DNS broken after update to 141/142

Hey Guys,

a few days ago i updated from 139 to 141 and then directly to 142.
From there i got massiv Problems with DNS, like many others. I tried several recommended soulutions, but nothings helped.
First: Booting the APU32c takes a long Time, unusually long, about 10min.
Unbound is up and running:

]# unbound-control status
version: 1.9.6
verbosity: 1
threads: 1
modules: 2 [ validator iterator ]
uptime: 42322 seconds
options: reuseport control
unbound (pid 28341) is running…

(serveral restarts did not solve my problems)

Name Resolution seems not to be working:

~]# /etc/init.d/unbound resolve de.wikipedia.com
;;
connection timed out;
no servers could be reached

Even when i try to reach e.g. de.wikipedia.org:
image

other URL’s are working fine, bit even IPFIRE.ORG cannor be reached. Pakfire is also not working…

i use the Google DNS, which are officially recommended, but somthing seems to be broken:


Status for each DNS is “OK”, but the Status in the Header says “Broken”)

Oh, and the Log is full of Errors:
nfigured stub or forward servers failed, at zone .

Mar 24 08:03:52 knox unbound: [28341:0] info: validation failure <www.eff.org. A IN>: key for validation org. is marked as invalid

Mar 24 08:04:01 knox unbound: [28341:0] info: validation failure <ocsp.int-x3.letsencrypt.org. A IN>: key for validation org. is marked as invalid

Mar 24 08:04:06 knox unbound: [28341:0] error: SERVFAIL <org. DNSKEY IN>: all the configured stub or forward servers failed, at zone .

Mar 24 08:04:36 knox unbound: [28341:0] error: SERVFAIL <org. DNSKEY IN>: all the configured stub or forward servers failed, at zone .

Mar 24 08:04:36 knox unbound: [28341:0] info: validation failure <de.wikipedia.com. A IN>: No DNSKEY record for key org. while building chain of trust

Mar 24 08:05:01 knox unbound: [28341:0] info: validation failure <2.de.pool.ntp.org. A IN>: key for validation org. is marked as invalid

Mar 24 08:05:01 knox unbound: [28341:0] info: validation failure <2.de.pool.ntp.org. AAAA IN>: key for validation org. is marked as invalid

Mar 24 08:05:01 knox unbound: [28341:0] info: validation failure <3.de.pool.ntp.org. AAAA IN>: key for validation org. is marked as invalid

Mar 24 08:05:01 knox unbound: [28341:0] info: validation failure <3.de.pool.ntp.org. A IN>: key for validation org. is marked as invalid

Mar 24 08:05:06 knox unbound: [28341:0] error: SERVFAIL <org. DNSKEY IN>: all the configured stub or forward servers failed, at zone .

Mar 24 08:05:37 knox unbound: [28341:0] error: SERVFAIL <org. DNSKEY IN>: all the configured stub or forward servers failed, at zone .

Mar 24 08:06:05 knox unbound: [28341:0] error: SERVFAIL <ping.ipfire.org. A IN>: all the configured stub or forward servers failed, at zone .

Mar 24 08:06:07 knox unbound: [28341:0] error: SERVFAIL <org. DNSKEY IN>: all the configured stub or forward servers failed, at zone .

Mar 24 08:07:07 knox unbound: [28341:0] info: validation failure <de.wikipedia.org. A IN>: No DNSKEY record for key org. while building chain of trust

Mar 24 08:07:37 knox unbound: [28341:0] error: SERVFAIL <org. DNSKEY IN>: all the configured stub or forward servers failed, at zone .

Mar 24 08:08:07 knox unbound: [28341:0] error: SERVFAIL <org. DNSKEY IN>: all the configured stub or forward servers failed, at zone .

As i said, i tried many of the recommended solutions of this Forum, but nothing helped.
Would be happy if someone would help me. If you need more Information, just call, i try to bring it.

tyvm

1 Like

It looks like you have something filtering DNS keys. I would suggest trying TLS or TCP.

Thank you for your fast reply.
What does it mean “Trying TLS or TCP”, do i have to set it in IPFire? If yes, where do i have to set it?
Thank you very much,

Yes,Look here

1 Like

Hm, this is not “TLS or TCP” there i set the ISP assigned DNS. Or can i set TLS this without checking the ISP-DNS?

You can set the protocol for DNS, too.
Default is UDP.

Do you read what i posted? I guess no :frowning:

The following protocols can be selected:

UDP: Send the queries by using UDP (default)
TCP: Send queries by using TCP
TLS: Use Transport-Layer-Security to send encrypted queries

Means UDP or TCP or TLS. :wink:

sure, but i thought the UDP/TCP/TLS-Setting were only active if i check “Use ISP-Assigned DNS-Servers” and not, when i have my custom DNS (Google or whatever)-
I will try it, tyvm!

Ty Guys, i switched to TLS and everything seems working now.
You saved my day :slight_smile:
TYVM!

1 Like

One question after all:
I got a bunch of Unbound-Messages that (i think) are not harmul, but nasty. Do you know how i can get rid of? Seems that only TLD’s are effected:

unbound: [28341:0] error: SERVFAIL <at. DNSKEY IN>: request has exceeded the maximum dependency depth (eg. nameserver lookup recursion)
Mar 24 13:42:28 unbound: [28341:0] error: SERVFAIL <at. DNSKEY IN>: request has exceeded the maximum dependency depth (eg. nameserver lookup recursion)
Mar 24 13:42:33 unbound: [28341:0] error: SERVFAIL <com. DNSKEY IN>: request has exceeded the maximum dependency depth (eg. nameserver lookup recursion)
Mar 24 13:42:33 unbound: [28341:0] error: SERVFAIL <org. DNSKEY IN>: request has exceeded the maximum dependency depth (eg. nameserver lookup recursion)
Mar 24 13:42:48 unbound: [28341:0] error: SERVFAIL <de. DNSKEY IN>: request has exceeded the maximum dependency depth (eg. nameserver lookup recursion)
Mar 24 13:46:07 unbound: [28341:0] error: SERVFAIL <de. DNSKEY IN>: request has exceeded the maximum dependency depth (eg. nameserver lookup recursion)

Now when i set the “Protocol for DNS Querys” to TCP, i don’t get any errors and both Status are “Working” and “OK”:


TY in advance

1 Like

I’ve also been having issues, on and off, with 2 of my DNS servers. I was getting errors on the rDNS also. At another person’s suggestion, I added 2 additional DNS servers, which seemed to work more reliably. I am guessing that the heavier load on the Internet now, with close to 7 billion people all banging on it with little else to do these days, might have put load on the 2 original servers I had always used for years. But maybe it has to do with core 142; I don’t know. However, since adding the 2 additional DNS servers, I’ve not noticed any problems resolving addresses.

I will switch my IPfire to use TLS and let it soak for a few days. I will report back if any problems. Either way, thank you for this thread! It reminds me to check out more options in general.

Ty Harry, interesting point! I will try it myself and’ll use two additional national DNS.

Reverse DNS not work for all servers but this is no problem. Also the LWL server has no reverse DNS entry. Often the the provider doesn’t support this.

I’ve been running 142 for the past 2 weeks now. Upgraded from 139. Experiencing the same problems. Cannot use TLS, it breaks pretty much immediately. UDP occasionally stops working for no reason, which has a knock on effect to the servers behind it. Hence I have stopped using it. The only DNS that seems to keep working without issues is DNS over TCP.

If security and privacy is such a concern, which TLS does not really provide, then maybe have the option to make ipFire its own DNS server, and access the root services directly. Just an idea.

I’ve been using “recursor mode” with TLS for several days, without the need to restart unbound. That’s an improvement over previous weeks with core 142

Because most installation don’t have issues with DNS ( IMHO ), it would help much if we could get more informations about the failing scenarios.

Let me know what you want me to do this side and post. I don’t really see any info in the logs saying or indicating what goes on strike.
On a side note, the DNS script I created to generate a blockporn.conf file breaks unbound. Have removed it will have a look at that. Seems something in unbound from 139-142 changed causing this. Or maybe the script was borked before, unbound was more forgiving and worked with what I was aiming to do.

And now i will be really off topic… bare with me. I came across how to integrate DNScrypt into unbound on FreeBSD. Is this something that can be moded to make it work on ipFire, or am I entering a world of hurt? https://forums.freebsd.org/threads/dnscrypt-proxy2-and-local-unbound-error-on-startup.72013/

Hi all,

after the update from 146 to 147 I had the problem that the DNS service was shown as “Broken” although the DNS servers were marked as OK and the internet did not work anymore.

I solved the problem very easily. The APU2 on which the IPfire is running just pulled the power plug. After the cold start everything ran again as before.
A reboot of the IPFire did not solve the problem. Only the cold start solved the problem.

Maybe this helps the one or the other =)

bye