Ipfire error after update - dns servers

Hi, after applying the IPFire update I came up with a problem that I cannot understand
i have an I5 machine with two lan cards (Red, Green) plus a Wifi card for Blu
I went from IPFire 2.27 core 159 to core 160
the problem is that it seems that in loaded dns servers it does not work, in fact whatever url I write tells me site unreachable, checking the log I find errors but from a quick check it seems that all are a consequence of the lack of dns
instead connecting to the consol this error comes out
I have no idea what could have happened or what could have gone wrong

ipfire error after update

Hi @tratru

Those are warning messages and are not a problem.

See this post re the BCP 177 violation entry

See this post re the RTNETLINK answers entry

If you are having a problem with DNS then you need to look at the Network - Domain Name System WUI menu entry.
What is the overall status near the top of the page and if you press the “Check DNS Servers” button what status do you get for each individual DNS server that is listed?

On the Status - Services WUI menu does the DNS Proxy Server show as RUNNING or STOPPED?


if I check the dns it gives me all error
for the other points I have to check, I’ll do it as soon as I get home

8 posts were split to a new topic: DNS errors on enabled servers but sites resolve normally

after a few attempts to figure out what happened, I reloaded everything and reconfigured
after a few hours of operation the problem reappeared
the DNS service is broken

What error hints do you get when you place the mouse pointer over the Error message for the individual DNS Servers.

Does an error hint message get shown when you place the mouse pointer over the overall Broken status at the top left.

What messages are shown in the unbound logs either from the Logs - System Logs WUI menu, selecting DNS: Unbound in the dropdown box or from the console by

less /var/log/messages | grep unbound

These error messages and log contents are needed to be able to figure out what is happening with your system.

1 Like

I checked what you recommended
the log file is present

Oct 13 17:21:55 IPF unbound: [1571:0] notice: init module 0: validator
Oct 13 17:21:55 IPF unbound: [1571:0] notice: init module 1: iterator
Oct 13 17:21:55 IPF unbound: [1571:0] info: start of service (unbound 1.13.1).
Oct 13 17:21:55 IPF unbound: [1571:0] error: SERVFAIL <. DNSKEY IN>: all the configured stub or forward servers failed, at zone .
Oct 13 17:22:02 IPF unbound: [1571:0] info: service stopped (unbound 1.13.1).
Oct 13 17:22:02 IPF unbound: [1571:0] info: server stats for thread 0: 0 queries, 0 answers from cache, 0 recursions, 0 prefetch, 0 rejected by ip ratelimiting
Oct 13 17:22:02 IPF unbound: [1571:0] info: server stats for thread 0: requestlist max 0 avg 0 exceeded 0 jostled 0
Oct 13 17:22:02 IPF unbound: [1571:0] notice: Restart of unbound 1.13.1.
Oct 13 17:22:02 IPF unbound: [1571:0] notice: init module 0: validator
Oct 13 17:22:02 IPF unbound: [1571:0] notice: init module 1: iterator
Oct 13 17:22:02 IPF unbound: [1571:0] info: start of service (unbound 1.13.1).

and the active processes are the following

You are not getting any response to any of your DNS servers. This makes me wonder if you actually have a working connection to the internet via your ISP.

On the System - Home WUI menu page do you have IP addresses show against the Internet and Gateway lines and is the status showing Connected - (some time period) or is it showing Connecting…

If it shows connected what do you get if you run
ping -c4
in the console or via ssh.

This IP is for ipfire.org and using the IP address doesn’t require DNS so will test if you have a working internet connection.

Thanks for your answer, the system is connected and my connection of my ISP is working, I also executed the ping command indicated by you and it works, another test followed is to connect a PC to the router bypassing IPFire I navigate without problems

Okay so the internet connection is working but DNS isn’t.
I would have expected many more
messages in your log with the internet connection working. I would expect to see messages for each DNS server that you have enabled.

Try running the following command in the console.

kdig @ +dnssec +bufsize=1232 +tls-ca=/etc/ssl/certs/ca-bundle.crt +tls-hostname=cloudflare-dns.com -d

This will run a DNS lookup of the cloudflare-dns.com DNS server on and will show where the DNS communication is breaking down.

Please post the response from this command.

[root@IPF ~]# ping -c4 www.google.com
ping: www.google.com: Name or service not known
[root@IPF ~]# ping -c4
PING ( 56(84) bytes of data.
64 bytes from icmp_seq=1 ttl=54 time=20.9 ms
64 bytes from icmp_seq=2 ttl=54 time=21.0 ms
64 bytes from icmp_seq=3 ttl=54 time=20.9 ms
64 bytes from icmp_seq=4 ttl=54 time=20.8 ms

— ping statistics —
4 packets transmitted, 4 received, 0% packet loss, time 3002ms
rtt min/avg/max/mdev = 20.820/20.906/20.987/0.064 ms
[root@IPF ~]# kdig @ +dnssec +bufsize=1232 +tls-ca=/etc/ssl/certs/ca-bundle.crt +tls-hostname=cloudflare-dns.com -d
;; DEBUG: Querying for owner(.), class(1), type(2), server(, port(853), protocol(TCP)
;; DEBUG: TLS, imported 128 certificates from ‘/etc/ssl/certs/ca-bundle.crt’
;; DEBUG: TLS, received certificate hierarchy:
;; DEBUG: #1, C=US,ST=California,L=San Francisco,O=Cloudflare, Inc.,CN=cloudflare-dns.com
;; DEBUG: SHA-256 PIN: od9obscoXQND56/DikypZrJkXGvbQV5Y61QGfcNitHo=
;; DEBUG: #2, C=US,O=DigiCert Inc,CN=DigiCert TLS Hybrid ECC SHA384 2020 CA1
;; DEBUG: SHA-256 PIN: e0IRz5Tio3GA1Xs4fUVWmH1xHDiH2dMbVtCBSkOIdqM=
;; DEBUG: TLS, skipping certificate PIN check
;; DEBUG: TLS, The certificate is trusted.
;; TLS session (TLS1.3)-(ECDHE-X25519)-(ECDSA-SECP256R1-SHA256)-(AES-256-GCM)
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 37809
;; Flags: qr aa rd ra; QUERY: 1; ANSWER: 14; AUTHORITY: 0; ADDITIONAL: 27

;; Version: 0; flags: do; UDP size: 1232 B; ext-rcode: NOERROR
;; PADDING: 303 B

;; . IN NS

. 510462 IN NS a.root-servers.net.
. 510462 IN NS b.root-servers.net.
. 510462 IN NS c.root-servers.net.
. 510462 IN NS d.root-servers.net.
. 510462 IN NS e.root-servers.net.
. 510462 IN NS f.root-servers.net.
. 510462 IN NS g.root-servers.net.
. 510462 IN NS h.root-servers.net.
. 510462 IN NS i.root-servers.net.
. 510462 IN NS j.root-servers.net.
. 510462 IN NS k.root-servers.net.
. 510462 IN NS l.root-servers.net.
. 510462 IN NS m.root-servers.net.
. 510462 IN RRSIG NS 8 0 518400 20211027050000 20211014040000 14748 . AyFtsQrpwwSy0+C61ypK1nW1OaCWqVclTERhGgTdDsB5kZ4o2YPt6tIxRKWI3diywnnpl6o5N8qUZMk3EYuVvkznhltcmRkbZkOe+tShhQjyhyVbdGKuNTN/fkfX1Ndgs272oAWDy9UmVksjMcj0APsSk3SGd3saUovorzx0zonKq6i1GBPmDzo3s0SvR52z76H0KYmHNwtlC7r8M6RhNMNzQx8K4PWqklCxsUoBOlfsmiHCBPipHnbDL8NIwsB5QIGeHCpxXn75zRuITNbtpPZYvUNFSy17w5FqphBbytbFGGZmLy5JZxfz1Izq/hOFy1yuzCkK1Z4Lk9XfeM5tIw==

a.root-servers.net. 510462 IN A
a.root-servers.net. 510462 IN AAAA 2001:503:ba3e::2:30
b.root-servers.net. 510462 IN A
b.root-servers.net. 510462 IN AAAA 2001:500:200::b
c.root-servers.net. 510462 IN A
c.root-servers.net. 510462 IN AAAA 2001:500:2::c
d.root-servers.net. 510462 IN A
d.root-servers.net. 510462 IN AAAA 2001:500:2d::d
e.root-servers.net. 510462 IN A
e.root-servers.net. 510462 IN AAAA 2001:500:a8::e
f.root-servers.net. 510462 IN A
f.root-servers.net. 510462 IN AAAA 2001:500:2f::f
g.root-servers.net. 510462 IN A
g.root-servers.net. 510462 IN AAAA 2001:500:12::d0d
h.root-servers.net. 510462 IN A
h.root-servers.net. 510462 IN AAAA 2001:500:1::53
i.root-servers.net. 510462 IN A
i.root-servers.net. 510462 IN AAAA 2001:7fe::53
j.root-servers.net. 510462 IN A
j.root-servers.net. 510462 IN AAAA 2001:503:c27::2:30
k.root-servers.net. 510462 IN A
k.root-servers.net. 510462 IN AAAA 2001:7fd::1
l.root-servers.net. 510462 IN A
l.root-servers.net. 510462 IN AAAA 2001:500:9f::42
m.root-servers.net. 510462 IN A
m.root-servers.net. 510462 IN AAAA 2001:dc3::35

;; Received 1404 B
;; Time 2021-10-14 19:00:55 CEST
;; From in 26.0 ms
[root@IPF ~]#

That is a totally correct DNS response from cloudfare-dns.com.

So Internet connection is working and access to DNS servers is working.

unbound is running based on your logs and your active processes list.

This suggests that there must be a structural error in your DNS server definitions.

Are you running TLS as your protocol for DNS queries and did you change this from TCP or UDP previously?

If yes then the likelihood is that you have not added in the TLS Hostname after changing from TCP/UDP to TLS.

I have checked and if you try and enter a TLS entry without a hostname then you get an error message saying that the hostname is missing.

However if you have a set of DNS servers specified without hostnames under TCP or UDP and then change the protocol from TCP/UDP to TLS IPFire does not flag up that the hostnames are missing but unbound will fail to make the DNS over TLS communication as this requires the TLS hostname to be specified.

Holding the mouse pointer over the Error message for the DNS servers should show up “No TLS hostname given”

Check the list of DNS servers in the wiki for the TLS hostnames for the various DNS servers you have specified.


Thanks for the advice given, I found what it was, I indicate it in order to help other users

My problem was in the model of my ISP, an update of the modem’s FW had been performed, the same had a bug that randomly blocked DNS calls for a period of time
downgraded and everything still works
thanks again for the support provided