Number of DNS issues and frustration

First off, thanks much for ipfire. I’ve been using ipfire for a couple of years now and I’d been helpful – but I still feel basically like a newbie. I’ve spent some time on the wiki and been patient with the UI but a couple of things still aren’t working right. I’m running IPFire 2.25 (x86_64) - Core Update 152.

  • The DNS proxy does not seem to work with my verizon DNS servers. Google’s 8.8.8.8 and 8.8.4.4 sort of work (see next bullet), but if I check off the “Use ISP-assigned DNS servers” then no names resolve. I can do a dig @71.243.0.12 google.com when I’ve logged into my ipfire router via ssh but the forwards don’t work. I’ve tried UDP and TCP and I don’t have any firewall rules that should stop it.
  • When I click on check DNS servers it says “broken” which I guess is the issue. If there is some sanity check issue with the servers, is there some way that the UI can show that they are somehow not worthy? Maybe a checkbox that says “yeah use them anyway”?
  • Even with Google’s 8.8.8.8 and 8.8.4.4 configured into the name server list, I can’t resolve (for example community.ipfire.org. Other domains seem to work fine but some smallish subset doesn’t. Again, a dig @8.8.8.8 of those domains from the server works fine.
  • When I load the /cgi-bin/dns.cgi URL on my server, it takes good ~7 seconds to render. My network and the router are not loaded. Is it trying to mine some bitcoin or something?

Thanks much for any help,
gray

Not sure I can help.
Could you post your Domain name system setup.
I see post similar to this now and then.
Have you tried DNS over TCP.
I have Verizon and and their router DMZ blocks DOT!

1 Like

Hi Gray and welcome to the IPFire Community!

For the short term, please go to the Intrusion Prevention System (menu Firewall > Intrusion Prevention System) and make sure it is set to STOPPED. It can be enable/started when we get things working.

 

Please include a screenshot of the Domain Name System webpage (menu Network > Domain Name System).

I tried the 71.243.0.12 DNS server and I get an error. Maybe it doesn’t like me since I am not on the Verizon network (I can ping the address). So for now, let’s stick with the Google DNS.

[root@ipfire ~]# dig +dnssec ipfire.org @71.243.0.12 

; <<>> DiG 9.11.21 <<>> +dnssec ipfire.org @71.243.0.12
;; global options: +cmd
;; connection timed out; no servers could be reached
[root@ipfire ~]# dig ipfire.org @71.243.0.12 

; <<>> DiG 9.11.21 <<>> ipfire.org @71.243.0.12
;; global options: +cmd
;; connection timed out; no servers could be reached

My DNS page take about the same (8-9 seconds). It may be dependent on how many servers added. I have twelve added.
No bitcoin mining. I’d be pretty pissed unhappy if that was true!

1 Like

Thanks Jon. Really appreciate your help.

Here’s my Domain Name System screengrab.

Dig +dnssec does work for me from the ipfire box.

dig +dnssec community.ipfire.org @71.243.0.12

; <<>> DiG 9.11.21 <<>> +dnssec ipfire.org @71.243.0.12
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5642
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;ipfire.org. IN A

;; ANSWER SECTION:
community.ipfire.org. 3600 IN A 81.3.27.38

;; Query time: 8 msec
;; SERVER: 71.243.0.12#53(71.243.0.12)
;; WHEN: Tue Nov 24 09:35:17 EST 2020
;; MSG SIZE rcvd: 55

But this still times out from anywhere inside of my network:

/Users/graywatson {GrayMac} dig @10.0.1.1 community.ipfire.org

; <<>> DiG 9.10.6 <<>> @10.0.1.1 community.ipfire.org
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached

Ok. This is interesting. As you recommended, I disabled intrusion detection and it did resolve the DNS issues. On that page I noticed that the ruleset had not been updated since 2018. I did not see a button for “Update ruleset now” but pressing save that it should still update weekly (I was already et to that) seems to have updated it to now. When I turn intrusion detection back on, it now seems to be working. Hrmmmmm.

Ok. More interesting stuff. When I disable intrusion detection, the Domain Name System page loads tons faster and now I see the rDNS responses. So ipfire is getting in the way of itself there.

When I then test the verizon nameservers they are still coming back as “broken” and the Google 2 are the only ones that seem to work.

Sorry Shaun. Didn’t see your answer. Thanks for it. I did try DNS over TCP and it did not work.

Would their not supporting DOT be the issue with ipfire saying that they are “broken”?

Based on what you are seeing I am guessing the two Verizon servers do not support DNSSEC and that is why they show up Broken.

I think you did the perfect test with dig +dnssec community.ipfire.org @71.243.0.12

$ dig +dnssec community.ipfire.org @71.243.0.12
; <<>> DiG 9.11.21 <<>> +dnssec ipfire.org @71.243.0.12
. . .
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
. . .

Look at ;; flags: qr rd ra; there should be a ad in there.

I’m trying to find a good article for you but I haven’t come across one. You may want to research DNSSEC and testing.

So I would suggest turning off the ISP servers. And picking a different DNS server that does support DNSSEC.

Google is OK. I use and like Quad9. There are lots of good alternatives.

3 Likes

Missed one!

I ran into the exact same things. My old rules did not work with the new ISP (Suricata). And my DNS stopped working. I went thru the high level rules, one by one, to find the main category that did not work. I am guessing (and the key word is guess) that the rule I turned off was emerging-policy.rules.

EDIT: read this:

Just to add something for comparison, this is what works for me:

1 Like

good idea! This is what works for me!

1 Like