DNS server error

Hi everyone,

I’m trying to figure out an issue that’s been driving me a bit crazy, but I haven’t managed to solve it yet. I’m not sure whether it’s caused by my configuration or if there’s something in IPFire that isn’t working as expected.

This concerns my test setup.

Here’s how my configuration is structured: I have my ISP’s router, and right after it, an IPFire system running the latest Core Update 200. On its green network, I’ve connected a second machine that I use for testing, also running IPFire, with its red interface set to DHCP.

If I connect my PC directly to the green network of the main firewall, everything works perfectly and I can browse without any issues.
However, if I connect my PC to the green network of the test firewall, I can’t access the internet. After checking, I noticed that the DNS server service is constantly stopped.

I also ran another test: when I connect the test IPFire directly to the ISP router, after a reboot the DNS service starts and works perfectly.

I’ve checked the DNS server logs, but I can’t find any clear reason why the service isn’t starting.

Has anyone experienced something similar or have any idea what might be causing this behavior?

Thanks in advance for any help!

I am running the same sort of setup, as I have a main IPFire FW and then a complete VM network with a VM IPFire with green, blue and orange VM PCs. Connection to the internet is fine and the DNS server on my testbed system works with no issues.

What do you have set up in the Domain Name System WUI page of your Test Firewall?

my test machine’s DNS server configuration

In this case your ISP assigned DNS Server is your primary IPFire.

It should work with that, but to remove any problem with going via two IPFire DNS servers, uncheck the "Use ISP-assigned DNS servers" option.

After doing that and pressing the Save button, if the top left Status indicator still has a red Broken, what message do you get when you place your mouse pointer over the red Broken?

You have mentioned that the DNS server on that IPFire is not running at times.

After pressing the Save button the unbound DNS server should start running. If the top left status becomes a green Working and the unbound status is running, then wait until the top left status message becomes a red Broken again. Confirm that the unbound status is not running. Then look in the Logs - System Logs - DNS: Unbound selection in the drop down box and see what messages are there from the time that it was working to when it stopped running.

Are the main IPFire and the test IPFire both running standard IPFire setups, or have you got any unofficial addons or modifications on one or both?
If the latter, then I would remove those, ensuring that everything has been fully removed and/or returned to its original condition, and then see if the same problem still occurs.

The main IPFire installation has no additional unofficial modules.
This is the log of the test machine.

18:25:44 	unbound: [1552:0] 	info: generate keytag query _ta-4a5c-4f66. NULL IN
18:25:44 	unbound: [1552:0] 	info: failed to prime trust anchor -- could not fetch DNSKEY rrset . DNSKEY IN
18:25:12 	unbound: [1552:0] 	info: generate keytag query _ta-4a5c-4f66. NULL IN
18:25:12 	unbound: [1552:0] 	info: failed to prime trust anchor -- could not fetch DNSKEY rrset . DNSKEY IN
18:24:39 	unbound: [1552:0] 	info: generate keytag query _ta-4a5c-4f66. NULL IN
18:24:23 	unbound: [1552:0] 	info: validation failure <xfr.dbl.ipfire.org. A IN>: key for validation . is marked as invalid because of a previous
18:24:14 	unbound: [1552:0] 	error: SERVFAIL <ping.ipfire.org. A IN>: all the configured stub or forward servers failed, at zone . upstream server timeout
18:23:37 	unbound: [1552:0] 	info: validation failure <mirror1.ipfire.org.localdomain. A IN>: key for validation . is marked as invalid because of a previous
18:23:37 	unbound: [1552:0] 	info: validation failure <mirror1.ipfire.org. A IN>: key for validation . is marked as invalid because of a previous
18:23:35 	unbound: [1552:0] 	info: validation failure <0.ipfire.pool.ntp.org. A IN>: no DNSKEY rrset [all the configured stub or forward servers failed, at zone . from 8.8.4.4 upstream server timeout] for trust anchor . while building chain of trust
18:23:35 	unbound: [1552:0] 	info: validation failure <fireinfo.ipfire.org.localdomain. AAAA IN>: no DNSKEY rrset [all the configured stub or forward servers failed, at zone . from 8.8.4.4 upstream server timeout] for trust anchor . while building chain of trust
18:23:35 	unbound: [1552:0] 	info: validation failure <pakfire.ipfire.org. A IN>: no DNSKEY rrset [all the configured stub or forward servers failed, at zone . from 8.8.4.4 upstream server timeout] for trust anchor . while building chain of trust
18:23:35 	unbound: [1552:0] 	info: validation failure <xfr.dbl.ipfire.org. A IN>: no DNSKEY rrset [all the configured stub or forward servers failed, at zone . from 8.8.4.4 upstream server timeout] for trust anchor . while building chain of trust
18:23:35 	unbound: [1552:0] 	info: validation failure <fireinfo.ipfire.org. AAAA IN>: no DNSKEY rrset [all the configured stub or forward servers failed, at zone . from 8.8.4.4 upstream server timeout] for trust anchor . while building chain of trust
18:23:35 	unbound: [1552:0] 	info: validation failure <fireinfo.ipfire.org.localdomain. A IN>: no DNSKEY rrset [all the configured stub or forward servers failed, at zone . from 8.8.4.4 upstream server timeout] for trust anchor . while building chain of trust
18:23:35 	unbound: [1552:0] 	info: validation failure <fireinfo.ipfire.org. A IN>: no DNSKEY rrset [all the configured stub or forward servers failed, at zone . from 8.8.4.4 upstream server timeout] for trust anchor . while building chain of trust
18:23:35 	unbound: [1552:0] 	info: validation failure <pakfire.ipfire.org.localdomain. A IN>: no DNSKEY rrset [all the configured stub or forward servers failed, at zone . from 8.8.4.4 upstream server timeout] for trust anchor . while building chain of trust
18:23:35 	unbound: [1552:0] 	info: failed to prime trust anchor -- could not fetch DNSKEY rrset . DNSKEY IN
18:23:05 	unbound: [1552:0] 	info: generate keytag query _ta-4a5c-4f66. NULL IN
18:23:05 	unbound: [1552:0] 	info: failed to prime trust anchor -- could not fetch DNSKEY rrset . DNSKEY IN
18:22:35 	unbound: [1552:0] 	info: generate keytag query _ta-4a5c-4f66. NULL IN
18:22:35 	unbound: [1552:0] 	info: failed to prime trust anchor -- could not fetch DNSKEY rrset . DNSKEY IN
18:22:05 	unbound: [1552:0] 	info: generate keytag query _ta-4a5c-4f66. NULL IN
18:22:05 	unbound: [1552:0] 	info: failed to prime trust anchor -- could not fetch DNSKEY rrset . DNSKEY IN
18:21:35 	unbound: [1552:0] 	info: generate keytag query _ta-4a5c-4f66. NULL IN
18:21:35 	unbound: [1552:0] 	info: failed to prime trust anchor -- could not fetch DNSKEY rrset . DNSKEY IN
18:21:05 	unbound: [1552:0] 	info: generate keytag query _ta-4a5c-4f66. NULL IN
18:21:05 	unbound: [1552:0] 	info: failed to prime trust anchor -- could not fetch DNSKEY rrset . DNSKEY IN
18:21:05 	unbound: [1552:0] 	info: failed to prime trust anchor -- could not fetch DNSKEY rrset . DNSKEY IN
18:20:35 	unbound: [1552:0] 	info: generate keytag query _ta-4a5c-4f66. NULL IN
18:20:35 	unbound: [1552:0] 	error: SERVFAIL <fireinfo.ipfire.org.localdomain. A IN>: all the configured stub or forward servers failed, at zone . no server to query nameserver addresses not usable have no nameserver names
18:20:15 	unbound: [1552:0] 	error: doh.rpz.ipfire.org.: failed lookup, cannot probe to master xfr.dbl.ipfire.org
18:20:15 	unbound: [1552:0] 	error: dating.rpz.ipfire.org.: failed lookup, cannot probe to master xfr.dbl.ipfire.org
18:20:15 	unbound: [1552:0] 	error: ads.rpz.ipfire.org.: failed lookup, cannot probe to master xfr.dbl.ipfire.org
18:20:15 	unbound: [1552:0] 	error: SERVFAIL <xfr.dbl.ipfire.org. A IN>: all the configured stub or forward servers failed, at zone . upstream server timeout
18:20:09 	unbound: [1552:0] 	error: SERVFAIL <ping.ipfire.org. A IN>: all the configured stub or forward servers failed, at zone . upstream server timeout
18:19:42 	unbound: [1552:0] 	error: ads.rpz.ipfire.org.: failed lookup, cannot probe to master xfr.dbl.ipfire.org
18:19:42 	unbound: [1552:0] 	error: dating.rpz.ipfire.org.: failed lookup, cannot probe to master xfr.dbl.ipfire.org
18:19:42 	unbound: [1552:0] 	error: doh.rpz.ipfire.org.: failed lookup, cannot probe to master xfr.dbl.ipfire.org
18:19:42 	unbound: [1552:0] 	error: SERVFAIL <xfr.dbl.ipfire.org. A IN>: all the configured stub or forward servers failed, at zone . upstream server timeout
18:19:36 	unbound: [1552:0] 	error: dating.rpz.ipfire.org.: failed lookup, cannot probe to master xfr.dbl.ipfire.org
18:19:36 	unbound: [1552:0] 	error: SERVFAIL <xfr.dbl.ipfire.org. A IN>: SERVFAIL in cache
18:19:36 	unbound: [1552:0] 	error: doh.rpz.ipfire.org.: failed lookup, cannot probe to master xfr.dbl.ipfire.org
18:19:36 	unbound: [1552:0] 	error: SERVFAIL <xfr.dbl.ipfire.org. A IN>: SERVFAIL in cache
18:19:36 	unbound: [1552:0] 	error: ads.rpz.ipfire.org.: failed lookup, cannot probe to master xfr.dbl.ipfire.org
18:19:36 	unbound: [1552:0] 	error: SERVFAIL <xfr.dbl.ipfire.org. A IN>: SERVFAIL in cache
18:19:33 	unbound: [1552:0] 	error: doh.rpz.ipfire.org.: failed lookup, cannot probe to master xfr.dbl.ipfire.org
18:19:33 	unbound: [1552:0] 	error: dating.rpz.ipfire.org.: failed lookup, cannot probe to master xfr.dbl.ipfire.org
18:19:33 	unbound: [1552:0] 	error: ads.rpz.ipfire.org.: failed lookup, cannot probe to master xfr.dbl.ipfire.org
18:19:33 	unbound: [1552:0] 	error: SERVFAIL <xfr.dbl.ipfire.org. A IN>: all the configured stub or forward servers failed, at zone . upstream server timeout
18:19:33 	unbound: [1552:0] 	error: SERVFAIL <. DNSKEY IN>: all the configured stub or forward servers failed, at zone . upstream server timeout
18:19:33 	unbound: [1552:0] 	info: start of service (unbound 1.24.2).
18:19:33 	unbound: [1552:0] 	notice: init module 2: iterator
18:19:33 	unbound: [1552:0] 	notice: init module 1: validator
18:19:33 	unbound: [1552:0] 	notice: init module 0: respip
18:18:38 	unbound: [1542:0] 	info: 1.000000 2.000000 1
18:18:38 	unbound: [1542:0] 	info: 0.524288 1.000000 1
18:18:38 	unbound: [1542:0] 	info: 0.016384 0.032768 1
18:18:38 	unbound: [1542:0] 	info: 0.002048 0.004096 1
18:18:38 	unbound: [1542:0] 	info: lower(secs) upper(secs) recursions
18:18:38 	unbound: [1542:0] 	info: [25%]=0.004096 median[50%]=0.032768 [75%]=1
18:18:38 	unbound: [1542:0] 	info: histogram of recursion processing times
18:18:38 	unbound: [1542:0] 	info: average recursion processing time 0.562737 sec
18:18:38 	unbound: [1542:0] 	info: server stats for thread 0: requestlist max 9 avg 5.70345 exceeded 0 jostled 0
18:18:38 	unbound: [1542:0] 	info: server stats for thread 0: 294 queries, 149 answers from cache, 145 recursions, 0 prefetch, 0 rejected by ip ratelimiting
18:18:38 	unbound: [1542:0] 	info: service stopped (unbound 1.24.2).
18:18:32 	unbound: [1542:0] 	info: generate keytag query _ta-4a5c-4f66. NULL IN
18:18:32 	unbound: [1542:0] 	info: failed to prime trust anchor -- could not fetch DNSKEY rrset . DNSKEY IN
18:16:42 	unbound: [1542:0] 	info: generate keytag query _ta-4a5c-4f66. NULL IN
18:16:42 	unbound: [1542:0] 	info: failed to prime trust anchor -- could not fetch DNSKEY rrset . DNSKEY IN
18:16:16 	unbound: [1542:0] 	info: generate keytag query _ta-4a5c-4f66. NULL IN
18:16:16 	unbound: [1542:0] 	info: failed to prime trust anchor -- could not fetch DNSKEY rrset . DNSKEY IN
18:15:31 	unbound: [1542:0] 	info: generate keytag query _ta-4a5c-4f66. NULL IN
18:15:31 	unbound: [1542:0] 	info: failed to prime trust anchor -- could not fetch DNSKEY rrset . DNSKEY IN
18:14:52 	unbound: [1542:0] 	info: generate keytag query _ta-4a5c-4f66. NULL IN
18:14:52 	unbound: [1542:0] 	info: failed to prime trust anchor -- could not fetch DNSKEY rrset . DNSKEY IN
18:14:21 	unbound: [1542:0] 	info: generate keytag query _ta-4a5c-4f66. NULL IN
18:07:57 	unbound: [1542:0] 	info: validation failure <xfr.dbl.ipfire.org. A IN>: key for validation . is marked as invalid because of a previous
18:07:57 	unbound: [1542:0] 	info: validation failure <location.ipfire.org.localdomain. AAAA IN>: no DNSKEY rrset [all the configured stub or forward servers failed, at zone . from 192.168.10.1 upstream server timeout] for trust anchor . while building chain of trust
18:07:57 	unbound: [1542:0] 	info: validation failure <location.ipfire.org. AAAA IN>: no DNSKEY rrset [all the configured stub or forward servers failed, at zone . from 192.168.10.1 upstream server timeout] for trust anchor . while building chain of trust
18:07:57 	unbound: [1542:0] 	info: validation failure <_v1._db.location.ipfire.org. TXT IN>: no DNSKEY rrset [all the configured stub or forward servers failed, at zone . from 192.168.10.1 upstream server timeout] for trust anchor . while building chain of trust
18:07:57 	unbound: [1542:0] 	info: validation failure <location.ipfire.org.localdomain. A IN>: no DNSKEY rrset [all the configured stub or forward servers failed, at zone . from 192.168.10.1 upstream server timeout] for trust anchor . while building chain of trust
18:07:57 	unbound: [1542:0] 	info: validation failure <location.ipfire.org. A IN>: no DNSKEY rrset [all the configured stub or forward servers failed, at zone . from 192.168.10.1 upstream server timeout] for trust anchor . while building chain of trust
18:07:57 	unbound: [1542:0] 	info: failed to prime trust anchor -- could not fetch DNSKEY rrset . DNSKEY IN
18:07:15 	unbound: [1542:0] 	info: generate keytag query _ta-4a5c-4f66. NULL IN
18:07:15 	unbound: [1542:0] 	info: failed to prime trust anchor -- could not fetch DNSKEY rrset . DNSKEY IN
18:06:30 	unbound: [1542:0] 	info: generate keytag query _ta-4a5c-4f66. NULL IN
18:06:30 	unbound: [1542:0] 	info: failed to prime trust anchor -- could not fetch DNSKEY rrset . DNSKEY IN
18:05:44 	unbound: [1542:0] 	info: generate keytag query _ta-4a5c-4f66. NULL IN
18:05:44 	unbound: [1542:0] 	info: failed to prime trust anchor -- could not fetch DNSKEY rrset . DNSKEY IN
18:04:59 	unbound: [1542:0] 	info: generate keytag query _ta-4a5c-4f66. NULL IN
18:04:59 	unbound: [1542:0] 	info: failed to prime trust anchor -- could not fetch DNSKEY rrset . DNSKEY IN
18:04:15 	unbound: [1542:0] 	info: generate keytag query _ta-4a5c-4f66. NULL IN
18:04:15 	unbound: [1542:0] 	info: failed to prime trust anchor -- could not fetch DNSKEY rrset . DNSKEY IN
18:03:45 	unbound: [1542:0] 	info: generate keytag query _ta-4a5c-4f66. NULL IN
18:01:33 	unbound: [1542:0] 	info: validation failure <xfr.dbl.ipfire.org. A IN>: no DNSKEY rrset [all the configured stub or forward servers failed, at zone . from 8.8.4.4 upstream server timeout] for trust anchor . while building chain of trust
18:01:33 	unbound: [1542:0] 	info: validation failure <pakfire.ipfire.org.localdomain. A IN>: no DNSKEY rrset [all the configured stub or forward servers failed, at zone . from 8.8.4.4 upstream server timeout] for trust anchor . while building chain of trust
18:01:33 	unbound: [1542:0] 	info: validation failure <pakfire.ipfire.org. A IN>: no DNSKEY rrset [all the configured stub or forward servers failed, at zone . from 8.8.4.4 upstream server timeout] for trust anchor . while building chain of trust
18:01:33 	unbound: [1542:0] 	info: validation failure <mirror1.ipfire.org.localdomain. A IN>: key for validation . is marked as invalid because of a previous
18:01:33 	unbound: [1542:0] 	info: validation failure <mirror1.ipfire.org. A IN>: key for validation . is marked as invalid because of a previous
18:01:33 	unbound: [1542:0] 	info: validation failure <ping.ipfire.org. A IN>: no DNSKEY rrset [all the configured stub or forward servers failed, at zone . from 8.8.4.4 upstream server timeout] for trust anchor . while building chain of trust
18:01:33 	unbound: [1542:0] 	info: failed to prime trust anchor -- could not fetch DNSKEY rrset . DNSKEY IN
18:00:48 	unbound: [1542:0] 	info: generate keytag query _ta-4a5c-4f66. NULL IN
18:00:48 	unbound: [1542:0] 	info: failed to prime trust anchor -- could not fetch DNSKEY rrset . DNSKEY IN
18:00:03 	unbound: [1542:0] 	info: generate keytag query _ta-4a5c-4f66. NULL IN
18:00:03 	unbound: [1542:0] 	info: failed to prime trust anchor -- could not fetch DNSKEY rrset . DNSKEY IN
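The advice earlier in the thread was to compare the Unbound log from when it was working to when it stopped. The script below is an added example, not part of this thread and not IPFire code: it parses lines in the format the WUI log export uses (HH:MM:SS, tab, `unbound: [PID:THREAD]`, tab, level and message), counts the events that matter and names the most likely cause. The sample lines are copied from the log posted above; the regexes and the diagnosis wording are my own.

```python
import re
from collections import Counter

# One line of the IPFire "DNS: Unbound" system log as exported from the WUI:
#   HH:MM:SS <tab> unbound: [PID:THREAD] <tab> LEVEL: MESSAGE
LINE_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d)\s+unbound: \[(?P<pid>\d+):\d+\]\s+(?P<level>\w+): (?P<msg>.*)$"
)
# The forwarder address unbound names when a query to it timed out.
UPSTREAM_RE = re.compile(r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) upstream server timeout")

# Sample: a few lines taken from the log posted above, covering the run that
# stopped (PID 1542) and the following run (PID 1552).
SAMPLE_LOG = """\
18:19:33 \tunbound: [1552:0] \tnotice: init module 1: validator
18:19:33 \tunbound: [1552:0] \tinfo: start of service (unbound 1.24.2).
18:19:33 \tunbound: [1552:0] \terror: SERVFAIL <. DNSKEY IN>: all the configured stub or forward servers failed, at zone . upstream server timeout
18:20:35 \tunbound: [1552:0] \tinfo: generate keytag query _ta-4a5c-4f66. NULL IN
18:21:05 \tunbound: [1552:0] \tinfo: failed to prime trust anchor -- could not fetch DNSKEY rrset . DNSKEY IN
18:23:35 \tunbound: [1552:0] \tinfo: validation failure <pakfire.ipfire.org. A IN>: no DNSKEY rrset [all the configured stub or forward servers failed, at zone . from 8.8.4.4 upstream server timeout] for trust anchor . while building chain of trust
18:18:38 \tunbound: [1542:0] \tinfo: service stopped (unbound 1.24.2).
18:07:57 \tunbound: [1542:0] \tinfo: validation failure <location.ipfire.org. A IN>: no DNSKEY rrset [all the configured stub or forward servers failed, at zone . from 192.168.10.1 upstream server timeout] for trust anchor . while building chain of trust
"""


def parse_line(line):
    """Split one log line into its fields; None for lines that do not match the format."""
    m = LINE_RE.match(line.rstrip())
    return m.groupdict() if m else None


def triage(log_text):
    """Count the events behind 'unbound is up but resolves nothing' and name the cause."""
    counts = Counter()
    upstreams = set()
    pids = set()
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        pids.add(rec["pid"])
        msg = rec["msg"]
        if msg.startswith("start of service"):
            counts["starts"] += 1
        elif msg.startswith("service stopped"):
            counts["stops"] += 1
        elif msg.startswith("failed to prime trust anchor"):
            counts["prime_failures"] += 1
        elif msg.startswith("validation failure"):
            counts["validation_failures"] += 1
        if rec["level"] == "error" and msg.startswith("SERVFAIL"):
            counts["servfail"] += 1
        if "upstream server timeout" in msg:
            counts["upstream_timeouts"] += 1
            m = UPSTREAM_RE.search(msg)
            if m:
                upstreams.add(m.group("ip"))

    # Priming the trust anchor needs the root DNSKEY; if every forwarder times out,
    # that fetch can never succeed, so validation (and every answer) fails.
    if counts["upstream_timeouts"] and counts["prime_failures"]:
        diagnosis = ("upstream unreachable: the forwarders never answered, so unbound could not "
                     "fetch the root DNSKEY and DNSSEC validation never bootstrapped")
    elif counts["validation_failures"]:
        diagnosis = "validation failures with reachable forwarders: check the forwarders' DNSSEC support"
    else:
        diagnosis = "no resolver errors found"

    return {
        "pids": sorted(pids),
        "starts": counts["starts"],
        "stops": counts["stops"],
        "prime_failures": counts["prime_failures"],
        "validation_failures": counts["validation_failures"],
        "servfail": counts["servfail"],
        "upstream_timeouts": counts["upstream_timeouts"],
        "timed_out_upstreams": sorted(upstreams),
        "diagnosis": diagnosis,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run against the full log above it reports timeouts from both 8.8.4.4 and 192.168.10.1 (the main firewall's green address), which is the useful fact: the problem is reachability of the forwarders from the test box, not unbound itself.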

Is the upstream DNS server (presumably the externally connected router) not doing DNSSEC?

The upstream DNS server is another IPFire installation

Unbound on IPFire doesn’t do DNSSEC, as far as I know.

Another idea. Some days ago I also had DNS problems. After some investigation I found an old ‘improvement’, the denial of service.arpa and resolver.arpa.
See Stop service.arpa requests being sent to upstream DNS, for example.

That was fixed in CU195 with an update in unbound to 1.23.0.

Those logs show a working unbound that is not getting any response from the internet, as you mentioned.

What IP ranges do you have for the red network of the test IPFire (production green network) and for the green network on the test IPFire?

There has to be some configuration error somewhere here, as it just worked for me without any problems. In fact I have 4 IPFire VMs on my green network so that I am able to test out n2n OpenVPN, IPsec and WireGuard on different end IPFire systems.

Main firewall:
Red static IP 192.168.1.2/24
Green 192.168.10.1/24

Test firewall:
Red dynamic IP 192.168.10.64/24
Green 192.168.11.1/24

As mentioned, if I connect the laptop to the green port of the main firewall, it works perfectly.

As seen in your picture, your main IPFire’s Domain Name System is not working.

You could try TCP.

I would recommend not using your ISP DNS.

And use DNS over TLS; this is more secure.

You can find a list of recommended DNS providers.

Oh, this isn’t correct. If the chosen DNS provider has DNSSEC enabled (most have, but only this one without blocklist, the real one), you will get the signature with the answer, 100%, and in the logs you could find errors because of verification from time to time. There was a time DNSSEC was disabled on the server side because of a critical bug, where you could steal subdomains with a very simple hack that could freeze the biggest DNS servers in seconds, but this was fixed.
If you use an e-mail client which has the feature, enable DANE too ;D

IPFire has supported DNSSEC for almost 10 years: www.ipfire.org - Rolling out DNSSEC to the masses

This site is a small and wonderful tool to test if it is working -> https://dnscheck.tools/

If this is no longer the case, then please send the info to me, as fast as possible :smiley:

Edit: little jump scare on my side, but you can also test DNSSEC with “dig” in a Linux terminal. Don’t try common ones like google.com or ipfire.com (my scare :D); better use web.de or ipfire.org, as with the last two you can verify that DNSSEC is working.

dig <domain> DNSKEY +dnssec

BTW, what does it mean if this command gives only an e-mail? Does it mean this domain is not in use and may be buyable? For ipfire.com this is the case.

best regards
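Reading the output of the dig command above by eye is error-prone, so here is an added Python helper (my own example, not from this thread or from IPFire) that parses dig's text output and states what it means for DNSSEC: NOERROR with DNSKEY plus RRSIG records and the `ad` (Authenticated Data) flag means the resolver validated the answer; NOERROR with no answer and only an SOA in the AUTHORITY section is a NODATA reply, which is the "only an e-mail" case mentioned above, because the SOA's responsible-mailbox field (for example `hostmaster.example.org.`) looks like an e-mail address; SERVFAIL means validation failed or the resolver's upstream is broken. The three dig outputs are constructed, with placeholder key and signature data, so the script runs offline.

```python
import re

STATUS_RE = re.compile(r"status: (?P<status>\w+)")
FLAGS_RE = re.compile(r"^;; flags:(?P<flags>[^;]*);")
SECTION_RE = re.compile(r"^;; (?P<name>\w+) SECTION:")

# Constructed dig outputs; PLACEHOLDER-KEY / PLACEHOLDER-SIG stand in for real rdata.
VALIDATED = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12345
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; QUESTION SECTION:
;signed.example.\t\t\tIN\tDNSKEY

;; ANSWER SECTION:
signed.example.\t3600\tIN\tDNSKEY\t257 3 13 PLACEHOLDER-KEY
signed.example.\t3600\tIN\tRRSIG\tDNSKEY 13 2 3600 20260501000000 20260401000000 12345 signed.example. PLACEHOLDER-SIG
"""

UNSIGNED = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2222
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;unsigned.example.\t\t\tIN\tDNSKEY

;; AUTHORITY SECTION:
unsigned.example.\t900\tIN\tSOA\tns1.unsigned.example. hostmaster.unsigned.example. 2026040101 3600 900 1209600 900
"""

SERVFAIL = """\
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 3333
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; QUESTION SECTION:
;broken.example.\t\t\tIN\tDNSKEY
"""


def dnssec_status(dig_output):
    """Summarise the DNSSEC-relevant facts in 'dig <name> DNSKEY +dnssec' output."""
    status, flags, section = None, set(), None
    has_dnskey = has_rrsig = False
    soa_contact = None
    for line in dig_output.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith(";; ->>HEADER<<-"):
            m = STATUS_RE.search(line)
            status = m.group("status") if m else None
            continue
        m = FLAGS_RE.match(line)
        if m:
            flags = set(m.group("flags").split())
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group("name")
            continue
        if line.startswith(";"):
            continue  # comment or the question line
        fields = line.split()  # name ttl class type rdata...
        if len(fields) < 4:
            continue
        rrtype = fields[3]
        if section == "ANSWER":
            has_dnskey |= rrtype == "DNSKEY"
            has_rrsig |= rrtype == "RRSIG"
        elif section == "AUTHORITY" and rrtype == "SOA" and len(fields) >= 6:
            # SOA rdata: mname rname serial ...; rname is the contact mailbox with '@' written as '.'
            # (escaped dots inside the local part are ignored in this simplified parser).
            soa_contact = fields[5].rstrip(".").replace(".", "@", 1)

    if status == "SERVFAIL":
        verdict = "servfail"               # validation failed, or the resolver's upstream is broken
    elif status == "NOERROR" and has_dnskey and has_rrsig and "ad" in flags:
        verdict = "validated"              # signed zone, and this resolver validated it
    elif status == "NOERROR" and has_dnskey:
        verdict = "signed-not-validated"   # records returned but no AD: resolver is not validating
    elif status == "NOERROR" and soa_contact is not None:
        verdict = "unsigned-nodata"        # name exists but has no DNSKEY; only the SOA comes back
    else:
        verdict = "unknown"

    return {"status": status, "ad": "ad" in flags, "has_dnskey": has_dnskey,
            "has_rrsig": has_rrsig, "soa_contact": soa_contact, "verdict": verdict}


if __name__ == "__main__":
    for label, out in (("validated", VALIDATED), ("unsigned", UNSIGNED), ("servfail", SERVFAIL)):
        print(label, dnssec_status(out))
```

To use it on a live resolver, feed it `subprocess.run(["dig", name, "DNSKEY", "+dnssec"], capture_output=True, text=True).stdout`; a `servfail` verdict from the IPFire box together with a `validated` verdict from a known-good resolver points at the upstream path, matching the unbound log earlier in this thread.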

Good morning,

the issue has been resolved, although the identified solution does not appear to be entirely logically consistent.

I performed multiple attempts, including a complete reformat of the test machine on two occasions.

Since I was unable to identify the root cause, I decided to start from scratch, executing all operations sequentially and carefully verifying each step in order to detect any potential errors.

Given that version 199 was functioning correctly, I proceeded with a fresh installation starting from that release.

Once the installation was completed, I configured the system according to my standard test procedure: the “red” interface set to DHCP and the “green” interface configured with a static IP address on the test network, as previously described in an earlier post.

After completing the configuration, I verified that the system was working correctly: network navigation was fully operational and the DHCP server was running.

Subsequently, I initiated the upgrade process to the test version.

Upon completion of the upgrade and after the reboot, I performed the necessary checks and, to my surprise, the system was functioning correctly without any issues.

I then decided to repeat the entire procedure starting from the ISO of version 200.

Following the same steps, after rebooting with the test version, the issue described earlier occurred: the DHCP server does not start.

The procedure was repeated twice to rule out any operational errors, confirming that the issue only occurs when starting from the ISO of version 200.

As mentioned earlier, the observed behavior does not appear logically consistent, and at this time it is unclear what may be causing it.

I just did a fresh install of CU200 onto my VM testbed IPFire, which is connected to my production IPFire on the green network as you have described.

The DHCP server started and is running with no problems for me.

Screenshot_2026-04-13_10-55-24

Can you please show the DHCP server WUI page for your test IPFire?

I need to format the machine and load version 200.
I’ll do it this weekend as soon as I can.

I have been able to reproduce the DHCP server not running after a fresh install, but only by not specifying any dynamic DHCP range on the green interface.

Here I did not check the Enabled box for the DHCP server configuration and just pressed the OK button.

This causes the dhcpd.conf file to have no leases, fixed or dynamic, to supply to any client, and therefore the DHCP server will not start. In fact the IPFire install won’t even try to start the DHCP server.

Screenshot_2026-04-13_11-34-24

When you did your install, did you fill out a dynamic range for the DHCP server configuration and enable it?
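As an added check of the point made above (a dhcpd.conf with neither a dynamic range nor a fixed address has nothing to hand out), here is a small Python scanner of my own, not IPFire's code: it strips comments, walks the brace-delimited blocks and lists every `range` and `fixed-address` statement with the block it sits in. The sample configs are constructed in ordinary ISC dhcpd syntax; the exact layout IPFire writes to its dhcpd.conf is an assumption, and the first sample mirrors the situation described above, a green subnet with the DHCP server left disabled.

```python
import re

# Constructed sample: green subnet declared, DHCP server not enabled, so no "range" line.
CONF_NO_LEASES = """\
option domain-name "localdomain";
default-lease-time 3600;

subnet 192.168.11.0 netmask 255.255.255.0 {
    option routers 192.168.11.1;
    option domain-name-servers 192.168.11.1;
}
"""

# Same subnet with a dynamic range enabled.
CONF_WITH_RANGE = CONF_NO_LEASES.replace(
    "option domain-name-servers 192.168.11.1;",
    "option domain-name-servers 192.168.11.1;\n    range 192.168.11.100 192.168.11.200;",
)

# No dynamic range, but one fixed lease for a single test client (constructed MAC).
CONF_FIXED_ONLY = CONF_NO_LEASES + """
host testpc {
    hardware ethernet 00:11:22:33:44:55;  # constructed MAC
    fixed-address 192.168.11.50;
}
"""


def _strip_comments(text):
    """Remove '#' comments up to end of line."""
    return re.sub(r"#[^\n]*", "", text)


def lease_sources(conf_text):
    """Return the dynamic ranges and fixed addresses declared in a dhcpd.conf, by block."""
    ranges, fixed = [], []
    stack = []   # headers of the enclosing blocks, innermost last
    buf = ""     # text since the last '{', '}' or ';'
    for ch in _strip_comments(conf_text):
        if ch == "{":
            stack.append(buf.strip())
            buf = ""
        elif ch == "}":
            if stack:
                stack.pop()
            buf = ""
        elif ch == ";":
            stmt = buf.split()
            buf = ""
            if not stmt:
                continue
            scope = stack[-1] if stack else "global"
            if stmt[0] == "range":
                ranges.append((scope, " ".join(stmt[1:])))
            elif stmt[0] == "fixed-address":
                fixed.append((scope, " ".join(stmt[1:])))
        else:
            buf += ch
    return {
        "dynamic_ranges": ranges,
        "fixed_addresses": fixed,
        "can_serve": bool(ranges or fixed),
    }


if __name__ == "__main__":
    for label, conf in (("no leases", CONF_NO_LEASES), ("range", CONF_WITH_RANGE), ("fixed", CONF_FIXED_ONLY)):
        print(label, lease_sources(conf))
```

Running it on the first sample reports `can_serve: False`, which is the state in which nothing will be offered to a client and, as described above, the server is not started at all.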

Hi Adolf,
Let’s talk about the test machine, obviously.
The red network is in DHCP.
As for the green line your image refers to, I can confirm that DHCP is disabled, also because I only connect one PC for testing.

Then that is why your DHCP server is not running. That is not specific to CU200; it will apply to any CU.

You can have the DHCP server disabled, that is no problem, but you then have to specify all IPs on your clients as static ones.

With the DHCP server not running on my test IPFire system, its DNS is connected through to my production IPFire and is working with no problems,

and I can access web sites on the internet via my client (with a static IP) connected on the green network of my test IPFire.

So I still can’t reproduce the problem you are seeing.

Can you confirm that with your CU199 fresh install on your test IPFire the DNS was working and stayed working when updated to CU200, but with a fresh install of CU200 your DNS is showing as broken?