DNS queries for arduino.cc are dropped by IPS

On Ubuntu x86_64 and Ubuntu ARM updates fail on the LAN. To overcome the problem I have to “ifconfig enp2s0 down” and updates work over Wifi, i.e. PC/SBC Wifi → cable Modem → Internet.

  Last login: Tue Oct 26 22:12:29 2021 from 192.168.0.11
root@sdrbox1:~# aptitude update
Ign http://archive.canonical.com/ubuntu vivid InRelease             
Ign http://security.ubuntu.com/ubuntu impish-security InRelease
Ign http://mirror.bytemark.co.uk/ubuntu impish InRelease
Ign http://mirror.bytemark.co.uk/ubuntu impish-updates InRelease    
Ign http://archive.canonical.com/ubuntu vivid InRelease             
Ign http://security.ubuntu.com/ubuntu impish-security InRelease
Ign http://mirror.bytemark.co.uk/ubuntu impish-security InRelease   
Ign http://archive.canonical.com/ubuntu vivid InRelease             
Ign http://security.ubuntu.com/ubuntu impish-security InRelease
Ign http://mirror.bytemark.co.uk/ubuntu impish-backports InRelease  
Err http://archive.canonical.com/ubuntu vivid InRelease             
  Connection failed [IP: 91.189.92.191 80]
Err http://security.ubuntu.com/ubuntu impish-security InRelease
  Connection failed [IP: 91.189.91.38 80]
Ign http://mirror.bytemark.co.uk/ubuntu impish InRelease
0% [Waiting for headers]

On Wifi only

===========

wlan0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.0.14  netmask 255.255.255.0  broadcast 192.168.0.255
        inet6 fe80::c99c:9738:d109:5610  prefixlen 64  scopeid 0x20<link>
        ether 00:0d:81:ae:c0:8a  txqueuelen 1000  (Ethernet)
        RX packets 40163  bytes 13806176 (13.8 MB)
        RX errors 0  dropped 178  overruns 0  frame 0
        TX packets 16177  bytes 1642159 (1.6 MB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

root@JetsonNano:~# ifconfig eth0 down
root@JetsonNano:~# aptitude update
Get: 1 file:/var/cuda-repo-10-2-local-10.2.89  InRelease
Ign file:/var/cuda-repo-10-2-local-10.2.89  InRelease
Get: 2 file:/var/visionworks-repo  InRelease
Ign file:/var/visionworks-repo  InRelease
Get: 3 file:/var/visionworks-sfm-repo  InRelease
Ign file:/var/visionworks-sfm-repo  InRelease
Get: 4 file:/var/visionworks-tracking-repo  InRelease
Ign file:/var/visionworks-tracking-repo  InRelease
Get: 5 file:/var/cuda-repo-10-2-local-10.2.89  Release [574 B]
Get: 6 file:/var/visionworks-repo  Release [2,001 B]
Get: 7 file:/var/visionworks-sfm-repo  Release [2,005 B]                                                                                           
Get: 8 file:/var/visionworks-tracking-repo  Release [2,010 B]                                                                                      
Get: 9 file:/var/cuda-repo-10-2-local-10.2.89  Release [574 B]                                                                                     
Get: 10 file:/var/visionworks-repo  Release [2,001 B]                                                                                                                           
Get: 11 file:/var/visionworks-sfm-repo  Release [2,005 B]                                                                                                          
Get: 12 file:/var/visionworks-tracking-repo  Release [2,010 B]                                                                                                     
Get: 13 http://gb.archive.ubuntu.com/ubuntu bionic-updates InRelease [88.7 kB]                                                                                                               
Get: 14 https://repo.download.nvidia.com/jetson/common r32.5 InRelease [2,552 B]                         
Get: 15 https://repo.download.nvidia.com/jetson/t210 r32.5 InRelease [2,565 B]                                           
Get: 16 http://gb.archive.ubuntu.com/ubuntu bionic-backports InRelease [74.6 kB]                                         
Get: 17 http://ports.ubuntu.com/ubuntu-ports bionic-security InRelease [88.7 kB]     
Get: 18 http://gb.archive.ubuntu.com/ubuntu bionic InRelease [242 kB]               
Get: 19 http://gb.archive.ubuntu.com/ubuntu bionic-updates/main Translation-en [442 kB]           
Get: 20 http://gb.archive.ubuntu.com/ubuntu bionic-updates/main arm64 DEP-11 Metadata [287 kB]
Get: 21 http://gb.archive.ubuntu.com/ubuntu bionic-updates/main arm64 DEP-11 Metadata [287 kB]

@sboyce - Hello.

None of the above is related to IPFire.

Maybe this was posted on the wrong support website?!?

It appears that the cable modem is in routing mode?

If so, then its wired address needs to be set as “Gateway” in IPFire. It’s unclear why an upgrade to core 160 would break a previously working IPFire.


I notice port 443 in all the messages. Port 443 is enabled for https; adding http to it didn’t make a difference. “http://91.189.91.38:443” and “https://91.189.91.38:443” both fail.
No problems with only Wifi configured.

Err https://security.ubuntu.com/ubuntu impish-security/universe amd64 dnsutils all 1:9.16.15-1ubuntu1.1
  Cannot initiate the connection to security.ubuntu.com:443 (2001:67c:1562::15). - connect (101: Network is unreachable) Cannot initiate the connection to security.ubuntu.com:443 (2001:67c:1562::18). - connect (101: Network is unreachable)
Err https://security.ubuntu.com/ubuntu impish-security/main amd64 php8.0-gd amd64 8.0.8-1ubuntu0.1
  Cannot initiate the connection to security.ubuntu.com:443 (2001:67c:1562::15). - connect (101: Network is unreachable) Cannot initiate the connection to security.ubuntu.com:443 (2001:67c:1562::18). - connect (101: Network is unreachable)
Err https://security.ubuntu.com/ubuntu impish-security/main amd64 libapache2-mod-php8.0 amd64 8.0.8-1ubuntu0.1
  Cannot initiate the connection to security.ubuntu.com:443 (2001:67c:1562::15). - connect (101: Network is unreachable) Cannot initiate the connection to security.ubuntu.com:443 (2001:67c:1562::18). - connect (101: Network is unreachable)
Err https://security.ubuntu.com/ubuntu impish-security/main amd64 php8.0-cli amd64 8.0.8-1ubuntu0.1
  Cannot initiate the connection to security.ubuntu.com:443 (2001:67c:1562::15). - connect (101: Network is unreachable) Cannot initiate the connection to security.ubuntu.com:443 (2001:67c:1562::18). - connect (101: Network is unreachable)
Err https://security.ubuntu.com/ubuntu impish-security/main amd64 php8.0-common amd64 8.0.8-1ubuntu0.1
  Cannot initiate the connection to security.ubuntu.com:443 (2001:67c:1562::15). - connect (101: Network is unreachable) Cannot initiate the connection to security.ubuntu.com:443 (2001:67c:1562::18). - connect (101: Network is unreachable)
0% [Working]E: Failed to fetch https://security.ubuntu.com/ubuntu/pool/main/t/tzdata/tzdata_2021e-0ubuntu0.21.10_all.deb: Could not connect to security.ubuntu.com:443 (91.189.91.38). - connect (111: Connection refused) Cannot initiate the connection to security.ubuntu.com:443 (2001:67c:1562::15). - connect (101: Network is unreachable) Could not connect to security.ubuntu.com:443 (91.189.91.39). - connect (111: Connection refused) Cannot initiate the connection to security.ubuntu.com:443 (2001:67c:1562::18). - connect (101: Network is unreachable)

You opened a thread with a subject implying a problem with IPFire, and you post logs referring to an ubuntu machine.


Are you running with the Web Proxy, or Web Proxy and Update Accelerator, enabled? If yes, try disabling them first to see if that helps.

If no or it doesn’t improve things then you need to show us the logs of your ipfire machine.

Run the update on your ubuntu machine and then look at the unbound logs in the System Log menu of the WUI, or run a grep on /var/log/messages for unbound.

I sent email replies which haven’t appeared in this topic and there isn’t anywhere to attach the /var/log/messages.
Web Proxy is not enabled.
To get the problem all I have to do is “apt-get update” from any Ubuntu x86_64 or ARM SBC.

lancelot@slipstream:~/ftp/NOV21> grep unbound messages
Oct 31 00:14:45 ipfire unbound: [1772:0] error: SERVFAIL <support.mozilla.org. AAAA IN>: all the configured stub or forward servers failed, at zone .
Oct 31 00:19:56 ipfire unbound: [1772:0] error: SERVFAIL <support.mozilla.org. A IN>: all the configured stub or forward servers failed, at zone .
Oct 31 00:35:43 ipfire unbound: [1772:0] info: server stats for thread 0: 88308 queries, 33354 answers from cache, 54954 recursions, 1858 prefetch, 0 rejected by ip ratelimiting
Oct 31 00:35:43 ipfire unbound: [1772:0] info: server stats for thread 0: requestlist max 23 avg 1.57674 exceeded 0 jostled 0
Oct 31 00:35:43 ipfire unbound: [1772:0] info: average recursion processing time 2.222309 sec
Oct 31 00:35:43 ipfire unbound: [1772:0] info: histogram of recursion processing times
Oct 31 00:35:43 ipfire unbound: [1772:0] info: [25%]=0.0204344 median[50%]=0.0296541 [75%]=0.0561313
Oct 31 00:35:43 ipfire unbound: [1772:0] info: lower(secs) upper(secs) recursions
Oct 31 00:35:43 ipfire unbound: [1772:0] info: 0.000000 0.000001 3822
Oct 31 00:35:43 ipfire unbound: [1772:0] info: 0.000016 0.000032 1
Oct 31 00:35:43 ipfire unbound: [1772:0] info: 0.000032 0.000064 1
Oct 31 00:35:43 ipfire unbound: [1772:0] info: 0.000128 0.000256 1
Oct 31 00:35:43 ipfire unbound: [1772:0] info: 0.000256 0.000512 3
Oct 31 00:35:43 ipfire unbound: [1772:0] info: 0.000512 0.001024 19
Oct 31 00:35:43 ipfire unbound: [1772:0] info: 0.001024 0.002048 25
Oct 31 00:35:43 ipfire unbound: [1772:0] info: 0.002048 0.004096 84
Oct 31 00:35:43 ipfire unbound: [1772:0] info: 0.004096 0.008192 117
Oct 31 00:35:43 ipfire unbound: [1772:0] info: 0.008192 0.016384 3630
Oct 31 00:35:43 ipfire unbound: [1772:0] info: 0.016384 0.032768 24414
Oct 31 00:35:43 ipfire unbound: [1772:0] info: 0.032768 0.065536 12761
Oct 31 00:35:43 ipfire unbound: [1772:0] info: 0.065536 0.131072 7274
Oct 31 00:35:43 ipfire unbound: [1772:0] info: 0.131072 0.262144 1997
Oct 31 00:35:43 ipfire unbound: [1772:0] info: 0.262144 0.524288 390
Oct 31 00:35:43 ipfire unbound: [1772:0] info: 0.524288 1.000000 121
Oct 31 00:35:43 ipfire unbound: [1772:0] info: 1.000000 2.000000 29
Oct 31 00:35:43 ipfire unbound: [1772:0] info: 2.000000 4.000000 14
Oct 31 00:35:43 ipfire unbound: [1772:0] info: 4.000000 8.000000 7
Oct 31 00:35:43 ipfire unbound: [1772:0] info: 8.000000 16.000000 12
Oct 31 00:35:43 ipfire unbound: [1772:0] info: 16.000000 32.000000 32
Oct 31 00:35:43 ipfire unbound: [1772:0] info: 32.000000 64.000000 33
Oct 31 00:35:43 ipfire unbound: [1772:0] info: 64.000000 128.000000 43
Oct 31 00:35:43 ipfire unbound: [1772:0] info: 128.000000 256.000000 24
Oct 31 00:35:43 ipfire unbound: [1772:0] info: 256.000000 512.000000 39
Oct 31 00:35:43 ipfire unbound: [1772:0] info: 512.000000 1024.000000 4
Oct 31 00:35:43 ipfire unbound: [1772:0] info: 1024.000000 2048.000000 49
Oct 31 00:35:43 ipfire unbound: [1772:0] info: 2048.000000 4096.000000 8
Oct 31 00:40:17 ipfire unbound: [1772:0] error: SERVFAIL <c2shb.ssp.yahoo.com. A IN>: all the configured stub or forward servers failed, at zone .
Oct 31 00:43:29 ipfire unbound: [1772:0] error: SERVFAIL <support.mozilla.org. AAAA IN>: all the configured stub or forward servers failed, at zone .
Oct 31 00:43:30 ipfire unbound: [1772:0] error: SERVFAIL <support.mozilla.org. A IN>: all the configured stub or forward servers failed, at zone .
Oct 31 00:46:03 ipfire unbound: [1772:0] info: validation failure <5814efa5-d41d-4a89-b176-1cc26fae87cd.prmutv.co. A IN>: covering NSEC3 was not opt-out in an opt-out DS NOERROR/NODATA case from 8.8.8.8 for DS 5814efa5-d41d-4a89-b176-1cc26fae87cd.prmutv.co. while building chain of trust
Oct 31 00:46:15 ipfire unbound: [1772:0] error: SERVFAIL <c2shb.ssp.yahoo.com. AAAA IN>: all the configured stub or forward servers failed, at zone .
Oct 31 00:48:20 ipfire unbound: [1772:0] error: SERVFAIL <c2shb.ssp.yahoo.com. A IN>: all the configured stub or forward servers failed, at zone .
Oct 31 01:52:03 ipfire unbound: [1772:0] info: validation failure <undefined. A IN>: no NSEC3 records from 208.67.222.222 for DS undefined. while building chain of trust
Oct 31 01:22:34 ipfire unbound: [1772:0] info: validation failure <ocsp.sectigo.com. AAAA IN>: no signatures from 194.168.4.100 and cache
Oct 31 03:41:03 ipfire unbound: [1772:0] info: validation failure <undefined. A IN>: no DNSSEC records from 194.168.8.100 for DS undefined. while building chain of trust
Oct 31 03:48:03 ipfire unbound: [1772:0] info: validation failure <undefined. A IN>: no DNSSEC records from 194.168.4.100 for DS undefined. while building chain of trust
Oct 31 03:49:03 ipfire unbound: [1772:0] info: validation failure <undefined. A IN>: key for validation undefined. is marked as invalid
Oct 31 03:50:03 ipfire unbound: [1772:0] info: validation failure <undefined. A IN>: no NSEC3 records from 208.67.220.220 for DS undefined. while building chain of trust
Oct 31 03:51:03 ipfire unbound: [1772:0] info: validation failure <undefined. A IN>: key for validation undefined. is marked as invalid
Oct 31 08:19:04 ipfire unbound: [1772:0] info: validation failure <undefined. A IN>: no NSEC3 records from 208.67.220.220 for DS undefined. while building chain of trust
Oct 31 08:20:04 ipfire unbound: [1772:0] info: validation failure <undefined. A IN>: key for validation undefined. is marked as invalid
Oct 31 08:21:04 ipfire unbound: [1772:0] info: validation failure <undefined. A IN>: no NSEC3 records from 208.67.222.222 for DS undefined. while building chain of trust
Oct 31 08:27:43 ipfire unbound: [1772:0] info: validation failure <a.fsdn.com. A IN>: no signatures from 194.168.8.100 and cache
Oct 31 08:27:43 ipfire unbound: [1772:0] info: validation failure <a.fsdn.com. AAAA IN>: no signatures from 194.168.4.100 and cache
Oct 31 08:31:50 ipfire unbound: [1772:0] info: generate keytag query _ta-4a5c-4f66. NULL IN
Oct 31 09:16:04 ipfire unbound: [1772:0] info: validation failure <undefined. A IN>: no NSEC3 records from 208.67.220.220 for DS undefined. while building chain of trust
Oct 31 09:33:59 ipfire unbound: [1772:0] info: validation failure <local. SOA IN>: no NSEC3 records from 208.67.222.222 for DS local. while building chain of trust
Oct 31 11:03:30 ipfire unbound: [1772:0] info: validation failure <pop3.blueyonder.co.uk. A IN>: no DNSSEC records from 194.168.8.100 for DS as9143.net. while building chain of trust
Oct 31 11:03:30 ipfire unbound: [1772:0] info: validation failure <pop3.blueyonder.co.uk. AAAA IN>: no DNSSEC records from 194.168.8.100 for DS as9143.net. while building chain of trust
Oct 31 11:25:35 ipfire unbound: [1772:0] error: SERVFAIL <pixel.advertising.com. A IN>: all the configured stub or forward servers failed, at zone .
Oct 31 11:25:35 ipfire unbound: [1772:0] error: SERVFAIL <pixel.advertising.com. AAAA IN>: all the configured stub or forward servers failed, at zone .
Oct 31 11:25:35 ipfire unbound: [1772:0] error: SERVFAIL <ups.analytics.yahoo.com. AAAA IN>: all the configured stub or forward servers failed, at zone .
Oct 31 11:25:35 ipfire unbound: [1772:0] error: SERVFAIL <ups.analytics.yahoo.com. A IN>: all the configured stub or forward servers failed, at zone .
Oct 31 11:27:40 ipfire unbound: [1772:0] error: SERVFAIL <ups.analytics.yahoo.com. A IN>: all the configured stub or forward servers failed, at zone .
Oct 31 11:28:05 ipfire unbound: [1772:0] error: SERVFAIL <support.mozilla.org. AAAA IN>: all the configured stub or forward servers failed, at zone .
Oct 31 11:28:10 ipfire unbound: [1772:0] error: SERVFAIL <api.mantis-intelligence.com. A IN>: all the configured stub or forward servers failed, at zone .
Oct 31 11:28:24 ipfire unbound: [1772:0] error: SERVFAIL <ups.analytics.yahoo.com. A IN>: all the configured stub or forward servers failed, at zone .
Oct 31 11:28:34 ipfire unbound: [1772:0] error: SERVFAIL <api.mantis-intelligence.com. AAAA IN>: all the configured stub or forward servers failed, at zone .
Oct 31 11:29:41 ipfire unbound: [1772:0] error: SERVFAIL <support.mozilla.org. A IN>: all the configured stub or forward servers failed, at zone .

The 7th icon along above where you compose your replies is an upload icon. If you save the logs or whatever as a text file or if you have a screenshot as an image then you can use this icon to upload the required info to your reply.

Your unbound messages indicate that unbound is physically working but all the SERVFAIL messages and the messages about validation failures indicate that you have a problem with your DNS Servers.

What overall status do you have at the top left-hand side of the Network - Domain Name System menu? The status should be showing Working in green. Also, if you press the Check DNS Servers button, what status do you get for each of the DNS servers you have set up?

If the status of an individual server is not a green OK but a red Error, then if you hold your mouse pointer over the status sign a small box should come up giving a short message about the cause of the error.

If possible, can you show a screenshot of your Domain Name System page?

Here is a screenshot of my page:-


Here it is.

Still the same problem when ISP Assigned DNS’s disabled.

Okay, with the ISP DNS disabled, what do you now get in the unbound log when you try the update on your LAN PC?

As a check, when you have problems doing the update are you able to browse the Internet successfully?

I added 1.1.1.1 (Cloudflare), checked as OK.
This is crazy as I am also seeing unbound errors from openSUSE boxes except updates and everything else are working. This is with TLS set instead of UDP.

Nov 6 11:30:31 ipfire unbound: [1772:0] error: SERVFAIL <linux.teamviewer.com. AAAA IN>: all the configured stub or forward servers failed, at zone .
Nov 6 11:30:32 ipfire unbound: [1772:0] error: SERVFAIL <repo.vivaldi.com. A IN>: all the configured stub or forward servers failed, at zone .
Nov 6 11:30:32 ipfire unbound: [1772:0] error: SERVFAIL <repo.vivaldi.com. AAAA IN>: all the configured stub or forward servers failed, at zone .
Nov 6 11:30:32 ipfire unbound: [1772:0] error: SERVFAIL <www.youtube.com. A IN>: all the configured stub or forward servers failed, at zone .
Nov 6 11:30:34 ipfire unbound: [1772:0] error: SERVFAIL <r3.o.lencr.org. A IN>: all the configured stub or forward servers failed, at zone .
Nov 6 11:30:34 ipfire unbound: [1772:0] error: SERVFAIL <fedoraproject.org. AAAA IN>: all the configured stub or forward servers failed, at zone .
Nov 6 11:30:35 ipfire unbound: [1772:0] error: SERVFAIL <static.asm.skype.com. A IN>: all the configured stub or forward servers failed, at zone .
Nov 6 11:30:39 ipfire unbound: [1772:0] error: SERVFAIL <x.bidswitch.net. A IN>: all the configured stub or forward servers failed, at zone .
Nov 6 11:30:40 ipfire unbound: [1772:0] error: SERVFAIL <profile.accounts.firefox.com. A IN>: all the configured stub or forward servers failed, at zone .
Nov 6 11:30:40 ipfire unbound: [1772:0] error: SERVFAIL <profile.accounts.firefox.com. AAAA IN>: all the configured stub or forward servers failed, at zone .
Nov 6 11:30:40 ipfire unbound: [1772:0] error: SERVFAIL <sync-1-us-west1-g.sync.services.mozilla.com. A IN>: all the configured stub or forward servers failed, at zone .
Nov 6 11:30:40 ipfire unbound: [1772:0] error: SERVFAIL <sync-1-us-west1-g.sync.services.mozilla.com. AAAA IN>: all the configured stub or forward servers failed, at zone .
Nov 6 11:30:41 ipfire unbound: [1772:0] error: SERVFAIL <static.asm.skype.com. A IN>: all the configured stub or forward servers failed, at zone .
Nov 6 11:30:41 ipfire unbound: [1772:0] error: SERVFAIL <download.opensuse.org. A IN>: all the configured stub or forward servers failed, at zone .
Nov 6 11:30:42 ipfire unbound: [1772:0] error: SERVFAIL <packages.microsoft.com. A IN>: all the configured stub or forward servers failed, at zone .
Nov 6 11:30:48 ipfire unbound: [1772:0] error: SERVFAIL <community.ipfire.org. A IN>: all the configured stub or forward servers failed, at zone .
Nov 6 11:30:48 ipfire unbound: [1772:0] error: SERVFAIL <community.ipfire.org. AAAA IN>: all the configured stub or forward servers failed, at zone .
Nov 6 11:30:49 ipfire unbound: [1772:0] error: SERVFAIL <mirrorcache.opensuse.org. A IN>: all the configured stub or forward servers failed, at zone .
Nov 6 11:30:54 ipfire unbound: [1772:0] error: SERVFAIL <bidder.criteo.com. A IN>: all the configured stub or forward servers failed, at zone .
Nov 6 11:30:59 ipfire unbound: [1772:0] error: SERVFAIL <www.googleapis.com. A IN>: all the configured stub or forward servers failed, at zone .
Nov 6 11:31:01 ipfire unbound: [1772:0] error: SERVFAIL <static.asm.skype.com. A IN>: all the configured stub or forward servers failed, at zone .
Nov 6 11:31:02 ipfire unbound: [1772:0] error: SERVFAIL <packages.microsoft.com. A IN>: all the configured stub or forward servers failed, at zone .
Nov 6 11:31:02 ipfire unbound: [1772:0] error: SERVFAIL <mirrorcache-eu.opensuse.org. A IN>: all the configured stub or forward servers failed, at zone .
Nov 6 11:31:04 ipfire unbound: [1772:0] error: SERVFAIL <pagead2.googlesyndication.com. A IN>: all the configured stub or forward servers failed, at zone .
Nov 6 11:31:07 ipfire unbound: [1772:0] error: SERVFAIL <mirrorcache-eu.opensuse.org. AAAA IN>: all the configured stub or forward servers failed, at zone .
Nov 6 11:31:08 ipfire unbound: [1772:0] error: SERVFAIL <downloadcontent.opensuse.org. A IN>: all the configured stub or forward servers failed, at zone .
Nov 6 11:31:08 ipfire unbound: [1772:0] error: SERVFAIL <downloadcontent.opensuse.org. AAAA IN>: all the configured stub or forward servers failed, at zone .
Nov 6 11:31:09 ipfire unbound: [1772:0] error: SERVFAIL <fw.adsafeprotected.com. A IN>: all the configured stub or forward servers failed, at zone .
Nov 6 11:31:13 ipfire unbound: [1772:0] error: SERVFAIL <www.youtube.com. AAAA IN>: all the configured stub or forward servers failed, at zone .
Nov 6 11:31:13 ipfire unbound: [1772:0] error: ssl handshake failed crypto error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
Nov 6 11:31:13 ipfire unbound: [1772:0] notice: ssl handshake failed 1.1.1.1 port 853
Nov 6 11:31:13 ipfire unbound: [1772:0] error: ssl handshake failed crypto error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
Nov 6 11:31:13 ipfire unbound: [1772:0] notice: ssl handshake failed 1.1.1.1 port 853
Nov 6 11:31:13 ipfire unbound: [1772:0] error: SERVFAIL <www.youtube.com. A IN>: all the configured stub or forward servers failed, at zone .
Nov 6 11:31:14 ipfire unbound: [1772:0] error: SERVFAIL <community.ipfire.org. A IN>: all the configured stub or forward servers failed, at zone .
Nov 6 11:31:14 ipfire unbound: [1772:0] error: SERVFAIL <community.ipfire.org. AAAA IN>: all the configured stub or forward servers failed, at zone .
Nov 6 11:31:14 ipfire unbound: [1772:0] error: SERVFAIL <cdn-0.tutorial45.com. A IN>: all the configured stub or forward servers failed, at zone .
Nov 6 11:31:16 ipfire unbound: [1772:0] error: SERVFAIL <static.asm.skype.com. A IN>: all the configured stub or forward servers failed, at zone .
Nov 6 11:31:18 ipfire unbound: [1772:0] error: SERVFAIL <api.crowdsec.net. AAAA IN>: all the configured stub or forward servers failed, at zone .
Nov 6 11:31:18 ipfire unbound: [1772:0] error: SERVFAIL <api.crowdsec.net. A IN>: all the configured stub or forward servers failed, at zone .
Nov 6 11:31:19 ipfire unbound: [1772:0] error: SERVFAIL <googleads4.g.doubleclick.net. A IN>: all the configured stub or forward servers failed, at zone .
Nov 6 11:31:22 ipfire unbound: [1772:0] error: SERVFAIL <brave-browser-rpm-release.s3.brave.com. A IN>: all the configured stub or forward servers failed, at zone .
Nov 6 11:31:23 ipfire unbound: [1772:0] error: SERVFAIL <community.ipfire.org. A IN>: all the configured stub or forward servers failed, at zone .
Nov 6 11:31:23 ipfire unbound: [1772:0] error: SERVFAIL <community.ipfire.org. AAAA IN>: all the configured stub or forward servers failed, at zone .
Nov 6 11:31:25 ipfire unbound: [1772:0] error: SERVFAIL <ade.googlesyndication.com. A IN>: all the configured stub or forward servers failed, at zone .
[root@ipfire ~]#

Back with UDP, testing apt update on Ubuntu x86_64. No unbound messages with Ubuntu x86_64 and ARM problems since 11:34 until last apt-get update at 11:50.
messages.gz (270.0 KB)

Err:5 Bytemark - Mirror impish-backports InRelease
Cannot initiate the connection to mirror.bytemark.co.uk:80 (2001:41c8:20:5e6::150). - connect (101: Network is unreachable) Cannot initiate the connection to mirror.bytemark.co.uk:80 (2001:41c8:20:5fc::12). - connect (101: Network is unreachable)
Reading package lists… Done
Building dependency tree… Done
Reading state information… Done
All packages are up-to-date.
W: Failed to fetch http://mirror.bytemark.co.uk/ubuntu/dists/impish/InRelease Could not connect to mirror.bytemark.co.uk:80 (80.68.83.150). - connect (111: Connection refused) Cannot initiate the connection to mirror.bytemark.co.uk:80 (2001:41c8:20:5e6::150). - connect (101: Network is unreachable) Could not connect to mirror.bytemark.co.uk:80 (212.110.163.12). - connect (111: Connection refused) Cannot initiate the connection to mirror.bytemark.co.uk:80 (2001:41c8:20:5fc::12). - connect (101: Network is unreachable)
W: Failed to fetch http://mirror.bytemark.co.uk/ubuntu/dists/impish-updates/InRelease Cannot initiate the connection to mirror.bytemark.co.uk:80 (2001:41c8:20:5e6::150). - connect (101: Network is unreachable) Cannot initiate the connection to mirror.bytemark.co.uk:80 (2001:41c8:20:5fc::12). - connect (101: Network is unreachable)
W: Failed to fetch http://mirror.bytemark.co.uk/ubuntu/dists/impish-security/InRelease Cannot initiate the connection to mirror.bytemark.co.uk:80 (2001:41c8:20:5e6::150). - connect (101: Network is unreachable) Cannot initiate the connection to mirror.bytemark.co.uk:80 (2001:41c8:20:5fc::12). - connect (101: Network is unreachable)
W: Failed to fetch http://mirror.bytemark.co.uk/ubuntu/dists/impish-backports/InRelease Cannot initiate the connection to mirror.bytemark.co.uk:80 (2001:41c8:20:5e6::150). - connect (101: Network is unreachable) Cannot initiate the connection to mirror.bytemark.co.uk:80 (2001:41c8:20:5fc::12). - connect (101: Network is unreachable)
W: Failed to fetch http://security.ubuntu.com/ubuntu/dists/impish-security/InRelease Could not connect to security.ubuntu.com:80 (91.189.91.38). - connect (111: Connection refused) Cannot initiate the connection to security.ubuntu.com:80 (2001:67c:1360:8001::24). - connect (101: Network is unreachable) Could not connect to security.ubuntu.com:80 (91.189.88.152). - connect (111: Connection refused) Cannot initiate the connection to security.ubuntu.com:80 (2001:67c:1562::15). - connect (101: Network is unreachable) Could not connect to security.ubuntu.com:80 (91.189.91.39). - connect (111: Connection refused) Cannot initiate the connection to security.ubuntu.com:80 (2001:67c:1360:8001::23). - connect (101: Network is unreachable) Could not connect to security.ubuntu.com:80 (91.189.88.142). - connect (111: Connection refused) Cannot initiate the connection to security.ubuntu.com:80 (2001:67c:1562::18). - connect (101: Network is unreachable)
W: Some index files failed to download. They have been ignored, or old ones used instead.

Your problem with TLS is that you just changed the protocol from UDP to TLS but TLS requires the TLS Hostname to be filled in.

With the UDP protocol you have a different problem, not related to DNS.

The Network unreachable messages are related to the IPv6 addresses, which is not surprising as IPFire does not use IPv6.
The IPv4 addresses are coming back with Connection refused. This indicates that the connection was made to the server but that it was then rejected for some reason.

You could try

ping -c4 91.189.88.152

You should get back 4 responses with no problems, which is what I get when I run that command from the console.
EDIT: you should do the ping with security.ubuntu.com as that will also confirm DNS working or not.

Then I ran

dig security.ubuntu.com

and got the following good response.

; <<>> DiG 9.11.32 <<>> security.ubuntu.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19779
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;security.ubuntu.com.		IN	A

;; ANSWER SECTION:
security.ubuntu.com.	60	IN	A	91.189.91.39
security.ubuntu.com.	60	IN	A	91.189.91.38
security.ubuntu.com.	60	IN	A	91.189.88.152
security.ubuntu.com.	60	IN	A	91.189.88.142

;; Query time: 47 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sat Nov 06 14:31:44 CET 2021
;; MSG SIZE  rcvd: 112

This indicates that DNS access for that url is working fine.
EDIT:
You can also see that security.ubuntu.com has 4 different ip addresses. When you ping security.ubuntu.com then each time you could get a different one of these resolved.

If you get something different for the ping and dig commands then there is still a problem with communication to the ubuntu server but I don’t expect it based on your unbound log messages.

Searching for the error code connect 111 that is given I found the following link that might be worth looking at.
https://askubuntu.com/questions/678285/111-connection-refused

This link would suggest the problem is on the Ubuntu machine.
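The reply above reads the apt output by separating the IPv6 “Network is unreachable” attempts (a missing IPv6 route, expected behind an IPv4-only firewall) from the IPv4 “Connection refused” attempts (the TCP connection was actively rejected). The following is an added example, not code from the thread or from IPFire, that does the same split mechanically: it pulls every connection attempt out of apt’s run-together `W:` lines and tabulates them by address family and errno. The sample input is the `security.ubuntu.com` and `mirror.bytemark.co.uk` lines quoted earlier in the thread, re-joined onto single lines; the `Attempt` type and the wording of `interpret()` are this example’s own.

```python
"""Split apt 'Failed to fetch' output into per-address connection attempts.

Added example for this thread (not apt's or IPFire's code). apt prints every
attempt for one URL on a single W: line, which hides that the IPv6 and IPv4
failures have different causes; this tabulates them per family and errno.
"""
import ipaddress
import re
from collections import Counter
from dataclasses import dataclass

# Sample input: the W: lines quoted in this thread, re-joined onto single lines.
SAMPLE_APT = (
    "W: Failed to fetch http://security.ubuntu.com/ubuntu/dists/impish-security/InRelease "
    "Could not connect to security.ubuntu.com:80 (91.189.91.38). - connect (111: Connection refused) "
    "Cannot initiate the connection to security.ubuntu.com:80 (2001:67c:1360:8001::24). - connect (101: Network is unreachable) "
    "Could not connect to security.ubuntu.com:80 (91.189.88.152). - connect (111: Connection refused) "
    "Cannot initiate the connection to security.ubuntu.com:80 (2001:67c:1562::15). - connect (101: Network is unreachable) "
    "Could not connect to security.ubuntu.com:80 (91.189.91.39). - connect (111: Connection refused) "
    "Cannot initiate the connection to security.ubuntu.com:80 (2001:67c:1360:8001::23). - connect (101: Network is unreachable) "
    "Could not connect to security.ubuntu.com:80 (91.189.88.142). - connect (111: Connection refused) "
    "Cannot initiate the connection to security.ubuntu.com:80 (2001:67c:1562::18). - connect (101: Network is unreachable)\n"
    "W: Failed to fetch http://mirror.bytemark.co.uk/ubuntu/dists/impish-updates/InRelease "
    "Cannot initiate the connection to mirror.bytemark.co.uk:80 (2001:41c8:20:5e6::150). - connect (101: Network is unreachable) "
    "Cannot initiate the connection to mirror.bytemark.co.uk:80 (2001:41c8:20:5fc::12). - connect (101: Network is unreachable)\n"
)

# One connection attempt as apt prints it: "<verb> host:port (addr). - connect (errno: text)"
ATTEMPT_RE = re.compile(
    r"(?:Could not connect to|Cannot initiate the connection to) "
    r"(?P<host>[\w.-]+):(?P<port>\d+) \((?P<addr>[0-9A-Fa-f:.]+)\)\. - "
    r"connect \((?P<errno>\d+): (?P<text>[^)]+)\)"
)


@dataclass(frozen=True)
class Attempt:
    host: str
    port: int
    addr: str
    family: int  # 4 or 6
    errno: int
    text: str


def parse_apt_failures(output: str) -> list:
    """Return every connection attempt found in apt's output, in order."""
    attempts = []
    for m in ATTEMPT_RE.finditer(output):
        family = ipaddress.ip_address(m["addr"]).version
        attempts.append(Attempt(m["host"], int(m["port"]), m["addr"],
                                family, int(m["errno"]), m["text"]))
    return attempts


def tabulate(attempts) -> Counter:
    """Count attempts per (address family, errno, errno text)."""
    return Counter((a.family, a.errno, a.text) for a in attempts)


def interpret(attempts) -> list:
    """Turn the table into the two observations the thread's reply makes."""
    table = tabulate(attempts)
    v6_unreach = sum(n for (fam, err, _), n in table.items() if fam == 6 and err == 101)
    v4_refused = sum(n for (fam, err, _), n in table.items() if fam == 4 and err == 111)
    notes = []
    if v6_unreach:
        notes.append(f"{v6_unreach} IPv6 attempt(s) failed with ENETUNREACH (101): no IPv6 "
                     "route from the client; expected behind an IPv4-only firewall and not the cause.")
    if v4_refused:
        notes.append(f"{v4_refused} IPv4 attempt(s) got ECONNREFUSED (111): the TCP connection was "
                     "actively rejected, so the path and DNS are fine; the refusal comes from the "
                     "server or something between the client and it (proxy, filter).")
    return notes


if __name__ == "__main__":
    found = parse_apt_failures(SAMPLE_APT)
    for key, n in sorted(tabulate(found).items()):
        print(f"IPv{key[0]} errno {key[1]} ({key[2]}): {n}")
    for line in interpret(found):
        print(line)
```

Because every IPv4 attempt fails the same way for two unrelated mirrors, the table points away from the mirrors themselves and towards the client’s path, which is the direction the reply takes with the askubuntu link.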


The unbound messages are back.

messages.gz (277.2 KB)

[root@ipfire ~]# ping -c4 91.189.88.152
PING 91.189.88.152 (91.189.88.152) 56(84) bytes of data.
64 bytes from 91.189.88.152: icmp_seq=1 ttl=53 time=21.2 ms
64 bytes from 91.189.88.152: icmp_seq=2 ttl=53 time=21.2 ms
64 bytes from 91.189.88.152: icmp_seq=3 ttl=53 time=15.6 ms
64 bytes from 91.189.88.152: icmp_seq=4 ttl=53 time=16.4 ms

--- 91.189.88.152 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3005ms
rtt min/avg/max/mdev = 15.603/18.615/21.244/2.618 ms
[root@ipfire ~]# ^C
[
[root@ipfire ~]#
[root@ipfire ~]# nslookup 63.245.208.195
195.208.245.63.in-addr.arpa name = mozilla-org.public.mdc1.mozilla.com.

Authoritative answers can be found from:

[root@ipfire ~]# ping 63.245.208.195
PING 63.245.208.195 (63.245.208.195) 56(84) bytes of data.
64 bytes from 63.245.208.195: icmp_seq=1 ttl=47 time=178 ms
64 bytes from 63.245.208.195: icmp_seq=2 ttl=47 time=178 ms
64 bytes from 63.245.208.195: icmp_seq=3 ttl=47 time=176 ms
^C
--- 63.245.208.195 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2001ms
rtt min/avg/max/mdev = 175.728/177.451/178.342/1.218 ms
[root@ipfire ~]#

You still have not informed us whether your workstations are configured for STATIC addressing.

Pinging an IP address does not test DNS. Try pinging mozilla-org.public.mdc1.mozilla.com


All IP addresses obtained via DHCP from IPFire box.
Pings from Kubuntu x86_64 all OK.
root@sdrbox1:~# ping mozilla-org.public.mdc1.mozilla.com
PING mozilla-org.public.mdc1.mozilla.com (63.245.208.195) 56(84) bytes of data.
64 bytes from mozilla-org.public.mdc1.mozilla.com (63.245.208.195): icmp_seq=1 ttl=48 time=190 ms
64 bytes from mozilla-org.public.mdc1.mozilla.com (63.245.208.195): icmp_seq=2 ttl=48 time=187 ms
64 bytes from mozilla-org.public.mdc1.mozilla.com (63.245.208.195): icmp_seq=3 ttl=48 time=187 ms
64 bytes from mozilla-org.public.mdc1.mozilla.com (63.245.208.195): icmp_seq=4 ttl=48 time=185 ms
64 bytes from mozilla-org.public.mdc1.mozilla.com (63.245.208.195): icmp_seq=5 ttl=46 time=187 ms
64 bytes from mozilla-org.public.mdc1.mozilla.com (63.245.208.195): icmp_seq=6 ttl=48 time=185 ms
64 bytes from mozilla-org.public.mdc1.mozilla.com (63.245.208.195): icmp_seq=7 ttl=46 time=188 ms
^C
--- mozilla-org.public.mdc1.mozilla.com ping statistics ---
7 packets transmitted, 7 received, 0% packet loss, time 6015ms
rtt min/avg/max/mdev = 184.628/187.020/189.947/1.623 ms
root@sdrbox1:~#

[root@ipfire ~]# grep unbound /var/log/messages
Nov 7 00:01:40 ipfire unbound: [1772:0] error: SERVFAIL <ups.analytics.yahoo.com. A IN>: all the configured stub or forward servers failed, at zone .
Nov 7 00:08:09 ipfire unbound: [1772:0] error: SERVFAIL <pixel.advertising.com. A IN>: all the configured stub or forward servers failed, at zone .
[root@ipfire ~]# date
Sun Nov 7 02:05:26 AM GMT 2021
[root@ipfire ~]#

If you only have the two SERVFAIL messages that is not a big issue.

Occasionally there will be an error getting a DNS response for a certain url from a DNS server and you will get a SERVFAIL and then unbound will try the other DNS servers in your list.

If it is a continuous list of SERVFAIL messages then you have a problem.

Also if your DNS Servers are all showing a green OK and the overall is a green Working then there is no problem from the unbound DNS service. Also if your pings or digs work from your computer on green that also indicates no problem with IPFire because all of those have to go via the IPFire unbound service.
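Two of the replies above turn on reading the unbound log correctly: the TLS post explains that the `ssl handshake failed … certificate verify failed` lines appeared because the forwarder was switched to TLS without a TLS hostname, and this post distinguishes an occasional SERVFAIL (unbound moves on to the next server) from a continuous run of them. The following is an added example, not code from the thread or from IPFire, that applies both readings to `/var/log/messages`: it classifies each unbound line as a SERVFAIL, a DNSSEC validation failure or a TLS handshake failure, records which upstream IP each message names, and reports the largest number of SERVFAILs seen in any 60-second window. The sample lines are constructed from the formats quoted in the thread (syslog lines carry no year, so 2021 is assumed), and the 60-second window and the threshold of 10 are this example’s own choices.

```python
"""Triage unbound messages from an IPFire /var/log/messages.

Added example for this thread (not unbound's or IPFire's code). It classifies
the unbound lines quoted in the thread and separates an occasional SERVFAIL
from a sustained run of them, which the reply above treats differently.
"""
import re
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Constructed sample, modelled on the lines quoted in this thread.
SAMPLE_LOG = """\
Oct 31 00:14:45 ipfire unbound: [1772:0] error: SERVFAIL <support.mozilla.org. AAAA IN>: all the configured stub or forward servers failed, at zone .
Oct 31 00:19:56 ipfire unbound: [1772:0] error: SERVFAIL <support.mozilla.org. A IN>: all the configured stub or forward servers failed, at zone .
Oct 31 00:35:43 ipfire unbound: [1772:0] info: server stats for thread 0: 88308 queries, 33354 answers from cache, 54954 recursions, 1858 prefetch, 0 rejected by ip ratelimiting
Oct 31 08:27:43 ipfire unbound: [1772:0] info: validation failure <a.fsdn.com. A IN>: no signatures from 194.168.8.100 and cache
Oct 31 11:03:30 ipfire unbound: [1772:0] info: validation failure <pop3.blueyonder.co.uk. A IN>: no DNSSEC records from 194.168.8.100 for DS as9143.net. while building chain of trust
Nov  6 11:31:13 ipfire unbound: [1772:0] error: ssl handshake failed crypto error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
Nov  6 11:31:13 ipfire unbound: [1772:0] notice: ssl handshake failed 1.1.1.1 port 853
"""
# Constructed burst: twelve SERVFAILs within twelve seconds, the "continuous list" case.
BURST = "".join(
    f"Nov  6 11:30:{31 + i:02d} ipfire unbound: [1772:0] error: SERVFAIL "
    f"<host{i}.example.net. A IN>: all the configured stub or forward servers failed, at zone .\n"
    for i in range(12)
)

LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"\S+ unbound: \[\d+:\d+\] (?P<level>\w+): (?P<msg>.*)$"
)
QUERY_RE = re.compile(r"<(?P<qname>\S+) (?P<qtype>\S+) IN>")
IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


@dataclass(frozen=True)
class Event:
    ts: datetime
    level: str
    kind: str                 # servfail | dnssec_failure | tls_failure
    qname: Optional[str]
    qtype: Optional[str]
    server: Optional[str]     # upstream IP named in the message, if any


def classify(msg: str) -> Optional[str]:
    """Map an unbound message to a triage category; None for stats and other noise."""
    if msg.startswith("SERVFAIL "):
        return "servfail"
    if msg.startswith("validation failure "):
        return "dnssec_failure"
    if msg.startswith("ssl handshake failed"):
        return "tls_failure"
    return None


def parse_unbound(text: str, year: int = 2021) -> list:
    """Parse unbound syslog lines; the year is not in syslog, so it is assumed."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        kind = classify(m["msg"])
        if kind is None:
            continue
        ts = datetime.strptime(f"{m['mon']} {m['day']} {m['time']} {year}", "%b %d %H:%M:%S %Y")
        q = QUERY_RE.search(m["msg"])
        ip = IPV4_RE.search(m["msg"])
        events.append(Event(ts, m["level"], kind,
                            q["qname"] if q else None, q["qtype"] if q else None,
                            ip.group(1) if ip else None))
    return events


def summarize(events) -> dict:
    """Counts per category and per (category, upstream server) where a server is named."""
    return {
        "kinds": Counter(e.kind for e in events),
        "upstreams": Counter((e.kind, e.server) for e in events if e.server),
    }


def max_servfails_in_window(events, window_seconds: int = 60):
    """Largest number of SERVFAILs inside any window; returns (count, window start)."""
    times = sorted(e.ts for e in events if e.kind == "servfail")
    win = timedelta(seconds=window_seconds)
    best, best_start, j = 0, None, 0
    for i, start in enumerate(times):
        j = max(j, i)
        while j < len(times) and times[j] - start <= win:
            j += 1
        if j - i > best:
            best, best_start = j - i, start
    return best, best_start


def verdict(events, window_seconds: int = 60, threshold: int = 10) -> str:
    """'none', 'occasional' (unbound retried another server) or 'sustained' (a real problem)."""
    count, _ = max_servfails_in_window(events, window_seconds)
    if count == 0:
        return "none"
    return "sustained" if count >= threshold else "occasional"


if __name__ == "__main__":
    evs = parse_unbound(SAMPLE_LOG + BURST)
    print(summarize(evs))
    print(max_servfails_in_window(evs), verdict(evs))
```

The `upstreams` counter is the quickest way to see whether one configured server is behind all the failures: in the thread the validation failures name the ISP resolvers and the handshake failures name `1.1.1.1` on port 853, which is what pointed to the TLS hostname setting rather than to the LAN clients.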

I see this post with the same problem.