Huge DNS issues from time to time

Hello community,
we have a fairly big problem since the last few updates with our DNS resolution. We have a network of IPFires in our region which connect via OpenVPN to a central point.

I have some boxes which are randomly failing to look up the address needed to connect to the central station. This is shown in the log file:

 PWn2n[31818]: RESOLVE: Cannot resolve host address: my.domain.de:1204 (Name or service not known)

and this

ASSE unbound: [2085:0] error: SERVFAIL <my.domain.de. A IN>: all the configured stub or forward servers failed, at zone .
Oct 20 05:37:07 MYIPFIRE unbound: [2085:0] error: SERVFAIL <my.domain.de. AAAA IN>: all the configured stub or forward servers failed, at zone .
Oct 20 05:37:07 MYIPFIRE unbound: [2085:0] error: SERVFAIL <my.domain.de.localdomain. A IN>: all the configured stub or forward servers failed, at zone .
Oct 20 05:37:07 MYIPFIRE unbound: [2085:0] error: SERVFAIL <my.domain.de.localdomain. AAAA IN>: all the configured stub or forward servers failed, at zone .
Oct 20 05:37:07 MYIPFIRE PWAL31818]: RESOLVE: Cannot resolve host address: my.domain.de:1204 (Name or service not known)

After rebooting those machines automatically in the night with the Connection Scheduler everything is working again as expected.

Do you have any clues about that? I surely can provide more logs if needed.

I really need to fix this somehow.

Thanks in advance!
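A way to spot this failure pattern in the unbound log without waiting for the nightly reboot, added here as an example (it is not code from the original post or from IPFire). It runs over constructed sample lines modelled on the messages quoted above. Two details of those lines are worth noting: "all the configured stub or forward servers failed" means unbound could not get an answer from its forwarders (here 1.1.1.1 / 8.8.8.8) rather than from the name itself, and the extra queries for "my.domain.de.localdomain." are the resolver retrying with the search domain appended after the first lookup failed, so they are a symptom of the same failure, not a second one. The init-script path in the comment is an assumption about IPFire's layout.

```shell
#!/bin/sh
# Constructed sample of unbound log lines (not taken from the original post),
# shaped like the SERVFAIL messages quoted in the thread.
SAMPLE_LOG='Oct 20 05:37:07 MYIPFIRE unbound: [2085:0] error: SERVFAIL <my.domain.de. A IN>: all the configured stub or forward servers failed, at zone .
Oct 20 05:37:07 MYIPFIRE unbound: [2085:0] error: SERVFAIL <my.domain.de. AAAA IN>: all the configured stub or forward servers failed, at zone .
Oct 20 05:37:07 MYIPFIRE unbound: [2085:0] error: SERVFAIL <my.domain.de.localdomain. A IN>: all the configured stub or forward servers failed, at zone .
Oct 20 05:37:08 MYIPFIRE unbound: [2085:0] notice: init module 0: validator
Oct 20 05:40:01 MYIPFIRE unbound: [2085:0] error: SERVFAIL <other.example. A IN>: all the configured stub or forward servers failed, at zone .'

# Count only the SERVFAILs caused by upstream forwarder failure (stdin -> stdout).
# awk is used instead of "grep -c" because grep exits 1 on zero matches, which
# would abort a script running under "set -e".
count_forwarder_failures() {
    awk '/error: SERVFAIL <.*>: all the configured stub or forward servers failed/ { n++ }
         END { print n + 0 }'
}

# Print the distinct names that failed, folding the search-domain retry
# ("name.localdomain.") back onto the original name so one outage is one line.
failed_names() {
    sed -n 's/.*error: SERVFAIL <\([^ ]*\) \([A-Z]*\) IN>.*all the configured stub or forward servers failed.*/\1/p' \
    | sed 's/\.localdomain\.$/./' \
    | sort -u
}

# Return 0 (healthy) while the failure count on stdin stays below the given
# threshold, 1 otherwise, so a cron job can gate a restart on it, e.g.
#   tail -n 200 /var/log/messages | forwarder_health 5 || /etc/init.d/unbound restart
# (the init-script path is an assumption about IPFire, check yours first).
forwarder_health() {
    threshold=$1
    n=$(count_forwarder_failures)
    [ "$n" -lt "$threshold" ]
}

# Demonstration over the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | count_forwarder_failures
printf '%s\n' "$SAMPLE_LOG" | failed_names
```

Restarting unbound on a threshold is a stop-gap that confirms whether a service restart (rather than a full reboot) clears the condition; the counts it reports are what to compare against the forwarder reachability at the same time.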

Have you enabled suricata? I sometimes have the problem that suricata blocks the outgoing connections of unbound, and I have not found the reason yet (nothing in the logs).

Well, you are giving quite little information, aren't you? (e.g. external or internal DNS in the central VPN zone? Do you forward DNS or not? etc.)

My first rough guess would be your DHCP settings, esp. your TTL on the blue VPN zone. Also check your NTP time settings, the second usual suspect.

Hi,
Suricata is not enabled, at least not on the IPFire which has the DNS issues. It is activated, though, at the central station for RED and GREEN. The location filter is also turned off.

As DNS we are using 1.1.1.1 or 8.8.8.8; we are not giving any DHCP options via OpenVPN. The VPN is just for transferring data from one Siemens SPS to another one. I couldn't find any TTL options so far.

NTP seems to be fine on all machines.

Edit:
I forgot to mention that the DHCP server is turned on at the outside machines, but in fact we don't need it there. There is just one client (SPS) at each site and they are using fixed addresses.

2 questions:
Within the Web GUI, under Networking > Domain Name System, what do you have selected for "Protocol for DNS queries"?
And also in the Web GUI, under Firewall > Firewall Options, is "Default firewall behaviour: Outgoing" set to Allowed or to Blocked?

Hi,
It's set to UDP. The self-initiated connections are allowed. The connections from within the local network are blocked.

It would be helpful, if you could be more specific about your network(s).

What do you want to know about it?

As I said, we have a central point with an IPFire and several machines outside in the field. Some of them are connected via DSL, some via LTE. All of them are running IPFire 64-bit. All of them are running on machines from the TX-Team. The machines should connect via OpenVPN N2N. I have stopped updating my IPFires because of these DNS issues. As I said, restarting the whole machine helps with these issues. I'm not 100% certain whether a simple restart of unbound wouldn't be enough as well, because I haven't tested that, but I guess it would help.

Please let me know what kind of information you need and I will provide it if I can.

Best wishes!

What release are you on?

The central one is on U147; most of the IPFires outside are on the same version.

I do have a machine on U151 and a few more on U150; I haven't seen these problems on those machines so far. But they have been running U150 for just a few days now, maybe a week.