DNS Status: Broken

Hi teejay, I tested with other DNS servers, but as you can see in the output, if I set the same DNS statically in the /etc/resolv.conf file I’m able to run updates. With nslookup I’m also able to talk with the DNS. It should not be an issue with my ISP.

Hi,

your ISP's DNS resolver might be overloaded.

Could you provide contents of lines in /var/log/messages beginning with unbound here?
We changed the Unbound configuration a while ago so it logs the exact case why a SERVFAIL
occurred. Perhaps this is helpful to know in order to say what is going wrong.

Thanks, and best regards,
Peter Müller

Hi Peter,
thanks for your input, here the /var/log/message related to unbound logs:

Apr 27 11:22:40 HOST unbound: [17896:0] info: generate keytag query _ta-4a5c-4f66. NULL IN
Apr 27 11:22:40 HOST unbound: [17896:0] info: failed to prime trust anchor – DNSKEY rrset is not secure . DNSKEY IN
Apr 27 11:22:40 HOST unbound: [17896:0] info: generate keytag query _ta-4a5c-4f66. NULL IN
Apr 27 11:22:40 HOST unbound: [17896:0] info: failed to prime trust anchor – DNSKEY rrset is not secure . DNSKEY IN
Apr 27 11:22:40 HOST unbound: [17896:0] info: generate keytag query _ta-4a5c-4f66. NULL IN
Apr 27 11:22:40 HOST unbound: [17896:0] info: failed to prime trust anchor – DNSKEY rrset is not secure . DNSKEY IN
Apr 27 11:22:40 HOST unbound: [17896:0] info: generate keytag query _ta-4a5c-4f66. NULL IN
Apr 27 11:22:40 HOST unbound: [17896:0] info: failed to prime trust anchor – DNSKEY rrset is not secure . DNSKEY IN
Apr 27 11:22:40 HOST unbound: [17896:0] info: generate keytag query _ta-4a5c-4f66. NULL IN
Apr 27 11:22:40 HOST unbound: [17896:0] info: failed to prime trust anchor – DNSKEY rrset is not secure . DNSKEY IN
Apr 27 11:22:40 HOST unbound: [17896:0] info: generate keytag query _ta-4a5c-4f66. NULL IN
Apr 27 11:22:40 HOST unbound: [17896:0] info: failed to prime trust anchor – DNSKEY rrset is not secure . DNSKEY IN
Apr 27 11:22:40 HOST unbound: [17896:0] info: validation failure <. DNSKEY IN>: no signatures from 8.8.8.8 for trust anchor . while building chain of trust

Kind Regards

I assume your router is not in bridge mode and is natting, right? I strongly suspect your router as culprit when even 8.8.8.8 google DNS doesn’t work with DNSSEC.

Here’s a similar case:

Hi,

this indeed looks like somebody is tampering with DNS queries - in the past, some
members of the (in German) popular FritzBox product family simply dropped UDP queries
to the root zone. :-/

Using DNS over TLS should solve this problem. Further information is available at:

Thanks, and best regards,
Peter Müller

I also have the DNS panel in the “Broken” state.
All DNS, including Google and Cloudflare, are in Error with “Reverse lookup failed” indicated
In this condition the whole network is stopped and I am forced to activate all the PCs on the router.
If we connect directly to the router, with the cable or with the Wi-Fi, we navigate without problems, so it is not a line problem.
My router is a Teltonika RUT950 and uses a Vodafone SIM for 4G connection and we have been using it for over a year.
Its internal IP address is 192.168.43.1 and Red’s address is obviously 192.168.43.2 with the gateway on 192.168.43.1.

@whitetiger: Does enabling DNS over TLS solve this problem?

Keep in mind that IPFire has been active for months; for some time now I have detected occasional blocks on certain websites, but usually these blocks last a few seconds. It is annoying because in some cases unsaved work is lost.
However, I had never made it to the full block for a whole day.

I tried to change the DNS and obviously to start IPfire again, several times.
This is the screenshot

Screenshot

@pmueller @whitetiger and teejay, in my case enabling TLS solves the issue. I will also check tomorrow that nothing has changed and I will let you know. Thanks a lot for the moment.

@whitetiger: Please be more precise than just writing:

However, I had never made it to the full block for a whole day.

I assume your IPFire machine fails to resolve any given FQDN and returns SERVFAIL
instead. The question is: Why?

Could you provide contents of lines in /var/log/messages beginning with unbound here?
We changed the Unbound configuration a while ago so it logs the exact case why a SERVFAIL
occurred. Perhaps this is helpful to know in order to say what is going wrong.

This is the log in the Log/System Log with filter “DNS Unbound”
Just after IPFire restarted

|18:01:48|unbound: [1893:0]|info: service stopped (unbound 1.10.0).|
|---|---|---|
|18:01:48|unbound: [1893:0]|info: server stats for thread 0: 666 queries, 1 answers from cache, 665 recursions, 0 prefetch, 0 rejected by ip ratelimiting|
|18:01:48|unbound: [1893:0]|info: server stats for thread 0: requestlist max 64 avg 37.8376 exceeded 0 jostled 0|
|18:01:48|unbound: [1893:0]|info: average recursion processing time 122.464313 sec|
|18:01:48|unbound: [1893:0]|info: histogram of recursion processing times|
|18:01:48|unbound: [1893:0]|info: [25%]=68.2251 median[50%]=114.286 [75%]=182.941|
|18:01:48|unbound: [1893:0]|info: lower(secs) upper(secs) recursions|
|18:01:48|unbound: [1893:0]|info: 0.262144 0.524288 2|
|18:01:48|unbound: [1893:0]|info: 0.524288 1.000000 6|
|18:01:48|unbound: [1893:0]|info: 2.000000 4.000000 4|
|18:01:48|unbound: [1893:0]|info: 4.000000 8.000000 11|
|18:01:48|unbound: [1893:0]|info: 8.000000 16.000000 28|
|18:01:48|unbound: [1893:0]|info: 16.000000 32.000000 41|
|18:01:48|unbound: [1893:0]|info: 32.000000 64.000000 59|
|18:01:48|unbound: [1893:0]|info: 64.000000 128.000000 231|
|18:01:48|unbound: [1893:0]|info: 128.000000 256.000000 272|
|18:01:48|unbound: [1893:0]|info: 256.000000 512.000000 11|
|18:06:38|unbound: [1893:0]|notice: init module 0: validator|
|18:06:38|unbound: [1893:0]|notice: init module 1: iterator|
|18:06:38|unbound: [1893:0]|info: start of service (unbound 1.10.0).|
|18:06:38|unbound: [1893:0]|error: SERVFAIL <. DNSKEY IN>: failed to get a delegation (eg. prime failure)|
|18:06:50|unbound: [1893:0]|info: service stopped (unbound 1.10.0).|
|18:06:50|unbound: [1893:0]|info: server stats for thread 0: 0 queries, 0 answers from cache, 0 recursions, 0 prefetch, 0 rejected by ip ratelimiting|
|18:06:50|unbound: [1893:0]|info: server stats for thread 0: requestlist max 0 avg 0 exceeded 0 jostled 0|
|18:06:50|unbound: [1893:0]|notice: Restart of unbound 1.10.0.|
|18:06:50|unbound: [1893:0]|notice: init module 0: validator|
|18:06:50|unbound: [1893:0]|notice: init module 1: iterator|
|18:06:50|unbound: [1893:0]|info: start of service (unbound 1.10.0).|
|18:07:41|unbound: [1893:0]|error: SERVFAIL <fireinfo.ipfire.org. A IN>: failed to get a delegation (eg. prime failure)|
|18:07:41|unbound: [1893:0]|error: SERVFAIL <fireinfo.ipfire.org. AAAA IN>: failed to get a delegation (eg. prime failure)|
|18:07:41|unbound: [1893:0]|error: SERVFAIL <. DNSKEY IN>: failed to get a delegation (eg. prime failure)|
|18:07:41|unbound: [1893:0]|error: SERVFAIL <ping.ipfire.org. A IN>: failed to get a delegation (eg. prime failure)|
|18:10:47|unbound: [1893:0]|error: SERVFAIL <mirror7.ipfire.org.localdomain. A IN>: failed to get a delegation (eg. prime failure)|
|18:10:47|unbound: [1893:0]|error: SERVFAIL <pakfire.ipfire.org. A IN>: failed to get a delegation (eg. prime failure)|
|18:10:47|unbound: [1893:0]|error: SERVFAIL <pakfire.ipfire.org.localdomain. A IN>: failed to get a delegation (eg. prime failure)|
|18:10:47|unbound: [1893:0]|error: SERVFAIL <database.clamav.net. A IN>: failed to get a delegation (eg. prime failure)|
|18:10:47|unbound: [1893:0]|error: SERVFAIL <database.clamav.net.localdomain. A IN>: failed to get a delegation (eg. prime failure)|
|18:10:47|unbound: [1893:0]|error: SERVFAIL <fireinfo.ipfire.org.localdomain. A IN>: failed to get a delegation (eg. prime failure)|
|18:10:47|unbound: [1893:0]|error: SERVFAIL <current.cvd.clamav.net. TXT IN>: failed to get a delegation (eg. prime failure)|
|18:10:47|unbound: [1893:0]|error: SERVFAIL <0.ipfire.pool.ntp.org. AAAA IN>: failed to get a delegation (eg. prime failure)|
|18:10:47|unbound: [1893:0]|error: SERVFAIL <0.ipfire.pool.ntp.org.localdomain. AAAA IN>: failed to get a delegation (eg. prime failure)|
|18:10:47|unbound: [1893:0]|error: SERVFAIL <1.ipfire.pool.ntp.org.localdomain. A IN>: failed to get a delegation (eg. prime failure)|
|18:10:47|unbound: [1893:0]|error: SERVFAIL <ftp.cc.uoc.gr. A IN>: failed to get a delegation (eg. prime failure)|
|18:10:47|unbound: [1893:0]|error: SERVFAIL <ftp.cc.uoc.gr.localdomain. A IN>: failed to get a delegation (eg. prime failure)|
|18:10:47|unbound: [1893:0]|error: SERVFAIL <mirror7.ipfire.org. A IN>: failed to get a delegation (eg. prime failure)|
|18:10:47|unbound: [1893:0]|error: SERVFAIL <1.ipfire.pool.ntp.org. AAAA IN>: failed to get a delegation (eg. prime failure)|
|18:10:47|unbound: [1893:0]|error: SERVFAIL <1.ipfire.pool.ntp.org.localdomain. AAAA IN>: failed to get a delegation (eg. prime failure)|
|18:10:47|unbound: [1893:0]|error: SERVFAIL <0.ipfire.pool.ntp.org.localdomain. A IN>: failed to get a delegation (eg. prime failure)|
|18:10:47|unbound: [1893:0]|error: SERVFAIL <1.ipfire.pool.ntp.org. A IN>: failed to get a delegation (eg. prime failure)|
|18:10:47|unbound: [1893:0]|error: SERVFAIL <fireinfo.ipfire.org.localdomain. AAAA IN>: failed to get a delegation (eg. prime failure)|
|18:10:47|unbound: [1893:0]|error: SERVFAIL <0.ipfire.pool.ntp.org. A IN>: failed to get a delegation (eg. prime failure)|

This is after http://ipfire.org

|18:22:31|unbound: [1893:0]|error: SERVFAIL <mtalk.google.com. A IN>: failed to get a delegation (eg. prime failure)|
|---|---|---|
|18:22:31|unbound: [1893:0]|error: SERVFAIL <time-h.netgear.com. A IN>: failed to get a delegation (eg. prime failure)|
|18:22:31|unbound: [1893:0]|error: SERVFAIL <activity.windows.com. A IN>: failed to get a delegation (eg. prime failure)|
|18:22:31|unbound: [1893:0]|error: SERVFAIL <clients4.google.com. A IN>: failed to get a delegation (eg. prime failure)|
|18:22:31|unbound: [1893:0]|error: SERVFAIL <ecoemeqy.localdomain. A IN>: failed to get a delegation (eg. prime failure)|
|18:22:31|unbound: [1893:0]|error: SERVFAIL <miasaaey.localdomain. A IN>: failed to get a delegation (eg. prime failure)|
|18:22:31|unbound: [1893:0]|error: SERVFAIL <community.ipfire.org. A IN>: failed to get a delegation (eg. prime failure)|
|18:22:31|unbound: [1893:0]|error: SERVFAIL <licensing.mp.microsoft.com. A IN>: failed to get a delegation (eg. prime failure)|
|18:22:31|unbound: [1893:0]|error: SERVFAIL <lsxsuqbbh.localdomain. A IN>: failed to get a delegation (eg. prime failure)|
|18:22:31|unbound: [1893:0]|error: SERVFAIL <pwdfonirut.localdomain. A IN>: failed to get a delegation (eg. prime failure)|
|18:22:31|unbound: [1893:0]|error: SERVFAIL <yirksczqrn.localdomain. A IN>: failed to get a delegation (eg. prime failure)|
|18:22:31|unbound: [1893:0]|error: SERVFAIL <localdomain. A IN>: failed to get a delegation (eg. prime failure)|
|18:22:31|unbound: [1893:0]|error: SERVFAIL <localdomain.localdomain. A IN>: failed to get a delegation (eg. prime failure)|
|18:22:31|unbound: [1893:0]|error: SERVFAIL <ncwufzsbdap.localdomain. A IN>: failed to get a delegation (eg. prime failure)|
|18:22:31|unbound: [1893:0]|error: SERVFAIL <lqzfjaykzfovz.localdomain. A IN>: failed to get a delegation (eg. prime failure)|
|18:22:31|unbound: [1893:0]|error: SERVFAIL <vjyemotlwrxqw.localdomain. A IN>: failed to get a delegation (eg. prime failure)|
|18:22:31|unbound: [1893:0]|error: SERVFAIL <besnqobuiaigve.localdomain. A IN>: failed to get a delegation (eg. prime failure)|
|18:22:31|unbound: [1893:0]|error: SERVFAIL <igjdgwgfncbcof.localdomain. A IN>: failed to get a delegation (eg. prime failure)|
|18:22:31|unbound: [1893:0]|error: SERVFAIL <mnylyejuejspcv.localdomain. A IN>: failed to get a delegation (eg. prime failure)|
|18:22:31|unbound: [1893:0]|error: SERVFAIL <lp-push-server-136.lastpass.com. A IN>: failed to get a delegation (eg. prime failure)|
|18:22:31|unbound: [1893:0]|error: SERVFAIL <0.ipfire.pool.ntp.org. AAAA IN>: failed to get a delegation (eg. prime failure)|
|18:22:31|unbound: [1893:0]|error: SERVFAIL <0.ipfire.pool.ntp.org.localdomain. AAAA IN>: failed to get a delegation (eg. prime failure)|
|18:22:31|unbound: [1893:0]|error: SERVFAIL <1.ipfire.pool.ntp.org. AAAA IN>: failed to get a delegation (eg. prime failure)|
|18:22:31|unbound: [1893:0]|error: SERVFAIL <1.ipfire.pool.ntp.org.localdomain. A IN>: failed to get a delegation (eg. prime failure)|
|18:22:31|unbound: [1893:0]|error: SERVFAIL <dns.msftncsi.com. A IN>: failed to get a delegation (eg. prime failure)|
|18:22:31|unbound: [1893:0]|error: SERVFAIL <www.google.com. A IN>: failed to get a delegation (eg. prime failure)|
|18:22:31|unbound: [1893:0]|error: SERVFAIL <wpad.localdomain. A IN>: failed to get a delegation (eg. prime failure)|
|18:22:31|unbound: [1893:0]|error: SERVFAIL <1.ipfire.pool.ntp.org.localdomain. AAAA IN>: failed to get a delegation (eg. prime failure)|
|18:22:31|unbound: [1893:0]|error: SERVFAIL <_ldap._tcp.dc._msdcs.lan.localdomain. SRV IN>: failed to get a delegation (eg. prime failure)|
|18:22:31|unbound: [1893:0]|error: SERVFAIL <0.ipfire.pool.ntp.org.localdomain. A IN>: failed to get a delegation (eg. prime failure)|
|18:22:31|unbound: [1893:0]|error: SERVFAIL <1.ipfire.pool.ntp.org. A IN>: failed to get a delegation (eg. prime failure)|
|18:22:31|unbound: [1893:0]|error: SERVFAIL <localdomain.localdomain. SRV IN>: failed to get a delegation (eg. prime failure)|
|18:22:31|unbound: [1893:0]|error: SERVFAIL <0.ipfire.pool.ntp.org. A IN>: failed to get a delegation (eg. prime failure)|
|18:25:01|unbound: [1893:0]|error: SERVFAIL <wpad.localdomain. A IN>: failed to get a delegation (eg. prime failure)|
|18:25:01|unbound: [1893:0]|error: SERVFAIL <mtalk.google.com. A IN>: failed to get a delegation (eg. prime failure)|
|18:25:01|unbound: [1893:0]|error: SERVFAIL <google.com. A IN>: failed to get a delegation (eg. prime failure)|
|18:25:01|unbound: [1893:0]|error: SERVFAIL <ipfire.org. A IN>: failed to get a delegation (eg. prime failure)|
|18:25:01|unbound: [1893:0]|error: SERVFAIL <rgdnkox.localdomain. A IN>: failed to get a delegation (eg. prime failure)|
|18:25:01|unbound: [1893:0]|error: SERVFAIL <clients4.google.com. A IN>: failed to get a delegation (eg. prime failure)|
|18:25:01|unbound: [1893:0]|error: SERVFAIL <community.ipfire.org. A IN>: failed to get a delegation (eg. prime failure)|
|18:25:01|unbound: [1893:0]|error: SERVFAIL <aerjyfficu.localdomain. A IN>: failed to get a delegation (eg. prime failure)|
|18:25:01|unbound: [1893:0]|error: SERVFAIL <localdomain. A IN>: failed to get a delegation (eg. prime failure)|
|18:25:01|unbound: [1893:0]|error: SERVFAIL <localdomain.localdomain. A IN>: failed to get a delegation (eg. prime failure)|
|18:25:01|unbound: [1893:0]|error: SERVFAIL <lmbwiuonawio.localdomain. A IN>: failed to get a delegation (eg. prime failure)|
|18:25:01|unbound: [1893:0]|error: SERVFAIL <lp-push-server-136.lastpass.com. A IN>: failed to get a delegation (eg. prime failure)|
|18:25:01|unbound: [1893:0]|error: SERVFAIL <dns.msftncsi.com. A IN>: failed to get a delegation (eg. prime failure)|
|18:25:01|unbound: [1893:0]|error: SERVFAIL <www.google.com. A IN>: failed to get a delegation (eg. prime failure)|
|18:25:01|unbound: [1893:0]|error: SERVFAIL <0.ipfire.pool.ntp.org. AAAA IN>: failed to get a delegation (eg. prime failure)|
|18:25:01|unbound: [1893:0]|error: SERVFAIL <0.ipfire.pool.ntp.org. A IN>: failed to get a delegation (eg. prime failure)|
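
The two log excerpts posted in this thread (the syslog lines from /var/log/messages earlier and the GUI system-log rows above) both come down to one question: is Unbound failing on ordinary lookups, or can it not prime the root trust anchor at all? The following script is an added example, not code from the forum thread, from IPFire or from Unbound. It parses both log layouts, extracts the failing question and any named upstream, and returns a verdict that distinguishes a blocked root-DNSKEY fetch (the ". DNSKEY IN" failures seen here) from other SERVFAILs. The sample lines are constructed from the excerpts in the thread; the category names and verdict strings are this example's own.

```python
"""Triage Unbound log lines for DNSSEC trust-anchor priming failures.

Added example, not code from the thread, IPFire or Unbound. Handles the
syslog layout of /var/log/messages and the pipe-separated rows exported
from the IPFire web GUI log. Sample lines are constructed from the thread.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# /var/log/messages layout: "Apr 27 11:22:40 HOST unbound: [pid:thread] level: message"
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ unbound: "
    r"\[(?P<pid>\d+):(?P<thread>\d+)\] (?P<level>\w+): (?P<msg>.*)$"
)
# IPFire GUI export layout: "|18:06:38|unbound: [pid:thread]|level: message|"
TABLE_RE = re.compile(
    r"^\|(?P<ts>\d\d:\d\d:\d\d)\|unbound: \[(?P<pid>\d+):(?P<thread>\d+)\]\|"
    r"(?P<level>\w+): (?P<msg>.*)\|$"
)
# Unbound writes the failing question as "<qname qtype qclass>"
QUERY_RE = re.compile(r"<(?P<qname>\S+) (?P<qtype>\S+) (?P<qclass>\S+)>")
UPSTREAM_RE = re.compile(r"no signatures from (?P<ip>\S+) for trust anchor")

VERDICT_TEXT = {
    "root-priming-blocked": "root DNSKEY cannot be fetched or validated through the upstream path; "
    "check the path to the resolver (router/ISP) and whether 853/TCP for DNS over TLS is allowed",
    "delegation-failures": "delegations fail without a root-priming error; upstream unreachable or overloaded",
    "validation-failure": "DNSSEC validation failed for specific names only",
    "no-priming-problem": "no trust-anchor problem in these lines",
}


@dataclass
class Event:
    ts: str
    level: str
    category: str
    qname: Optional[str] = None
    qtype: Optional[str] = None
    upstream: Optional[str] = None


def classify(msg: str) -> str:
    """Map an Unbound message to a coarse failure category (names are this example's own)."""
    if "failed to prime trust anchor" in msg:
        return "anchor_prime_failure"
    if msg.startswith("validation failure"):
        return "validation_failure"
    if msg.startswith("SERVFAIL"):
        return "servfail_prime_failure" if "prime failure" in msg else "servfail_other"
    return "other"


def parse_line(line: str) -> Optional[Event]:
    """Return an Event for an Unbound line in either layout, or None for anything else."""
    m = SYSLOG_RE.match(line) or TABLE_RE.match(line)
    if not m:
        return None
    msg = m.group("msg")
    ev = Event(ts=m.group("ts"), level=m.group("level"), category=classify(msg))
    q = QUERY_RE.search(msg)
    if q:
        ev.qname, ev.qtype = q.group("qname"), q.group("qtype")
    u = UPSTREAM_RE.search(msg)
    if u:
        ev.upstream = u.group("ip")
    return ev


def triage(lines: Iterable[str]) -> Dict[str, object]:
    """Count categories and decide whether the root trust anchor could not be primed."""
    events: List[Event] = [e for e in map(parse_line, lines) if e is not None]
    counts = Counter(e.category for e in events)
    # Root priming is blocked when Unbound says so directly, or when the failing
    # question is the root DNSKEY itself (". DNSKEY IN").
    root_blocked = counts["anchor_prime_failure"] > 0 or any(
        e.qname == "." and e.qtype == "DNSKEY" and e.category != "other" for e in events
    )
    if root_blocked:
        verdict = "root-priming-blocked"
    elif counts["servfail_prime_failure"]:
        verdict = "delegation-failures"
    elif counts["validation_failure"]:
        verdict = "validation-failure"
    else:
        verdict = "no-priming-problem"
    return {
        "parsed": len(events),
        "counts": dict(counts),
        "root_priming_blocked": root_blocked,
        "upstreams": sorted({e.upstream for e in events if e.upstream}),
        "failed_names": sorted({e.qname for e in events if e.category.startswith("servfail") and e.qname}),
        "verdict": verdict,
    }


# Constructed sample: one line of each kind seen in the thread, plus a non-Unbound line.
SAMPLE_LINES = [
    "Apr 27 11:22:40 HOST unbound: [17896:0] info: generate keytag query _ta-4a5c-4f66. NULL IN",
    "Apr 27 11:22:40 HOST unbound: [17896:0] info: failed to prime trust anchor -- DNSKEY rrset is not secure . DNSKEY IN",
    "Apr 27 11:22:40 HOST unbound: [17896:0] info: validation failure <. DNSKEY IN>: no signatures from 8.8.8.8 for trust anchor . while building chain of trust",
    "|18:06:38|unbound: [1893:0]|info: start of service (unbound 1.10.0).|",
    "|18:06:38|unbound: [1893:0]|error: SERVFAIL <. DNSKEY IN>: failed to get a delegation (eg. prime failure)|",
    "|18:07:41|unbound: [1893:0]|error: SERVFAIL <fireinfo.ipfire.org. A IN>: failed to get a delegation (eg. prime failure)|",
    "|18:10:47|unbound: [1893:0]|error: SERVFAIL <pakfire.ipfire.org. A IN>: failed to get a delegation (eg. prime failure)|",
    "not an unbound line at all",
]

if __name__ == "__main__":
    result = triage(SAMPLE_LINES)
    print(result["verdict"], "-", VERDICT_TEXT[result["verdict"]])
    print("upstreams:", result["upstreams"], "failed names:", result["failed_names"])
```

Run it against a real file with `triage(open("/var/log/messages"))`; the verdict "root-priming-blocked" on the constructed sample is the same condition the thread ends up attributing to the ISP-managed router rather than to IPFire.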

Hi,

this should not happen indeed:

error: SERVFAIL <. DNSKEY IN>: failed to get a delegation (eg. prime failure)

Could you post a screenshot of your current DNS settings and firewall rules, please?
(Perhaps traffic to port 853/TCP is not allowed?)

Thanks, and best regards,
Peter Müller

Below are the screenshots.
This installation of IPFire has never seen many changes.
There is Clamav, IDS, Guardian.
In recent days, a VPN and a DDNS with DuckDNS has been activated, but it has never been tested because in the meantime we are no longer able to go to the Internet if not by connecting directly to the router’s Wi-Fi.
For some time I was struggling to visit some sites, I had also opened a post about it.
For three days the block has been total and I don’t remember making any other changes than activating or deactivating IDS.

DNS

Firewall Rules

Firewall Options

IDS (all rules off)

iptables

Services

Hi,

this is interesting as there should not be any interference between you
and Google’s public DNS resolvers.

Could you try different DNS resolvers please? Perhaps those of your ISP?

If this works, I would like to ask you to install the mtr addon, run
the following command and post its results here:

mtr -b -z 8.8.8.8

That way, we’ll see if there is any network overload or similar beyond
your router.

Thanks, and best regards,
Peter Müller

I had tried yesterday with the provider’s DNS, but without success.
Do I still have to launch mtr?

Hi,

yes please, if possible. But without a working DNS I doubt you will be
able to install the mtr addon.

Does pinging 8.8.8.8 work?

Thanks, and best regards,
Peter Müller

Peter, I have to apologize even if it’s not my responsibility.
The only check I haven’t done is to call my ISP.
My router is under their management and in the past few days I had called them to have port 1194 activated for OpenVPN.
By mistake, they activated the port, but blocked all the ethernet sockets.
I asked to reopen them and now it works.
I’m sorry, but I really never would have imagined this. There is the LED on, but without traffic. I blamed the Firewall and instead it was the router.

I take this opportunity to suggest inserting a page in the GUI with tools to check connectivity because it is not always possible to do tests via the console.
It would be convenient to do ping, tracert and also check what the external IP is and if the DDNS is running.

Thank you very much for your support.

Hi,

well, I am glad this is not an IPFire-related problem. Actually, because of such
scenarios, I try to avoid ISP-managed services/devices whenever possible. :slight_smile:

The suggestion of a GUI for ping, traceroute, dig, etc. came up a while ago.
Although it does not sound like being very hard to implement, it simply has not
been done.

Feel free to change this; further development information is available at https://wiki.ipfire.org/devel . :wink:

Thanks, and best regards,
Peter Müller


There is an Error 500 on the wiki

It’s working for me.