2.25 Core 142 Testing

A first quick test: it runs smoothly so far.

Runs here now for some days without problems.

In my case it has not gone so well.

With version 141 the module “Domain Name System” was going perfectly (minus the “safe search” that didn’t work), but with the “IPFire 2.25 (i586) - Core Update 142 Development Build: master / e53c38ae” it is giving me a lot of problems.

It looks like this:

Thanks to this problem, I can’t navigate well.

It has been in the wake of trying the “Enable Safe Search” that seemed to work. Now, I can’t navigate.

What could I do?

Greetings.

@roberto
Look here

I saw some unbound-specific patches there. Maybe this build helps.

There are some late fixes, so I rebuild the update.
Set pakfire tree to testing on pakfire page.
Go to console and restart unbound. (then dns should work)
Set /opt/pakfire/db/core/mine to 141
Run pakfire update --force
and pakfire upgrade
to reinstall.

Hi @arne_f

Bad news, I have applied what you have recommended to me and it is still “broken”. I’ve now “IPFire 2.25 (i586) - Core Update 142 Development Build: master/b3bc092d” version.

Here is DNS: Unbound log:

|08:03:41|unbound: [5278:0]|info: validation failure <pakfire.ipfire.org. A IN>: key for validation fw01.ipfire.org. is marked as invalid|
|---|---|---|
|08:03:29|unbound: [5278:0]|info: validation failure <ping.ipfire.org. A IN>: SERVFAIL no DS for DS fw01.ipfire.org. while building chain of trust|
|08:03:29|unbound: [5278:0]|error: SERVFAIL <fw01.ipfire.org. DS IN>: all the configured stub or forward servers failed, at zone .|
|08:03:08|unbound: [5278:0]|error: SERVFAIL <mirror1.ipfire.org. A IN>: all the configured stub or forward servers failed, at zone .|
|08:03:00|unbound: [5278:0]|error: SERVFAIL <pakfire.ipfire.org. AAAA IN>: all the configured stub or forward servers failed, at zone .|
|08:02:59|unbound: [5278:0]|error: SERVFAIL <fw01.ipfire.org. DS IN>: all the configured stub or forward servers failed, at zone .|
|08:02:47|unbound: [5278:0]|error: SERVFAIL <pakfire.ipfire.org. A IN>: all the configured stub or forward servers failed, at zone .|
|08:02:29|unbound: [5278:0]|error: SERVFAIL <fw01.ipfire.org. DS IN>: all the configured stub or forward servers failed, at zone .|
|08:01:58|unbound: [5278:0]|error: SERVFAIL <fw01.ipfire.org. DS IN>: all the configured stub or forward servers failed, at zone .|
|08:01:28|unbound: [5278:0]|error: SERVFAIL <fw01.ipfire.org. DS IN>: all the configured stub or forward servers failed, at zone .|
|08:00:30|unbound: [5278:0]|error: SERVFAIL <org. DNSKEY IN>: all the configured stub or forward servers failed, at zone .|
|08:00:00|unbound: [5278:0]|info: generate keytag query _ta-4a5c-4f66. NULL IN|
|07:59:36|unbound: [5278:0]|info: start of service (unbound 1.9.6).|
|07:59:36|unbound: [5278:0]|notice: init module 1: iterator|
|07:59:36|unbound: [5278:0]|notice: init module 0: validator|
|07:59:34|unbound: [1926:0]|info: 16.000000 32.000000 5|
|07:59:34|unbound: [1926:0]|info: 2.000000 4.000000 1|
|07:59:34|unbound: [1926:0]|info: 1.000000 2.000000 1|
|07:59:34|unbound: [1926:0]|info: 0.262144 0.524288 1|
|07:59:34|unbound: [1926:0]|info: 0.131072 0.262144 2|
|07:59:34|unbound: [1926:0]|info: 0.065536 0.131072 6|
|07:59:34|unbound: [1926:0]|info: 0.032768 0.065536 8|
|07:59:34|unbound: [1926:0]|info: 0.016384 0.032768 5|
|07:59:34|unbound: [1926:0]|info: 0.008192 0.016384 4|
|07:59:34|unbound: [1926:0]|info: 0.004096 0.008192 2|
|07:59:34|unbound: [1926:0]|info: 0.000000 0.000001 1|
|07:59:34|unbound: [1926:0]|info: lower(secs) upper(secs) recursions|
|07:59:34|unbound: [1926:0]|info: [25%]=0.0229376 median[50%]=0.057344 [75%]=0.196608|
|07:59:34|unbound: [1926:0]|info: histogram of recursion processing times|
|07:59:34|unbound: [1926:0]|info: average recursion processing time 3.951402 sec|
|07:59:34|unbound: [1926:0]|info: server stats for thread 0: requestlist max 3 avg 0.888889 exceeded 0 jostled 0|
|07:59:34|unbound: [1926:0]|info: server stats for thread 0: 161 queries, 125 answers from cache, 36 recursions, 0 prefetch, 0 rejected by ip ratelimiting|
|07:59:34|unbound: [1926:0]|info: service stopped (unbound 1.9.6).|
|07:59:20|unbound: [1926:0]|error: SERVFAIL <ping.ipfire.org. A IN>: all the configured stub or forward servers failed, at zone .|
|07:57:34|unbound: [1926:0]|error: SERVFAIL <216.58.202.4.in-addr.arpa. PTR IN>: all the configured stub or forward servers failed, at zone .|
|07:55:53|unbound: [1926:0]|error: SERVFAIL <ping.ipfire.org. A IN>: all the configured stub or forward servers failed, at zone .|
|07:55:16|unbound: [1926:0]|error: SERVFAIL <ping.ipfire.org. A IN>: all the configured stub or forward servers failed, at zone .|
|07:55:04|unbound: [1926:0]|info: generate keytag query _ta-4a5c-4f66. NULL IN|
|07:54:46|unbound: [1926:0]|info: start of service (unbound 1.9.6).|
|07:54:46|unbound: [1926:0]|notice: init module 1: iterator|
|07:54:46|unbound: [1926:0]|notice: init module 0: validator|
|07:54:46|unbound: [1926:0]|notice: Restart of unbound 1.9.6.|
|07:54:46|unbound: [1926:0]|info: 32.000000 64.000000 7|
|07:54:46|unbound: [1926:0]|info: 16.000000 32.000000 12|
|07:54:46|unbound: [1926:0]|info: 8.000000 16.000000 1|
|07:54:46|unbound: [1926:0]|info: 0.262144 0.524288 2|
|07:54:46|unbound: [1926:0]|info: 0.131072 0.262144 2|
|07:54:46|unbound: [1926:0]|info: 0.065536 0.131072 5|
|07:54:46|unbound: [1926:0]|info: 0.032768 0.065536 11|
|07:54:46|unbound: [1926:0]|info: lower(secs) upper(secs) recursions|
|07:54:46|unbound: [1926:0]|info: [25%]=0.0625571 median[50%]=0.524288 [75%]=28|
|07:54:46|unbound: [1926:0]|info: histogram of recursion processing times|
|07:54:46|unbound: [1926:0]|info: average recursion processing time 15.762504 sec|
|07:54:46|unbound: [1926:0]|info: server stats for thread 0: requestlist max 3 avg 1.675 exceeded 0 jostled 0|
|07:54:46|unbound: [1926:0]|info: server stats for thread 0: 46 queries, 6 answers from cache, 40 recursions, 0 prefetch, 0 rejected by ip ratelimiting|
|07:54:46|unbound: [1926:0]|info: service stopped (unbound 1.9.6).|
|07:54:45|unbound: [1926:0]|info: validation failure <ping.ipfire.org. A IN>: no signatures from 8.8.8.8 and 8.8.4.4|
|07:54:16|unbound: [1926:0]|error: SERVFAIL <ping.ipfire.org. A IN>: all the configured stub or forward servers failed, at zone .|
|07:53:54|unbound: [1926:0]|error: SERVFAIL <mirror1.ipfire.org. A IN>: all the configured stub or forward servers failed, at zone .|
|07:53:44|unbound: [1926:0]|error: SERVFAIL <pakfire.ipfire.org. A IN>: all the configured stub or forward servers failed, at zone .|
|07:53:17|unbound: [1926:0]|error: SERVFAIL <fireinfo.ipfire.org. AAAA IN>: all the configured stub or forward servers failed, at zone .|
|07:53:17|unbound: [1926:0]|error: SERVFAIL <fireinfo.ipfire.org. A IN>: all the configured stub or forward servers failed, at zone .|
|07:52:50|unbound: [1926:0]|error: SERVFAIL <ping.ipfire.org. A IN>: all the configured stub or forward servers failed, at zone .|
|07:52:44|unbound: [1926:0]|info: validation failure <Home. AAAA IN>: no NSEC3 records from 8.8.4.4 for DS Home. while building chain of trust|
|07:52:42|unbound: [1926:0]|info: validation failure <northsecure.dedyn.io. AAAA IN>: no signatures from 8.8.4.4|
|07:51:58|unbound: [1926:0]|info: generate keytag query _ta-4a5c-4f66. NULL IN|
|07:51:58|unbound: [1926:0]|info: start of service (unbound 1.9.6).|
|07:51:58|unbound: [1926:0]|notice: init module 1: iterator|
|07:51:58|unbound: [1926:0]|notice: init module 0: validator|
|07:51:58|unbound: [1926:0]|notice: Restart of unbound 1.9.6.|

Do you need more log? Tell me which.

Thank you.

Can’t reproduce this. All works fine in the same build version as yours. But I use 64 bit.

Looks like something blocks access to the dns servers.
Have you enabled suricata? If yes try to disable it for testing…
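
Added example (not part of the thread and not IPFire code): a small triage of the Unbound log posted above that separates DNSSEC validation failures from plain upstream SERVFAILs and lists the forwarder addresses Unbound names in the failure reasons. The sample rows are copied from that log with the wrap spaces removed; the function and pattern names are made up for this illustration.

```python
import re
from collections import Counter

# Rows copied from the log quoted above (wrap spaces removed), used as sample input.
SAMPLE = """\
|08:03:41|unbound: [5278:0]|info: validation failure <pakfire.ipfire.org. A IN>: key for validation fw01.ipfire.org. is marked as invalid|
|08:03:29|unbound: [5278:0]|info: validation failure <ping.ipfire.org. A IN>: SERVFAIL no DS for DS fw01.ipfire.org. while building chain of trust|
|08:03:08|unbound: [5278:0]|error: SERVFAIL <mirror1.ipfire.org. A IN>: all the configured stub or forward servers failed, at zone .|
|07:59:36|unbound: [5278:0]|info: start of service (unbound 1.9.6).|
|07:54:45|unbound: [1926:0]|info: validation failure <ping.ipfire.org. A IN>: no signatures from 8.8.8.8 and 8.8.4.4|
|07:52:42|unbound: [1926:0]|info: validation failure <northsecure.dedyn.io. AAAA IN>: no signatures from 8.8.4.4|
"""

# Row layout: |time|unbound: [pid:thread]|level: message|
ROW = re.compile(r"^\|[\d:]+\|unbound: \[\d+:\d+\]\|(\w+): (.*)\|$")
QUERY = re.compile(r"<(\S+) (\S+) IN>: (.*)")
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def triage(text):
    """Split failures into DNSSEC validation errors and upstream SERVFAILs."""
    out = {"dnssec": Counter(), "upstream": Counter(),
           "resolvers": Counter(), "starts": 0}
    for line in text.splitlines():
        row = ROW.match(line.strip())
        if not row:
            continue  # table separator or unrelated line
        msg = row.group(2)
        if msg.startswith("start of service"):
            out["starts"] += 1
            continue
        query = QUERY.search(msg)
        if not query:
            continue
        name, _rtype, reason = query.groups()
        if msg.startswith("validation failure"):
            out["dnssec"][name] += 1
            # Upstream resolver addresses that unbound names in the reason text.
            out["resolvers"].update(IPV4.findall(reason))
        elif msg.startswith("SERVFAIL"):
            out["upstream"][name] += 1
    return out


if __name__ == "__main__":
    result = triage(SAMPLE)
    for key in ("dnssec", "upstream", "resolvers"):
        print(key, dict(result[key]))
    print("service starts:", result["starts"])
```
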

Hi @arne_f

I have checked the Suricata log and have not seen anything. I have it marked only in RED. I have disabled it and it remains the same.

With Core 141 it works fine.

Thanks.

I don’t know if this is normal:

[root@bs ~]# /etc/init.d/unbound restart
Stopping Unbound DNS Proxy...                                          [  OK  ]
Starting Unbound DNS Proxy...                                          [  OK  ]
[root@bs ~]# unbound
Mar 06 12:46:11 unbound[4804:0] error: can't bind socket: Address already in use for 127.0.0.1 port 8953
Mar 06 12:46:11 unbound[4804:0] error: cannot open control interface 127.0.0.1 8953
Mar 06 12:46:11 unbound[4804:0] fatal error: could not open ports
[root@bs ~]#

Greetings

With unbound I got the same as you.

Try unbound-control status instead.

Thanks @anon65703081.

[root@bs ~]# unbound-control status
version: 1.9.6
verbosity: 1
threads: 1
modules: 2 [ validator iterator ]
uptime: 5048 seconds
options: reuseport control
unbound (pid 326) is running...
[root@bs ~]# 

I imagined. It’s like trying to execute an already executed process.

Now, mysteriously and without doing anything, it appears like this:

If I click on “Save”, it appears like this:

Well, finally I think works Ok:

I have done the steps that appear in: https://dnssec.vs.uni-due.de/ and in the end, after much research, put Working. I don’t know if this will have been but in the end it seems to work.

What does not work now is the “Enable Safe Search”. I put “Porn” and it appears everything.

Greetings.

UPDATE (next day): Now, without doing anything, it is broken. It works randomly or directly, it doesn’t work. I will wait for a solution.

Same here. Maybe it’s required that IPFire is the DNS server for the clients?

Safe-Search is based on DNS and the clients have to use the IPFire DNS to get this working.

I’ve IPFire as DNS Server and nothing. I can see all.

01:05 PM: At this moment it is working. The operation is similar to a fairground shotgun. :grin:

03:11 PM: Is broken, without touching anything.

08:33 PM: Working.

8:24 AM Next Day: Broken.

After the changes suggested by Matthias: Working

Hey community,

Testing core142:

I installed: IPFire 2.25 (x86_64) - core142 Development Build: master/b3bc092d
with datarestore from core141

  • Problems so far:
    1.) no entries in WUI Protokolle/Firewall-Protokolldateien
    2.) missing /etc/host.allow and host.deny since core141

  • Comments:
    looks good, up and running (but fw-logs missing)
    DoT without problems
    good: pakfire/konfiguraton - testing later

yours
bh

/etc/hosts.deny and allow are leftovers from the tcp-wrapper package, which was removed loooong ago.
Also, the creation of these files by setup was already removed with core122, not in 141.

https://git.ipfire.org/?p=ipfire-2.x.git;a=commit;h=d97ba75fe5634055850deda7a594d52e901dbe75

Hi,

@roberto:
At first, I had exactly the same errors as you.

After upgrading from Core 139 to Core 141 - prior to rebooting - I manually installed unbound 1.10.0 for testing.

But: this new version (32bit) was built under Core 139!

Because of this, the installation archive of the new version contained the old configuration files: ‘/etc/init.d/unbound’, ‘/etc/unbound/unbound.conf’ and ‘/usr/sbin/unbound-dhcp-leases-bridge’ (The current master version of the last file seems to be identical to Core 141).

After rebooting, DNS was working (somehow), but with the same errors as yours:

Mar 06 12:46:11 unbound[4804:0] error: can't bind socket: Address already in use for 127.0.0.1 port 8953
Mar 06 12:46:11 unbound[4804:0] error: cannot open control interface 127.0.0.1 8953
Mar 06 12:46:11 unbound[4804:0] fatal error: could not open ports

I had to stop ‘unbound’, copied the configuration files from Core 141, restarted ‘unbound’, waited - and now DNS is working since then.

So, as a suggestion, I would recommend you replace at least the ‘unbound’-initscript and ‘unbound.conf’ with the files from Core 141.

You find them here:
unbound-initscript
unbound.conf

HTH,
Matthias
