Yet another DNS reverse lookup failed

Hi there.

I have the task of upgrading the firewall server for my university computing lab. I am replacing the ancient Core 2 Quad machine running IPCop with a Core i7 7th gen machine with IPFire.

My problem is that I cannot set up the DNS servers no matter what. I'm trying to discard a port blockade from the uni sysadmin department (because dealing with them is a pain).

The connection to the outside is provided as an RJ45 port in the wall going netadmins know where, so I cannot give details about anything beyond that. I have an assigned IP as well as our own DNS server IP, so RED is configured with a static IP (no DHCP or dialup).

I have tried both the DNS our college has and pretty much every single DNS server found at the wiki, each in UDP, TLS (ensuring to put the TLS hostname in each entry) and TCP. I even tried reinstalling IPFire several times and doing that as the first ever config in order to avoid a wonky rule I may have set up badly.

Nothing.

I always get “reverse lookup failed” and an error status (but our DNS says “broken” for some reason).

Here is my config:

and the logs of unbound:

Nov 11 17:28:21 firewall unbound: [1659:0] info: service stopped (unbound 1.16.3).
Nov 11 17:28:21 firewall unbound: [1659:0] info: server stats for thread 0: 108 queries, 0 answers from cache, 108 recursions, 0 prefetch, 0 rejected by ip ratelimiting
Nov 11 17:28:21 firewall unbound: [1659:0] info: server stats for thread 0: requestlist max 18 avg 15.1111 exceeded 0 jostled 0
Nov 11 17:28:21 firewall unbound: [1659:0] notice: Restart of unbound 1.16.3.
Nov 11 17:28:21 firewall unbound: [1659:0] notice: init module 0: validator
Nov 11 17:28:21 firewall unbound: [1659:0] notice: init module 1: iterator
Nov 11 17:28:21 firewall unbound: [1659:0] info: start of service (unbound 1.16.3).
Nov 11 17:28:21 firewall unbound: [1659:0] info: generate keytag query _ta-4a5c-4f66. NULL IN
Nov 11 17:28:21 firewall unbound: [1659:0] info: failed to prime trust anchor -- DNSKEY rrset is not secure . DNSKEY IN
Nov 11 17:28:21 firewall unbound: [1659:0] info: generate keytag query _ta-4a5c-4f66. NULL IN
Nov 11 17:28:21 firewall unbound: [1659:0] info: failed to prime trust anchor -- DNSKEY rrset is not secure . DNSKEY IN
Nov 11 17:28:21 firewall unbound: [1659:0] info: failed to prime trust anchor -- DNSKEY rrset is not secure . DNSKEY IN
Nov 11 17:28:21 firewall unbound: [1659:0] info: generate keytag query _ta-4a5c-4f66. NULL IN
Nov 11 17:28:37 firewall unbound: [1659:0] error: read (in tcp s): Connection timed out for 1.1.1.1 port 53
Nov 11 17:28:37 firewall unbound: [1659:0] error: read (in tcp s): Connection timed out for 198.101.242.72 port 53
Nov 11 17:28:52 firewall unbound: [1659:0] error: read (in tcp s): Connection timed out for 1.1.1.1 port 53
Nov 11 17:28:52 firewall unbound: [1659:0] error: read (in tcp s): Connection timed out for 198.101.242.72 port 53
Nov 11 17:28:52 firewall unbound: [1659:0] info: failed to prime trust anchor -- DNSKEY rrset is not secure . DNSKEY IN
Nov 11 17:28:52 firewall unbound: [1659:0] info: generate keytag query _ta-4a5c-4f66. NULL IN
Nov 11 17:28:52 firewall unbound: [1659:0] info: failed to prime trust anchor -- DNSKEY rrset is not secure . DNSKEY IN
Nov 11 17:28:52 firewall unbound: [1659:0] info: generate keytag query _ta-4a5c-4f66. NULL IN
Nov 11 17:28:52 firewall unbound: [1659:0] info: failed to prime trust anchor -- DNSKEY rrset is not secure . DNSKEY IN
Nov 11 17:28:52 firewall unbound: [1659:0] info: generate keytag query _ta-4a5c-4f66. NULL IN
Nov 11 17:28:52 firewall unbound: [1659:0] info: failed to prime trust anchor -- DNSKEY rrset is not secure . DNSKEY IN
Nov 11 17:28:52 firewall unbound: [1659:0] info: validation failure <1.ipfire.pool.ntp.org.labT169. A IN>: key for validation . is marked as invalid
Nov 11 17:28:52 firewall unbound: [1659:0] info: validation failure <ping.ipfire.org. A IN>: key for validation . is marked as invalid
Nov 11 17:28:52 firewall unbound: [1659:0] info: validation failure <0.ipfire.pool.ntp.org. AAAA IN>: key for validation . is marked as invalid
Nov 11 17:28:52 firewall unbound: [1659:0] info: validation failure <0.ipfire.pool.ntp.org.labT169. AAAA IN>: key for validation . is marked as invalid
Nov 11 17:28:52 firewall unbound: [1659:0] info: validation failure <1.ipfire.pool.ntp.org. AAAA IN>: key for validation . is marked as invalid
Nov 11 17:28:52 firewall unbound: [1659:0] info: validation failure <1.ipfire.pool.ntp.org.labT169. AAAA IN>: key for validation . is marked as invalid
Nov 11 17:28:52 firewall unbound: [1659:0] info: validation failure <0.ipfire.pool.ntp.org.labT169. A IN>: key for validation . is marked as invalid
Nov 11 17:28:52 firewall unbound: [1659:0] info: validation failure <1.ipfire.pool.ntp.org. A IN>: key for validation . is marked as invalid
Nov 11 17:28:52 firewall unbound: [1659:0] info: validation failure <. DNSKEY IN>: no signatures from 148.206.32.29 for trust anchor . while building chain of trust
Nov 11 17:28:52 firewall unbound: [1659:0] info: validation failure <0.ipfire.pool.ntp.org. A IN>: key for validation . is marked as invalid
Nov 11 17:29:27 firewall unbound: [1659:0] info: service stopped (unbound 1.16.3).
Nov 11 17:29:27 firewall unbound: [1659:0] info: server stats for thread 0: 67 queries, 50 answers from cache, 17 recursions, 0 prefetch, 0 rejected by ip ratelimiting
Nov 11 17:29:27 firewall unbound: [1659:0] info: server stats for thread 0: requestlist max 12 avg 7.64706 exceeded 0 jostled 0
Nov 11 17:29:27 firewall unbound: [1659:0] info: average recursion processing time 15.579281 sec
Nov 11 17:29:27 firewall unbound: [1659:0] info: histogram of recursion processing times
Nov 11 17:29:27 firewall unbound: [1659:0] info: [25%]=6.5 median[50%]=16.8889 [75%]=24.4444
Nov 11 17:29:27 firewall unbound: [1659:0] info: lower(secs) upper(secs) recursions
Nov 11 17:29:27 firewall unbound: [1659:0] info:    0.524288    1.000000 1
Nov 11 17:29:27 firewall unbound: [1659:0] info:    1.000000    2.000000 2
Nov 11 17:29:27 firewall unbound: [1659:0] info:    4.000000    8.000000 2
Nov 11 17:29:27 firewall unbound: [1659:0] info:    8.000000   16.000000 3
Nov 11 17:29:27 firewall unbound: [1659:0] info:   16.000000   32.000000 9
Nov 11 17:29:27 firewall unbound: [1659:0] notice: Restart of unbound 1.16.3.
Nov 11 17:29:27 firewall unbound: [1659:0] notice: init module 0: validator
Nov 11 17:29:27 firewall unbound: [1659:0] notice: init module 1: iterator
Nov 11 17:29:27 firewall unbound: [1659:0] info: start of service (unbound 1.16.3).
Nov 11 17:29:28 firewall unbound: [1659:0] error: SERVFAIL <. DNSKEY IN>: all the configured stub or forward servers failed, at zone . from 8.8.8.8 upstream server timeout
Nov 11 17:29:28 firewall unbound: [1659:0] error: SERVFAIL <ping.ipfire.org. A IN>: all the configured stub or forward servers failed, at zone . from 1.1.1.1 upstream server timeout
Nov 11 17:29:28 firewall unbound: [1659:0] error: SERVFAIL <1.ipfire.pool.ntp.org. A IN>: all the configured stub or forward servers failed, at zone . no server to query nameserver addresses not usable have no nameserver names
Nov 11 17:29:28 firewall unbound: [1659:0] error: SERVFAIL <1.ipfire.pool.ntp.org. AAAA IN>: all the configured stub or forward servers failed, at zone . from 1.1.1.1 upstream server timeout
Nov 11 17:29:28 firewall unbound: [1659:0] error: SERVFAIL <1.ipfire.pool.ntp.org.labT169. A IN>: all the configured stub or forward servers failed, at zone . no server to query nameserver addresses not usable have no nameserver names
Nov 11 17:29:28 firewall unbound: [1659:0] error: SERVFAIL <1.ipfire.pool.ntp.org.labT169. AAAA IN>: all the configured stub or forward servers failed, at zone . no server to query nameserver addresses not usable have no nameserver names
Nov 11 17:29:44 firewall unbound: [1659:0] error: SERVFAIL <0.ipfire.pool.ntp.org. A IN>: all the configured stub or forward servers failed, at zone . no server to query nameserver addresses not usable have no nameserver names
Nov 11 17:29:44 firewall unbound: [1659:0] error: SERVFAIL <0.ipfire.pool.ntp.org. AAAA IN>: all the configured stub or forward servers failed, at zone . no server to query nameserver addresses not usable have no nameserver names
Nov 11 17:29:44 firewall unbound: [1659:0] error: SERVFAIL <0.ipfire.pool.ntp.org.labT169. A IN>: all the configured stub or forward servers failed, at zone . no server to query nameserver addresses not usable have no nameserver names
Nov 11 17:29:44 firewall unbound: [1659:0] error: SERVFAIL <0.ipfire.pool.ntp.org.labT169. AAAA IN>: all the configured stub or forward servers failed, at zone . no server to query nameserver addresses not usable have no nameserver names
Nov 11 17:29:52 firewall unbound: [1659:0] error: SERVFAIL <1.ipfire.pool.ntp.org. A IN>: all the configured stub or forward servers failed, at zone . no server to query nameserver addresses not usable have no nameserver names
Nov 11 17:29:52 firewall unbound: [1659:0] error: SERVFAIL <1.ipfire.pool.ntp.org. AAAA IN>: all the configured stub or forward servers failed, at zone . no server to query nameserver addresses not usable have no nameserver names
Nov 11 17:29:52 firewall unbound: [1659:0] error: SERVFAIL <1.ipfire.pool.ntp.org.labT169. A IN>: all the configured stub or forward servers failed, at zone . no server to query nameserver addresses not usable have no nameserver names
Nov 11 17:29:52 firewall unbound: [1659:0] error: SERVFAIL <1.ipfire.pool.ntp.org.labT169. AAAA IN>: all the configured stub or forward servers failed, at zone . no server to query nameserver addresses not usable have no nameserver names
Nov 11 17:30:00 firewall unbound: [1659:0] error: SERVFAIL <0.ipfire.pool.ntp.org. A IN>: all the configured stub or forward servers failed, at zone . no server to query nameserver addresses not usable have no nameserver names
Nov 11 17:30:00 firewall unbound: [1659:0] error: SERVFAIL <0.ipfire.pool.ntp.org. AAAA IN>: all the configured stub or forward servers failed, at zone . no server to query nameserver addresses not usable have no nameserver names
Nov 11 17:30:00 firewall unbound: [1659:0] error: SERVFAIL <0.ipfire.pool.ntp.org.labT169. A IN>: all the configured stub or forward servers failed, at zone . no server to query nameserver addresses not usable have no nameserver names
Nov 11 17:30:00 firewall unbound: [1659:0] error: SERVFAIL <0.ipfire.pool.ntp.org.labT169. AAAA IN>: all the configured stub or forward servers failed, at zone . no server to query nameserver addresses not usable have no nameserver names
Nov 11 17:30:00 firewall unbound: [1659:0] error: SERVFAIL <1.ipfire.pool.ntp.org. A IN>: all the configured stub or forward servers failed, at zone . no server to query nameserver addresses not usable have no nameserver names
Nov 11 17:30:00 firewall unbound: [1659:0] error: SERVFAIL <1.ipfire.pool.ntp.org. AAAA IN>: all the configured stub or forward servers failed, at zone . no server to query nameserver addresses not usable have no nameserver names
Nov 11 17:30:00 firewall unbound: [1659:0] error: SERVFAIL <1.ipfire.pool.ntp.org.labT169. A IN>: all the configured stub or forward servers failed, at zone . no server to query nameserver addresses not usable have no nameserver names
Nov 11 17:30:00 firewall unbound: [1659:0] error: SERVFAIL <1.ipfire.pool.ntp.org.labT169. AAAA IN>: all the configured stub or forward servers failed, at zone . no server to query nameserver addresses not usable have no nameserver names
Nov 11 17:30:16 firewall unbound: [1659:0] error: SERVFAIL <0.ipfire.pool.ntp.org. A IN>: all the configured stub or forward servers failed, at zone . no server to query nameserver addresses not usable have no nameserver names
Nov 11 17:30:16 firewall unbound: [1659:0] error: SERVFAIL <0.ipfire.pool.ntp.org. AAAA IN>: all the configured stub or forward servers failed, at zone . no server to query nameserver addresses not usable have no nameserver names
Nov 11 17:30:16 firewall unbound: [1659:0] error: SERVFAIL <0.ipfire.pool.ntp.org.labT169. A IN>: all the configured stub or forward servers failed, at zone . no server to query nameserver addresses not usable have no nameserver names
Nov 11 17:30:16 firewall unbound: [1659:0] error: SERVFAIL <0.ipfire.pool.ntp.org.labT169. AAAA IN>: all the configured stub or forward servers failed, at zone . no server to query nameserver addresses not usable have no nameserver names
Nov 11 17:30:24 firewall unbound: [1659:0] error: SERVFAIL <1.ipfire.pool.ntp.org. A IN>: all the configured stub or forward servers failed, at zone . no server to query nameserver addresses not usable have no nameserver names
Nov 11 17:30:24 firewall unbound: [1659:0] error: SERVFAIL <1.ipfire.pool.ntp.org. AAAA IN>: all the configured stub or forward servers failed, at zone . no server to query nameserver addresses not usable have no nameserver names
Nov 11 17:30:24 firewall unbound: [1659:0] error: SERVFAIL <1.ipfire.pool.ntp.org.labT169. A IN>: all the configured stub or forward servers failed, at zone . no server to query nameserver addresses not usable have no nameserver names
Nov 11 17:30:24 firewall unbound: [1659:0] error: SERVFAIL <1.ipfire.pool.ntp.org.labT169. AAAA IN>: all the configured stub or forward servers failed, at zone . no server to query nameserver addresses not usable have no nameserver names
Nov 11 17:30:41 firewall unbound: [1659:0] info: service stopped (unbound 1.16.3).
Nov 11 17:30:41 firewall unbound: [1659:0] info: server stats for thread 0: 58 queries, 29 answers from cache, 29 recursions, 0 prefetch, 0 rejected by ip ratelimiting
Nov 11 17:30:41 firewall unbound: [1659:0] info: server stats for thread 0: requestlist max 0 avg 0 exceeded 0 jostled 0
Nov 11 17:30:41 firewall unbound: [1659:0] info: average recursion processing time 0.029884 sec
Nov 11 17:30:41 firewall unbound: [1659:0] info: histogram of recursion processing times
Nov 11 17:30:41 firewall unbound: [1659:0] info: [25%]=2.68519e-07 median[50%]=5.37037e-07 [75%]=8.05556e-07
Nov 11 17:30:41 firewall unbound: [1659:0] info: lower(secs) upper(secs) recursions
Nov 11 17:30:41 firewall unbound: [1659:0] info:    0.000000    0.000001 27
Nov 11 17:30:41 firewall unbound: [1659:0] info:    0.262144    0.524288 1
Nov 11 17:30:41 firewall unbound: [1659:0] info:    0.524288    1.000000 1
Nov 11 17:30:41 firewall unbound: [1659:0] notice: Restart of unbound 1.16.3.
Nov 11 17:30:41 firewall unbound: [1659:0] notice: init module 0: validator
Nov 11 17:30:41 firewall unbound: [1659:0] notice: init module 1: iterator
Nov 11 17:30:41 firewall unbound: [1659:0] info: start of service (unbound 1.16.3).
Nov 11 17:30:41 firewall unbound: [1659:0] info: generate keytag query _ta-4a5c-4f66. NULL IN
Nov 11 17:30:41 firewall unbound: [1659:0] info: failed to prime trust anchor -- DNSKEY rrset is not secure . DNSKEY IN
Nov 11 17:30:41 firewall unbound: [1659:0] info: generate keytag query _ta-4a5c-4f66. NULL IN
Nov 11 17:30:41 firewall unbound: [1659:0] info: failed to prime trust anchor -- DNSKEY rrset is not secure . DNSKEY IN
Nov 11 17:30:41 firewall unbound: [1659:0] info: failed to prime trust anchor -- DNSKEY rrset is not secure . DNSKEY IN
Nov 11 17:30:41 firewall unbound: [1659:0] info: generate keytag query _ta-4a5c-4f66. NULL IN
Nov 11 17:51:06 firewall unbound: [1659:0] info: failed to prime trust anchor -- DNSKEY rrset is not secure . DNSKEY IN
Nov 11 17:51:06 firewall unbound: [1659:0] info: generate keytag query _ta-4a5c-4f66. NULL IN
Nov 11 17:51:06 firewall unbound: [1659:0] info: failed to prime trust anchor -- DNSKEY rrset is not secure . DNSKEY IN
Nov 11 17:51:06 firewall unbound: [1659:0] info: generate keytag query _ta-4a5c-4f66. NULL IN
Nov 11 17:51:06 firewall unbound: [1659:0] info: failed to prime trust anchor -- DNSKEY rrset is not secure . DNSKEY IN
Nov 11 17:51:06 firewall unbound: [1659:0] info: generate keytag query _ta-4a5c-4f66. NULL IN
Nov 11 17:51:06 firewall unbound: [1659:0] info: failed to prime trust anchor -- DNSKEY rrset is not secure . DNSKEY IN
Nov 11 17:51:06 firewall unbound: [1659:0] info: validation failure <1.ipfire.pool.ntp.org.labT169. A IN>: key for validation . is marked as invalid
Nov 11 17:51:06 firewall unbound: [1659:0] info: validation failure <www.google.com. A IN>: key for validation . is marked as invalid
Nov 11 17:51:06 firewall unbound: [1659:0] info: validation failure <ping.ipfire.org. A IN>: key for validation . is marked as invalid
Nov 11 17:51:06 firewall unbound: [1659:0] info: validation failure <pakfire.ipfire.org. A IN>: key for validation . is marked as invalid
Nov 11 17:51:06 firewall unbound: [1659:0] info: validation failure <pakfire.ipfire.org.labT169. A IN>: key for validation . is marked as invalid
Nov 11 17:51:06 firewall unbound: [1659:0] info: validation failure <pacifico.izt.uam.mx. A IN>: key for validation . is marked as invalid
Nov 11 17:51:06 firewall unbound: [1659:0] info: validation failure <8.8.8.8.in-addr.arpa. PTR IN>: key for validation . is marked as invalid
Nov 11 17:51:06 firewall unbound: [1659:0] info: validation failure <0.ipfire.pool.ntp.org. AAAA IN>: key for validation . is marked as invalid
Nov 11 17:51:06 firewall unbound: [1659:0] info: validation failure <0.ipfire.pool.ntp.org.labT169. AAAA IN>: key for validation . is marked as invalid
Nov 11 17:51:06 firewall unbound: [1659:0] info: validation failure <1.ipfire.pool.ntp.org. AAAA IN>: key for validation . is marked as invalid
Nov 11 17:51:06 firewall unbound: [1659:0] info: validation failure <1.ipfire.pool.ntp.org.labT169. AAAA IN>: key for validation . is marked as invalid
Nov 11 17:51:06 firewall unbound: [1659:0] info: validation failure <0.ipfire.pool.ntp.org.labT169. A IN>: key for validation . is marked as invalid
Nov 11 17:51:06 firewall unbound: [1659:0] info: validation failure <1.ipfire.pool.ntp.org. A IN>: key for validation . is marked as invalid
Nov 11 17:51:06 firewall unbound: [1659:0] info: validation failure <. DNSKEY IN>: no signatures from 148.206.32.29 for trust anchor . while building chain of trust
Nov 11 17:51:06 firewall unbound: [1659:0] info: validation failure <0.ipfire.pool.ntp.org. A IN>: key for validation . is marked as invalid
Nov 11 17:52:04 firewall unbound: [1659:0] info: validation failure <0.ipfire.pool.ntp.org. A IN>: key for validation . is marked as invalid
Nov 11 17:52:04 firewall unbound: [1659:0] info: validation failure <0.ipfire.pool.ntp.org.labT169. A IN>: key for validation . is marked as invalid
Nov 11 17:52:04 firewall unbound: [1659:0] info: validation failure <0.ipfire.pool.ntp.org.labT169. AAAA IN>: key for validation . is marked as invalid
Nov 11 17:52:04 firewall unbound: [1659:0] info: validation failure <0.ipfire.pool.ntp.org. AAAA IN>: key for validation . is marked as invalid
Nov 11 17:52:10 firewall unbound: [1659:0] info: generate keytag query _ta-4a5c-4f66. NULL IN
Nov 11 17:52:10 firewall unbound: [1659:0] info: failed to prime trust anchor -- DNSKEY rrset is not secure . DNSKEY IN
Nov 11 17:52:10 firewall unbound: [1659:0] info: generate keytag query _ta-4a5c-4f66. NULL IN
Nov 11 17:52:10 firewall unbound: [1659:0] info: failed to prime trust anchor -- DNSKEY rrset is not secure . DNSKEY IN
Nov 11 17:52:10 firewall unbound: [1659:0] info: generate keytag query _ta-4a5c-4f66. NULL IN
Nov 11 17:57:44 firewall unbound: [1659:0] info: service stopped (unbound 1.16.3).
Nov 11 17:57:44 firewall unbound: [1659:0] info: server stats for thread 0: 434 queries, 13 answers from cache, 421 recursions, 6 prefetch, 0 rejected by ip ratelimiting
Nov 11 17:57:44 firewall unbound: [1659:0] info: server stats for thread 0: requestlist max 17 avg 14.192 exceeded 0 jostled 0
Nov 11 17:57:44 firewall unbound: [1659:0] info: average recursion processing time 618.637512 sec
Nov 11 17:57:44 firewall unbound: [1659:0] info: histogram of recursion processing times
Nov 11 17:57:44 firewall unbound: [1659:0] info: [25%]=317.091 median[50%]=624.432 [75%]=910.703
Nov 11 17:57:44 firewall unbound: [1659:0] info: lower(secs) upper(secs) recursions
Nov 11 17:57:44 firewall unbound: [1659:0] info:    0.032768    0.065536 2
Nov 11 17:57:44 firewall unbound: [1659:0] info:    0.262144    0.524288 1
Nov 11 17:57:44 firewall unbound: [1659:0] info:    4.000000    8.000000 2
Nov 11 17:57:44 firewall unbound: [1659:0] info:    8.000000   16.000000 2
Nov 11 17:57:44 firewall unbound: [1659:0] info:   16.000000   32.000000 8
Nov 11 17:57:44 firewall unbound: [1659:0] info:   32.000000   64.000000 12
Nov 11 17:57:44 firewall unbound: [1659:0] info:   64.000000  128.000000 18
Nov 11 17:57:44 firewall unbound: [1659:0] info:  128.000000  256.000000 22
Nov 11 17:57:44 firewall unbound: [1659:0] info:  256.000000  512.000000 66
Nov 11 17:57:44 firewall unbound: [1659:0] info:  512.000000 1024.000000 148
Nov 11 17:57:44 firewall unbound: [1659:0] info: 1024.000000 2048.000000 50
Nov 11 17:57:44 firewall unbound: [1659:0] notice: Restart of unbound 1.16.3.
Nov 11 17:57:44 firewall unbound: [1659:0] notice: init module 0: validator
Nov 11 17:57:44 firewall unbound: [1659:0] notice: init module 1: iterator
Nov 11 17:57:44 firewall unbound: [1659:0] info: start of service (unbound 1.16.3).
Nov 11 17:57:44 firewall unbound: [1659:0] info: generate keytag query _ta-4a5c-4f66. NULL IN
Nov 11 17:57:44 firewall unbound: [1659:0] info: failed to prime trust anchor -- DNSKEY rrset is not secure . DNSKEY IN
Nov 11 17:57:44 firewall unbound: [1659:0] info: generate keytag query _ta-4a5c-4f66. NULL IN
Nov 11 17:57:44 firewall unbound: [1659:0] info: failed to prime trust anchor -- DNSKEY rrset is not secure . DNSKEY IN
Nov 11 17:57:44 firewall unbound: [1659:0] info: failed to prime trust anchor -- DNSKEY rrset is not secure . DNSKEY IN
Nov 11 17:57:44 firewall unbound: [1659:0] info: generate keytag query _ta-4a5c-4f66. NULL IN

Thanks in advance, and greetings from Mexico.
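The unbound log above mixes three different symptoms: forwarders that time out, the root trust anchor that cannot be primed, and per-name validation failures that follow from that. The script below is an added example (not IPFire code and not posted by anyone in this thread) that sorts such lines into those buckets and reports them in causal order. The sample log lines are constructed, modelled on the ones quoted above; the regexes match the message formats of unbound 1.16 as they appear there.

```python
"""Triage helper for unbound log lines (added example, not IPFire code).

Groups the recurring messages of an unbound log into three buckets:
upstream forwarders that time out, failures to prime the DNSSEC root
trust anchor, and per-name validation failures, then lists findings
starting with the one furthest up the causal chain.
"""
import re
from collections import Counter

# Message patterns as they appear in unbound 1.16 logs (syslog prefix stripped below).
TCP_TIMEOUT = re.compile(r"Connection timed out for (\S+) port (\d+)")
SERVFAIL_UPSTREAM = re.compile(r"SERVFAIL <(.+?)>: .* from (\S+) upstream server timeout")
PRIME_FAIL = re.compile(r"failed to prime trust anchor")
VALIDATION_FAIL = re.compile(r"validation failure <(.+?)>: (.*)")
NO_SIGS_FROM = re.compile(r"no signatures from (\S+) for trust anchor")

# Constructed sample, modelled on the log quoted in this thread.
SAMPLE_LOG = """\
Nov 11 17:28:37 firewall unbound: [1659:0] error: read (in tcp s): Connection timed out for 1.1.1.1 port 53
Nov 11 17:28:52 firewall unbound: [1659:0] error: read (in tcp s): Connection timed out for 1.1.1.1 port 53
Nov 11 17:28:52 firewall unbound: [1659:0] info: generate keytag query _ta-4a5c-4f66. NULL IN
Nov 11 17:28:52 firewall unbound: [1659:0] info: failed to prime trust anchor -- DNSKEY rrset is not secure . DNSKEY IN
Nov 11 17:28:52 firewall unbound: [1659:0] info: failed to prime trust anchor -- DNSKEY rrset is not secure . DNSKEY IN
Nov 11 17:28:52 firewall unbound: [1659:0] info: validation failure <ping.ipfire.org. A IN>: key for validation . is marked as invalid
Nov 11 17:28:52 firewall unbound: [1659:0] info: validation failure <. DNSKEY IN>: no signatures from 148.206.32.29 for trust anchor . while building chain of trust
Nov 11 17:29:28 firewall unbound: [1659:0] error: SERVFAIL <. DNSKEY IN>: all the configured stub or forward servers failed, at zone . from 8.8.8.8 upstream server timeout
""".splitlines()


def triage(lines):
    """Return a summary dict for an iterable of raw unbound log lines."""
    summary = {
        "upstream_timeouts": Counter(),    # upstream IP -> number of timeouts
        "trust_anchor_prime_failures": 0,  # root DNSKEY could not be validated
        "validation_failures": Counter(),  # "<name type class>" -> count
        "unsigned_dnskey_from": set(),     # forwarders returning . DNSKEY without RRSIGs
    }
    for line in lines:
        # Everything after "unbound: [pid:thread] " is the message body.
        body = line.split("] ", 1)[-1]
        m = TCP_TIMEOUT.search(body)
        if m:
            summary["upstream_timeouts"][m.group(1)] += 1
            continue
        m = SERVFAIL_UPSTREAM.search(body)
        if m:
            summary["upstream_timeouts"][m.group(2)] += 1
            continue
        if PRIME_FAIL.search(body):
            summary["trust_anchor_prime_failures"] += 1
            continue
        m = VALIDATION_FAIL.search(body)
        if m:
            summary["validation_failures"][m.group(1)] += 1
            n = NO_SIGS_FROM.search(m.group(2))
            if n:
                summary["unsigned_dnskey_from"].add(n.group(1))
    return summary


def diagnose(summary):
    """List findings, most upstream cause first."""
    findings = []
    if summary["upstream_timeouts"]:
        ips = ", ".join(sorted(summary["upstream_timeouts"]))
        findings.append(f"upstream forwarders unreachable (timeouts from {ips}): "
                        "check DNS egress on the RED link before looking at DNSSEC")
    if summary["unsigned_dnskey_from"]:
        ips = ", ".join(sorted(summary["unsigned_dnskey_from"]))
        findings.append(f"forwarder {ips} answers but returns the root DNSKEY without "
                        f"signatures, which explains the "
                        f"{summary['trust_anchor_prime_failures']} trust-anchor prime failures")
    elif summary["trust_anchor_prime_failures"]:
        findings.append("root trust anchor could not be primed; no forwarder delivered a secure DNSKEY")
    if summary["validation_failures"]:
        findings.append(f"{sum(summary['validation_failures'].values())} validation failures "
                        "follow from the missing trust anchor, not from the names themselves")
    return findings


if __name__ == "__main__":
    for finding in diagnose(triage(SAMPLE_LOG)):
        print("-", finding)
```

Run it against `/var/log/messages` filtered for `unbound:` to get the same three-line verdict for a real log; the SERVFAIL lines ending in "no server to query" are deliberately ignored, since they only repeat that no forwarder was usable.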

Hi @mastergeekmx

Welcome to the IPFire community.

If you place your mouse pointer over the red Error/Broken status lines on the right of the table and wait a few seconds you will get a pop up message telling you in brief what the problem was for that DNS server.

Looking in the log segment you have shown, your Cloudflare and Alternate DNS servers are timing out. That suggests that they are not able to be reached. Either your red connection is not working or, alternatively, wherever that RJ45 plug goes to is blocking any outside DNS servers except the college one.

Unfortunately the College Server has the

message. This usually gets shown if the DNS Server being contacted is not able to do DNSSEC Validation.

To see if your red connection is working, look at what is shown on the Gateway Graph under the menu item Status - Network (Other). If you have a green graph running with a value for the link quality, that shows that you are able to get out of red to your ISP's gateway computer.

This is what my working system looks like.

If you then try ping -c4 95.217.163.246, this will test if you can get out to archlinux.org. Using the IP address means that you don't need the DNS server.
This is what I got on my system:

ping -c4 archlinux.org
PING archlinux.org (95.217.163.246) 56(84) bytes of data.
64 bytes from archlinux.org (95.217.163.246): icmp_seq=1 ttl=55 time=35.8 ms
64 bytes from archlinux.org (95.217.163.246): icmp_seq=2 ttl=55 time=35.9 ms
64 bytes from archlinux.org (95.217.163.246): icmp_seq=3 ttl=55 time=35.7 ms
64 bytes from archlinux.org (95.217.163.246): icmp_seq=4 ttl=55 time=35.9 ms

--- archlinux.org ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3003ms
rtt min/avg/max/mdev = 35.745/35.823/35.877/0.050 ms

If both the above are working then your red connection is up and running so your DNS timeouts are more likely to be a blocking issue.

If the above are not working then you need to get your red connection working before you will get any DNS responses.

1 Like

You mention the static assigned IP and the college DNS IP. Do you also have the Gateway IP and has that been added to the red connection entries?

1 Like

Sorry for the absence. Lab is closed on weekends.

Yes, I have the IP for the default gateway and it is added to the config.

All the computers downstream in GREEN have internet because I gave them the college DNS via the included DHCP server. It is only the firewall itself that has trouble with the DNS (I cannot update or install anything with pakfire because it can't resolve the names, for example).

Have a look at my gateway graph (not much use has been on the weekend):

About hovering on the error/broken, it says:

Using UDP:
College DNS: DNSSEC not supported
Other DNS: response timeout for $IP@53(UDP); [3 times]

Using TCP:
College DNS: DNSSEC not supported
Other DNS: connection timeout for $IP@53(TCP);

Using TLS:
(only google and cloudflare have hostname)
TLS, handshake failed (error in the pull function.);

And I do have ping abilities. Just for good measure, my ping to archlinux:

$ ping -c 4 95.217.163.246
PING 95.217.163.246 (95.217.163.246) 56(84) bytes of data.
64 bytes from 95.217.163.246: icmp_seq=1 ttl=43 time=185 ms
64 bytes from 95.217.163.246: icmp_seq=2 ttl=43 time=185 ms
64 bytes from 95.217.163.246: icmp_seq=3 ttl=43 time=185 ms
64 bytes from 95.217.163.246: icmp_seq=4 ttl=43 time=185 ms

--- 95.217.163.246 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3005ms
rtt min/avg/max/mdev = 184.739/184.767/184.808/0.028 ms

Thank you for the time, @bonnietwin

No problem, I understand the situation.

That indicates that you have a connection to your provider gateway and your successful ping to an internet IP indicates that the internet connection is up and running.

This is the problem with IPFire not getting any DNS info from your College DNS. It does not support DNSSEC validation and IPFire requires that to be present, otherwise it will ignore that DNS server. So IPFire cannot use your College DNS server.

This error is flagging up on my search as either being a mismatch in the cipher used or an incorrect hostname.
If you try and run Google or Cloudflare via UDP or TCP instead of TLS, do they work or do they still have an error, and if so, what is the error?

Just as a check did you use the following TLS hostnames for these two DNS Servers.

google ---------dns.google
cloudflare ------cloudflare-dns.com

1 Like

Re-reading your post I see that you did try Google and Cloudflare with UDP/TCP and got timeout messages.

Maybe your network supply has been set up to only use the college dns server and block any other dns server access.

If that is the case then you are a bit stuck as IPFire won’t work with any DNS server that does not do DNSSEC validation. Without DNSSEC validation you would not be able to tell if your dns response was from the correct dns source or via a MITM attack.

1 Like

Yes, Google and Cloudflare have those hostnames configured.

And as seen below the image, all DNS servers give a timeout error in both TCP and UDP.

Try the following command from your IPFire command line.

dig @8.8.8.8 archlinux.org

This will get the ip address information about archlinux.org using the google dns server.

On my system that has no problems with dns service I get the following response

; <<>> DiG 9.16.33 <<>> @8.8.8.8 archlinux.org
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58961
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;archlinux.org. IN A

;; ANSWER SECTION:
archlinux.org. 1792 IN A 95.217.163.246

;; Query time: 6 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Mon Nov 14 19:13:20 CET 2022
;; MSG SIZE rcvd: 58

The key part is in the ANSWER SECTION where it has the line SERVER showing that it used the google.com DNS Server.

This test checks if you can specify a DNS server directly and access it.

Let us know what response you get back.

The command
dig archlinux.org

will use the DNS server defined via unbound on IPFire and gave me the following response.

; <<>> DiG 9.16.33 <<>> archlinux.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20410
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;archlinux.org. IN A

;; ANSWER SECTION:
archlinux.org. 1597 IN A 95.217.163.246

;; Query time: 68 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Nov 14 19:19:42 CET 2022
;; MSG SIZE rcvd: 58

Here you can see that the DNS server is defined as local host (127.0.0.1) as it goes to the unbound server on IPFire itself.

2 Likes

Nope, dig cannot access it. I even tried on a computer in GREEN and in another network at the lab, same result:

dig @8.8.8.8 archlinux.org

; <<>> DiG 9.16.33 <<>> @8.8.8.8 archlinux.org
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached

I tried with my college DNS in both machines and the firewall, and it works.

dig @$UNI_DNS archlinux.org

; <<>> DiG 9.16.33 <<>> @$UNI_DNS archlinux.org
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12837
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;archlinux.org.                 IN      A

;; ANSWER SECTION:
archlinux.org.          3357    IN      A       95.217.163.246

;; AUTHORITY SECTION:
archlinux.org.          44826   IN      NS      oxygen.ns.hetzner.com.
archlinux.org.          44826   IN      NS      hydrogen.ns.hetzner.com.
archlinux.org.          44826   IN      NS      helium.ns.hetzner.de.

;; Query time: 0 msec
;; SERVER: $UNI_DNS#53($UNI_DNS)
;; WHEN: Mon Nov 14 14:06:02 CST 2022
;; MSG SIZE  rcvd: 150

All points to a blockade, am I right?

Unfortunately yes. It looks like somewhere on your College network DNS is blocked except if it goes through your college DNS system but that system is not doing DNSSEC validation which means that IPFire cannot work with it.

See this IPFire blog article about DNSSEC.

https://blog.ipfire.org/post/dns-configuration-recommendations-for-ipfire-users

I would suggest that if your network organisation is not willing to unblock the DNS ports that they should update the College DNS system to use DNSSEC validation so that all users have confidence that any DNS responses have actually come from the intended DNS Server and not been hijacked by some Man In The Middle attack.

Without some change somewhere then your IPFire will not be able to carry out any DNS resolving.

5 Likes
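The dig runs quoted in this thread show three distinct outcomes: a server that cannot be reached at all, a server that answers but whose answer carries no DNSSEC validation, and (on a working system) a validated answer. The script below is an added example, not IPFire's own DNS-server check and not code from anyone in the thread, that parses dig output and maps it onto those three states. It assumes the query was run with `+dnssec` against a name in a signed zone, so that a validating resolver sets the `ad` flag and passes RRSIG records through; the sample outputs are constructed, modelled on the ones above, with 192.0.2.53 standing in for the college resolver and the RRSIG data replaced by a placeholder.

```python
"""Classify `dig +dnssec` output into the three states seen in this thread
(added example, not IPFire's DNS check)."""
import re

STATUS_RE = re.compile(r"status: (\w+)")
FLAGS_RE = re.compile(r"^;; flags: ([a-z ]*);", re.M)
SERVER_RE = re.compile(r"^;; SERVER: (\S+)", re.M)

# Constructed samples modelled on the dig output quoted in the thread.
TIMEOUT_OUTPUT = """\
; <<>> DiG 9.16.33 <<>> @8.8.8.8 archlinux.org +dnssec
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached
"""

# 192.0.2.53 is a placeholder for the college resolver: it answers, but with no
# RRSIG and no ad flag, which is what IPFire reports as "DNSSEC not supported".
NO_DNSSEC_OUTPUT = """\
; <<>> DiG 9.16.33 <<>> @192.0.2.53 archlinux.org +dnssec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12837
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; QUESTION SECTION:
;archlinux.org.                 IN      A

;; ANSWER SECTION:
archlinux.org.          3357    IN      A       95.217.163.246

;; SERVER: 192.0.2.53#53(192.0.2.53)
"""

# A validating resolver (here the local unbound) sets ad and returns the RRSIG.
VALIDATED_OUTPUT = """\
; <<>> DiG 9.16.33 <<>> archlinux.org +dnssec
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20410
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
archlinux.org.          1597    IN      A       95.217.163.246
archlinux.org.          1597    IN      RRSIG   A 13 2 3600 PLACEHOLDER-SIGNATURE-DATA

;; SERVER: 127.0.0.1#53(127.0.0.1)
"""


def parse_dig(output):
    """Describe one dig run: reachability, rcode, header flags, server, answer records."""
    if "no servers could be reached" in output:
        return {"reachable": False, "status": None, "flags": set(), "server": None, "answers": []}
    status = STATUS_RE.search(output)
    flags = FLAGS_RE.search(output)
    server = SERVER_RE.search(output)
    answers, in_answer = [], False
    for line in output.splitlines():
        if line.startswith(";; ANSWER SECTION:"):
            in_answer = True
            continue
        if in_answer:
            if not line.strip():
                break  # blank line ends the section
            parts = line.split(None, 4)  # name ttl class type rdata
            if len(parts) == 5:
                answers.append({"name": parts[0], "ttl": int(parts[1]), "class": parts[2],
                                "type": parts[3], "rdata": parts[4]})
    return {
        "reachable": True,
        "status": status.group(1) if status else None,
        "flags": set(flags.group(1).split()) if flags else set(),
        "server": server.group(1) if server else None,
        "answers": answers,
    }


def verdict(parsed):
    """Map a parsed run onto: timeout / not validated / validated."""
    if not parsed["reachable"]:
        return "timeout: server not reachable (blocked on the path or down)"
    if parsed["status"] != "NOERROR":
        return f"reachable but answered {parsed['status']}"
    if "ad" in parsed["flags"]:
        return "validated: ad flag set, usable as a DNSSEC-validating upstream"
    if any(a["type"] == "RRSIG" for a in parsed["answers"]):
        return "not validated: signatures passed through but ad flag not set"
    return "not validated: no RRSIG and no ad flag, resolver does not do DNSSEC"


if __name__ == "__main__":
    for sample in (TIMEOUT_OUTPUT, NO_DNSSEC_OUTPUT, VALIDATED_OUTPUT):
        print(verdict(parse_dig(sample)))
```

Feed it real output with `dig @SERVER NAME +dnssec | python3 dig_verdict.py` style piping (read `sys.stdin.read()` into `parse_dig`); the last verdict is the one that matches the college resolver in this thread, and it is a property of that resolver, not of the network path, so unblocking port 53 alone would not change it.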