From: Paul Simmons
To: development@lists.ipfire.org
Subject: Re: [PATCH] DNS: Fall back to permissive mode if recursor mode is unavailable
Date: Mon, 06 Mar 2017 17:29:55 -0600
Message-ID: <1488842995.26357.2.camel@hughes.net>
In-Reply-To: <1488839855.24229.34.camel@ipfire.org>

On Mon, 2017-03-06 at 22:37 +0000, Michael Tremer wrote:
> Hi,
> 
> On Mon, 2017-03-06 at 15:47 -0600, Paul Simmons wrote:
> > On Mon, 2017-03-06 at 21:00 +0000, Michael Tremer wrote:
> > > 
> > > Hi,
> > > 
> > > On Mon, 2017-03-06 at 12:18 -0600, Paul Simmons wrote:
> > > > 
> > > > On Sun, 2017-03-05 at 11:42 +0000, Michael Tremer wrote:
> > > > > 
> > > > > Hi,
> > > > > 
> > > > > can you confirm if unbound is running?
> > > > > 
> > > > > What is the output of /etc/init.d/unbound restart?
> > > > > 
> > > > > -Michael
> > > > > 
> > > > > > > > ----<% snip %>----
> > > > > > > 
> > > > > > > I have nightly commit c016773b9816ad9be4ffc8643c30457e87c094e3
> > > > > > > available locally, and will beg my users for downtime to test.
> > > > > > > 
> > > > > > > Thank you, and best regards,
> > > > > > > Paul
> > > > > > 
> > > > > > Bad juju - build c016773b couldn't resolve any hosts (other than
> > > > > > those in "localdomain").
> > > > > > 
> > > > > > Provider is "hughes.net" and is the only ISP available (no hardlines
> > > > > > or other LOS/NLOS WISPs available).
> > > > > > 
> > > > > > Tried assigning DNS servers 74.113.60.185 and 156.154.70.1 - no
> > > > > > change.
> > > > > > 
> > > > > > Paul
> > > > 
> > > > Sorry for the lllooonnnggg delay - had to get a testing time window.
> > > > 
> > > > Unbound was indeed running - verified with "/etc/init.d/unbound status"
> > > > 
> > > > Command and output from "restart":
> > > > 
> > > > # /etc/init.d/unbound restart
> > > > Stopping Unbound DNS Proxy...                                      [  OK  ]
> > > > Starting Unbound DNS Proxy...                                      [  OK  ]
> > > > Ignoring broken upstream name server(s): 74.113.60.185 156.154.70.1 [ WARN ]
> > > > Falling back to recursor mode                                      [ WARN ]
> > > 
> > > So, can you remind me what your provider does again? Is any access to
> > > other name servers forbidden? If so the updated script should have
> > > detected that and should not have activated the recursor mode.
> > > 
> > > Could you manually execute the following commands from the console of
> > > IPFire for me?
> > > 
> > >   dig @198.41.0.4 +dnssec SOA .
> > > 
> > > The dot at the end is important. What is the output of it?
> > > 
> > > Best,
> > > -Michael
> > > 
> > > > Thank you,
> > > > Paul
> > 
> > # dig @198.41.0.4 +dnssec SOA .
> > 
> > ; <<>> DiG 9.11.0-P3 <<>> @198.41.0.4 +dnssec SOA .
> > ; (1 server found)
> > ;; global options: +cmd
> > ;; Got answer:
> > ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 811
> > ;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 14, ADDITIONAL: 27
> > ;; WARNING: recursion requested but not available
> > 
> > ;; OPT PSEUDOSECTION:
> > ; EDNS: version: 0, flags: do; udp: 4096
> > ;; QUESTION SECTION:
> > ;.                          IN      SOA
> > 
> > ;; ANSWER SECTION:
> > .                   86400   IN      SOA     a.root-servers.net. nstld.verisign-grs.com. 2017030601 1800 900 604800 86400
> > .                   86400   IN      RRSIG   SOA 8 0 86400 20170319170000 20170306160000 61045 . X2xWv3z0ZmFxXkF9ybMgxMv6dcZ+SmnG3XHcNtAavuPNPLW3cVBwolDP lOU5/tfOaKwbu7HENFWysaekMpb6O7ycg+kryuCP7z6Q4WyG0O2160l1 DDG0UbBW5yidfcghq1r6sdz30RI5cSBGcAOmlktnPkjs9wv9/S/ZPyrC qMPJR9A60R52NcWEONS3DiyGxR66KA4S4grJnDgcI6pcytJGXm/b5WRO +v51tnLT0UVbgXvV03Itn/3MR72muzKXWzzj5LFJST5iqWCgAHJryG3T vNKEYLQ76nwl6B3YVJDjC1InmpIujwXBbxMKpyL1Sh0RLdlHq2TtZS8O qk4V0Q==
> > 
> > ;; AUTHORITY SECTION:
> > .                   518400  IN      NS      e.root-servers.net.
> > .                   518400  IN      NS      h.root-servers.net.
> > .                   518400  IN      NS      l.root-servers.net.
> > .                   518400  IN      NS      i.root-servers.net.
> > .                   518400  IN      NS      a.root-servers.net.
> > .                   518400  IN      NS      d.root-servers.net.
> > .                   518400  IN      NS      c.root-servers.net.
> > .                   518400  IN      NS      b.root-servers.net.
> > .                   518400  IN      NS      j.root-servers.net.
> > .                   518400  IN      NS      k.root-servers.net.
> > .                   518400  IN      NS      g.root-servers.net.
> > .                   518400  IN      NS      m.root-servers.net.
> > .                   518400  IN      NS      f.root-servers.net.
> > .                   518400  IN      RRSIG   NS 8 0 518400 20170319170000 20170306160000 61045 . iQVPY67dNDj6w14dY1tDFgwRFqhEXVVLmY8q1woIX1eU7t1k/XaPi+tX 3+PDCFQlrQmWSWUtLPaA6pmrACB6EL2YvWzAiLVyocGCBpUpnbUCNAwm nD4SvBZb0ET2jWbSiAzo8iy+1+Hr84I8RXtbcrcpF5Y/J5Oataxt5z9o dHGQSKru0eYEbwfszq0L5L8KECk6skm7iQ0RAIspdTfjDsIwtvoAhEGV B8qjFQP5Bkcn38b35eWHneCmc3cgG0J+pK/eX/YHpqClcINGh3eavBlC 1KpUkDDMAwCvo+X/MhDE2Ol/VR00/M/YCzXbEv97IWenM1Xi4ArX9F1C xBc0gA==
> > 
> > ;; ADDITIONAL SECTION:
> > e.root-servers.net. 518400  IN      A       192.203.230.10
> > e.root-servers.net. 518400  IN      AAAA    2001:500:a8::e
> > h.root-servers.net. 518400  IN      A       198.97.190.53
> > h.root-servers.net. 518400  IN      AAAA    2001:500:1::53
> > l.root-servers.net. 518400  IN      A       199.7.83.42
> > l.root-servers.net. 518400  IN      AAAA    2001:500:9f::42
> > i.root-servers.net. 518400  IN      A       192.36.148.17
> > i.root-servers.net. 518400  IN      AAAA    2001:7fe::53
> > a.root-servers.net. 518400  IN      A       198.41.0.4
> > a.root-servers.net. 518400  IN      AAAA    2001:503:ba3e::2:30
> > d.root-servers.net. 518400  IN      A       199.7.91.13
> > d.root-servers.net. 518400  IN      AAAA    2001:500:2d::d
> > c.root-servers.net. 518400  IN      A       192.33.4.12
> > c.root-servers.net. 518400  IN      AAAA    2001:500:2::c
> > b.root-servers.net. 518400  IN      A       192.228.79.201
> > b.root-servers.net. 518400  IN      AAAA    2001:500:84::b
> > j.root-servers.net. 518400  IN      A       192.58.128.30
> > j.root-servers.net. 518400  IN      AAAA    2001:503:c27::2:30
> > k.root-servers.net. 518400  IN      A       193.0.14.129
> > k.root-servers.net. 518400  IN      AAAA    2001:7fd::1
> > g.root-servers.net. 518400  IN      A       192.112.36.4
> > g.root-servers.net. 518400  IN      AAAA    2001:500:12::d0d
> > m.root-servers.net. 518400  IN      A       202.12.27.33
> > m.root-servers.net. 518400  IN      AAAA    2001:dc3::35
> > f.root-servers.net. 518400  IN      A       192.5.5.241
> > f.root-servers.net. 518400  IN      AAAA    2001:500:2f::f
> > 
> > ;; Query time: 836 msec
> > ;; SERVER: 198.41.0.4#53(198.41.0.4)
> > ;; WHEN: Mon Mar 06 15:40:58 CST 2017
> > ;; MSG SIZE  rcvd: 1440
> > #
> > 
> > I suspect the ISP mangles DNS requests directed outside their net.
> 
> Well, that command shouldn't have worked then.
> 
> Could you give me an example for something that you cannot resolve?
> 
> -Michael
> 
> > Thank you,
> > Paul

Ah, I see... so the problem is that we're not forwarding requests outside
the local domain?

Latest testing sequence follows:

# /etc/init.d/unbound restart
Stopping Unbound DNS Proxy...                                      [  OK  ]
Starting Unbound DNS Proxy...                                      [  OK  ]
Ignoring broken upstream name server(s): 74.113.60.185 156.154.70.1 [ WARN ]
Falling back to recursor mode                                      [ WARN ]

# dig @198.41.0.4 +dnssec SOA .

; <<>> DiG 9.11.0-P3 <<>> @198.41.0.4 +dnssec SOA .
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23002
;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 14, ADDITIONAL: 27
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1472
;; QUESTION SECTION:
;.                          IN      SOA

;; ANSWER SECTION:
.                   86400   IN      SOA     a.root-servers.net. nstld.verisign-grs.com. 2017030601 1800 900 604800 86400
.                   86400   IN      RRSIG   SOA 8 0 86400 20170319170000 20170306160000 61045 . X2xWv3z0ZmFxXkF9ybMgxMv6dcZ+SmnG3XHcNtAavuPNPLW3cVBwolDP lOU5/tfOaKwbu7HENFWysaekMpb6O7ycg+kryuCP7z6Q4WyG0O2160l1 DDG0UbBW5yidfcghq1r6sdz30RI5cSBGcAOmlktnPkjs9wv9/S/ZPyrC qMPJR9A60R52NcWEONS3DiyGxR66KA4S4grJnDgcI6pcytJGXm/b5WRO +v51tnLT0UVbgXvV03Itn/3MR72muzKXWzzj5LFJST5iqWCgAHJryG3T vNKEYLQ76nwl6B3YVJDjC1InmpIujwXBbxMKpyL1Sh0RLdlHq2TtZS8O qk4V0Q==

;; AUTHORITY SECTION:
.                   518400  IN      NS      a.root-servers.net.
.                   518400  IN      NS      b.root-servers.net.
.                   518400  IN      NS      c.root-servers.net.
.                   518400  IN      NS      d.root-servers.net.
.                   518400  IN      NS      e.root-servers.net.
.                   518400  IN      NS      f.root-servers.net.
.                   518400  IN      NS      g.root-servers.net.
.                   518400  IN      NS      h.root-servers.net.
.                   518400  IN      NS      i.root-servers.net.
.                   518400  IN      NS      j.root-servers.net.
.                   518400  IN      NS      k.root-servers.net.
.                   518400  IN      NS      l.root-servers.net.
.                   518400  IN      NS      m.root-servers.net.
.                   518400  IN      RRSIG   NS 8 0 518400 20170319170000 20170306160000 61045 . iQVPY67dNDj6w14dY1tDFgwRFqhEXVVLmY8q1woIX1eU7t1k/XaPi+tX 3+PDCFQlrQmWSWUtLPaA6pmrACB6EL2YvWzAiLVyocGCBpUpnbUCNAwm nD4SvBZb0ET2jWbSiAzo8iy+1+Hr84I8RXtbcrcpF5Y/J5Oataxt5z9o dHGQSKru0eYEbwfszq0L5L8KECk6skm7iQ0RAIspdTfjDsIwtvoAhEGV B8qjFQP5Bkcn38b35eWHneCmc3cgG0J+pK/eX/YHpqClcINGh3eavBlC 1KpUkDDMAwCvo+X/MhDE2Ol/VR00/M/YCzXbEv97IWenM1Xi4ArX9F1C xBc0gA==

;; ADDITIONAL SECTION:
a.root-servers.net. 518400  IN      A       198.41.0.4
b.root-servers.net. 518400  IN      A       192.228.79.201
c.root-servers.net. 518400  IN      A       192.33.4.12
d.root-servers.net. 518400  IN      A       199.7.91.13
e.root-servers.net. 518400  IN      A       192.203.230.10
f.root-servers.net. 518400  IN      A       192.5.5.241
g.root-servers.net. 518400  IN      A       192.112.36.4
h.root-servers.net. 518400  IN      A       198.97.190.53
i.root-servers.net. 518400  IN      A       192.36.148.17
j.root-servers.net. 518400  IN      A       192.58.128.30
k.root-servers.net. 518400  IN      A       193.0.14.129
l.root-servers.net. 518400  IN      A       199.7.83.42
m.root-servers.net. 518400  IN      A       202.12.27.33
a.root-servers.net. 518400  IN      AAAA    2001:503:ba3e::2:30
b.root-servers.net. 518400  IN      AAAA    2001:500:84::b
c.root-servers.net. 518400  IN      AAAA    2001:500:2::c
d.root-servers.net. 518400  IN      AAAA    2001:500:2d::d
e.root-servers.net. 518400  IN      AAAA    2001:500:a8::e
f.root-servers.net. 518400  IN      AAAA    2001:500:2f::f
g.root-servers.net. 518400  IN      AAAA    2001:500:12::d0d
h.root-servers.net. 518400  IN      AAAA    2001:500:1::53
i.root-servers.net. 518400  IN      AAAA    2001:7fe::53
j.root-servers.net. 518400  IN      AAAA    2001:503:c27::2:30
k.root-servers.net. 518400  IN      AAAA    2001:7fd::1
l.root-servers.net. 518400  IN      AAAA    2001:500:9f::42
m.root-servers.net. 518400  IN      AAAA    2001:dc3::35

;; Query time: 797 msec
;; SERVER: 198.41.0.4#53(198.41.0.4)
;; WHEN: Mon Mar 06 17:03:12 CST 2017
;; MSG SIZE  rcvd: 1440

# host www.google.com
Host www.google.com not found: 2(SERVFAIL)

# host www.ipfire.org
;; connection timed out; no servers could be reached

# nslookup www.google.com
Server:		127.0.0.1
Address:	127.0.0.1#53

** server can't find www.google.com: SERVFAIL

# nslookup www.ipfire.org 8.8.8.8
Server:		8.8.8.8
Address:	8.8.8.8#53

Non-authoritative answer:
www.ipfire.org	canonical name = web01.ipfire.org.
Name:	web01.ipfire.org
Address: 81.3.27.41

Thanks,
Paul
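An added example, not code from this thread or from IPFire's unbound init script: the three checks the thread runs by hand (do the configured upstreams answer, does a root server answer `dig @198.41.0.4 +dnssec SOA .` with an authoritative signed SOA, and does a lookup through the local resolver then actually succeed) turned into a mode decision that can be exercised offline against captured dig/host transcripts. The transcripts are constructed, abbreviated from the ones posted above; reading "permissive" as unbound's `val-permissive-mode`, and adding the post-switch local lookup as a third check, are assumptions of this example rather than anything the patch or the thread states.

```shell
#!/bin/sh
# Added example, not IPFire's unbound init script.  Replays the thread's
# hand-run checks as a resolver mode decision; dig(1)/host(1) transcripts
# are read from stdin so everything below runs offline.
#
# Modes, in the order the thread tries them:
#   forward     some configured upstream answers with NOERROR
#   recursor    no usable upstream, but a root server answers an
#               authoritative, signed SOA for "." (dig @198.41.0.4 +dnssec SOA .)
#               AND a lookup through the local resolver then works
#   permissive  anything else; assumed here to mean unbound's
#               val-permissive-mode (keep answering, no SERVFAIL on validation)

# classify_dig_output: read a dig/host transcript on stdin and print
# ok | servfail | timeout | <other rcode, lowercased> | unknown
classify_dig_output() {
    out=$(cat)
    case "$out" in
        *"timed out"*|*"no servers could be reached"*) echo timeout; return 0 ;;
    esac
    status=$(printf '%s\n' "$out" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1)
    case "$status" in
        NOERROR)  echo ok ;;
        SERVFAIL) echo servfail ;;
        "")       # host(1)/nslookup(1) spell the rcode out instead of "status:"
                  case "$out" in *SERVFAIL*) echo servfail ;; *) echo unknown ;; esac ;;
        *)        printf '%s\n' "$status" | tr 'A-Z' 'a-z' ;;
    esac
}

# root_reachable: 1 if stdin is a NOERROR, authoritative (aa), DNSSEC-signed
# (RRSIG over the SOA) answer from a root server, else 0.
root_reachable() {
    out=$(cat)
    if printf '%s\n' "$out" | grep -q 'status: NOERROR' &&
       printf '%s\n' "$out" | grep -q 'flags: qr aa' &&
       printf '%s\n' "$out" | grep -q 'RRSIG[[:space:]]*SOA'; then
        echo 1
    else
        echo 0
    fi
}

# choose_mode "UPSTREAM_VERDICTS" ROOT_OK LOCAL_VERDICT
#   UPSTREAM_VERDICTS: classify_dig_output result per configured upstream
#   ROOT_OK:           root_reachable result
#   LOCAL_VERDICT:     classify_dig_output of a lookup via 127.0.0.1 once the
#                      candidate mode is active ("" if not tested yet)
choose_mode() {
    for v in $1; do
        if [ "$v" = ok ]; then echo forward; return 0; fi
    done
    if [ "$2" = 1 ] && [ "$3" != servfail ] && [ "$3" != timeout ]; then
        echo recursor
    else
        echo permissive
    fi
}

# Constructed sample transcripts, abbreviated from the ones in the thread.
SAMPLE_ROOT_SOA=$(cat <<'EOF'
; <<>> DiG 9.11.0-P3 <<>> @198.41.0.4 +dnssec SOA .
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23002
;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 14, ADDITIONAL: 27
;; WARNING: recursion requested but not available
;; ANSWER SECTION:
.  86400  IN  SOA    a.root-servers.net. nstld.verisign-grs.com. 2017030601 1800 900 604800 86400
.  86400  IN  RRSIG  SOA 8 0 86400 20170319170000 20170306160000 61045 . X2xWv3z0Zm...
EOF
)
SAMPLE_TIMEOUT=';; connection timed out; no servers could be reached'
SAMPLE_DIG_SERVFAIL=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4711'
SAMPLE_HOST_SERVFAIL='Host www.google.com not found: 2(SERVFAIL)'

# thread_case: both upstreams unusable, root answers, but a lookup through
# the local resolver still fails, as in Paul's "host www.google.com".
thread_case() {
    up1=$(printf '%s\n' "$SAMPLE_TIMEOUT" | classify_dig_output)
    up2=$(printf '%s\n' "$SAMPLE_DIG_SERVFAIL" | classify_dig_output)
    root=$(printf '%s\n' "$SAMPLE_ROOT_SOA" | root_reachable)
    loc=$(printf '%s\n' "$SAMPLE_HOST_SERVFAIL" | classify_dig_output)
    choose_mode "$up1 $up2" "$root" "$loc"
}

echo "thread case -> $(thread_case)"
```

Run as-is it prints `permissive` for the replayed case: both upstreams are unusable, the root SOA check passes (so a root-reachability test alone would pick recursor mode), yet the local resolver still returns SERVFAIL, which is the gap the thread is circling. Against a live box, pipe real output in, e.g. `dig +dnssec A www.ipfire.org @74.113.60.185 | classify_dig_output`.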