Unbound doesn't resolve 1 query
-
Hey,
I got a problem on my network where Unbound couldn't resolve a specific hostname, "idp.iamfas.belgium.be". This site is part of the verification chain for logging in to your personal information like taxes, healthcare, etc. For a while I couldn't find out why I could not access these sites. Now I have finally narrowed it down to Unbound not resolving "idp.iamfas.belgium.be"; only via a hotspot on my iPhone could I access these sites.
A little workaround for now is to put this in Unbound as a host override.
Why would Unbound not resolve this? In my experience this is the only site that does not work. I don't have pfBlockerNG nor an IDS/IPS like Snort/Suricata running.
-
- Are you using pfblocker
- What are you using as an upstream dns server?
-
How about other sites, do they resolve?
What response do you get directly from the pfSense "Diagnostics / DNS Lookup" page? (without your "work around" added of course)
What mode (configuration) do you have unbound setup?
that lookup works here.
-
@Nan0tEch yeah works here
; <<>> DiG 9.18.19-1+ubuntu22.04.1+isc+1-Ubuntu <<>> idp.iamfas.belgium.be
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24656
;; flags: qr rd ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;idp.iamfas.belgium.be. IN A

;; ANSWER SECTION:
idp.iamfas.belgium.be. 0 IN A 193.191.245.173

;; Query time: 519 msec
;; SERVER: 172.29.64.1#53(172.29.64.1) (UDP)
;; WHEN: Thu Oct 19 07:59:24 CDT 2023
;; MSG SIZE rcvd: 76

Are you actually resolving with unbound, or did you set it up to forward? If you forward with it, you should really turn off the DNSSEC check box; this can be problematic. When you forward, where you forward to either does DNSSEC already or it doesn't; having it checked in unbound when you forward is going to be very problematic.
I would do a dig +trace on pfSense to see where it is having a problem, if it is actually resolving.
[23.05.1-RELEASE][admin@sg4860.local.lan]/root: dig idp.iamfas.belgium.be +trace

; <<>> DiG 9.18.13 <<>> idp.iamfas.belgium.be +trace
;; global options: +cmd
. 1796 IN NS g.root-servers.net.
. 1796 IN NS h.root-servers.net.
. 1796 IN NS f.root-servers.net.
. 1796 IN NS i.root-servers.net.
. 1796 IN NS b.root-servers.net.
. 1796 IN NS c.root-servers.net.
. 1796 IN NS j.root-servers.net.
. 1796 IN NS m.root-servers.net.
. 1796 IN NS l.root-servers.net.
. 1796 IN NS k.root-servers.net.
. 1796 IN NS d.root-servers.net.
. 1796 IN NS a.root-servers.net.
. 1796 IN NS e.root-servers.net.
. 1796 IN RRSIG NS 8 0 518400 20231101050000 20231019040000 46780 . IukOurYUtYm8lf2n1cQMmEIRMNbLOwVl8QchZqSsYU6zC84W+eN3zxjd WrtL17WM2wlDubrZXN4S67kf3LW29NGA1z+dWmjaguhT994CNAYRVjIw rp+gKASLCFzfvo4xloNdmqGXT+OCxKql7VZcDWmykkegsKYZemsA72Mz N33Vpe6HZ+Ms9ILnerXXIgp6V7jcIlgmliuC0lw1oog9gN5Oz26BA7BA xZizfDsut5F/w5rlCjYBvPgEmsch/x8wa+zVKxzmPblMsSTnRdykOgYz sMmGAvXkqLiybvr2WrLVb6Cq0/LrkCrb6rgmHNOA1IUHDKexQVFZinBl CRw2GQ==
;; Received 525 bytes from 127.0.0.1#53(127.0.0.1) in 1 ms

be. 172800 IN NS a.nsset.be.
be. 172800 IN NS b.nsset.be.
be. 172800 IN NS c.nsset.be.
be. 172800 IN NS d.nsset.be.
be. 172800 IN NS y.nsset.be.
be. 172800 IN NS z.nsset.be.
be. 86400 IN DS 12664 8 2 75141E9B1188A95A7A855BF47E278A742A5E3F2DDEED8E995D749D48 F2F0E72D
be. 86400 IN DS 52756 8 2 5485AC33DD7C7ED237EA2A4BD269731C816960FE181042024484B5CE CA6ECC9F
be. 86400 IN RRSIG DS 8 1 86400 20231101050000 20231019040000 46780 . wLmCC1YLIQviN84a4es1UAlPJ74HLkH/o5zt73ANunp1QIb8rWDyClzC Fu3AdeKH5TGkY90vNzI05l1gMOItlaSDmUjrH9GCxPsuWgVr+wBENdGO FNECl8NLVSVaCyzyVM8iIGcH4yMpQnx1L1CV9gh1bPu+SanXL19ry2w3 Ih1syzjnn/L7EATofm3+khlw6kmxB7rQZMtiOMJscrgbLNo+k8N0DvDb s0U/iByFi8nMCrEh4aCUQffypQiPgMSVx49umkLVuJtOiayYafnN21RU easp658XISS5L2qNGaFtwrdMBT1AHmBmhgj5lsCne4a/rNMOuzsQUOY4 ihXx4Q==
;; Received 799 bytes from 192.58.128.30#53(j.root-servers.net) in 8 ms

belgium.be. 86400 IN NS dns1w.fgov.be.
belgium.be. 86400 IN NS dns2s.belgium.be.
belgium.be. 86400 IN NS dns3a.westeurope.cloudapp.azure.com.
belgium.be. 86400 IN DS 53104 8 2 2791CCD511ACEBDFB5E17C8571A23F92ED7EBF0B9469369C5F8F9984 B377D96D
belgium.be. 86400 IN RRSIG DS 8 2 86400 20231109133608 20231018232401 39561 be. q5g3d1LT0ymHEMMSS/MAE0VjDWzT5BEUcGUyjjbud8TjejaHXwvYE/2O fwoaWzAO/Kw4WpOzDXzHfaxLtaWmJHzb0c5L5IV7VhN+8p/0mJ/rnqS6 YzTSOaxWcNGLmIbVKb3M8NkMJ41rnPGydPlc9l8x0tJzq5kQJw/zKhwc MQY=
;; Received 442 bytes from 194.0.44.1#53(d.nsset.be) in 155 ms

iamfas.belgium.be. 14400 IN NS dnsintera.fediap.be.
iamfas.belgium.be. 14400 IN NS dnsinterb.fediap.be.
21U7EA1A4OGIII8E67S2UN5JRO9MUTIE.belgium.be. 900 IN NSEC3 1 0 10 8812FCCE89325928251E0F 22BE99BFM4CHTNMRLSID2I6PTN9ME75Q NS
21U7EA1A4OGIII8E67S2UN5JRO9MUTIE.belgium.be. 900 IN RRSIG NSEC3 8 3 900 20231023074503 20231019072905 53178 belgium.be. Mv2kYYTxRN8HIiieUwedr+bZff+ON3WdMckme+XzBO4T3bmRVwP+mSuk IYHAXCx/+CGkg/OJinX++CwKYoDLOFwZhjdrW4bpMTiAUCmdm+siGm+l 5vDqy9tgxFlfKdOZuS2Ue/6DW2k05PgWMl8G/gulYnKDpVBrmRuwsZnm y6SIRM4bUqfPvze6QuuQdPd215iURMz0MUs1vqBkoQVdz3p0+YrHogUK buqvyjaTeVN7xsa9T+qQjJOMXjHY8BMprQQwRF7xVis1B5CDn1G3TIGI +oh2UJE8bZXd+Odc0hmk3Eou9JiTGInsGfIolZzf4OlqNpjGQvBo4DdT D7PCoQ==
;; Received 516 bytes from 193.191.212.2#53(dns1w.fgov.be) in 111 ms

idp.iamfas.belgium.be. 14400 IN A 193.191.245.173
iamfas.belgium.be. 3600 IN NS dnsinterc.fediap.eu.
iamfas.belgium.be. 3600 IN NS dnsinterb.fediap.be.
iamfas.belgium.be. 3600 IN NS dnsintera.fediap.be.
;; Received 286 bytes from 2a01:690:7:101::af11#53(dnsintera.fediap.be) in 128 ms
[23.05.1-RELEASE][admin@sg4860.local.lan]/root:
-
@michmoor said in Unbound doesn't resolve 1 query:
- Are you using pfblocker
- What are you using as an upstream dns server?
- Nope pfblocker is installed but not running.
- Unbound is using the root servers.
I have removed the host override and used the command
dig idp.iamfas.belgium.be +trace on the pfSense command prompt page. Now it resolves the IP address?!
While thinking about the problem I think I get it: the government sites don't like it when I am using my VPN, and unbound is also using my VPN connection for its outgoing communication. When I set unbound to use only WAN, it works. Maybe the DNS servers from belgium.be are checking if I use a VPN while resolving the query and denying the request.
; <<>> DiG 9.18.14 <<>> idp.iamfas.belgium.be +trace
;; global options: +cmd
. 86277 IN NS g.root-servers.net.
. 86277 IN NS h.root-servers.net.
. 86277 IN NS k.root-servers.net.
. 86277 IN NS j.root-servers.net.
. 86277 IN NS i.root-servers.net.
. 86277 IN NS d.root-servers.net.
. 86277 IN NS e.root-servers.net.
. 86277 IN NS b.root-servers.net.
. 86277 IN NS m.root-servers.net.
. 86277 IN NS l.root-servers.net.
. 86277 IN NS c.root-servers.net.
. 86277 IN NS a.root-servers.net.
. 86277 IN NS f.root-servers.net.
. 86277 IN RRSIG NS 8 0 518400 20231101140000 20231019130000 46780 . uZvJYdFE+YQcCHkU0fx9doyn2S4TbWQa3iHBkVtohfTbCLwWKukoKJUE zU+D35/TrT5lKvpkX7Os7eKbyOlbghuwLBrlgqLrM6c+N3d/PKWMA2a5 xfItQwFNQ5Pnaz7FFAITXZJj9Kxkzk5Dce2HFET2pooHh9cLlxQrQc+7 aUbRCcmweVjt/AhqpYghB+OpiEPhTcDfmGARhxy9zsi9LmW/k/7RWeGF ryPlsUJnJbYYQorcc6nsaQ2I/+4YbSitWw8HEUfGoBqX6WvfTAbIr3Rj 6EI3ce415Oj1/W5UOTllXksGYzJkz7BFoQlyp2OZVjTaesn0dQy6VkBI yJbCKg==
;; Received 525 bytes from 127.0.0.1#53(127.0.0.1) in 0 ms

be. 172800 IN NS d.nsset.be.
be. 172800 IN NS c.nsset.be.
be. 172800 IN NS y.nsset.be.
be. 172800 IN NS b.nsset.be.
be. 172800 IN NS z.nsset.be.
be. 172800 IN NS a.nsset.be.
be. 86400 IN DS 12664 8 2 75141E9B1188A95A7A855BF47E278A742A5E3F2DDEED8E995D749D48 F2F0E72D
be. 86400 IN DS 52756 8 2 5485AC33DD7C7ED237EA2A4BD269731C816960FE181042024484B5CE CA6ECC9F
be. 86400 IN RRSIG DS 8 1 86400 20231101140000 20231019130000 46780 . AbEfgVHGufRzO2hbQHy8fwFOWHckdel8UIracOCRmkm2se8Dz28N+lHQ dsq4lgYwHuyhRqSdzgkAP6wLpwO0pBt0CrGKk87bnJ/Y2BW0/ATmQTKv t1CDNwvH1m8k8oN1wY1Oct9BvwVnyhPQkWN3aci+vgGK7s07QurlLLae BaGs55YniR2A31av3lbw/WDmZst+s9KQT3Tb79tqSd6L4hQb1uuH8Hi8 rp2uag9zpoICakh/RfNOG0Yp+jvqn2BAvds27VVkm4LWc5g0lNwnMnSC 63XPKrgcq41i9/wg+yP9hVU3gAsnYisYiLQVakB7dtYCL4UcMj5gZKyz 3EvRgg==
;; Received 799 bytes from 198.41.0.4#53(a.root-servers.net) in 30 ms

belgium.be. 86400 IN NS dns1w.fgov.be.
belgium.be. 86400 IN NS dns2s.belgium.be.
belgium.be. 86400 IN NS dns3a.westeurope.cloudapp.azure.com.
belgium.be. 86400 IN DS 53104 8 2 2791CCD511ACEBDFB5E17C8571A23F92ED7EBF0B9469369C5F8F9984 B377D96D
belgium.be. 86400 IN RRSIG DS 8 2 86400 20231109133608 20231018232401 39561 be. q5g3d1LT0ymHEMMSS/MAE0VjDWzT5BEUcGUyjjbud8TjejaHXwvYE/2O fwoaWzAO/Kw4WpOzDXzHfaxLtaWmJHzb0c5L5IV7VhN+8p/0mJ/rnqS6 YzTSOaxWcNGLmIbVKb3M8NkMJ41rnPGydPlc9l8x0tJzq5kQJw/zKhwc MQY=
;; Received 442 bytes from 194.0.43.1#53(c.nsset.be) in 37 ms

;; UDP setup with 2001:6a8:8e00:2::2000#53(2001:6a8:8e00:2::2000) for idp.iamfas.belgium.be failed: host unreachable.
;; UDP setup with 2001:6a8:8e00:2::2000#53(2001:6a8:8e00:2::2000) for idp.iamfas.belgium.be failed: host unreachable.
;; UDP setup with 2001:6a8:8e00:2::2000#53(2001:6a8:8e00:2::2000) for idp.iamfas.belgium.be failed: host unreachable.
;; UDP setup with 2001:6a8:8e00:2::1000#53(2001:6a8:8e00:2::1000) for idp.iamfas.belgium.be failed: host unreachable.
iamfas.belgium.be. 14400 IN NS dnsintera.fediap.be.
iamfas.belgium.be. 14400 IN NS dnsinterb.fediap.be.
21U7EA1A4OGIII8E67S2UN5JRO9MUTIE.belgium.be. 900 IN NSEC3 1 0 10 8812FCCE89325928251E0F 22BE99BFM4CHTNMRLSID2I6PTN9ME75Q NS
21U7EA1A4OGIII8E67S2UN5JRO9MUTIE.belgium.be. 900 IN RRSIG NSEC3 8 3 900 20231023074503 20231019072905 53178 belgium.be. Mv2kYYTxRN8HIiieUwedr+bZff+ON3WdMckme+XzBO4T3bmRVwP+mSuk IYHAXCx/+CGkg/OJinX++CwKYoDLOFwZhjdrW4bpMTiAUCmdm+siGm+l 5vDqy9tgxFlfKdOZuS2Ue/6DW2k05PgWMl8G/gulYnKDpVBrmRuwsZnm y6SIRM4bUqfPvze6QuuQdPd215iURMz0MUs1vqBkoQVdz3p0+YrHogUK buqvyjaTeVN7xsa9T+qQjJOMXjHY8BMprQQwRF7xVis1B5CDn1G3TIGI +oh2UJE8bZXd+Odc0hmk3Eou9JiTGInsGfIolZzf4OlqNpjGQvBo4DdT D7PCoQ==
;; Received 516 bytes from 193.191.213.2#53(dns2s.belgium.be) in 26 ms

idp.iamfas.belgium.be. 14400 IN A 193.191.245.173
iamfas.belgium.be. 3600 IN NS dnsintera.fediap.be.
iamfas.belgium.be. 3600 IN NS dnsinterb.fediap.be.
iamfas.belgium.be. 3600 IN NS dnsinterc.fediap.eu.
;; Received 286 bytes from 85.91.175.50#53(dnsinterb.fediap.be) in 22 ms
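Added example, not code from this thread or from pfSense/Unbound: a small parser for dig +trace output of the kind posted above (johnpoz's suggested check and the trace just shown). It splits the run into delegation hops and flags the ";; UDP setup ... failed" lines dig prints when a transport to a nameserver is unreachable, so the hop where resolution breaks is visible at a glance. SAMPLE_TRACE is a constructed, shortened trace; its server IPs are documentation placeholders.

```python
import re

# Constructed sample modelled on the traces in this thread (not copied from them): root referral,
# TLD hop, a zone hop where IPv6 transport failed before an IPv4 server answered, final answer.
SAMPLE_TRACE = """\
. 1796 IN NS a.root-servers.net.
;; Received 525 bytes from 127.0.0.1#53(127.0.0.1) in 1 ms
be. 172800 IN NS a.nsset.be.
;; Received 799 bytes from 192.0.2.10#53(j.root-servers.net) in 8 ms
belgium.be. 86400 IN NS dns1w.fgov.be.
;; Received 442 bytes from 192.0.2.20#53(d.nsset.be) in 155 ms
;; UDP setup with 2001:db8::2000#53(2001:db8::2000) for idp.iamfas.belgium.be failed: host unreachable.
iamfas.belgium.be. 14400 IN NS dnsintera.fediap.be.
;; Received 516 bytes from 192.0.2.30#53(dns2s.belgium.be) in 26 ms
idp.iamfas.belgium.be. 14400 IN A 193.191.245.173
;; Received 286 bytes from 192.0.2.40#53(dnsinterb.fediap.be) in 22 ms
"""

RECEIVED = re.compile(r"^;; Received (\d+) bytes from (\S+)#\d+\((\S+)\) in (\d+) ms")
FAILED = re.compile(r"^;; (\S+) setup with (\S+)#\d+\(\S+\) for \S+ failed: (.+?)\.?$")

def parse_trace(text):
    """Split dig +trace output into hops; a hop ends at its ';; Received ... from' line."""
    hops, records, failures = [], [], []
    for line in text.splitlines():
        line = line.strip()
        m = RECEIVED.match(line)
        if m:  # close the hop: who answered, latency, what it returned, failures before it
            hops.append({"server": m.group(3), "ip": m.group(2), "ms": int(m.group(4)),
                         "owner": records[0][0] if records else "?",
                         "rrtypes": {r[1] for r in records}, "failures": failures})
            records, failures = [], []
            continue
        m = FAILED.match(line)
        if m:
            failures.append(f"{m.group(1)} to {m.group(2)}: {m.group(3)}")
            continue
        fields = line.split()
        if not line.startswith(";") and len(fields) >= 4 and fields[2] == "IN":
            records.append((fields[0], fields[3]))  # (owner name, RR type)
    return hops

def diagnose(text, qname):
    """Report whether the chain reached an address answer for qname and where transports failed."""
    qname = qname.rstrip(".") + "."  # dig prints owner names fully qualified
    hops = parse_trace(text)
    answered = any(h["owner"] == qname and h["rrtypes"] & {"A", "AAAA", "CNAME"} for h in hops)
    broken = [(h["server"], h["failures"]) for h in hops if h["failures"]]
    return {"hops": len(hops), "answered": answered, "transport_failures": broken}
```

Feed it the real output of `dig <name> +trace` run on the pfSense shell; a chain that ends without an answer for the name, or a hop whose failures list only shows the VPN-side address family, points at the outgoing interface rather than at Unbound's cache.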
-
@Nan0tEch said in Unbound doesn't resolve 1 query:
checking if i use a vpn while resolving the query and denying the request.
This is quite possible for sure..