Pakfire can't "refresh list"

After doing a new installation of IPFire, I have no add-ons, because Pakfire can’t “refresh list”. So I cannot install samba …

The system-logs:

IPFire:

13:58:31 ipfire: DHCP on GREEN: DHCP server enabled. Restarting.
13:58:42 ipfire: Rebooting IPFire
14:02:07 ipfire: NTP synchronisation event
15:02:07 ipfire: NTP synchronisation event

DNS:Unbound

15:24:04 unbound: [1394:1] info: validation failure ?0. A IN
15:24:04 unbound: [1394:0] info: validation failure ?0.localdomain. A IN
16:16:06 unbound: [1394:1] info: validation failure pakfire.ipfire.org. A IN
16:16:06 unbound: [1394:1] info: validation failure pakfire.ipfire.org.localdomain. A IN

Pakfire

16:16:06 pakfire: DOWNLOAD STARTED: 2.23-x86_64/lists/server-list.db
16:16:06 pakfire: DOWNLOAD INFO: Host: pakfire.ipfire.org (HTTP) - File: 2.23-x86_64/lists/server-list.db
16:16:06 pakfire: DOWNLOAD INFO: 2.23-x86_64/lists/server-list.db has size of bytes
16:16:06 pakfire: DOWNLOAD INFO: HTTP-Status-Code: 500 - 500 Can’t connect to pakfire.ipfire.org:80 (Bad hostname ‘pakfire.ipfire.org’)
16:16:06 pakfire: Giving up: There was no chance to get the file 2.23-x86_64/lists/server-list.db from any available server. There was an error on the way. Please fix it.
16:16:06 pakfire: MIRROR ERROR: Could not find or download a server list

Your DNS does not seem to work…

Ok, it’s a DNS problem. NTP seems to be ok, time is synced.
Any ideas to solve the DNS problem?
In the DHCP configuration I chose 1.1.1.1 (Cloudflare) as primary DNS and 8.8.8.8 as secondary DNS.

Can you ping the DNS servers?

Yes, I can ping the DNS. I also tried to ping the time servers and it works. Pakfire said: “MIRROR ERROR: Could not find or download a server list”

Do I have to open a special port for pakfire by a Firewall Rule?

It might be that you blocked the firewall’s access to port 53 (UDP and TCP) for DNS.

In that case, you need to create an extra rule to those two IP addresses and DNS should be working then.

Sorry for bumping the topic, but the problem is not solved after a new setup.

Could you give some instructions where and how to create the new Port53-Rule?

Thanks, Miro

Hi,

a while ago, I wrote a blog post on general firewall configuration recommendations for IPFire users. It also covers firewall rules for DNS traffic.

However, I think it would be easier if you could post a screenshot of the firewall rules configured on your IPFire machine here. :slight_smile:

Thanks, and best regards,
Peter Müller


At the moment there is only one rule. Here comes the screenshot:

Many thanks, Miro

Hi,

thanks for reporting back.

Off-topic question: What are you doing on port 113 of your IPFire machine?

This screenshot given, a firewall rule does not seem to cause your problem. Could you post a screenshot of your DNS configuration, too? Also, what is the output of these two commands on IPFire:

dig soa ipfire.org
grep "unbound" /var/log/messages

Thanks, and best regards,
Peter Müller

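Added example (not part of the original thread, and not IPFire's own tooling): a shell function that reads the log lines the `grep` above would surface and reports, for each host Pakfire could not resolve, whether unbound also logged a DNSSEC validation failure for that name. The function names, the `DNSSEC`/`OTHER` labels and the `mirror.example` line are constructed for illustration; the other sample lines are taken from the logs posted in this thread.

```shell
#!/bin/sh
# Added example: match unbound DNSSEC validation failures against Pakfire
# download errors. Reads syslog-style lines on stdin, one report line per host.
dns_triage() {
    awk '
    # unbound logs "validation failure <name> <type> <class>" when DNSSEC
    # validation fails; the queried name follows the word "failure".
    /unbound: .*validation failure/ {
        for (i = 1; i < NF; i++)
            if ($i == "failure") {
                name = $(i + 1)
                sub(/\.$/, "", name)      # drop the trailing root dot
                failed[name]++
                break
            }
        next
    }
    # Pakfire names the host it could not resolve after "connect to".
    /pakfire: .*Bad hostname/ {
        if (match($0, /connect to [^: ]+/))
            blocked[substr($0, RSTART + 11, RLENGTH - 11)]++
    }
    END {
        for (h in blocked) {
            label = (h in failed) ? "DNSSEC" : "OTHER"
            printf "%s %s pakfire_errors=%d validation_failures=%d\n",
                label, h, blocked[h], failed[h] + 0
        }
    }' | sort
}

# Constructed sample input: three lines from this thread plus one made-up
# host (mirror.example) that has no matching unbound entry.
sample_log() {
    cat <<'EOF'
16:16:06 unbound: [1394:1] info: validation failure pakfire.ipfire.org. A IN
16:16:06 unbound: [1394:1] info: validation failure pakfire.ipfire.org.localdomain. A IN
16:16:06 pakfire: DOWNLOAD INFO: HTTP-Status-Code: 500 - 500 Can't connect to pakfire.ipfire.org:80 (Bad hostname 'pakfire.ipfire.org')
16:20:00 pakfire: DOWNLOAD INFO: HTTP-Status-Code: 500 - 500 Can't connect to mirror.example:80 (Bad hostname 'mirror.example')
EOF
}

# On an IPFire box the input would be: dns_triage < /var/log/messages
sample_log | dns_triage
```

A `DNSSEC` line means the resolver rejected the answer during validation, so the place to look is the upstream DNS servers configured on IPFire rather than the firewall rules.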

Thanks, Peter. This is my DNS configuration:

The port 113 rule is not activated. I do nothing with it at the moment. Here comes the output:

And the dig soa output:

Why do you have 192.168.2.1 gateway as one of the DNS? Can you uncheck it?


Why do you have 192.168.2.1 gateway as one of the DNS? Can you uncheck it?

That’s right, thank you. Done.

Btw: Should I use ISP-assigned DNS servers?

Hi Miro, welcome to the community

No, you should not use your ISP's DNS servers.

You should use DNS servers that are on the recommended list: they use TLS, have DNSSEC working, and they don’t filter or data-mine results.

Here is a decent list just to start:
[Digitale Gesellschaft (CH)] 185.95.218.42 dns1.digitale-gesellschaft.ch

[Freifunk München e.V.] 5.1.66.255 anycast01.ffmuc.net

(EDIT: censurfri.dk is down at this moment, replaced it)

And here is a complete list:

Here are some references if you get the time to skim through:
https://wiki.ipfire.org/search?q=dns


Hi,

this would be my first suspicion for the root cause of your problems, too.

Did that change anything? What does the Pakfire log say if you try to fetch a new list?

You can also do the latter via the command line - in a successful case, it should look like this:

[root@maverick ~]# pakfire update
server-list.db       100.00% |=============================>|   981.00 B
packages_list.db     100.00% |=============================>|    4.30 KB
core-list.db         100.00% |=============================>|   903.00 B

Thanks, and best regards,
Peter Müller
