Four years without DNS in IPFire. Problem is unbound DNSSec

Good evening,

Excuse my poor English.

It has been four years without DNS in IPFire. So strange for a router distribution.

After core 141, DNS didn’t work anymore, no matter how many installations I did or which core I installed. I tried all cores up to 184, today’s core, and I did dozens of fresh installations.

I always work with VirtualBox, but I am not sure VirtualBox is the problem. I have simple installations, with a RED network card connected to NAT in VirtualBox and receiving DHCP, and a GREEN network card connected to a VirtualBox internal network with IP 192.168.100.1.

I have read some IPFire user messages saying DNS hasn’t worked for years. There are simple workarounds:

  • For the clients receiving DHCP from IPFire, just configure in the DHCP that the DNS server is something other than IPFire: 1.1.1.1, 4.4.4.4, or 8.8.8.8 should save the day.

  • For the IPFire machine, if we need internet for updating (pakfire update and pakfire upgrade), we can just rewrite /etc/resolv.conf and change the DNS to 1.1.1.1, and that saves the day.

I don’t know IPFire internals, but the problem should be the “Unbound” service. Also, on every boot the file /var/log/messages is just full of “unbound” error messages.

So I just stop unbound with:

# /etc/init.d/unbound stop

and start it again with:

# unbound -vvvvv

but there are just so many messages I don’t understand:

# cat /var/log/messages | grep unbound | less

But … does it seem like the problem comes from unbound DNSSec? Yes!

# /etc/init.d/unbound stop
# nano /etc/unbound/unbound.conf

If in this unbound configuration file I comment out (#) the DNSSEC line auto-trust-anchor-file, and then start unbound again, I can finally ping www.google.es. DNS is finally working.

Well, so now I know that the problem is with Unbound DNSSec. But can somebody help me fix it without stopping DNSSec in Unbound? Maybe the explanation is in here:

From this document I understand that /var/lib/unbound/root.key should be world readable and writable by unbound, but the owner is user nobody and the permissions are rw-r--r--. Anyway, if unbound runs as user nobody, this is fine.

Thanks in advance

I just tried changing the RED card from VirtualBox NAT to VirtualBox Bridge, but that doesn’t fix the problem.

Last four years all my IPFire installations have been with VirtualBox 6 and 7.

The last core update I remember with DNS working was 140. The first core update I remember with DNS not working was 144.

Since my job’s office network has a DNS cache that may cause some problems with DNSSec requests, I also tried from my home network, but without luck.

The first things I did four years ago when DNS stopped working were to check the changes from core update 140 to 144, and to read the IPFire DNS docs.

Does anybody have fresh installations of IPFire in VirtualBox with DNS working?
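An added example, not from this thread and not IPFire’s own scripts: the checks I would run on the IPFire box itself before commenting out auto-trust-anchor-file. It looks at the owner and readability of the trust anchor file, runs unbound-anchor against it, and classifies `unbound-host -v` output into secure / insecure / bogus so that a DNSSEC validation failure can be told apart from “no answer at all”. The /var/lib/unbound/root.key and /etc/unbound/unbound.conf paths are the ones named in the post; the function names and the sample output lines are mine (constructed).

```shell
#!/bin/sh
# Added example (not IPFire code). Assumes the unbound-anchor and unbound-host
# binaries that ship with unbound. Run with:  sh dnssec_local_check.sh --run www.google.es
ANCHOR=${ANCHOR:-/var/lib/unbound/root.key}
UNBOUND_CONF=${UNBOUND_CONF:-/etc/unbound/unbound.conf}

# Constructed sample lines in the format `unbound-host -v` prints, for offline use.
SAMPLE_SECURE='www.example.test has address 192.0.2.10 (secure)'
SAMPLE_BOGUS='www.example.test has address 192.0.2.10 (BOGUS (security failure))'
SAMPLE_INSECURE='www.example.test has address 192.0.2.10 (insecure)'

# classify_unbound_host reads `unbound-host -v` output on stdin and prints one
# word: bogus (DNSSEC validation failed), secure, insecure (unsigned zone),
# or unknown (no validation marker, e.g. SERVFAIL with no answer at all).
classify_unbound_host() {
    out=$(cat)
    case $out in
        *"(BOGUS"*)     echo bogus ;;
        *"(secure)"*)   echo secure ;;
        *"(insecure)"*) echo insecure ;;
        *)              echo unknown ;;
    esac
}

# anchor_ok returns 0 when the anchor file exists, is readable, and is owned
# by the user unbound runs as (nobody on IPFire, according to the post).
anchor_ok() {
    f=${1:-$ANCHOR}
    user=${2:-nobody}
    [ -r "$f" ] || return 1
    owner=$(ls -ld "$f" | awk '{print $3}')   # field 3 of ls -ld is the owner
    [ "$owner" = "$user" ]
}

run_checks() {
    name=${1:-www.google.es}
    if anchor_ok "$ANCHOR" nobody; then
        echo "anchor: $ANCHOR is readable and owned by nobody"
    else
        echo "anchor: $ANCHOR is missing, unreadable or not owned by nobody"
    fi
    # unbound-anchor probes the root key (RFC 5011). Exit status 1 means it had
    # to fall back to its built-in certificate or anchor; 0 covers "no change
    # needed" but also errors, so read the -v output rather than the status.
    # Run it as the unbound user, otherwise a rewritten file may change owner.
    unbound-anchor -v -a "$ANCHOR"
    echo "unbound-anchor exit status: $?"
    # Resolve through the real config so the result reflects what clients see.
    # Note: google.com is not a DNSSEC-signed zone, so a (secure) result needs a
    # signed name; for an unsigned name "insecure" is the expected good answer.
    unbound-host -C "$UNBOUND_CONF" -v "$name" | classify_unbound_host
}

if [ "${1:-}" = "--run" ]; then
    run_checks "${2:-www.google.es}"
fi
```

The “bogus” marker is the one that matches the post’s symptom: resolution works as soon as the trust anchor is removed, so validation, not transport, is what fails. “unknown” with a SERVFAIL message points at the upstream path instead.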

Go to https://ipfire:444/cgi-bin/dns.cgi address in your WebGUI and add your preferred DNS service there.

2 Likes

IPFire’s unbound installation demands DNSSEC and can handle it!
But for a functioning DNS request using DNSSEC it is mandatory that the configured DNS servers can handle DNSSEC.

Hi Porkyle,

What I already tried four years ago:

  1. Checking and re-checking and re-rechecking all IPFire Web configuration

  2. Reading the docs

  3. Reading the changes between core updates

When I added my preferred DNS, as you asked, and as I did all these years, all the messages I got were broken/error

Since then, for the machines inside my VirtualBox internal network I configure IPFire DHCP to serve a different DNS than IPFire, and for IPFire I edit /etc/resolv.conf every time I want to do a pakfire update.

Now that I have a one-week holiday, what I am going to try is to check where the issue is. Maybe it’s the way my job and home networks handle DNSSec, and then it’s not a problem with IPFire. The next steps I am going to take to dissect the problem are:

  • Virtualize IPFire with KVM instead of VirtualBox to check if it is a VirtualBox problem.

  • Take my VirtualBox IPFire to many different networks to check if it is a problem of DNSSec in my home network.

  • Maybe Virtualize in VirtualBox PFSense with DNSSec to check if it is a problem of my network.

  • Maybe Virtualize Debian 12 with Unbound

Hi Bernhard

I know there is a problem with DNSSec in my job network. But I tried with my home network too and it’s also failing. So it’s bad luck if my home ISP also has problems handling DNSSec.

In my job network there is an old DNS cache, and when I install a VirtualBox Debian with the Bind service, in the file /etc/bind/named.conf.options I have to write dnssec-validation no; for the forwarding to work.

But in my home network DNSSec should work just fine. My next steps are to check if there is a problem with DNSSec in my home network, and if there is some issue virtualizing with VirtualBox.

To rule out issues with the virtualization, you can try an installation on bare metal with your config.

How is your network configured, if you assume problems with DNSSEC in it?

I just tried IPFire virtualized with Virt-Manager/KVM and I have the same issue with DNSSec.

I just tried PFSense virtualized with VirtualBox. In the DNS resolver with DNSSec enabled, it didn’t work until I unchecked the box that says: “Harden DNSSEC Data: (DNSSEC data is required for trust-anchored zones.)”. When I uncheck that, DNS resolving for the clients in the green internal network starts working, even with the DNSSec box checked.

So I assume that the problem is with both my home network and my job network (shame, this is bad luck). I don’t have anything unusual with my home network: standard Spanish ISP with its standard ISP router, that I never configured.

My next two checks to double confirm that the problem is my network and not IPFire will be:

  • Copy my IPFire VirtualBox machine to my laptop, and then try DNS resolving in as many networks as I can.

  • Check the home ISP router configuration, which is the default configuration.

I know the IPFire policy is mandatory DNSSec:

www.ipfire.org - DNS configuration recommendations for IPFire users

But it would be great to have an option in the IPFire web config to disable DNSSec for users that have problems with DNSSec in their networks.

Thanks for your help Bernhard.

Greetings from Barcelona

Check the home ISP router default configuration

My home network ISP is Finetwork, which uses the Vodafone network, and the ISP router is a Sercomm w1-h500s. The ISP router firmware has a box enabled by default that says “DNS seguro” (DNSSec?). Nothing extra to configure with DNSSec in the home router. That’s all.

For my desktop PC where I virtualize IPFire, I use 1.1.1.1 DNS instead of the default ISP DNS.

I am going to check the IPFire virtual machine in other networks.

I think it should not matter what DNS your desktop PC or ISP router is using, since IPFire uses its own DNS service.

It is still possible that your desktop PC or ISP router is blocking the IPFire virtual machine’s DNS requests. It could be their firewall, antivirus or some other service that breaks it.

EDIT:
It’s been a long time since I used VirtualBox, but when I did, my IPFire RED was connected to the desktop PC’s bridged LAN interface. GREEN was an internal interface to the other VMs.

P.S
https://www.virtualbox.org/manual/ch06.html#networkingmodes

2 Likes

Shame! Today I tried my IPFire VirtualBox in a “café network” and it worked.
The issue with IPFire DNS all these four years was with my home network. My Spanish ISP (Fitel/Vodafone) is not working with DNSSec; I still don’t know why.

2 Likes

A respectable ISP should transport DNSSEC packets!
Another thing are the DNS servers of this ISP. They may not ‘speak’ DNSSEC, therefore they are not usable with IPFire’s DNS server unbound.

1 Like
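An added example, not from this thread and not IPFire code, for the point made in the two previous posts (the ISP has to pass DNSSEC data through, and a forwarder has to speak DNSSEC before unbound can use it): a small shell script that queries an upstream server with the DO bit set and classifies what comes back. It also probes dnssec-failed.org, a deliberately broken zone, because a forwarder that validates must answer SERVFAIL for it. The function names and the constructed sample answers are mine; `dig` is assumed to be installed on the machine you run it from.

```shell
#!/bin/sh
# Added example (not from the thread). Usage:  sh upstream_dnssec_probe.sh 1.1.1.1 8.8.8.8
# Requires `dig` (bind-utils / dnsutils) when probe_upstream is used; the
# classifier itself only needs sed and grep.

# Constructed sample dig output (header + flags + records), for offline use.
SAMPLE_VALIDATED=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
example.test. 300 IN A 192.0.2.10
example.test. 300 IN RRSIG A 13 2 300 20240101000000 20231201000000 12345 example.test. AbCd=='
SAMPLE_STRIPPED=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
example.test. 300 IN A 192.0.2.10'
SAMPLE_SERVFAIL=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 3
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'

# flags_of_dig prints the flag words (e.g. "qr rd ra ad") from dig's flags line.
flags_of_dig() {
    sed -n 's/^;; flags: \([^;]*\);.*/\1/p'
}

# classify_dig_output reads one dig answer on stdin and prints:
#   servfail    - the server failed the query (a validator's answer for bogus data)
#   validating  - AD flag set: the upstream validated the answer itself
#   signed-only - RRSIG present but no AD: DNSSEC data passes through unvalidated
#   unsigned    - neither: DNSSEC records were stripped or are not supported
classify_dig_output() {
    out=$(cat)
    if printf '%s\n' "$out" | grep -q 'status: SERVFAIL'; then
        echo servfail; return 0
    fi
    flags=$(printf '%s\n' "$out" | flags_of_dig)
    case " $flags " in
        *" ad "*) echo validating; return 0 ;;
    esac
    if printf '%s\n' "$out" | grep -Eq '[[:space:]]IN[[:space:]]+RRSIG[[:space:]]'; then
        echo signed-only; return 0
    fi
    echo unsigned
}

# probe_upstream queries SERVER for NAME with +dnssec (sets the DO bit), which
# is what a validating resolver such as unbound needs from a forwarder.
probe_upstream() {
    server=$1; name=${2:-ietf.org}
    dig +dnssec +time=3 +tries=1 "@$server" "$name" A | classify_dig_output
}

# For a forwarder unbound can validate through, expect 'validating' or
# 'signed-only' on a signed zone (ietf.org is signed; google.com is not, so
# pinging it proves resolution, not validation) and 'servfail' on the broken
# test zone dnssec-failed.org. 'unsigned' on a signed zone means something
# between you and the server strips DNSSEC data.
if [ $# -gt 0 ]; then
    for s in "$@"; do
        printf '%s  signed zone: %s  broken zone: %s\n' "$s" \
            "$(probe_upstream "$s" ietf.org)" "$(probe_upstream "$s" dnssec-failed.org)"
    done
fi
```

Run from the IPFire box (RED side) and again from a host on a network where DNS works, with the same servers: a difference between the two runs localises the problem to the ISP path, which is where this thread ended up.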

What I do with rogue ISPs (such as Comcast with that horrid SecurityEdge product) is to turn on TLS for DNS. You have to include the rDNS name (such as “dns.google” for 8.8.8.8 and 8.8.4.4). As the traffic is encrypted, your ISP can’t grab the DNS traffic and redirect it.

3 Likes