Domain Name System Status:Broken | 141

I had the same problem behind ISP router.
Had to fall back to standard DNS udp.
TLS did not work

Hi Shaun,

I am using standard UDP DNS port 53, have firewall ports open, and even added host names in the IPFire config. I am not using TLS.

image1245×780 50.2 KB

But you are using Safe Search.
Don’t know, if this matters. But it is worth a try.

Hi Bernhard,

Safe mode was an accident. Glad you pointed that out. I was up late last night testing and left it on by mistake.

Eric

have you enables IPS / Suricata? on some systems/isp there is a problem that IPS blocks DNS connections from unbound.

If not try unbound-anchor to update the root key.

Arne, question…

Will the unbound-anchor help bind DNSSEC so that my DNS requests are secured? I know it sounds like a noob question, but still have a few problems. While I can get DNS resolve on A records, none are DNSSEC responses. Would this help to regenerate the root certificate and key?

This is the key that fixed my network/domain name system problem of Status: Broken, when all the status’ were “OK” for the nameservers . My problem is the same, but different direction.

Unbound was not running (“ps ax | grep unbound”). I ran the

unbound -dd

on the ipfire command line. This showed me an error in the local-data at line 31 and unbound exited again.

Jul 08 18:51:13 unbound[10559:0] error: error parsing local-data at 31 ‘Roku Express.xx.yy.com 60 IN A 192.168.1.82’: Syntax error, could not parse the RR’s type
Jul 08 18:51:13 unbound[10559:0] error: Bad local-data RR Roku Express.xx.yy.com 60 IN A 192.168.1.82
Jul 08 18:51:13 unbound[10559:0] fatal error: Could not set up local zones

That looked similar to the “network/Edit Hosts” menu of current hosts. At first I did not see the error. Now I see it all the time. NO Spaces are allowed in URLs. So shortening the “Roku Express” to “RokuExpress” in hosts, retrying “unbound -dd” on the command line worked.

Checking the Status in network/Domain Name System, reveals “Working”.

Your mileage may vary (YMMV). Why? because of flakey configurations that are not checked at menu entry time. The DNS/unbound is still a work in progress, but much much much better than before. Thanks to the developers.

The hostname check will be corrected with one of the next core updates.
The problem is known. But if you don’t use unallowed characters in hostnames/URLs there is no problem.

Did anyone ever find solution to this? I have same problem. Seems lik ever sense ipfire updated everything is unstable at best. Feel more like floating this thing down the river :{

Hello,

I am currently not aware of any severe bugs in the DNS stack…

If there is anything, I will need at least some log files.

-Michael

I’m still using TCP for DNS queries.

If I go with UDP if stops working when it feels like it, time varies. Not sure what or how quitting time is decided. Using TLS it pretty much goes on strike within a few minutes of the change. Between you and me, I have a sneaky suspicion it works for the government and is expecting a raise.

Then I would recommend following Michael’s advice to provide some logs for investigation to identify what is causing the problems that you are experiencing.

I have been using TLS DNS since it became available and I have had a rock solid performance with no issues at all.
If TLS goes on strike for you within a few minutes of the change then that should show up in the logs.

At 11:56 I changed TCP to TLS and now it says
Status: Broken
8<— snip from log, to be viewed in reverse order, the SERVFAIL goes on forever

12h08 swapped to UDP and this is the result…
Status: Working
8<— snip from log, to be viewed in reverse order, nothing is unresolved

Hi.

It may be useless, but to try …

In TLS Hostname put “dns.google”.

It should look like this:

imagen954×387 12.2 KB

Tell us the results.

Regads.

That’s already there. Was one of the first things I did, see below

And this is the result…

Screen Shot 2020-10-07 at 12.16.30 PM926×277 22.4 KB

It took about 10min to fail with UDP as well… as said. Only TCP seems to keep working without issues. The machine is on Core 149

The log snip from when I changed over from TLS to TCP…
It’s now 12h26 and no new entries of SERVFAIL show up. Browsing etc. works

Hi @troll-op,

I am definitely no expert on unbound and dns but I am wondering if there is something wrong in your unbound.conf or forward.conf files. Could you provide the contents of them. They are in /etc/unbound

At the least I can then compare them with mine and see if I can see anything unusually different.

cat /etc/unbound/unbound.conf 
    #
    # Unbound configuration file for IPFire
    #
    # The full documentation is available at:
    # https://nlnetlabs.nl/documentation/unbound/unbound.conf/
    #

    server:
    	# Common Server Options
    	chroot: ""
    	directory: "/etc/unbound"
    	username: "nobody"
    	do-ip6: no

    	# System Tuning
    	include: "/etc/unbound/tuning.conf"

    	# Logging Options
    	use-syslog: yes
    	log-time-ascii: yes

    	# Unbound Statistics
    	statistics-interval: 86400
    	extended-statistics: yes

    	# Prefetching
    	prefetch: yes
    	prefetch-key: yes

    	# Randomise any cached responses
    	rrset-roundrobin: yes

    	# Privacy Options
    	hide-identity: yes
    	hide-version: yes

    	# DNSSEC
    	auto-trust-anchor-file: "/var/lib/unbound/root.key"
    	val-log-level: 1
    	log-servfail: yes

    	# Hardening Options
    	harden-large-queries: yes
    	harden-referral-path: yes
    	aggressive-nsec: yes

    	# TLS
    	tls-cert-bundle: /etc/ssl/certs/ca-bundle.crt

    	# EDNS Buffer Size (#12240)
    	edns-buffer-size: 1232

    	# Harden against DNS cache poisoning
    	unwanted-reply-threshold: 1000000

    	# Listen on all interfaces
    	interface-automatic: yes
    	interface: 0.0.0.0

    	# Allow access from everywhere
    	access-control: 0.0.0.0/0 allow

    	# Bootstrap root servers
    	root-hints: "/etc/unbound/root.hints"

    	# Include DHCP leases
    	include: "/etc/unbound/dhcp-leases.conf"

    	# Include hosts
    	include: "/etc/unbound/hosts.conf"

    	# Include any forward zones
    	include: "/etc/unbound/forward.conf"

    remote-control:
    	control-enable: yes
    	control-use-cert: no
    	control-interface: 127.0.0.1

    # Import any local configurations
    include: "/etc/unbound/local.d/*.conf"

The forward.conf is auto generated by the server when you make changes in the WebGUI but sure…

cat /etc/unbound/forward.conf 
# This file is automatically generated and any changes
# will be overwritten. DO NOT EDIT!

# Force using TCP for upstream servers only
server:
	tcp-upstream: yes

forward-zone:
	name: "."
	forward-addr: 8.8.8.8
	forward-addr: 8.8.4.4