Also in the latest version of IPFire the text on the menu for the DoT item is blank. Under the “IPFire” menu I see “Pakfire” and a blank entry. The “dns-over-tls” page still works, but the text on the menu item is missing. Do I just reinstall using the shell script?
Netflix does not display static pictures (all shows just have a black box and the icons for each person are missing) but video streams without problem. This happens in both a browser and the Netflix app on Android and iOS.
Occasionally we can’t open a major website in a browser, like www.amazon.com !
It has taken me a while to realise it was related to IPFire DNS as I use an upstream DNS server (PiHole) for blocking tracking and porn. I assumed the problem was related to it and only when investigating recently found that it was IPFire causing the issues.
I’ve been using Cloudflare’s DNS servers (over IPv4 only - 188.8.131.52 and 184.108.40.206) configured in the DNS-over-TLS screen.
For the moment I’ve done a dodgy cron job to restart unbound once a morning.
When I have a chance I’ll dig through what logs I have to see if I can find any more evidence of the problem.
Has anyone else seen problems like this?
EDIT: They may be TLS validation failures like
09:28:48 unbound: [17444:1] info: validation failure redditad.com. A IN
Regarding your described symptoms, I haven't had those problems and haven't seen such in the old topic either.
The sources are already deleted (only uninstallation is possible) since IPFire provides DNS-over-TLS with the upcoming Core update, which is meanwhile available in the testing tree.
As already written in "unbound" DNS over TLS support, please uninstall this version before updating. Installing it is not possible, but it also makes no sense since DoT comes with the core system.
Thanks, I understand that it is about to be released. However I’m not willing to move to the test version of IPFire, so was hoping to keep using this functionality with the previous IPFire core version. I’ll wait.
It concerns me that no-one else has seen these problems. They happen with a variety of DNS names and never appear to be consistent.
Maybe it has something to do with the PiHole. You can read through the old forum thread; there were also ~10 testers, but there was no such problem. I have heard that 'qname-minimization strict' can lead to problems with some websites (e.g. amazon), but I haven't encountered it.
I needed to finish this development because it can make trouble with the language files and the unbound init.
I'm 100% certain that it is not the PiHole; I said in my previous post that I isolated this problem to IPFire. I'm 95% certain the problem is with unbound, but only when DoT was configured.
I reconfigured a client which was having one of the problems to only use IPFire for DNS and the problem kept happening. I then restarted the Unbound service and the problem went away.
Now that the DoT add-on (DoT Unbound configuration) has been disabled I’ve not seen any problems for 24 hours.
Some more symptoms:
In the edit to my first post yesterday I added a quote from the unbound logs. That example was a reddit domain. A major web property.
I've also seen a problem where a fitness device from a major vendor is able to download steps and heart-rate data but cannot get health data (like sleep), though only while on my network. It works fine on a mobile network or another WiFi network.
Here’s how I diagnosed this:
I first checked the PiHole for problems. It has an excellent web UI and can easily show recent blocked domains. For all symptoms there has been no evidence of a related domain being blocked by the PiHole.
I checked IPFire’s IPS log - no blocks at the time
I checked IPFire’s URL Filter log - it hardly blocks anything any more and had no blocks at the time
I checked firewall logs in IPFire but could find no evidence of blocks related to the client or application/website I was trying to use
Finally, I was using a browser when it was obvious that a major domain couldn't be resolved. I enabled SSH on IPFire, jumped on, and the IPFire system couldn't resolve the domain. I restarted Unbound and the domain was resolvable again.
The day before I posted my previous messages, someone had complained about another random web problem. I restarted Unbound (by disabling and then re-enabling one of the DoT servers from the web UI) and the problem went away.
I've just used zcat $( ls -tr messages.*.gz ) | grep unbound > /root/unbound.log
to collect all unbound-related entries from recent history in one log (excluding the current messages file, as we've not seen the problem today).
So based on /root/unbound.log the validation failure (I previously quoted) has only happened for about 5 URLs (in the current history of logs I have). So that cannot explain all the intermittent problems we see. It is possible that it is not only unbound but some combination of things in IPFire.
I’ve done further digging through all logs in IPFire, excluding firewall DROP messages and aside from those validation messages I cannot find any clear log evidence of the problem. If it happens again I’ll try to get on to IPFire straight away and search logs at that point in time.
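The log-collection step described in this post (concatenating the rotated messages.*.gz archives oldest-first and grepping for unbound) can be extended to count the DNSSEC "validation failure" entries per name, which is the quickest way to tell whether those failures are rare, as the post concludes, or cluster on a few domains. The following is an added example, not code from the thread or from IPFire. It assumes the syslog layout the post implies (a current messages file plus rotated messages.N.gz archives, higher N being older) and runs against constructed sample log lines written to a temporary directory, so it is safe to run anywhere; on a real IPFire box you would point it at /var/log instead.

```shell
#!/bin/sh
# Added example (not from the original thread or from IPFire).
# Assumes the syslog naming used in the post: messages, messages.1.gz,
# messages.2.gz, ... where a higher rotation number is older.
set -eu

LOGDIR="$(mktemp -d)"
trap 'rm -rf "$LOGDIR"' EXIT

# Constructed sample logs (not real captures), shaped like the unbound line
# quoted earlier in the thread plus some unrelated noise.
printf '%s\n' \
  'Feb 27 09:28:48 ipfire unbound: [17444:1] info: validation failure redditad.com. A IN' \
  'Feb 27 09:28:50 ipfire kernel: DROP_INPUT IN=red0 OUT= SRC=192.0.2.10' \
  | gzip -c > "$LOGDIR/messages.2.gz"
printf '%s\n' \
  'Feb 28 11:02:13 ipfire unbound: [17444:1] info: validation failure redditad.com. A IN' \
  'Feb 28 11:05:40 ipfire unbound: [17444:1] info: validation failure example.net. AAAA IN' \
  | gzip -c > "$LOGDIR/messages.1.gz"
printf '%s\n' \
  'Mar  1 08:15:01 ipfire unbound: [17444:0] info: start of service (unbound).' \
  > "$LOGDIR/messages"

# unbound_lines DIR: print every unbound line, oldest archive first (ordered
# by rotation number rather than mtime, so the order is deterministic even
# when the archives were written within the same second), then the current
# messages file last.
unbound_lines() {
  dir="$1"
  ls "$dir"/messages.*.gz 2>/dev/null \
    | sed 's|.*/messages\.||' \
    | sort -nr \
    | while read -r suffix; do
        zcat "$dir/messages.$suffix"
      done
  if [ -f "$dir/messages" ]; then
    cat "$dir/messages"
  fi
}

# validation_failures DIR: count "validation failure" entries per name,
# most frequent first, printed as "<count> <name>".
validation_failures() {
  unbound_lines "$1" \
    | grep 'unbound:' \
    | grep 'validation failure' \
    | awk '{ for (i = 1; i <= NF; i++) if ($i == "failure") print $(i + 1) }' \
    | sort | uniq -c | sort -rn \
    | awk '{ print $1, $2 }'
}

# Stand-alone run: build the combined unbound log the way the post does,
# then print the per-name failure summary.
unbound_lines "$LOGDIR" | grep 'unbound:' > "$LOGDIR/unbound.log"
validation_failures "$LOGDIR"
```

Against the sample data this prints `2 redditad.com.` followed by `1 example.net.`; on a real system, compare the number of distinct failing names with the number of distinct outages seen, and look at the lines immediately around each failure (and around each unbound restart) rather than only at the failure lines themselves.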
Nice diagnosis, but a little late, since my machines now work with DoT from IPFire, which simply works as it should. Also, I would really like to point out that this topic here is from an old testing version, since the topic could also mislead.
Sorry, but I cannot help here any more since it is deprecated. Hopefully you get better results with the new DNS after the release.