From: Paul Simmons
To: development@lists.ipfire.org
Subject: Re: [PATCH] DNS: Fall back to permissive mode if recursor mode is unavailable
Date: Mon, 06 Mar 2017 15:47:52 -0600
Message-ID: <1488836872.28849.11.camel@hughes.net>
In-Reply-To: <1488834009.24229.17.camel@ipfire.org>

On Mon, 2017-03-06 at 21:00 +0000, Michael Tremer wrote:
> Hi,
>
> On Mon, 2017-03-06 at 12:18 -0600, Paul Simmons wrote:
> > On Sun, 2017-03-05 at 11:42 +0000, Michael Tremer wrote:
> > >
> > > Hi,
> > >
> > > can you confirm if unbound is running?
> > >
> > > What is the output of /etc/init.d/unbound restart?
> > >
> > > -Michael
> > >
> > > > > > ----<% snip %>----
> > > > >
> > > > > I have nightly commit
> > > > > c016773b9816ad9be4ffc8643c30457e87c094e3
> > > > > available locally, and will beg my users for downtime to test.
> > > > >
> > > > > Thank you, and best regards,
> > > > > Paul
> > > > >
> > > >
> > > > Bad juju - build c016773b couldn't resolve any hosts (other than
> > > > those in "localdomain").
> > > >
> > > > Provider is "hughes.net" and is the only ISP available (no hardlines
> > > > or other LOS/NLOS WISPs available).
> > > >
> > > > Tried assigning DNS servers 74.113.60.185 and 156.154.70.1 - no
> > > > change.
> > > >
> > > > Paul
> > > >
> >
> > Sorry for the lllooonnnggg delay - had to get a testing time window.
> >
> > Unbound was indeed running - verified with "/etc/init.d/unbound status"
> >
> > Command and output from "restart":
> >
> > # /etc/init.d/unbound restart
> > Stopping Unbound DNS Proxy...                                  [  OK  ]
> > Starting Unbound DNS Proxy...                                  [  OK  ]
> > Ignoring broken upstream name server(s): 74.113.60.185 156.154.70.1    [ WARN ]
> > Falling back to recursor mode                                  [ WARN ]
>
> So, can you remind me what your provider does again? Is any access to other name
> servers forbidden? If so the updated script should have detected that and should
> not have activated the recursor mode.
>
> Could you manually execute the following commands from the console of IPFire for
> me?
>
>   dig @198.41.0.4 +dnssec SOA .
>
> The dot at the end is important. What is the output of it?
>
> Best,
> -Michael
>
> >
> > Thank you,
> > Paul
>

# dig @198.41.0.4 +dnssec SOA .

; <<>> DiG 9.11.0-P3 <<>> @198.41.0.4 +dnssec SOA .
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 811
;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 14, ADDITIONAL: 27
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;.                      IN SOA

;; ANSWER SECTION:
.                       86400  IN SOA   a.root-servers.net. nstld.verisign-grs.com. 2017030601 1800 900 604800 86400
.                       86400  IN RRSIG SOA 8 0 86400 20170319170000 20170306160000 61045 . X2xWv3z0ZmFxXkF9ybMgxMv6dcZ+SmnG3XHcNtAavuPNPLW3cVBwolDP lOU5/tfOaKwbu7HENFWysaekMpb6O7ycg+kryuCP7z6Q4WyG0O2160l1 DDG0UbBW5yidfcghq1r6sdz30RI5cSBGcAOmlktnPkjs9wv9/S/ZPyrC qMPJR9A60R52NcWEONS3DiyGxR66KA4S4grJnDgcI6pcytJGXm/b5WRO +v51tnLT0UVbgXvV03Itn/3MR72muzKXWzzj5LFJST5iqWCgAHJryG3T vNKEYLQ76nwl6B3YVJDjC1InmpIujwXBbxMKpyL1Sh0RLdlHq2TtZS8O qk4V0Q==

;; AUTHORITY SECTION:
.                       518400 IN NS    e.root-servers.net.
.                       518400 IN NS    h.root-servers.net.
.                       518400 IN NS    l.root-servers.net.
.                       518400 IN NS    i.root-servers.net.
.                       518400 IN NS    a.root-servers.net.
.                       518400 IN NS    d.root-servers.net.
.                       518400 IN NS    c.root-servers.net.
.                       518400 IN NS    b.root-servers.net.
.                       518400 IN NS    j.root-servers.net.
.                       518400 IN NS    k.root-servers.net.
.                       518400 IN NS    g.root-servers.net.
.                       518400 IN NS    m.root-servers.net.
.                       518400 IN NS    f.root-servers.net.
.                       518400 IN RRSIG NS 8 0 518400 20170319170000 20170306160000 61045 . iQVPY67dNDj6w14dY1tDFgwRFqhEXVVLmY8q1woIX1eU7t1k/XaPi+tX 3+PDCFQlrQmWSWUtLPaA6pmrACB6EL2YvWzAiLVyocGCBpUpnbUCNAwm nD4SvBZb0ET2jWbSiAzo8iy+1+Hr84I8RXtbcrcpF5Y/J5Oataxt5z9o dHGQSKru0eYEbwfszq0L5L8KECk6skm7iQ0RAIspdTfjDsIwtvoAhEGV B8qjFQP5Bkcn38b35eWHneCmc3cgG0J+pK/eX/YHpqClcINGh3eavBlC 1KpUkDDMAwCvo+X/MhDE2Ol/VR00/M/YCzXbEv97IWenM1Xi4ArX9F1C xBc0gA==

;; ADDITIONAL SECTION:
e.root-servers.net.     518400 IN A     192.203.230.10
e.root-servers.net.     518400 IN AAAA  2001:500:a8::e
h.root-servers.net.     518400 IN A     198.97.190.53
h.root-servers.net.     518400 IN AAAA  2001:500:1::53
l.root-servers.net.     518400 IN A     199.7.83.42
l.root-servers.net.     518400 IN AAAA  2001:500:9f::42
i.root-servers.net.     518400 IN A     192.36.148.17
i.root-servers.net.     518400 IN AAAA  2001:7fe::53
a.root-servers.net.     518400 IN A     198.41.0.4
a.root-servers.net.     518400 IN AAAA  2001:503:ba3e::2:30
d.root-servers.net.     518400 IN A     199.7.91.13
d.root-servers.net.     518400 IN AAAA  2001:500:2d::d
c.root-servers.net.     518400 IN A     192.33.4.12
c.root-servers.net.     518400 IN AAAA  2001:500:2::c
b.root-servers.net.     518400 IN A     192.228.79.201
b.root-servers.net.     518400 IN AAAA  2001:500:84::b
j.root-servers.net.     518400 IN A     192.58.128.30
j.root-servers.net.     518400 IN AAAA  2001:503:c27::2:30
k.root-servers.net.     518400 IN A     193.0.14.129
k.root-servers.net.     518400 IN AAAA  2001:7fd::1
g.root-servers.net.     518400 IN A     192.112.36.4
g.root-servers.net.     518400 IN AAAA  2001:500:12::d0d
m.root-servers.net.     518400 IN A     202.12.27.33
m.root-servers.net.     518400 IN AAAA  2001:dc3::35
f.root-servers.net.     518400 IN A     192.5.5.241
f.root-servers.net.     518400 IN AAAA  2001:500:2f::f

;; Query time: 836 msec
;; SERVER: 198.41.0.4#53(198.41.0.4)
;; WHEN: Mon Mar 06 15:40:58 CST 2017
;; MSG SIZE  rcvd: 1440

#

I suspect the ISP mangles DNS requests directed outside their net.

Thank you,
Paul

-- 
 Three o'clock in the afternoon is always just a little too late or a little
 too early for anything you want to do. -- Jean-Paul Sartre

 Jean-Paul didn't understand the concept of "beer-thirty". -- El DiPablo
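
One way to read a reply like this mechanically, as an added example that is not part of the original message or of IPFire's initscript: the function checks the three things the `dig @198.41.0.4 +dnssec SOA .` test exposes (response status, the authoritative `aa` flag, and an RRSIG covering the SOA). The function name, the verdict strings and both sample replies are constructed for illustration.

```shell
# Added example: function names and verdict strings are hypothetical.
# Read saved `dig @<root-server> +dnssec SOA .` output on stdin, print a verdict.
classify_root_reply() {
    awk '
        /->>HEADER<<-/ && match($0, /status: [A-Z]+/) {
            status = substr($0, RSTART + 8, RLENGTH - 8)
        }
        /^;; flags:/ {                     # keep only the flag words
            f = $0; sub(/^;; flags: */, "", f); sub(/;.*/, "", f)
            flags = " " f " "
        }
        /^;; ANSWER SECTION:/ { in_answer = 1; next }
        /^;; /                { in_answer = 0 }
        in_answer && $4 == "SOA"                  { soa = 1 }
        in_answer && $4 == "RRSIG" && $5 == "SOA" { rrsig = 1 }
        END {
            if (status == "")           { print "no-reply"; exit }
            if (status != "NOERROR")    { print "error-" status; exit }
            if (!soa)                   { print "no-soa"; exit }
            if (!index(flags, " aa "))  { print "not-authoritative"; exit }
            if (!rrsig)                 { print "dnssec-stripped"; exit }
            print "ok"
        }'
}

# Constructed sample shaped like the reply in this message (signature elided).
sample_authoritative() {
    cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 811
;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 14, ADDITIONAL: 27
;; ANSWER SECTION:
. 86400 IN SOA a.root-servers.net. nstld.verisign-grs.com. 2017030601 1800 900 604800 86400
. 86400 IN RRSIG SOA 8 0 86400 20170319170000 20170306160000 61045 . SIGNATURE-ELIDED
EOF
}

# Constructed sample: the same query answered by a recursive resolver instead.
sample_intercepted() {
    cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; ANSWER SECTION:
. 3600 IN SOA a.root-servers.net. nstld.verisign-grs.com. 2017030601 1800 900 604800 86400
EOF
}

sample_authoritative | classify_root_reply
sample_intercepted   | classify_root_reply
```

A verdict of `ok` only means the reply has the shape of an authoritative, DNSSEC-signed answer; the function does not validate the signature.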