Failed rDNS - DNS=Broken

Hello,

I have a silly problem:
we want to use IPFire as DNS server, and that's why we reconfigured the firewall like this wiki (method 1)
https://wiki.ipfire.org/configuration/firewall/dns

But it's the same as before, “Status: Broken”:

Where is the mistake?

Hi,
Check the name and the IP address.
The error says they do not fit together.
Best regards
R.


Using dig:
the last one —> 98.56.255.146.in-addr.arpa. 3599 IN PTR doh-dot.applied-privacy.net.
the last-1 —> 37.141.49.185.in-addr.arpa. 3289 IN PTR www.getdnsapi.net.
maybe you can edit those entries and verify again


Did you try without Safe Search?

I’m trying it now on my VM …

Why have you configured a DoT server but chosen only TCP instead of TLS?

from the VM using TLS, Safe Search, YouTube, and Standard QNAME

Thanks - I checked that before at home - IPFire is in the office some kilometers from here:

:~$ nslookup 185.49.141.37

:~$ nslookup getdnsapi.net
Server: 127.0.0.53
Address: 127.0.0.53#53

Non-authoritative answer:
Name: getdnsapi.net
Address: 185.49.141.37

Maybe some more information can help:

  • IPfire RED static IP > TELECOM-VDSL-Router
  • GREEN > internal Office LAN
  • BLUE > internal WLAN
  • ORANGE > DMZ for 1x mail server and 1x web server

Tested too with UDP, TLS.

The TLS test looks the same.

Some nameservers show “Error”, 4 are OK, but all have “Reverse lookup failed” in rDNS.

I hope that's not a problem with the VDSL router at RED?

I am using dns2.digitalcourage.de as one of my dns servers in TLS mode and it is working fine, also with the overall status.

I had a period from 00:07 to 01:47 this morning where all my dns servers were not working and I have a large number of SERVFAIL messages in my logs from that period but since 01:47 there has been no problem.

grep the log for unbound messages

less /var/log/messages grep | unbound

and see what that shows.


Thanks! See what happened:

[root@ipf ~]# less /var/log/messages grep | unbound
Apr 30 15:40:03 unbound[30489:0] error: can't bind socket: Address already in use for 127.0.0.1 port 8953
Apr 30 15:40:03 unbound[30489:0] error: cannot open control interface 127.0.0.1 8953
Apr 30 15:40:03 unbound[30489:0] fatal error: could not open ports

What's that? What should I do?
DNS with TLS should use port 853, I thought - which config file is wrong?

That suggests that something else is using that address and port combination.

Try running netstat and see if port 8953 shows up in the output and if so what is shown as using it.

On my system I get

Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 ipfire.domain:54570 dns2.digitalcourage:853 ESTABLISHED

As you say it should be using port 853.

You don't have any firewall rules forcing the use of your DNS servers, do you?

If yes, then maybe check the port numbers that have been used for a typo.
If no, then we are getting close to the limit of my knowledge.

Will wait to see what netstat shows.

Edit:
You can ignore what I put above.
Netstat won’t show any DNS server connection because unbound can’t start. Also we are not interested in what is using port 8953 because the DNS servers should be using 853 as you mentioned.

The only unbound file I find that mentions the port is

/etc/unbound/forward.conf

This stores the servers you have listed in the DNS WUI table.

Mine looks like this

# This file is automatically generated and any changes
# will be overwritten. DO NOT EDIT!

forward-zone:
        name: "."
        forward-tls-upstream: yes
        forward-addr: 46.182.19.48@853#dns2.digitalcourage.de
        forward-addr: 185.49.141.37@853#getdnsapi.net
        forward-addr: 81.3.27.54@853#recursor01.dns.ipfire.org
        forward-addr: 89.233.43.71@853#unicast.censurfridns.dk
        forward-addr: 185.95.218.42@853#dns.digitale-gesellschaft.ch
        forward-addr: 146.255.56.98@853#dot1.applied-privacy.net

You can see that port 853 is specified for each of the servers.
If one of yours has 8953 in place of 853 I would suggest deleting that server in the WUI table and recreating it. If they are all 853 then I don’t have any further ideas.
I did a quick check of the unbound.conf file and it does not mention the port number.
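Added example, not code from the thread or from IPFire itself: a Python 3 script that parses a forward.conf in the format shown above, flags any forward-addr whose port does not match the upstream transport (853 for TLS, 53 otherwise), and reproduces the comparison that a reverse-lookup check makes when it marks rDNS as failed, i.e. the PTR record for the address must resolve back to the name configured in the table (the dig results earlier in the thread showed www.getdnsapi.net for 185.49.141.37 and doh-dot.applied-privacy.net for 146.255.56.98, neither of which equals the configured name). The sample config, its deliberate 8953 entry and the injected `resolve_ptr` stubs are constructed; that the WUI's rDNS column is computed exactly this way is an assumption.

```python
import ipaddress
import re
import socket

# Constructed sample in the shape of /etc/unbound/forward.conf on IPFire.
# The third entry carries a wrong port on purpose so the checker has something to flag.
SAMPLE_FORWARD_CONF = """\
# This file is automatically generated and any changes
# will be overwritten. DO NOT EDIT!

forward-zone:
        name: "."
        forward-tls-upstream: yes
        forward-addr: 46.182.19.48@853#dns2.digitalcourage.de
        forward-addr: 185.49.141.37@853#getdnsapi.net
        forward-addr: 146.255.56.98@8953#dot1.applied-privacy.net
"""

# unbound syntax: forward-addr: <ip>[@<port>][#<auth-name>]
ADDR_RE = re.compile(r"^\s*forward-addr:\s*(\S+?)(?:@(\d+))?(?:#(\S+))?\s*$")


def parse_forward_conf(text):
    """Return (tls_upstream, [(ip, port, auth_name), ...]) for the forward-zone."""
    tls = False
    servers = []
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("forward-tls-upstream:"):
            tls = stripped.split(":", 1)[1].strip().lower() == "yes"
            continue
        m = ADDR_RE.match(line)
        if m:
            ip, port, name = m.group(1), m.group(2), m.group(3)
            servers.append((ip, int(port) if port else 53, name))
    return tls, servers


def check_servers(tls, servers):
    """Flag entries whose port does not fit the transport, or that cannot authenticate TLS."""
    expected = 853 if tls else 53
    problems = []
    for ip, port, name in servers:
        if port != expected:
            problems.append(f"{ip} ({name}): port {port}, expected {expected}")
        if tls and not name:
            problems.append(f"{ip}: no hostname after '#', TLS upstream cannot be authenticated")
    return problems


def ptr_name(ip):
    """The name a reverse lookup queries, e.g. 37.141.49.185.in-addr.arpa."""
    return ipaddress.ip_address(ip).reverse_pointer


def rdns_matches(ip, name, resolve_ptr=None):
    """True when the PTR record for ip resolves back to the configured name.

    resolve_ptr is injectable so the comparison can be exercised offline;
    by default the system resolver is used.
    """
    if resolve_ptr is None:
        resolve_ptr = lambda addr: socket.gethostbyaddr(addr)[0]
    try:
        ptr = resolve_ptr(ip)
    except OSError:
        return False
    return ptr.rstrip(".").lower() == name.rstrip(".").lower()


if __name__ == "__main__":
    tls, servers = parse_forward_conf(SAMPLE_FORWARD_CONF)
    for problem in check_servers(tls, servers):
        print("config:", problem)
    for ip, _port, name in servers:
        print(ptr_name(ip), "->", "ok" if rdns_matches(ip, name) else "rDNS failed", f"({name})")
```

Running it against the real file (`python3 check.py` after pointing `SAMPLE_FORWARD_CONF` at `/etc/unbound/forward.conf`) answers both questions raised in this thread: whether every server really has 853 after the `@`, and which entries fail only because their PTR record names a different host than the one typed into the table, which is a cosmetic mismatch rather than a resolution failure.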

Thanks,
netstat said:

netstat
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 localhost.l:mdbs_daemon localhost.localdo:56036 ESTABLISHED
tcp 0 0 localhost.localdo:56036 localhost.l:mdbs_daemon ESTABLISHED
tcp 1 0 localhost.localdo:50274 localhost.l:mdbs_daemon CLOSE_WAIT
tcp 1 0 localhost.localdo:55996 localhost.l:mdbs_daemon CLOSE_WAIT
tcp 1 0 localhost.localdo:50196 localhost.l:mdbs_daemon CLOSE_WAIT
tcp 1 0 localhost.localdo:56032 localhost.l:mdbs_daemon CLOSE_WAIT
tcp 0 200 ipf.firma.lan:rsh-spx p549dd666.dip0.t-:43892 ESTABLISHED
tcp 0 0 ipf.firma.lan:34246 a104-126-36-218.d:https ESTABLISHED
tcp 0 0 ipf.firma.lan:34246 a104-126-36-218.d:https ESTABLISHED

  • Port 853 or 8953 not found!
  • we have firewall rules to use IPFire as DNS server - please look at the opening topic with the howto link …

cat /etc/unbound/forward.conf
# This file is automatically generated and any changes
# will be overwritten. DO NOT EDIT!

stub-zone:
        name: **** edited for forum ****
        stub-addr: 172.20.20.250

stub-zone:
        name:
        stub-addr: 81.3.27.38

stub-zone:
        name: firma.lan
        stub-addr: 172.20.20.250

forward-zone:
        name: "."
        forward-tls-upstream: yes
        forward-addr: 146.255.56.98@853#dot1.applied-privacy.net
sorry can only use 2 links

I just ran netstat on my system and found lots of port 8953 messages. Searching on this port it shows up as related to TCP. I suspect that they are showing up on my system because I changed the protocol to TCP for a test.
Edit: All those port 8953 entries are now gone after a few minutes.

If that message about port 8953 came about when you had selected TLS then your problem might be that one of your entries is not capable of running in TLS mode and was trying to use tcp only. Maybe that causes a problem to unbound - not sure.

Try disabling the two entries that show up as error in the status column of your table and see if unbound starts when you press save.

Edit:
The IP addresses for those two DNS servers are not in the wiki List of Public DNS Servers

Good - disabled entry 1 and entry 3 - both now disabled.
Check DNS Servers > but the same …

Status: Broken
rDNS: failed for all six entries …

netstat shows

tcp 0 0 ipf.firma.lan:56994 dns2.digitalcourage:853 ESTABLISHED

but only seen some seconds - now it’s gone

Sorry. I have reached the end of my ability to help more.

If something comes to mind I will come back but hopefully there are other people who can help better.

Thank you very much - have a nice weekend !

Port 8953 is the default Unbound control port:

   control-port: <port number>
        The port number to listen on for IPv4 or IPv6 control interfaces,
        default is 8953. If you change this and permissions have been
        dropped, you must restart the server for the change to take effect.

Here’s the output from netstat:

[root@fw1 local.d]# netstat -pat
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 0.0.0.0:domain          0.0.0.0:*               LISTEN      8502/unbound        
tcp        0      0 localhost.localdom:8953 0.0.0.0:*               LISTEN      8502/unbound        
tcp        0      0 0.0.0.0:rsh-spx         0.0.0.0:*               LISTEN      9197/sshd: /usr/sbi 
tcp        0    196 fw1.localdomain:rsh-spx 192.168.14.15:42204     ESTABLISHED 22484/sshd: root@pt 
tcp6       0      0 [::]:81                 [::]:*                  LISTEN      9213/httpd          
tcp6       0      0 [::]:1013               [::]:*                  LISTEN      9213/httpd          
tcp6       0      0 [::]:snpp               [::]:*                  LISTEN      9213/httpd
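Added example, not part of the thread: the `netstat -pat` listing above shows unbound itself holding 127.0.0.1:8953, the very address named in the “Address already in use” lines posted earlier, and the command that produced those lines (`less /var/log/messages grep | unbound`) pipes into the `unbound` binary rather than into grep, so it attempted to start a second daemon while the first was already running. The Python 3 script below, runnable on any Linux host, correlates such bind errors with the listener table so the process holding the port is named, and counts established sessions to remote port 853 as a quick sign that DoT upstreams are actually connected. The netstat and log samples are constructed from the thread's output; the PID on the established DoT line is made up.

```python
import re

# Constructed sample modelled on the `netstat -pat` output in the thread.
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:domain          0.0.0.0:*               LISTEN      8502/unbound
tcp        0      0 localhost.localdom:8953 0.0.0.0:*               LISTEN      8502/unbound
tcp        0      0 0.0.0.0:rsh-spx         0.0.0.0:*               LISTEN      9197/sshd: /usr/sbi
tcp        0      0 ipfire.domain:54570     dns2.digitalcourage:853 ESTABLISHED 30123/unbound
tcp6       0      0 [::]:81                 [::]:*                  LISTEN      9213/httpd
"""

# Constructed sample modelled on the /var/log/messages lines in the thread.
SAMPLE_LOG = """\
Apr 30 15:40:03 unbound[30489:0] error: can't bind socket: Address already in use for 127.0.0.1 port 8953
Apr 30 15:40:03 unbound[30489:0] error: cannot open control interface 127.0.0.1 8953
Apr 30 15:40:03 unbound[30489:0] fatal error: could not open ports
"""

# netstat prints well-known ports by service name unless -n is given;
# resolve the two DNS ports this thread cares about.
SERVICE_PORTS = {"domain": 53, "domain-s": 853}

# "can.t" tolerates both a straight and a curly apostrophe in pasted logs.
BIND_RE = re.compile(r"can.t bind socket: Address already in use for (\S+) port (\d+)")


def _port(addr):
    """Numeric port from 'host:port'; None if netstat printed an unknown service name."""
    name = addr.rsplit(":", 1)[1]
    if name.isdigit():
        return int(name)
    return SERVICE_PORTS.get(name)


def listeners(netstat_text):
    """Map every LISTEN port to the 'PID/Program' column that owns it."""
    result = {}
    for line in netstat_text.splitlines():
        cols = line.split()
        if len(cols) < 7 or cols[5] != "LISTEN":
            continue
        port = _port(cols[3])
        if port is not None:
            result[port] = cols[6]
    return result


def upstream_dot_sessions(netstat_text):
    """Count ESTABLISHED sessions whose remote port is 853 (DNS-over-TLS upstreams)."""
    count = 0
    for line in netstat_text.splitlines():
        cols = line.split()
        if len(cols) >= 6 and cols[5] == "ESTABLISHED" and _port(cols[4]) == 853:
            count += 1
    return count


def explain_bind_errors(log_text, netstat_text):
    """For each 'Address already in use' line, pair the port with the process already holding it."""
    held = listeners(netstat_text)
    notes = []
    for line in log_text.splitlines():
        m = BIND_RE.search(line)
        if m:
            port = int(m.group(2))
            notes.append((port, held.get(port, "unknown")))
    return notes


if __name__ == "__main__":
    for port, owner in explain_bind_errors(SAMPLE_LOG, SAMPLE_NETSTAT):
        print(f"port {port} is already held by {owner}")
    print("established DoT sessions:", upstream_dot_sessions(SAMPLE_NETSTAT))
```

When the holder of 8953 is the running `unbound` process, the bind error is not a configuration problem at all: it is the expected result of starting a second instance by hand, and the daemon that was already running keeps serving. The check that matters for the original question is the session count, since a healthy TLS setup shows connections to the upstreams on port 853 (the grep should be written `grep unbound /var/log/messages`).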

A silly question, from something that happened to me. Do you have any firewall rule by country that blocks, among others, “A3 Worldwide Anycast Instance”?

I had one that blocked communication with bad countries, I added this one, and the DNS servers did not work for me. I removed this group (A3 Worldwide Anycast Instance) and everything started working correctly.

It could also be a problem with the ISP since you may have a box called “Secure DNS” or something similar that prevents DNSs other than those of the ISP.

They are just ideas.

You will tell us :+1:.

Greetings.


I thought the same, and disabled “Location Block” - the same result…
ISP could be the reason - but how to check this?