DNS defective & ipfire website also not accessible

Hello all,

I have problems with the DNS.

In the DNS settings in IPFire, previously only the IP “46.182.19.48” of “Digitalcourage e.V.” was stored. In the middle of the day I could no longer open websites and suspected the DNS. In the web console the status under “Domain Name System” was now “broken”, with the message “Reverse Lookup failed”.

Because of previous problems I had added more DNS servers as a test and deactivated the old entry. Now web access and DNS resolution worked. But reaching the ipfire community or logging in still failed, and I had to create this post over my company's network.

Here are some pictures.

This DNS server configuration apparently works, but I still cannot log in to the forum.
https://people.ipfire.org/sso/discourse

Which public DNS do you use, and what could be the cause of the error appearing spontaneously?

Ps.: My ISP is Pyur (Tele Columbus)

Here is my DNS page

Everything IPFire wise is accessible for me.

Could your ISP be having a problem?

What does your log say if you grep for unbound?

less /var/log/messages | grep unbound
1 Like

Today DNS is again displayed as defective although it was ok yesterday.

Jun 16 23:16:14 router unbound: [2714:0] error: SERVFAIL <pakfire.ipfire.org. A IN>: all the configured stub or forward servers failed, at zone .
Jun 16 23:16:29 router unbound: [2714:0] error: SERVFAIL <mirror1.ipfire.org. A IN>: all the configured stub or forward servers failed, at zone .
Jun 16 23:36:22 router unbound: [2714:0] info: generate keytag query _ta-4a5c-4f66. NULL IN
Jun 16 23:54:07 router unbound: [2714:0] info: generate keytag query _ta-4a5c-4f66. NULL IN
Jun 17 00:39:41 router unbound: [2714:0] info: generate keytag query _ta-4a5c-4f66. NULL IN
Jun 17 01:10:00 router unbound: [2714:0] info: generate keytag query _ta-4a5c-4f66. NULL IN
Jun 17 01:41:22 router unbound: [2714:0] info: generate keytag query _ta-4a5c-4f66. NULL IN
Jun 17 04:53:59 router unbound: [2714:0] error: SERVFAIL <fireinfo.ipfire.org. AAAA IN>: all the configured stub or forward servers failed, at zone .
Jun 17 04:53:59 router unbound: [2714:0] error: SERVFAIL <fireinfo.ipfire.org. A IN>: all the configured stub or forward servers failed, at zone .
Jun 17 07:18:41 router unbound: [2714:0] info: validation failure <config.nos-avg.cz. TXT IN>: No DNSKEY record for key nos-avg.cz. while building chain of trust
Jun 17 07:18:41 router unbound: [2714:0] info: validation failure <_nos._tcp.nos-avg.cz. SRV IN>: No DNSKEY record for key nos-avg.cz. while building chain of trust
Jun 17 07:18:41 router unbound: [2714:0] info: validation failure <_nos._tcp.nos-avg.cz. TXT IN>: No DNSKEY record for key nos-avg.cz. while building chain of trust
Jun 17 07:19:35 router unbound: [2714:0] info: validation failure <_nos._tcp.nos-avg.cz. SRV IN>: key for validation nos-avg.cz. is marked as invalid
Jun 17 07:19:35 router unbound: [2714:0] info: validation failure <_nos._tcp.nos-avg.cz. TXT IN>: key for validation nos-avg.cz. is marked as invalid
Jun 17 07:23:27 router unbound: [2714:0] info: validation failure <_nos._tcp.nos-avg.cz. TXT IN>: No DNSKEY record for key nos-avg.cz. while building chain of trust
Jun 17 07:23:27 router unbound: [2714:0] info: validation failure <_nos._tcp.nos-avg.cz. SRV IN>: No DNSKEY record for key nos-avg.cz. while building chain of trust
Jun 17 07:24:21 router unbound: [2714:0] info: validation failure <_nos._tcp.nos-avg.cz. SRV IN>: key for validation nos-avg.cz. is marked as invalid
Jun 17 07:24:21 router unbound: [2714:0] info: validation failure <_nos._tcp.nos-avg.cz. TXT IN>: key for validation nos-avg.cz. is marked as invalid
Jun 17 07:28:16 router unbound: [2714:0] info: validation failure <_nos._tcp.nos-avg.cz. TXT IN>: No DNSKEY record for key nos-avg.cz. while building chain of trust
Jun 17 07:28:16 router unbound: [2714:0] info: validation failure <_nos._tcp.nos-avg.cz. SRV IN>: No DNSKEY record for key nos-avg.cz. while building chain of trust
Jun 17 07:29:10 router unbound: [2714:0] info: validation failure <_nos._tcp.nos-avg.cz. SRV IN>: key for validation nos-avg.cz. is marked as invalid
Jun 17 07:29:10 router unbound: [2714:0] info: validation failure <_nos._tcp.nos-avg.cz. TXT IN>: key for validation nos-avg.cz. is marked as invalid
Jun 17 07:33:05 router unbound: [2714:0] info: validation failure <_nos._tcp.nos-avg.cz. TXT IN>: No DNSKEY record for key nos-avg.cz. while building chain of trust
Jun 17 07:33:05 router unbound: [2714:0] info: validation failure <_nos._tcp.nos-avg.cz. SRV IN>: No DNSKEY record for key nos-avg.cz. while building chain of trust
Jun 17 07:34:00 router unbound: [2714:0] info: validation failure <_nos._tcp.nos-avg.cz. SRV IN>: key for validation nos-avg.cz. is marked as invalid
Jun 17 07:34:00 router unbound: [2714:0] info: validation failure <_nos._tcp.nos-avg.cz. TXT IN>: key for validation nos-avg.cz. is marked as invalid
Jun 17 07:37:55 router unbound: [2714:0] info: validation failure <_nos._tcp.nos-avg.cz. TXT IN>: No DNSKEY record for key nos-avg.cz. while building chain of trust
Jun 17 07:37:55 router unbound: [2714:0] info: validation failure <_nos._tcp.nos-avg.cz. SRV IN>: No DNSKEY record for key nos-avg.cz. while building chain of trust
Jun 17 07:38:49 router unbound: [2714:0] info: validation failure <_nos._tcp.nos-avg.cz. SRV IN>: key for validation nos-avg.cz. is marked as invalid

I am not very knowledgeable on this at all, just trying stuff that I have used in the past after seeing it being used by others on this forum.

The “validation failure” message seems to be related to having problems confirming the DNSSEC status.
The “SERVFAIL” message is where it is having trouble getting a DNS response back when trying to connect to pakfire.ipfire.org so there appears to be a problem accessing the cloudflare DNS servers.

Try the following kdig command to see what comes back from Cloudflare. Hopefully it is correct, as I normally use it for DNS over TLS server connections, so I have modified it to use UDP (the default) as that is what your connection is set up for.

kdig cloudflare-dns.com @1.1.1.1 +dnssec +bufsize=1232 -d

This should tell us how far the DNS connection is getting. This needs to be run while you still get the overall defective status shown on your DNS WUI page.

1 Like
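As an added example (my own, not posted by anyone in this thread) of the triage described above, the script below separates the two kinds of unbound messages in the log: SERVFAIL answers "at zone ." mean every configured forwarder failed to respond, while "validation failure" messages mean unbound could not build a DNSSEC chain of trust for one specific zone. The sample lines are constructed after the ones posted above; the function names are my own.

```shell
#!/bin/sh
# Added example, not from the thread: triage unbound messages from an IPFire
# /var/log/messages. SAMPLE_LOG holds constructed lines modelled on the post above.
# On a real router, fill it instead with:  grep unbound /var/log/messages > "$SAMPLE_LOG"

SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
Jun 16 23:16:14 router unbound: [2714:0] error: SERVFAIL <pakfire.ipfire.org. A IN>: all the configured stub or forward servers failed, at zone .
Jun 16 23:16:29 router unbound: [2714:0] error: SERVFAIL <mirror1.ipfire.org. A IN>: all the configured stub or forward servers failed, at zone .
Jun 16 23:36:22 router unbound: [2714:0] info: generate keytag query _ta-4a5c-4f66. NULL IN
Jun 17 04:53:59 router unbound: [2714:0] error: SERVFAIL <fireinfo.ipfire.org. AAAA IN>: all the configured stub or forward servers failed, at zone .
Jun 17 04:53:59 router unbound: [2714:0] error: SERVFAIL <fireinfo.ipfire.org. A IN>: all the configured stub or forward servers failed, at zone .
Jun 17 07:18:41 router unbound: [2714:0] info: validation failure <config.nos-avg.cz. TXT IN>: No DNSKEY record for key nos-avg.cz. while building chain of trust
Jun 17 07:19:35 router unbound: [2714:0] info: validation failure <_nos._tcp.nos-avg.cz. SRV IN>: key for validation nos-avg.cz. is marked as invalid
EOF

# How many SERVFAIL answers unbound had to hand out (forwarders unreachable or failing).
count_servfail() {
    grep -c 'error: SERVFAIL' "$1" || true
}

# Distinct query names that received SERVFAIL, sorted.
servfail_names() {
    sed -n 's/.*error: SERVFAIL <\([^ ]*\) .*/\1/p' "$1" | sort -u
}

# How many DNSSEC validation failures were logged. These are per zone: the signed
# zone's keys or signatures did not check out, regardless of forwarder reachability.
count_validation_failures() {
    grep -c 'info: validation failure' "$1" || true
}

# Key names unbound could not build a chain of trust for, covering both message forms.
dnssec_failed_keys() {
    sed -n -e 's/.*No DNSKEY record for key \([^ ]*\) .*/\1/p' \
           -e 's/.*key for validation \([^ ]*\) .*/\1/p' "$1" | sort -u
}

# Short report: upstream trouble versus per-zone DNSSEC trouble.
unbound_triage() {
    echo "SERVFAIL answers:        $(count_servfail "$1")"
    echo "  affected names:        $(servfail_names "$1" | tr '\n' ' ')"
    echo "DNSSEC validation fails: $(count_validation_failures "$1")"
    echo "  keys without trust:    $(dnssec_failed_keys "$1" | tr '\n' ' ')"
}

unbound_triage "$SAMPLE_LOG"
```

If the report shows SERVFAIL for names like pakfire.ipfire.org but validation failures only for unrelated zones, the forwarders are the thing to test next; validation failures on their own point at the remote zone (or at a forwarder that tampers with DNSSEC records), not at your connectivity.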
[root@router ~]# kdig cloudflare-dns.com @1.1.1.1 +dnssec +bufsize=1232 -d
;; DEBUG: Querying for owner(cloudflare-dns.com.), class(1), type(1), server(1.1.1.1), port(53), protocol(UDP)
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 35088
;; Flags: qr rd ra ad; QUERY: 1; ANSWER: 3; AUTHORITY: 0; ADDITIONAL: 1

;; EDNS PSEUDOSECTION:
;; Version: 0; flags: do; UDP size: 1232 B; ext-rcode: NOERROR

;; QUESTION SECTION:
;; cloudflare-dns.com.          IN      A

;; ANSWER SECTION:
cloudflare-dns.com.     14      IN      RRSIG   A 13 2 300 20210618120709 20210616100709 34505 cloudflare-dns.com. UOEPlvtWUwqRaFgJig8dpdvySOJHn94Lhq5tNr+NB+ykE4ADJMJePC44zCbxOUsgI2A7R42Bww9Z5IjSRAdUrg==
cloudflare-dns.com.     14      IN      A       104.16.248.249
cloudflare-dns.com.     14      IN      A       104.16.249.249

;; Received 193 B
;; Time 2021-06-17 13:12:04 CEST
;; From 1.1.1.1@53(UDP) in 13.6 ms

I have now switched back to the DNS servers from the ISP and it looks like this.

If I use my own DNS and activate TLS, this is what I get.

If I use my own DNS and activate TCP, this is what I get.
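To make explicit what the kdig output above does and does not prove, here is an added example (mine, not from anyone in this thread) that reads a saved kdig answer and reports what it says about DNSSEC. KDIG_OK is the answer from 1.1.1.1 posted above; KDIG_BAD is a constructed header for the case where a validating forwarder refuses to answer. The function names are my own.

```shell
#!/bin/sh
# Added example, not from the thread: interpret a saved kdig answer.
# Save a real one with:  kdig cloudflare-dns.com @1.1.1.1 +dnssec +bufsize=1232 > answer.txt

KDIG_OK=$(mktemp); KDIG_BAD=$(mktemp)
trap 'rm -f "$KDIG_OK" "$KDIG_BAD"' EXIT
# The answer posted above (copied from the thread).
cat > "$KDIG_OK" <<'EOF'
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 35088
;; Flags: qr rd ra ad; QUERY: 1; ANSWER: 3; AUTHORITY: 0; ADDITIONAL: 1

;; EDNS PSEUDOSECTION:
;; Version: 0; flags: do; UDP size: 1232 B; ext-rcode: NOERROR

;; QUESTION SECTION:
;; cloudflare-dns.com.          IN      A

;; ANSWER SECTION:
cloudflare-dns.com.     14      IN      RRSIG   A 13 2 300 20210618120709 20210616100709 34505 cloudflare-dns.com. UOEPlvtWUwqRaFgJig8dpdvySOJHn94Lhq5tNr+NB+ykE4ADJMJePC44zCbxOUsgI2A7R42Bww9Z5IjSRAdUrg==
cloudflare-dns.com.     14      IN      A       104.16.248.249
cloudflare-dns.com.     14      IN      A       104.16.249.249
EOF
# Constructed: what a validating forwarder returns when signatures do not check out.
cat > "$KDIG_BAD" <<'EOF'
;; ->>HEADER<<- opcode: QUERY; status: SERVFAIL; id: 1234
;; Flags: qr rd ra; QUERY: 1; ANSWER: 0; AUTHORITY: 0; ADDITIONAL: 1
EOF

# RCODE from the header line, e.g. NOERROR or SERVFAIL.
kdig_status() { sed -n 's/.*status: \([A-Z]*\);.*/\1/p' "$1"; }

# True if the named header flag is set; "ad" means the server validated the answer itself.
kdig_has_flag() {
    flags=$(sed -n 's/^;; Flags: \([^;]*\);.*/\1/p' "$1")
    case " $flags " in *" $2 "*) return 0;; esac
    return 1
}

# Number of RRSIG records in the answer: a signed zone ships signatures when DO is set.
kdig_rrsig_count() { grep -c '[[:space:]]IN[[:space:]]*RRSIG[[:space:]]' "$1" || true; }

# One word summarising the answer.
kdig_verdict() {
    status=$(kdig_status "$1")
    if [ "$status" != NOERROR ]; then echo "$status"; return 0; fi
    if kdig_has_flag "$1" ad; then echo validated
    elif [ "$(kdig_rrsig_count "$1")" -gt 0 ]; then echo signed-not-validated
    else echo unsigned; fi
}

echo "1.1.1.1 answer: $(kdig_verdict "$KDIG_OK")"
echo "failing case:   $(kdig_verdict "$KDIG_BAD")"
```

"validated" here means the forwarder (1.1.1.1) reached the zone, got the RRSIG and checked the chain of trust on its side; unbound on IPFire will still validate independently, which is why the log can show validation failures for other zones while this test passes. When the forwarder is configured with TLS, the equivalent kdig needs `+tls-ca +tls-hostname=<forwarder hostname>` so that the certificate is checked against the same name IPFire expects in its TLS hostname field.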

Well, the kdig shows no errors at all from the Cloudflare DNS server.

I don’t understand that if you are getting those SERVFAIL and validation failure messages in your logs.

I am not sure where to go from here.

Your use of Digitalcourage with TCP seems to be working.
Let us know if it stays like that or not.

I don’t believe that this has anything to do with your problem but Digitalcourage on their website

https://digitalcourage.de/support/zensurfreier-dns-server

recommend moving from dns2.digitalcourage.de to dns3.digitalcourage.de which has a different IP.
The IPFire wiki dns server list has been updated for this.

Although they will probably eventually shut this server down as they did for dns.digitalcourage.de it is still working at the moment so this is more just for information.

With the dns3.digitalcourage.de the error comes again.

With this, the DNS works for me again, and it now actually uses the DNS servers from my ISP, even if I do not find that good. I can now also access the ipfire forum from home again, which did not work reliably with the previous DNS servers.

Well :crossed_fingers: that it stays working for you.

I don’t really understand what is happening but if it works then you are in operation and getting input from more experienced members is not so urgent. Hopefully other people can recognise what the underlying root cause is.

Just to eliminate complexity: have you tried DNS without both of the safe surfing features?

Here are my variants

With TLS

With TCP and Safe Search

If you put your mouse cursor over the ‘Error’, what error messages do you see?

1 Like

No TLS hostname given

With TLS → DNSSEC Validating

In case of TLS you must specify the TLS host name.
See

1 Like

Hello Bernhardt,

your hint was the right one because I had forgotten to store the TLS hostname.
Embarrassing :roll_eyes:



@all → Thanks for your help

2 Likes