Local DNS problem after update core 153

I have something strange going on in Unbound since my last Ipfire update with core update 153.
For example I can’t resolve the ipfire.org domain but also other domains!
Here is the error message I have in the logs

...
Feb  9 23:54:53 myipfire unbound: [1731:0] info: validation failure <time-a.timefreq.bldrdoc.gov. 
AAAA IN>: key for validation bldrdoc.gov. is marked as invalid
Feb  9 23:54:53 myipfire unbound: [1731:0] info: validation failure <time-b.timefreq.bldrdoc.gov. 
AAAA IN>: key for validation bldrdoc.gov. is marked as invalid
...
Feb  9 23:58:13 myipfire unbound: [2596:0] info: validation failure <45.143.166.83.in-addr.arpa. PTR IN>: key for validation in-addr.arpa. is marked as invalid
Feb  9 23:58:14 myipfire unbound: [2596:0] info: validation failure <www.ipfire.org. A IN>: key for validation ipfire.org. is marked as invalid
...
Feb  9 23:55:49 myipfire unbound: [2596:0] info: validation failure <api.met.no. A IN>: No DNSKEY record from 103.247.36.9 for key met.no. while building chain of trust
Feb  9 23:55:49 myipfire unbound: [2596:0] info: validation failure <api.met.no. AAAA IN>: No DNSKEY record from 103.247.36.9 for key met.no. while building chain of trust
...
Feb  9 23:56:02 myipfire unbound: [2596:0] info: validation failure <195.195.97.37.in-addr.arpa. PTR IN>: key for validation in-addr.arpa. is marked as invalid
Feb  9 23:56:03 myipfire unbound: [2596:0] info: validation failure <44.143.166.83.in-addr.arpa. PTR IN>: No DNSKEY record from 172.14.15.16 for key in-addr.arpa. while 
...
Feb  9 23:56:04 myipfire unbound: [2596:0] info: validation failure <www.ipfire.org. A IN>: No DNSKEY record from 103.247.37.9 for key ipfire.org. while building chain of trust
Feb  9 23:56:04 myipfire unbound: [2596:0] info: validation failure <ipfire.org. DNSKEY IN>: No DNSKEY record from 103.247.37.9 for key ipfire.org. while building chain of trust
...

I have Ipfire installed on 3 sites and I have the same problem on all 3 sites :sleepy:

Does anyone have the same worries ?
Is there a bug with Unbound ?

Thanks

Please add a screenshot of your DNS settings (DNS Servers and DNS Configuration) at menu Network > Domain Name System

Hi Jon,
Thank for your answer :wink:
Here is my screenshot

Many thanks

Looks like a few Reverse lookup failed type errors, eh?

Let’s try a few things:

  • Disable all of the DNS in your list - just as a test
  • Add a Quad9 DNS server @ 9.9.9.9
    • this is the DNS server I use so I know it works!
    • this is just for testing, you can change later
  • Change the Protocol for DNS queries from UDP to TLS. And click Save

Now try the domains that did not resolve. Does ipfire.org work OK?

EDIT: added image of my setup

Thanks Jon for your answer.
My firewalls are in production…I will have to check this out of working hours.

I’ll keep you informed…thanks again :wink:

Hi Jon,

I was finally able to have a little time to do the above test :wink:
With the Protocol for DNS queries field set to “TLS”, if I enter the DNS of Quad9…no problem, it works fine on these DNS.
On the other hand for the DNS of my DNS provider named DNSFilter, only UDP and TCP works !
look at my capture bellow

The problem is that if I disable Quad9’s DNS, I get the errors I described when I opened this post in the firewall log and the sites with the ipfire.org domain or other sites don’t work !
So…is there anything to do on Ipfire or should I contact DNSFilter support ?
Thanks

If DNSFilter doesn’t provide DNS over TLS, you cannot change this in IPFire.

1 Like

What about the problem I described in my first post…is it possible that some domains (such as ipfire.org) don’t accept not to be contacted via anything other than TLS ?

There is a link at DNSFilter that talks about TLS:

https://docs.dnsfilter.com/docs/dns-over-tls

Apparently I would have to put this information

ssl-upstream: yes
name: "."
forward-addr: 103.247.36.36@853
forward-addr: 103.247.37.37@853

…in a Unbound conf file.

how can I make this setting in Unbound without it being rewritten by Ipfire?

Thanks

The above is bad.

Do this instead → Add a new DNS server and then Save this:

This doesn’t help!
dnsfilter does not support TLS.

Ugh! It is suppose to!


But … dig +dnssec dns1.dnsfilter.com does not provide the ad flag. Why?

dig +dnssec dns1.dnsfilter.com

; <<>> DiG 9.11.3-1ubuntu1.14-Ubuntu <<>> +dnssec dns1.dnsfilter.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45288
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
;; QUESTION SECTION:
;dns1.dnsfilter.com.		IN	A

;; ANSWER SECTION:
dns1.dnsfilter.com.	20960	IN	A	103.247.36.36
2 Likes

@tikok974 - time to contact dnsfilter.com and ask them why…

1 Like

Thank you all for your answers :wink:

@jon, I had already set the DNSFilter addresses correctly in the interface (as shown in my screenshot) but this did not change the problem.

I have created a ticket at DNSFilter and am waiting for their response.

I sent them back to our discussion here so they have all the details.
We’ll wait for their answer…I’ll keep you posted.

Thanks

1 Like

I just checkerd with both server IPs/host names.
Both with error.

1 Like