DNS queries for arduino.cc are dropped by IPS

bonnietwin · 6 November 2021 13:36

Your problem with TLS is that you just changed the protocol from UDP to TLS but TLS requires the TLS Hostname to be filled in.

With the UDP protocoll you have a different problem not related to DNS.

The Network unreachable messages are related to the ipv6 addresses which is not surprising as IPFire does not use ipv6.
The ipv4 ip addresses are coming back with Connection refused. This indicates that the connection was made to the server but that it was then rejected for some reason.

You could try

ping -c4 91.189.88.152

You should get back 4 responses with no problems, which is what I get when I run that command from the console.
EDIT: you should do the ping with security.ubuntu.com as that will also confirm DNS working or not.

Then I ran

dig security.ubuntu.com

and got the following good response.

; <<>> DiG 9.11.32 <<>> security.ubuntu.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19779
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;security.ubuntu.com.		IN	A

;; ANSWER SECTION:
security.ubuntu.com.	60	IN	A	91.189.91.39
security.ubuntu.com.	60	IN	A	91.189.91.38
security.ubuntu.com.	60	IN	A	91.189.88.152
security.ubuntu.com.	60	IN	A	91.189.88.142

;; Query time: 47 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sat Nov 06 14:31:44 CET 2021
;; MSG SIZE  rcvd: 112

This indicates that DNS access for that url is working fine.
EDIT:
You can also see that security.ubuntu.com has 4 different ip addresses. When you ping security.ubuntu.com then each time you could get a different one of these resolved.

If you get something different for the ping and dig commands then there is still a problem with communication to the ubuntu server but I don’t expect it based on your unbound log messages.

Searching for the error code connect 111 that is given I found the following link that might be worth looking at.
https://askubuntu.com/questions/678285/111-connection-refused

This link would suggest the problem is on the Ubuntu machine.

sboyce · 6 November 2021 19:30

The unbound messages are back.

messages.gz (277.2 KB)[root@ipfire ~]# ping -c4 91.189.88.152
PING 91.189.88.152 (91.189.88.152) 56(84) bytes of data.
64 bytes from 91.189.88.152: icmp_seq=1 ttl=53 time=21.2 ms
64 bytes from 91.189.88.152: icmp_seq=2 ttl=53 time=21.2 ms
64 bytes from 91.189.88.152: icmp_seq=3 ttl=53 time=15.6 ms
64 bytes from 91.189.88.152: icmp_seq=4 ttl=53 time=16.4 ms

— 91.189.88.152 ping statistics —
4 packets transmitted, 4 received, 0% packet loss, time 3005ms
rtt min/avg/max/mdev = 15.603/18.615/21.244/2.618 ms
[root@ipfire ~]# ^C
[
[root@ipfire ~]#
[root@ipfire ~]# nslookup 63.245.208.195
195.208.245.63.in-addr.arpa name = mozilla-org.public.mdc1.mozilla.com.

Authoritative answers can be found from:

[root@ipfire ~]# ping 63.245.208.195
PING 63.245.208.195 (63.245.208.195) 56(84) bytes of data.
64 bytes from 63.245.208.195: icmp_seq=1 ttl=47 time=178 ms
64 bytes from 63.245.208.195: icmp_seq=2 ttl=47 time=178 ms
64 bytes from 63.245.208.195: icmp_seq=3 ttl=47 time=176 ms
^C
— 63.245.208.195 ping statistics —
3 packets transmitted, 3 received, 0% packet loss, time 2001ms
rtt min/avg/max/mdev = 175.728/177.451/178.342/1.218 ms
[root@ipfire ~]#

rodneyp · 6 November 2021 20:27

You still have not informed us whether your workstations are configured for STATIC addressing.

Pinging an IP address does not test DNS. Try pinging mozilla-org.public.mdc1.mozilla.com

sboyce · 7 November 2021 02:03

All IP Adresses obtained via DHCP from IPFire box.
pings from Kubuntu x86_64 all OK.
root@sdrbox1:~# ping mozilla-org.public.mdc1.mozilla.com
PING mozilla-org.public.mdc1.mozilla.com (63.245.208.195) 56(84) bytes of data.
64 bytes from mozilla-org.public.mdc1.mozilla.com (63.245.208.195): icmp_seq=1 ttl=48 time=190 ms
64 bytes from mozilla-org.public.mdc1.mozilla.com (63.245.208.195): icmp_seq=2 ttl=48 time=187 ms
64 bytes from mozilla-org.public.mdc1.mozilla.com (63.245.208.195): icmp_seq=3 ttl=48 time=187 ms
64 bytes from mozilla-org.public.mdc1.mozilla.com (63.245.208.195): icmp_seq=4 ttl=48 time=185 ms
64 bytes from mozilla-org.public.mdc1.mozilla.com (63.245.208.195): icmp_seq=5 ttl=46 time=187 ms
64 bytes from mozilla-org.public.mdc1.mozilla.com (63.245.208.195): icmp_seq=6 ttl=48 time=185 ms
64 bytes from mozilla-org.public.mdc1.mozilla.com (63.245.208.195): icmp_seq=7 ttl=46 time=188 ms
^C
— mozilla-org.public.mdc1.mozilla.com ping statistics —
7 packets transmitted, 7 received, 0% packet loss, time 6015ms
rtt min/avg/max/mdev = 184.628/187.020/189.947/1.623 ms
root@sdrbox1:~#

[root@ipfire ~]# grep unbound /var/log/messages
Nov 7 00:01:40 ipfire unbound: [1772:0] error: SERVFAIL <ups.analytics.yahoo.com. A IN>: all the configured stub or forward servers failed, at zone .
Nov 7 00:08:09 ipfire unbound: [1772:0] error: SERVFAIL <pixel.advertising.com. A IN>: all the configured stub or forward servers failed, at zone .
[root@ipfire ~]# date
Sun Nov 7 02:05:26 AM GMT 2021
[root@ipfire ~]#

bonnietwin · 7 November 2021 11:05

If you only have the two SERVFAIL messages that is not a big issue.

Occasionally there will be an error getting a DNS response for a certain url from a DNS server and you will get a SERVFAIL and then unbound will try the other DNS servers in your list.

If it is a continuous list of SERVFAIL messages then you have a problem.

Also if your DNS Servers are all showing a green OK and the overall is a green Working then there is no problem from the unbound DNS service. Also if your pings or digs work from your computer on green that also indicates no problem with IPFire because all of those have to go via the IPFire unbound service.

sboyce · 7 November 2021 13:59

I see this post with the same problem.

sboyce · 7 November 2021 14:09

From Kubuntu box

root@sdrbox1:~# dig security.ubuntu.com

; <<>> DiG 9.16.15-Ubuntu <<>> security.ubuntu.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45104
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;security.ubuntu.com. IN A

;; ANSWER SECTION:
security.ubuntu.com. 18 IN A 91.189.91.39
security.ubuntu.com. 18 IN A 91.189.88.142
security.ubuntu.com. 18 IN A 91.189.91.38
security.ubuntu.com. 18 IN A 91.189.88.152

;; Query time: 0 msec
;; SERVER: 127.0.0.53#53(127.0.0.53)
;; WHEN: Sun Nov 07 14:04:55 GMT 2021
;; MSG SIZE rcvd: 112

root@sdrbox1:~#

From IPFire

[root@ipfire ~]# dig security.ubuntu.com

; <<>> DiG 9.11.32 <<>> security.ubuntu.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11970
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;security.ubuntu.com. IN A

;; ANSWER SECTION:
security.ubuntu.com. 12 IN A 91.189.88.142
security.ubuntu.com. 12 IN A 91.189.88.152
security.ubuntu.com. 12 IN A 91.189.91.38
security.ubuntu.com. 12 IN A 91.189.91.39

;; Query time: 49 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sun Nov 07 14:08:26 GMT 2021
;; MSG SIZE rcvd: 112

[root@ipfire ~]#

bonnietwin · 7 November 2021 14:12

If you go to the end of that thread you will see that the poster found that the issue was with his ISP updating the firmware of his modem.

bonnietwin · 7 November 2021 14:15

So your dig commands for the security.ubuntu.com site are showing a totally correct response and exactly the same from both your Ubuntu machine and from IPFire. It is showing no problem with accessing the website by DNS.

sboyce · 7 November 2021 15:41

Hi Rodney,
Earlier I did report that all my PC’s and SBC’s are connected to a 16-port Gigabit switch and all get their IP addresses via DHCP from the IPFire box.
root@sdrbox1:~# ping -c 4 mozilla-org.public.mdc1.mozilla.com
PING mozilla-org.public.mdc1.mozilla.com (63.245.208.195) 56(84) bytes of data.
64 bytes from mozilla-org.public.mdc1.mozilla.com (63.245.208.195): icmp_seq=1 ttl=46 time=191 ms
64 bytes from mozilla-org.public.mdc1.mozilla.com (63.245.208.195): icmp_seq=2 ttl=46 time=195 ms
64 bytes from mozilla-org.public.mdc1.mozilla.com (63.245.208.195): icmp_seq=3 ttl=48 time=195 ms
64 bytes from mozilla-org.public.mdc1.mozilla.com (63.245.208.195): icmp_seq=4 ttl=46 time=186 ms

— mozilla-org.public.mdc1.mozilla.com ping statistics —
4 packets transmitted, 4 received, 0% packet loss, time 3002ms
rtt min/avg/max/mdev = 186.442/191.603/194.744/3.396 ms
root@sdrbox1:~#

sboyce · 7 November 2021 15:50

Hi Adolph,
All looks good, except from any of the x86_64 and 9 Ubuntu based SBC’s when update attempted.
No trouble at all with Fedora 34 x84_64 or 3 openSUSE x86_64 boxes.
There is something that’s causing the problem when trying to update from the LAN while there is no problem on Wifi which bypasses the IPfire box.
I notice an identical problem being worked on by you in another post.

bonnietwin · 7 November 2021 16:05

Yes but that thread turned out to be a faulty firmware update of a modem by the posters ISP.

I am running out of ideas of what the problem could be.

sboyce · 7 November 2021 21:28

It’s definitely very puzzling.
If I can get time tomorrow I shall try the miniPC with Core-159 installed.

sboyce · 9 November 2021 01:39

I am now on the MiniPC which has Core154 installed.
Everything works! It’s some gremlin in Core 160.

root@sdrbox1:~# aptitude update
Hit Bytemark - Mirror impish InRelease
Hit Bytemark - Mirror impish-updates InRelease
Hit Bytemark - Mirror impish-security InRelease
Hit Bytemark - Mirror impish-backports InRelease
Get: 1 Index of /ubuntu impish-security InRelease [103 kB]
Get: 2 Index of /ubuntu impish-security/main i386 Packages [20.7 kB]
Get: 3 Index of /ubuntu impish-security/main amd64 Packages [81.0 kB]
Get: 4 Index of /ubuntu impish-security/main Translation-en [20.5 kB]
Get: 5 Index of /ubuntu impish-security/main amd64 DEP-11 Metadata [4,680 B]
Get: 6 Index of /ubuntu impish-security/universe i386 Packages [11.5 kB]
Get: 7 Index of /ubuntu impish-security/universe amd64 Packages [15.3 kB]
Get: 8 Index of /ubuntu impish-security/universe Translation-en [8,204 B]
Get: 9 Index of /ubuntu impish-security/multiverse i386 Packages [1,080 B]
Get: 10 Index of /ubuntu impish-security/multiverse amd64 Packages [1,088 B]
Get: 11 Index of /ubuntu impish-security/multiverse Translation-en [324 B]
Get: 12 Index of /ubuntu impish-security/restricted i386 Packages [12.9 kB]
Get: 13 Index of /ubuntu impish-security/restricted amd64 Packages [73.8 kB]
Get: 14 Index of /ubuntu impish-security/restricted Translation-en [10.4 kB]
Fetched 365 kB in 2s (185 kB/s)

Current status: 1 (+1) upgradable, 66324 (+217) new.
root@sdrbox1:~# aptitude full-upgrade
The following packages will be upgraded:
linux-libc-dev
1 packages upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Need to get 1,287 kB of archives. After unpacking 8,192 B will be used.
Do you want to continue? [Y/n/?]
Get: 1 Index of /ubuntu impish-security/main amd64 linux-libc-dev amd64 5.13.0-21.21 [1,287 kB]
Fetched 1,287 kB in 1s (1,402 kB/s)
(Reading database … 322418 files and directories currently installed.)
Preparing to unpack …/linux-libc-dev_5.13.0-21.21_amd64.deb …
Unpacking linux-libc-dev:amd64 (5.13.0-21.21) over (5.13.0-20.20) …
Setting up linux-libc-dev:amd64 (5.13.0-21.21) …

Current status: 0 (-1) upgradable.
root@sdrbox1:~#

bonnietwin · 9 November 2021 07:34

Last night I installed Ubuntu 20.04.3 as a vm on my virtualbox test bed together with a CU 160 IPFire that has been running for some time.

This morning I just ran apt -u update followed by apt -u upgrade and the update and upgrade were successfully carried out with no hiccups.

sboyce · 9 November 2021 14:00

Still absolutely fine on Core 154 on the MiniPC. I’ll probably swap back to the PC and try Core 161 Beta later in the week.
root@sdrbox1:~# aptitude update
Hit Bytemark - Mirror impish InRelease
Hit Bytemark - Mirror impish-updates InRelease
Hit Bytemark - Mirror impish-security InRelease
Hit Bytemark - Mirror impish-backports InRelease
Hit Index of /ubuntu impish-security InRelease

root@sdrbox1:~# aptitude full-upgrade
No packages will be installed, upgraded, or removed.
0 packages upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Need to get 0 B of archives. After unpacking 0 B will be used.

root@sdrbox1:~#

sboyce · 22 November 2021 12:20

FIXED:- The mirror directories were all wrong for aarch64, needed to point to ubuntu-ports.

http://mirror.bytemark.co.uk/ubuntu
Changed to:
http://gb.ports.ubuntu.com/ubuntu-ports/ubuntu-ports/

sboyce · 17 February 2022 00:35

I am now on core-163 and still experiencing problems. The problem originally seen on Core-160.
If I disable the LAN connection on any PC/SBC and connect to my cable modem via Wifi there is no problem.
PC → IPfire → Cable Modem → (PROBLEM)
PC → Cable Modem via WiFi (AOK).
root@sdrbox1:~# nslookup www.arduino.cc
Server: 127.0.0.53
Address: 127.0.0.53#53

Non-authoritative answer:
www.arduino.cc canonical name = www.arduino.cc.cdn.cloudflare.net.
Name: www.arduino.cc.cdn.cloudflare.net
Address: 104.18.28.45
Name: www.arduino.cc.cdn.cloudflare.net
Address: 104.18.29.45
Name: www.arduino.cc.cdn.cloudflare.net
Address: 2606:4700::6812:1c2d
Name: www.arduino.cc.cdn.cloudflare.net
Address: 2606:4700::6812:1d2d

root@sdrbox1:~# dig www.arduino.cc

; <<>> DiG 9.16.15-Ubuntu <<>> www.arduino.cc
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1400
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;www.arduino.cc. IN A

;; ANSWER SECTION:
www.arduino.cc. 187 IN CNAME www.arduino.cc.cdn.cloudflare.net.
www.arduino.cc.cdn.cloudflare.net. 187 IN A 104.18.28.45
www.arduino.cc.cdn.cloudflare.net. 187 IN A 104.18.29.45

;; Query time: 3 msec
;; SERVER: 127.0.0.53#53(127.0.0.53)
;; WHEN: Thu Feb 17 00:24:35 GMT 2022
;; MSG SIZE rcvd: 122

On the IpFire box (No Wifi) – nslookup www.arduino.cc or dig www.arduino.cc return – Connection timed out: no server could be reached.
This is with DNS set to UDP, TLS or TCP.

anon42188109 · 17 February 2022 00:49

I assume sdrbox1 is your ipfire installation.

;; Query time: 3 msec
;; SERVER: 127.0.0.53#53(127.0.0.53)

from my ipfire, digs shows:
;; Query time: 21 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)

cat /etc/hosts
127.0.0.1 localhost

Why do you have 127.0.0.53 instead of 127.0.0.1 ?
(systemd-resolved does this trick but ipfire has no systemd)

bonnietwin · 17 February 2022 09:51

Does this issue only happen with www.arduino.cc or with any website. Are all websites timing out when you try to access via your IPFire?

As your DNS servers are showing no problems try dig dns.google on your CU163 IPFire. I get the following.

-bash-5.1$ dig dns.google

; <<>> DiG 9.16.22 <<>> dns.google
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26269
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;dns.google.			IN	A

;; ANSWER SECTION:
dns.google.		44	IN	A	8.8.8.8
dns.google.		44	IN	A	8.8.4.4

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Feb 17 10:50:06 CET 2022
;; MSG SIZE  rcvd: 71