Also in the latest version of IPFire the text on the menu for the DoT item is blank. Under the "IPFire" menu I see "Pakfire" and a blank entry. The "dns-over-tls" page still works, but the text on the menu item is missing. Do I just reinstall using the shell script?
Yes, I didn't start this topic here. This topic has been readable in the old forum for, I think, a year. If any questions arise, we now have a new one here.
Did you update IPFire? If yes, you will need to use the script to update everything again.
Hi all,
Since Core 141 is now in the testing tree and also delivers DNS-over-TLS, I would recommend uninstalling the development version before updating. This can be done via the script from here --> https://forum.ipfire.org/viewtopic.php?f=50&t=21954 .
Thanks to all for testing and your help. Well done.
Sadly I've found a number of problems caused by DNS since I switched to this addon.
I haven't reported this until now as I didn't realise that DNS was the root cause.
Symptoms are all intermittent but include:
Unable to get to update.microsoft.com, preventing Windows updates from downloading on occasion.
Netflix does not display static pictures (all shows just have a black box and the icons for each person are missing) but video streams without problem. This happens in both a browser and the Netflix app on Android and iOS.
Occasionally we can't open a major website in a browser, like www.amazon.com!
It has taken me a while to realise it was related to IPFire DNS as I use an upstream DNS server (PiHole) for blocking tracking and porn. I assumed the problem was related to it and only when investigating recently found that it was IPFire causing the issues.
I've been using Cloudflare's DNS servers (over IPv4 only - 1.1.1.1 and 1.0.0.1) configured in the DNS-over-TLS screen.
For the moment I've done a dodgy cron job to restart unbound once a morning.
When I have a chance I'll dig through what logs I have to see if I can find any more evidence of the problem.
Has anyone else seen problems like this?
EDIT: They may be TLS validation failures like
09:28:48 unbound: [17444:1] info: validation failure redditad.com. A IN
PS: Just updated to your latest version - I may have been behind.
I had multiple perl errors relating to missing operators when updating the language file, and now there's an internal server error for all IPFire pages in the WUI. I'll remove + reinstall.
It's totally broken - I saw briefly some comment about being unable to get one of the sources. I've been forced to uninstall it to keep IPFire working properly.
Regarding your described symptoms, I haven't had those problems and haven't seen such in the old topic either.
The sources are already deleted (only uninstallation is possible) since IPFire provides DNS-over-TLS with the upcoming Core update, which is meanwhile available in the testing tree.
As already written in "unbound" DNS over TLS support - #6 by ummeegge, please uninstall this version before updating. Installing it is not possible, but it also makes no sense since DoT comes with the core system.
Thanks, I understand that it is about to be released. However I'm not willing to move to the test version of IPFire, so was hoping to keep using this functionality with the previous IPFire core version. I'll wait.
It concerns me that no-one else has seen these problems. They happen with a variety of DNS names and never appear to be consistent.
You're welcome,
maybe it has something to do with the PiHole. You can read through the old forum thread; there were also ~10 testers, but there was no such problem. I have heard that "qname-minimization strict" can lead to problems with some websites (like e.g. Amazon), but I haven't encountered it.
I needed to finish this development because it can cause trouble with the language files and the unbound init.
I'm 100% certain that it is not the PiHole - I said in my previous post that I isolated this problem to IPFire. I'm 95% certain the problem is with unbound, but only when DoT was configured.
I reconfigured a client which was having one of the problems to only use IPFire for DNS and the problem kept happening. I then restarted the Unbound service and the problem went away.
Now that the DoT add-on (DoT Unbound configuration) has been disabled I've not seen any problems for 24 hours.
Some more symptoms:
In the edit to my first post yesterday I added a quote from the unbound logs. That example was a reddit domain. A major web property.
I've also seen a problem where a fitness device from a major vendor is able to download steps and heart-rate data, but cannot get health data (like sleep), but only while on my network. It works fine on a mobile network or another WiFi network.
Here's how I diagnosed this:
I first checked the PiHole for problems. It has an excellent web UI and can easily show recent blocked domains. For all symptoms there has been no evidence of a related domain being blocked by the PiHole.
I checked IPFireās IPS log - no blocks at the time
I checked IPFireās URL Filter log - it hardly blocks anything any more and had no blocks at the time
I checked firewall logs in IPFire but could find no evidence of blocks related to the client or application/website I was trying to use
Finally I was using a browser when it was obvious that a major domain couldn't be resolved. I enabled SSH on IPFire, jumped on, and the IPFire system couldn't resolve the domain. I restarted Unbound and the domain was resolvable again.
The day before I posted my previous messages, someone had complained about another random web problem. I restarted Unbound (by disabling and then re-enabling one of the DoT servers from the web UI) and the problem went away.
I've just used zcat $( ls -tr messages.*.gz ) | grep unbound > /root/unbound.log
to collect all unbound-related entries from recent history in one log (excluding the current messages file as we've not seen the problem today).
So based on /root/unbound.log the validation failure (I previously quoted) has only happened for about 5 URLs (in the current history of logs I have). So that cannot explain all the intermittent problems we see. It is possible that it is not only unbound but some combination of things in IPFire.
I've done further digging through all logs in IPFire, excluding firewall DROP messages, and aside from those validation messages I cannot find any clear log evidence of the problem. If it happens again I'll try to get onto IPFire straight away and search the logs at that point in time.
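The post above boils its diagnosis down to "how many distinct names did unbound fail to validate, and how often did unbound get restarted in the same window". Below is an added example (not code from the thread or from IPFire) that runs that summary over a log extract of the kind produced by the zcat | grep pipeline above. The log lines are constructed for this example; the "validation failure" and "start of service" wording is what unbound logs in the versions I know, but it changes between releases, so treat the grep/sed patterns as an assumption to check against your own messages file.

```shell
#!/bin/sh
# Added example, not code from the thread: summarise unbound
# "validation failure" entries in a log extract such as the
# /root/unbound.log built with the zcat | grep pipeline above.
# The log lines below are constructed for this example; the exact
# wording unbound logs varies between versions, so the patterns are
# an assumption and may need adjusting to your messages file.

SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
Jan 20 09:28:48 ipfire unbound: [17444:1] info: validation failure redditad.com. A IN
Jan 20 09:31:02 ipfire unbound: [17444:0] info: start of service (unbound 1.9.4).
Jan 20 09:35:10 ipfire unbound: [17444:1] info: validation failure <redditad.com. A IN>: signature crypto failed
Jan 20 10:02:15 ipfire unbound: [17444:2] info: validation failure update.microsoft.com. A IN
Jan 20 10:02:16 ipfire unbound: [17444:2] info: validation failure redditad.com. AAAA IN
Jan 20 10:05:00 ipfire kernel: DROP_INPUT IN=red0 OUT= SRC=203.0.113.7
EOF

# Print the queried name from every unbound validation-failure line,
# one per line, without the trailing root dot. Handles the bare
# "failure name. A IN" form quoted in this thread and the
# "failure <name. A IN>: reason" form used by newer unbound releases.
failed_names() {
    grep 'unbound: .*validation failure' "$1" \
      | sed -n 's/.*validation failure <\{0,1\}\([^ >]*\) .*/\1/p' \
      | sed 's/\.$//'
}

# "count name" per distinct failing name, most frequent first.
failure_summary() {
    failed_names "$1" | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# Number of distinct names that failed validation.
distinct_failed_count() {
    failed_names "$1" | sort -u | wc -l | tr -d ' '
}

# Number of unbound (re)starts in the same window, to line up with the
# manual restarts described in the thread. grep -c exits 1 on zero
# matches, so swallow that status and keep the printed 0.
restart_count() {
    grep -c 'unbound: .*start of service' "$1" || true
}

echo "distinct failing names: $(distinct_failed_count "$SAMPLE_LOG")"
echo "unbound starts:         $(restart_count "$SAMPLE_LOG")"
failure_summary "$SAMPLE_LOG"
```

To run it against the real extract, replace the heredoc with `SAMPLE_LOG=/root/unbound.log` (or pass the path to the functions directly). A handful of distinct names, as the post reports, shows that DNSSEC validation failures alone do not account for every intermittent outage; lining the failure timestamps up with the restart timestamps is the next thing to look at.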
Hi dnl,
Nice diagnosis, but a little late, since my machines now work with DoT from IPFire, which simply works as it should. Also, I would really like to point out that this topic here is from an old testing version, since the topic could also mislead.
Sorry, but I cannot help in here any more since it is deprecated. Hopefully you get better results with the new DNS after the release.