From mboxrd@z Thu Jan 1 00:00:00 1970
From: Michael Tremer
To: development@lists.ipfire.org
Subject: Re: [PATCH] DNS: Fall back to permissive mode if recursor mode is unavailable
Date: Tue, 07 Mar 2017 12:06:24 +0000
In-Reply-To: <1488842995.26357.2.camel@hughes.net>

No, it is supposed to resolve everything. For that it only needs to be able to contact the root name servers and practically all others on the internet. That seems to fail here.

What does unbound log?

> On 6 Mar 2017, at 11:29 pm, Paul Simmons wrote:
>
>> On Mon, 2017-03-06 at 22:37 +0000, Michael Tremer wrote:
>> Hi,
>>
>>> On Mon, 2017-03-06 at 15:47 -0600, Paul Simmons wrote:
>>>> On Mon, 2017-03-06 at 21:00 +0000, Michael Tremer wrote:
>>>>
>>>> Hi,
>>>>
>>>>> On Mon, 2017-03-06 at 12:18 -0600, Paul Simmons wrote:
>>>>>
>>>>>> On Sun, 2017-03-05 at 11:42 +0000, Michael Tremer wrote:
>>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> can you confirm if unbound is running?
>>>>>>
>>>>>> What is the output of /etc/init.d/unbound restart?
>>>>>>
>>>>>> -Michael
>>>>>>
>>>>>>>>> ----<% snip %>----
>>>>>>>>
>>>>>>>> I have nightly commit c016773b9816ad9be4ffc8643c30457e87c094e3
>>>>>>>> available locally, and will beg my users for downtime to test.
>>>>>>>>
>>>>>>>> Thank you, and best regards,
>>>>>>>> Paul
>>>>>>>
>>>>>>> Bad juju - build c016773b couldn't resolve any hosts (other than
>>>>>>> those in "localdomain").
>>>>>>>
>>>>>>> Provider is "hughes.net" and is the only ISP available (no hardlines
>>>>>>> or other LOS/NLOS WISPs available).
>>>>>>>
>>>>>>> Tried assigning DNS servers 74.113.60.185 and 156.154.70.1 - no
>>>>>>> change.
>>>>>>>
>>>>>>> Paul
>>>>>
>>>>> Sorry for the lllooonnnggg delay - had to get a testing time window.
>>>>>
>>>>> Unbound was indeed running - verified with "/etc/init.d/unbound status"
>>>>>
>>>>> Command and output from "restart":
>>>>>
>>>>> # /etc/init.d/unbound restart
>>>>> Stopping Unbound DNS Proxy...                                   [  OK  ]
>>>>> Starting Unbound DNS Proxy...                                   [  OK  ]
>>>>> Ignoring broken upstream name server(s): 74.113.60.185 156.154.70.1  [ WARN ]
>>>>> Falling back to recursor mode                                   [ WARN ]
>>>>
>>>> So, can you remind me what your provider does again? Is any access to
>>>> other name servers forbidden? If so the updated script should have
>>>> detected that and should not have activated the recursor mode.
>>>>
>>>> Could you manually execute the following commands from the console of
>>>> IPFire for me?
>>>>
>>>> dig @198.41.0.4 +dnssec SOA .
>>>>
>>>> The dot at the end is important. What is the output of it?
>>>>
>>>> Best,
>>>> -Michael
>>>>
>>>>> Thank you,
>>>>> Paul
>>>
>>> # dig @198.41.0.4 +dnssec SOA .
>>>
>>> ; <<>> DiG 9.11.0-P3 <<>> @198.41.0.4 +dnssec SOA .
>>> ; (1 server found)
>>> ;; global options: +cmd
>>> ;; Got answer:
>>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 811
>>> ;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 14, ADDITIONAL: 27
>>> ;; WARNING: recursion requested but not available
>>>
>>> ;; OPT PSEUDOSECTION:
>>> ; EDNS: version: 0, flags: do; udp: 4096
>>> ;; QUESTION SECTION:
>>> ;.                     IN      SOA
>>>
>>> ;; ANSWER SECTION:
>>> .              86400   IN      SOA     a.root-servers.net. nstld.verisign-grs.com. 2017030601 1800 900 604800 86400
>>> .              86400   IN      RRSIG   SOA 8 0 86400 20170319170000 20170306160000 61045 .
>>>     X2xWv3z0ZmFxXkF9ybMgxMv6dcZ+SmnG3XHcNtAavuPNPLW3cVBwolDP
>>>     lOU5/tfOaKwbu7HENFWysaekMpb6O7ycg+kryuCP7z6Q4WyG0O2160l1
>>>     DDG0UbBW5yidfcghq1r6sdz30RI5cSBGcAOmlktnPkjs9wv9/S/ZPyrC
>>>     qMPJR9A60R52NcWEONS3DiyGxR66KA4S4grJnDgcI6pcytJGXm/b5WRO
>>>     +v51tnLT0UVbgXvV03Itn/3MR72muzKXWzzj5LFJST5iqWCgAHJryG3T
>>>     vNKEYLQ76nwl6B3YVJDjC1InmpIujwXBbxMKpyL1Sh0RLdlHq2TtZS8O qk4V0Q==
>>>
>>> ;; AUTHORITY SECTION:
>>> .              518400  IN      NS      e.root-servers.net.
>>> .              518400  IN      NS      h.root-servers.net.
>>> .              518400  IN      NS      l.root-servers.net.
>>> .              518400  IN      NS      i.root-servers.net.
>>> .              518400  IN      NS      a.root-servers.net.
>>> .              518400  IN      NS      d.root-servers.net.
>>> .              518400  IN      NS      c.root-servers.net.
>>> .              518400  IN      NS      b.root-servers.net.
>>> .              518400  IN      NS      j.root-servers.net.
>>> .              518400  IN      NS      k.root-servers.net.
>>> .              518400  IN      NS      g.root-servers.net.
>>> .              518400  IN      NS      m.root-servers.net.
>>> .              518400  IN      NS      f.root-servers.net.
>>> .              518400  IN      RRSIG   NS 8 0 518400 20170319170000 20170306160000 61045 .
>>>     iQVPY67dNDj6w14dY1tDFgwRFqhEXVVLmY8q1woIX1eU7t1k/XaPi+tX
>>>     3+PDCFQlrQmWSWUtLPaA6pmrACB6EL2YvWzAiLVyocGCBpUpnbUCNAwm
>>>     nD4SvBZb0ET2jWbSiAzo8iy+1+Hr84I8RXtbcrcpF5Y/J5Oataxt5z9o
>>>     dHGQSKru0eYEbwfszq0L5L8KECk6skm7iQ0RAIspdTfjDsIwtvoAhEGV
>>>     B8qjFQP5Bkcn38b35eWHneCmc3cgG0J+pK/eX/YHpqClcINGh3eavBlC
>>>     1KpUkDDMAwCvo+X/MhDE2Ol/VR00/M/YCzXbEv97IWenM1Xi4ArX9F1C xBc0gA==
>>>
>>> ;; ADDITIONAL SECTION:
>>> e.root-servers.net.    518400  IN      A       192.203.230.10
>>> e.root-servers.net.    518400  IN      AAAA    2001:500:a8::e
>>> h.root-servers.net.    518400  IN      A       198.97.190.53
>>> h.root-servers.net.    518400  IN      AAAA    2001:500:1::53
>>> l.root-servers.net.    518400  IN      A       199.7.83.42
>>> l.root-servers.net.    518400  IN      AAAA    2001:500:9f::42
>>> i.root-servers.net.    518400  IN      A       192.36.148.17
>>> i.root-servers.net.    518400  IN      AAAA    2001:7fe::53
>>> a.root-servers.net.    518400  IN      A       198.41.0.4
>>> a.root-servers.net.    518400  IN      AAAA    2001:503:ba3e::2:30
>>> d.root-servers.net.    518400  IN      A       199.7.91.13
>>> d.root-servers.net.    518400  IN      AAAA    2001:500:2d::d
>>> c.root-servers.net.    518400  IN      A       192.33.4.12
>>> c.root-servers.net.    518400  IN      AAAA    2001:500:2::c
>>> b.root-servers.net.    518400  IN      A       192.228.79.201
>>> b.root-servers.net.    518400  IN      AAAA    2001:500:84::b
>>> j.root-servers.net.    518400  IN      A       192.58.128.30
>>> j.root-servers.net.    518400  IN      AAAA    2001:503:c27::2:30
>>> k.root-servers.net.    518400  IN      A       193.0.14.129
>>> k.root-servers.net.    518400  IN      AAAA    2001:7fd::1
>>> g.root-servers.net.    518400  IN      A       192.112.36.4
>>> g.root-servers.net.    518400  IN      AAAA    2001:500:12::d0d
>>> m.root-servers.net.    518400  IN      A       202.12.27.33
>>> m.root-servers.net.    518400  IN      AAAA    2001:dc3::35
>>> f.root-servers.net.    518400  IN      A       192.5.5.241
>>> f.root-servers.net.    518400  IN      AAAA    2001:500:2f::f
>>>
>>> ;; Query time: 836 msec
>>> ;; SERVER: 198.41.0.4#53(198.41.0.4)
>>> ;; WHEN: Mon Mar 06 15:40:58 CST 2017
>>> ;; MSG SIZE  rcvd: 1440
>>> #
>>>
>>> I suspect the ISP mangles DNS requests directed outside their net.
>>
>> Well, that command shouldn't have worked then.
>>
>> Could you give me an example for something that you cannot resolve?
>>
>> -Michael
>>
>>> Thank you,
>>> Paul
>
> Ah, I see... so the problem is that we're not forwarding requests
> outside the local domain? Latest testing sequence follows:
>
> # /etc/init.d/unbound restart
> Stopping Unbound DNS Proxy...                                   [  OK  ]
> Starting Unbound DNS Proxy...                                   [  OK  ]
> Ignoring broken upstream name server(s): 74.113.60.185 156.154.70.1  [ WARN ]
> Falling back to recursor mode                                   [ WARN ]
>
> # dig @198.41.0.4 +dnssec SOA .
>
> ; <<>> DiG 9.11.0-P3 <<>> @198.41.0.4 +dnssec SOA .
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23002
> ;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 14, ADDITIONAL: 27
> ;; WARNING: recursion requested but not available
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 1472
> ;; QUESTION SECTION:
> ;.                     IN      SOA
>
> ;; ANSWER SECTION:
> .              86400   IN      SOA     a.root-servers.net. nstld.verisign-grs.com. 2017030601 1800 900 604800 86400
> .              86400   IN      RRSIG   SOA 8 0 86400 20170319170000 20170306160000 61045 .
>     X2xWv3z0ZmFxXkF9ybMgxMv6dcZ+SmnG3XHcNtAavuPNPLW3cVBwolDP
>     lOU5/tfOaKwbu7HENFWysaekMpb6O7ycg+kryuCP7z6Q4WyG0O2160l1
>     DDG0UbBW5yidfcghq1r6sdz30RI5cSBGcAOmlktnPkjs9wv9/S/ZPyrC
>     qMPJR9A60R52NcWEONS3DiyGxR66KA4S4grJnDgcI6pcytJGXm/b5WRO
>     +v51tnLT0UVbgXvV03Itn/3MR72muzKXWzzj5LFJST5iqWCgAHJryG3T
>     vNKEYLQ76nwl6B3YVJDjC1InmpIujwXBbxMKpyL1Sh0RLdlHq2TtZS8O qk4V0Q==
>
> ;; AUTHORITY SECTION:
> .              518400  IN      NS      a.root-servers.net.
> .              518400  IN      NS      b.root-servers.net.
> .              518400  IN      NS      c.root-servers.net.
> .              518400  IN      NS      d.root-servers.net.
> .              518400  IN      NS      e.root-servers.net.
> .              518400  IN      NS      f.root-servers.net.
> .              518400  IN      NS      g.root-servers.net.
> .              518400  IN      NS      h.root-servers.net.
> .              518400  IN      NS      i.root-servers.net.
> .              518400  IN      NS      j.root-servers.net.
> .              518400  IN      NS      k.root-servers.net.
> .              518400  IN      NS      l.root-servers.net.
> .              518400  IN      NS      m.root-servers.net.
> .              518400  IN      RRSIG   NS 8 0 518400 20170319170000 20170306160000 61045 .
>     iQVPY67dNDj6w14dY1tDFgwRFqhEXVVLmY8q1woIX1eU7t1k/XaPi+tX
>     3+PDCFQlrQmWSWUtLPaA6pmrACB6EL2YvWzAiLVyocGCBpUpnbUCNAwm
>     nD4SvBZb0ET2jWbSiAzo8iy+1+Hr84I8RXtbcrcpF5Y/J5Oataxt5z9o
>     dHGQSKru0eYEbwfszq0L5L8KECk6skm7iQ0RAIspdTfjDsIwtvoAhEGV
>     B8qjFQP5Bkcn38b35eWHneCmc3cgG0J+pK/eX/YHpqClcINGh3eavBlC
>     1KpUkDDMAwCvo+X/MhDE2Ol/VR00/M/YCzXbEv97IWenM1Xi4ArX9F1C xBc0gA==
>
> ;; ADDITIONAL SECTION:
> a.root-servers.net.    518400  IN      A       198.41.0.4
> b.root-servers.net.    518400  IN      A       192.228.79.201
> c.root-servers.net.    518400  IN      A       192.33.4.12
> d.root-servers.net.    518400  IN      A       199.7.91.13
> e.root-servers.net.    518400  IN      A       192.203.230.10
> f.root-servers.net.    518400  IN      A       192.5.5.241
> g.root-servers.net.    518400  IN      A       192.112.36.4
> h.root-servers.net.    518400  IN      A       198.97.190.53
> i.root-servers.net.    518400  IN      A       192.36.148.17
> j.root-servers.net.    518400  IN      A       192.58.128.30
> k.root-servers.net.    518400  IN      A       193.0.14.129
> l.root-servers.net.    518400  IN      A       199.7.83.42
> m.root-servers.net.    518400  IN      A       202.12.27.33
> a.root-servers.net.    518400  IN      AAAA    2001:503:ba3e::2:30
> b.root-servers.net.    518400  IN      AAAA    2001:500:84::b
> c.root-servers.net.    518400  IN      AAAA    2001:500:2::c
> d.root-servers.net.    518400  IN      AAAA    2001:500:2d::d
> e.root-servers.net.    518400  IN      AAAA    2001:500:a8::e
> f.root-servers.net.    518400  IN      AAAA    2001:500:2f::f
> g.root-servers.net.    518400  IN      AAAA    2001:500:12::d0d
> h.root-servers.net.    518400  IN      AAAA    2001:500:1::53
> i.root-servers.net.    518400  IN      AAAA    2001:7fe::53
> j.root-servers.net.    518400  IN      AAAA    2001:503:c27::2:30
> k.root-servers.net.    518400  IN      AAAA    2001:7fd::1
> l.root-servers.net.    518400  IN      AAAA    2001:500:9f::42
> m.root-servers.net.    518400  IN      AAAA    2001:dc3::35
>
> ;; Query time: 797 msec
> ;; SERVER: 198.41.0.4#53(198.41.0.4)
> ;; WHEN: Mon Mar 06 17:03:12 CST 2017
> ;; MSG SIZE  rcvd: 1440
>
> # host www.google.com
> Host www.google.com not found: 2(SERVFAIL)
>
> # host www.ipfire.org
> ;; connection timed out; no servers could be reached
>
> # nslookup www.google.com
> Server:         127.0.0.1
> Address:        127.0.0.1#53
>
> ** server can't find www.google.com: SERVFAIL
>
> # nslookup www.ipfire.org 8.8.8.8
> Server:         8.8.8.8
> Address:        8.8.8.8#53
>
> Non-authoritative answer:
> www.ipfire.org  canonical name = web01.ipfire.org.
> Name:   web01.ipfire.org
> Address: 81.3.27.41
>
> Thanks,
> Paul
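As an added example (not IPFire's init script and not code from this thread), a POSIX shell sketch of the probe sequence the thread runs by hand: it classifies dig's answer to the root SOA query and chooses the resolver mode in the order the init output and the patch subject describe (working forwarder, else reachable root, else permissive). The forwarder addresses, the root address 198.41.0.4 and the sample answer come from the thread; the result words and the mode selection logic are assumptions of this sketch, not IPFire's.

```shell
# Added example, not IPFire's own script: model of the probe sequence in this
# thread. The result words (ok/stripped/timeout/fail) and the mode order
# (forward -> recursor -> permissive) are this sketch's assumptions.

# classify_dig: read dig output on stdin and print one word:
#   ok       NOERROR with RRSIG records present (DNSSEC data came through)
#   stripped NOERROR but no RRSIG (something on the path removed DNSSEC data)
#   timeout  dig could not reach the server
#   fail     any other rcode (SERVFAIL, REFUSED, ...)
classify_dig() {
  out=$(cat)
  case "$out" in *"no servers could be reached"*) echo timeout; return 0;; esac
  case "$out" in *"status: NOERROR"*) ;; *) echo fail; return 0;; esac
  case "$out" in *RRSIG*) echo ok;; *) echo stripped;; esac
}

# probe_server ADDR: the query Michael asked for, sent to one server.
probe_server() {
  dig @"$1" +dnssec +time=3 +tries=1 SOA . 2>&1 | classify_dig
}

# first_working ADDR...: "ok" if any forwarder answers cleanly, else "fail"
# (where the init script prints "Ignoring broken upstream name server(s)").
first_working() {
  for srv in "$@"; do
    [ "$(probe_server "$srv")" = ok ] && { echo ok; return 0; }
  done
  echo fail
}

# choose_mode UPSTREAM ROOT: forward, recursor or permissive.
choose_mode() {
  if [ "$1" = ok ]; then echo forward
  elif [ "$2" = ok ]; then echo recursor
  else echo permissive; fi
}

# Constructed sample, trimmed from the root-server answer quoted in the thread
# (signature shortened), so the classifier can be exercised offline.
SAMPLE_ROOT=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 811
;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 14, ADDITIONAL: 27
. 86400 IN SOA a.root-servers.net. nstld.verisign-grs.com. 2017030601 1800 900 604800 86400
. 86400 IN RRSIG SOA 8 0 86400 20170319170000 20170306160000 61045 . X2xWv3z0...'

# Live run against the servers from the thread when DNS_PROBE_LIVE=1.
if [ "${DNS_PROBE_LIVE:-0}" = 1 ]; then
  up=$(first_working 74.113.60.185 156.154.70.1); root=$(probe_server 198.41.0.4)
  echo "upstream=$up root=$root mode=$(choose_mode "$up" "$root")"
else
  echo "sample root answer: $(printf '%s\n' "$SAMPLE_ROOT" | classify_dig)"
fi
```

With the reporter's results (forwarders broken, root answering with RRSIGs, local unbound returning SERVFAIL) the sketch would select recursor mode, which is exactly the mode the thread shows failing, so the next step is the one Michael asks for: read unbound's own log.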