From: Michael Tremer <michael.tremer@ipfire.org>
To: development@lists.ipfire.org
Subject: Re: [PATCH] DNS: Fall back to permissive mode if recursor mode is unavailable
Date: Tue, 07 Mar 2017 12:06:24 +0000
Message-ID: <C7C38AB8-82DD-447E-9ADE-4C15621B3E78@ipfire.org>
In-Reply-To: <1488842995.26357.2.camel@hughes.net>
No, it is supposed to resolve everything.
For that it only needs to be able to contact the root name servers and practically all others on the internet. That seems to fail here.
What does unbound log?
> On 6 Mar 2017, at 11:29 pm, Paul Simmons <redneckmother(a)hughes.net> wrote:
>
>> On Mon, 2017-03-06 at 22:37 +0000, Michael Tremer wrote:
>> Hi,
>>
>>> On Mon, 2017-03-06 at 15:47 -0600, Paul Simmons wrote:
>>>> On Mon, 2017-03-06 at 21:00 +0000, Michael Tremer wrote:
>>>>
>>>> Hi,
>>>>
>>>>> On Mon, 2017-03-06 at 12:18 -0600, Paul Simmons wrote:
>>>>>
>>>>>> On Sun, 2017-03-05 at 11:42 +0000, Michael Tremer wrote:
>>>>>>
>>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> can you confirm if unbound is running?
>>>>>>
>>>>>> What is the output of /etc/init.d/unbound restart?
>>>>>>
>>>>>> -Michael
>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> ----<% snip %>----
>>>>>>>>
>>>>>>>> I have nightly commit
>>>>>>>> c016773b9816ad9be4ffc8643c30457e87c094e3
>>>>>>>> available locally, and will beg my users for downtime to
>>>>>>>> test.
>>>>>>>>
>>>>>>>> Thank you, and best regards,
>>>>>>>> Paul
>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>> Bad juju - build c016773b couldn't resolve any hosts (other than those in "localdomain").
>>>>>>>
>>>>>>> Provider is "hughes.net" and is the only ISP available (no hardlines or other LOS/NLOS WISPs available).
>>>>>>>
>>>>>>> Tried assigning DNS servers 74.113.60.185 and 156.154.70.1 - no change.
>>>>>>>
>>>>>>> Paul
>>>>>>>
>>>>>
>>>>> Sorry for the lllooonnnggg delay - had to get a testing time window.
>>>>>
>>>>> Unbound was indeed running - verified with "/etc/init.d/unbound status"
>>>>>
>>>>> Command and output from "restart":
>>>>>
>>>>> # /etc/init.d/unbound restart
>>>>> Stopping Unbound DNS Proxy... [ OK ]
>>>>> Starting Unbound DNS Proxy... [ OK ]
>>>>> Ignoring broken upstream name server(s): 74.113.60.185 156.154.70.1 [ WARN ]
>>>>> Falling back to recursor mode [ WARN ]
>>>>
>>>> So, can you remind me what your provider does again? Is any access to other name servers forbidden? If so the updated script should have detected that and should not have activated the recursor mode.
>>>>
>>>> Could you manually execute the following commands from the console of IPFire for me?
>>>>
>>>> dig @198.41.0.4 +dnssec SOA .
>>>>
>>>> The dot at the end is important. What is the output of it?
>>>>
>>>> Best,
>>>> -Michael
>>>>
>>>>>
>>>>>
>>>>>
>>>>> Thank you,
>>>>> Paul
>>>
>>> # dig @198.41.0.4 +dnssec SOA .
>>>
>>> ; <<>> DiG 9.11.0-P3 <<>> @198.41.0.4 +dnssec SOA .
>>> ; (1 server found)
>>> ;; global options: +cmd
>>> ;; Got answer:
>>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 811
>>> ;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 14, ADDITIONAL: 27
>>> ;; WARNING: recursion requested but not available
>>>
>>> ;; OPT PSEUDOSECTION:
>>> ; EDNS: version: 0, flags: do; udp: 4096
>>> ;; QUESTION SECTION:
>>> ;. IN SOA
>>>
>>> ;; ANSWER SECTION:
>>> . 86400 IN SOA a.root-servers.net. nstld.verisign-grs.com. 2017030601 1800 900 604800 86400
>>> . 86400 IN RRSIG SOA 8 0 86400 20170319170000 20170306160000 61045 . X2xWv3z0ZmFxXkF9ybMgxMv6dcZ+SmnG3XHcNtAavuPNPLW3cVBwolDP lOU5/tfOaKwbu7HENFWysaekMpb6O7ycg+kryuCP7z6Q4WyG0O2160l1 DDG0UbBW5yidfcghq1r6sdz30RI5cSBGcAOmlktnPkjs9wv9/S/ZPyrC qMPJR9A60R52NcWEONS3DiyGxR66KA4S4grJnDgcI6pcytJGXm/b5WRO +v51tnLT0UVbgXvV03Itn/3MR72muzKXWzzj5LFJST5iqWCgAHJryG3T vNKEYLQ76nwl6B3YVJDjC1InmpIujwXBbxMKpyL1Sh0RLdlHq2TtZS8O qk4V0Q==
>>>
>>> ;; AUTHORITY SECTION:
>>> . 518400 IN NS e.root-servers.net.
>>> . 518400 IN NS h.root-servers.net.
>>> . 518400 IN NS l.root-servers.net.
>>> . 518400 IN NS i.root-servers.net.
>>> . 518400 IN NS a.root-servers.net.
>>> . 518400 IN NS d.root-servers.net.
>>> . 518400 IN NS c.root-servers.net.
>>> . 518400 IN NS b.root-servers.net.
>>> . 518400 IN NS j.root-servers.net.
>>> . 518400 IN NS k.root-servers.net.
>>> . 518400 IN NS g.root-servers.net.
>>> . 518400 IN NS m.root-servers.net.
>>> . 518400 IN NS f.root-servers.net.
>>> . 518400 IN RRSIG NS 8 0 518400 20170319170000 20170306160000 61045 . iQVPY67dNDj6w14dY1tDFgwRFqhEXVVLmY8q1woIX1eU7t1k/XaPi+tX 3+PDCFQlrQmWSWUtLPaA6pmrACB6EL2YvWzAiLVyocGCBpUpnbUCNAwm nD4SvBZb0ET2jWbSiAzo8iy+1+Hr84I8RXtbcrcpF5Y/J5Oataxt5z9o dHGQSKru0eYEbwfszq0L5L8KECk6skm7iQ0RAIspdTfjDsIwtvoAhEGV B8qjFQP5Bkcn38b35eWHneCmc3cgG0J+pK/eX/YHpqClcINGh3eavBlC 1KpUkDDMAwCvo+X/MhDE2Ol/VR00/M/YCzXbEv97IWenM1Xi4ArX9F1C xBc0gA==
>>>
>>> ;; ADDITIONAL SECTION:
>>> e.root-servers.net. 518400 IN A 192.203.230.10
>>> e.root-servers.net. 518400 IN AAAA 2001:500:a8::e
>>> h.root-servers.net. 518400 IN A 198.97.190.53
>>> h.root-servers.net. 518400 IN AAAA 2001:500:1::53
>>> l.root-servers.net. 518400 IN A 199.7.83.42
>>> l.root-servers.net. 518400 IN AAAA 2001:500:9f::42
>>> i.root-servers.net. 518400 IN A 192.36.148.17
>>> i.root-servers.net. 518400 IN AAAA 2001:7fe::53
>>> a.root-servers.net. 518400 IN A 198.41.0.4
>>> a.root-servers.net. 518400 IN AAAA 2001:503:ba3e::2:30
>>> d.root-servers.net. 518400 IN A 199.7.91.13
>>> d.root-servers.net. 518400 IN AAAA 2001:500:2d::d
>>> c.root-servers.net. 518400 IN A 192.33.4.12
>>> c.root-servers.net. 518400 IN AAAA 2001:500:2::c
>>> b.root-servers.net. 518400 IN A 192.228.79.201
>>> b.root-servers.net. 518400 IN AAAA 2001:500:84::b
>>> j.root-servers.net. 518400 IN A 192.58.128.30
>>> j.root-servers.net. 518400 IN AAAA 2001:503:c27::2:30
>>> k.root-servers.net. 518400 IN A 193.0.14.129
>>> k.root-servers.net. 518400 IN AAAA 2001:7fd::1
>>> g.root-servers.net. 518400 IN A 192.112.36.4
>>> g.root-servers.net. 518400 IN AAAA 2001:500:12::d0d
>>> m.root-servers.net. 518400 IN A 202.12.27.33
>>> m.root-servers.net. 518400 IN AAAA 2001:dc3::35
>>> f.root-servers.net. 518400 IN A 192.5.5.241
>>> f.root-servers.net. 518400 IN AAAA 2001:500:2f::f
>>>
>>> ;; Query time: 836 msec
>>> ;; SERVER: 198.41.0.4#53(198.41.0.4)
>>> ;; WHEN: Mon Mar 06 15:40:58 CST 2017
>>> ;; MSG SIZE rcvd: 1440
>>> #
>>>
>>> I suspect the ISP mangles DNS requests directed outside their net.
>>
>> Well, that command shouldn't have worked then.
>>
>> Could you give me an example for something that you cannot resolve?
>>
>> -Michael
>>
>>>
>>> Thank you,
>>> Paul
>>
>
> Ah, I see... so the problem is that we're not forwarding requests
> outside the local domain? Latest testing sequence follows:
>
> # /etc/init.d/unbound restart
> Stopping Unbound DNS Proxy... [ OK ]
> Starting Unbound DNS Proxy... [ OK ]
> Ignoring broken upstream name server(s): 74.113.60.185 156.154.70.1 [ WARN ]
> Falling back to recursor mode [ WARN ]
>
> # dig @198.41.0.4 +dnssec SOA .
>
> ; <<>> DiG 9.11.0-P3 <<>> @198.41.0.4 +dnssec SOA .
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23002
> ;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 14, ADDITIONAL: 27
> ;; WARNING: recursion requested but not available
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 1472
> ;; QUESTION SECTION:
> ;. IN SOA
>
> ;; ANSWER SECTION:
> . 86400 IN SOA a.root-servers.net. nstld.verisign-grs.com. 2017030601 1800 900 604800 86400
> . 86400 IN RRSIG SOA 8 0 86400 20170319170000 20170306160000 61045 . X2xWv3z0ZmFxXkF9ybMgxMv6dcZ+SmnG3XHcNtAavuPNPLW3cVBwolDP lOU5/tfOaKwbu7HENFWysaekMpb6O7ycg+kryuCP7z6Q4WyG0O2160l1 DDG0UbBW5yidfcghq1r6sdz30RI5cSBGcAOmlktnPkjs9wv9/S/ZPyrC qMPJR9A60R52NcWEONS3DiyGxR66KA4S4grJnDgcI6pcytJGXm/b5WRO +v51tnLT0UVbgXvV03Itn/3MR72muzKXWzzj5LFJST5iqWCgAHJryG3T vNKEYLQ76nwl6B3YVJDjC1InmpIujwXBbxMKpyL1Sh0RLdlHq2TtZS8O qk4V0Q==
>
> ;; AUTHORITY SECTION:
> . 518400 IN NS a.root-servers.net.
> . 518400 IN NS b.root-servers.net.
> . 518400 IN NS c.root-servers.net.
> . 518400 IN NS d.root-servers.net.
> . 518400 IN NS e.root-servers.net.
> . 518400 IN NS f.root-servers.net.
> . 518400 IN NS g.root-servers.net.
> . 518400 IN NS h.root-servers.net.
> . 518400 IN NS i.root-servers.net.
> . 518400 IN NS j.root-servers.net.
> . 518400 IN NS k.root-servers.net.
> . 518400 IN NS l.root-servers.net.
> . 518400 IN NS m.root-servers.net.
> . 518400 IN RRSIG NS 8 0 518400 20170319170000 20170306160000 61045 . iQVPY67dNDj6w14dY1tDFgwRFqhEXVVLmY8q1woIX1eU7t1k/XaPi+tX 3+PDCFQlrQmWSWUtLPaA6pmrACB6EL2YvWzAiLVyocGCBpUpnbUCNAwm nD4SvBZb0ET2jWbSiAzo8iy+1+Hr84I8RXtbcrcpF5Y/J5Oataxt5z9o dHGQSKru0eYEbwfszq0L5L8KECk6skm7iQ0RAIspdTfjDsIwtvoAhEGV B8qjFQP5Bkcn38b35eWHneCmc3cgG0J+pK/eX/YHpqClcINGh3eavBlC 1KpUkDDMAwCvo+X/MhDE2Ol/VR00/M/YCzXbEv97IWenM1Xi4ArX9F1C xBc0gA==
>
> ;; ADDITIONAL SECTION:
> a.root-servers.net. 518400 IN A 198.41.0.4
> b.root-servers.net. 518400 IN A 192.228.79.201
> c.root-servers.net. 518400 IN A 192.33.4.12
> d.root-servers.net. 518400 IN A 199.7.91.13
> e.root-servers.net. 518400 IN A 192.203.230.10
> f.root-servers.net. 518400 IN A 192.5.5.241
> g.root-servers.net. 518400 IN A 192.112.36.4
> h.root-servers.net. 518400 IN A 198.97.190.53
> i.root-servers.net. 518400 IN A 192.36.148.17
> j.root-servers.net. 518400 IN A 192.58.128.30
> k.root-servers.net. 518400 IN A 193.0.14.129
> l.root-servers.net. 518400 IN A 199.7.83.42
> m.root-servers.net. 518400 IN A 202.12.27.33
> a.root-servers.net. 518400 IN AAAA 2001:503:ba3e::2:30
> b.root-servers.net. 518400 IN AAAA 2001:500:84::b
> c.root-servers.net. 518400 IN AAAA 2001:500:2::c
> d.root-servers.net. 518400 IN AAAA 2001:500:2d::d
> e.root-servers.net. 518400 IN AAAA 2001:500:a8::e
> f.root-servers.net. 518400 IN AAAA 2001:500:2f::f
> g.root-servers.net. 518400 IN AAAA 2001:500:12::d0d
> h.root-servers.net. 518400 IN AAAA 2001:500:1::53
> i.root-servers.net. 518400 IN AAAA 2001:7fe::53
> j.root-servers.net. 518400 IN AAAA 2001:503:c27::2:30
> k.root-servers.net. 518400 IN AAAA 2001:7fd::1
> l.root-servers.net. 518400 IN AAAA 2001:500:9f::42
> m.root-servers.net. 518400 IN AAAA 2001:dc3::35
>
> ;; Query time: 797 msec
> ;; SERVER: 198.41.0.4#53(198.41.0.4)
> ;; WHEN: Mon Mar 06 17:03:12 CST 2017
> ;; MSG SIZE rcvd: 1440
>
> # host www.google.com
> Host www.google.com not found: 2(SERVFAIL)
>
> # host www.ipfire.org
> ;; connection timed out; no servers could be reached
>
>
> # nslookup www.google.com
> Server: 127.0.0.1
> Address: 127.0.0.1#53
>
> ** server can't find www.google.com: SERVFAIL
>
> # nslookup www.ipfire.org 8.8.8.8
> Server: 8.8.8.8
> Address: 8.8.8.8#53
>
> Non-authoritative answer:
> www.ipfire.org canonical name = web01.ipfire.org.
> Name: web01.ipfire.org
> Address: 81.3.27.41
>
>
> Thanks,
> Paul
>
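The root-server check Michael asks Paul to run (`dig @198.41.0.4 +dnssec SOA .`) is what decides whether recursor mode is usable at all. The parser and decision below are an added example written for this thread, not code from IPFire's unbound init script; the sample outputs are constructed from the dig sessions quoted above, and the mode names "recursor" and "forward" are this example's own.

```python
import re

# Constructed sample, modelled on the dig output quoted in this thread
# (records shortened; the RRSIG data is truncated on purpose).
ROOT_OK = """\
; <<>> DiG 9.11.0-P3 <<>> @198.41.0.4 +dnssec SOA .
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23002
;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 14, ADDITIONAL: 27
;; WARNING: recursion requested but not available
; EDNS: version: 0, flags: do; udp: 1472
;; ANSWER SECTION:
.\t86400\tIN\tSOA\ta.root-servers.net. nstld.verisign-grs.com. 2017030601 1800 900 604800 86400
.\t86400\tIN\tRRSIG\tSOA 8 0 86400 20170319170000 20170306160000 61045 . X2xWv3z0...
;; MSG SIZE  rcvd: 1440
"""
# Constructed sample of a root server that cannot be reached at all.
ROOT_TIMEOUT = ";; connection timed out; no servers could be reached\n"


def parse_dig(output):
    """Extract the fields the recursor check depends on from dig's text output."""
    info = {"reached": True, "status": None, "flags": set(), "do": False,
            "udp": None, "rrsig_soa": False, "msg_size": None}
    if "no servers could be reached" in output:
        info["reached"] = False
        return info
    m = re.search(r"status: (\w+)", output)
    if m:
        info["status"] = m.group(1)
    m = re.search(r"^;; flags: ([a-z ]*);", output, re.M)
    if m:
        info["flags"] = set(m.group(1).split())
    m = re.search(r"EDNS: .*flags: ([a-z ]*); udp: (\d+)", output)
    if m:
        info["do"] = "do" in m.group(1).split()
        info["udp"] = int(m.group(2))
    # An RRSIG covering the SOA shows the root answer arrived signed.
    info["rrsig_soa"] = re.search(r"^\S+\s+\d+\s+IN\s+RRSIG\s+SOA\b", output, re.M) is not None
    m = re.search(r"MSG SIZE\s+rcvd: (\d+)", output)
    if m:
        info["msg_size"] = int(m.group(1))
    return info


def choose_mode(output):
    """Recursor mode is only usable when a root server answered authoritatively
    with a signed SOA; otherwise fall back to forwarding (mode names are ours)."""
    d = parse_dig(output)
    ok = (d["reached"] and d["status"] == "NOERROR" and "aa" in d["flags"]
          and d["do"] and d["rrsig_soa"])
    return "recursor" if ok else "forward"


if __name__ == "__main__":
    for name, sample in (("root ok", ROOT_OK), ("root timeout", ROOT_TIMEOUT)):
        print(f"{name}: {choose_mode(sample)}")
```

Paul's output passes this check, which is why the script kept recursor mode even though ordinary lookups still returned SERVFAIL; the check tells you the root is reachable, not that every delegation below it is.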