Hi,

On Mon, 2017-03-06 at 15:47 -0600, Paul Simmons wrote:
> On Mon, 2017-03-06 at 21:00 +0000, Michael Tremer wrote:
> > Hi,
> >
> > On Mon, 2017-03-06 at 12:18 -0600, Paul Simmons wrote:
> > > On Sun, 2017-03-05 at 11:42 +0000, Michael Tremer wrote:
> > > > Hi,
> > > >
> > > > can you confirm if unbound is running?
> > > >
> > > > What is the output of /etc/init.d/unbound restart?
> > > >
> > > > -Michael
> > > >
> > > > > > ----<% snip %>----
> > > > > >
> > > > > > I have nightly commit
> > > > > > c016773b9816ad9be4ffc8643c30457e87c094e3
> > > > > > available locally, and will beg my users for downtime to test.
> > > > > >
> > > > > > Thank you, and best regards,
> > > > > > Paul
> > > > >
> > > > > Bad juju - build c016773b couldn't resolve any hosts (other than
> > > > > those in "localdomain").
> > > > >
> > > > > Provider is "hughes.net" and is the only ISP available (no hardlines
> > > > > or other LOS/NLOS WISPs available).
> > > > >
> > > > > Tried assigning DNS servers 74.113.60.185 and 156.154.70.1 - no change.
> > > > >
> > > > > Paul
> > >
> > > Sorry for the lllooonnnggg delay - had to get a testing time window.
> > >
> > > Unbound was indeed running - verified with "/etc/init.d/unbound status"
> > >
> > > Command and output from "restart":
> > >
> > > # /etc/init.d/unbound restart
> > > Stopping Unbound DNS Proxy...                                          [  OK  ]
> > > Starting Unbound DNS Proxy...                                          [  OK  ]
> > > Ignoring broken upstream name server(s): 74.113.60.185 156.154.70.1    [ WARN ]
> > > Falling back to recursor mode                                          [ WARN ]
> >
> > So, can you remind me what your provider does again? Is any access to
> > other name servers forbidden? If so the updated script should have
> > detected that and should not have activated the recursor mode.
> >
> > Could you manually execute the following commands from the console of
> > IPFire for me?
> >
> >   dig @198.41.0.4 +dnssec SOA .
> >
> > The dot at the end is important. What is the output of it?
> >
> > Best,
> > -Michael
> >
> > > Thank you,
> > > Paul
>
> # dig @198.41.0.4 +dnssec SOA .
>
> ; <<>> DiG 9.11.0-P3 <<>> @198.41.0.4 +dnssec SOA .
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 811
> ;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 14, ADDITIONAL: 27
> ;; WARNING: recursion requested but not available
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 4096
> ;; QUESTION SECTION:
> ;. IN SOA
>
> ;; ANSWER SECTION:
> . 86400 IN SOA a.root-servers.net. nstld.verisign-grs.com. 2017030601 1800 900 604800 86400
> . 86400 IN RRSIG SOA 8 0 86400 20170319170000 20170306160000 61045 .
> X2xWv3z0ZmFxXkF9ybMgxMv6dcZ+SmnG3XHcNtAavuPNPLW3cVBwolDP
> lOU5/tfOaKwbu7HENFWysaekMpb6O7ycg+kryuCP7z6Q4WyG0O2160l1
> DDG0UbBW5yidfcghq1r6sdz30RI5cSBGcAOmlktnPkjs9wv9/S/ZPyrC
> qMPJR9A60R52NcWEONS3DiyGxR66KA4S4grJnDgcI6pcytJGXm/b5WRO
> +v51tnLT0UVbgXvV03Itn/3MR72muzKXWzzj5LFJST5iqWCgAHJryG3T
> vNKEYLQ76nwl6B3YVJDjC1InmpIujwXBbxMKpyL1Sh0RLdlHq2TtZS8O qk4V0Q==
>
> ;; AUTHORITY SECTION:
> . 518400 IN NS e.root-servers.net.
> . 518400 IN NS h.root-servers.net.
> . 518400 IN NS l.root-servers.net.
> . 518400 IN NS i.root-servers.net.
> . 518400 IN NS a.root-servers.net.
> . 518400 IN NS d.root-servers.net.
> . 518400 IN NS c.root-servers.net.
> . 518400 IN NS b.root-servers.net.
> . 518400 IN NS j.root-servers.net.
> . 518400 IN NS k.root-servers.net.
> . 518400 IN NS g.root-servers.net.
> . 518400 IN NS m.root-servers.net.
> . 518400 IN NS f.root-servers.net.
> . 518400 IN RRSIG NS 8 0 518400 20170319170000 20170306160000 61045 .
> iQVPY67dNDj6w14dY1tDFgwRFqhEXVVLmY8q1woIX1eU7t1k/XaPi+tX
> 3+PDCFQlrQmWSWUtLPaA6pmrACB6EL2YvWzAiLVyocGCBpUpnbUCNAwm
> nD4SvBZb0ET2jWbSiAzo8iy+1+Hr84I8RXtbcrcpF5Y/J5Oataxt5z9o
> dHGQSKru0eYEbwfszq0L5L8KECk6skm7iQ0RAIspdTfjDsIwtvoAhEGV
> B8qjFQP5Bkcn38b35eWHneCmc3cgG0J+pK/eX/YHpqClcINGh3eavBlC
> 1KpUkDDMAwCvo+X/MhDE2Ol/VR00/M/YCzXbEv97IWenM1Xi4ArX9F1C xBc0gA==
>
> ;; ADDITIONAL SECTION:
> e.root-servers.net. 518400 IN A 192.203.230.10
> e.root-servers.net. 518400 IN AAAA 2001:500:a8::e
> h.root-servers.net. 518400 IN A 198.97.190.53
> h.root-servers.net. 518400 IN AAAA 2001:500:1::53
> l.root-servers.net. 518400 IN A 199.7.83.42
> l.root-servers.net. 518400 IN AAAA 2001:500:9f::42
> i.root-servers.net. 518400 IN A 192.36.148.17
> i.root-servers.net. 518400 IN AAAA 2001:7fe::53
> a.root-servers.net. 518400 IN A 198.41.0.4
> a.root-servers.net. 518400 IN AAAA 2001:503:ba3e::2:30
> d.root-servers.net. 518400 IN A 199.7.91.13
> d.root-servers.net. 518400 IN AAAA 2001:500:2d::d
> c.root-servers.net. 518400 IN A 192.33.4.12
> c.root-servers.net. 518400 IN AAAA 2001:500:2::c
> b.root-servers.net. 518400 IN A 192.228.79.201
> b.root-servers.net. 518400 IN AAAA 2001:500:84::b
> j.root-servers.net. 518400 IN A 192.58.128.30
> j.root-servers.net. 518400 IN AAAA 2001:503:c27::2:30
> k.root-servers.net. 518400 IN A 193.0.14.129
> k.root-servers.net. 518400 IN AAAA 2001:7fd::1
> g.root-servers.net. 518400 IN A 192.112.36.4
> g.root-servers.net. 518400 IN AAAA 2001:500:12::d0d
> m.root-servers.net. 518400 IN A 202.12.27.33
> m.root-servers.net. 518400 IN AAAA 2001:dc3::35
> f.root-servers.net. 518400 IN A 192.5.5.241
> f.root-servers.net. 518400 IN AAAA 2001:500:2f::f
>
> ;; Query time: 836 msec
> ;; SERVER: 198.41.0.4#53(198.41.0.4)
> ;; WHEN: Mon Mar 06 15:40:58 CST 2017
> ;; MSG SIZE  rcvd: 1440
> #
>
> I suspect the ISP mangles DNS requests directed outside their net.

Well, that command shouldn't have worked then.

Could you give me an example for something that you cannot resolve?

-Michael

>
> Thank you,
> Paul
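
An added example (not part of the thread and not IPFire's detection script): one way to read the dig output above when deciding whether a query to 198.41.0.4 reached a root server with its DNSSEC data intact. The function name, the heuristics and both sample outputs are assumptions constructed for illustration.

```python
import re

# Constructed samples in the shape of the dig output quoted in the thread;
# signature data is a placeholder, not a real RRSIG.
DIRECT = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 811
;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 14, ADDITIONAL: 27
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; ANSWER SECTION:
. 86400 IN SOA a.root-servers.net. nstld.verisign-grs.com. 2017030601 1800 900 604800 86400
. 86400 IN RRSIG SOA 8 0 86400 20170319170000 20170306160000 61045 . PLACEHOLDER==
"""
# Constructed: what a redirecting, non-DNSSEC resolver might return instead.
INTERCEPTED = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 812
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; ANSWER SECTION:
. 86400 IN SOA a.root-servers.net. nstld.verisign-grs.com. 2017030601 1800 900 604800 86400
"""

def assess_root_reply(dig_text):
    """List reasons the reply does not look like a direct, signed root answer."""
    problems = []
    status = re.search(r"status: (\w+)", dig_text)
    if not status or status.group(1) != "NOERROR":
        problems.append("status is not NOERROR")
    hdr = re.search(r"^;; flags: ([a-z ]*);", dig_text, re.M)
    flags = hdr.group(1).split() if hdr else []
    if "aa" not in flags:  # a root server is authoritative for "."
        problems.append("aa flag missing")
    if "ra" in flags:      # root servers do not offer recursion
        problems.append("ra flag set")
    edns = re.search(r"^; EDNS: [^;]*flags:([a-z ]*);", dig_text, re.M)
    if not edns or "do" not in edns.group(1).split():
        problems.append("EDNS DO bit not echoed")
    section, signed = None, False
    for line in dig_text.splitlines():
        head = re.match(r";; (\w+) SECTION:", line)
        if head:
            section = head.group(1)
        elif section == "ANSWER" and line and not line.startswith(";"):
            f = line.split()  # name ttl class type [type-covered ...]
            signed |= len(f) > 4 and f[3] == "RRSIG" and f[4] == "SOA"
    if not signed:
        problems.append("no RRSIG covering the SOA")
    return problems
```

An empty list means the reply has the properties visible in the output Paul posted (NOERROR, `aa` set, no `ra`, DO echoed, SOA signed); it does not validate the signature itself.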