Using dig:
the last one —> 98.56.255.146.in-addr.arpa. 3599 IN PTR doh-dot.applied-privacy.net.
the last-1 —> 37.141.49.185.in-addr.arpa. 3289 IN PTR www.getdnsapi.net.
Maybe you can edit those entries and verify again.
I am using dns2.digitalcourage.de as one of my dns servers in TLS mode and it is working fine, also with the overall status.
I had a period from 00:07 to 01:47 this morning where all my dns servers were not working and I have a large number of SERVFAIL messages in my logs from that period but since 01:47 there has been no problem.
[root@ipf ~]# less /var/log/messages grep | unbound
Apr 30 15:40:03 unbound[30489:0] error: can’t bind socket: Address already in use for 127.0.0.1 port 8953
Apr 30 15:40:03 unbound[30489:0] error: cannot open control interface 127.0.0.1 8953
Apr 30 15:40:03 unbound[30489:0] fatal error: could not open ports
What’s that? What should I do?
DNS with TLS should use port 853, I thought - which config file is wrong?
That suggests that something else is using that address and port combination.
Try running netstat and see if port 8953 shows up in the output and if so what is shown as using it.
On my system I get
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 ipfire.domain:54570 dns2.digitalcourage:853 ESTABLISHED
As you say it should be using port 853.
You don’t have any firewall rules forcing the use of your DNS servers, do you?
If yes, then maybe check the port numbers that have been used for a typo.
If no, then we are getting close to the limit of my knowledge.
Will wait to see what netstat shows.
Edit:
You can ignore what I put above.
Netstat won’t show any DNS server connection because unbound can’t start. Also we are not interested in what is using port 8953 because the DNS servers should be using 853 as you mentioned.
The only unbound file I find that mentions the port is
/etc/unbound/forward.conf
This stores the servers you have listed in the DNS WUI table.
Mine looks like this
# This file is automatically generated and any changes
# will be overwritten. DO NOT EDIT!
forward-zone:
name: "."
forward-tls-upstream: yes
forward-addr: 46.182.19.48@853#dns2.digitalcourage.de
forward-addr: 185.49.141.37@853#getdnsapi.net
forward-addr: 81.3.27.54@853#recursor01.dns.ipfire.org
forward-addr: 89.233.43.71@853#unicast.censurfridns.dk
forward-addr: 185.95.218.42@853#dns.digitale-gesellschaft.ch
forward-addr: 146.255.56.98@853#dot1.applied-privacy.net
You can see that port 853 is specified for each of the servers.
If one of yours has 8953 in place of 853 I would suggest deleting that server in the WUI table and recreating it. If they are all 853 then I don’t have any further ideas.
I did a quick check of the unbound.conf file and it does not mention the port number.
I just ran netstat on my system and found lots of port 8953 messages. Searching on this port it shows up as related to TCP. I suspect that they are showing up on my system because I changed the protocol to TCP for a test.
Edit: All those port 8953 entries are now gone after a few minutes.
If that message about port 8953 came about when you had selected TLS then your problem might be that one of your entries is not capable of running in TLS mode and was trying to use tcp only. Maybe that causes a problem to unbound - not sure.
Try disabling the two entries that show up as error in the status column of your table and see if unbound starts when you press save.
Edit:
The IP addresses for those two DNS servers are not in the wiki List of Public DNS Servers.
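As an added example (not code from this thread or from IPFire), the following parses a forward.conf in the format shown above and flags the two mistakes discussed here: a server entry using 8953 (unbound’s control port) instead of 853, and a TLS upstream without the #authname that unbound needs to verify the server certificate. The sample file and the 192.0.2.x addresses are constructed.

```python
import re
from typing import List, Tuple

# Constructed sample in the format of IPFire's generated /etc/unbound/forward.conf;
# the 8953 entry and the bare address are deliberately wrong to exercise the check.
SAMPLE_FORWARD_CONF = """\
# This file is automatically generated and any changes
# will be overwritten. DO NOT EDIT!
forward-zone:
        name: "."
        forward-tls-upstream: yes
        forward-addr: 46.182.19.48@853#dns2.digitalcourage.de
        forward-addr: 185.49.141.37@853#getdnsapi.net
        forward-addr: 192.0.2.10@8953#dot.example.invalid
        forward-addr: 192.0.2.11
"""

DOT_PORT = 853                # DNS over TLS (RFC 7858)
UNBOUND_CONTROL_PORT = 8953   # unbound-control interface, not a DNS port

# forward-addr: <ip>[@port][#authname]
ADDR_RE = re.compile(r"^forward-addr:\s*(\S+?)(?:@(\d+))?(?:#(\S+))?$")

def parse_forward_conf(text: str) -> Tuple[bool, List[Tuple[str, int, str]]]:
    """Return (tls_enabled, [(ip, port, auth_name), ...]); port defaults to 53."""
    tls, servers = False, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):   # skip blank lines and comments
            continue
        if line.startswith("forward-tls-upstream:"):
            tls = line.split(":", 1)[1].strip().lower() == "yes"
            continue
        m = ADDR_RE.match(line)
        if m:
            ip, port, name = m.groups()
            servers.append((ip, int(port) if port else 53, name or ""))
    return tls, servers

def check_forward_conf(text: str) -> List[str]:
    """Return a list of problems; an empty list means every entry looks sane."""
    tls, servers = parse_forward_conf(text)
    problems = []
    for ip, port, name in servers:
        if port == UNBOUND_CONTROL_PORT:
            problems.append(f"{ip}: port {port} is unbound's control-port, not a DNS port")
        elif tls and port != DOT_PORT:
            problems.append(f"{ip}: TLS upstream but port {port} instead of {DOT_PORT}")
        if tls and not name:
            problems.append(f"{ip}: TLS upstream without #authname, certificate name is not verified")
    return problems
```

Running check_forward_conf on the generated file reports each offending entry, so a stray 8953 or a missing authentication name can be found before restarting unbound.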
control-port: <port number>
The port number to listen on for IPv4 or IPv6 control interfaces,
default is 8953. If you change this and permissions have been
dropped, you must restart the server for the change to take effect.
Here’s the output from netstat:
[root@fw1 local.d]# netstat -pat
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:domain 0.0.0.0:* LISTEN 8502/unbound
tcp 0 0 localhost.localdom:8953 0.0.0.0:* LISTEN 8502/unbound
tcp 0 0 0.0.0.0:rsh-spx 0.0.0.0:* LISTEN 9197/sshd: /usr/sbi
tcp 0 196 fw1.localdomain:rsh-spx 192.168.14.15:42204 ESTABLISHED 22484/sshd: root@pt
tcp6 0 0 [::]:81 [::]:* LISTEN 9213/httpd
tcp6 0 0 [::]:1013 [::]:* LISTEN 9213/httpd
tcp6 0 0 [::]:snpp [::]:* LISTEN 9213/httpd
A silly question, about something that happened to me. Do you have any firewall rule by country preventing, among others, “A3 Worldwide Anycast Instance”?
I had one that prevented communication with bad countries and I put this one in, and the DNSs did not work for me. I removed this group (A3 Worldwide Anycast Instance) and everything started working correctly.
It could also be a problem with the ISP since you may have a box called “Secure DNS” or something similar that prevents DNSs other than those of the ISP.