I have been having this issue with ipfire_ since I installed it a few months back. Basically our ISP, Verizon FIOS, does not allow DNSSEC on the network.
I’ve implemented configuration changes to unbound as described here here except for the module-config change to iterator because it completely disabled all DNS lookups:
However, every couple of days I still get error: SERVFAIL : all the configured stub or forward servers failed, at zone . upstream server timeout and ipfire_ briefly loses connection to the internet. This wreaks havoc in our home. Both my wife and I are remote employees, with her being most impacted because of her job receiving inbound phone calls through her company’s hardware VPN.
I really don’t want to move to a different firewall, but if I can’t find a solution to this DNS problem, I’m going to have to.
IPFire is built with DNSSEC built in. It was installed back in Core Update 60 and since Core Update 106 it has been mandatory and can not be turned off.
I would also recommend using the DNS over TLS options so you have encrypted DNS searches via your chosen DNS providers. This will prevent your ISP from seeing any of your DNS traffic.
However if they just block all DNS related ports (53, 853, and 5353) unless you use their unprotected DNS server then I would suggest looking for another ISP.
An ISP that does not allow DNSSEC or encrypted DNS searches is a very poor ISP, exposing their customers to DNS man in the middle attacks and the like and some ISPs that do this also then redirect your DNS searches to send you to websites that the ISP wants to send you to.
Hopefully your ISP is not blocking all DNS ports except to their DNS IP and turning off the ISP DNS Servers and using some of the recommended DNS Servers in the IPFire list will get your DNS system working.
However if they just block all DNS related ports (53, 853, and 5353) unless you use their unprotected DNS server then I would suggest looking for another ISP.
This is a completely impractical recommendation. In many areas of the USA, only one ISP is available. ipfire_ is the only firewall software I’ve had a problem with using Verizon FIOS. I like it, but you’re absolutely off your rocker to recommend I stick with the software and change my service. It’s a non-starter. I’ve had this service for almost a decade and it is the most robust and fastest service available in our area.
I reenabled the trust anchor, disabled permissive mode, and restarted unbound, just to have a baseline of what’s happening for the community in case someone can help.
I’m now seeing what I saw before in the logs: info: validation failure <_dns.resolver.arpa. SVCB IN>: no NSEC3 records from 4 5.11.45.11 for DS resolver.arpa. while building chain of trust info: validation failure <_dns.resolver.arpa. SVCB IN>: no DNSSEC records from 76.76.2.0 for DS resolver.arpa. while building chain of trust
This will eventually happen for all the rest of the DNS servers as well.
I entered 45.11.45.11 and 76.76.2.0 as DNS servers into my system (disabling all others) and the overall system status is working and both of the DNS providers show a status of OK with a message of DNSSEC Validating when the mouse pointer is put over the OK symbol.
You could also try out the recursor mode. Leave the ISP DNS servers disabled and then disable all the DNS servers that you have entered.
The system will then go into Recursor mode and the overall status should show
From the wiki
Recursive Resolver
If there are no (working) DNS servers configured, the system will go into recursor mode. In this mode, it will contact the root servers to resolve queries and recursively work its way down the DNS tree without using any third-party resolvers.
Yes, I see that they’re all OK on my ipfire_ instance as well.
I’ll try recursor mode. I disabled all the DNS serves and it shows it is Working (Recursor Mode)
Your DNS config looks just like a standard config with DNSSEC enabled servers.
Except I get SERVFAIL and validation errors and eventually my ipfire_ system disconnects every couple of days during work, as noted above, causing problems for both my and my wife’s work product.
Hmmm. Here I’m thinking it is the DNS failures causing the disconnects. But you’re saying that’s not possible and it’s the other way around? My ONT is ~ 10 years old and on the outside of the house.
I’m not saying it is other way around. But without WAN connection, there is no name resolution possible.
What is the sequence of messages? Which other errors are logged in case of your DNS errors? The ‘status → Network ( others )’ is also good information. The gateway graph shows the ping time to the gateway ( logically the first hop in WAN ).
Still having DNS fails as a separate issue with the recursive resolver.
|18:15:09|unbound: [911:0]|error: SERVFAIL : all servers for this domain fail ed, at zone adsymptotic.com. from 108.162.192.241 got REFUSED|
|---|---|---|
|18:15:09|unbound: [911:0]|error: SERVFAIL : all servers for this domain failed, at zone adsymptotic.com. from 172.64.33.223 got REFUSED|
|18:14:42|unbound: [911:0]|error: SERVFAIL : all servers for this domain failed, at zone adsymptotic.com. from 173.245.59.223 got REFUSED|
|18:14:42|unbound: [911:0]|error: SERVFAIL : all servers for this domain fail ed, at zone adsymptotic.com. from 172.64.32.241 got REFUSED|
|18:14:19|unbound: [911:0]|error: SERVFAIL : all servers for this domain fail ed, at zone adsymptotic.com. from 172.64.32.241 got REFUSED|
|18:14:19|unbound: [911:0]|error: SERVFAIL : all servers for this domain failed, at zone adsymptotic.com. from 108.162.192.241 got REFUSED|
|18:14:11|unbound: [911:0]|error: SERVFAIL : all servers for this domain failed, at zone adsymptotic.com. from 173.245.58.241 got REFUSED|
|18:14:11|unbound: [911:0]|error: SERVFAIL : all servers for this domain fail ed, at zone adsymptotic.com. from 172.64.32.241 got REFUSED|
|18:13:18|unbound: [911:0]|error: SERVFAIL : all servers for this domain failed, at zone adsymptotic.com. from 108.162.193.223 got REFUSED|
|18:13:18|unbound: [911:0]|error: SERVFAIL : all servers for this domain fail ed, at zone adsymptotic.com. from 108.162.193.223 got REFUSED|
|16:39:22|unbound: [911:0]|error: SERVFAIL : exceeded the maximum nameserver nxdomains|
Everything is set back to normal except I did set domain-insecure: "home" this morning and restarted unbound after reading that servfailures could be from my local domain.
I’m seeing validation and servfail errors constantly in the logs from last night. I have pages and pages of them. Servfails happened every few seconds for all hours last night:
|07:39:05|unbound: [27287:0]|info: validation failure <_dns.resolver.arpa. SVCB IN>: no NSEC3 records from 1 49.112.112.112 for DS resolver.arpa. while building chain of trust|
|07:33:00|unbound: [27287:0]|info: validation failure <_dns.resolver.arpa. SVCB IN>: no NSEC3 records from 1 49.112.112.112 for DS resolver.arpa. while building chain of trust|
|07:30:25|unbound: [27287:0]|info: validation failure <_dns.resolver.arpa. SVCB IN>: no NSEC3 records from 1 49.112.112.112 for DS resolver.arpa. while building chain of trust|
|07:28:50|unbound: [27287:0]|info: validation failure <_dns.resolver.arpa. SVCB IN>: no NSEC3 records from 9 .9.9.9 for DS resolver.arpa. while building chain of trust|
|07:26:36|unbound: [27287:0]|info: validation failure <_dns.resolver.arpa. SVCB IN>: no NSEC3 records from 9 .9.9.9 for DS resolver.arpa. while building chain of trust|
|07:07:31|unbound: [27287:0]|info: validation failure <_dns.resolver.arpa. SVCB IN>: no NSEC3 records from 9 .9.9.9 for DS resolver.arpa. while building chain of trust|
|07:06:17|unbound: [27287:0]|info: validation failure <_dns.resolver.arpa. SVCB IN>: no NSEC3 records from 9 .9.9.9 for DS resolver.arpa. while building chain of trust|
|07:00:57|unbound: [27287:0]|info: validation failure <_dns.resolver.arpa. SVCB IN>: no NSEC3 records from 1 49.112.112.112 for DS resolver.arpa. while building chain of trust|
|03:23:23|unbound: [27287:0]|error: SERVFAIL : all the configured stub or for ward servers failed, at zone . no server to query nameserver addresses not usabl e have no nameserver names|
|---|---|---|
|03:23:23|unbound: [27287:0]|error: SERVFAIL : all the configured stub or forward serv ers failed, at zone . no server to query nameserver addresses not usable have no nameserver names|
|03:23:23|unbound: [27287:0]|error: SERVFAIL : all the configured stub or forward servers failed, at zone . no server to query nameserver addresses not usable hav e no nameserver names|
|03:23:23|unbound: [27287:0]|error: SERVFAIL : all the configured stub or forward serv ers failed, at zone . no server to query nameserver addresses not usable have no nameserver names|
|03:23:21|unbound: [27287:0]|error: SERVFAIL : all the configured stub or forward serv ers failed, at zone . no server to query nameserver addresses not usable have no nameserver names|
|03:23:18|unbound: [27287:0]|error: SERVFAIL : all the configured stub or forward servers failed, at zone . no server to query nameserver address es not usable have no nameserver names|
|03:23:18|unbound: [27287:0]|error: SERVFAIL : all the configured stu b or forward servers failed, at zone . no server to query nameserver addresses n ot usable have no nameserver names|
|03:23:17|unbound: [27287:0]|error: SERVFAIL : all the configured stub or for ward servers failed, at zone . no server to query nameserver addresses not usabl e have no nameserver names|
Well, I will give you the backroom reason why some are not DNSSEC. Its because they are already using an encapsulation encryption, and the 0 day in DNSSEC will unmask the source ip address. This is why some systems including web hosting or an isp that run web hosting on their systems don’t use DNSSEC.
Your configuration is incorrect for your isp.
it should look like this:
My ISP’s DNS servers will not validate with DNSSEC, which is why the group suggested to NOT use the ISP’s DNS. Regardless, the same things happen with or without using my ISP’s DNS servers.
