Netgate Discussion Forum
    Unbound doesn't resolve 1 query

    • N
      Nan0tEch
      last edited by

      Hey,

      I got a problem on my network where Unbound couldn't resolve a specific hostname, "idp.iamfas.belgium.be". This site is part of the verification chain for logging in to your personal information like taxes, healthcare, etc. For a while I couldn't find why I could not access these sites. Now I finally narrowed it down to Unbound not resolving "idp.iamfas.belgium.be"; only via a hotspot on my iPhone could I access these sites.

      A little workaround for now is to put this in Unbound as a host override.

      Why would Unbound not resolve this? In my experience this is the only site that does not work. I don't have pfBlockerNG nor IDS/IPS like Snort/Suricata running.

      M johnpozJ 2 Replies Last reply Reply Quote 0
      • M
        michmoor LAYER 8 Rebel Alliance @Nan0tEch
        last edited by

        @Nan0tEch

        1. Are you using pfblocker?
        2. What are you using as an upstream dns server?

        Firewall: NetGate,Palo Alto-VM,Juniper SRX
        Routing: Juniper, Arista, Cisco
        Switching: Juniper, Arista, Cisco
        Wireless: Unifi, Aruba IAP
        JNCIP,CCNP Enterprise

        N 1 Reply Last reply Reply Quote 0
        • J
          jrey
          last edited by

          @Nan0tEch

          How about other sites, do they resolve?

          What response do you get directly from the pfSense "Diagnostics / DNS Lookup" page? (without your "work around" added of course)

          What mode (configuration) do you have Unbound set up in?

          That lookup works here.

          1 Reply Last reply Reply Quote 0
          • johnpozJ
            johnpoz LAYER 8 Global Moderator @Nan0tEch
            last edited by

            @Nan0tEch yeah works here

            ; <<>> DiG 9.18.19-1+ubuntu22.04.1+isc+1-Ubuntu <<>> idp.iamfas.belgium.be
            ;; global options: +cmd
            ;; Got answer:
            ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24656
            ;; flags: qr rd ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
            ;; WARNING: recursion requested but not available

            ;; QUESTION SECTION:
            ;idp.iamfas.belgium.be. IN A

            ;; ANSWER SECTION:
            idp.iamfas.belgium.be. 0 IN A 193.191.245.173

            ;; Query time: 519 msec
            ;; SERVER: 172.29.64.1#53(172.29.64.1) (UDP)
            ;; WHEN: Thu Oct 19 07:59:24 CDT 2023
            ;; MSG SIZE rcvd: 76

            Are you actually resolving with unbound, or did you set it up to forward? If you forward with it, you should really turn off the DNSSEC check box; this can be problematic. When you forward, where you forward either does DNSSEC already, or it doesn't; having it checked in unbound when you forward is going to be very problematic.

            I would do a dig +trace on pfSense, to see where you're having a problem if actually resolving.

            [23.05.1-RELEASE][admin@sg4860.local.lan]/root: dig idp.iamfas.belgium.be +trace
            
            ; <<>> DiG 9.18.13 <<>> idp.iamfas.belgium.be +trace
            ;; global options: +cmd
            .                       1796    IN      NS      g.root-servers.net.
            .                       1796    IN      NS      h.root-servers.net.
            .                       1796    IN      NS      f.root-servers.net.
            .                       1796    IN      NS      i.root-servers.net.
            .                       1796    IN      NS      b.root-servers.net.
            .                       1796    IN      NS      c.root-servers.net.
            .                       1796    IN      NS      j.root-servers.net.
            .                       1796    IN      NS      m.root-servers.net.
            .                       1796    IN      NS      l.root-servers.net.
            .                       1796    IN      NS      k.root-servers.net.
            .                       1796    IN      NS      d.root-servers.net.
            .                       1796    IN      NS      a.root-servers.net.
            .                       1796    IN      NS      e.root-servers.net.
            .                       1796    IN      RRSIG   NS 8 0 518400 20231101050000 20231019040000 46780 . IukOurYUtYm8lf2n1cQMmEIRMNbLOwVl8QchZqSsYU6zC84W+eN3zxjd WrtL17WM2wlDubrZXN4S67kf3LW29NGA1z+dWmjaguhT994CNAYRVjIw rp+gKASLCFzfvo4xloNdmqGXT+OCxKql7VZcDWmykkegsKYZemsA72Mz N33Vpe6HZ+Ms9ILnerXXIgp6V7jcIlgmliuC0lw1oog9gN5Oz26BA7BA xZizfDsut5F/w5rlCjYBvPgEmsch/x8wa+zVKxzmPblMsSTnRdykOgYz sMmGAvXkqLiybvr2WrLVb6Cq0/LrkCrb6rgmHNOA1IUHDKexQVFZinBl CRw2GQ==
            ;; Received 525 bytes from 127.0.0.1#53(127.0.0.1) in 1 ms
            
            be.                     172800  IN      NS      a.nsset.be.
            be.                     172800  IN      NS      b.nsset.be.
            be.                     172800  IN      NS      c.nsset.be.
            be.                     172800  IN      NS      d.nsset.be.
            be.                     172800  IN      NS      y.nsset.be.
            be.                     172800  IN      NS      z.nsset.be.
            be.                     86400   IN      DS      12664 8 2 75141E9B1188A95A7A855BF47E278A742A5E3F2DDEED8E995D749D48 F2F0E72D
            be.                     86400   IN      DS      52756 8 2 5485AC33DD7C7ED237EA2A4BD269731C816960FE181042024484B5CE CA6ECC9F
            be.                     86400   IN      RRSIG   DS 8 1 86400 20231101050000 20231019040000 46780 . wLmCC1YLIQviN84a4es1UAlPJ74HLkH/o5zt73ANunp1QIb8rWDyClzC Fu3AdeKH5TGkY90vNzI05l1gMOItlaSDmUjrH9GCxPsuWgVr+wBENdGO FNECl8NLVSVaCyzyVM8iIGcH4yMpQnx1L1CV9gh1bPu+SanXL19ry2w3 Ih1syzjnn/L7EATofm3+khlw6kmxB7rQZMtiOMJscrgbLNo+k8N0DvDb s0U/iByFi8nMCrEh4aCUQffypQiPgMSVx49umkLVuJtOiayYafnN21RU easp658XISS5L2qNGaFtwrdMBT1AHmBmhgj5lsCne4a/rNMOuzsQUOY4 ihXx4Q==
            ;; Received 799 bytes from 192.58.128.30#53(j.root-servers.net) in 8 ms
            
            belgium.be.             86400   IN      NS      dns1w.fgov.be.
            belgium.be.             86400   IN      NS      dns2s.belgium.be.
            belgium.be.             86400   IN      NS      dns3a.westeurope.cloudapp.azure.com.
            belgium.be.             86400   IN      DS      53104 8 2 2791CCD511ACEBDFB5E17C8571A23F92ED7EBF0B9469369C5F8F9984 B377D96D
            belgium.be.             86400   IN      RRSIG   DS 8 2 86400 20231109133608 20231018232401 39561 be. q5g3d1LT0ymHEMMSS/MAE0VjDWzT5BEUcGUyjjbud8TjejaHXwvYE/2O fwoaWzAO/Kw4WpOzDXzHfaxLtaWmJHzb0c5L5IV7VhN+8p/0mJ/rnqS6 YzTSOaxWcNGLmIbVKb3M8NkMJ41rnPGydPlc9l8x0tJzq5kQJw/zKhwc MQY=
            ;; Received 442 bytes from 194.0.44.1#53(d.nsset.be) in 155 ms
            
            iamfas.belgium.be.      14400   IN      NS      dnsintera.fediap.be.
            iamfas.belgium.be.      14400   IN      NS      dnsinterb.fediap.be.
            21U7EA1A4OGIII8E67S2UN5JRO9MUTIE.belgium.be. 900 IN NSEC3 1 0 10 8812FCCE89325928251E0F 22BE99BFM4CHTNMRLSID2I6PTN9ME75Q NS
            21U7EA1A4OGIII8E67S2UN5JRO9MUTIE.belgium.be. 900 IN RRSIG NSEC3 8 3 900 20231023074503 20231019072905 53178 belgium.be. Mv2kYYTxRN8HIiieUwedr+bZff+ON3WdMckme+XzBO4T3bmRVwP+mSuk IYHAXCx/+CGkg/OJinX++CwKYoDLOFwZhjdrW4bpMTiAUCmdm+siGm+l 5vDqy9tgxFlfKdOZuS2Ue/6DW2k05PgWMl8G/gulYnKDpVBrmRuwsZnm y6SIRM4bUqfPvze6QuuQdPd215iURMz0MUs1vqBkoQVdz3p0+YrHogUK buqvyjaTeVN7xsa9T+qQjJOMXjHY8BMprQQwRF7xVis1B5CDn1G3TIGI +oh2UJE8bZXd+Odc0hmk3Eou9JiTGInsGfIolZzf4OlqNpjGQvBo4DdT D7PCoQ==
            ;; Received 516 bytes from 193.191.212.2#53(dns1w.fgov.be) in 111 ms
            
            idp.iamfas.belgium.be.  14400   IN      A       193.191.245.173
            iamfas.belgium.be.      3600    IN      NS      dnsinterc.fediap.eu.
            iamfas.belgium.be.      3600    IN      NS      dnsinterb.fediap.be.
            iamfas.belgium.be.      3600    IN      NS      dnsintera.fediap.be.
            ;; Received 286 bytes from 2a01:690:7:101::af11#53(dnsintera.fediap.be) in 128 ms
            
            [23.05.1-RELEASE][admin@sg4860.local.lan]/root: 
            

            An intelligent man is sometimes forced to be drunk to spend time with his fools
            If you get confused: Listen to the Music Play
            Please don't Chat/PM me for help, unless mod related
            SG-4860 24.11 | Lab VMs 2.8, 24.11

            1 Reply Last reply Reply Quote 0
            • N
              Nan0tEch @michmoor
              last edited by

              @michmoor said in Unbound doesn't resolve 1 query:

              @Nan0tEch

              1. Are you using pfblocker
              2. What are you using as an upstream dns server?

              1. Nope, pfblocker is installed but not running.
              2. Unbound is using the root servers.

              @johnpoz

              I have removed the host override and used the command
              dig idp.iamfas.belgium.be +trace on the pfSense command prompt page.

              Now it resolves the IP address?!

              While thinking about the problem, I think I get it: the government sites don't like it when I am using my VPN. Unbound is also using my VPN connection for its outgoing communication. When I set Unbound to use only WAN, it works. Maybe the DNS servers from belgium.be are checking if I use a VPN while resolving the query and denying the request.

              ; <<>> DiG 9.18.14 <<>> idp.iamfas.belgium.be +trace
              ;; global options: +cmd
              .			86277	IN	NS	g.root-servers.net.
              .			86277	IN	NS	h.root-servers.net.
              .			86277	IN	NS	k.root-servers.net.
              .			86277	IN	NS	j.root-servers.net.
              .			86277	IN	NS	i.root-servers.net.
              .			86277	IN	NS	d.root-servers.net.
              .			86277	IN	NS	e.root-servers.net.
              .			86277	IN	NS	b.root-servers.net.
              .			86277	IN	NS	m.root-servers.net.
              .			86277	IN	NS	l.root-servers.net.
              .			86277	IN	NS	c.root-servers.net.
              .			86277	IN	NS	a.root-servers.net.
              .			86277	IN	NS	f.root-servers.net.
              .			86277	IN	RRSIG	NS 8 0 518400 20231101140000 20231019130000 46780 . uZvJYdFE+YQcCHkU0fx9doyn2S4TbWQa3iHBkVtohfTbCLwWKukoKJUE zU+D35/TrT5lKvpkX7Os7eKbyOlbghuwLBrlgqLrM6c+N3d/PKWMA2a5 xfItQwFNQ5Pnaz7FFAITXZJj9Kxkzk5Dce2HFET2pooHh9cLlxQrQc+7 aUbRCcmweVjt/AhqpYghB+OpiEPhTcDfmGARhxy9zsi9LmW/k/7RWeGF ryPlsUJnJbYYQorcc6nsaQ2I/+4YbSitWw8HEUfGoBqX6WvfTAbIr3Rj 6EI3ce415Oj1/W5UOTllXksGYzJkz7BFoQlyp2OZVjTaesn0dQy6VkBI yJbCKg==
              ;; Received 525 bytes from 127.0.0.1#53(127.0.0.1) in 0 ms
              
              be.			172800	IN	NS	d.nsset.be.
              be.			172800	IN	NS	c.nsset.be.
              be.			172800	IN	NS	y.nsset.be.
              be.			172800	IN	NS	b.nsset.be.
              be.			172800	IN	NS	z.nsset.be.
              be.			172800	IN	NS	a.nsset.be.
              be.			86400	IN	DS	12664 8 2 75141E9B1188A95A7A855BF47E278A742A5E3F2DDEED8E995D749D48 F2F0E72D
              be.			86400	IN	DS	52756 8 2 5485AC33DD7C7ED237EA2A4BD269731C816960FE181042024484B5CE CA6ECC9F
              be.			86400	IN	RRSIG	DS 8 1 86400 20231101140000 20231019130000 46780 . AbEfgVHGufRzO2hbQHy8fwFOWHckdel8UIracOCRmkm2se8Dz28N+lHQ dsq4lgYwHuyhRqSdzgkAP6wLpwO0pBt0CrGKk87bnJ/Y2BW0/ATmQTKv t1CDNwvH1m8k8oN1wY1Oct9BvwVnyhPQkWN3aci+vgGK7s07QurlLLae BaGs55YniR2A31av3lbw/WDmZst+s9KQT3Tb79tqSd6L4hQb1uuH8Hi8 rp2uag9zpoICakh/RfNOG0Yp+jvqn2BAvds27VVkm4LWc5g0lNwnMnSC 63XPKrgcq41i9/wg+yP9hVU3gAsnYisYiLQVakB7dtYCL4UcMj5gZKyz 3EvRgg==
              ;; Received 799 bytes from 198.41.0.4#53(a.root-servers.net) in 30 ms
              
              belgium.be.		86400	IN	NS	dns1w.fgov.be.
              belgium.be.		86400	IN	NS	dns2s.belgium.be.
              belgium.be.		86400	IN	NS	dns3a.westeurope.cloudapp.azure.com.
              belgium.be.		86400	IN	DS	53104 8 2 2791CCD511ACEBDFB5E17C8571A23F92ED7EBF0B9469369C5F8F9984 B377D96D
              belgium.be.		86400	IN	RRSIG	DS 8 2 86400 20231109133608 20231018232401 39561 be. q5g3d1LT0ymHEMMSS/MAE0VjDWzT5BEUcGUyjjbud8TjejaHXwvYE/2O fwoaWzAO/Kw4WpOzDXzHfaxLtaWmJHzb0c5L5IV7VhN+8p/0mJ/rnqS6 YzTSOaxWcNGLmIbVKb3M8NkMJ41rnPGydPlc9l8x0tJzq5kQJw/zKhwc MQY=
              ;; Received 442 bytes from 194.0.43.1#53(c.nsset.be) in 37 ms
              
              ;; UDP setup with 2001:6a8:8e00:2::2000#53(2001:6a8:8e00:2::2000) for idp.iamfas.belgium.be failed: host unreachable.
              ;; UDP setup with 2001:6a8:8e00:2::2000#53(2001:6a8:8e00:2::2000) for idp.iamfas.belgium.be failed: host unreachable.
              ;; UDP setup with 2001:6a8:8e00:2::2000#53(2001:6a8:8e00:2::2000) for idp.iamfas.belgium.be failed: host unreachable.
              ;; UDP setup with 2001:6a8:8e00:2::1000#53(2001:6a8:8e00:2::1000) for idp.iamfas.belgium.be failed: host unreachable.
              iamfas.belgium.be.	14400	IN	NS	dnsintera.fediap.be.
              iamfas.belgium.be.	14400	IN	NS	dnsinterb.fediap.be.
              21U7EA1A4OGIII8E67S2UN5JRO9MUTIE.belgium.be. 900 IN NSEC3 1 0 10 8812FCCE89325928251E0F 22BE99BFM4CHTNMRLSID2I6PTN9ME75Q NS
              21U7EA1A4OGIII8E67S2UN5JRO9MUTIE.belgium.be. 900 IN RRSIG NSEC3 8 3 900 20231023074503 20231019072905 53178 belgium.be. Mv2kYYTxRN8HIiieUwedr+bZff+ON3WdMckme+XzBO4T3bmRVwP+mSuk IYHAXCx/+CGkg/OJinX++CwKYoDLOFwZhjdrW4bpMTiAUCmdm+siGm+l 5vDqy9tgxFlfKdOZuS2Ue/6DW2k05PgWMl8G/gulYnKDpVBrmRuwsZnm y6SIRM4bUqfPvze6QuuQdPd215iURMz0MUs1vqBkoQVdz3p0+YrHogUK buqvyjaTeVN7xsa9T+qQjJOMXjHY8BMprQQwRF7xVis1B5CDn1G3TIGI +oh2UJE8bZXd+Odc0hmk3Eou9JiTGInsGfIolZzf4OlqNpjGQvBo4DdT D7PCoQ==
              ;; Received 516 bytes from 193.191.213.2#53(dns2s.belgium.be) in 26 ms
              
              idp.iamfas.belgium.be.	14400	IN	A	193.191.245.173
              iamfas.belgium.be.	3600	IN	NS	dnsintera.fediap.be.
              iamfas.belgium.be.	3600	IN	NS	dnsinterb.fediap.be.
              iamfas.belgium.be.	3600	IN	NS	dnsinterc.fediap.eu.
              ;; Received 286 bytes from 85.91.175.50#53(dnsinterb.fediap.be) in 22 ms
              
              johnpozJ 1 Reply Last reply Reply Quote 0
              • johnpozJ
                johnpoz LAYER 8 Global Moderator @Nan0tEch
                last edited by johnpoz

                @Nan0tEch said in Unbound doesn't resolve 1 query:

                checking if i use a vpn while resolving the query and denying the request.

                This is quite possible for sure..

                1 Reply Last reply Reply Quote 0