No DNS Problems at Zone . Except IPFire in Logs

I am working on a separate chain with another issue, but it's thought that my IPFire instance is having general DNS problems, but I pulled all of the June 20 logs and looked through them. I don't see any problems with any other FQDN except servers located on the IPFire domain. Below the log are pictures of my configuration.

Once in a while I will click the test button and it will actually show the reverse DNS of the servers, but more often than not it doesn't work.

These select FQDNs at IPFire seem to be getting SERVFAIL at zone .

17:20:51 unbound: [3282:0] notice: Restart of unbound 1.10.1.
17:20:51 unbound: [3282:0] notice: init module 0: validator
17:20:51 unbound: [3282:0] notice: init module 1: iterator
17:20:51 unbound: [3282:0] info: start of service (unbound 1.10.1).
17:21:21 unbound: [3282:0] error: SERVFAIL <ping.ipfire.org. A IN>: all the configured stub or forward servers failed, at zone .
17:21:42 unbound: [3282:0] info: generate keytag query _ta-4a5c-4f66. NULL IN
17:21:56 unbound: [3282:0] error: SERVFAIL <ping.ipfire.org. A IN>: all the configured stub or forward servers failed, at zone .
22:42:57 unbound: [3282:0] info: service stopped (unbound 1.10.1).
22:42:57 unbound: [3282:0] info: server stats for thread 0: 535 queries, 211 answers from cache, 324 recursions, 1 prefetch, 0 rejected by ip ratelimiting
22:42:57 unbound: [3282:0] info: server stats for thread 0: requestlist max 2 avg 0.0738462 exceeded 0 jostled 0
22:42:57 unbound: [3282:0] info: average recursion processing time 0.595632 sec
22:42:57 unbound: [3282:0] info: histogram of recursion processing times
22:42:57 unbound: [3282:0] info: [25%]=0.0171951 median[50%]=0.0303347 [75%]=0.0771012
22:42:57 unbound: [3282:0] info: lower(secs) upper(secs) recursions
22:42:57 unbound: [3282:0] info: 0.008192 0.016384 76
22:42:57 unbound: [3282:0] info: 0.016384 0.032768 101
22:42:57 unbound: [3282:0] info: 0.032768 0.065536 57
22:42:57 unbound: [3282:0] info: 0.065536 0.131072 51
22:42:57 unbound: [3282:0] info: 0.131072 0.262144 26
22:42:57 unbound: [3282:0] info: 0.262144 0.524288 7
22:42:57 unbound: [3282:0] info: 0.524288 1.000000 1
22:42:57 unbound: [3282:0] info: 16.000000 32.000000 4
22:42:57 unbound: [3282:0] info: 64.000000 128.000000 1
22:42:59 unbound: [22072:0] notice: init module 0: validator
22:42:59 unbound: [22072:0] notice: init module 1: iterator
22:42:59 unbound: [22072:0] info: start of service (unbound 1.10.1).
22:43:18 unbound: [22072:0] info: generate keytag query _ta-4a5c-4f66. NULL IN
22:45:56 unbound: [22072:0] error: SERVFAIL <pakfire.ipfire.org. A IN>: all the configured stub or forward servers failed, at zone .
22:46:13 unbound: [22072:0] error: SERVFAIL <mirror1.ipfire.org. A IN>: all the configured stub or forward servers failed, at zone .
22:47:01 unbound: [22072:0] error: SERVFAIL <pakfire.ipfire.org. A IN>: all the configured stub or forward servers failed, at zone .
22:47:21 unbound: [22072:0] error: SERVFAIL <mirror1.ipfire.org. A IN>: all the configured stub or forward servers failed, at zone .
22:49:10 unbound: [22072:0] info: service stopped (unbound 1.10.1).
22:49:10 unbound: [22072:0] info: server stats for thread 0: 83 queries, 19 answers from cache, 64 recursions, 0 prefetch, 0 rejected by ip ratelimiting
22:49:10 unbound: [22072:0] info: server stats for thread 0: requestlist max 4 avg 1.85938 exceeded 0 jostled 0
22:49:10 unbound: [22072:0] info: average recursion processing time 15.705883 sec
22:49:10 unbound: [22072:0] info: histogram of recursion processing times
22:49:10 unbound: [22072:0] info: [25%]=0.03072 median[50%]=10 [75%]=25.8667
22:49:10 unbound: [22072:0] info: lower(secs) upper(secs) recursions
22:49:10 unbound: [22072:0] info: 0.000000 0.000001 10
22:49:10 unbound: [22072:0] info: 0.008192 0.016384 2
22:49:10 unbound: [22072:0] info: 0.016384 0.032768 2
22:49:10 unbound: [22072:0] info: 0.032768 0.065536 2
22:49:10 unbound: [22072:0] info: 0.065536 0.131072 4
22:49:10 unbound: [22072:0] info: 0.131072 0.262144 2
22:49:10 unbound: [22072:0] info: 0.262144 0.524288 1
22:49:10 unbound: [22072:0] info: 2.000000 4.000000 1
22:49:10 unbound: [22072:0] info: 4.000000 8.000000 2
22:49:10 unbound: [22072:0] info: 8.000000 16.000000 6
22:49:10 unbound: [22072:0] info: 16.000000 32.000000 15
22:49:10 unbound: [22072:0] info: 32.000000 64.000000 6
22:49:10 unbound: [22072:0] info: 64.000000 128.000000 2
22:49:10 unbound: [22072:0] notice: Restart of unbound 1.10.1.
22:49:10 unbound: [22072:0] notice: init module 0: validator
22:49:10 unbound: [22072:0] notice: init module 1: iterator
22:49:10 unbound: [22072:0] info: start of service (unbound 1.10.1).
22:50:47 unbound: [22072:0] info: service stopped (unbound 1.10.1).
22:50:47 unbound: [22072:0] info: server stats for thread 0: 2 queries, 2 answers from cache, 0 recursions, 0 prefetch, 0 rejected by ip ratelimiting
22:50:47 unbound: [22072:0] info: server stats for thread 0: requestlist max 0 avg 0 exceeded 0 jostled 0
22:50:47 unbound: [22072:0] notice: Restart of unbound 1.10.1.
22:50:47 unbound: [22072:0] notice: init module 0: validator
22:50:47 unbound: [22072:0] notice: init module 1: iterator
22:50:47 unbound: [22072:0] info: start of service (unbound 1.10.1).
22:51:11 unbound: [22072:0] info: service stopped (unbound 1.10.1).
22:51:11 unbound: [22072:0] info: server stats for thread 0: 1 queries, 1 answers from cache, 0 recursions, 0 prefetch, 0 rejected by ip ratelimiting
22:51:11 unbound: [22072:0] info: server stats for thread 0: requestlist max 0 avg 0 exceeded 0 jostled 0
22:51:11 unbound: [22072:0] notice: Restart of unbound 1.10.1.
22:51:11 unbound: [22072:0] notice: init module 0: validator
22:51:11 unbound: [22072:0] notice: init module 1: iterator
22:51:11 unbound: [22072:0] info: start of service (unbound 1.10.1).
22:52:07 unbound: [22072:0] info: generate keytag query _ta-4a5c-4f66. NULL IN
22:52:25 unbound: [22072:0] error: SERVFAIL <pakfire.ipfire.org. A IN>: all the configured stub or forward servers failed, at zone .
22:52:25 unbound: [22072:0] error: SERVFAIL <pakfire.ipfire.org. AAAA IN>: all the configured stub or forward servers failed, at zone .
22:54:30 unbound: [22072:0] error: SERVFAIL <pakfire.ipfire.org. AAAA IN>: all the configured stub or forward servers failed, at zone .
22:54:30 unbound: [22072:0] error: SERVFAIL <pakfire.ipfire.org. A IN>: all the configured stub or forward servers failed, at zone .
22:54:32 unbound: [22072:0] info: service stopped (unbound 1.10.1).
22:54:32 unbound: [22072:0] info: server stats for thread 0: 25 queries, 7 answers from cache, 18 recursions, 0 prefetch, 0 rejected by ip ratelimiting
22:54:32 unbound: [22072:0] info: server stats for thread 0: requestlist max 3 avg 1.38889 exceeded 0 jostled 0
22:54:32 unbound: [22072:0] info: average recursion processing time 11.983201 sec
22:54:32 unbound: [22072:0] info: histogram of recursion processing times
22:54:32 unbound: [22072:0] info: [25%]=0.049152 median[50%]=0.131072 [75%]=23
22:54:32 unbound: [22072:0] info: lower(secs) upper(secs) recursions
22:54:32 unbound: [22072:0] info: 0.016384 0.032768 4
22:54:32 unbound: [22072:0] info: 0.032768 0.065536 1
22:54:32 unbound: [22072:0] info: 0.065536 0.131072 4
22:54:32 unbound: [22072:0] info: 4.000000 8.000000 1
22:54:32 unbound: [22072:0] info: 16.000000 32.000000 8
22:54:32 unbound: [22072:0] notice: Restart of unbound 1.10.1.
22:54:32 unbound: [22072:0] notice: init module 0: validator
22:54:32 unbound: [22072:0] notice: init module 1: iterator
22:54:32 unbound: [22072:0] info: start of service (unbound 1.10.1).
22:55:10 unbound: [22072:0] error: SERVFAIL <pakfire.ipfire.org. AAAA IN>: all the configured stub or forward servers failed, at zone .
22:55:20 unbound: [22072:0] info: generate keytag query _ta-4a5c-4f66. NULL IN
22:59:01 unbound: [22072:0] info: validation failure <mirror7.ipfire.org. A IN>: No DNSKEY record for key ipfire.org. while building chain of trust
23:00:47 unbound: [22072:0] info: service stopped (unbound 1.10.1).
23:00:47 unbound: [22072:0] info: server stats for thread 0: 46 queries, 27 answers from cache, 19 recursions, 0 prefetch, 0 rejected by ip ratelimiting
23:00:47 unbound: [22072:0] info: server stats for thread 0: requestlist max 3 avg 1.36842 exceeded 0 jostled 0
23:00:47 unbound: [22072:0] info: average recursion processing time 40.911369 sec
23:00:47 unbound: [22072:0] info: histogram of recursion processing times
23:00:47 unbound: [22072:0] info: [25%]=0.101581 median[50%]=0.393216 [75%]=28
23:00:47 unbound: [22072:0] info: lower(secs) upper(secs) recursions
23:00:47 unbound: [22072:0] info: 0.008192 0.016384 1
23:00:47 unbound: [22072:0] info: 0.032768 0.065536 1
23:00:47 unbound: [22072:0] info: 0.065536 0.131072 5
23:00:47 unbound: [22072:0] info: 0.131072 0.262144 2
23:00:47 unbound: [22072:0] info: 0.262144 0.524288 1
23:00:47 unbound: [22072:0] info: 0.524288 1.000000 2
23:00:47 unbound: [22072:0] info: 16.000000 32.000000 3
23:00:47 unbound: [22072:0] info: 128.000000 256.000000 4
23:02:19 unbound: [3288:0] notice: init module 0: validator
23:02:19 unbound: [3288:0] notice: init module 1: iterator
23:02:19 unbound: [3288:0] info: start of service (unbound 1.10.1).
23:02:46 unbound: [3288:0] info: service stopped (unbound 1.10.1).
23:02:46 unbound: [3288:0] info: server stats for thread 0: 0 queries, 0 answers from cache, 0 recursions, 0 prefetch, 0 rejected by ip ratelimiting
23:02:46 unbound: [3288:0] info: server stats for thread 0: requestlist max 0 avg 0 exceeded 0 jostled 0
23:02:46 unbound: [3288:0] notice: Restart of unbound 1.10.1.
23:02:46 unbound: [3288:0] notice: init module 0: validator
23:02:46 unbound: [3288:0] notice: init module 1: iterator
23:02:46 unbound: [3288:0] info: start of service (unbound 1.10.1).
23:02:57 unbound: [3288:0] info: generate keytag query _ta-4a5c-4f66. NULL IN
23:06:03 unbound: [3288:0] info: validation failure <fireinfo.ipfire.org. A IN>: No DNSKEY record for key ipfire.org. while building chain of trust
23:06:03 unbound: [3288:0] info: validation failure <fireinfo.ipfire.org. AAAA IN>: No DNSKEY record for key ipfire.org. while building chain of trust
23:11:27 unbound: [3288:0] error: SERVFAIL <downloads.ipfire.org. A IN>: all the configured stub or forward servers failed, at zone .
23:15:15 unbound: [3288:0] error: SERVFAIL <downloads.ipfire.org. A IN>: all the configured stub or forward servers failed, at zone .
23:19:49 unbound: [3288:0] error: SERVFAIL <downloads.ipfire.org. A IN>: all the configured stub or forward servers failed, at zone .
23:20:36 unbound: [3288:0] error: SERVFAIL <downloads.ipfire.org. A IN>: all the configured stub or forward servers failed, at zone .
23:20:36 unbound: [3288:0] error: SERVFAIL <downloads.ipfire.org. AAAA IN>: all the configured stub or forward servers failed, at zone .
23:21:00 unbound: [3288:0] info: service stopped (unbound 1.10.1).
23:21:00 unbound: [3288:0] info: server stats for thread 0: 77 queries, 25 answers from cache, 52 recursions, 0 prefetch, 0 rejected by ip ratelimiting
23:21:00 unbound: [3288:0] info: server stats for thread 0: requestlist max 4 avg 1.19231 exceeded 0 jostled 0
23:21:00 unbound: [3288:0] info: average recursion processing time 21.010300 sec
23:21:00 unbound: [3288:0] info: histogram of recursion processing times
23:21:00 unbound: [3288:0] info: [25%]=0.016384 median[50%]=0.131072 [75%]=20
23:21:00 unbound: [3288:0] info: lower(secs) upper(secs) recursions
23:21:00 unbound: [3288:0] info: 0.000000 0.000001 9
23:21:00 unbound: [3288:0] info: 0.008192 0.016384 4
23:21:00 unbound: [3288:0] info: 0.016384 0.032768 6
23:21:00 unbound: [3288:0] info: 0.032768 0.065536 2
23:21:00 unbound: [3288:0] info: 0.065536 0.131072 5
23:21:00 unbound: [3288:0] info: 0.131072 0.262144 5
23:21:00 unbound: [3288:0] info: 1.000000 2.000000 1
23:21:00 unbound: [3288:0] info: 4.000000 8.000000 1
23:21:00 unbound: [3288:0] info: 8.000000 16.000000 3
23:21:00 unbound: [3288:0] info: 16.000000 32.000000 12
23:21:00 unbound: [3288:0] info: 128.000000 256.000000 4
23:21:00 unbound: [3288:0] notice: Restart of unbound 1.10.1.
23:21:00 unbound: [3288:0] notice: init module 0: validator
23:21:00 unbound: [3288:0] notice: init module 1: iterator
23:21:00 unbound: [3288:0] info: start of service (unbound 1.10.1).
23:21:33 unbound: [3288:0] info: generate keytag query _ta-4a5c-4f66. NULL IN
23:21:44 unbound: [3288:0] error: SERVFAIL <downloads.ipfire.org. AAAA IN>: all the configured stub or forward servers failed, at zone .
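A small triage script for unbound log lines in the format shown above, added here as an example and not code from the thread or from IPFire. It separates the SERVFAIL lines that end in "at zone ." (the query was handed to the default forwarders and none of them answered) from the DNSSEC validation failures, decodes the hex key tags in the "_ta" line, and counts which parent zone the failures cluster under; the sample lines are constructed in the log's format.

```python
"""Triage unbound log lines of the kind pasted in this thread."""
import re
from collections import Counter

# Constructed sample lines, in the same layout as the thread's excerpt.
SAMPLE_LOG = """\
17:21:21 unbound: [3282:0] error: SERVFAIL <ping.ipfire.org. A IN>: all the configured stub or forward servers failed, at zone .
17:21:42 unbound: [3282:0] info: generate keytag query _ta-4a5c-4f66. NULL IN
22:45:56 unbound: [22072:0] error: SERVFAIL <pakfire.ipfire.org. A IN>: all the configured stub or forward servers failed, at zone .
22:52:25 unbound: [22072:0] error: SERVFAIL <pakfire.ipfire.org. AAAA IN>: all the configured stub or forward servers failed, at zone .
22:59:01 unbound: [22072:0] info: validation failure <mirror7.ipfire.org. A IN>: No DNSKEY record for key ipfire.org. while building chain of trust
23:06:03 unbound: [3288:0] info: validation failure <fireinfo.ipfire.org. A IN>: No DNSKEY record for key ipfire.org. while building chain of trust
22:49:10 unbound: [22072:0] info: average recursion processing time 15.705883 sec
"""

LINE_RE = re.compile(r"^(?P<time>\d\d:\d\d:\d\d) unbound: \[(?P<pid>\d+):\d+\] (?P<level>\w+): (?P<msg>.*)$")
SERVFAIL_RE = re.compile(r"^SERVFAIL <(?P<name>\S+) (?P<type>\S+) IN>: (?P<why>.*), at zone (?P<zone>\S+)$")
VALIDATION_RE = re.compile(r"^validation failure <(?P<name>\S+) (?P<type>\S+) IN>: (?P<why>.*)$")
KEYTAG_RE = re.compile(r"^generate keytag query _ta-(?P<tags>[0-9a-f]+(?:-[0-9a-f]+)*)\. NULL IN$")
RECURSION_RE = re.compile(r"^average recursion processing time (?P<secs>[\d.]+) sec$")


def parent_zone(name):
    """'ping.ipfire.org.' -> 'ipfire.org.' (strip the leftmost label)."""
    return name.split(".", 1)[1]


def triage(log_text):
    """Bucket each line into the failure classes a resolver admin cares about."""
    summary = {"servfail": [], "validation": [], "trust_anchor_tags": [],
               "recursion_sec": [], "unparsed": 0}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            summary["unparsed"] += 1
            continue
        msg = m["msg"]
        if (sf := SERVFAIL_RE.match(msg)):
            # "at zone ." means unbound sent the query to its default forwarders
            # (forward zone ".") and every one of them failed to answer.
            summary["servfail"].append((sf["name"], sf["type"], sf["zone"]))
        elif (vf := VALIDATION_RE.match(msg)):
            # The validator could not finish the chain of trust; the reason text
            # names the zone whose DNSKEY it failed to obtain.
            summary["validation"].append((vf["name"], vf["type"], vf["why"]))
        elif (kt := KEYTAG_RE.match(msg)):
            # RFC 8145 trust-anchor signalling: hex key tags of the root KSKs
            # this unbound currently trusts.
            summary["trust_anchor_tags"] = [int(t, 16) for t in kt["tags"].split("-")]
        elif (rt := RECURSION_RE.match(msg)):
            summary["recursion_sec"].append(float(rt["secs"]))
    return summary


def affected_zones(summary):
    """Count failures per parent zone to see whether one domain dominates."""
    names = [n for n, _, _ in summary["servfail"]] + [n for n, _, _ in summary["validation"]]
    return Counter(parent_zone(n) for n in names)


def forwarders_unreachable(summary):
    """True when any query died at zone '.', i.e. no configured forwarder answered."""
    return any(zone == "." for _, _, zone in summary["servfail"])


if __name__ == "__main__":
    s = triage(SAMPLE_LOG)
    print(affected_zones(s), forwarders_unreachable(s), s["trust_anchor_tags"])
```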

In your DHCP screen, you should have primary DNS as your ipfire ip (eg. 192.168.1.1, 10.0.0.1, …) instead of 8.8.8.8

2 Likes

I am sure I tried that before when I was implementing the IPFire instance, but I will try again. What should I enter here? The Green Interface address?

What is your green network?
Example: if 192.168.5.* and the ipfire has ip 192.168.5.1, you should enter 192.168.5.1 as DNS.

1 Like

Hi Paul, yes that is what I was asking. If it's the IP of the Interface of IPFire green, that is what you suggest I enter. I will make the change and test again.

I think it's fixed now. IPFire is using a single DNS on DHCP for the green interface. Internal wifi running off of the green interface is picking up the assigned DNS of green. Had to reboot once, but expected. I think that may have also fixed the backup and timing issue as well. Odd though that it didn't affect any other domain but ipfire.org. In any event, I will take that as a win! Thank you for looking at that for me.

Eric

2 Likes

Well, my thought that it's fixed shat the bed here about 20 minutes ago…

I swung that DHCP setting out to my green network to use the Green Interface IP. That apparently was a huge dang mistake, because now my production network is all flipped up. I am going to have to revert the changes back or something, and do something quick. At this point it's screwing with my production workflow. Plus now, I have a broken text hovering over the DNS screen.

I am not sure what the heck happened, but I have a crapton of domains being logged in my unbound logs now, 3rd screenshot, complaining about a DNSSec key. Never had used DNSSec yet, although it was on my agenda. Any idea what is going on? I gotta get this system up.

Eric, I see a few issues but first, I'd like to ask you to describe your network, for example:
ISP — cable modem — red (dhcp) ipfire ---- green (10.0.0.1) ---- rest of systems
Maybe there is a blue (wifi) and an orange (dmz) network. I don’t need your public ip.

The DNS screen is kind of weird since the "ISP provided DNS" cannot be 192.168.1.254 (this is a non-routable address on the Internet). Unless your ipfire firewall is behind something else (router?).

My ISP is Cox Communications in the USA and this is my DNS screen. You can see the ISP provided DNS are crossed out – these are public IPs. I use Cloudflare but I can use Google as well. Status is Working, which is key – you need to fix your DNS to Status: Working.

You do not need to blur the DHCP screen since your internal network cannot be accessed from the outside (unless you define rules to do so). My DHCP screen looks like this:

Since your DNS is not working, you will see many errors in /var/log/messages

1 Like

Eric,
just as hint: search the forum for “DNS broken”. Maybe this can help.

I will draw up a visio for you. Will take me a bit.

This is a general flow of what I have.

I do not use a Blue Interface in IPFire. I only use Red and Green, Ingress and Egress. (Public and Private if you will)

The Egress of Green hits a GB Switch, then branches to both LAN (Physical Cat 8 STP), and CAT 8 STP to a High Powered Wifi Router.

On the Wifi Side, I work in the 10.x.x.0/24
On the LAN Side I work in the 172.x.x.0/24

IPFire picks up its DNS from the ISP Modem, but as you can see here, I do not opt to use my ISP DNS in IPFire DNS Configuration, as they are slow in resolution. Instead, I opted to use 8.8.8.8 and 8.8.4.4 from Google.

As you can see, I carried these Google DNS Servers through to the DHCP settings for the LAN. (Granted… the previous suggestion was to swing this to the address of the Green Interface in IPFire, that completely blew up in my face by many DNSSEC errors, although oddly enough, I don’t use DNSSEC, at least not yet anyhow.) After that fiasco this morning, I had to revert back to what you see in the DHCP screen for now for operability. What a pain that was.

Furthermore, as it stands this second, Google 8.8.8.8 and 8.8.4.4 DNS servers carry through to my WiFi Router via DHCP assignment.

I did see a note from one of y'all earlier. I will have to go see what that says as well.

Your “ISP modem” is no modem ( private IP, a modem delivers a public IP ), but a router.
I think this a source of your problems. You do double NAT. You should configure Your IPFire as ‘exposed host’ in the ISP router, to circumvent this problem.

I tried that before. It didn't make a difference, and it's not double NATing, but is definitely a PAT situation. It's a 2-leg firewall. That is normal in the corporate world.

I'm not sure about this because you have not posted the second number of the red IP. If the address is 192.168.x.x on red there is an additional NAT before the IPFire, because 192.168.x.x are private addresses and will not be routed in the Internet, so there must be an additional NAT. (But this should not affect the DNS problem.)

What happens if you click on “Check DNS Servers” on the page?

1 Like

Hello Arne,

Due to the fact I couldn’t get a single DNS server on the Domain Name System page to resolve correctly, I removed my entries for Google DNS here and flipped on “ Use ISP Assigned DNS Servers ”. Proto = DNS / SafeSearch is turned off for “reasons” LOL… Main one is I don’t want it to mess with testing.

Recap…

  • Edge router is in Passthrough Mode for the Static Assigned IPFire Red Interface Address.
  • DNS setup in IPFire has been changed to use ISP assigned DNS
  • With respect to the above, I removed both 8.8.8.8 and 8.8.4.4 for testing
    • The fact I can dig on IPFire and on any Green device tells me that the passage of traffic is open through the Firewall out to the internet through the ISP Device to port 53 UDP.
  • A firewall Rule was created to allow Green to Red Service Group on Port 53 TCP/UDP for DNS.
    • Standard Green to Standard Red
  • DHCP for Green points to Interface of Green Network x.x.x.1, then the Global DNS of IPFire is set to point at the Gateway assigned by the ISP modem/router.
  • I have done everything that I can think of short of Walking the DNS packet from the IPFire Instance to the ISP Router.
  • Status still shows Broken no matter what I have tried.

I wonder if there are any specific DNS files that need to be modified to correct the "Broken Status"…

What I can say is that while standard DNS works fine, DNSSec does not…

Directly on IPFire with Red Static Assignment through ISP Modem/Router in Passthrough Mode.

[root@ipfire ~]# dig @172.16.17.1 +dnssec microsoft.com

; <<>> DiG 9.11.19 <<>> @172.16.17.1 +dnssec microsoft.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63435
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
;; QUESTION SECTION:
;microsoft.com. IN A

;; ANSWER SECTION:
microsoft.com. 2190 IN A 40.112.72.205
microsoft.com. 2190 IN A 40.113.200.201
microsoft.com. 2190 IN A 13.77.161.179
microsoft.com. 2190 IN A 104.215.148.63
microsoft.com. 2190 IN A 40.76.4.15

;; Query time: 21 msec
;; SERVER: 172.16.17.1#53(172.16.17.1)
;; WHEN: Sun Jun 28 21:38:40 EDT 2020
;; MSG SIZE rcvd: 122

As you will notice, nothing was secured in the DNSSec request.

Weird stuff, y'all…

[root@ipfire dns]# cat settings
QNAME_MIN=standard
ENABLE_SAFE_SEARCH=off
USE_ISP_NAMESERVERS=on
PROTO=UDP
[root@ipfire dns]# pwd
/var/ipfire/dns

Note… I did find this site talking about the need for having TCP 53 enabled for DNSSEC due to the size of the response, and since I understand that it is now a "standard" for IPFire to use DNSSEC, I thought it would be a good idea to test with TCP instead of UDP, and I yielded the same results… Not secured…

https://tools.cisco.com/security/center/resources/dnssec_best_practices

Connectivity Over UDP and TCP port 53

Because most DNS traffic is sent over UDP port 53, any filtering of traffic that exists on the network is unlikely to impact future native DNS traffic that is traversing UDP port 53. However, if DNS traffic is not currently permitted to traverse TCP port 53, which is typically used for large DNS packets (that is, those greater than 512 bytes), any issues with DNS traffic over TCP port 53 will be exacerbated when DNSSEC packets begin arriving on the network, because many DNSSEC packets will be greater than 512 bytes due to the additional packet overhead of DNSSEC. If traffic using TCP port 53 is currently not permitted, or is being filtered to or from specific hosts or networks, then it may be necessary to account for new hosts and networks that could be sending DNSSEC traffic over TCP port 53.
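The dig output above can be checked mechanically for what the poster noticed: the DO bit was sent ("flags: do") yet the answer carries no "ad" flag and no RRSIG records. The following is an added example, not code from the thread or from IPFire; it parses dig output into a verdict, and the second sample (VALIDATED_OUTPUT) is constructed to show the validated case. The caveat the verdict encodes: an unsigned zone also returns no RRSIG, so only a name in a zone known to be signed can tell a forwarder that strips DNSSEC data apart from a zone that never had it.

```python
"""Classify a `dig +dnssec` answer: validated, unvalidated, or no DNSSEC data."""
import re

# The unsecured answer from this thread, cut down to the lines the parser uses.
THREAD_OUTPUT = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63435
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
;; QUESTION SECTION:
;microsoft.com. IN A
;; ANSWER SECTION:
microsoft.com. 2190 IN A 40.112.72.205
microsoft.com. 2190 IN A 40.76.4.15
"""

# Constructed answer in the shape a validating resolver returns for a signed
# zone (name, TTLs and RRSIG fields are made up, not captured anywhere).
VALIDATED_OUTPUT = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
;; ANSWER SECTION:
example.org. 300 IN A 192.0.2.10
example.org. 300 IN RRSIG A 13 2 300 20200801000000 20200701000000 12345 example.org. c2lnbmF0dXJl
"""

STATUS_RE = re.compile(r"status: (?P<status>[A-Z]+)")
HEADER_FLAGS_RE = re.compile(r"^;; flags: (?P<flags>[a-z ]*);", re.M)
EDNS_RE = re.compile(r"^; EDNS: version: \d+, flags:(?P<flags>[^;]*);", re.M)


def parse_dig(text):
    """Pull out the header status and flags, the EDNS flags and the answer RR types."""
    status = STATUS_RE.search(text)
    header = HEADER_FLAGS_RE.search(text)
    edns = EDNS_RE.search(text)
    answer_types, in_answer = [], False
    for line in text.splitlines():
        if line.startswith(";; ANSWER SECTION:"):
            in_answer = True
        elif line.startswith(";") or not line.strip():
            in_answer = False                       # any other section ends the answer
        elif in_answer:
            answer_types.append(line.split()[3])    # owner ttl class TYPE rdata...
    return {
        "status": status["status"] if status else None,
        "flags": set(header["flags"].split()) if header else set(),
        "edns_flags": set(edns["flags"].split()) if edns else set(),
        "answer_types": answer_types,
    }


def assess(text):
    """Return the parse plus a one-word verdict on the DNSSEC state of the answer."""
    info = parse_dig(text)
    if info["status"] != "NOERROR":
        verdict = "failed"                 # a validator reports a bogus answer as SERVFAIL
    elif "ad" in info["flags"]:
        verdict = "validated"              # resolver built the chain of trust and set AD
    elif "do" not in info["edns_flags"]:
        verdict = "not_requested"          # we never asked for DNSSEC records (no DO bit)
    elif "RRSIG" in info["answer_types"]:
        verdict = "signed_not_validated"   # signatures returned, but the resolver did not validate
    else:
        verdict = "no_dnssec_data"         # unsigned zone, or a forwarder that drops DNSSEC data
    info["verdict"] = verdict
    return info


if __name__ == "__main__":
    for sample in (THREAD_OUTPUT, VALIDATED_OUTPUT):
        print(assess(sample)["verdict"])
```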

Arne,

Also, here are some excerpts from today from the DNS Unbound log while I was testing. This was at the point I recycled the unbound service…

Note the complaint in the logs about DNSKEY. I am not sure if this applies to my problem, but if it does, I am not sure how to correct it. I know quite a bit, but DNS isn't my strong suit.

13:59:24 unbound: [8051:0] info: start of service (unbound 1.10.1).
13:59:39 unbound: [8051:0] info: service stopped (unbound 1.10.1).
13:59:39 unbound: [8051:0] info: server stats for thread 0: 2 queries, 2 answers from cache, 0 recursions, 0 prefetch, 0 rejected by ip ratelimiting
13:59:39 unbound: [8051:0] info: server stats for thread 0: requestlist max 0 avg 0 exceeded 0 jostled 0
13:59:39 unbound: [8051:0] notice: Restart of unbound 1.10.1.
13:59:39 unbound: [8051:0] notice: init module 0: validator
13:59:39 unbound: [8051:0] notice: init module 1: iterator
13:59:39 unbound: [8051:0] info: start of service (unbound 1.10.1).
14:01:36 unbound: [8051:0] info: generate keytag query _ta-4a5c-4f66. NULL IN
20:02:06 unbound: [8051:0] info: validation failure <ipfire.org. A IN>: No DNSKEY record for key ipfire.org. while building chain of trust
20:16:09 unbound: [8051:0] info: validation failure <ipfire.org. A IN>: No DNSKEY record for key ipfire.org. while building chain of trust
20:16:31 unbound: [8051:0] info: service stopped (unbound 1.10.1).
20:16:31 unbound: [8051:0] info: server stats for thread 0: 897 queries, 449 answers from cache, 448 recursions, 0 prefetch, 0 rejected by ip ratelimiting
20:16:31 unbound: [8051:0] info: server stats for thread 0: requestlist max 3 avg 0.109375 exceeded 0 jostled 0
20:16:31 unbound: [8051:0] info: average recursion processing time 4.250656 sec
20:16:31 unbound: [8051:0] info: histogram of recursion processing times
20:16:31 unbound: [8051:0] info: [25%]=0.0241098 median[50%]=0.0488107 [75%]=0.101438
20:16:31 unbound: [8051:0] info: lower(secs) upper(secs) recursions
20:16:31 unbound: [8051:0] info: 0.000000 0.000001 1
20:16:31 unbound: [8051:0] info: 0.008192 0.016384 53

Which “edge router” do you use and how is it connected to the WAN?
This information can be useful for narrowing the problem.

It's just the generic crappy ISP device. Connected by bi-directional fiber.

I think I found part of the problem. Apparently 8.8.8.8 and 8.8.4.4 Google DNS is not DNSSEC compatible. The second I deleted it all the way back and entered 1.1.1.1 crap started working. Wow… can’t believe that Google isn’t fully compatible lol.

1 Like