Hi all,
I just finished looking through related topics on the same issue, but I’m still stuck with this DNS issue.
I have IPFire 2.25 (armv5tel) - Core Update 143, but on the previous Core Update 142 it doesn’t work either.
I configured my red0 with DHCP and I should retrieve the DNS settings from my external router (so the option “Use ISP-assigned DNS servers” is checked).
I also checked my outbound-control output but it seems OK:
And if I capture on the red0 interface with tcpdump, I can see traffic in both directions.
So it is not a matter of reachability, if forced DNS is reachable, but I don’t understand why it is not being set correctly on IPFire.
I also did another test, due to the fact that pakfire is not able to update because of a DNS error: if I insert a DNS server in /etc/resolv.conf, I’m able to perform the update.
Hi teejay, I tested with other DNS servers, but as you can see in the output, if I set the same DNS statically in the /etc/resolv.conf file I’m able to run updates. With nslookup I’m also able to talk to the DNS. It should not be an issue with my ISP.
Could you provide contents of lines in /var/log/messages beginning with unbound here?
We changed the Unbound configuration a while ago so it logs the exact case why a SERVFAIL
occurred. Perhaps this is helpful to know in order to say what is going wrong.
I assume your router is not in bridge mode and is natting, right? I strongly suspect your router as culprit when even 8.8.8.8 google DNS doesn’t work with DNSSEC.
this indeed looks like somebody is tampering with DNS queries - in the past, some
members of the (in German) popular FritzBox product family simply dropped UDP queries
to the root zone. :-/
Using DNS over TLS should solve this problem. Further information is available at:
I also have the DNS panel in the “Broken” state.
All DNS servers, including Google and Cloudflare, are in Error with “Reverse lookup failed” indicated.
In this condition the whole network is stopped and I am forced to activate all the PCs on the router.
If we connect directly to the router, with the cable or with the Wi-Fi, we navigate without problems, so it is not a line problem.
My router is a Teltonika RUT950 and uses a Vodafone SIM for 4G connection and we have been using it for over a year.
Its internal IP address is 192.168.43.1 and Red’s address is obviously 192.168.43.2 with the gateway on 192.168.43.1.
Keep in mind that IPFire has been active for months; for some time now I have detected occasional blocks on certain websites, but usually these blocks last a few seconds. It is annoying because in some cases unsaved work is lost.
However, I had never made it to the full block for a whole day.
I tried to change the DNS and obviously to start IPfire again, several times.
This is the screenshot
@pmueller @whitetiger and teejay, in my case enabling TLS is solving the issue. I will also check tomorrow that nothing has changed and I will let you know. Thanks a lot for the moment.
@whitetiger: Please be more precise than just writing:
However, I had never made it to the full block for a whole day.
I assume your IPFire machine fails to resolve any given FQDN and returns SERVFAIL
instead. The question is: Why?
Could you provide contents of lines in /var/log/messages beginning with unbound here?
We changed the Unbound configuration a while ago so it logs the exact case why a SERVFAIL
occurred. Perhaps this is helpful to know in order to say what is going wrong.
This is the log in the Log/SystemLog with filter “DNS Unbound”
Just after IPFire restarted
|18:01:48|unbound: [1893:0]|info: service stopped (unbound 1.10.0).|
|---|---|---|
|18:01:48|unbound: [1893:0]|info: server stats for thread 0: 666 queries, 1 answers from cache, 665 recursi ons, 0 prefetch, 0 rejected by ip ratelimiting|
|18:01:48|unbound: [1893:0]|info: server stats for thread 0: requestlist max 64 avg 37.8376 exceeded 0 jost led 0|
|18:01:48|unbound: [1893:0]|info: average recursion processing time 122.464313 sec|
|18:01:48|unbound: [1893:0]|info: histogram of recursion processing times|
|18:01:48|unbound: [1893:0]|info: [25%]=68.2251 median[50%]=114.286 [75%]=182.941|
|18:01:48|unbound: [1893:0]|info: lower(secs) upper(secs) recursions|
|18:01:48|unbound: [1893:0]|info: 0.262144 0.524288 2|
|18:01:48|unbound: [1893:0]|info: 0.524288 1.000000 6|
|18:01:48|unbound: [1893:0]|info: 2.000000 4.000000 4|
|18:01:48|unbound: [1893:0]|info: 4.000000 8.000000 11|
|18:01:48|unbound: [1893:0]|info: 8.000000 16.000000 28|
|18:01:48|unbound: [1893:0]|info: 16.000000 32.000000 41|
|18:01:48|unbound: [1893:0]|info: 32.000000 64.000000 59|
|18:01:48|unbound: [1893:0]|info: 64.000000 128.000000 231|
|18:01:48|unbound: [1893:0]|info: 128.000000 256.000000 272|
|18:01:48|unbound: [1893:0]|info: 256.000000 512.000000 11|
|18:06:38|unbound: [1893:0]|notice: init module 0: validator|
|18:06:38|unbound: [1893:0]|notice: init module 1: iterator|
|18:06:38|unbound: [1893:0]|info: start of service (unbound 1.10.0).|
|18:06:38|unbound: [1893:0]|error: SERVFAIL <. DNSKEY IN>: failed to get a delegation (eg. prime failure)|
|18:06:50|unbound: [1893:0]|info: service stopped (unbound 1.10.0).|
|18:06:50|unbound: [1893:0]|info: server stats for thread 0: 0 queries, 0 answers from cache, 0 recursions, 0 prefetch, 0 rejected by ip ratelimiting|
|18:06:50|unbound: [1893:0]|info: server stats for thread 0: requestlist max 0 avg 0 exceeded 0 jostled 0|
|18:06:50|unbound: [1893:0]|notice: Restart of unbound 1.10.0.|
|18:06:50|unbound: [1893:0]|notice: init module 0: validator|
|18:06:50|unbound: [1893:0]|notice: init module 1: iterator|
|18:06:50|unbound: [1893:0]|info: start of service (unbound 1.10.0).|
|18:07:41|unbound: [1893:0]|error: SERVFAIL <fireinfo.ipfire.org. A IN>: failed to get a delegation (eg. pr ime failure)|
|18:07:41|unbound: [1893:0]|error: SERVFAIL <fireinfo.ipfire.org. AAAA IN>: failed to get a delegation (eg. prime failure)|
|18:07:41|unbound: [1893:0]|error: SERVFAIL <. DNSKEY IN>: failed to get a delegation (eg. prime failure)|
|18:07:41|unbound: [1893:0]|error: SERVFAIL <ping.ipfire.org. A IN>: failed to get a delegation (eg. prime failure)|
|18:10:47|unbound: [1893:0]|error: SERVFAIL <mirror7.ipfire.org.localdomain. A IN>: failed to get a delegat ion (eg. prime failure)|
|18:10:47|unbound: [1893:0]|error: SERVFAIL <pakfire.ipfire.org. A IN>: failed to get a delegation (eg. pri me failure)|
|18:10:47|unbound: [1893:0]|error: SERVFAIL <pakfire.ipfire.org.localdomain. A IN>: failed to get a delegat ion (eg. prime failure)|
|18:10:47|unbound: [1893:0]|error: SERVFAIL <database.clamav.net. A IN>: failed to get a delegation (eg. pr ime failure)|
|18:10:47|unbound: [1893:0]|error: SERVFAIL <database.clamav.net.localdomain. A IN>: failed to get a delega tion (eg. prime failure)|
|18:10:47|unbound: [1893:0]|error: SERVFAIL <fireinfo.ipfire.org.localdomain. A IN>: failed to get a delega tion (eg. prime failure)|
|18:10:47|unbound: [1893:0]|error: SERVFAIL <current.cvd.clamav.net. TXT IN>: failed to get a delegation (e g. prime failure)|
|18:10:47|unbound: [1893:0]|error: SERVFAIL <0.ipfire.pool.ntp.org. AAAA IN>: failed to get a delegation (e g. prime failure)|
|18:10:47|unbound: [1893:0]|error: SERVFAIL <0.ipfire.pool.ntp.org.localdomain. AAAA IN>: failed to get a d elegation (eg. prime failure)|
|18:10:47|unbound: [1893:0]|error: SERVFAIL <1.ipfire.pool.ntp.org.localdomain. A IN>: failed to get a dele gation (eg. prime failure)|
|18:10:47|unbound: [1893:0]|error: SERVFAIL <ftp.cc.uoc.gr. A IN>: failed to get a delegation (eg. prime fa ilure)|
|18:10:47|unbound: [1893:0]|error: SERVFAIL <ftp.cc.uoc.gr.localdomain. A IN>: failed to get a delegation ( eg. prime failure)|
|18:10:47|unbound: [1893:0]|error: SERVFAIL <mirror7.ipfire.org. A IN>: failed to get a delegation (eg. pri me failure)|
|18:10:47|unbound: [1893:0]|error: SERVFAIL <1.ipfire.pool.ntp.org. AAAA IN>: failed to get a delegation (e g. prime failure)|
|18:10:47|unbound: [1893:0]|error: SERVFAIL <1.ipfire.pool.ntp.org.localdomain. AAAA IN>: failed to get a d elegation (eg. prime failure)|
|18:10:47|unbound: [1893:0]|error: SERVFAIL <0.ipfire.pool.ntp.org.localdomain. A IN>: failed to get a dele gation (eg. prime failure)|
|18:10:47|unbound: [1893:0]|error: SERVFAIL <1.ipfire.pool.ntp.org. A IN>: failed to get a delegation (eg. prime failure)|
|18:10:47|unbound: [1893:0]|error: SERVFAIL <fireinfo.ipfire.org.localdomain. AAAA IN>: failed to get a del egation (eg. prime failure)|
|18:10:47|unbound: [1893:0]|error: SERVFAIL <0.ipfire.pool.ntp.org. A IN>: failed to get a delegation (eg. prime failure)|
|18:22:31|unbound: [1893:0]|error: SERVFAIL <mtalk.google.com. A IN>: failed to get a delegation (eg. prime failure)|
|18:22:31|unbound: [1893:0]|error: SERVFAIL <time-h.netgear.com. A IN>: failed to get a delegation (eg. pri me failure)|
|18:22:31|unbound: [1893:0]|error: SERVFAIL <activity.windows.com. A IN>: failed to get a delegation (eg. p rime failure)|
|18:22:31|unbound: [1893:0]|error: SERVFAIL <clients4.google.com. A IN>: failed to get a delegation (eg. pr ime failure)|
|18:22:31|unbound: [1893:0]|error: SERVFAIL <ecoemeqy.localdomain. A IN>: failed to get a delegation (eg. p rime failure)|
|18:22:31|unbound: [1893:0]|error: SERVFAIL <miasaaey.localdomain. A IN>: failed to get a delegation (eg. p rime failure)|
|18:22:31|unbound: [1893:0]|error: SERVFAIL <community.ipfire.org. A IN>: failed to get a delegation (eg. p rime failure)|
|18:22:31|unbound: [1893:0]|error: SERVFAIL <licensing.mp.microsoft.com. A IN>: failed to get a delegation (eg. prime failure)|
|18:22:31|unbound: [1893:0]|error: SERVFAIL <lsxsuqbbh.localdomain. A IN>: failed to get a delegation (eg. prime failure)|
|18:22:31|unbound: [1893:0]|error: SERVFAIL <pwdfonirut.localdomain. A IN>: failed to get a delegation (eg. prime failure)|
|18:22:31|unbound: [1893:0]|error: SERVFAIL <yirksczqrn.localdomain. A IN>: failed to get a delegation (eg. prime failure)|
|18:22:31|unbound: [1893:0]|error: SERVFAIL <localdomain. A IN>: failed to get a delegation (eg. prime fail ure)|
|18:22:31|unbound: [1893:0]|error: SERVFAIL <localdomain.localdomain. A IN>: failed to get a delegation (eg . prime failure)|
|18:22:31|unbound: [1893:0]|error: SERVFAIL <ncwufzsbdap.localdomain. A IN>: failed to get a delegation (eg . prime failure)|
|18:22:31|unbound: [1893:0]|error: SERVFAIL <lqzfjaykzfovz.localdomain. A IN>: failed to get a delegation ( eg. prime failure)|
|18:22:31|unbound: [1893:0]|error: SERVFAIL <vjyemotlwrxqw.localdomain. A IN>: failed to get a delegation ( eg. prime failure)|
|18:22:31|unbound: [1893:0]|error: SERVFAIL <besnqobuiaigve.localdomain. A IN>: failed to get a delegation (eg. prime failure)|
|18:22:31|unbound: [1893:0]|error: SERVFAIL <igjdgwgfncbcof.localdomain. A IN>: failed to get a delegation (eg. prime failure)|
|18:22:31|unbound: [1893:0]|error: SERVFAIL <mnylyejuejspcv.localdomain. A IN>: failed to get a delegation (eg. prime failure)|
|18:22:31|unbound: [1893:0]|error: SERVFAIL <lp-push-server-136.lastpass.com. A IN>: failed to get a delega tion (eg. prime failure)|
|18:22:31|unbound: [1893:0]|error: SERVFAIL <0.ipfire.pool.ntp.org. AAAA IN>: failed to get a delegation (e g. prime failure)|
|18:22:31|unbound: [1893:0]|error: SERVFAIL <0.ipfire.pool.ntp.org.localdomain. AAAA IN>: failed to get a d elegation (eg. prime failure)|
|18:22:31|unbound: [1893:0]|error: SERVFAIL <1.ipfire.pool.ntp.org. AAAA IN>: failed to get a delegation (e g. prime failure)|
|18:22:31|unbound: [1893:0]|error: SERVFAIL <1.ipfire.pool.ntp.org.localdomain. A IN>: failed to get a dele gation (eg. prime failure)|
|18:22:31|unbound: [1893:0]|error: SERVFAIL <dns.msftncsi.com. A IN>: failed to get a delegation (eg. prime failure)|
|18:22:31|unbound: [1893:0]|error: SERVFAIL <www.google.com. A IN>: failed to get a delegation (eg. prime f ailure)|
|18:22:31|unbound: [1893:0]|error: SERVFAIL <wpad.localdomain. A IN>: failed to get a delegation (eg. prime failure)|
|18:22:31|unbound: [1893:0]|error: SERVFAIL <1.ipfire.pool.ntp.org.localdomain. AAAA IN>: failed to get a d elegation (eg. prime failure)|
|18:22:31|unbound: [1893:0]|error: SERVFAIL <_ldap._tcp.dc._msdcs.lan.localdomain. SRV IN>: failed to get a delegation (eg. prime failure)|
|18:22:31|unbound: [1893:0]|error: SERVFAIL <0.ipfire.pool.ntp.org.localdomain. A IN>: failed to get a dele gation (eg. prime failure)|
|18:22:31|unbound: [1893:0]|error: SERVFAIL <1.ipfire.pool.ntp.org. A IN>: failed to get a delegation (eg. prime failure)|
|18:22:31|unbound: [1893:0]|error: SERVFAIL <localdomain.localdomain. SRV IN>: failed to get a delegation ( eg. prime failure)|
|18:22:31|unbound: [1893:0]|error: SERVFAIL <0.ipfire.pool.ntp.org. A IN>: failed to get a delegation (eg. prime failure)|
|18:25:01|unbound: [1893:0]|error: SERVFAIL <wpad.localdomain. A IN>: failed to get a delegation (eg. prime failure)|
|18:25:01|unbound: [1893:0]|error: SERVFAIL <mtalk.google.com. A IN>: failed to get a delegation (eg. prime failure)|
|18:25:01|unbound: [1893:0]|error: SERVFAIL <google.com. A IN>: failed to get a delegation (eg. prime failu re)|
|18:25:01|unbound: [1893:0]|error: SERVFAIL <ipfire.org. A IN>: failed to get a delegation (eg. prime failu re)|
|18:25:01|unbound: [1893:0]|error: SERVFAIL <rgdnkox.localdomain. A IN>: failed to get a delegation (eg. pr ime failure)|
|18:25:01|unbound: [1893:0]|error: SERVFAIL <clients4.google.com. A IN>: failed to get a delegation (eg. pr ime failure)|
|18:25:01|unbound: [1893:0]|error: SERVFAIL <community.ipfire.org. A IN>: failed to get a delegation (eg. p rime failure)|
|18:25:01|unbound: [1893:0]|error: SERVFAIL <aerjyfficu.localdomain. A IN>: failed to get a delegation (eg. prime failure)|
|18:25:01|unbound: [1893:0]|error: SERVFAIL <localdomain. A IN>: failed to get a delegation (eg. prime fail ure)|
|18:25:01|unbound: [1893:0]|error: SERVFAIL <localdomain.localdomain. A IN>: failed to get a delegation (eg . prime failure)|
|18:25:01|unbound: [1893:0]|error: SERVFAIL <lmbwiuonawio.localdomain. A IN>: failed to get a delegation (e g. prime failure)|
|18:25:01|unbound: [1893:0]|error: SERVFAIL <lp-push-server-136.lastpass.com. A IN>: failed to get a delega tion (eg. prime failure)|
|18:25:01|unbound: [1893:0]|error: SERVFAIL <dns.msftncsi.com. A IN>: failed to get a delegation (eg. prime failure)|
|18:25:01|unbound: [1893:0]|error: SERVFAIL <www.google.com. A IN>: failed to get a delegation (eg. prime f ailure)|
|18:25:01|unbound: [1893:0]|error: SERVFAIL <0.ipfire.pool.ntp.org. AAAA IN>: failed to get a delegation (e g. prime failure)|
|18:25:01|unbound: [1893:0]|error: SERVFAIL <0.ipfire.pool.ntp.org. A IN>: failed to get a delegation (eg. prime failure)|
Below are the screenshots.
This installation of IPFire has never seen many changes.
There is ClamAV, IDS, Guardian.
In recent days, a VPN and a DDNS with DuckDNS have been activated, but they have never been tested because in the meantime we are no longer able to go to the Internet if not by connecting directly to the router’s Wi-Fi.
For some time I was struggling to visit some sites; I had also opened a post about it.
For three days now the block has been total, and I don’t remember making any other changes than activating or deactivating IDS.
Peter, I have to apologize even if it’s not my responsibility.
The only check I haven’t done is to call my ISP.
My router is under their management and in the past few days I had called them to have port 1194 activated for OpenVPN.
By mistake, they activated the port, but blocked all the ethernet sockets.
I asked to reopen them and now it works.
I’m sorry, but I really never would have imagined this. There is the LED on, but without traffic. I blamed the Firewall and instead it was the router.
I take this opportunity to suggest inserting a page in the GUI with tools to check connectivity because it is not always possible to do tests via the console.
It would be convenient to do ping, tracert and also check what the external IP is and if the DDNS is running.
well, I am glad this is not an IPFire-related problem. Actually, because of such
scenarios, I try to avoid ISP-managed services/devices whenever possible.
The suggestion of a GUI for ping, traceroute, dig, etc. came up a while ago.
Although it does not sound like being very hard to implement, it simply has not
been done.
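
Added example, not part of the thread or of IPFire's code: a small triage of the unbound SERVFAIL lines requested above, which reports whether every name (including the root `. DNSKEY` priming query) fails with the same reason, as in the log posted here, or whether only some domains fail. The function `triage`, its verdict labels and the sample lines are assumptions made for illustration; the sample is constructed on the model of the posted output.

```python
import re
from collections import Counter

# Matches /var/log/messages lines and the "|time|unbound: [pid:thread]|error: ...|"
# rows as pasted in the thread.
SERVFAIL_RE = re.compile(
    r"unbound: \[\d+:\d+\]\W+error: SERVFAIL <(\S+) (\S+) (\S+)>: (.*?)\|?\s*$")

# Constructed sample input modelled on the thread (date and host name are made up).
SAMPLE = [
    "Apr 12 18:06:38 ipfire unbound: [1893:0] notice: init module 0: validator",
    "Apr 12 18:06:38 ipfire unbound: [1893:0] error: SERVFAIL <. DNSKEY IN>: "
    "failed to get a delegation (eg. prime failure)",
    "|18:07:41|unbound: [1893:0]|error: SERVFAIL <ping.ipfire.org. A IN>: "
    "failed to get a delegation (eg. pr ime failure)|",
    "|18:10:47|unbound: [1893:0]|error: SERVFAIL <pakfire.ipfire.org.localdomain. A IN>: "
    "failed to get a delegat ion (eg. prime failure)|",
    "|18:22:31|unbound: [1893:0]|error: SERVFAIL <www.google.com. A IN>: "
    "failed to get a delegation (eg. prime f ailure)|",
]

def triage(lines, search_domain="localdomain"):
    """Summarise unbound SERVFAIL lines (hypothetical helper and verdict labels)."""
    names, reasons = set(), Counter()
    root_key_failed, suffix_retries = False, 0
    for line in lines:
        m = SERVFAIL_RE.search(line)
        if not m:
            continue
        name, rtype, _rclass, reason = m.groups()
        # Pasted rows carry stray spaces inside words ("pr ime failure"),
        # so reasons are compared with all whitespace removed.
        reasons[re.sub(r"\s+", "", reason)] += 1
        names.add(name)
        root_key_failed |= (name == "." and rtype == "DNSKEY")
        # Names retried with the search domain appended add noise, not new evidence.
        suffix_retries += name.endswith("." + search_domain + ".")
    if not reasons:
        verdict = "no-servfail"
    elif root_key_failed and len(reasons) == 1:
        verdict = "resolver-wide"   # nothing resolves: look at the path beyond red0
    else:
        verdict = "per-domain"      # only some names fail: look at those zones
    return {"servfails": sum(reasons.values()), "names": len(names),
            "reasons": dict(reasons), "root_key_failed": root_key_failed,
            "search_suffix_retries": suffix_retries, "verdict": verdict}

if __name__ == "__main__":
    print(triage(SAMPLE))
```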