DNS Problems since upgrade to Core Update to 164

Since I upgraded to 164, my clients, which use ipfire as their dns, fail to get an ip address for several sites (including ipfire.org). I tracked it down to a problem with the DNS in ipfire. When switching to the Domain Name System page on the GUI, it normaly shows “working”, but when i hit “Check DNS Servers”, it takes a long time and afterwars the page shows “Broken”. Hovering the mouse cursor over the “error” message in the status column, the popup shows several messages like this:

truncated reply from n.n.n.n@53(UDP), retrying over TCP; connection timeout for n.n.n.n@53/TCP)…

where n.n.n.n stands for any DNS I try. These are my ISPs, but 1.1.1.1 or 8.8.8.8 are no better. Obviously, DNS is not completely broken, but does not get all input, hence the effect that some adress resolution works, but others not. I changed my pc to use the ISP’s DNS directly. This way I could write this message, but I lost my local name resolution this way and all my portable devices still have a problem. What can I do?

Greetings Andreas

Hi,

your description sounds like this thread, except that it is more detailed - tank you for this. :slight_smile:

Please answer these questions to give us an idea what the problem is:

  • What does your IPFire setup look like?
  • How is your IPFire connected to the internet (DSL/DHCP/…)?
  • Does this problem appear again after a reboot?
  • If so, what is the output of iptables -L -n -v on your IPFire machine?
  • Are there any errors or warnings being logged during boot or while executing the commands you mentioned above?
  • What does your firewall ruleset look like (screenshot)?

Also, please post the output of grep unbound /var/log/messages here, since these log messages are related to the DNS resolver we use in IPFire.

Thanks, and best regards,
Peter Müller

2 Likes

My ipfire setup is like this:

  • red us attached to a cable modem connected by ethernet to my cable provider, which is part of the swiss quickline the modem is configured in bridge mode and provides a static ip-adress to ipfire by dhcp
  • blue is the internal wifi adapter of the firewall
  • orange is a configured ethernet segment, but there are currently no hosts on this segment
  • green is an ethernet segment, connected to a switch that provides the internal connections

I rebooted everything completely (power off) including switches, but the problem remain
I’ll post output of iptables -L -n -v after completing this post, same with the screenshots and the exerpt from messages (don’t want to loose this text by screwing something up - don’t know this editor well)
I don’t see any warning when executing commands either with the web interface and/or ssh. I executed dmeg on ssh and do not see something disturbing me, but anywey: here is it’s output:

[ 70.486725] ath: EEPROM regdomain: 0x82f4
[ 70.486745] ath: EEPROM indicates we should expect a country code
[ 70.486750] ath: doing EEPROM country->regdmn map search
[ 70.486754] ath: country maps to regdmn code: 0x37
[ 70.486758] ath: Country alpha2 being used: CH
[ 70.486762] ath: Regpair used: 0x37
[ 70.486766] ath: regdomain 0x82f4 dynamically updated by user
[ 71.034102] RTL8211DN Gigabit Ethernet r8169-0-100:00: attached PHY driver (mii_bus:phy_addr=r8169-0-100:00, irq=MAC)
[ 71.304915] r8169 0000:01:00.0 green0: Link is Down
[ 71.526576] RTL8211DN Gigabit Ethernet r8169-0-300:00: attached PHY driver (mii_bus:phy_addr=r8169-0-300:00, irq=MAC)
[ 71.797787] r8169 0000:03:00.0 orange0: Link is Down
[ 71.999234] RTL8211DN Gigabit Ethernet r8169-0-200:00: attached PHY driver (mii_bus:phy_addr=r8169-0-200:00, irq=MAC)
[ 72.270600] r8169 0000:02:00.0 red0: Link is Down
[ 72.407454] 8021q: 802.1Q VLAN Support v1.8
[ 75.110495] r8169 0000:02:00.0 red0: Link is Up - 1Gbps/Full - flow control off
[ 82.854308] r8169 0000:01:00.0 green0: Link is Up - 100Mbps/Full - flow control off
[ 2547.976967] DROP_CTINVALID IN=blue0 OUT=red0 MAC=04:f0:21:1b:b5:9c:74:eb:80:ad:ec:4c:08:00 SRC=192.168.5.12 DST=151.101.37.108 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=30602 DF PROTO=TCP SPT=59181 DPT=443 WINDOW=399 RES=0x00 ACK RST URGP=0
[ 2547.977111] DROP_CTINVALID IN=blue0 OUT=red0 MAC=04:f0:21:1b:b5:9c:74:eb:80:ad:ec:4c:08:00 SRC=192.168.5.12 DST=23.211.5.164 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=11894 DF PROTO=TCP SPT=36837 DPT=443 WINDOW=427 RES=0x00 ACK RST URGP=0
[ 2547.978912] DROP_CTINVALID IN=blue0 OUT=red0 MAC=04:f0:21:1b:b5:9c:74:eb:80:ad:ec:4c:08:00 SRC=192.168.5.12 DST=147.75.83.64 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=20803 DF PROTO=TCP SPT=39708 DPT=443 WINDOW=399 RES=0x00 ACK RST URGP=0
[ 2547.979023] DROP_CTINVALID IN=blue0 OUT=red0 MAC=04:f0:21:1b:b5:9c:74:eb:80:ad:ec:4c:08:00 SRC=192.168.5.12 DST=23.211.5.60 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=65448 DF PROTO=TCP SPT=34430 DPT=443 WINDOW=897 RES=0x00 ACK RST URGP=0
[ 2547.979087] DROP_CTINVALID IN=blue0 OUT=red0 MAC=04:f0:21:1b:b5:9c:74:eb:80:ad:ec:4c:08:00 SRC=192.168.5.12 DST=23.211.5.60 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=24149 DF PROTO=TCP SPT=34429 DPT=443 WINDOW=1779 RES=0x00 ACK RST URGP=0
[ 2758.211209] DROP_TCP Scan IN=red0 OUT= MAC=00:0d:b9:3f:f6:69:00:01:5c:80:0a:46:08:00 SRC=181.226.115.97 DST=82.136.105.63 LEN=60 TOS=0x08 PREC=0x20 TTL=47 ID=7657 PROTO=TCP SPT=53001 DPT=19782 WINDOW=0 RES=0x00 URG ACK PSH RST SYN FIN URGP=54048
[ 3223.851410] DROP_CTINVALID IN=blue0 OUT=red0 MAC=04:f0:21:1b:b5:9c:74:eb:80:ad:ec:4c:08:00 SRC=192.168.5.12 DST=104.21.36.253 LEN=40 TOS=0x00 PREC=0x00 TTL=63 ID=54708 DF PROTO=TCP SPT=39717 DPT=443 WINDOW=377 RES=0x00 ACK RST URGP=0
[ 3223.851524] DROP_CTINVALID IN=blue0 OUT=red0 MAC=04:f0:21:1b:b5:9c:74:eb:80:ad:ec:4c:08:00 SRC=192.168.5.12 DST=188.114.97.22 LEN=40 TOS=0x00 PREC=0x00 TTL=63 ID=4978 DF PROTO=TCP SPT=45563 DPT=443 WINDOW=377 RES=0x00 ACK RST URGP=0
[ 3504.918334] DROP_CTINVALID IN=green0 OUT=red0 MAC=00:0d:b9:3f:f6:68:00:1d:09:84:b8:2f:08:00 SRC=192.168.2.21 DST=112.85.42.128 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=45148 DF PROTO=TCP SPT=22 DPT=30153 WINDOW=114 RES=0x00 ACK FIN URGP=0

So this is it for now. I’ll come back with the outupt requested asap
Andreas

Here are the requested files like this:

  • iptables.txt: Output of iptables -L -n -v
  • messages.txt: Output of grep unbound /var/log/messages
  • png-files: Screenshot of firewall rules and the block which is mentioned as first entry

Andreas
requestedfiles.zip (201.3 KB)

Additional Info: “No errors” is not 100% true. On the Domain Name System tab, ipfire says “Reverse lookup failed” for any DNS server mentioned there.

I upgraded to 164 without problems. Everything was working fine.

Then I turned on Drop packets from and to hostile networks. DNS stopped working. I got timeouts on my two ISP servers, 1.1.1.1 and 8.8.8.8.

I turned hostile networks back off. Still no DNS.

I restored a backup from last November and all is well.

Same issue with my IPFire installation. Just updated to 164 and all DNS traffic stopped working after I switched on the new function. Even deactivating and restoring the backup before the update did not help. Currently the clients can use DNS by modifying the DHCP server’s DNS option to use the ISP DNS servers.

But all the internal DNS clients are not reachable now. Is there maybe any quick workaround on the command line available to make DNS usable again?

I finally got it working again, same error as described here: Enabling Talos IPS rules cause trouble after upgrading to Core Update 164 - #27 by cbrown

Just switching to snort ruleset and rebooting the box solved the issue.

2 Likes

Geoblockiing and/or Intrusion Prevention definitely has something to do with the DNS Problem. I had both enabled when doing the upgarde to 164. Now I disabled both and rebooted - And DNS works again. Of course I’d like to have both GB and IPS back. So if I can help to investigate things further please let me know.
Andreas

Hi @andhotz

Can you confirm that you are using the Talos VRT rulesets in your IPS setup. If you remove those rulesets and use the Emerging Threats ruleset and turn on IPS does your DNS then work.

I am running CU164 with IPS using Emerging Threats and Abuse.ch rulesets and my DNS is working fine (TLS based).
It could be that the IPS problem with the Talos VRT rulesets mentioned in an earlier post could be causing an interference with the DNS.

1 Like

I confirm that my system uses the Talos VRT rules for registered users. Will try your suggestion asap

1 Like

Talos VRT ruleset seems to be the problem with 164 on my system. I re-endabled IPS with abuse.ch like suggested, and DNS kept on going. Then I turned on Geoblockin again, and DNS still seems to work - At least “check dns servers” immediately returns with a green OK. I’ll let it run now for a while and have an eye on it.
@pmueller: This is an update: After 16h and a reboot, all is still going well, and there is another thing: ipfire reacts much more snapier again since I removed Talos ruleset. I did not recognise this immediadely, but with 164 and Talos ruleset, not only DNS experienced problems with truncated replies from upstream DNS servers, but the whole system reaction was slugish. This is gone now.

4 Likes

Hi all,

although I am sorry Core Update 164 caused such trouble, I am glad this thread boils down to the known issue with Talos IPS rules, and we are not dealing with another bug. :slight_smile:

Therefore, I am closing this as a duplicate thread. Please post additional things related to this issue here, so we can keep track of this bug in one place.

Thanks for your understanding, and best regards,
Peter Müller

1 Like