From: Michael Tremer
To: development@lists.ipfire.org
Subject: Re: [PATCH] DNS: Fall back to permissive mode if recursor mode is unavailable
Date: Mon, 06 Mar 2017 22:37:35 +0000
Message-ID: <1488839855.24229.34.camel@ipfire.org>
In-Reply-To: <1488836872.28849.11.camel@hughes.net>

Hi,

On Mon, 2017-03-06 at 15:47 -0600, Paul Simmons wrote:
> On Mon, 2017-03-06 at 21:00 +0000, Michael Tremer wrote:
> > Hi,
> >
> > On Mon, 2017-03-06 at 12:18 -0600, Paul Simmons wrote:
> > > On Sun, 2017-03-05 at 11:42 +0000, Michael Tremer wrote:
> > > > Hi,
> > > >
> > > > can you confirm if unbound is running?
> > > >
> > > > What is the output of /etc/init.d/unbound restart?
> > > >
> > > > -Michael
> > > >
> > > > > > > ----<% snip %>----
> > > > > >
> > > > > > I have nightly commit
> > > > > > c016773b9816ad9be4ffc8643c30457e87c094e3
> > > > > > available locally, and will beg my users for downtime to
> > > > > > test.
> > > > > >
> > > > > > Thank you, and best regards,
> > > > > > Paul
> > > > >
> > > > > Bad juju - build c016773b couldn't resolve any hosts (other
> > > > > than those in "localdomain").
> > > > >
> > > > > Provider is "hughes.net" and is the only ISP available (no
> > > > > hardlines or other LOS/NLOS WISPs available).
> > > > >
> > > > > Tried assigning DNS servers 74.113.60.185 and 156.154.70.1 - no
> > > > > change.
> > > > >
> > > > > Paul
> > >
> > > Sorry for the lllooonnnggg delay - had to get a testing time
> > > window.
> > >
> > > Unbound was indeed running - verified with "/etc/init.d/unbound
> > > status"
> > >
> > > Command and output from "restart":
> > >
> > > # /etc/init.d/unbound restart
> > > Stopping Unbound DNS Proxy...                                  [  OK  ]
> > > Starting Unbound DNS Proxy...                                  [  OK  ]
> > > Ignoring broken upstream name server(s): 74.113.60.185 156.154.70.1    [ WARN ]
> > > Falling back to recursor mode                                  [ WARN ]
> >
> > So, can you remind me what your provider does again? Is any access to
> > other name servers forbidden? If so the updated script should have
> > detected that and should not have activated the recursor mode.
> >
> > Could you manually execute the following commands from the console of
> > IPFire for me?
> >
> >   dig @198.41.0.4 +dnssec SOA .
> >
> > The dot at the end is important. What is the output of it?
> >
> > Best,
> > -Michael
> >
> > > Thank you,
> > > Paul
>
> # dig @198.41.0.4 +dnssec SOA .
>
> ; <<>> DiG 9.11.0-P3 <<>> @198.41.0.4 +dnssec SOA .
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 811
> ;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 14, ADDITIONAL: 27
> ;; WARNING: recursion requested but not available
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 4096
> ;; QUESTION SECTION:
> ;. IN SOA
>
> ;; ANSWER SECTION:
> . 86400 IN SOA a.root-servers.net. nstld.verisign-grs.com. 2017030601 1800 900 604800 86400
> . 86400 IN RRSIG SOA 8 0 86400 20170319170000 20170306160000 61045 .
>   X2xWv3z0ZmFxXkF9ybMgxMv6dcZ+SmnG3XHcNtAavuPNPLW3cVBwolDP
>   lOU5/tfOaKwbu7HENFWysaekMpb6O7ycg+kryuCP7z6Q4WyG0O2160l1
>   DDG0UbBW5yidfcghq1r6sdz30RI5cSBGcAOmlktnPkjs9wv9/S/ZPyrC
>   qMPJR9A60R52NcWEONS3DiyGxR66KA4S4grJnDgcI6pcytJGXm/b5WRO
>   +v51tnLT0UVbgXvV03Itn/3MR72muzKXWzzj5LFJST5iqWCgAHJryG3T
>   vNKEYLQ76nwl6B3YVJDjC1InmpIujwXBbxMKpyL1Sh0RLdlHq2TtZS8O qk4V0Q==
>
> ;; AUTHORITY SECTION:
> . 518400 IN NS e.root-servers.net.
> . 518400 IN NS h.root-servers.net.
> . 518400 IN NS l.root-servers.net.
> . 518400 IN NS i.root-servers.net.
> . 518400 IN NS a.root-servers.net.
> . 518400 IN NS d.root-servers.net.
> . 518400 IN NS c.root-servers.net.
> . 518400 IN NS b.root-servers.net.
> . 518400 IN NS j.root-servers.net.
> . 518400 IN NS k.root-servers.net.
> . 518400 IN NS g.root-servers.net.
> . 518400 IN NS m.root-servers.net.
> . 518400 IN NS f.root-servers.net.
> . 518400 IN RRSIG NS 8 0 518400 20170319170000 20170306160000 61045 .
>   iQVPY67dNDj6w14dY1tDFgwRFqhEXVVLmY8q1woIX1eU7t1k/XaPi+tX
>   3+PDCFQlrQmWSWUtLPaA6pmrACB6EL2YvWzAiLVyocGCBpUpnbUCNAwm
>   nD4SvBZb0ET2jWbSiAzo8iy+1+Hr84I8RXtbcrcpF5Y/J5Oataxt5z9o
>   dHGQSKru0eYEbwfszq0L5L8KECk6skm7iQ0RAIspdTfjDsIwtvoAhEGV
>   B8qjFQP5Bkcn38b35eWHneCmc3cgG0J+pK/eX/YHpqClcINGh3eavBlC
>   1KpUkDDMAwCvo+X/MhDE2Ol/VR00/M/YCzXbEv97IWenM1Xi4ArX9F1C xBc0gA==
>
> ;; ADDITIONAL SECTION:
> e.root-servers.net. 518400 IN A 192.203.230.10
> e.root-servers.net. 518400 IN AAAA 2001:500:a8::e
> h.root-servers.net. 518400 IN A 198.97.190.53
> h.root-servers.net. 518400 IN AAAA 2001:500:1::53
> l.root-servers.net. 518400 IN A 199.7.83.42
> l.root-servers.net. 518400 IN AAAA 2001:500:9f::42
> i.root-servers.net. 518400 IN A 192.36.148.17
> i.root-servers.net. 518400 IN AAAA 2001:7fe::53
> a.root-servers.net. 518400 IN A 198.41.0.4
> a.root-servers.net. 518400 IN AAAA 2001:503:ba3e::2:30
> d.root-servers.net. 518400 IN A 199.7.91.13
> d.root-servers.net. 518400 IN AAAA 2001:500:2d::d
> c.root-servers.net. 518400 IN A 192.33.4.12
> c.root-servers.net. 518400 IN AAAA 2001:500:2::c
> b.root-servers.net. 518400 IN A 192.228.79.201
> b.root-servers.net. 518400 IN AAAA 2001:500:84::b
> j.root-servers.net. 518400 IN A 192.58.128.30
> j.root-servers.net. 518400 IN AAAA 2001:503:c27::2:30
> k.root-servers.net. 518400 IN A 193.0.14.129
> k.root-servers.net. 518400 IN AAAA 2001:7fd::1
> g.root-servers.net. 518400 IN A 192.112.36.4
> g.root-servers.net. 518400 IN AAAA 2001:500:12::d0d
> m.root-servers.net. 518400 IN A 202.12.27.33
> m.root-servers.net. 518400 IN AAAA 2001:dc3::35
> f.root-servers.net. 518400 IN A 192.5.5.241
> f.root-servers.net. 518400 IN AAAA 2001:500:2f::f
>
> ;; Query time: 836 msec
> ;; SERVER: 198.41.0.4#53(198.41.0.4)
> ;; WHEN: Mon Mar 06 15:40:58 CST 2017
> ;; MSG SIZE  rcvd: 1440
> #
>
> I suspect the ISP mangles DNS requests directed outside their net.

Well, that command shouldn't have worked then.

Could you give me an example for something that you cannot resolve?

-Michael

> Thank you,
> Paul
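
Added example, not part of the original thread and not code from IPFire's unbound init script: a shell function that reads the output of the "dig @198.41.0.4 +dnssec SOA ." probe discussed above and reports whether the answer looks like it came straight from a root server with its DNSSEC records intact. The function name, the verdict strings and both sample inputs are constructed for this illustration.

```shell
#!/bin/sh
# Added example (not IPFire code): classify `dig @<root> +dnssec SOA .` output
# read on stdin. Verdict names are this example's own.
classify_root_probe() {
    out=$(cat)
    # ";; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 811"
    status=$(printf '%s\n' "$out" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1)
    # ";; flags: qr aa rd; QUERY: 1, ANSWER: 2, ..."
    flags=$(printf '%s\n' "$out" | sed -n 's/^;; flags: \([a-z ]*\);.*/\1/p' | head -n 1)
    # Timeouts and error rcodes: the root server is not usable.
    [ "$status" = "NOERROR" ] || { echo "no-answer"; return 1; }
    # Root servers do not offer recursion; "ra" means a resolver answered.
    case " $flags " in *" ra "*) echo "answered-by-resolver"; return 1 ;; esac
    # The root zone's own SOA must come back as an authoritative answer.
    case " $flags " in *" aa "*) ;; *) echo "not-authoritative"; return 1 ;; esac
    # DNSSEC records must survive the path: an RRSIG covering the root SOA.
    printf '%s\n' "$out" |
        grep -Eq '^\.[[:space:]].*[[:space:]]RRSIG[[:space:]]+SOA[[:space:]]' ||
        { echo "dnssec-stripped"; return 1; }
    echo "direct-dnssec"
}

# Constructed sample modelled on the output in the thread (signature elided).
sample_direct() {
    cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 811
;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 14, ADDITIONAL: 27
;; WARNING: recursion requested but not available
; EDNS: version: 0, flags: do; udp: 4096
.  86400  IN  SOA  a.root-servers.net. nstld.verisign-grs.com. 2017030601 1800 900 604800 86400
.  86400  IN  RRSIG  SOA 8 0 86400 20170319170000 20170306160000 61045 . PLACEHOLDERSIG==
EOF
}

# Constructed sample: what a forwarding resolver answering in place of the
# root server could look like (recursion available, no signature).
sample_resolver() {
    cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
.  3600  IN  SOA  a.root-servers.net. nstld.verisign-grs.com. 2017030601 1800 900 604800 86400
EOF
}

sample_direct | classify_root_probe || true      # direct-dnssec
sample_resolver | classify_root_probe || true    # answered-by-resolver
```

On a live system the function would be fed from the probe itself, for example by piping the dig command from the thread into classify_root_probe.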