Network name is not known suddenly by the firewall

Hello,
my firewall (build 155) was now running for two weeks and suddenly some
network names were no longer seen by the system.

ping ipcam1..lan
gets the message (sorry, German OS)
ping: ipcam1..lan: Der Name oder der Dienst ist nicht bekannt
Which means “Name or service is not known”.

After I reboot only the IPFire system, I get for the same command a proper
ping response, where the IP address is listed correctly.

I noticed this after the last update as well, but thought a reboot was
needed anyway; now, for me, it looks like a memory leak.

Best regards
R.

I assume the two dots are a typo – it should be ping ipcam1.lan

In my env, ping fx.lan works but ping fx..lan does not.

Hi ritchie, I had a similar DNS issue; it would sometimes just stop working. Another strange thing: HP.com would not resolve until a reboot of the firewall, but just one domain at a time, along with internal DNS failures.

I finally changed my DNS resolver which was cloudflare to something else, my internal name resolution has not stopped since, I don’t know why but it fixed it and the random external failures also stopped.

Edit: I am using DoT (DNS over TLS)

Hello Paul,

the ping is working normally.
I just edited the text to avoid giving too much information about my network, which is not needed for the problem.
The text "< name >" was replaced by the website.

Hello HomeRcide,

I am using the DNS server of my provider (German NetCologne).
Are we talking about these settings?

I am using the standard setting (UDP)?
Should I change this?
If so, how?

But why does it suddenly not work for local names?

Best regards
R.

I’m not sure why in my case using Cloudflare was causing issues for internal resolution; maybe it was partly crashing unbound. All I know is I changed it and my problems have not come back.
I can’t say if this will fix your issues or not.

Yes on the DNS settings; maybe try changing those to something with TLS support. Not all providers have DoT DNS servers, so simply changing from UDP to TLS on the provided servers likely won't work.

This blog post helps explain the added privacy of using DNS over TLS (DoT);
I recommend reading it. https://blog.ipfire.org/post/dns-configuration-recommendations-for-ipfire-users

Here is a link for setting up IPFire DNS over TLS, it also has a list of some TLS providers, there are likely more but this is a good starting point.
https://wiki.ipfire.org/configuration/network/dns-server

Even if this is not the fix in your case this is a safer configuration for you.

Here is a quick example of mine,

I don’t much like using Google for my DNS; I need to find a TLS provider that is low latency and not Google. I should do it now since I keep forgetting.

Also take note NOT to use an internal domain name that resolves to a real internet domain. As an example, just last night I saw someone using netgear.com for their internal domain name!

Hello Ritchie!

Maybe a DHCP server setting is incorrect. Check Network > DHCP Server and look at Primary DNS:.

Mine is set to the IP address of my IPFire box. What is your Primary DNS set to?

FYI - Blue is set to a different address…

Hi,
This setup is already changed.
I have also set the DNS to the IP address of the firewall.

Best regards
R.

Hello,

the failure showed up again today. After changing the settings in the “Domain Name Server” section
(just disabling “use ISP-assigned DNS servers”)
and pressing save, the function was working again without a reboot.

Can this give an idea of what happened?

I found the following logs:

15:48:56 unbound: [2852:0] info: [25%]=0.0045186 median[50%]=0.00949129 [75%]=0.0217958
15:48:56 unbound: [2852:0] info: histogram of recursion processing times
15:48:56 unbound: [2852:0] info: average recursion processing time 0.023271 sec
15:48:56 unbound: [2852:0] info: server stats for thread 0: requestlist max 12 avg 0.540796 exceeded 0 jostled 0
15:48:56 unbound: [2852:0] info: server stats for thread 0: 12592 queries, 9090 answers from cache, 3502 recursions, 89 prefetch, 0 rejected by ip ratelimiting
15:48:56 unbound: [2852:0] info: service stopped (unbound 1.13.1).
07:58:20 unbound: [2852:0] info: generate keytag query _ta-4a5c-4f66. NULL IN

By pressing the “save” button, the service was started again.

I also checked the file “unbound” because of
this thread: Local DNS problems after update to core 144 - #8 by erikvl.
The file has this patch included.

Best regards
R.
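The log excerpt above ends with unbound's "service stopped" line and no later "start of service" line, which is what the stuck state looks like on disk. As an added example (not from this thread or from IPFire), here is a small shell check that reads unbound lines in that syslog format and reports whether the last lifecycle message was a stop, when it happened, and the cache-hit rate from the shutdown statistics line. It assumes unbound's startup message "start of service (unbound x.y.z)." and, for the stand-alone run, IPFire's /var/log/messages as the log location; the sample log inside the block is constructed from the lines quoted in the post.

```shell
#!/bin/sh
# Added example, not from the thread: detect an unbound stop that was not
# followed by a restart, using the "HH:MM:SS unbound: [pid:tid] info: ..."
# line format seen in the post. Log path and the start message wording are
# assumptions (see lead-in).

# unbound_last_state LOGFILE: prints "stopped", "running" or "unknown",
# depending on the most recent lifecycle message in the file.
unbound_last_state() {
    awk '
        /unbound:.*info: service stopped/   { state = "stopped" }
        /unbound:.*info: start of service/  { state = "running" }
        END { print (state == "" ? "unknown" : state) }
    ' "$1"
}

# unbound_last_stop_time LOGFILE: timestamp of the most recent stop line
# (empty if there is none).
unbound_last_stop_time() {
    awk '/unbound:.*info: service stopped/ { t = $1 } END { print t }' "$1"
}

# unbound_cache_hit_pct LOGFILE: integer percentage of queries answered from
# cache, taken from the last "server stats ... N queries, M answers from cache"
# summary that unbound writes on shutdown (0 if no such line exists).
unbound_cache_hit_pct() {
    awk '
        /server stats for thread [0-9]+: [0-9]+ queries/ {
            for (i = 1; i <= NF; i++) {
                if ($(i+1) == "queries,") q = $i
                if ($(i+1) == "answers") h = $i
            }
        }
        END { if (q > 0) printf "%d\n", (100 * h) / q; else print 0 }
    ' "$1"
}

# write_sample_log FILE: constructed sample built from the lines quoted in
# the post; the daemon stops at 15:48:56 and is never started again.
write_sample_log() {
    cat > "$1" <<'EOF'
15:48:56 unbound: [2852:0] info: average recursion processing time 0.023271 sec
15:48:56 unbound: [2852:0] info: server stats for thread 0: 12592 queries, 9090 answers from cache, 3502 recursions, 89 prefetch, 0 rejected by ip ratelimiting
15:48:56 unbound: [2852:0] info: service stopped (unbound 1.13.1).
07:58:20 unbound: [2852:0] info: generate keytag query _ta-4a5c-4f66. NULL IN
EOF
}

# Stand-alone run: check a real log (default /var/log/messages, assumed to be
# where IPFire's syslog writes unbound's messages) and exit 1 if stopped.
if [ "${0##*/}" = "unbound-logcheck.sh" ]; then
    log="${1:-/var/log/messages}"
    state=$(unbound_last_state "$log")
    echo "unbound state from log: $state (cache hit rate $(unbound_cache_hit_pct "$log")%)"
    if [ "$state" = stopped ]; then
        echo "last stop at $(unbound_last_stop_time "$log") with no restart since"
        exit 1
    fi
fi
```

Run it as `unbound-logcheck.sh /var/log/messages` from a cron job and it exits non-zero exactly in the situation the post describes, which is a simple trigger for an alert or for pressing the equivalent of the "save" button from a script.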

It does appear this may be an issue with Unbound 1.13.1
and not specific to IPFire.

I did an Internet search for

I found many issues about unbound stopping with this version.
I’m not aware of any fixes; some people have possible workarounds with mixed results.
1.13.1 is still the current version.

Maybe do a search and some reading. I don’t want to link those articles in here since they are very easy to find and the possible workarounds may not be the safest approach.

Hi,

Thanks for the information.
I have also added two additional DNS servers, to check if it is a problem of the DNS server of my provider.

But all of them do not support TLS up to now.

Best regards
R.

Hello,

maybe a watchdog is a good workaround, until the real reason is found.

Best regards
R.

In the wiki there is a page that gives DNS servers supporting TLS about half way down.

https://wiki.ipfire.org/dns/public-servers

I am using:-

recursor01.dns.lightningwirelabs.com
doh-dot.applied-privacy.net
dns2.digitalcourage.de
dns1.digitale-gesellschaft.ch

with no issues with my DNS. Maybe give these or some of them a go.


Hi,

Perhaps monit could be of help:

Despite not having any problems with unbound 1.13.1, I use monit and the following file in /etc/monit.d/:

# IPFire - monit control file - unbound
check process unbound with pidfile "/var/run/unbound.pid"
	# skip the checks Mondays 02:40-02:50 (cron fields: minute hour day month weekday)
	not every "40-50 2 * * 1"
	start program = "/etc/init.d/unbound start"
	stop program = "/etc/init.d/unbound stop"
	# first missed cycle: alert only; second consecutive miss: restart the service
	if not exist then alert
	if not exist for 2 cycles then restart
	# restart loop protection: if it keeps dying, stop restarting and alert instead
	if 3 restarts within 3 cycles then alert

Important: monit comes with a standard control file - /etc/monit.rc - that you have to adapt according to your requirements! Read the comments in this file.

HTH,
Matthias
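For a box without monit, the same policy (alert on the first missed cycle, restart after two consecutive misses) can be run from a cron job. The script below is an added example, not IPFire's or monit's code and not from this thread. It takes the pidfile and init-script paths from the monit file quoted above; the state-file path, the probe name (ipcam1.lan, the name from the original report) and the fcron scheduling are my assumptions. Unlike the monit file it also checks that the resolver actually answers, since a daemon can be alive and still not resolve, and it leaves out the "not every" maintenance window and the restart-loop alert.

```shell
#!/bin/sh
# Added example (not IPFire's or monit's own code): a cron-driven watchdog
# for unbound. Pidfile and init script paths are those quoted in the monit
# file in the thread; STATEFILE and PROBE_NAME are assumed values.
PIDFILE="${PIDFILE:-/var/run/unbound.pid}"
INIT="${INIT:-/etc/init.d/unbound}"
STATEFILE="${STATEFILE:-/var/run/unbound-watchdog.state}"   # assumed path
PROBE_NAME="${PROBE_NAME:-ipcam1.lan}"                      # local name from the report

# pid_alive PIDFILE: 0 if the file names a running process, 1 otherwise.
pid_alive() {
    pid=$(cat "$1" 2>/dev/null) || return 1
    case "$pid" in ''|*[!0-9]*) return 1 ;; esac
    kill -0 "$pid" 2>/dev/null
}

# resolves NAME: 0 if the local resolver on 127.0.0.1 returns an A record.
# Uses dig when available, otherwise host.
resolves() {
    if command -v dig >/dev/null 2>&1; then
        [ -n "$(dig +short +time=2 +tries=1 @127.0.0.1 "$1" A 2>/dev/null)" ]
    else
        host -W 2 "$1" 127.0.0.1 >/dev/null 2>&1
    fi
}

# consecutive_failures STATEFILE ok|fail: record this cycle's result and print
# the number of consecutive failed cycles (reset to 0 by a success).
consecutive_failures() {
    prev=$(cat "$1" 2>/dev/null || echo 0)
    case "$prev" in ''|*[!0-9]*) prev=0 ;; esac
    if [ "$2" = fail ]; then n=$((prev + 1)); else n=0; fi
    echo "$n" > "$1"
    echo "$n"
}

# decide FAILS: the action for this cycle, following the monit rules from the
# thread: none on success, alert after 1 failed cycle, restart after 2.
decide() {
    if [ "$1" -ge 2 ]; then echo restart
    elif [ "$1" -ge 1 ]; then echo alert
    else echo none; fi
}

# watchdog_cycle: run one check, update the state file and act on it.
watchdog_cycle() {
    if pid_alive "$PIDFILE" && resolves "$PROBE_NAME"; then
        result=ok
    else
        result=fail
    fi
    fails=$(consecutive_failures "$STATEFILE" "$result")
    action=$(decide "$fails")
    case "$action" in
        alert)   logger -t unbound-watchdog "unbound unhealthy (failed cycle $fails)" ;;
        restart) logger -t unbound-watchdog "restarting unbound after $fails failed cycles"
                 "$INIT" restart
                 echo 0 > "$STATEFILE" ;;
    esac
    echo "$action"
}

# Run one cycle when executed directly; sourcing only defines the functions.
if [ "${0##*/}" = "unbound-watchdog.sh" ]; then
    watchdog_cycle
fi
```

Schedule it once a minute from fcron (IPFire's cron), e.g. `* * * * * /usr/local/bin/unbound-watchdog.sh`; the state file keeps the "two cycles" memory between runs, and `logger` puts the alert and restart messages into the same syslog the unbound lines above come from.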

Hi mfischer, you got me curious since you said you are not having issues. I did have nearly the same problem as ritchie: with one or two DNS servers configured I had issues; after adding a third it so far seems fine.
How many do you have enabled?

It will be interesting to see how many Matthias has configured.

I have six configured in my system and I have not had any problems. There is an occasional SERVFAIL but the numbers are quite low and any spikes I have had were when I unplugged the connection between my IPFire and the Fibre mode converter box.

I’m hoping I don’t need to add more, I don’t have full trust in most U.S. servers, I guess it shouldn’t matter if I add a few servers with higher latency as backups.

It also would be nice to be able to set the server order regardless of latency.

Hi,

current: nine.

There once were ten, but I deactivated 145.100.185.16 some days ago, because of certificate errors.

ISP is Telekom/Germany - running DNS/NTP redirecting rules through fwoptions.cgi. No seen problems, no alerts from monit, no unbound restarts…

HTH,
Matthias


Hi,
Since I have four servers entered, the stop of the service has not been seen up to now.

Best regards R.

Great, glad to hear it.