Netgate Discussion Forum

    23.01 breaks DNS resolver and pFblocker

General pfSense Questions
    Gertjan @llebgrate

      @llebgrate said in 23.01 breaks DNS resolver and pFblocker:

      I actually just caught it again. An entire page filled with these:

      Mar 6 20:18:33 unbound 84264 [84264:0] info: failed to prime trust anchor -- DNSKEY rrset is not secure . DNSKEY IN

      Before unbound is started, some housekeeping is done.
      unbound is started with a single command that asks it to download a copy of the DNSSEC root key file. Here you can see that file, at the top.
      One of the tasks is: prepare a good known copy of the root DNSKEY, id 20326 (for now, as it can change when needed).

      The thing is, and this is probably your real issue:
      It can't!!
      This means your unbound isn't able to download a small file, a 1 kilobyte file (here it is), from the Internet.
      That's not promising. Why would it have to try many times?
      This smells of 'uplink issues'.

      When you see:

      info: generate keytag query _ta-4f66. NULL IN

      you know the root key file has been downloaded successfully.
      Because hex 4f66 is 20326 decimal, the key ID.

      @llebgrate: good news: because you are forwarding, you have to trust the resolver you are forwarding to, so you can disable DNSSEC.
      Still, it might be worthwhile to find out why unbound has issues getting 'stuff' from the Internet.
      Something is impacting the traffic that was generated by unbound. That's your DNS traffic; it's not much, but very important.

      No "help me" PM's please. Use the forum, the community will thank you.
      Edit: and where are the logs??

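As an added illustration of the two unbound log lines Gertjan describes (example code, not from the thread, pfSense or unbound), a small checker that counts trust-anchor priming failures and decodes the `_ta-` keytag label (RFC 8145 trust anchor signaling) into the decimal key ID. The log lines below are constructed samples modelled on the quoted ones.

```python
import re

# Constructed sample unbound log lines, modelled on the ones quoted in the thread.
SAMPLE_LOG = """\
Mar 6 20:18:33 unbound 84264 [84264:0] info: failed to prime trust anchor -- DNSKEY rrset is not secure . DNSKEY IN
Mar 6 20:18:34 unbound 84264 [84264:0] info: failed to prime trust anchor -- DNSKEY rrset is not secure . DNSKEY IN
Mar 6 20:20:01 unbound 84264 [84264:0] info: generate keytag query _ta-4f66. NULL IN
"""

# Priming failure: unbound could not validate/fetch the root DNSKEY set.
PRIME_FAIL = re.compile(r"failed to prime trust anchor")
# Keytag query: emitted once a trust anchor is in use; the label carries one or
# more 4-hex-digit key tags separated by '-' (RFC 8145 section 5.1 format).
KEYTAG_QUERY = re.compile(r"generate keytag query _ta-([0-9a-f]{4}(?:-[0-9a-f]{4})*)\.", re.I)


def keytags_from_label(label: str) -> list[int]:
    """Decode '4f66' or '4f66-4a5c' into decimal DNSKEY key IDs."""
    return [int(part, 16) for part in label.split("-")]


def analyse(log_text: str) -> dict:
    """Summarise priming health from raw unbound log text."""
    failures = 0
    keytags: list[int] = []
    for line in log_text.splitlines():
        if PRIME_FAIL.search(line):
            failures += 1
        match = KEYTAG_QUERY.search(line)
        if match:
            keytags.extend(keytags_from_label(match.group(1)))
    # A keytag query means the root key file was obtained and a trust anchor is active.
    return {"prime_failures": failures, "keytags": keytags, "root_key_ok": bool(keytags)}


if __name__ == "__main__":
    print(analyse(SAMPLE_LOG))
```

Repeated `prime_failures` with no keytag query in the same window is the pattern Gertjan reads as unbound being unable to reach the Internet.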
      llebgrate @Gertjan

        @gertjan appreciate the detailed reply.

        After some diagnostics on my end, it does not appear to be DNSSEC settings (I've re-enabled it w/out issue) but rather the Use SSL/TLS for outgoing DNS Queries to Forwarding Servers. I currently use Google DNS (8.8.8.8/8.8.4.4 > dns.google) and have not had any issues in many years with this enabled so not sure what happened since the upgrade. I have read that this setting is generally incompatible with DNSSEC, so I've unchecked both for now and everything is working just fine.


        stephenw10 Netgate Administrator

          Generally you would not have DNSSec enabled with DoT, but only because you will be in forwarding mode for DoT. You should be able to use them together, but it's likely far less tested because there's little point.

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.