Validation failure

I have a simple red/green setup, Core 142. I do not have web proxy, URL filters, etc.
I get these in /var/log/messages every hour. Are these problems with Cloudflare? Thanks

|09:49:09|unbound: [1359:0]|info: validation failure <ndymeax.lan. A IN>: nameerror proof failed from 1.0.0.1|
|09:49:09|unbound: [1359:0]|info: validation failure <uhamapgo.lan. A IN>: nameerror proof failed from 1.0.0.1|
|09:49:09|unbound: [1359:0]|info: validation failure <odffzzyuyqbooyw.lan. A IN>: nameerror proof failed from 1.1.1.1|
|08:47:29|unbound: [1359:0]|info: validation failure <exsqgwvfsol.lan. A IN>: nameerror proof failed from 1.1.1.1|
|08:47:28|unbound: [1359:0]|info: validation failure <iyfultaeua.lan. A IN>: nameerror proof failed from 1.1.1.1|
|08:47:28|unbound: [1359:0]|info: validation failure <bxuumqkfi.lan. A IN>: nameerror proof failed from 1.1.1.1|
|08:32:59|unbound: [1359:0]|info: generate keytag query _ta-4a5c-4f66. NULL IN|
|07:45:07|unbound: [1359:0]|info: validation failure <wpad.lan. A IN>: nameerror proof failed from 1.1.1.1|

I use Cloudflare as well and I get:

The DNS server returned:

Name Error: The domain name does not exist.

The names don’t look trustworthy so I’m not sad about that at all.

Hi,

.lan is not a registered TLD. No idea what is going on here, but *.lan will not resolve unless someone manages to set up this TLD.

Indeed, these look questionable. Perhaps some broken network equipment chatting all over the place?

Thanks, and best regards,
Peter Müller

Dot lan is my domain name.
The internal systems are xps.lan, fx.lan, …
But there is no wpad.lan or uhamapgo.lan.
The DNS configuration is UDP/Standard.

I can also duplicate these same errors using Core 144 in a lab environment. This appears to be Unbound forwarding all internal requests to the external nameserver.

For instance, my test lab domain in IPFire is configured as ‘vbox.local’. If I ping a bogus network name ‘ping a-random-test’ I can see the following errors in Unbound:
22:35:26 unbound: [1632:0] info: validation failure <a-random-test.local.vbox. AAAA IN>: nameerror proof failed from 1.1.1.1
22:35:26 unbound: [1632:0] info: validation failure <a-random-test.local.vbox. A IN>: nameerror proof failed from 1.1.1.1

The random wpad entries are also present in my logs. This appears to be a proxy auto-discovery used by Chrome, so the wpad.domain entries are somewhat normal, but again, it appears Unbound in IPFire may be incorrectly forwarding these out of the network to the chosen DNS servers.

Is there a way to set a filter on unbound to not forward any requests that end in the local domain specified in IPFire?
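
To measure how many local-domain lookups are reaching the upstream resolvers (each one discloses an internal name to a third party), the log lines quoted in this thread can be summarised per upstream. This is an added example, not code from any poster or from IPFire; the function name `forwarded_local_queries` and its categories are assumptions, and the local domain and known hosts are the ones named in the thread.

```python
import re
from collections import defaultdict

# The first five lines are copied from the log excerpt in the thread; the last
# line is constructed to show that names outside the local domain are ignored.
SAMPLE_LOG = """\
|09:49:09|unbound: [1359:0]|info: validation failure <ndymeax.lan. A IN>: nameerror proof failed from 1.0.0.1|
|09:49:09|unbound: [1359:0]|info: validation failure <uhamapgo.lan. A IN>: nameerror proof failed from 1.0.0.1|
|09:49:09|unbound: [1359:0]|info: validation failure <odffzzyuyqbooyw.lan. A IN>: nameerror proof failed from 1.1.1.1|
|08:32:59|unbound: [1359:0]|info: generate keytag query _ta-4a5c-4f66. NULL IN|
|07:45:07|unbound: [1359:0]|info: validation failure <wpad.lan. A IN>: nameerror proof failed from 1.1.1.1|
22:35:26 unbound: [1632:0] info: validation failure <example.com. A IN>: nameerror proof failed from 1.1.1.1
"""

# Matches "validation failure <name. TYPE IN>: reason from upstream" in both
# the pipe-separated and the plain syslog layout shown in the thread.
LINE_RE = re.compile(
    r"validation failure <(?P<name>\S+)\. (?P<qtype>\S+) IN>: "
    r"(?P<reason>.+?) from (?P<upstream>[0-9A-Fa-f.:]+)"
)

def forwarded_local_queries(log_text, local_domain, known_hosts=()):
    """Group local-domain names that were answered by an upstream resolver.

    Returns {upstream_ip: {category: [names]}} where category is
    "known-host", "wpad" or "unknown".
    """
    suffix = "." + local_domain.strip(".").lower()
    known = {h.strip(".").lower() for h in known_hosts}
    report = defaultdict(lambda: defaultdict(set))
    for m in LINE_RE.finditer(log_text):
        name = m["name"].lower()
        if not name.endswith(suffix):
            continue  # not under the local domain, so not a leak of interest
        if name in known:
            kind = "known-host"
        elif name == "wpad" + suffix:
            kind = "wpad"
        else:
            kind = "unknown"
        report[m["upstream"]][kind].add(name)
    return {up: {k: sorted(v) for k, v in kinds.items()}
            for up, kinds in report.items()}

if __name__ == "__main__":
    result = forwarded_local_queries(SAMPLE_LOG, "lan", ["xps.lan", "fx.lan"])
    for upstream, kinds in sorted(result.items()):
        print(upstream, kinds)
```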