I had the same problem behind ISP router.
Had to fall back to standard DNS udp.
TLS did not work
Hi Shaun,
I am using standard UDP DNS port 53, have firewall ports open, and even added host names in the IPFire config. I am not using TLS.
But you are using Safe Search.
Don’t know if this matters, but it is worth a try.
Hi Bernhard,
Safe mode was an accident. Glad you pointed that out. I was up late last night testing and left it on by mistake.
Eric
Have you enabled IPS / Suricata? On some systems/ISPs there is a problem that IPS blocks DNS connections from unbound.
If not try unbound-anchor to update the root key.
Arne, question…
Will the unbound-anchor help bind DNSSEC so that my DNS requests are secured? I know it sounds like a noob question, but still have a few problems. While I can get DNS resolve on A records, none are DNSSEC responses. Would this help to regenerate the root certificate and key?
This is the key that fixed my network/domain name system problem of Status: Broken, when all the statuses were “OK” for the nameservers. My problem is the same, but different direction.
Unbound was not running (“ps ax | grep unbound”). I ran the
unbound -dd
on the ipfire command line. This showed me an error in the local-data at line 31 and unbound exited again.
Jul 08 18:51:13 unbound[10559:0] error: error parsing local-data at 31 ‘Roku Express.xx.yy.com 60 IN A 192.168.1.82’: Syntax error, could not parse the RR’s type
Jul 08 18:51:13 unbound[10559:0] error: Bad local-data RR Roku Express.xx.yy.com 60 IN A 192.168.1.82
Jul 08 18:51:13 unbound[10559:0] fatal error: Could not set up local zones
That looked similar to the “network/Edit Hosts” menu of current hosts. At first I did not see the error. Now I see it all the time. NO Spaces are allowed in URLs. So shortening the “Roku Express” to “RokuExpress” in hosts, retrying “unbound -dd” on the command line worked.
Checking the Status in network/Domain Name System, reveals “Working”.
Your mileage may vary (YMMV). Why? Because of flaky configurations that are not checked at menu entry time. The DNS/unbound is still a work in progress, but much much much better than before. Thanks to the developers.
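The failure above (a space inside a hostname turning into an unparsable local-data record) is easy to reproduce and to guard against before unbound ever sees the file. This is an added example written for this thread, not IPFire's own hosts.conf generator: it parses an RR in the order a zone parser reads it, validates hostnames per RFC 1123, and only emits local-data lines that will survive unbound's parser (the sample hosts and the xx.yy.com domain are constructed from the post above).

```python
import ipaddress
import re
# RFC 1123 label: letters, digits, hyphens; 1-63 chars; no leading or trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")
KNOWN_TYPES = {"A", "AAAA", "PTR", "CNAME", "TXT", "MX", "NS", "SRV"}  # enough for local-data

def valid_hostname(name: str) -> bool:
    """True if every dot-separated label of name is RFC 1123 compliant (so no spaces)."""
    return 0 < len(name) <= 253 and all(_LABEL.match(lbl) for lbl in name.split("."))

def parse_rr(rr: str) -> dict:
    """Parse a presentation-format RR the way a zone parser does: owner, optional
    numeric TTL, optional class, then the type. A space in the owner name pushes
    the second word of the name into the type slot: the thread's "could not parse
    the RR's type" error."""
    tokens = rr.split()
    try:
        owner, rest = tokens[0], tokens[1:]
        ttl = int(rest.pop(0)) if rest[0].isdigit() else None
        rclass = rest.pop(0).upper() if rest[0].upper() in ("IN", "CH", "HS") else "IN"
        rtype = rest.pop(0).upper()
    except IndexError:
        raise ValueError("too few fields in RR") from None
    if rtype not in KNOWN_TYPES:
        raise ValueError(f"could not parse the RR's type: {rtype!r}")
    return {"owner": owner, "ttl": ttl, "class": rclass, "type": rtype, "rdata": " ".join(rest)}

def local_data_lines(hosts, domain, ttl=60):
    """Build unbound local-data statements for (hostname, ip) pairs. Entries that
    would not survive unbound's parser go to `rejected` instead of into hosts.conf,
    so one bad host cannot keep the whole resolver from starting."""
    lines, rejected = [], []
    for host, ip in hosts:
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            rejected.append((host, ip, "bad IP address"))
            continue
        if not (valid_hostname(host) and valid_hostname(domain)):
            rejected.append((host, ip, "hostname contains characters unbound cannot parse"))
            continue
        rtype = "A" if addr.version == 4 else "AAAA"
        rr = f"{host}.{domain} {ttl} IN {rtype} {addr}"
        parse_rr(rr)  # sanity check: the line must round-trip through the RR parser
        lines.append(f'local-data: "{rr}"')
    return lines, rejected

# Constructed sample mirroring the post: the same device with and without a space in its name.
SAMPLE_HOSTS = [("Roku Express", "192.168.1.82"), ("RokuExpress", "192.168.1.82"), ("printer", "192.168.1.300")]
```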
The hostname check will be corrected with one of the next core updates.
The problem is known. But if you don’t use disallowed characters in hostnames/URLs there is no problem.
Did anyone ever find a solution to this? I have the same problem. Seems like ever since IPFire updated everything is unstable at best. Feel more like floating this thing down the river :{
Hello,
I am currently not aware of any severe bugs in the DNS stack…
If there is anything, I will need at least some log files.
-Michael
I’m still using TCP for DNS queries.
If I go with UDP it stops working when it feels like it, time varies. Not sure what or how quitting time is decided. Using TLS it pretty much goes on strike within a few minutes of the change. Between you and me, I have a sneaky suspicion it works for the government and is expecting a raise.
Then I would recommend following Michael’s advice to provide some logs for investigation to identify what is causing the problems that you are experiencing.
I have been using TLS DNS since it became available and I have had a rock solid performance with no issues at all.
If TLS goes on strike for you within a few minutes of the change then that should show up in the logs.
At 11:56 I changed TCP to TLS and now it says
Status: Broken
8<— snip from log, to be viewed in reverse order, the SERVFAIL goes on forever
11:56:52 | unbound: [21828:0] | error: SERVFAIL <forcesafesearch.google.com. A IN>: all the configured stub or forward servers failed, at zone . |
11:56:52 | unbound: [21828:0] | error: SERVFAIL <safe.duckduckgo.com. A IN>: all the configured stub or forward servers failed, at zone . |
11:56:52 | unbound: [21828:0] | error: SERVFAIL <strict.bing.com. A IN>: all the configured stub or forward servers failed, at zone . |
11:56:52 | unbound: [21828:0] | error: SERVFAIL <client.teamviewer.com. A IN>: all the configured stub or forward servers failed, at zone . |
11:56:52 | unbound: [21828:0] | error: SERVFAIL <client.teamviewer.com. AAAA IN>: all the configured stub or forward servers failed, at zone . |
11:56:30 | unbound: [21828:0] | info: start of service (unbound 1.11.0). |
11:56:30 | unbound: [21828:0] | notice: init module 1: iterator |
11:56:30 | unbound: [21828:0] | notice: init module 0: validator |
11:56:30 | unbound: [21828:0] | notice: Restart of unbound 1.11.0. |
11:56:30 | unbound: [21828:0] | info: 32.000000 64.000000 22 |
11:56:30 | unbound: [21828:0] | info: 16.000000 32.000000 25 |
11:56:30 | unbound: [21828:0] | info: 8.000000 16.000000 32 |
11:56:30 | unbound: [21828:0] | info: 4.000000 8.000000 37 |
11:56:30 | unbound: [21828:0] | info: 2.000000 4.000000 106 |
11:56:30 | unbound: [21828:0] | info: 1.000000 2.000000 222 |
11:56:30 | unbound: [21828:0] | info: 0.524288 1.000000 325 |
11:56:30 | unbound: [21828:0] | info: 0.262144 0.524288 566 |
11:56:30 | unbound: [21828:0] | info: 0.131072 0.262144 292 |
11:56:30 | unbound: [21828:0] | info: 0.065536 0.131072 264 |
11:56:30 | unbound: [21828:0] | info: 0.032768 0.065536 444 |
11:56:30 | unbound: [21828:0] | info: 0.016384 0.032768 6 |
11:56:30 | unbound: [21828:0] | info: 0.008192 0.016384 2 |
11:56:30 | unbound: [21828:0] | info: 0.001024 0.002048 1 |
11:56:30 | unbound: [21828:0] | info: 0.000000 0.000001 127 |
11:56:30 | unbound: [21828:0] | info: lower(secs) upper(secs) recursions |
11:56:30 | unbound: [21828:0] | info: [25%]=0.0749072 median[50%]=0.308228 [75%]=0.745677 |
11:56:30 | unbound: [21828:0] | info: histogram of recursion processing times |
11:56:30 | unbound: [21828:0] | info: average recursion processing time 1.337007 sec |
11:56:30 | unbound: [21828:0] | info: server stats for thread 0: requestlist max 22 avg 1.08006 exceeded 0 jostled 0 |
11:56:30 | unbound: [21828:0] | info: server stats for thread 0: 27001 queries, 24528 answers from cache, 2473 recursions, 150 prefetch, 0 rejected by ip ratelimiting |
11:56:30 | unbound: [21828:0] | info: service stopped (unbound 1.11.0). |
12h08 swapped to UDP and this is the result…
Status: Working
8<— snip from log, to be viewed in reverse order, nothing is unresolved
12:08:47 | unbound: [21828:0] | info: generate keytag query _ta-4a5c-4f66. NULL IN |
12:08:47 | unbound: [21828:0] | info: start of service (unbound 1.11.0). |
12:08:47 | unbound: [21828:0] | notice: init module 1: iterator |
12:08:47 | unbound: [21828:0] | notice: init module 0: validator |
12:08:47 | unbound: [21828:0] | notice: Restart of unbound 1.11.0. |
12:08:47 | unbound: [21828:0] | info: 1.000000 2.000000 2 |
12:08:47 | unbound: [21828:0] | info: 0.524288 1.000000 2 |
12:08:47 | unbound: [21828:0] | info: 0.262144 0.524288 4 |
12:08:47 | unbound: [21828:0] | info: 0.131072 0.262144 15 |
12:08:47 | unbound: [21828:0] | info: 0.065536 0.131072 13 |
12:08:47 | unbound: [21828:0] | info: 0.032768 0.065536 13 |
12:08:47 | unbound: [21828:0] | info: 0.016384 0.032768 23 |
12:08:47 | unbound: [21828:0] | info: 0.000000 0.000001 16 |
12:08:47 | unbound: [21828:0] | info: lower(secs) upper(secs) recursions |
12:08:47 | unbound: [21828:0] | info: [25%]=0.0206581 median[50%]=0.0453711 [75%]=0.13981 |
12:08:47 | unbound: [21828:0] | info: histogram of recursion processing times |
12:08:47 | unbound: [21828:0] | info: average recursion processing time 0.116188 sec |
12:08:47 | unbound: [21828:0] | info: server stats for thread 0: requestlist max 4 avg 0.852273 exceeded 0 jostled 0 |
12:08:47 | unbound: [21828:0] | info: server stats for thread 0: 156 queries, 68 answers from cache, 88 recursions, 0 prefetch, 0 rejected by ip ratelimiting |
12:08:47 | unbound: [21828:0] | info: service stopped (unbound 1.11.0). |
Hi.
It may be useless, but to try …
In TLS Hostname put “dns.google”.
It should look like this:
Tell us the results.
Regards.
That’s already there. Was one of the first things I did, see below
And this is the result…
It took about 10min to fail with UDP as well… as said. Only TCP seems to keep working without issues. The machine is on Core 149
The log snip from when I changed over from TLS to TCP…
It’s now 12h26 and no new entries of SERVFAIL show up. Browsing etc. works
12:21:46 | unbound: [21828:0] | info: generate keytag query _ta-4a5c-4f66. NULL IN |
12:21:46 | unbound: [21828:0] | info: start of service (unbound 1.11.0). |
12:21:45 | unbound: [21828:0] | notice: init module 1: iterator |
12:21:45 | unbound: [21828:0] | notice: init module 0: validator |
12:21:45 | unbound: [21828:0] | notice: Restart of unbound 1.11.0. |
12:21:45 | unbound: [21828:0] | info: server stats for thread 0: requestlist max 0 avg 0 exceeded 0 jostled 0 |
12:21:45 | unbound: [21828:0] | info: server stats for thread 0: 1 queries, 0 answers from cache, 1 recursions, 0 prefetch, 0 rejected by ip ratelimiting |
12:21:45 | unbound: [21828:0] | info: service stopped (unbound 1.11.0). |
12:21:45 | unbound: [21828:0] | info: start of service (unbound 1.11.0). |
12:21:45 | unbound: [21828:0] | notice: init module 1: iterator |
12:21:45 | unbound: [21828:0] | notice: init module 0: validator |
12:21:45 | unbound: [21828:0] | notice: Restart of unbound 1.11.0. |
12:21:45 | unbound: [21828:0] | info: server stats for thread 0: requestlist max 1 avg 0.5 exceeded 0 jostled 0 |
12:21:45 | unbound: [21828:0] | info: server stats for thread 0: 2 queries, 0 answers from cache, 2 recursions, 0 prefetch, 0 rejected by ip ratelimiting |
12:21:45 | unbound: [21828:0] | info: service stopped (unbound 1.11.0). |
12:21:45 | unbound: [21828:0] | info: start of service (unbound 1.11.0). |
12:21:45 | unbound: [21828:0] | notice: init module 1: iterator |
12:21:45 | unbound: [21828:0] | notice: init module 0: validator |
12:21:45 | unbound: [21828:0] | notice: Restart of unbound 1.11.0. |
12:21:45 | unbound: [21828:0] | info: server stats for thread 0: requestlist max 0 avg 0 exceeded 0 jostled 0 |
12:21:45 | unbound: [21828:0] | info: server stats for thread 0: 1 queries, 0 answers from cache, 1 recursions, 0 prefetch, 0 rejected by ip ratelimiting |
12:21:45 | unbound: [21828:0] | info: service stopped (unbound 1.11.0). |
12:21:45 | unbound: [21828:0] | info: start of service (unbound 1.11.0). |
12:21:45 | unbound: [21828:0] | notice: init module 1: iterator |
12:21:45 | unbound: [21828:0] | notice: init module 0: validator |
12:21:45 | unbound: [21828:0] | notice: Restart of unbound 1.11.0. |
12:21:45 | unbound: [21828:0] | info: server stats for thread 0: requestlist max 10 avg 8.11111 exceeded 0 jostled 0 |
12:21:45 | unbound: [21828:0] | info: server stats for thread 0: 63 queries, 0 answers from cache, 63 recursions, 0 prefetch, 0 rejected by ip ratelimiting |
12:21:45 | unbound: [21828:0] | info: service stopped (unbound 1.11.0). |
12:21:32 | unbound: [21828:0] | info: start of service (unbound 1.11.0). |
12:21:32 | unbound: [21828:0] | notice: init module 1: iterator |
12:21:32 | unbound: [21828:0] | notice: init module 0: validator |
12:21:32 | unbound: [21828:0] | notice: Restart of unbound 1.11.0. |
12:21:32 | unbound: [21828:0] | info: 16.000000 32.000000 6 |
12:21:32 | unbound: [21828:0] | info: 8.000000 16.000000 11 |
12:21:32 | unbound: [21828:0] | info: 4.000000 8.000000 4 |
12:21:32 | unbound: [21828:0] | info: 0.000000 0.000001 135 |
12:21:32 | unbound: [21828:0] | info: lower(secs) upper(secs) recursions |
12:21:32 | unbound: [21828:0] | info: [25%]=2.88889e-07 median[50%]=5.77778e-07 [75%]=8.66667e-07 |
12:21:32 | unbound: [21828:0] | info: histogram of recursion processing times |
12:21:32 | unbound: [21828:0] | info: average recursion processing time 2.124487 sec |
12:21:32 | unbound: [21828:0] | info: server stats for thread 0: requestlist max 1 avg 0.15625 exceeded 0 jostled 0 |
12:21:32 | unbound: [21828:0] | info: server stats for thread 0: 742 queries, 586 answers from cache, 156 recursions, 4 prefetch, 0 rejected by ip ratelimiting |
12:21:32 | unbound: [21828:0] | info: service stopped (unbound 1.11.0). |
12:21:32 | unbound: [21828:0] | error: SERVFAIL <twitter.com. A IN>: all the configured stub or forward servers failed, at zone . |
12:21:32 | unbound: [21828:0] | error: SERVFAIL <www.reddit.com. A IN>: all the configured stub or forward servers failed, at zone . |
12:21:32 | unbound: [21828:0] | error: SERVFAIL <www.wikipedia.org. A IN>: all the configured stub or forward servers failed, at zone . |
12:21:32 | unbound: [21828:0] | error: SERVFAIL <www.facebook.com. A IN>: all the configured stub or forward servers failed, at zone . |
12:21:32 | unbound: [21828:0] | error: SERVFAIL <www.youtube.com. A IN>: all the configured stub or forward servers failed, at zone . |
12:21:31 | unbound: [21828:0] | error: SERVFAIL <tracker.publicbt.com. A IN>: all the configured stub or forward servers failed, at zone . |
12:21:25 | unbound: [21828:0] | error: SERVFAIL <snippets.cdn.mozilla.net. A IN>: all the configured stub or forward servers failed, at zone . |
12:21:25 | unbound: [21828:0] | error: SERVFAIL <incoming.telemetry.mozilla.org. A IN>: all the configured stub or forward servers failed, at zone . |
12:21:25 | unbound: [21828:0] | error: SERVFAIL <firefox.settings.services.mozilla.com. A IN>: all the configured stub or forward servers failed, at zone . |
12:21:25 | unbound: [21828:0] | error: SERVFAIL <content-signature-2.cdn.mozilla.net. A IN>: all the configured stub or forward servers failed, at zone . |
12:21:23 | unbound: [21828:0] | error: SERVFAIL <play.google.com. A IN>: all the configured stub or forward servers failed, at zone . |
12:21:23 | unbound: [21828:0] | error: SERVFAIL <push.services.mozilla.com. A IN>: all the configured stub or forward servers failed, at zone . |
12:21:23 | unbound: [21828:0] | error: SERVFAIL <location.services.mozilla.com. A IN>: all the configured stub or forward servers failed, at zone . |
12:21:22 | unbound: [21828:0] | error: SERVFAIL <detectportal.firefox.com. A IN>: all the configured stub or forward servers failed, at zone . |
12:21:19 | unbound: [21828:0] | error: SERVFAIL <public.popcorn-tracker.org. A IN>: all the configured stub or forward servers failed, at zone . |
12:21:15 | unbound: [21828:0] | error: SERVFAIL <ping.ipfire.org. A IN>: all the configured stub or forward servers failed, at zone . |
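Both log snips in this thread (the TLS run at 11:56 and the UDP run at 12:21) show the same signature: a restart followed within seconds by a burst of "all the configured stub or forward servers failed" SERVFAILs, which points at the path to the forwarders rather than at the resolver itself. This added example (written for the thread, not IPFire code) parses rows in the log viewer's "HH:MM:SS | unbound: [pid:tid] | level: message |" layout, tolerates the newest-first order, and flags a forwarder outage when enough such errors follow the last start; the sample rows are copied from the posts above and trimmed.

```python
import re
from collections import Counter
from datetime import datetime
# Row format of the IPFire log viewer as pasted in the thread: "HH:MM:SS | unbound: [pid:tid] | level: message |"
ROW_RE = re.compile(r"^(\d\d:\d\d:\d\d) \| unbound: \[(\d+):(\d+)\] \| (\w+): (.*?)\s*\|?$")
SERVFAIL_RE = re.compile(r"SERVFAIL <(?P<qname>\S+) (?P<qtype>\S+) (?P<qclass>\S+)>: (?P<reason>.*)")

def parse_row(row: str):
    """Return {time, level, msg} for one viewer row, or None for anything else."""
    m = ROW_RE.match(row.strip())
    if not m:
        return None
    ts, _pid, _tid, level, msg = m.groups()
    return {"time": datetime.strptime(ts, "%H:%M:%S"), "level": level, "msg": msg}

def forwarder_health(rows, window_s=60, threshold=3):
    """Summarise a pasted log. forwarders_down is set when at least `threshold`
    'forward servers failed' errors land within window_s of the last
    'start of service' row. Rows may be in any order (the viewer prints newest first)."""
    events = sorted((e for e in map(parse_row, rows) if e), key=lambda e: e["time"])
    starts = [e["time"] for e in events if e["msg"].startswith("start of service")]
    reasons, names, fails_after_start = Counter(), [], 0
    for e in events:
        m = SERVFAIL_RE.search(e["msg"]) if e["level"] == "error" else None
        if not m:
            continue
        reasons[m["reason"]] += 1
        names.append(m["qname"])
        since_start = (e["time"] - starts[-1]).total_seconds() if starts else None
        if since_start is not None and 0 <= since_start <= window_s and "forward servers failed" in m["reason"]:
            fails_after_start += 1
    return {"restarts": len(starts), "servfail_reasons": dict(reasons),
            "failed_names": names, "forwarders_down": fails_after_start >= threshold}

# Rows copied from the thread (newest first, as pasted): the TLS run that broke and the UDP run that came up clean.
TLS_RUN = """\
11:56:52 | unbound: [21828:0] | error: SERVFAIL <forcesafesearch.google.com. A IN>: all the configured stub or forward servers failed, at zone . |
11:56:52 | unbound: [21828:0] | error: SERVFAIL <safe.duckduckgo.com. A IN>: all the configured stub or forward servers failed, at zone . |
11:56:52 | unbound: [21828:0] | error: SERVFAIL <client.teamviewer.com. AAAA IN>: all the configured stub or forward servers failed, at zone . |
11:56:30 | unbound: [21828:0] | info: start of service (unbound 1.11.0). |
""".splitlines()
UDP_RUN = """\
12:08:47 | unbound: [21828:0] | info: generate keytag query _ta-4a5c-4f66. NULL IN |
12:08:47 | unbound: [21828:0] | info: start of service (unbound 1.11.0). |
""".splitlines()
```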
Hi @troll-op,
I am definitely no expert on unbound and DNS, but I am wondering if there is something wrong in your unbound.conf or forward.conf files. Could you provide the contents of them? They are in /etc/unbound.
At the least I can then compare them with mine and see if I can see anything unusually different.
cat /etc/unbound/unbound.conf
#
# Unbound configuration file for IPFire
#
# The full documentation is available at:
# https://nlnetlabs.nl/documentation/unbound/unbound.conf/
#
server:
# Common Server Options
chroot: ""
directory: "/etc/unbound"
username: "nobody"
do-ip6: no
# System Tuning
include: "/etc/unbound/tuning.conf"
# Logging Options
use-syslog: yes
log-time-ascii: yes
# Unbound Statistics
statistics-interval: 86400
extended-statistics: yes
# Prefetching
prefetch: yes
prefetch-key: yes
# Randomise any cached responses
rrset-roundrobin: yes
# Privacy Options
hide-identity: yes
hide-version: yes
# DNSSEC
auto-trust-anchor-file: "/var/lib/unbound/root.key"
val-log-level: 1
log-servfail: yes
# Hardening Options
harden-large-queries: yes
harden-referral-path: yes
aggressive-nsec: yes
# TLS
tls-cert-bundle: /etc/ssl/certs/ca-bundle.crt
# EDNS Buffer Size (#12240)
edns-buffer-size: 1232
# Harden against DNS cache poisoning
unwanted-reply-threshold: 1000000
# Listen on all interfaces
interface-automatic: yes
interface: 0.0.0.0
# Allow access from everywhere
access-control: 0.0.0.0/0 allow
# Bootstrap root servers
root-hints: "/etc/unbound/root.hints"
# Include DHCP leases
include: "/etc/unbound/dhcp-leases.conf"
# Include hosts
include: "/etc/unbound/hosts.conf"
# Include any forward zones
include: "/etc/unbound/forward.conf"
remote-control:
control-enable: yes
control-use-cert: no
control-interface: 127.0.0.1
# Import any local configurations
include: "/etc/unbound/local.d/*.conf"
The forward.conf is auto generated by the server when you make changes in the WebGUI but sure…
cat /etc/unbound/forward.conf
# This file is automatically generated and any changes
# will be overwritten. DO NOT EDIT!
# Force using TCP for upstream servers only
server:
tcp-upstream: yes
forward-zone:
name: "."
forward-addr: 8.8.8.8
forward-addr: 8.8.4.4
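For comparison with the TCP forward.conf above, this is what the same forward zone looks like in unbound's own syntax when DNS-over-TLS is selected. It is an added example written for this thread, not the file IPFire's generator writes: the addresses and the dns.google name come from the posts above, the layout and comments are the editor's.

```conf
# Added example: DNS-over-TLS version of the forward zone above (not IPFire's generated file).
server:
    # CA bundle unbound uses to verify the forwarder's certificate; the unbound.conf
    # pasted earlier in the thread already sets this.
    tls-cert-bundle: "/etc/ssl/certs/ca-bundle.crt"

forward-zone:
    name: "."
    # Encrypt to the forwarders. Without this unbound sends plaintext DNS to port 853,
    # which a TLS-only forwarder will not answer, and every query ends in SERVFAIL.
    forward-tls-upstream: yes
    # @853 selects the DoT port; #dns.google is the name the certificate must match
    # (the "TLS Hostname" field mentioned earlier in the thread).
    forward-addr: 8.8.8.8@853#dns.google
    forward-addr: 8.8.4.4@853#dns.google
```

`unbound-checkconf` validates the syntax before a restart; if a zone like this still produces "all the configured stub or forward servers failed", the problem is on the path to port 853 (the IPS/ISP filtering Arne raised above) rather than in unbound.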