DNS broken after update to 141/142

Hey guys,

A few days ago I updated from 139 to 141 and then directly to 142.
Since then I have had massive problems with DNS, like many others. I tried several recommended solutions, but nothing helped.
First: booting the APU32c takes a long time, unusually long, about 10 min.
Unbound is up and running:

]# unbound-control status
version: 1.9.6
verbosity: 1
threads: 1
modules: 2 [ validator iterator ]
uptime: 42322 seconds
options: reuseport control
unbound (pid 28341) is running…

(several restarts did not solve my problems)

Name resolution seems not to be working:

~]# /etc/init.d/unbound resolve de.wikipedia.com
;;
connection timed out;
no servers could be reached

Even when I try to reach e.g. de.wikipedia.org:

Other URLs are working fine, but even IPFIRE.ORG cannot be reached. Pakfire is also not working…

I use the Google DNS, which are officially recommended, but something seems to be broken:

Status for each DNS is “OK”, but the status in the header says “Broken”.

Oh, and the log is full of errors:
nfigured stub or forward servers failed, at zone .
Mar 24 08:03:52 knox unbound: [28341:0] info: validation failure <www.eff.org. A IN>: key for validation org. is marked as invalid
Mar 24 08:04:01 knox unbound: [28341:0] info: validation failure <ocsp.int-x3.letsencrypt.org. A IN>: key for validation org. is marked as invalid
Mar 24 08:04:06 knox unbound: [28341:0] error: SERVFAIL <org. DNSKEY IN>: all the configured stub or forward servers failed, at zone .
Mar 24 08:04:36 knox unbound: [28341:0] error: SERVFAIL <org. DNSKEY IN>: all the configured stub or forward servers failed, at zone .
Mar 24 08:04:36 knox unbound: [28341:0] info: validation failure <de.wikipedia.com. A IN>: No DNSKEY record for key org. while building chain of trust
Mar 24 08:05:01 knox unbound: [28341:0] info: validation failure <2.de.pool.ntp.org. A IN>: key for validation org. is marked as invalid
Mar 24 08:05:01 knox unbound: [28341:0] info: validation failure <2.de.pool.ntp.org. AAAA IN>: key for validation org. is marked as invalid
Mar 24 08:05:01 knox unbound: [28341:0] info: validation failure <3.de.pool.ntp.org. AAAA IN>: key for validation org. is marked as invalid
Mar 24 08:05:01 knox unbound: [28341:0] info: validation failure <3.de.pool.ntp.org. A IN>: key for validation org. is marked as invalid
Mar 24 08:05:06 knox unbound: [28341:0] error: SERVFAIL <org. DNSKEY IN>: all the configured stub or forward servers failed, at zone .
Mar 24 08:05:37 knox unbound: [28341:0] error: SERVFAIL <org. DNSKEY IN>: all the configured stub or forward servers failed, at zone .
Mar 24 08:06:05 knox unbound: [28341:0] error: SERVFAIL <ping.ipfire.org. A IN>: all the configured stub or forward servers failed, at zone .
Mar 24 08:06:07 knox unbound: [28341:0] error: SERVFAIL <org. DNSKEY IN>: all the configured stub or forward servers failed, at zone .
Mar 24 08:07:07 knox unbound: [28341:0] info: validation failure <de.wikipedia.org. A IN>: No DNSKEY record for key org. while building chain of trust
Mar 24 08:07:37 knox unbound: [28341:0] error: SERVFAIL <org. DNSKEY IN>: all the configured stub or forward servers failed, at zone .
Mar 24 08:08:07 knox unbound: [28341:0] error: SERVFAIL <org. DNSKEY IN>: all the configured stub or forward servers failed, at zone .

As I said, I tried many of the recommended solutions from this forum, but nothing helped.
I would be happy if someone could help me. If you need more information, just ask, I will try to provide it.

tyvm


It looks like you have something filtering DNS keys. I would suggest trying TLS or TCP.

Thank you for your fast reply.
What does “trying TLS or TCP” mean? Do I have to set it in IPFire? If yes, where do I have to set it?
Thank you very much,

Yes, look here


Hm, this is not “TLS or TCP”, there I set the ISP-assigned DNS. Or can I set TLS without checking the ISP DNS?

You can set the protocol for DNS, too.
Default is UDP.

Did you read what I posted? I guess not :frowning:

The following protocols can be selected:

UDP: Send the queries by using UDP (default)
TCP: Send queries by using TCP
TLS: Use Transport-Layer-Security to send encrypted queries

Means UDP or TCP or TLS. :wink:
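To make the three protocol choices above concrete, here is an added example (my own illustration, not IPFire or Unbound code) of what the setting changes on the wire. The DNS message is identical for all three: over UDP it is sent bare and a reply may come back with the TC (truncated) bit set, which obliges the client to repeat the query over TCP; over TCP every message is prefixed with a two-byte length; TLS carries that same TCP framing inside an encrypted stream and is not modelled here. The query builder adds the EDNS0 OPT record with the DO bit, which is what a validating resolver such as Unbound sends when it asks a forwarder for DNSKEY data. All replies in the example are constructed locally; nothing is sent on the network.

```python
import struct

# Toy DNS wire-format helpers (example code, not IPFire or Unbound code).
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}
QTYPES = {"A": 1, "AAAA": 28, "DNSKEY": 48}
FLAG_QR, FLAG_TC, FLAG_RD, FLAG_RA, FLAG_AD = 0x8000, 0x0200, 0x0100, 0x0080, 0x0020


def encode_name(name):
    """Encode a dotted name into DNS label format (root '.' -> single zero byte)."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(qname, qtype, txid=0x1234, dnssec_ok=True):
    """Recursive query; with dnssec_ok an EDNS0 OPT record with the DO bit is appended."""
    arcount = 1 if dnssec_ok else 0
    msg = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, arcount)
    msg += encode_name(qname) + struct.pack("!HH", QTYPES[qtype], 1)  # QCLASS IN
    if dnssec_ok:
        # OPT pseudo-RR: root name, TYPE 41, UDP payload size 4096, ext-rcode 0,
        # EDNS version 0, flags with DO (0x8000) set, RDLENGTH 0
        msg += b"\x00" + struct.pack("!HHBBHH", 41, 4096, 0, 0, 0x8000, 0)
    return msg


def build_reply(query, flags, qname, qtype):
    """Constructed reply: same transaction id and question, no answer section."""
    txid = struct.unpack("!H", query[:2])[0]
    hdr = struct.pack("!HHHHHH", txid, FLAG_QR | FLAG_RD | FLAG_RA | flags, 1, 0, 0, 0)
    return hdr + encode_name(qname) + struct.pack("!HH", QTYPES[qtype], 1)


def frame_tcp(msg):
    """DNS over TCP: every message is preceded by its length in network byte order."""
    return struct.pack("!H", len(msg)) + msg


def unframe_tcp(buf):
    """Take one complete message off a TCP byte stream; returns (message, rest)."""
    if len(buf) < 2:
        return None, buf
    (n,) = struct.unpack("!H", buf[:2])
    if len(buf) < 2 + n:
        return None, buf
    return buf[2:2 + n], buf[2 + n:]


def parse_header(msg):
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": txid,
        "qr": bool(flags & FLAG_QR),
        "tc": bool(flags & FLAG_TC),
        "ad": bool(flags & FLAG_AD),
        "rcode": RCODES.get(flags & 0x000F, str(flags & 0x000F)),
        "ancount": an,
    }


def next_step(query, reply):
    """What a client does with a reply it received over UDP."""
    h = parse_header(reply)
    if h["id"] != parse_header(query)["id"]:
        return "ignore: transaction id mismatch"
    if h["tc"]:
        return "retry over TCP: UDP answer truncated"
    if h["rcode"] == "SERVFAIL":
        return "SERVFAIL: resolver could not answer (upstream or validation failure)"
    if h["rcode"] == "NOERROR" and h["ad"]:
        return "ok: authenticated data"
    return "ok: " + h["rcode"]


if __name__ == "__main__":
    q = build_query("org.", "DNSKEY")
    for label, flags in (("truncated", FLAG_TC), ("servfail", 2), ("validated", FLAG_AD)):
        print(label, "->", next_step(q, build_reply(q, flags, "org.", "DNSKEY")))
    over_tcp = frame_tcp(q)
    msg, rest = unframe_tcp(over_tcp)
    print("tcp framing round-trips:", msg == q and rest == b"")
```

The point of the TC branch is the practical one behind the advice in this thread: DNSKEY answers with their signatures are larger than a plain A answer, and a path that silently drops or mangles large UDP replies or the TCP fallback will show up exactly as DNSKEY lookups failing while ordinary names still resolve. Forcing TCP (or TLS, which runs over TCP) avoids that path entirely.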

Sure, but I thought the UDP/TCP/TLS setting was only active if I check “Use ISP-Assigned DNS-Servers” and not when I have my custom DNS (Google or whatever).
I will try it, tyvm!

Ty guys, I switched to TLS and everything seems to be working now.
You saved my day :slight_smile:
TYVM!


One question after all:
I get a bunch of Unbound messages that (I think) are not harmful, but nasty. Do you know how I can get rid of them? It seems that only TLDs are affected:

unbound: [28341:0] error: SERVFAIL <at. DNSKEY IN>: request has exceeded the maximum dependency depth (eg. nameserver lookup recursion)
Mar 24 13:42:28 unbound: [28341:0] error: SERVFAIL <at. DNSKEY IN>: request has exceeded the maximum dependency depth (eg. nameserver lookup recursion)
Mar 24 13:42:33 unbound: [28341:0] error: SERVFAIL <com. DNSKEY IN>: request has exceeded the maximum dependency depth (eg. nameserver lookup recursion)
Mar 24 13:42:33 unbound: [28341:0] error: SERVFAIL <org. DNSKEY IN>: request has exceeded the maximum dependency depth (eg. nameserver lookup recursion)
Mar 24 13:42:48 unbound: [28341:0] error: SERVFAIL <de. DNSKEY IN>: request has exceeded the maximum dependency depth (eg. nameserver lookup recursion)
Mar 24 13:46:07 unbound: [28341:0] error: SERVFAIL <de. DNSKEY IN>: request has exceeded the maximum dependency depth (eg. nameserver lookup recursion)

Now when I set the “Protocol for DNS Querys” to TCP, I don’t get any errors and both statuses are “Working” and “OK”:
TY in advance

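The two log excerpts in this thread (the SERVFAIL/validation-failure lines in the first post and the dependency-depth lines in the question just above) are easier to read when grouped by cause. The following is an added example, not code from IPFire or Unbound: a small Python triage script that parses Unbound's syslog lines, classifies each failure reason, and pulls out the zone whose key is being refused. The sample lines embedded in it are constructed copies of the ones quoted here, the regular expressions assume Unbound's usual "<qname qtype qclass>: reason" message format, and the category names are mine.

```python
import re
from collections import Counter

# Constructed sample, modelled on the lines quoted in this thread (not a real capture).
SAMPLE_LOG = """\
Mar 24 08:03:52 knox unbound: [28341:0] info: validation failure <www.eff.org. A IN>: key for validation org. is marked as invalid
Mar 24 08:04:06 knox unbound: [28341:0] error: SERVFAIL <org. DNSKEY IN>: all the configured stub or forward servers failed, at zone .
Mar 24 08:04:36 knox unbound: [28341:0] info: validation failure <de.wikipedia.com. A IN>: No DNSKEY record for key org. while building chain of trust
Mar 24 08:06:05 knox unbound: [28341:0] error: SERVFAIL <ping.ipfire.org. A IN>: all the configured stub or forward servers failed, at zone .
Mar 24 13:42:28 unbound: [28341:0] error: SERVFAIL <at. DNSKEY IN>: request has exceeded the maximum dependency depth (eg. nameserver lookup recursion)
Mar 24 13:42:33 unbound: [28341:0] error: SERVFAIL <com. DNSKEY IN>: request has exceeded the maximum dependency depth (eg. nameserver lookup recursion)
"""

# Matches Unbound's "<qname qtype qclass>: reason" lines whether or not syslog added a hostname.
LINE_RE = re.compile(
    r"unbound: \[(?P<pid>\d+):(?P<thread>\d+)\] (?P<level>\w+): "
    r"(?P<kind>validation failure|SERVFAIL) "
    r"<(?P<qname>\S+) (?P<qtype>\S+) (?P<qclass>\S+)>: (?P<reason>.*)$"
)
# Zone whose key is the problem, as in "key for validation org. is marked as invalid"
# and "No DNSKEY record for key org. while building chain of trust".
KEY_ZONE_RE = re.compile(r"key (?:for validation )?(\S+) (?:is marked as invalid|while building)")

# Substring of the reason -> category label (labels are my own names, not Unbound's).
CATEGORIES = (
    ("all the configured stub or forward servers failed", "UPSTREAM_FAILED"),
    ("is marked as invalid", "KEY_INVALID"),
    ("No DNSKEY record for key", "CHAIN_INCOMPLETE"),
    ("maximum dependency depth", "DEPTH_EXCEEDED"),
)


def classify(reason):
    for needle, label in CATEGORIES:
        if needle in reason:
            return label
    return "OTHER"


def parse_line(line):
    """Return a dict for one Unbound failure line, or None for anything else."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["category"] = classify(rec["reason"])
    kz = KEY_ZONE_RE.search(rec["reason"])
    rec["key_zone"] = kz.group(1) if kz else None
    return rec


def triage(text):
    recs = [r for r in map(parse_line, text.splitlines()) if r]
    return {
        "parsed": len(recs),
        "categories": dict(Counter(r["category"] for r in recs)),
        # zones whose keys Unbound now treats as bad: every name below them fails validation
        "bad_key_zones": sorted({r["key_zone"] for r in recs if r["key_zone"]}),
        # DNSKEY lookups that never produced a usable answer
        "dnskey_servfail": sorted({r["qname"] for r in recs
                                   if r["kind"] == "SERVFAIL" and r["qtype"] == "DNSKEY"}),
        "depth_zones": sorted({r["qname"] for r in recs if r["category"] == "DEPTH_EXCEEDED"}),
    }


def hints(report):
    """Plain-language reading of the report for whoever is troubleshooting."""
    out = []
    if report["dnskey_servfail"]:
        out.append("DNSKEY lookups for %s get no usable answer from the forwarders; check "
                   "whether they are reachable and pass DNSSEC data (try TCP or TLS)."
                   % ", ".join(report["dnskey_servfail"]))
    if report["bad_key_zones"]:
        out.append("Unbound has marked the key(s) for %s as invalid, so names under those "
                   "zones fail until the bogus cache entries expire or are flushed "
                   "(unbound-control flush_bogus)." % ", ".join(report["bad_key_zones"]))
    if report["depth_zones"]:
        out.append("Dependency-depth errors for %s: resolving needed more nested lookups "
                   "(e.g. nameserver addresses) than Unbound allows; check whether the "
                   "forwarders answer those lookups." % ", ".join(report["depth_zones"]))
    return out


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    print(report["categories"])
    for h in hints(report):
        print("-", h)
```

Run it against a real file with something like `triage(open("/var/log/messages").read())`; the useful signal is the combination: `dnskey_servfail` naming a TLD together with that TLD in `bad_key_zones` means the forwarders never delivered the DNSKEY set, so the validator gave up on the whole zone, which matches the symptom in the first post (ordinary names fine, everything under `.org` broken).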

I’ve also been having issues, on and off, with 2 of my DNS servers. I was getting errors on the rDNS also. At another person’s suggestion, I added 2 additional DNS servers, which seemed to work more reliably. I am guessing that the heavier load on the Internet now, with close to 7 billion people all banging on it with little else to do these days, might have put load on the 2 original servers I had always used for years. But maybe it has to do with core 142; I don’t know. However, since adding the 2 additional DNS servers, I’ve not noticed any problems resolving addresses.

I will switch my IPfire to use TLS and let it soak for a few days. I will report back if any problems. Either way, thank you for this thread! It reminds me to check out more options in general.

Ty Harry, interesting point! I will try it myself and will use two additional national DNS servers.

Reverse DNS does not work for all servers, but this is no problem. Also the LWL server has no reverse DNS entry. Often the provider doesn’t support this.

I’ve been running 142 for the past 2 weeks now. Upgraded from 139. Experiencing the same problems. Cannot use TLS, it breaks pretty much immediately. UDP occasionally stops working for no reason, which has a knock-on effect on the servers behind it. Hence I have stopped using it. The only DNS that seems to keep working without issues is DNS over TCP.

If security and privacy are such a concern, which TLS does not really provide, then maybe have the option to make IPFire its own DNS server and access the root services directly. Just an idea.

I’ve been using “recursor mode” with TLS for several days, without the need to restart unbound. That’s an improvement over the previous weeks with core 142.

Because most installations don’t have issues with DNS (IMHO), it would help a lot if we could get more information about the failing scenarios.

Let me know what you want me to do on this side and I will post it. I don’t really see any info in the logs saying or indicating what goes on strike.
On a side note, the DNS script I created to generate a blockporn.conf file breaks unbound. I have removed it and will have a look at that. It seems something in unbound changed from 139 to 142 causing this. Or maybe the script was borked before, and unbound was more forgiving and worked with what I was aiming to do.

And now I will be really off topic… bear with me. I came across how to integrate DNSCrypt into unbound on FreeBSD. Is this something that can be modded to make it work on IPFire, or am I entering a world of hurt? https://forums.freebsd.org/threads/dnscrypt-proxy2-and-local-unbound-error-on-startup.72013/


Hi all,

After the update from 146 to 147 I had the problem that the DNS service was shown as “Broken” although the DNS servers were marked as OK, and the internet did not work anymore.

I solved the problem very easily: I just pulled the power plug on the APU2 on which IPFire is running. After the cold start everything ran as before.
A reboot of IPFire did not solve the problem. Only the cold start solved it.

Maybe this helps one or the other =)

bye