DNS broken after update to 141/142

Yes, look here


Hm, this is not “TLS or TCP”; there I set the ISP-assigned DNS. Or can I set TLS without checking the ISP-DNS?

You can set the protocol for DNS, too.
Default is UDP.

Do you read what I posted? I guess not :frowning:

The following protocols can be selected:

UDP: Send the queries by using UDP (default)
TCP: Send queries by using TCP
TLS: Use Transport-Layer-Security to send encrypted queries

Means UDP or TCP or TLS. :wink:

Sure, but I thought the UDP/TCP/TLS setting was only active if I checked “Use ISP-Assigned DNS-Servers” and not when I have my custom DNS (Google or whatever).
I will try it, tyvm!

Ty guys, I switched to TLS and everything seems to be working now.
You saved my day :slight_smile:
TYVM!


One question after all:
I got a bunch of Unbound messages that (I think) are not harmful, but nasty. Do you know how I can get rid of them? It seems that only TLDs are affected:

unbound: [28341:0] error: SERVFAIL <at. DNSKEY IN>: request has exceeded the maximum dependency depth (eg. nameserver lookup recursion)
Mar 24 13:42:28 unbound: [28341:0] error: SERVFAIL <at. DNSKEY IN>: request has exceeded the maximum dependency depth (eg. nameserver lookup recursion)
Mar 24 13:42:33 unbound: [28341:0] error: SERVFAIL <com. DNSKEY IN>: request has exceeded the maximum dependency depth (eg. nameserver lookup recursion)
Mar 24 13:42:33 unbound: [28341:0] error: SERVFAIL <org. DNSKEY IN>: request has exceeded the maximum dependency depth (eg. nameserver lookup recursion)
Mar 24 13:42:48 unbound: [28341:0] error: SERVFAIL <de. DNSKEY IN>: request has exceeded the maximum dependency depth (eg. nameserver lookup recursion)
Mar 24 13:46:07 unbound: [28341:0] error: SERVFAIL <de. DNSKEY IN>: request has exceeded the maximum dependency depth (eg. nameserver lookup recursion)

Now when I set the “Protocol for DNS Querys” to TCP, I don’t get any errors and both statuses are “Working” and “OK”:


TY in advance


I’ve also been having issues, on and off, with 2 of my DNS servers. I was getting errors on the rDNS also. At another person’s suggestion, I added 2 additional DNS servers, which seemed to work more reliably. I am guessing that the heavier load on the Internet now, with close to 7 billion people all banging on it with little else to do these days, might have put load on the 2 original servers I had always used for years. But maybe it has to do with core 142; I don’t know. However, since adding the 2 additional DNS servers, I’ve not noticed any problems resolving addresses.

I will switch my IPfire to use TLS and let it soak for a few days. I will report back if any problems. Either way, thank you for this thread! It reminds me to check out more options in general.

Ty Harry, interesting point! I will try it myself and will use two additional national DNS.

Reverse DNS does not work for all servers, but this is no problem. Also, the LWL server has no reverse DNS entry. Often the provider doesn’t support this.

I’ve been running 142 for the past 2 weeks now. Upgraded from 139. Experiencing the same problems. Cannot use TLS, it breaks pretty much immediately. UDP occasionally stops working for no reason, which has a knock-on effect on the servers behind it. Hence I have stopped using it. The only DNS that seems to keep working without issues is DNS over TCP.

If security and privacy are such a concern, which TLS does not really provide, then maybe have the option to make ipFire its own DNS server and access the root services directly. Just an idea.

I’ve been using “recursor mode” with TLS for several days without needing to restart unbound. That’s an improvement over previous weeks with core 142.

Because most installations don’t have issues with DNS (IMHO), it would help a lot if we could get more information about the failing scenarios.

Let me know what you want me to do on this side and post. I don’t really see any info in the logs saying or indicating what goes on strike.
On a side note, the DNS script I created to generate a blockporn.conf file breaks unbound. I have removed it and will have a look at that. It seems something in unbound changed from 139 to 142 that causes this. Or maybe the script was borked before, and unbound was more forgiving and worked with what I was aiming to do.

And now I will be really off topic… bear with me. I came across how to integrate DNScrypt into unbound on FreeBSD. Is this something that can be modded to make it work on ipFire, or am I entering a world of hurt? https://forums.freebsd.org/threads/dnscrypt-proxy2-and-local-unbound-error-on-startup.72013/


Hi all,

after the update from 146 to 147 I had the problem that the DNS service was shown as “Broken” although the DNS servers were marked as OK and the internet did not work anymore.

I solved the problem very easily: I just pulled the power plug on the APU2 on which the IPFire is running. After the cold start everything ran again as before.
A reboot of the IPFire did not solve the problem. Only the cold start solved it.

Maybe this helps the one or the other =)

bye

It looks like unbound is still having issues.
Unknown how to fix permanently.
TCP is being used, status is WORKING, for the time being.
TLS goes to BROKEN status.

When you look in the log for unbound, this stuff is filling the log.

08:39:58 unbound: [1773:0] error: SERVFAIL <www.google.com. A IN>: all the configured stub or forward servers failed, at zone .
08:39:58 unbound: [1773:0] error: SERVFAIL <googleads.g.doubleclick.net. A IN>: all the configured stub or forward servers failed, at zone .
08:39:58 unbound: [1773:0] error: SERVFAIL <r5---sn-qxoedn7k.googlevideo.com. A IN>: all the configured stub or forward servers failed, at zone .
08:39:58 unbound: [1773:0] error: SERVFAIL <r5---sn-qxo7rn7e.googlevideo.com. A IN>: all the configured stub or forward servers failed, at zone .
08:39:58 unbound: [1773:0] error: SERVFAIL <play.google.com. A IN>: all the configured stub or forward servers failed, at zone .
08:39:57 unbound: [1773:0] error: SERVFAIL <www.youtube.com. A IN>: all the configured stub or forward servers failed, at zone .
08:39:46 unbound: [1773:0] error: SERVFAIL <r4---sn-qxo7rn7l.googlevideo.com. A IN>: all the configured stub or forward servers failed, at zone .
08:39:46 unbound: [1773:0] error: SERVFAIL <i.ytimg.com. A IN>: all the configured stub or forward servers failed, at zone .
08:39:46 unbound: [1773:0] error: SERVFAIL <yt3.ggpht.com. A IN>: all the configured stub or forward servers failed, at zone .
08:39:38 unbound: [1773:0] error: SERVFAIL <youtubei.googleapis.com. A IN>: all the configured stub or forward servers failed, at zone .
08:39:38 unbound: [1773:0] error: SERVFAIL <mqtt-mini.facebook.com. A IN>: all the configured stub or forward servers failed, at zone .
08:39:38 unbound: [1773:0] error: SERVFAIL <ssl.gstatic.com. A IN>: all the configured stub or forward servers failed, at zone .
08:39:31 unbound: [1773:0] error: SERVFAIL <s.yimg.com. A IN>: all the configured stub or forward servers failed, at zone .
08:39:20 unbound: [1773:0] error: SERVFAIL <m.dlx.addthis.com. A IN>: all the configured stub or forward servers failed, at zone .
08:39:20 unbound: [1773:0] error: SERVFAIL <tps11041.doubleverify.com. A IN>: all the configured stub or forward servers failed, at zone .

Then later in the morning I found this also:

09:57:33 unbound: [1773:0] info: generate keytag query _ta-4a5c-4f66. NULL IN
09:57:33 unbound: [1773:0] info: start of service (unbound 1.11.0).
09:57:33 unbound: [1773:0] notice: init module 1: iterator
09:57:33 unbound: [1773:0] notice: init module 0: validator
09:57:33 unbound: [1773:0] notice: Restart of unbound 1.11.0.
09:57:33 unbound: [1773:0] info: 0.000000 0.000001 60
09:57:33 unbound: [1773:0] info: lower(secs) upper(secs) recursions
09:57:33 unbound: [1773:0] info: [25%]=2.5e-07 median[50%]=5e-07 [75%]=7.5e-07
09:57:33 unbound: [1773:0] info: histogram of recursion processing times
09:57:33 unbound: [1773:0] info: average recursion processing time 0.000000 sec
09:57:33 unbound: [1773:0] info: server stats for thread 0: requestlist max 0 avg 0 exceeded 0 jostled 0
09:57:33 unbound: [1773:0] info: server stats for thread 0: 299 queries, 239 answers from cache, 60 recursions, 0 prefetch, 0 rejected by ip ratelimiting
09:57:33 unbound: [1773:0] info: service stopped (unbound 1.11.0).
09:57:32 unbound: [1773:0] error: SERVFAIL <safebrowsing.googleapis.com. A IN>: all the configured stub or forward servers failed, at zone .

This is a recurring problem for me. This has been happening for multiple updates. Other than sites not connecting, DNS status broken or error, logs with the above SERVFAIL, what other indications are there to check?

What is the solution, so these errors can stop and IPFIRE as a whole just works?

Everybody seems to be hitting and missing on procedures to follow for detection and resolution.
I can live with the reboots, but …
Right now it is failing the wife test.
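As an added example (not from this thread or the IPFire project), here is a small script that parses the kinds of unbound log lines quoted above, in this post and in the earlier DNSKEY post, and groups the SERVFAILs by cause, so you can tell at a glance whether the configured forwarders stopped answering or whether DNSSEC key lookups for TLDs failed, and how often unbound restarted. The sample lines are constructed after the ones quoted in the thread, and the `hints()` text is my reading of the thread, not unbound's own diagnostics.

```python
import re
from collections import Counter

# Constructed sample lines, modelled on the unbound messages quoted in this thread.
SAMPLE_LOG = """\
Mar 24 13:42:28 unbound: [28341:0] error: SERVFAIL <at. DNSKEY IN>: request has exceeded the maximum dependency depth (eg. nameserver lookup recursion)
Mar 24 13:42:33 unbound: [28341:0] error: SERVFAIL <com. DNSKEY IN>: request has exceeded the maximum dependency depth (eg. nameserver lookup recursion)
08:39:58 unbound: [1773:0] error: SERVFAIL <www.google.com. A IN>: all the configured stub or forward servers failed, at zone .
08:39:58 unbound: [1773:0] error: SERVFAIL <play.google.com. A IN>: all the configured stub or forward servers failed, at zone .
09:57:33 unbound: [1773:0] notice: Restart of unbound 1.11.0.
"""

# A SERVFAIL line carries "<qname qtype qclass>: reason"; a restart shows up as a notice.
SERVFAIL_RE = re.compile(r"unbound: \[\d+:\d+\] error: SERVFAIL <(?P<qname>\S+) (?P<qtype>\S+) (?P<qclass>\S+)>: (?P<reason>.*)$")
RESTART_RE = re.compile(r"unbound: \[\d+:\d+\] notice: Restart of unbound")

def classify_reason(reason):
    # Bucket the free-text reason into the two causes that appear in this thread.
    if "stub or forward servers failed" in reason:
        return "upstream-unreachable"   # the configured forwarders gave no answer
    if "maximum dependency depth" in reason:
        return "dependency-depth"       # the lookup chain (here DNSKEY for TLDs) never completed
    return "other"

def summarize(log_text):
    """Count SERVFAILs by cause and query type, collect the names involved, count restarts."""
    by_class, by_qtype, names, restarts = Counter(), Counter(), {}, 0
    for line in log_text.splitlines():
        m = SERVFAIL_RE.search(line)
        if m:
            cls = classify_reason(m["reason"])
            by_class[cls] += 1
            by_qtype[m["qtype"]] += 1
            names.setdefault(cls, set()).add(m["qname"])
        elif RESTART_RE.search(line):
            restarts += 1
    return {"by_class": dict(by_class), "by_qtype": dict(by_qtype),
            "names": {k: sorted(v) for k, v in names.items()}, "restarts": restarts}

def hints(summary):
    """Map the counts to the checks this thread suggests (my interpretation, not unbound's own advice)."""
    out = []
    if summary["by_class"].get("upstream-unreachable"):
        out.append("forwarders gave no answer: verify the configured DNS servers are reachable over the selected protocol (UDP/TCP/TLS)")
    if summary["by_class"].get("dependency-depth") and summary["by_qtype"].get("DNSKEY"):
        out.append("DNSKEY lookups for TLDs failed, so DNSSEC validation had no keys; this thread reports these stopped after switching the query protocol to TCP")
    if summary["restarts"]:
        out.append(f"unbound restarted {summary['restarts']} time(s): correlate the restart times with the SERVFAIL bursts")
    return out
```

Feed it the real file with `summarize(open("/var/log/messages").read())` (path assumed; use whatever file your unbound logs to) and print `hints()` to see which of the two failure patterns dominates.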

4 posts were split to a new topic: Integrate DNScrypt into unbound on ipfire