ISP DHCP assigned DNS broken


I have what appears to me a mysterious issue with DNS.

This started between 13:00 & 14:00 ET May 4th.

When my IPFIRE PC boots the ISP does dhcp on the red network and assigns two dns servers from the isp. ( and both can be ping’d from inside the firewall…)

But, on the dns page of IPFIRE a check dns shows them as broken. And, nothing behind the firewall can access the web.

If I add a public dns server ( or or the all is good.

Before yesterday, the ISP DNS servers worked with no issues.

Any suggestions as to what might have happened or how to further trouble shoot?

A side question: Why, with no DNS (i.e. the situation with no public DNS servers and only the ISP servers) do streaming apps on my tv (inside the firewall) work fine?

do you have a rule to intercept all the dns requests from you LAN and redirect them to IPFire? If not, the answer is quite straightforward, the streaming app in the TV is accessing directly its own preferred DNS server.


If you hold the mouse pointer over the broken status for each dns server a message box will come up telling you why IPFire see’s it as broken. You can also get more details if you look in the System Logs menu and choose the DNS server option in the dropdown box (might be unbound, i can’t precisely remember)


Hover over, shows: DNSSEC not supported.

And the log has plenty of these lines referencing the ISP DNS IP:

info: validation failure < PTR IN>: no DNSSEC records from for DS while building chain of trust
06:51:57 unbound: [1718:0] info: validation failure < A IN>: no signatures from and

Some homework for you: you should read this blog post from @pmueller

Another home work is the wiki article about DNSSEC :wink:

@bbitsch I just modified that wiki page, as the video linked on youtube is not available anymore. Feel free to revert it if you do not like it.

Thanks for the “homework”. I think I did read the blog back when it was initially posted. But, having no issues at that point it didn’t register.

Having read those:

My ISP DNS does not do DNSSEC…as of 14:00 yesterday. I have been running ipfire for years and the ISP has provided the DNS servers. Why would they turn off DNSSEC support? Or has something else changed. When I left the house yesterday at 13:30, it was working. When I returned home at 15:00 it was not. I have no problem believing a for profit company did something dumb…

From the “homework” it would appear I should select from the provided list one or two public DNS providers. Is there a way to tell IPFIRE to not use the DHCP provided ones? (If for no other reason than to avoid repeated messages in the log?)

From the “homework” I take it is not a good idea to whitelist the ISP DNS servers.

@cfusco , no problem. :wink:
IMHO, for basic things a text is more precise than a video.

@drmacro , don’t exactly know where it is stated, but ISP’s DNS servers do not always support DNSSEC ( temporary or permanent ).

Go to WUI, choose Network/Domain Name System, un-check Use ISP-assigned DNS servers. This is my page. I also use DNS over TLS and QNAME Minimization (more private setting).

EDIT: you should also consider preventing your internal network from using any other DNS, by redirecting their requests to IPFire.


That is what has happened. IPFire will consider any DNS Server that does not support DNSSEC as broken and that has been the case for some time.

It could be that your ISP has a problem with their DNSSEC validation and have turned it off while they fix it.
You would need to ask them why DNSSEC is no longer supported since 14:00 on 4th May.

Not all but many ISP’s aim to monetise your DNS traffic by using it to direct you preferentially to certain sites or provide it to advertisers for your browsing.

I think my ISP is not the sort to likely do that but just in case I still disable the ISP DNS Servers and also use DNS over TLS (TLS option in IPFire) as that then encrypts my DNS traffic so the ISP is unable to see the specifics of the websites I am trying to access.
Of course you still need to trust the DNS servers that you are using to not interfere or log your data etc, so I have selected 5 servers from the DNS over TLS list each from a different European country and where I have read through their privacy policy and done some general searching on them to convince myself that they are worth my trust.


also they frequently are obliged to implement what their government says its clients are not supposed to see, and therefore they break the integrity of the DNS as a way to censor Internet.

1 Like

I wonder if the change at my ISP has anything to do with the Colorado blocking PORNHUB? :rofl:

Though, I’m not in Colorado…

Possible, especially if they intend to redirect their customers to a web page saying “no ponhub for you. Signed: your overloads”.

1 Like

When it was announced the searches from Colorado IP’s for “VPN” increased something like 6X.


The Net interprets censorship as damage and routes around it --John Gilmore

EDIT: I wont link it here, even if it is safe for work. If you go to the link the Colorado government doesn’t wont you to go, and after the main DNS name you add /insights you will see their sysadmin blog posts. Search for 2022 year in review, there you can see a map of US states, with overlaid their preferred search term. You can see what search term the “Coloradans” got in trouble for. The whole analysis is very entertaining, possibly more than the “classical” content.


the people of Colorado have know idea how much more there ISP is going to spy on them.
they don’t understand what they are asking for when they ask ? force there ISP to filter and block
the internet based on users / Children. this is bad.

1 Like