"unbound" DNS over TLS support

Hello,
Is @ummeegge here?

Do you have a thread on these new forums for your development on DNS over TLS (DoT) in IPFire?

I had email notifications on your old thread (https://forum.ipfire.org/viewtopic.php?f=50&t=21954) but haven’t found anything here yet.

Also in the latest version of IPFire the text on the menu for the DoT item is blank. Under the “IPFire” menu I see “Pakfire” and a blank entry. The “dns-over-tls” page still works, but the text on the menu item is missing. Do I just reinstall using the shell script?

Thanks again!
dnl

Hi dnl,

For sure :ghost: :slightly_smiling_face:

Currently no, but we started a new conversation on the dev mailinglist --> https://lists.ipfire.org/pipermail/development/2019-October/006575.html EDIT: And the second part --> https://lists.ipfire.org/pipermail/development/2019-November/006581.html to implement DoT also in the coming future incl. some other goodies.

Yes, i didn´t started this topic here. This topic is readable in the old forum for, i think, a year. If some questions arises, we do have here now a new one :wink: .

Did you´ve updated IPFire ? If yes you will need to use the script to update everything again.

Best,

Erik

Thanks for letting me/us know.

Could you please post here if there are any updates to your Unbound script, before those changes are officially introduced to IPFire?

Thanks!

Hi dnl,

Your welcome. Yes i can do this.

Best,

Erik

Hi all,
update for Core 138 is up, a little late at this time but nevertheless done now. Update can be done as usual via script --> https://forum.ipfire.org/viewtopic.php?f=50&t=21954#p120691 .

Best,

Erik

Hi all,
since Core 141 is now in testing tree and it delivers also DNS-over-TLS, i would recommend to uninstall the development version before updating. This can be done via the script from here --> https://forum.ipfire.org/viewtopic.php?f=50&t=21954 .

Thanks to all for testing and your help. Well done :slightly_smiling_face: .

Best,

Erik

Hi Erik,

Sadly I’ve found a number of problems caused by DNS since I switched to this addon.
I haven’t reported this until now as I didn’t realise that DNS was the root-cause.

Symptoms are all intermittent but include:

  • Unable to get to update.microsoft.com, preventing Windows updates from downloading on occasion.
  • Netflix does not display static pictures (all shows just have a black box and the icons for each person are missing) but video streams without problem. This happens in both a browser and the Netflix app on Android and iOS.
  • Occasionally we can’t open a major website in a browser, like www.amazon.com !

It has taken me a while to realise it was related to IPFire DNS as I use an upstream DNS server (PiHole) for blocking tracking and porn. I assumed the problem was related to it and only when investigating recently found that it was IPFire causing the issues.

I’ve been using Cloudflare’s DNS servers (over IPv4 only - 1.1.1.1 and 1.0.0.1) configured in the DNS-over-TLS screen.

For the moment I’ve done a dodgy cron job to restart unbound once a morning.

When I have a chance I’ll dig through what logs I have to see if I can find any more evidence of the problem.

Has anyone else seen problems like this?

EDIT: They may be TLS validation failures like

09:28:48 unbound: [17444:1] info: validation failure redditad.com. A IN

Thanks

PS: Just updated to your latest version - I may have been behind.

I had multiple perl errors relating to missing operators when updating the language file, and now there’s an internal server error for all IPFire pages in the WUI. I’ll remove + reinstall.

It’s totally broken - I saw briefly some comment about being unable to get one of the sources. I’ve been forced to uninstall it to keep IPFire working properly

Hi dnl,

regarding to your described symptoms, haven´t had those problems but haven´t seen such in the old topic too.
The sources are already deleted (only deinstallation is possible) since IPFire do provides DNS-over-TLS with the upcoming and meanwhile in testing tree available Core update.

Like already written -> "unbound" DNS over TLS support , please uninstall this version before updating. Installing it is not possible but makes also no sense since DoT comes with the core system.

Best,

Erik

Thanks, I understand that it is about to be released. However I’m not willing to move to the test version of IPFire, so was hoping to keep using this functionality with the previous IPFire core version. I’ll wait.

It concerns me that no-one else has seen these problems. They happen with a variety of DNS names and never appear to be consistent.

Your welcome,
may it has something to do with the PiHole, you can read through the old forum thread, there where also ~ 10 testers but there was no such problem. Have heard that ‘qname-minimization strict’ can lead to problems with some websites (like e.g. amazon) but i haven´t encountered it.
I needed to finish this development cause it can make trouble with the language files and unbound init.

Best,

Erik

Hello again,

I’m 100% certain that it not the PiHole - I said in my previous post that I isolated this problem to IPFire. I’m 95% certain the problem is with unbound but only when DoT was configured.

I reconfigured a client which was having one of the problems to only use IPFire for DNS and the problem kept happening. I then restarted the Unbound service and the problem went away.

Now that the DoT add-on (DoT Unbound configuration) has been disabled I’ve not seen any problems for 24 hours.

Some more symptoms:

  • In the edit to my first post yesterday I added a quote from the unbound logs. That example was a reddit domain. A major web property.
  • I’ve also seen a problem where a fitness device from a major vendor is able to download steps and heart-rate data, but cannot get health data (like sleep) but only while on my network. It works fine on a mobile network or another WiFi network.

Here’s how I diagnosed this:

  1. I first checked the PiHole for problems. It has an excellent web UI and can easily show recent blocked domains. For all symptoms there has been no evidence of a related domain being blocked by the PiHole
  2. I checked IPFire’s IPS log - no blocks at the time
  3. I checked IPFire’s URL Filter log - it hardly blocks anything any more and had no blocks at the time
  4. I checked firewall logs in IPFire but could find no evidence of blocks related to the client or application/website I was trying to use
  5. Finally I was using a browser when it was obvious that a major domain couldn’t be resolvable. I enabled SSH on IPFire, jumped on and the IPFire system couldn’t resolve the domain. I restarted Unbound and the domain was resolvable again.

The day before I posted my previous messages, someone had complained about another random web problem. I restarted Unbound (by disabling and then re-enabling one of the DoT servers from the web UI) and the problem went away.

I’ve just used
zcat $( ls -tr messages.*.gz ) |grep unbound > /root/unbound.log
to collect all unbound-related entires from recent history in one log (Excluding the current messages file as we’ve not seen the problem today)

So based on /root/unbound.log the validation failure (I previously quoted) has only happened for about 5 URLs (in the current history of logs I have). So that cannot explain all the intermittent problems we see. It is possible that it is not only unbound but some combination of things in IPFire.

I’ve done further digging through all logs in IPFire, excluding firewall DROP messages and aside from those validation messages I cannot find any clear log evidence of the problem. If it happens again I’ll try to get on to IPFire straight away and search logs at that point in time.

Hi dnl,
nice diagnosis but a little late since my machines works now with DoT from IPFire which simply works as it should. Also, i would really like to mark it out that this topic here is from an old testing version since the topic could also miss lead.

Sorry but i could not help in here any more since it is deprecated. Hopefully you get better results with the new DNS after the release

Best,

Erik