ATT Fiber DNS Issue
-
BACKGROUND
Never encountered this before in my 7+ years on ATT Fiber
Last night my Amazon echo briefly announced that it was having trouble connecting to the internet. I did not think too much about it.
This morning I noticed NTP was using a server from the time.nist.gov pool instead of my local Stratum 0 GPS+PPS due to a small offset, so I restarted it, but then NTP could not resolve time.nist.gov.
error resolving pool time.nist.gov: Address family for hostname not supported (1)
CONFIG
I have not made any changes in over a year.
- Quad9
- Upstream DoT encryption and DNSSEC enabled
- NAT rule to forward unencrypted DNS queries to unbound
- NVG599 modem in pass through mode (Software Version 11.6.0h1d51 after reboot)
- pfSense WAN/LAN IPv6 disabled.
THINGS I TRIED FIRST
- Restarting NTP
- Restarting unbound
- nslookup and ping of time.nist.gov failed.
WHAT ULTIMATELY FIXED IT
- Even though the ONT and modem (lights and GUI) indicated I had an internet connection, rebooting the ONT and modem seems to have fixed it.
QUESTIONS
- Anyone know of any changes ATT is making on the backend or with the NVG599 firmware?
- If it occurs again, what else should I look for?
-
@elvisimprsntr said in ATT Fiber DNS Issue:
Quad9
Upstream DoT encryption and DNSSEC enabled
If you're using Quad9, DNSSEC should not be enabled locally. Using any forwarder, this should not be enabled.
https://docs.quad9.net/Quad9_For_Organizations/DNS_Forwarder_Best_Practices/
Disable DNSSEC Validation
Since Quad9 already performs DNSSEC validation, DNSSEC being enabled in the forwarder will cause a duplication of the DNSSEC process, significantly reducing performance and potentially causing false BOGUS responses.
-
@johnpoz said in ATT Fiber DNS Issue:
Disable DNSSEC Validation
Thanks. Disabled and ran Steve Gibson's DNS Spoofability Test to confirm DNSSEC is enabled.
-
Update:
With pfSense DNSSEC disabled, unable to resolve DNS queries for static mappings in DHCP Server.
Rebooted multiple times with the same result.
Restored to previous config, rebooted, and everything is working again.
-
@elvisimprsntr DNSSEC has ZERO to do with your static mappings - ZERO!!!
Not sure what else you changed or what happened, but it has ZERO to do with DNSSEC.
-
The only change I intentionally made was to disable DNSSEC, but comparing the two config files, it also removed the following:
<regdhcp></regdhcp> <regdhcpstatic></regdhcpstatic>
I did not make this change via the GUI.
I'm taking the "if it ain't broke, don't fix it" position.
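The config-file comparison described above, as an added example that is not part of the original post: pfSense stores boolean unbound options as empty elements in config.xml (present means enabled), so a presence diff of the <unbound> section shows exactly which flags a GUI change silently dropped. The XML fragments below are constructed, not real exports, and the option names are assumed from the thread and the unbound section of config.xml.

```python
import xml.etree.ElementTree as ET

# Constructed pfSense-style config.xml fragments (not real exports).
# Boolean unbound options are empty elements: present means enabled.
BEFORE = """<pfsense><unbound>
  <enable></enable>
  <dnssec></dnssec>
  <forwarding></forwarding>
  <forward_tls_upstream></forward_tls_upstream>
  <regdhcp></regdhcp>
  <regdhcpstatic></regdhcpstatic>
  <custom_options></custom_options>
</unbound></pfsense>"""

AFTER = """<pfsense><unbound>
  <enable></enable>
  <forwarding></forwarding>
  <forward_tls_upstream></forward_tls_upstream>
  <custom_options></custom_options>
</unbound></pfsense>"""

# Presence flags whose loss silently changes resolver behaviour (assumed names).
FLAGS = ("dnssec", "forwarding", "forward_tls_upstream", "regdhcp", "regdhcpstatic")


def unbound_flags(xml_text):
    """Map each known flag to True if its empty element is present in <unbound>."""
    unbound = ET.fromstring(xml_text).find("unbound")
    if unbound is None:
        return {tag: False for tag in FLAGS}
    return {tag: unbound.find(tag) is not None for tag in FLAGS}


def diff_flags(before_xml, after_xml):
    """Return {option: (before, after)} for every flag whose state changed."""
    before, after = unbound_flags(before_xml), unbound_flags(after_xml)
    return {k: (before[k], after[k]) for k in FLAGS if before[k] != after[k]}


def unexpected_changes(diff, intended):
    """Flags that changed but were not on the operator's intended list."""
    return sorted(k for k in diff if k not in intended)


if __name__ == "__main__":
    changes = diff_flags(BEFORE, AFTER)
    for option, (old, new) in changes.items():
        print(f"{option}: {old} -> {new}")
    # Only dnssec was meant to change; regdhcp and regdhcpstatic were collateral.
    print("unexpected:", unexpected_changes(changes, {"dnssec"}))
```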
-
@elvisimprsntr Did you switch to Kea vs ISC, previously or currently?
-
I switched to KEA a long time ago.
In case it is relevant, I have all the recommended patches applied on 2.7.2
-
@elvisimprsntr Well, maybe your change to the unbound config cleared out the old config, so it is not loading your statics. But Kea doesn't even support statics.
What specific version of pfSense are you running? They have made some progress in Kea with the latest Plus versions. I have not paid too much attention to the Kea changes in Plus, since I have no plans on switching until they have all the kinks worked out, etc.
But when Kea first came out it did not support registration of DHCP reservations. Are you running 24.11? Registrations were to be working in the 24.11 version.
But there might be a config you have to do even if you run 24.11, because you can now do it per interface, or globally, etc.
"DNS Registration can be configured on a per-interface or global manner, with the ability to enable or disable specific interfaces as needed."
-
Running 2.7.2 with all the latest patches applied.
Now that I think about it, I recall reading posts when KEA was first advertised of others having static mapping problems, but I never had a problem.
So it seems with those two settings, KEA does support it.
-
@elvisimprsntr No, Kea in 2.7.2 does not support it, not according to the release notes.
You might have had leftover old statics in unbound, but your change to your unbound config cleared them, and Kea did not reload them.
If you are on CE and you want to use reservations in unbound, I would suggest you move back to ISC for the time being. 2.8 will prob bring the registration feature of Kea in 24.11.
-
I switched to KEA when I first saw the banner that ISC was being deprecated and recommended switching to KEA.
I have never had a problem until I tried to disable DNSSEC.
Since it seems to be working, I'll stick with KEA.
-
@elvisimprsntr Do new ones get added? Do you have DNSSEC disabled? Or did you just load up your last config?
-
- Just restored previous config with DNSSEC enabled.
- I have made recent changes to static mapping and they get added.
- I even have some DNS host overrides that work as well.
Not sure what to tell ya, but KEA has always worked for me.
-