers.net.
.                       83294   IN      NS      e.root-servers.net.
.                       83294   IN      NS      k.root-servers.net.
.                       83294   IN      NS      c.root-servers.net.
.                       83294   IN      NS      j.root-servers.net.
.                       83294   IN      NS      i.root-servers.net.
;; Received 239 bytes from 127.0.0.1#53(127.0.0.1) in 0 ms

com.                    172800  IN      NS      e.gtld-servers.net.
com.                    172800  IN      NS      b.gtld-servers.net.
com.                    172800  IN      NS      j.gtld-servers.net.
com.                    172800  IN      NS      m.gtld-servers.net.
com.                    172800  IN      NS      i.gtld-servers.net.
com.                    172800  IN      NS      f.gtld-servers.net.
com.                    172800  IN      NS      a.gtld-servers.net.
com.                    172800  IN      NS      g.gtld-servers.net.
com.                    172800  IN      NS      h.gtld-servers.net.
com.                    172800  IN      NS      l.gtld-servers.net.
com.                    172800  IN      NS      k.gtld-servers.net.
com.                    172800  IN      NS      c.gtld-servers.net.
com.                    172800  IN      NS      d.gtld-servers.net.
;; Received 836 bytes from 198.41.0.4#53(a.root-servers.net) in 14 ms

mycarle.com.            172800  IN      NS      ns1.carle.com.
mycarle.com.            172800  IN      NS      ns2.carle.com.
;; Received 114 bytes from 2001:502:1ca1::30#53(e.gtld-servers.net) in 33 ms

mycarle.com.            3600    IN      A       199.184.120.238
;; Received 56 bytes from 199.184.120.10#53(ns1.carle.com) in 26 ms

[21.05.1-RELEASE][admin@sg4860.local.lan]/root: 

If your having issues with ipv6 - maybe, you can have did do only ipv4

[21.05.1-RELEASE][admin@sg4860.local.lan]/root: dig -4 mycarle.com +trace +nodnssec

; <<>> DiG 9.16.16 <<>> -4 mycarle.com +trace +nodnssec
;; global options: +cmd
.                       83163   IN      NS      d.root-servers.net.
.                       83163   IN      NS      m.root-servers.net.
.                       83163   IN      NS      l.root-servers.net.
.                       83163   IN      NS      h.root-servers.net.
.                       83163   IN      NS      g.root-servers.net.
.                       83163   IN      NS      b.root-servers.net.
.                       83163   IN      NS      f.root-servers.net.
.                       83163   IN      NS      a.root-servers.net.
.                       83163   IN      NS      e.root-servers.net.
.                       83163   IN      NS      k.root-servers.net.
.                       83163   IN      NS      c.root-servers.net.
.                       83163   IN      NS      j.root-servers.net.
.                       83163   IN      NS      i.root-servers.net.
;; Received 239 bytes from 127.0.0.1#53(127.0.0.1) in 0 ms

com.                    172800  IN      NS      l.gtld-servers.net.
com.                    172800  IN      NS      b.gtld-servers.net.
com.                    172800  IN      NS      c.gtld-servers.net.
com.                    172800  IN      NS      d.gtld-servers.net.
com.                    172800  IN      NS      e.gtld-servers.net.
com.                    172800  IN      NS      f.gtld-servers.net.
com.                    172800  IN      NS      g.gtld-servers.net.
com.                    172800  IN      NS      a.gtld-servers.net.
com.                    172800  IN      NS      h.gtld-servers.net.
com.                    172800  IN      NS      i.gtld-servers.net.
com.                    172800  IN      NS      j.gtld-servers.net.
com.                    172800  IN      NS      k.gtld-servers.net.
com.                    172800  IN      NS      m.gtld-servers.net.
;; Received 836 bytes from 192.203.230.10#53(e.root-servers.net) in 14 ms

mycarle.com.            172800  IN      NS      ns1.carle.com.
mycarle.com.            172800  IN      NS      ns2.carle.com.
;; Received 114 bytes from 192.52.178.30#53(k.gtld-servers.net) in 34 ms

mycarle.com.            3600    IN      A       199.184.120.238
;; Received 56 bytes from 199.184.120.100#53(ns2.carle.com) in 23 ms

[21.05.1-RELEASE][admin@sg4860.local.lan]/root: 

CNLiberal

@johnpoz

[2.4.5-RELEASE][root@pfsense.theoltmanfamily.net]/root: dig mycarle.com +trace +nodnssec

; <<>> DiG 9.14.12 <<>> mycarle.com +trace +nodnssec
;; global options: +cmd
.                       84604   IN      NS      a.root-servers.net.
.                       84604   IN      NS      b.root-servers.net.
.                       84604   IN      NS      c.root-servers.net.
.                       84604   IN      NS      d.root-servers.net.
.                       84604   IN      NS      e.root-servers.net.
.                       84604   IN      NS      f.root-servers.net.
.                       84604   IN      NS      g.root-servers.net.
.                       84604   IN      NS      h.root-servers.net.
.                       84604   IN      NS      i.root-servers.net.
.                       84604   IN      NS      j.root-servers.net.
.                       84604   IN      NS      k.root-servers.net.
.                       84604   IN      NS      l.root-servers.net.
.                       84604   IN      NS      m.root-servers.net.

;; Received 239 bytes from 127.0.0.1#53(127.0.0.1) in 0 ms

com.                    172800  IN      NS      i.gtld-servers.net.
com.                    172800  IN      NS      j.gtld-servers.net.
com.                    172800  IN      NS      k.gtld-servers.net.
com.                    172800  IN      NS      f.gtld-servers.net.
com.                    172800  IN      NS      b.gtld-servers.net.
com.                    172800  IN      NS      d.gtld-servers.net.
com.                    172800  IN      NS      a.gtld-servers.net.
com.                    172800  IN      NS      e.gtld-servers.net.
com.                    172800  IN      NS      c.gtld-servers.net.
com.                    172800  IN      NS      h.gtld-servers.net.
com.                    172800  IN      NS      m.gtld-servers.net.
com.                    172800  IN      NS      l.gtld-servers.net.
com.                    172800  IN      NS      g.gtld-servers.net.
;; Received 864 bytes from 192.36.148.17#53(i.root-servers.net) in 204 ms

mycarle.com.            172800  IN      NS      ns1.carle.com.
mycarle.com.            172800  IN      NS      ns2.carle.com.
couldn't get address for 'ns1.carle.com': not found
couldn't get address for 'ns2.carle.com': not found
dig: couldn't get address for 'ns1.carle.com': no more
[2.4.5-RELEASE][root@pfsense.theoltmanfamily.net]/root: 

I'm not sure why it couldn't get addresses for ns1 and ns2. As I said, from the outside, this works as expected.

johnpoz

@cnliberal well that explains why its failing for sure.. Can you query any of the gtld servers directly?

[21.05.1-RELEASE][admin@sg4860.local.lan]/root: dig @a.gtld-servers.net carle.com ns

; <<>> DiG 9.16.16 <<>> @a.gtld-servers.net carle.com ns
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49649
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 3
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;carle.com.                     IN      NS

;; AUTHORITY SECTION:
carle.com.              172800  IN      NS      ns1.carle.com.
carle.com.              172800  IN      NS      ns2.carle.com.

;; ADDITIONAL SECTION:
ns1.carle.com.          172800  IN      A       199.184.120.10
ns2.carle.com.          172800  IN      A       199.184.120.100

;; Query time: 33 msec
;; SERVER: 192.5.6.30#53(192.5.6.30)
;; WHEN: Tue Sep 28 15:40:31 CDT 2021
;; MSG SIZE  rcvd: 106

[21.05.1-RELEASE][admin@sg4860.local.lan]/root:

Not being able to query for ns of some domain, points to not being able to even talk to the gtld level servers.. Since that is where you would get their addresses from, see my query above.

This would be a bigger problem then just 1 domain.

A direct dig trace would take unbound and pfblocker, etc out of the path - since you would be just talking directly to all the servers. You would only pull roots from local unbound.

CNLiberal

@johnpoz

Looks like querying the name servers directly does work.

[2.4.5-RELEASE][root@pfsense.theoltmanfamily.net]/root: dig @a.gtld-servers.net carle.com ns

; <<>> DiG 9.14.12 <<>> @a.gtld-servers.net carle.com ns
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49044
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 3
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;carle.com.                     IN      NS

;; AUTHORITY SECTION:
carle.com.              172800  IN      NS      ns1.carle.com.
carle.com.              172800  IN      NS      ns2.carle.com.

;; ADDITIONAL SECTION:
ns1.carle.com.          172800  IN      A       199.184.120.10
ns2.carle.com.          172800  IN      A       199.184.120.100

;; Query time: 201 msec
;; SERVER: 192.5.6.30#53(192.5.6.30)
;; WHEN: Tue Sep 28 14:44:09 MDT 2021
;; MSG SIZE  rcvd: 106

[2.4.5-RELEASE][root@pfsense.theoltmanfamily.net]/root: 

johnpoz

@cnliberal ok so you can talk to that one, which is good.. You could try the others..

Try your trace with the -4 I used above, to take ipv6 out of the picture.. Its possible when you did the first trace maybe it failed trying to talk to gltd via ipv6?

Also try directly to query the ns1 and ns2 of carle.com, to validate you can actually talk to them.. Use the IP if you have to, etc.

CNLiberal

@johnpoz

I've tried querying the b.gtld server and I'm getting a successful resolution. I then tried querying the ns1.carle.com and it's IP, but get no response:

[2.4.5-RELEASE][root@pfsense.theoltmanfamily.net]/root: dig -4 @b.gtld-servers.net carle.com ns

; <<>> DiG 9.14.12 <<>> -4 @b.gtld-servers.net carle.com ns
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34366
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 3
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;carle.com.                     IN      NS

;; AUTHORITY SECTION:
carle.com.              172800  IN      NS      ns1.carle.com.
carle.com.              172800  IN      NS      ns2.carle.com.

;; ADDITIONAL SECTION:
ns1.carle.com.          172800  IN      A       199.184.120.10
ns2.carle.com.          172800  IN      A       199.184.120.100

;; Query time: 238 msec
;; SERVER: 192.33.14.30#53(192.33.14.30)
;; WHEN: Tue Sep 28 14:55:10 MDT 2021
;; MSG SIZE  rcvd: 106

[2.4.5-RELEASE][root@pfsense.theoltmanfamily.net]/root: dig @ns1.carle.com ns carle.com
dig: couldn't get address for 'ns1.carle.com': not found
[2.4.5-RELEASE][root@pfsense.theoltmanfamily.net]/root: dig @199.184.120.10 ns carle.com

; <<>> DiG 9.14.12 <<>> @199.184.120.10 ns carle.com
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached
[2.4.5-RELEASE][root@pfsense.theoltmanfamily.net]/root: dig @199.184.120.100 ns carle.com

; <<>> DiG 9.14.12 <<>> @199.184.120.100 ns carle.com
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached
[2.4.5-RELEASE][root@pfsense.theoltmanfamily.net]/root: dig @ns2.carle.com ns carle.com
dig: couldn't get address for 'ns2.carle.com': not found
[2.4.5-RELEASE][root@pfsense.theoltmanfamily.net]/root: 

johnpoz

@cnliberal So you can not talk directly to their name servers. Problem with connectivity then.. Could be peering issue with your ISP, could be routing issue - could be block upstream, etc..

Simple workaround for now - you can check later to see if connectivity is returned.. Is just setup a domain override for that specific domain.. for example

Then use dns lookup in diag to validate pfsense can resolve..

This tells unbound - hey if you need to lookup something in that domain - ask googledns, you could use your isp dns, or whatever other dns you want, say cloudflare, etc.

Problem you might have is connectivity problem to that whole network, since they seem to be on the same network as their name servers 199.184.120, so if you having problem talking to that network. Then possible even if you can look it up you can not get there.

edit: oh my bad your domain override should be for mycarle.com - but again.. They seem to be on the same network as the ns, so if you can not talk to the ns.. you prob can not get to the website either, even if you can look it up..

CNLiberal

@johnpoz

What's interesting is if I traceroute the 199.184.120.100 IP, the first IP hit is 10.1.110.1. I'm not sure what that is, as my network is a 10.0.0.0/20:

[2.4.5-RELEASE][root@pfsense.theoltmanfamily.net]/root: traceroute 199.184.120.100
traceroute to 199.184.120.100 (199.184.120.100), 64 hops max, 40 byte packets
 1  10.1.110.1 (10.1.110.1)  171.401 ms  174.149 ms  175.139 ms
 2  unn-143-244-55-254.datapacket.com (143.244.55.254)  172.262 ms  172.304 ms  171.684 ms
 3  be6206.ccr31.buh01.atlas.cogentco.com (149.6.50.81)  171.968 ms  172.827 ms  172.142 ms
 4  be3262.ccr31.bud01.atlas.cogentco.com (154.54.38.245)  183.770 ms  183.556 ms  184.761 ms
 5  be3261.ccr21.bts01.atlas.cogentco.com (130.117.3.137)  189.259 ms
    be3263.ccr22.bts01.atlas.cogentco.com (154.54.59.177)  190.207 ms
    be3261.ccr21.bts01.atlas.cogentco.com (130.117.3.137)  186.550 ms
 6  be2988.ccr51.vie01.atlas.cogentco.com (154.54.59.86)  190.060 ms
    be3463.ccr52.vie01.atlas.cogentco.com (154.54.59.185)  188.315 ms  189.341 ms
 7  be2974.ccr21.muc03.atlas.cogentco.com (154.54.58.5)  193.388 ms
    be3462.ccr22.muc03.atlas.cogentco.com (154.54.59.182)  194.559 ms
    be2974.ccr21.muc03.atlas.cogentco.com (154.54.58.5)  193.825 ms
 8  be2960.ccr42.fra03.atlas.cogentco.com (154.54.36.253)  200.969 ms  199.455 ms  199.248 ms
 9  be2813.ccr41.ams03.atlas.cogentco.com (130.117.0.121)  205.865 ms  205.938 ms  210.122 ms
10  be12488.ccr42.lon13.atlas.cogentco.com (130.117.51.41)  302.444 ms
    be12194.ccr41.lon13.atlas.cogentco.com (154.54.56.93)  315.861 ms
    be12488.ccr42.lon13.atlas.cogentco.com (130.117.51.41)  302.643 ms
11  be3627.ccr41.jfk02.atlas.cogentco.com (66.28.4.197)  305.662 ms
    be2490.ccr42.jfk02.atlas.cogentco.com (154.54.42.85)  302.000 ms  306.395 ms
12  be2889.ccr21.cle04.atlas.cogentco.com (154.54.47.49)  304.928 ms
    be2890.ccr22.cle04.atlas.cogentco.com (154.54.82.245)  301.623 ms
    be2889.ccr21.cle04.atlas.cogentco.com (154.54.47.49)  303.392 ms
13  be3043.ccr22.ymq01.atlas.cogentco.com (154.54.44.166)  311.022 ms
    be2718.ccr42.ord01.atlas.cogentco.com (154.54.7.129)  301.886 ms
    be2879.ccr22.cle04.atlas.cogentco.com (154.54.29.173)  305.511 ms
14  be2521.agr21.ord01.atlas.cogentco.com (154.54.80.254)  302.207 ms
    be2522.agr21.ord01.atlas.cogentco.com (154.54.81.62)  301.770 ms
    be3260.ccr32.yyz02.atlas.cogentco.com (154.54.42.89)  313.150 ms
15  te0-0-2-1.nr12.b010917-1.ord01.atlas.cogentco.com (154.24.64.26)  302.277 ms  301.634 ms
    be2522.agr21.ord01.atlas.cogentco.com (154.54.81.62)  304.195 ms
16  38.142.189.218 (38.142.189.218)  306.163 ms
    te0-0-2-1.nr12.b010917-1.ord01.atlas.cogentco.com (154.24.64.26)  302.129 ms
    38.142.189.218 (38.142.189.218)  302.507 ms
17  38.106.130.90 (38.106.130.90)  305.424 ms
    be2523.agr22.ord01.atlas.cogentco.com (154.54.81.102)  301.628 ms
    38.106.130.90 (38.106.130.90)  305.254 ms
18  38.106.130.90 (38.106.130.90)  310.162 ms
    te0-0-2-2.nr12.b010917-1.ord01.atlas.cogentco.com (154.24.64.30)  303.546 ms
    te0-0-2-1.nr12.b010917-1.ord01.atlas.cogentco.com (154.24.64.26)  308.624 ms
19  * * *
20  * * *
21  * * *
22  * * *

johnpoz

@cnliberal said in Unbound Not Resolving One Website:

the first IP hit is 10.1.110.1. I'm not sure what that is, as my network is a 10.0.0.0/20:

Well either your mistaken with what your network is.. Or your going out a vpn? your doing that from pfsense.. So that first hop would be your isp device IP.. Which could be anything.. What is the IP of pfsense wan?

is the /20 your lan network? When you traceroute from pfsense, the first hop would be its gateway..

Edit: keep in mind that device along the trace doesn't always have to answer with IP you would expect.. See here

That first 50.x.x.x hop is not my gateway, and see that 2nd hop freaking 10 address.. That clearly is not "correct" ;) But its inside the isp network - so could be..

My gateway is in the 64.x address

CNLiberal

@johnpoz BOOM. That was the answer. VPN! I have a VPN running and the IP I'm receiving is a 10.1.110.0 IP. I'm assuming that Unbound was using that VPN connection for some reason?? That sounds like something I'd do. I'll go down that path and let you know.

johnpoz

@cnliberal if your using a vpn - its quite possible said site blocks known vpn IPs.. Ransomware loves to target medical sites, etc. So yeah could see them blocking all known vpn, or bad rep ips, etc. etc. .

CNLiberal

@johnpoz That's exactly what I think. However, I'm not sure why DNS is going over that particular VPN. I'm not seeing explicit rules that reference that VPN Tunnel.

johnpoz

@cnliberal said in Unbound Not Resolving One Website:

I'm not seeing explicit rules that reference that VPN Tunnel.

You pull routes from vpn, it becomes default.. If you pull routes from multiple last one that connected would set as default..

Not just dns - from your traceroute you could see which default route you took.

CNLiberal

@johnpoz OK, I've checked the "Don't Pull Routes" from that VPN connection and things seem to be working correctly. I don't think this will affect any other connections I have. We shall see! Thank you VERY much for the assist!

johnpoz

@cnliberal if your actually policy routing the stuff you want to use the vpn, like a specific vlan, or specific devices IPs you should be fine.

But be aware - depending on how tight your tinfoil hat is, your dns is going to be leaking now ;) <rolleyes>

CNLiberal

@johnpoz This is true about DNS leakage. I'm not sure of a better way to accomplish certain internal IPs using the VPN for all traffic including DNS resolution. I do have policy routing in that I have certain IPs running over the VPN tunnel.

johnpoz

@cnliberal if your worried about specific clients - best to point them to specific dns that policy routes through your vpn.

If my tinfoil hat was that tight - I would run a different dns on my network where I point such clients, with a domain override to ask pfsense for local resources. That way queries from this dns could be policy routed out a vpn. Or even run multiple name servers on your network depending.. That either forward or resolve - either way makes it very easy to policy route their traffic when they actually on the network vs actually being pfsense.

If you run multiple ones you are also sure there is no cache sharing for different clients or different forwarders. With vm and dockers it really simple to spin up as many different copies of something that you might want to run, etc.

Spinning up say a pihole via docker is pretty simple - run 20 of those if you so desired on some box/nas/pi on your network with their own IPs and able to policy route whatever you want from anything, etc.

Just because pfsense runs unbound or bind. Doesn't mean it always makes sense to use that for everything - depending on your needs/wants.

Gertjan

@cnliberal

Check the domain name with https://www.zonemaster.net/domain_check.

The next time you 'rent' a domain name, check the quality of the registrar's services.
Issues like "ns1.carle.com" and "ns2.carle.com" are using the same AS, and are even in the same network. That's not ok.
You can correct this, by adding a third one (or remove the second and replace it for another, elsewhere). Slave DNS name services can be found for free on the Internet.

Issues like :

is also something that had to be dealt with, many years ago.

Who is this registrar, the local hobby club ? ;)

You're aware now that there are 13 'main root servers'. These know where to find all the top name severs, the ones know all about 'com', 'org', 'net', etc.
These top level name servers have many 'clones'.
The bottleneck are the (minimum) two domain name servers, your "ns1.carle.com" and "ns2.carle.com". These two have, of course, firewall rules that to filter out 'abuse'.
And guess what, what is the third reason why people use VPN's ? Right : to abuse a max.
( the third reason : just to loose some money, and the second : hiding their public WAN IP )
Which means : when you connect to your VPN, and you get an IP that was 'used' for some abusive activity, the IP will get blacklisted for a while.
At that moment, you, withthat VPN WAN IP, will have issues when resolving domain name that are registered (known to) "ns1.carle.com" and "ns2.carle.com".