certain website taking long to respond or error nx dns
-
Greetings.
I'm using pfBlockerNG for blacklisting domains. I came across a strange issue with DNS resolving; indeed that domain is not in the blacklist by pfBlocker. But when I nslookup from my Windows client machine:

nslookup portal.accaglobal.com
Server:  pfSense.local.landomain
Address:  172.x159.x   <== this is my local pfSense IP

DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
*** Request to pfSense.local.landomain timed-out

Trying to access portal.accaglobal.com via browser:

This site can’t be reached
portal.accaglobal.com’s DNS address could not be found. Diagnosing the problem.
Try running Windows Network Diagnostics.
DNS_PROBE_STARTED

This is from my Linux cloud server:

nslookup portal.accaglobal.com
Server:         185.12.64.1
Address:        185.12.64.1#53

Non-authoritative answer:
portal.accaglobal.com   canonical name = epflecw.x.incapdns.net.
Name:   epflecw.x.incapdns.net
Address: 45.60.73.34

When I ping portal.accaglobal.com, this is very unusual behavior:

ping portal.accaglobal.com
Ping request could not find host portal.accaglobal.com. Please check the name and try again.

Now again, ping after a while:

ping portal.accaglobal.com
Pinging epflecw.x.incapdns.net [45.60.79.34] with 32 bytes of data:
Reply from 45.60.79.34: bytes=32 time=80ms TTL=53
Reply from 45.60.79.34: bytes=32 time=83ms TTL=53
Reply from 45.60.79.34: bytes=32 time=80ms TTL=53
Reply from 45.60.79.34: bytes=32 time=80ms TTL=53

Ping statistics for 45.60.79.34:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 80ms, Maximum = 83ms, Average = 80ms

Anyone have any idea what the issue could be?
Regards
-
@scorpoin
Do you allow UDP access to pfSense at port 53?
-
@scorpoin said in certain website taking long to respond or error nx dns:
portal.accaglobal.com
It's quite possible it's taking longer to resolve than the client is willing to wait.
Are you just resolving, or have you set up unbound to forward? If you're just resolving, which is how pfSense works out of the box, do a trace from pfSense to see where you might be running into a problem with the resolve process.
Example
[23.05.1-RELEASE][admin@sg4860.local.lan]/var/db: dig portal.accaglobal.com +trace

; <<>> DiG 9.18.13 <<>> portal.accaglobal.com +trace
;; global options: +cmd
.                       46790   IN      NS      g.root-servers.net.
.                       46790   IN      NS      h.root-servers.net.
.                       46790   IN      NS      i.root-servers.net.
.                       46790   IN      NS      j.root-servers.net.
.                       46790   IN      NS      k.root-servers.net.
.                       46790   IN      NS      l.root-servers.net.
.                       46790   IN      NS      m.root-servers.net.
.                       46790   IN      NS      a.root-servers.net.
.                       46790   IN      NS      b.root-servers.net.
.                       46790   IN      NS      c.root-servers.net.
.                       46790   IN      NS      d.root-servers.net.
.                       46790   IN      NS      e.root-servers.net.
.                       46790   IN      NS      f.root-servers.net.
.                       46790   IN      RRSIG   NS 8 0 518400 20231118170000 20231105160000 46780 . kI5bmOPd8KuD73TRLnMSFMqAiZkx9TjMxX7nToa3GZr4zzdR8QbKh+Tw ykMnJQgCsgwtnABMpZxch7akLp5G1bda6e54ityo9n//xkndR78yLLMv Pscyqgzn8KoX5pBOqyo9034Qj3qME4m026rxeJsk5DPZn0f10BXX7HZ7 Tnz/CiAWEMkFEFAmBRr2MVLx8jITwFn9CTxlPBNk508DvS2wEQ5plsKw B5q5nLqil9Jn07Ket2EeJ13WbluFRRqssu+y6kZlWkX4Bs8UCHK+8KPQ //o2oFnh3+9z+P98YJSGbKb5F/z7ui/cr9VYdpn95DB0DmCVHPtM4PWv eP7WlA==
;; Received 525 bytes from 127.0.0.1#53(127.0.0.1) in 0 ms

;; communications error to 2001:500:2::c#53: timed out
;; communications error to 2001:500:2::c#53: timed out
;; communications error to 2001:500:2::c#53: timed out
com.                    172800  IN      NS      e.gtld-servers.net.
com.                    172800  IN      NS      j.gtld-servers.net.
com.                    172800  IN      NS      i.gtld-servers.net.
com.                    172800  IN      NS      d.gtld-servers.net.
com.                    172800  IN      NS      m.gtld-servers.net.
com.                    172800  IN      NS      b.gtld-servers.net.
com.                    172800  IN      NS      c.gtld-servers.net.
com.                    172800  IN      NS      f.gtld-servers.net.
com.                    172800  IN      NS      g.gtld-servers.net.
com.                    172800  IN      NS      h.gtld-servers.net.
com.                    172800  IN      NS      a.gtld-servers.net.
com.                    172800  IN      NS      l.gtld-servers.net.
com.                    172800  IN      NS      k.gtld-servers.net.
com.                    86400   IN      DS      30909 8 2 E2D3C916F6DEEAC73294E8268FB5885044A833FC5459588F4A9184CF C41A5766
com.                    86400   IN      RRSIG   DS 8 1 86400 20231119050000 20231106040000 46780 . 0wIhUrS3YPBfsb/1Hp/vud5jAZ3Y+cLRNHgBNvhxK9YNW8IJvxrkoy5v g3bKG5hb92I0PN6oivHxJSFCo8xnDZZMJfkrflKRV4aHttI/2Z8/y7O6 kJxUKlbyd20qC0SaefjfYnwgU/CiFuSUGDpZ/MYUuUR6Cx2RtzEXYFoA cm8kbwS79tgxkhKkIL1GBOjyTnPKdv1YuFwNYed3g4dsPnICRVxjArZR A3/jo4esrRXRtedVd44MgWTmVmoUdbqC0ajO7cnryCL0S9j1FAw04lqc 1TLJ7/Fzka8XTvHI28NjWXgyV9Qe/yjw1XLOF+xhY5wd1Dk3VCcMmYyd 1+heNQ==
;; Received 1212 bytes from 192.112.36.4#53(g.root-servers.net) in 21 ms

accaglobal.com.         172800  IN      NS      ns-86.awsdns-10.com.
accaglobal.com.         172800  IN      NS      ns-718.awsdns-25.net.
accaglobal.com.         172800  IN      NS      ns-1677.awsdns-17.co.uk.
accaglobal.com.         172800  IN      NS      ns-1428.awsdns-50.org.
CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 86400 IN NSEC3 1 1 0 - CK0Q2D6NI4I7EQH8NA30NS61O48UL8G5 NS SOA RRSIG DNSKEY NSEC3PARAM
CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 86400 IN RRSIG NSEC3 8 2 86400 20231111045959 20231104034959 63246 com. DHASN2jwlbAJwKBOIrFwFUDAievuxFffiPX8RB+kIg2yGGrPEytMrVqK fYQ6JP6rh+vCQbdYcfhFw102V6AtMvWJ/Waid6WeT9jmvuOpv4/ABkeH I5pDkCQLnNuVC75LPyu4+7O6ynJPa+K0yJd27uKWtcs9vPkhUD8b8Qnt laY9QUylU+L4PbnYFkqVNUxTy1MGN+HUQhNhSWQtZuADMA==
VMP677HU54PF7NMM1P8IFD7SQUTL5P8V.com. 86400 IN NSEC3 1 1 0 - VMP6D1HJAD95FV1LHBQPGSVNHCR5UR5V NS DS RRSIG
VMP677HU54PF7NMM1P8IFD7SQUTL5P8V.com. 86400 IN RRSIG NSEC3 8 2 86400 20231112052327 20231105041327 63246 com. go0WbkwaVF9mKRCqascQxZKF/9uTQ4lQmNUgCqUShrYFRgDIo5Bsyupa gdfqWXa+PT2fNmpkUqmkyN8mZ5672FoJmHeJzMVBztni1ANQaGN3ETKL k2pg9q/nTJta2kAaD9CoDewfXA0BGve7b7vCvJwLTdWr9Nx49SzW9UcG hk3Ir8APn4yCyRQdQJ1pJ8LQrdNvVJ42nrYv9Bf90yGpQg==
;; Received 751 bytes from 2001:503:39c1::30#53(i.gtld-servers.net) in 47 ms

portal.accaglobal.com.  3600    IN      NS      ns1.uk.atos.net.
portal.accaglobal.com.  3600    IN      NS      ns2.uk.atos.net.
portal.accaglobal.com.  3600    IN      NS      ns3.uk.atos.net.
;; Received 115 bytes from 205.251.194.206#53(ns-718.awsdns-25.net) in 32 ms

portal.accaglobal.com.  30      IN      CNAME   epflecw.x.incapdns.net.
;; Received 114 bytes from 157.203.177.100#53(ns1.uk.atos.net) in 113 ms

[23.05.1-RELEASE][admin@sg4860.local.lan]/var/db:
;; communications error to 2001:500:2::c#53: timed out
;; communications error to 2001:500:2::c#53: timed out
;; communications error to 2001:500:2::c#53: timed out

For whatever reason it looks like I was having a problem with some IPv6 NS. I have unbound set not to use IPv6, but with a trace that is not taken into account. If I do the trace with only IPv4, I see no such issue.
[23.05.1-RELEASE][admin@sg4860.local.lan]/var/db: dig -4 portal.accaglobal.com +trace

; <<>> DiG 9.18.13 <<>> -4 portal.accaglobal.com +trace
;; global options: +cmd
.                       46637   IN      NS      g.root-servers.net.
.                       46637   IN      NS      h.root-servers.net.
.                       46637   IN      NS      i.root-servers.net.
.                       46637   IN      NS      j.root-servers.net.
.                       46637   IN      NS      k.root-servers.net.
.                       46637   IN      NS      l.root-servers.net.
.                       46637   IN      NS      m.root-servers.net.
.                       46637   IN      NS      a.root-servers.net.
.                       46637   IN      NS      b.root-servers.net.
.                       46637   IN      NS      c.root-servers.net.
.                       46637   IN      NS      d.root-servers.net.
.                       46637   IN      NS      e.root-servers.net.
.                       46637   IN      NS      f.root-servers.net.
.                       46637   IN      RRSIG   NS 8 0 518400 20231118170000 20231105160000 46780 . kI5bmOPd8KuD73TRLnMSFMqAiZkx9TjMxX7nToa3GZr4zzdR8QbKh+Tw ykMnJQgCsgwtnABMpZxch7akLp5G1bda6e54ityo9n//xkndR78yLLMv Pscyqgzn8KoX5pBOqyo9034Qj3qME4m026rxeJsk5DPZn0f10BXX7HZ7 Tnz/CiAWEMkFEFAmBRr2MVLx8jITwFn9CTxlPBNk508DvS2wEQ5plsKw B5q5nLqil9Jn07Ket2EeJ13WbluFRRqssu+y6kZlWkX4Bs8UCHK+8KPQ //o2oFnh3+9z+P98YJSGbKb5F/z7ui/cr9VYdpn95DB0DmCVHPtM4PWv eP7WlA==
;; Received 525 bytes from 127.0.0.1#53(127.0.0.1) in 0 ms

com.                    172800  IN      NS      a.gtld-servers.net.
com.                    172800  IN      NS      b.gtld-servers.net.
com.                    172800  IN      NS      c.gtld-servers.net.
com.                    172800  IN      NS      d.gtld-servers.net.
com.                    172800  IN      NS      e.gtld-servers.net.
com.                    172800  IN      NS      f.gtld-servers.net.
com.                    172800  IN      NS      g.gtld-servers.net.
com.                    172800  IN      NS      h.gtld-servers.net.
com.                    172800  IN      NS      i.gtld-servers.net.
com.                    172800  IN      NS      j.gtld-servers.net.
com.                    172800  IN      NS      k.gtld-servers.net.
com.                    172800  IN      NS      l.gtld-servers.net.
com.                    172800  IN      NS      m.gtld-servers.net.
com.                    86400   IN      DS      30909 8 2 E2D3C916F6DEEAC73294E8268FB5885044A833FC5459588F4A9184CF C41A5766
com.                    86400   IN      RRSIG   DS 8 1 86400 20231119050000 20231106040000 46780 . 0wIhUrS3YPBfsb/1Hp/vud5jAZ3Y+cLRNHgBNvhxK9YNW8IJvxrkoy5v g3bKG5hb92I0PN6oivHxJSFCo8xnDZZMJfkrflKRV4aHttI/2Z8/y7O6 kJxUKlbyd20qC0SaefjfYnwgU/CiFuSUGDpZ/MYUuUR6Cx2RtzEXYFoA cm8kbwS79tgxkhKkIL1GBOjyTnPKdv1YuFwNYed3g4dsPnICRVxjArZR A3/jo4esrRXRtedVd44MgWTmVmoUdbqC0ajO7cnryCL0S9j1FAw04lqc 1TLJ7/Fzka8XTvHI28NjWXgyV9Qe/yjw1XLOF+xhY5wd1Dk3VCcMmYyd 1+heNQ==
;; Received 1181 bytes from 198.97.190.53#53(h.root-servers.net) in 28 ms

accaglobal.com.         172800  IN      NS      ns-86.awsdns-10.com.
accaglobal.com.         172800  IN      NS      ns-718.awsdns-25.net.
accaglobal.com.         172800  IN      NS      ns-1677.awsdns-17.co.uk.
accaglobal.com.         172800  IN      NS      ns-1428.awsdns-50.org.
CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 86400 IN NSEC3 1 1 0 - CK0Q2D6NI4I7EQH8NA30NS61O48UL8G5 NS SOA RRSIG DNSKEY NSEC3PARAM
CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 86400 IN RRSIG NSEC3 8 2 86400 20231111045959 20231104034959 63246 com. DHASN2jwlbAJwKBOIrFwFUDAievuxFffiPX8RB+kIg2yGGrPEytMrVqK fYQ6JP6rh+vCQbdYcfhFw102V6AtMvWJ/Waid6WeT9jmvuOpv4/ABkeH I5pDkCQLnNuVC75LPyu4+7O6ynJPa+K0yJd27uKWtcs9vPkhUD8b8Qnt laY9QUylU+L4PbnYFkqVNUxTy1MGN+HUQhNhSWQtZuADMA==
VMP677HU54PF7NMM1P8IFD7SQUTL5P8V.com. 86400 IN NSEC3 1 1 0 - VMP6D1HJAD95FV1LHBQPGSVNHCR5UR5V NS DS RRSIG
VMP677HU54PF7NMM1P8IFD7SQUTL5P8V.com. 86400 IN RRSIG NSEC3 8 2 86400 20231112052327 20231105041327 63246 com. go0WbkwaVF9mKRCqascQxZKF/9uTQ4lQmNUgCqUShrYFRgDIo5Bsyupa gdfqWXa+PT2fNmpkUqmkyN8mZ5672FoJmHeJzMVBztni1ANQaGN3ETKL k2pg9q/nTJta2kAaD9CoDewfXA0BGve7b7vCvJwLTdWr9Nx49SzW9UcG hk3Ir8APn4yCyRQdQJ1pJ8LQrdNvVJ42nrYv9Bf90yGpQg==
;; Received 751 bytes from 192.52.178.30#53(k.gtld-servers.net) in 8 ms

portal.accaglobal.com.  3600    IN      NS      ns1.uk.atos.net.
portal.accaglobal.com.  3600    IN      NS      ns2.uk.atos.net.
portal.accaglobal.com.  3600    IN      NS      ns3.uk.atos.net.
;; Received 115 bytes from 205.251.198.141#53(ns-1677.awsdns-17.co.uk) in 9 ms

portal.accaglobal.com.  30      IN      CNAME   epflecw.x.incapdns.net.
;; Received 114 bytes from 157.203.176.100#53(ns2.uk.atos.net) in 109 ms

[23.05.1-RELEASE][admin@sg4860.local.lan]/var/db:
If you are using unbound in its default state of resolving and you are having issues, a good place to start to figure out "why" is to do the +trace from pfSense.
Also notice a very short TTL, that 30 seconds. If you are having issues, say, talking to those authoritative NS, and the TTL is only 30 seconds, you're not going to cache it very long even after you talk to it.
Some things you can do to help alleviate such issues: set the min TTL to something. Yeah, it's not normally good practice to do that, but then again stupid domains didn't use to set it ridiculously low like 30 seconds. I have mine set to 3600 (1 hour) and I have yet to run into an issue where I couldn't get to something. Another thing is to set serve zero: this will serve up the last known good, even if the TTL had expired, and it will then refresh the record in the background.
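The effect of the two resolver knobs described in the post above, shown as an added example that is not part of the thread and not unbound's code. It is a small simulation of a resolver cache with a minimum TTL (unbound's cache-min-ttl option, the "Minimum TTL for RRsets and Messages" field in the pfSense resolver settings) and with serving of expired records (unbound's serve-expired option, the "Serve Expired" checkbox), replayed against the thread's situation: a CNAME with a 30 second TTL whose authoritative servers answer at one moment and time out a little later. The upstream behaviour, the query times and the class and function names are constructed for the example; the background refresh is simplified to a queue entry.

```python
"""Simulation of how a minimum cache TTL and serve-expired change what a
client sees when a 30-second record's authoritative servers stop answering.
Added example for this thread; not unbound code."""


class UpstreamTimeout(Exception):
    """Authoritative servers did not answer (the client sees SERVFAIL or
    'DNS request timed out')."""


class ResolverCache:
    def __init__(self, min_ttl=0, serve_expired=False):
        self.min_ttl = min_ttl              # like unbound cache-min-ttl
        self.serve_expired = serve_expired  # like unbound serve-expired
        self.cache = {}                     # name -> (rdata, expires_at)
        self.refresh_queue = []             # names served stale, to refresh later

    def lookup(self, name, now, upstream):
        """Return (rdata, how) with how in 'hit', 'fresh', 'stale'; raise
        UpstreamTimeout when nothing can be answered."""
        entry = self.cache.get(name)
        if entry and now < entry[1]:
            return entry[0], "hit"
        try:
            rdata, ttl = upstream(name, now)
        except UpstreamTimeout:
            if entry and self.serve_expired:
                # last known good answer goes out; refresh happens out of band
                self.refresh_queue.append(name)
                return entry[0], "stale"
            raise
        # a minimum TTL clamps the authoritative TTL upwards, never downwards
        self.cache[name] = (rdata, now + max(ttl, self.min_ttl))
        return rdata, "fresh"


def flaky_upstream(name, now):
    """Constructed authoritative side: answers with a 30 s CNAME while
    now < 10, then times out (models intermittently unreachable NS)."""
    if now >= 10:
        raise UpstreamTimeout(name)
    return "epflecw.x.incapdns.net.", 30


def replay(min_ttl=0, serve_expired=False, times=(0, 20, 45)):
    """Query the same name at each time; record how each query was answered."""
    cache = ResolverCache(min_ttl, serve_expired)
    results = []
    for t in times:
        try:
            _, how = cache.lookup("portal.accaglobal.com.", t, flaky_upstream)
        except UpstreamTimeout:
            how = "SERVFAIL"
        results.append((t, how))
    return results


if __name__ == "__main__":
    for label, kwargs in (("defaults", {}),
                          ("min_ttl=3600", {"min_ttl": 3600}),
                          ("serve_expired", {"serve_expired": True})):
        print(f"{label:14s} {replay(**kwargs)}")
```

With the defaults the third query, issued after the 30 second TTL has run out while the authoritative servers are unreachable, fails; with a minimum TTL of 3600 the first answer is still in cache, and with serve-expired the stale answer is handed out and the name is queued for a refresh.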
-
@johnpoz
Thanks for your prompt response.

[2.7.0-RELEASE][myuser@mypfsense]/var/db: dig portal.accaglobal.com +trace

; <<>> DiG 9.18.14 <<>> portal.accaglobal.com +trace
;; global options: +cmd
.                       57616   IN      NS      e.root-servers.net.
.                       57616   IN      NS      c.root-servers.net.
.                       57616   IN      NS      i.root-servers.net.
.                       57616   IN      NS      h.root-servers.net.
.                       57616   IN      NS      k.root-servers.net.
.                       57616   IN      NS      m.root-servers.net.
.                       57616   IN      NS      b.root-servers.net.
.                       57616   IN      NS      f.root-servers.net.
.                       57616   IN      NS      g.root-servers.net.
.                       57616   IN      NS      j.root-servers.net.
.                       57616   IN      NS      l.root-servers.net.
.                       57616   IN      NS      d.root-servers.net.
.                       57616   IN      NS      a.root-servers.net.
.                       57616   IN      RRSIG   NS 8 0 518400 20231120210000 20231107200000 46780 . AY+2ByyT/znyXYNeZ8nomAGyKwJKsfh/40WSIVy7T1n1e1+EFLeJ7CqK F+tkEF3+qOV5QJaoogC/hdQveiFdTUFtVh/L7oHCre5H+1f7MyIbcghO osIs0z+dJjq3tn/LXBBGbyNVEljkWlbJ7P5kEDuiW8zfRiT13pfNGf2u /5/iQQG7zLvTLmFpwzPgbvB8YvGTArY0VnCz0KEFlmX8Z4HfwnBg5WJY 87Op1bMbMoLcyiIvz7TbkjWaPhM81NMeL16DopaxkSU47JfmZb5quny/ ReTYaBqK3wV5L95C802YeUZ/RRrYmBT5V1oe9AawlwkqHO10y1nPZVVN 3SpWVg==
;; Received 1097 bytes from 127.0.0.1#53(127.0.0.1) in 0 ms

com.                    172800  IN      NS      a.gtld-servers.net.
com.                    172800  IN      NS      b.gtld-servers.net.
com.                    172800  IN      NS      c.gtld-servers.net.
com.                    172800  IN      NS      d.gtld-servers.net.
com.                    172800  IN      NS      e.gtld-servers.net.
com.                    172800  IN      NS      f.gtld-servers.net.
com.                    172800  IN      NS      g.gtld-servers.net.
com.                    172800  IN      NS      h.gtld-servers.net.
com.                    172800  IN      NS      i.gtld-servers.net.
com.                    172800  IN      NS      j.gtld-servers.net.
com.                    172800  IN      NS      k.gtld-servers.net.
com.                    172800  IN      NS      l.gtld-servers.net.
com.                    172800  IN      NS      m.gtld-servers.net.
com.                    86400   IN      DS      30909 8 2 E2D3C916F6DEEAC73294E8268FB5885044A833FC5459588F4A9184CF C41A5766
com.                    86400   IN      RRSIG   DS 8 1 86400 20231120210000 20231107200000 46780 . fE0SpcPK2lcIkWMqwWtoh3Q/C6f+nTi1Z8H+9WDfdK3aNmbSNs8xsHq3 L71Ph+yu+pzf3tDHYy4YqUmpirkpFQmBcevKO5hv0fwgPZsd4xrectpT ipEr9e/ZyawUwoMkH6hohZiH9BeGtbmAshOZRgED/ceOV7VurX3u1A4L o0BEmvCgt+As2OWbacGMG3/egu6vsxoWfpAwaBNZsTxO9zEa4DdWIVDJ JaF10Ax+KHna0tVPvu2U1QGOWpXO4vQyCLqNKejpicF0bQMXsUSC9cHX gxbJ5sZipuNIkQ7m6azvNODXHD5u0JtEP+yRpZ8qrCR1pMvU4et//3K8 59evqQ==
;; Received 1181 bytes from 192.58.128.30#53(j.root-servers.net) in 191 ms

accaglobal.com.         172800  IN      NS      ns-86.awsdns-10.com.
accaglobal.com.         172800  IN      NS      ns-718.awsdns-25.net.
accaglobal.com.         172800  IN      NS      ns-1677.awsdns-17.co.uk.
accaglobal.com.         172800  IN      NS      ns-1428.awsdns-50.org.
CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 86400 IN NSEC3 1 1 0 - CK0Q2D6NI4I7EQH8NA30NS61O48UL8G5 NS SOA RRSIG DNSKEY NSEC3PARAM
CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 86400 IN RRSIG NSEC3 8 2 86400 20231114052550 20231107041550 63246 com. Qeg8YllC8KbvaizuSmn3Jlaro97H5qydstgnIDAE9qEXbMUxqrt5ZJ/x tlFiZ9Y9O1ep/ZuIhe5BAzPLMAPDUCzahuBq1VNN5BvQMwx53bMSij+V cPBLPd45H9yACQH0W6fw4Omy4Zj/De9a36P7Q/5+/P7f4ItDuWLsqakG 7qpeIkIS7CwJdpcS5hL8lomNNsaboST+YSCNtDptHRr4iA==
VMP677HU54PF7NMM1P8IFD7SQUTL5P8V.com. 86400 IN NSEC3 1 1 0 - VMP6D1HJAD95FV1LHBQPGSVNHCR5UR5V NS DS RRSIG
VMP677HU54PF7NMM1P8IFD7SQUTL5P8V.com. 86400 IN RRSIG NSEC3 8 2 86400 20231112052327 20231105041327 63246 com. go0WbkwaVF9mKRCqascQxZKF/9uTQ4lQmNUgCqUShrYFRgDIo5Bsyupa gdfqWXa+PT2fNmpkUqmkyN8mZ5672FoJmHeJzMVBztni1ANQaGN3ETKL k2pg9q/nTJta2kAaD9CoDewfXA0BGve7b7vCvJwLTdWr9Nx49SzW9UcG hk3Ir8APn4yCyRQdQJ1pJ8LQrdNvVJ42nrYv9Bf90yGpQg==
;; Received 751 bytes from 192.12.94.30#53(e.gtld-servers.net) in 117 ms

;; UDP setup with 2600:9000:5302:ce00::1#53(2600:9000:5302:ce00::1) for portal.accaglobal.com failed: host unreachable.
;; UDP setup with 2600:9000:5302:ce00::1#53(2600:9000:5302:ce00::1) for portal.accaglobal.com failed: host unreachable.
;; UDP setup with 2600:9000:5302:ce00::1#53(2600:9000:5302:ce00::1) for portal.accaglobal.com failed: host unreachable.
;; UDP setup with 2600:9000:5306:8d00::1#53(2600:9000:5306:8d00::1) for portal.accaglobal.com failed: host unreachable.
portal.accaglobal.com.  3600    IN      NS      ns1.uk.atos.net.
portal.accaglobal.com.  3600    IN      NS      ns2.uk.atos.net.
portal.accaglobal.com.  3600    IN      NS      ns3.uk.atos.net.
;; Received 115 bytes from 205.251.198.141#53(ns-1677.awsdns-17.co.uk) in 121 ms

portal.accaglobal.com.  30      IN      CNAME   epflecw.x.incapdns.net.
;; Received 114 bytes from 157.203.176.100#53(ns2.uk.atos.net) in 139 ms

Yes, I'm using unbound for resolve and forward as well. I have disabled IPv6 on pfSense, only using IPv4, and also blocked port 53 UDP for IPv6 :/
Above is the dig result from pfSense.
Regards
-
@scorpoin said in certain website taking long to respond or error nx dns:
portal.accaglobal.com. 30 IN CNAME epflecw.x.incapdns.net.
So with a trace, you now have to do a trace to that CNAME, epflecw.x.incapdns.net.
But you were able to get that, so now you should do a trace to that FQDN.
Does a client resolve it? Test from a machine on your network that uses pfSense for DNS.
-
This is not an isolated issue.
https://forum.netgate.com/topic/183918/unbound-resolver-failed-to-resolve-host/
And there is another user on another topic talking about the same issues. This unbound DNS looks like it's hanging together with scotch tape.
-
@maverickws said in certain website taking long to respond or error nx dns:
This unbound DNS looks like it's hanging together with scotch tape.
I wouldn't say that. I have been using unbound on pfSense since it was just a package. And other than the whole restart on DHCP, which I have never used, I have never had any issues with it at all.
-
Well, I understand what you're saying, but truth be told, when I'm looking around about pfSense and DNS Resolver, I have to say (and this is a perception only, doesn't hold as true) that most topics have people configuring DNS Forwarding and external DNS resolvers right off the bat.
So I would believe that masks the issues with unbound, and a number of people won't come across said issues because of this.
Also, I'm not sure if this has anything to do with the DNS Resolver settings, some combination that doesn't work well; could it be because I have 2 WANs? I mean, I really don't know. But it's been an awful experience. And it seems no one's paying much attention to these issues.
-
@maverickws said in certain website taking long to respond or error nx dns:
people configuring DNS Forwarding
Yeah, wouldn't be me; I don't have any use for that. The great thing when they brought unbound in was that it was a resolver, not a forwarder like dnsmasq.
If a user had a choice between forwarding and resolving, I personally don't get why you would forward; why hand off your DNS to any specific anyone? Now if you have some need, be it real or not, for forwarding over TLS, then ok. Maybe I have never seen any issues because I don't forward, be it in the clear or not. And when I have an issue with DNS, I know how to troubleshoot it vs just blaming pfSense/unbound.
I can tell you for sure: if you're going to forward, you shouldn't have DNSSEC enabled. And maybe pfSense could have done a better job of stating that. But that is going to be problematic, and I have been saying it for years and years.
If it were me, if a user enabled forwarding, the default should be to disable DNSSEC, and if the user tried to re-enable it, there should have been a big warning. But hey, you can also take the stance that users of pfSense, you would "hope", are not your typical user and understand such things. But then again we have a lot of users wanting to use pfSense that really don't understand these protocols at, say, a level that you would hope.
-
Well, I'm really not looking to forward. If I were to forward, I'd set up a resolver and forward to my resolver. But having the unbound package right here, that doesn't make much sense I believe.
So I completely agree with your comments on the DNS Forwarding part. What tests do you suggest that can add to the debugging here?
-
@maverickws If you're resolving, +trace is your friend: can you actually talk to all the NS in the line to get to the authoritative NS? If you can, then you need to check that their DNSSEC is not messed up.
A great site for issues with DNSSEC is
When you trace, if it ends at a CNAME, you would then have to trace that CNAME, and sometimes that just ends up pointing to another CNAME, which you would have to evaluate the resolving of as well, etc.
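The troubleshooting johnpoz describes in this post and in the earlier one (run +trace from pfSense, see which nameserver in the chain times out, note the IPv6 servers that fail even though unbound is set to IPv4 only, and keep tracing when the answer is a CNAME) boils down to reading the trace output carefully. The following is an added example, not code from the thread, pfSense, unbound or dig: a small parser for `dig +trace` output that reports each delegation hop, the servers that timed out or were unreachable before it (with an IPv4/IPv6 filter), the slowest hop, and whether the trace ended on a CNAME whose target needs its own trace. The function names are mine, and the embedded trace is constructed for the example, abridged from the traces posted above with the UDP setup error from the second trace folded in.

```python
"""Summarize `dig <name> +trace` output: delegation hops, transport errors
before each hop, and the CNAME target that still needs a trace.
Added example for this thread; not dig, unbound or pfSense code."""
import re
from dataclasses import dataclass

# ";; Received 525 bytes from 127.0.0.1#53(127.0.0.1) in 0 ms"
RECEIVED = re.compile(r"^;; Received (\d+) bytes from (\S+)#\d+\((\S+)\) in (\d+) ms")
# ";; communications error to 2001:500:2::c#53: timed out"
COMM_ERROR = re.compile(r"^;; communications error to (\S+)#\d+: (.*)$")
# ";; UDP setup with 2600:9000:5302:ce00::1#53(...) for <name> failed: host unreachable."
SETUP_ERROR = re.compile(r"^;; UDP setup with (\S+)#\d+\(\S+\) .*? failed: (.*)$")
# "portal.accaglobal.com.  30  IN  CNAME  epflecw.x.incapdns.net."
RR = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(.*)$")


@dataclass
class Hop:
    server: str    # nameserver that answered this delegation step
    addr: str      # address dig actually talked to
    rtt_ms: int
    size: int
    records: list  # (owner, ttl, rtype, rdata) returned by this server
    errors: list   # (addr, reason) for servers tried and failed before this answer


def parse_trace(text):
    """Split a +trace run into hops; errors are attached to the hop whose
    answer finally arrived after them."""
    hops, records, errors = [], [], []
    for raw in text.splitlines():
        line = raw.strip()
        m = COMM_ERROR.match(line) or SETUP_ERROR.match(line)
        if m:
            errors.append((m.group(1), m.group(2).rstrip(".")))
            continue
        m = RECEIVED.match(line)
        if m:
            hops.append(Hop(server=m.group(3), addr=m.group(2), rtt_ms=int(m.group(4)),
                            size=int(m.group(1)), records=records, errors=errors))
            records, errors = [], []
            continue
        m = RR.match(line)
        if m:
            records.append((m.group(1), int(m.group(2)), m.group(3), m.group(4)))
    if errors:  # trace died without a final answer
        hops.append(Hop("(no answer)", "", 0, 0, records, errors))
    return hops


def unreachable(hops, family=None):
    """Servers that timed out or were unreachable; family='v6' or 'v4' filters
    by address type, so an IPv6-only failure list is one call away."""
    out = []
    for hop in hops:
        for addr, reason in hop.errors:
            is_v6 = ":" in addr
            if family is None or (family == "v6") == is_v6:
                out.append((addr, reason, hop.server))
    return out


def final_answer(hops):
    """What the last hop returned. A CNAME means the resolver is not done:
    its target has to be traced separately."""
    last = hops[-1].records
    cnames = [r for r in last if r[2] == "CNAME"]
    if cnames:
        owner, ttl, _, target = cnames[-1]
        return {"kind": "CNAME", "owner": owner, "ttl": ttl, "next_trace": target}
    return {"kind": "ADDRESS", "records": [r for r in last if r[2] in ("A", "AAAA")]}


def slowest_hop(hops):
    return max(hops, key=lambda h: h.rtt_ms)


# Constructed sample, abridged from the traces in this thread.
SAMPLE_TRACE = """\
; <<>> DiG 9.18.13 <<>> portal.accaglobal.com +trace
;; global options: +cmd
.                       46790   IN      NS      g.root-servers.net.
.                       46790   IN      NS      h.root-servers.net.
;; Received 525 bytes from 127.0.0.1#53(127.0.0.1) in 0 ms

;; communications error to 2001:500:2::c#53: timed out
;; communications error to 2001:500:2::c#53: timed out
;; communications error to 2001:500:2::c#53: timed out
com.                    172800  IN      NS      e.gtld-servers.net.
com.                    86400   IN      DS      30909 8 2 E2D3C916F6DEEAC73294E8268FB5885044A833FC5459588F4A9184CF C41A5766
;; Received 1212 bytes from 192.112.36.4#53(g.root-servers.net) in 21 ms

accaglobal.com.         172800  IN      NS      ns-718.awsdns-25.net.
;; Received 751 bytes from 2001:503:39c1::30#53(i.gtld-servers.net) in 47 ms

;; UDP setup with 2600:9000:5302:ce00::1#53(2600:9000:5302:ce00::1) for portal.accaglobal.com failed: host unreachable.
portal.accaglobal.com.  3600    IN      NS      ns1.uk.atos.net.
;; Received 115 bytes from 205.251.194.206#53(ns-718.awsdns-25.net) in 32 ms

portal.accaglobal.com.  30      IN      CNAME   epflecw.x.incapdns.net.
;; Received 114 bytes from 157.203.177.100#53(ns1.uk.atos.net) in 113 ms
"""

if __name__ == "__main__":
    hops = parse_trace(SAMPLE_TRACE)
    for h in hops:
        print(f"{h.server:24s} {h.rtt_ms:4d} ms  errors before answer: {len(h.errors)}")
    print("IPv6 failures:", unreachable(hops, "v6"))
    print("slowest hop:", slowest_hop(hops).server)
    print("final answer:", final_answer(hops))
```

Run it on a real trace with `dig -4 portal.accaglobal.com +trace > trace.txt` on the pfSense shell and feed the file to `parse_trace`; when `final_answer` reports a CNAME, repeat the trace for the `next_trace` name, as the post says.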
-
@johnpoz So the issue is intermittent; if you look at my topic you'll notice the issue resolves by itself after a while.
I know dnsviz, I actually use it every so often, but my failure is not definitive. I mean, unbound doesn't resolve right away, takes a long time to respond or whatever, but after a few minutes those same domains that were failing before are then working, without any intervention. So if it was an issue with DNSSEC, it wouldn't resolve by itself after a few minutes without intervention. Today these issues included even this forum address:

% host forum.netgate.com
;; connection timed out; no servers could be reached

If I do it using pfSense > Diagnostics > NS Lookup or whatever it is, I get either an error or a huge response time.
Tracing is making me look for issues in the wrong place. I get your debugging options, but I don't think they apply here.
-
@maverickws said in certain website taking long to respond or error nx dns:
Today these issues included even this forum address:
There was an outage earlier. There is someone who is logging forum outages in another thread. And just after this morning, when I couldn't get there, I added it to my monitoring.
You need to troubleshoot a specific issue: one site's DNS might not be working; another site's DNS might be working but you cannot get there because of another network issue along the path, or the site is just having an issue.
-
@johnpoz This was actually maybe like 2 and a half hours ago, but anyway, forum outage means what?
Is it an outage on the web server/DB or whatever, or is it a failure in resolving the DNS of the forum? Is the forum server also its DNS server? Was the outage on Netgate's DNS?
-
@maverickws All I remember is that this morning when I first went to the forums it wasn't working. Then a bit later I checked and all was working. I then added it to my monitoring.
So the issue was some time before I first added it.
When I first saw the problem, I said oh, maybe they're still having issues from the other day when there was an extended one. Not exactly sure when it was, but I know when I looked at the page it was showing the little error that it lost connectivity, and I tried to refresh and it failed. Went and got some coffee, looked at some other stuff, and by that time it was working. Some time not long after that I decided to add it to my monitoring.
-
@johnpoz Actually your description fits my issue perfectly.
The lost connectivity is because you were no longer resolving "forum.netgate.com" correctly, so it couldn't connect, didn't know where to. You went for a coffee and when you came back it already worked. Fits like a glove with my description:
@maverickws said in certain website taking long to respond or error nx dns:
but my failure is not definitive. I mean, unbound doesn't resolve right away, takes a long time to respond or whatever, but after a few minutes those same domains that were failing before are then working, without any intervention.
This is exactly the same: your unbound is failing, you went for a coffee and it worked. That's it.
Did the forum actually have an outage? Was it a DNS outage? Was it a CDN outage? Was it your resolver?
-
@maverickws said in certain website taking long to respond or error nx dns:
your unbound is failing
No, my unbound is not failing; I have had zero issues with anything else. Seems like without any sort of diagnosis you're just jumping to the conclusion your unbound is the problem.
If it happens again I will look into it before going to get a cup of coffee, but every other site I looked at before going back to the forums worked just fine.
Was it a DNS outage? Was it a CDN outage? Was it your resolver?
I am not sure; I wasn't too concerned. All I can tell you is they had a major outage yesterday. And this morning I did see a problem, but normally it is pretty solid. But they do run into issues now and then. If I see it happen again I will look into whether unbound had any issues resolving it, or if it was still in cache and changed, etc.
You need to troubleshoot a specific issue, not just jump to "well, unbound is broke".
-
@johnpoz said in certain website taking long to respond or error nx dns:
but every other site looked at before going back to the forums worked just fine.
All the other sites that I visit also work fine, unless they don't. But the percentage is minimal, for sure.
About jumping to conclusions: from an outage "yesterday", you're jumping to the conclusion there was a forum outage today, are you not? So why am I not entitled to relate your description of the issue to my description of the issue, since the behaviour fits perfectly with what I described earlier, and with the "taking long to respond" remarks of the other users? (Notice the title says "certain websites", not "all websites at a given moment".)
We can all jump to conclusions at a given time, for sure. And that can make you overlook the actual issue, can it not?
-