Blog - IPFire 2.25 - Core Update 142 released

@ms
This update brings a new kernel which is based on Linux 4.14.171.

Is not 4.14.173 correct?


Yes, please have a look at 2.25 Core 142 Testing; it seems that the blog text wasn’t corrected.

Btw, 142 final works well, thanks for the work!

Same here, updated this morning.
All good for now, no problem found.

Best regards.

UT1

+1 for IPFire 2.25 (x86_64) - Core Update 142 with base system + hostapd

 Thanks!

Core 142 increased CPU and associated temperatures after upgrade from 141.
Consistent on all my IPFire boxes.

Yes it is. I fixed it. Sorry. I had a long week.

I would recommend that you collect more information about this and open a bug report to have a look at it.

With the Core Update to 142 the DNS resolution totally broke down.
I use Pi-hole as my main DNS server and IPFire as my DHCP server.
IPFire has autonomous DNS resolution.

After upgrading to 142 no DNS resolution could be done.
I had to revert to a previous CU version in order to make DNS work again.


I am still having problems with DNS. The problem is intermittent and very annoying.

  • I try to access community.ipfire.org and I can access.
  • I try to log in with my username and cannot access people.ipfire.org.
  • I access the IPFire Console and it says “Broken”.
  • After a while, I go back to the IPFire DNS and put “Working”.
  • So I can already access people.ipfire.org well.
  • After a while (1 or 2 minutes) “Broken” appears again and so on.

I am looking in the logs and I can’t find anything. Is there a way to put it in -verbose mode?

If you use suricata try to disable it. If it now works try to increase the buffers for DNS and flood protection triggers in /etc/suricata/suricata.yaml

Unlucky. ☹

I have disabled Suricata and for a minute it has been “Working”; now instead it is “Broken”.

I try to ping people.ipfire.org and this appears:

C:\Users\rober>ping people.ipfire.org
La solicitud de ping no pudo encontrar el host people.ipfire.org. Compruebe el nombre y
vuelva a intentarlo.

I have had to put Google’s DNS directly on the PC.

With 141 the DNS worked correctly, but with 142, everything is a problem (I will not update any IPFire to this version). I’ll wait for 143 to see if it gets fixed. I can’t risk having these problems in Production.

What does unbound log?

The logs say this:

| | | |
|---|---|---|
|10:53:59|unbound: [1927:0]|error: SERVFAIL <org. DNSKEY IN>: all the configured stub or forward servers failed, at zone .|
|10:53:29|unbound: [1927:0]|error: SERVFAIL <org. DNSKEY IN>: all the configured stub or forward servers failed, at zone .|
|10:53:28|unbound: [1927:0]|info: validation failure <ocsp.pki.goog. A IN>: no signatures from 8.8.8.8 and 8.8.8.8|
|10:49:31|unbound: [1927:0]|info: validation failure <ocsp.pki.goog. A IN>: no signatures from 8.8.4.4 and 8.8.4.4|
|10:46:33|unbound: [1927:0]|error: SERVFAIL <ping.ipfire.org. A IN>: all the configured stub or forward servers failed, at zone .|
|10:43:13|unbound: [1927:0]|error: SERVFAIL <ping.ipfire.org. A IN>: all the configured stub or forward servers failed, at zone .|
|10:37:08|unbound: [1927:0]|info: validation failure <ocsp.pki.goog. A IN>: no signatures from 8.8.8.8 and 8.8.4.4|
|10:36:04|unbound: [1927:0]|error: SERVFAIL <people.ipfire.org. A IN>: all the configured stub or forward servers failed, at zone .|
|10:35:57|unbound: [1927:0]|error: SERVFAIL <ping.ipfire.org. A IN>: all the configured stub or forward servers failed, at zone .|
|10:34:22|unbound: [1927:0]|error: SERVFAIL <people.ipfire.org. A IN>: all the configured stub or forward servers failed, at zone .|
|10:30:35|unbound: [1927:0]|error: SERVFAIL <people.ipfire.org. A IN>: all the configured stub or forward servers failed, at zone .|
|10:30:14|unbound: [1927:0]|info: generate keytag query _ta-4a5c-4f66. NULL IN|
|10:30:14|unbound: [1927:0]|info: start of service (unbound 1.9.6).|
|10:30:14|unbound: [1927:0]|notice: init module 1: iterator|
|10:30:14|unbound: [1927:0]|notice: init module 0: validator|
|10:30:14|unbound: [1927:0]|notice: Restart of unbound 1.9.6.|
|10:30:14|unbound: [1927:0]|info: 128.000000 256.000000 34|
|10:30:14|unbound: [1927:0]|info: 64.000000 128.000000 10|
|10:30:14|unbound: [1927:0]|info: 16.000000 32.000000 7|
|10:30:14|unbound: [1927:0]|info: 8.000000 16.000000 1|
|10:30:14|unbound: [1927:0]|info: 0.262144 0.524288 3|
|10:30:14|unbound: [1927:0]|info: 0.131072 0.262144 23|
|10:30:14|unbound: [1927:0]|info: 0.065536 0.131072 39|
|10:30:14|unbound: [1927:0]|info: 0.032768 0.065536 38|
|10:30:14|unbound: [1927:0]|info: 0.016384 0.032768 37|
|10:30:14|unbound: [1927:0]|info: 0.008192 0.016384 23|
|10:30:14|unbound: [1927:0]|info: 0.004096 0.008192 2|
|10:30:14|unbound: [1927:0]|info: 0.001024 0.002048 7|
|10:30:14|unbound: [1927:0]|info: 0.000000 0.000001 25|
|10:30:14|unbound: [1927:0]|info: lower(secs) upper(secs) recursions|
|10:30:14|unbound: [1927:0]|info: [25%]=0.0187088 median[50%]=0.0590686 [75%]=0.220828|
|10:30:14|unbound: [1927:0]|info: histogram of recursion processing times|
|10:30:14|unbound: [1927:0]|info: average recursion processing time 27.891083 sec|
|10:30:14|unbound: [1927:0]|info: server stats for thread 0: requestlist max 9 avg 3.40161 exceeded 0 jostled 0|
|10:30:14|unbound: [1927:0]|info: server stats for thread 0: 663 queries, 414 answers from cache, 249 recursions, 0 prefetch, 0 rejected by ip ratelimiting|
|10:30:14|unbound: [1927:0]|info: service stopped (unbound 1.9.6).|
|10:29:30|unbound: [1927:0]|info: validation failure <people.ipfire.org. A IN>: no signatures from 8.8.4.4 and 8.8.8.8|
|10:29:26|unbound: [1927:0]|info: validation failure <community.ipfire.org. AAAA IN>: no signatures from 8.8.4.4|
|10:27:54|unbound: [1927:0]|error: SERVFAIL <org. DNSKEY IN>: all the configured stub or forward servers failed, at zone .|
|10:27:34|unbound: [1927:0]|error: SERVFAIL <es. DNSKEY IN>: all the configured stub or forward servers failed, at zone .|
|10:27:29|unbound: [1927:0]|info: validation failure <ocsp.pki.goog. A IN>: no signatures from 8.8.4.4 and 8.8.8.8|
|10:27:24|unbound: [1927:0]|error: SERVFAIL <org. DNSKEY IN>: all the configured stub or forward servers failed, at zone .|
|10:27:03|unbound: [1927:0]|error: SERVFAIL <es. DNSKEY IN>: all the configured stub or forward servers failed, at zone .|
|10:26:54|unbound: [1927:0]|error: SERVFAIL <org. DNSKEY IN>: all the configured stub or forward servers failed, at zone .|
|10:26:33|unbound: [1927:0]|error: SERVFAIL <es. DNSKEY IN>: all the configured stub or forward servers failed, at zone .|
|10:26:24|unbound: [1927:0]|error: SERVFAIL <org. DNSKEY IN>: all the configured stub or forward servers failed, at zone .|
|10:26:13|unbound: [1927:0]|error: SERVFAIL <ping.ipfire.org. A IN>: all the configured stub or forward servers failed, at zone .|
|10:26:03|unbound: [1927:0]|error: SERVFAIL <es. DNSKEY IN>: all the configured stub or forward servers failed, at zone .|
|10:25:33|unbound: [1927:0]|info: validation failure <wpad.northsecure.es. A IN>: No DNSKEY record for key es. while building chain of trust|
|10:24:33|unbound: [1927:0]|error: SERVFAIL <es. DNSKEY IN>: all the configured stub or forward servers failed, at zone .|
|10:24:02|unbound: [1927:0]|error: SERVFAIL <es. DNSKEY IN>: all the configured stub or forward servers failed, at zone .|
|10:23:32|unbound: [1927:0]|error: SERVFAIL <es. DNSKEY IN>: all the configured stub or forward servers failed, at zone .|
|10:23:24|unbound: [1927:0]|error: SERVFAIL <ping.ipfire.org. A IN>: all the configured stub or forward servers failed, at zone .|
|10:23:12|unbound: [1927:0]|info: validation failure <www.google.es. A IN>: key for validation es. is marked as invalid|
|10:23:03|unbound: [1927:0]|info: validation failure <incoming.telemetry.mozilla.org. A IN>: key for validation org. is marked as invalid|
|10:23:02|unbound: [1927:0]|info: validation failure <northsecure.dedyn.io.northsecure.es. AAAA IN>: No DNSKEY record for key es. while building chain of trust|
|10:23:02|unbound: [1927:0]|info: validation failure <Home.northsecure.es. A IN>: No DNSKEY record for key es. while building chain of trust|
|10:23:02|unbound: [1927:0]|info: validation failure <Home.northsecure.es. AAAA IN>: No DNSKEY record for key es. while building chain of trust|
|10:23:02|unbound: [1927:0]|error: SERVFAIL <es. DNSKEY IN>: all the configured stub or forward servers failed, at zone .|
|10:22:32|unbound: [1927:0]|error: SERVFAIL <es. DNSKEY IN>: all the configured stub or forward servers failed, at zone .|
|10:22:06|unbound: [1927:0]|info: validation failure <community.ipfire.org. A IN>: No DNSKEY record for key org. while building chain of trust|
|10:22:06|unbound: [1927:0]|error: SERVFAIL <org. DNSKEY IN>: all the configured stub or forward servers failed, at zone .|
|10:22:02|unbound: [1927:0]|error: SERVFAIL <es. DNSKEY IN>: all the configured stub or forward servers failed, at zone .|
|10:21:35|unbound: [1927:0]|error: SERVFAIL <org. DNSKEY IN>: all the configured stub or forward servers failed, at zone .|
|10:21:32|unbound: [1927:0]|error: SERVFAIL <es. DNSKEY IN>: all the configured stub or forward servers failed, at zone .|
|10:21:05|unbound: [1927:0]|error: SERVFAIL <org. DNSKEY IN>: all the configured stub or forward servers failed, at zone .|
|10:21:02|unbound: [1927:0]|info: validation failure <rink.hockeyapp.net.northsecure.es. A IN>: No DNSKEY record for key es. while building chain of trust|
|10:21:02|unbound: [1927:0]|info: validation failure <rink.hockeyapp.net. A IN>: No DNSKEY record for key es. while building chain of trust|
|10:21:02|unbound: [1927:0]|error: SERVFAIL <es. DNSKEY IN>: all the configured stub or forward servers failed, at zone .|
|10:20:35|unbound: [1927:0]|error: SERVFAIL <org. DNSKEY IN>: all the configured stub or forward servers failed, at zone .|
|10:20:31|unbound: [1927:0]|error: SERVFAIL <es. DNSKEY IN>: all the configured stub or forward servers failed, at zone .|
|10:20:16|unbound: [1927:0]|error: SERVFAIL <ping.ipfire.org. A IN>: all the configured stub or forward servers failed, at zone .|
|10:20:05|unbound: [1927:0]|error: SERVFAIL <org. DNSKEY IN>: all the configured stub or forward servers failed, at zone .|
|10:20:01|unbound: [1927:0]|error: SERVFAIL <es. DNSKEY IN>: all the configured stub or forward servers failed, at zone .|
|10:19:35|unbound: [1927:0]|error: SERVFAIL <org. DNSKEY IN>: all the configured stub or forward servers failed, at zone .|
|10:19:31|unbound: [1927:0]|error: SERVFAIL <es. DNSKEY IN>: all the configured stub or forward servers failed, at zone .|
|10:19:13|unbound: [1927:0]|error: SERVFAIL <ping.ipfire.org. A IN>: all the configured stub or forward servers failed, at zone .|
|10:19:01|unbound: [1927:0]|error: SERVFAIL <es. DNSKEY IN>: all the configured stub or forward servers failed, at zone .|
|10:18:31|unbound: [1927:0]|error: SERVFAIL <es. DNSKEY IN>: all the configured stub or forward servers failed, at zone .|
|10:17:56|unbound: [1927:0]|error: SERVFAIL <ping.ipfire.org. A IN>: all the configured stub or forward servers failed, at zone .|
|10:17:37|unbound: [1927:0]|info: generate keytag query _ta-4a5c-4f66. NULL IN|
|10:17:26|unbound: [1927:0]|info: start of service (unbound 1.9.6).|
|10:17:26|unbound: [1927:0]|notice: init module 1: iterator|
|10:17:26|unbound: [1927:0]|notice: init module 0: validator|
|10:17:26|unbound: [1927:0]|notice: Restart of unbound 1.9.6.|
|10:17:26|unbound: [1927:0]|info: 64.000000 128.000000 3|
|10:17:26|unbound: [1927:0]|info: 16.000000 32.000000 4|
|10:17:26|unbound: [1927:0]|info: 8.000000 16.000000 1|
|10:17:26|unbound: [1927:0]|info: 0.131072 0.262144 1|
|10:17:26|unbound: [1927:0]|info: 0.065536 0.131072 6|
|10:17:26|unbound: [1927:0]|info: 0.032768 0.065536 2|
|10:17:26|unbound: [1927:0]|info: 0.008192 0.016384 2|
|10:17:26|unbound: [1927:0]|info: 0.000000 0.000001 1|
|10:17:26|unbound: [1927:0]|info: lower(secs) upper(secs) recursions|
|10:17:26|unbound: [1927:0]|info: [25%]=0.065536 median[50%]=0.120149 [75%]=24|
|10:17:26|unbound: [1927:0]|info: histogram of recursion processing times|
|10:17:26|unbound: [1927:0]|info: average recursion processing time 23.284806 sec|
|10:17:26|unbound: [1927:0]|info: server stats for thread 0: requestlist max 5 avg 3.37037 exceeded 0 jostled 0|
|10:17:26|unbound: [1927:0]|info: server stats for thread 0: 27 queries, 1 answers from cache, 26 recursions, 1 prefetch, 0 rejected by ip ratelimiting|
|10:17:26|unbound: [1927:0]|info: service stopped (unbound 1.9.6).|
|10:17:22|unbound: [1927:0]|error: SERVFAIL <es. DNSKEY IN>: all the configured stub or forward servers failed, at zone .|
|10:17:08|unbound: [1927:0]|error: SERVFAIL <org. DNSKEY IN>: all the configured stub or forward servers failed, at zone .|
|10:16:51|unbound: [1927:0]|error: SERVFAIL <es. DNSKEY IN>: all the configured stub or forward servers failed, at zone .|
|10:16:21|unbound: [1927:0]|error: SERVFAIL <ping.ipfire.org. A IN>: all the configured stub or forward servers failed, at zone .|
|10:16:21|unbound: [1927:0]|error: SERVFAIL <es. DNSKEY IN>: all the configured stub or forward servers failed, at zone .|
|10:15:51|unbound: [1927:0]|error: SERVFAIL <es. DNSKEY IN>: all the configured stub or forward servers failed, at zone .|
|10:15:46|unbound: [1927:0]|error: SERVFAIL <ping.ipfire.org. A IN>: all the configured stub or forward servers failed, at zone .|
|10:15:16|unbound: [1927:0]|info: generate keytag query _ta-4a5c-4f66. NULL IN|
|10:15:16|unbound: [1927:0]|info: start of service (unbound 1.9.6).|
|10:15:16|unbound: [1927:0]|notice: init module 1: iterator|
|10:15:16|unbound: [1927:0]|notice: init module 0: validator|
|10:15:16|unbound: [1927:0]|notice: Restart of unbound 1.9.6.|
|10:15:16|unbound: [1927:0]|info: 8.000000 16.000000 2|
|10:15:16|unbound: [1927:0]|info: 4.000000 8.000000 2|
|10:15:16|unbound: [1927:0]|info: 2.000000 4.000000 1|
|10:15:16|unbound: [1927:0]|info: 1.000000 2.000000 1|
|10:15:16|unbound: [1927:0]|info: 0.524288 1.000000 3|
|10:15:16|unbound: [1927:0]|info: 0.262144 0.524288 2|
|10:15:16|unbound: [1927:0]|info: 0.131072 0.262144 7|
|10:15:16|unbound: [1927:0]|info: 0.065536 0.131072 8|
|10:15:16|unbound: [1927:0]|info: 0.032768 0.065536 5|
|10:15:16|unbound: [1927:0]|info: 0.016384 0.032768 2|
|10:15:16|unbound: [1927:0]|info: 0.008192 0.016384 2|
|10:15:16|unbound: [1927:0]|info: 0.000000 0.000001 1|
|10:15:16|unbound: [1927:0]|info: lower(secs) upper(secs) recursions|
|10:15:16|unbound: [1927:0]|info: [25%]=0.0589824 median[50%]=0.131072 [75%]=0.524288|
|10:15:16|unbound: [1927:0]|info: histogram of recursion processing times|
|10:15:16|unbound: [1927:0]|info: average recursion processing time 1.322041 sec|
|10:15:16|unbound: [1927:0]|info: server stats for thread 0: requestlist max 4 avg 1.79487 exceeded 0 jostled 0|
|10:15:16|unbound: [1927:0]|info: server stats for thread 0: 191 queries, 152 answers from cache, 39 recursions, 0 prefetch, 0 rejected by ip ratelimiting|
|10:15:16|unbound: [1927:0]|info: service stopped (unbound 1.9.6).|
|10:14:30|unbound: [1927:0]|info: generate keytag query _ta-4a5c-4f66. NULL IN|
|10:14:27|unbound: [1927:0]|info: start of service (unbound 1.9.6).|
|10:14:27|unbound: [1927:0]|notice: init module 1: iterator|
|10:14:27|unbound: [1927:0]|notice: init module 0: validator|
|10:14:27|unbound: [1927:0]|notice: Restart of unbound 1.9.6.|
|10:14:27|unbound: [1927:0]|info: 64.000000 128.000000 31|
|10:14:27|unbound: [1927:0]|info: 32.000000 64.000000 63|
|10:14:27|unbound: [1927:0]|info: 16.000000 32.000000 46|
|10:14:27|unbound: [1927:0]|info: 8.000000 16.000000 87|
|10:14:27|unbound: [1927:0]|info: 4.000000 8.000000 43|
|10:14:27|unbound: [1927:0]|info: 2.000000 4.000000 31|
|10:14:27|unbound: [1927:0]|info: 1.000000 2.000000 15|
|10:14:27|unbound: [1927:0]|info: 0.524288 1.000000 44|
|10:14:27|unbound: [1927:0]|info: 0.262144 0.524288 335|
|10:14:27|unbound: [1927:0]|info: 0.131072 0.262144 888|
|10:14:27|unbound: [1927:0]|info: 0.065536 0.131072 958|
|10:14:27|unbound: [1927:0]|info: 0.032768 0.065536 1274|
|10:14:27|unbound: [1927:0]|info: 0.016384 0.032768 181|
|10:14:27|unbound: [1927:0]|info: 0.008192 0.016384 216|

Thanks.
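Added example (not part of any post in this thread): a triage script for unbound log lines in the pipe-delimited form posted above. It separates forwarder failures from DNSSEC validation failures and flags validation failures that sit under a zone whose own DNSKEY lookup returned SERVFAIL. The sample lines, names and addresses are constructed placeholders, and the category labels are this example's own.

```python
import re
from collections import Counter

# Constructed sample in the format of the log posted above; names and
# addresses are placeholders, not values from the thread.
SAMPLE = """\
|10:20:30|unbound: [1927:0]|error: SERVFAIL <ping.example.org. A IN>: all the configured stub or forward servers failed, at zone .|
|10:20:14|unbound: [1927:0]|notice: Restart of unbound 1.9.6.|
|10:20:09|unbound: [1927:0]|info: validation failure <www.example.net. A IN>: no signatures from 192.0.2.53 and 192.0.2.54|
|10:20:05|unbound: [1927:0]|info: validation failure <mail.example.org. A IN>: key for validation org. is marked as invalid|
|10:20:02|unbound: [1927:0]|info: validation failure <www.example.org. A IN>: No DNSKEY record for key org. while building chain of trust|
|10:20:01|unbound: [1927:0]|error: SERVFAIL <org. DNSKEY IN>: all the configured stub or forward servers failed, at zone .|
"""

LINE = re.compile(r"^\|\d\d:\d\d:\d\d\|unbound: \[\d+:\d+\]\|\w+: (?P<msg>.*)\|$")
QUERY = re.compile(r"<(?P<name>\S+) (?P<qtype>\S+) IN>: (?P<reason>.*)")
KEY_ZONE = re.compile(r"(?:for key|key for validation) (?P<zone>\S+)")
IPV4 = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")
REASONS = (("no signatures", "unsigned_answer"),        # answer arrived without RRSIGs
           ("No DNSKEY record", "dnskey_missing"),      # a key in the chain could not be fetched
           ("marked as invalid", "key_marked_invalid")) # zone key already flagged bad

def classify(reason):
    return next((label for needle, label in REASONS if needle in reason), "other")

def triage(text):
    report = {"restarts": 0, "forward_failures": Counter(), "validation": Counter(),
              "dnskey_unreachable": set(), "unsigned_from": set(), "collateral": []}
    failures = []  # (query name, key zone named in the reason) per validation failure
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        msg = m["msg"]
        if msg.startswith("Restart of unbound"):
            report["restarts"] += 1
        q = QUERY.search(msg)
        if not q:
            continue
        if msg.startswith("SERVFAIL"):
            report["forward_failures"][q["qtype"]] += 1
            if q["qtype"] == "DNSKEY":
                report["dnskey_unreachable"].add(q["name"])
        elif msg.startswith("validation failure"):
            kind = classify(q["reason"])
            report["validation"][kind] += 1
            if kind == "unsigned_answer":
                report["unsigned_from"].update(IPV4.findall(q["reason"]))
            zone = KEY_ZONE.search(q["reason"])
            failures.append((q["name"], zone["zone"] if zone else None))
    # The log is listed newest first, so correlate only after reading everything:
    # a validation failure under a zone whose DNSKEY lookup got SERVFAIL points at
    # unreachable forwarders rather than at bad signatures.
    report["collateral"] = sorted(n for n, z in failures if z in report["dnskey_unreachable"])
    return report
```

Call `triage()` on the exported log text. A non-empty `collateral` list alongside DNSKEY entries in `forward_failures` suggests checking forwarder reachability before suspecting the DNSSEC data itself.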

I’m in the same situation, all worked fine until this night.
DNS status is broken, this is a big issue for us because we are at home
for coronavirus, and if the firewall doesn’t work it’s a nightmare.
The only way to continue working was in smartworking in remote from their home.
I have 5 people that tomorrow morning will be blocked.

Any suggestion?

UT1

Edit: 19.30 in the afternoon.
I checked again and the DNS system is working again.
I didn’t do anything. Anybody else?

Regards

UT1

When I first updated from Core 141 to Core 142 I had either no DNS or extremely slow DNS depending on the website.

Multiple reboots did not help. The only thing that helped me was turning off all of my current DNS settings. So I went from this:


and went back to the Default settings of:
• Use ISP-assigned DNS servers = [unsure if I clicked this on or not]
• Protocol for DNS queries = UDP
• Enable Safe Search = unchecked
• QNAME Minimisation = Standard

I clicked Save and tested various websites - all was back to normal and websites loaded quickly.

I turned everything back on (Protocol for DNS queries = TLS, Enable Safe Search = checked, QNAME Minimisation = Strict) and again everything was normal. This did not make sense to me…

All has been working fine since these changes.

EDIT: In a log I had many error: SERVFAIL type messages.

Looks like none of your resolvers work…

I believe for correct TLS authentication you will also want to use the FQDN of the DNS server. For instance, with cloudflare this is one.one.one.one.

Here’s a screenshot of my settings, they always test “OK” and I haven’t had any DNS issues (lookups are quite fast).

And the solution is…

Changing it or debug network connectivity issues?