Since the DNSSEC changes (I think Core 136-137) have been implemented, I had to stop using IPFIRE because it became unworkable: too many DNS errors (in my mail server).
Let me explain the situation:
Provider -> FritzBox (DNS-ip=DNS Provider) -> IPFIRE (DNS-ip=DNS FritzBox) -> MailServer (DNS-ip=DNS IPFIRE)
The mail server reports a lot of connection errors due to "DNS-server seems to have a technical problem".
When I remove IPFIRE:
Provider -> FritzBox (DNS-ip=DNS Provider) -> MailServer (DNS-ip=DNS FritzBox)
The mail server reports NO ERRORS at all.
It might be that DNSSEC is indeed filtering spoofed or broken records because the signatures do not match. Your FritzBox router does not do that and might let the malicious ones pass.
In case of spoofed / broken records, I would suppose they would always be filtered. But that's not the case!
Sometimes there are no errors for a couple of hours, sometimes there are a series of errors followed by some correct connections and then again some errors.
It’s happening for different IMAP/POP-servers, I couldn’t find any “rule” in what’s happening.
Very weird and very annoying as I had to stop using IPFIRE due to that.
Sure, no. But I did notice some other connectivity problems with other sites (in my browser a.s.o) but they were probably also DNS-related as they disappeared too. I have been patient and continued using IPFIRE till 138.
When the IPFIRE is in use, its DNS is the DNS of the FritzBox.
The DNS servers of the FritzBox are those of my provider (Pri: 212.71.0.2, Sec: 212.71.8.11). And remember, the problem I have is only when IPFIRE is active in the upstream chain. In other words, there are NO problems without IPFIRE, so I wonder why knowing the nameservers of my provider can be of any use (IMHO IPFIRE does not talk to them).
When I find the time I’ll insert IPFIRE again in the upstream-chain (which is not done in 1-2-3).
But if I remember well, I have already tested with the provider DNS specified in IPFIRE, and AFAIK this didn't change anything.
Problems like these are the reason why it should (as a workaround) be possible to disable DNSSEC completely.
Now I have to remove IPFIRE completely and lose also all the other protections provided by IPFIRE.
I know this has been asked before by others, and the answer was NO.
The result is NO IPFIRE at all.
Don't know what is best.
Why? There is no default rule that prevents you from using other DNS servers in your network. You can simply set another IP as DNS via DHCP, and an upstream proxy for Pakfire. In this case the DNS of the IPFire is not used at all.
Because Arne wrote that my ISP’s servers didn’t work, I changed the DNS-servers in my Fritz!Box (see situation explanation in an earlier post) to 1.1.1.1 & 1.0.0.1.
And indeed that worked without problems in 139 till … I installed 141 a couple of days ago !
Now the same (identical) problems (also) with those DNS servers in 141.
I'm really getting annoyed with that ongoing DNSSEC story, the more so as not all specialists are convinced about the effectiveness of / need for it, which seems to be the reason not many DNS servers seem to be DNSSEC-enabled.