On Tue, 2017-03-07 at 12:06 +0000, Michael Tremer wrote:
No, it is supposed to resolve everything.
For that it only needs to be able to contact the root name servers
and practically all others on the internet. That seems to fail here.
What does unbound log?
On 6 Mar 2017, at 11:29 pm, Paul Simmons <redneckmother@hughes.net> wrote:
On Mon, 2017-03-06 at 22:37 +0000, Michael Tremer wrote:
Hi,
On Mon, 2017-03-06 at 15:47 -0600, Paul Simmons wrote:
On Mon, 2017-03-06 at 21:00 +0000, Michael Tremer wrote:
Hi,
On Mon, 2017-03-06 at 12:18 -0600, Paul Simmons wrote:
On Sun, 2017-03-05 at 11:42 +0000, Michael Tremer wrote:
Hi,
can you confirm if unbound is running?
What is the output of /etc/init.d/unbound restart?
-Michael
----<% snip %>----
I have nightly commit c016773b9816ad9be4ffc8643c30457e87c094e3 available locally, and will beg my users for downtime to test.
Thank you, and best regards,
Paul
Bad juju - build c016773b couldn't resolve any hosts (other than those in "localdomain").
Provider is "hughes.net" and is the only ISP available (no hardlines or other LOS/NLOS WISPs available).
Tried assigning DNS servers 74.113.60.185 and 156.154.70.1 - no change.
Paul
Sorry for the lllooonnnggg delay - had to get a testing time window.
Unbound was indeed running - verified with "/etc/init.d/unbound status"
Command and output from "restart":
# /etc/init.d/unbound restart
Stopping Unbound DNS Proxy... [ OK ]
Starting Unbound DNS Proxy... [ OK ]
Ignoring broken upstream name server(s): 74.113.60.185 156.154.70.1 [ WARN ]
Falling back to recursor mode [ WARN ]
So, can you remind me what your provider does again? Is any access to other name servers forbidden? If so the updated script should have detected that and should not have activated the recursor mode.
Could you manually execute the following commands from the console of IPFire for me?
dig @198.41.0.4 +dnssec SOA .
The dot at the end is important. What is the output of it?
Best,
-Michael
Thank you,
Paul
# dig @198.41.0.4 +dnssec SOA .
; <<>> DiG 9.11.0-P3 <<>> @198.41.0.4 +dnssec SOA .
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 811
;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 14, ADDITIONAL: 27
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;. IN SOA
;; ANSWER SECTION:
. 86400 IN SOA a.root-servers.net. nstld.verisign-grs.com. 2017030601 1800 900 604800 86400
. 86400 IN RRSIG SOA 8 0 86400 20170319170000 20170306160000 61045 .
X2xWv3z0ZmFxXkF9ybMgxMv6dcZ+SmnG3XHcNtAavuPNPLW3cVBwolDP
lOU5/tfOaKwbu7HENFWysaekMpb6O7ycg+kryuCP7z6Q4WyG0O2160l1
DDG0UbBW5yidfcghq1r6sdz30RI5cSBGcAOmlktnPkjs9wv9/S/ZPyrC
qMPJR9A60R52NcWEONS3DiyGxR66KA4S4grJnDgcI6pcytJGXm/b5WRO
+v51tnLT0UVbgXvV03Itn/3MR72muzKXWzzj5LFJST5iqWCgAHJryG3T
vNKEYLQ76nwl6B3YVJDjC1InmpIujwXBbxMKpyL1Sh0RLdlHq2TtZS8O
qk4V0Q==
;; AUTHORITY SECTION:
. 518400 IN NS e.root-servers.net.
. 518400 IN NS h.root-servers.net.
. 518400 IN NS l.root-servers.net.
. 518400 IN NS i.root-servers.net.
. 518400 IN NS a.root-servers.net.
. 518400 IN NS d.root-servers.net.
. 518400 IN NS c.root-servers.net.
. 518400 IN NS b.root-servers.net.
. 518400 IN NS j.root-servers.net.
. 518400 IN NS k.root-servers.net.
. 518400 IN NS g.root-servers.net.
. 518400 IN NS m.root-servers.net.
. 518400 IN NS f.root-servers.net.
. 518400 IN RRSIG NS 8 0 518400 20170319170000 20170306160000 61045 .
iQVPY67dNDj6w14dY1tDFgwRFqhEXVVLmY8q1woIX1eU7t1k/XaPi+tX
3+PDCFQlrQmWSWUtLPaA6pmrACB6EL2YvWzAiLVyocGCBpUpnbUCNAwm
nD4SvBZb0ET2jWbSiAzo8iy+1+Hr84I8RXtbcrcpF5Y/J5Oataxt5z9o
dHGQSKru0eYEbwfszq0L5L8KECk6skm7iQ0RAIspdTfjDsIwtvoAhEGV
B8qjFQP5Bkcn38b35eWHneCmc3cgG0J+pK/eX/YHpqClcINGh3eavBlC
1KpUkDDMAwCvo+X/MhDE2Ol/VR00/M/YCzXbEv97IWenM1Xi4ArX9F1C
xBc0gA==
;; ADDITIONAL SECTION:
e.root-servers.net. 518400 IN A 192.203.230.10
e.root-servers.net. 518400 IN AAAA 2001:500:a8::e
h.root-servers.net. 518400 IN A 198.97.190.53
h.root-servers.net. 518400 IN AAAA 2001:500:1::53
l.root-servers.net. 518400 IN A 199.7.83.42
l.root-servers.net. 518400 IN AAAA 2001:500:9f::42
i.root-servers.net. 518400 IN A 192.36.148.17
i.root-servers.net. 518400 IN AAAA 2001:7fe::53
a.root-servers.net. 518400 IN A 198.41.0.4
a.root-servers.net. 518400 IN AAAA 2001:503:ba3e::2:30
d.root-servers.net. 518400 IN A 199.7.91.13
d.root-servers.net. 518400 IN AAAA 2001:500:2d::d
c.root-servers.net. 518400 IN A 192.33.4.12
c.root-servers.net. 518400 IN AAAA 2001:500:2::c
b.root-servers.net. 518400 IN A 192.228.79.201
b.root-servers.net. 518400 IN AAAA 2001:500:84::b
j.root-servers.net. 518400 IN A 192.58.128.30
j.root-servers.net. 518400 IN AAAA 2001:503:c27::2:30
k.root-servers.net. 518400 IN A 193.0.14.129
k.root-servers.net. 518400 IN AAAA 2001:7fd::1
g.root-servers.net. 518400 IN A 192.112.36.4
g.root-servers.net. 518400 IN AAAA 2001:500:12::d0d
m.root-servers.net. 518400 IN A 202.12.27.33
m.root-servers.net. 518400 IN AAAA 2001:dc3::35
f.root-servers.net. 518400 IN A 192.5.5.241
f.root-servers.net. 518400 IN AAAA 2001:500:2f::f
;; Query time: 836 msec
;; SERVER: 198.41.0.4#53(198.41.0.4)
;; WHEN: Mon Mar 06 15:40:58 CST 2017
;; MSG SIZE rcvd: 1440
#
I suspect the ISP mangles DNS requests directed outside their net.
Well, that command shouldn't have worked then.
Could you give me an example for something that you cannot resolve?
-Michael
Thank you,
Paul
Ah, I see... so the problem is that we're not forwarding requests
outside the local domain? Latest testing sequence follows:
# /etc/init.d/unbound restart
Stopping Unbound DNS Proxy... [ OK ]
Starting Unbound DNS Proxy... [ OK ]
Ignoring broken upstream name server(s): 74.113.60.185 156.154.70.1 [ WARN ]
Falling back to recursor mode [ WARN ]
# dig @198.41.0.4 +dnssec SOA .
; <<>> DiG 9.11.0-P3 <<>> @198.41.0.4 +dnssec SOA .
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23002
;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 14, ADDITIONAL: 27
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1472
;; QUESTION SECTION:
;. IN SOA
;; ANSWER SECTION:
. 86400 IN SOA a.root-servers.net. nstld.verisign-grs.com. 2017030601 1800 900 604800 86400
. 86400 IN RRSIG SOA 8 0 86400 20170319170000 20170306160000 61045 .
X2xWv3z0ZmFxXkF9ybMgxMv6dcZ+SmnG3XHcNtAavuPNPLW3cVBwolDP
lOU5/tfOaKwbu7HENFWysaekMpb6O7ycg+kryuCP7z6Q4WyG0O2160l1
DDG0UbBW5yidfcghq1r6sdz30RI5cSBGcAOmlktnPkjs9wv9/S/ZPyrC
qMPJR9A60R52NcWEONS3DiyGxR66KA4S4grJnDgcI6pcytJGXm/b5WRO
+v51tnLT0UVbgXvV03Itn/3MR72muzKXWzzj5LFJST5iqWCgAHJryG3T
vNKEYLQ76nwl6B3YVJDjC1InmpIujwXBbxMKpyL1Sh0RLdlHq2TtZS8O qk4V0Q==
;; AUTHORITY SECTION:
. 518400 IN NS a.root-servers.net.
. 518400 IN NS b.root-servers.net.
. 518400 IN NS c.root-servers.net.
. 518400 IN NS d.root-servers.net.
. 518400 IN NS e.root-servers.net.
. 518400 IN NS f.root-servers.net.
. 518400 IN NS g.root-servers.net.
. 518400 IN NS h.root-servers.net.
. 518400 IN NS i.root-servers.net.
. 518400 IN NS j.root-servers.net.
. 518400 IN NS k.root-servers.net.
. 518400 IN NS l.root-servers.net.
. 518400 IN NS m.root-servers.net.
. 518400 IN RRSIG NS 8 0 518400 20170319170000 20170306160000 61045 .
iQVPY67dNDj6w14dY1tDFgwRFqhEXVVLmY8q1woIX1eU7t1k/XaPi+tX
3+PDCFQlrQmWSWUtLPaA6pmrACB6EL2YvWzAiLVyocGCBpUpnbUCNAwm
nD4SvBZb0ET2jWbSiAzo8iy+1+Hr84I8RXtbcrcpF5Y/J5Oataxt5z9o
dHGQSKru0eYEbwfszq0L5L8KECk6skm7iQ0RAIspdTfjDsIwtvoAhEGV
B8qjFQP5Bkcn38b35eWHneCmc3cgG0J+pK/eX/YHpqClcINGh3eavBlC
1KpUkDDMAwCvo+X/MhDE2Ol/VR00/M/YCzXbEv97IWenM1Xi4ArX9F1C xBc0gA==
;; ADDITIONAL SECTION:
a.root-servers.net. 518400 IN A 198.41.0.4
b.root-servers.net. 518400 IN A 192.228.79.201
c.root-servers.net. 518400 IN A 192.33.4.12
d.root-servers.net. 518400 IN A 199.7.91.13
e.root-servers.net. 518400 IN A 192.203.230.10
f.root-servers.net. 518400 IN A 192.5.5.241
g.root-servers.net. 518400 IN A 192.112.36.4
h.root-servers.net. 518400 IN A 198.97.190.53
i.root-servers.net. 518400 IN A 192.36.148.17
j.root-servers.net. 518400 IN A 192.58.128.30
k.root-servers.net. 518400 IN A 193.0.14.129
l.root-servers.net. 518400 IN A 199.7.83.42
m.root-servers.net. 518400 IN A 202.12.27.33
a.root-servers.net. 518400 IN AAAA 2001:503:ba3e::2:30
b.root-servers.net. 518400 IN AAAA 2001:500:84::b
c.root-servers.net. 518400 IN AAAA 2001:500:2::c
d.root-servers.net. 518400 IN AAAA 2001:500:2d::d
e.root-servers.net. 518400 IN AAAA 2001:500:a8::e
f.root-servers.net. 518400 IN AAAA 2001:500:2f::f
g.root-servers.net. 518400 IN AAAA 2001:500:12::d0d
h.root-servers.net. 518400 IN AAAA 2001:500:1::53
i.root-servers.net. 518400 IN AAAA 2001:7fe::53
j.root-servers.net. 518400 IN AAAA 2001:503:c27::2:30
k.root-servers.net. 518400 IN AAAA 2001:7fd::1
l.root-servers.net. 518400 IN AAAA 2001:500:9f::42
m.root-servers.net. 518400 IN AAAA 2001:dc3::35
;; Query time: 797 msec
;; SERVER: 198.41.0.4#53(198.41.0.4)
;; WHEN: Mon Mar 06 17:03:12 CST 2017
;; MSG SIZE rcvd: 1440
# host www.google.com
Host www.google.com not found: 2(SERVFAIL)
# host www.ipfire.org
;; connection timed out; no servers could be reached
# nslookup www.google.com
Server: 127.0.0.1
Address: 127.0.0.1#53
** server can't find www.google.com: SERVFAIL
# nslookup www.ipfire.org 8.8.8.8
Server: 8.8.8.8
Address: 8.8.8.8#53
Non-authoritative answer:
www.ipfire.org canonical name = web01.ipfire.org.
Name: web01.ipfire.org
Address: 81.3.27.41
Thanks,
Paul
Log from unbound (via web interface):
IPFire diagnostics
Section: unbound
Date: March 07, 2017
09:53:05 unbound: [3485:0] info: validation failure ns02.fedoraproject.org. AAAA IN
09:53:05 unbound: [3485:0] info: validation failure ns05.fedoraproject.org. AAAA IN
09:53:05 unbound: [3485:0] info: validation failure fedoraproject.org. AAAA IN
09:52:36 unbound: [3485:1] info: validation failure fedoraproject.org.localdomain. AAAA IN
09:52:29 unbound: [3485:0] info: failed to prime trust anchor -- could not fetch DNSKEY rrset . DNSKEY IN
09:52:19 unbound: [3485:0] info: failed to prime trust anchor -- could not fetch DNSKEY rrset . DNSKEY IN
09:51:29 unbound: [3485:0] info: start of service (unbound 1.6.1).
09:51:29 unbound: [3485:0] notice: init module 1: iterator
09:51:29 unbound: [3485:0] notice: init module 0: validator
09:51:27 unbound: [1406:0] info: 4.000000 8.000000 1
09:51:27 unbound: [1406:0] info: 2.000000 4.000000 1
09:51:27 unbound: [1406:0] info: 0.524288 1.000000 2
09:51:27 unbound: [1406:0] info: 0.262144 0.524288 5
09:51:27 unbound: [1406:0] info: 0.131072 0.262144 1
09:51:27 unbound: [1406:0] info: 0.016384 0.032768 1
09:51:27 unbound: [1406:0] info: 0.008192 0.016384 1
09:51:27 unbound: [1406:0] info: 0.000000 0.000001 7
09:51:27 unbound: [1406:0] info: lower(secs) upper(secs) recursions
09:51:27 unbound: [1406:0] info: [25%]=6.78571e-07 median[50%]=0.196608 [75%]=0.484966
09:51:27 unbound: [1406:0] info: histogram of recursion processing times
09:51:27 unbound: [1406:0] info: average recursion processing time 0.581705 sec
09:51:27 unbound: [1406:0] info: server stats for thread 1: requestlist max 3 avg 0.526316 exceeded 0 jostled 0
09:51:27 unbound: [1406:0] info: server stats for thread 1: 45 queries, 26 answers from cache, 19 recursions, 0 prefetch, 0 rejected by ip ratelimiting
09:51:27 unbound: [1406:0] info: 32.000000 64.000000 6
09:51:27 unbound: [1406:0] info: 16.000000 32.000000 6
09:51:27 unbound: [1406:0] info: 8.000000 16.000000 11
09:51:27 unbound: [1406:0] info: 4.000000 8.000000 5
09:51:27 unbound: [1406:0] info: 2.000000 4.000000 2
09:51:27 unbound: [1406:0] info: 1.000000 2.000000 2
09:51:27 unbound: [1406:0] info: 0.262144 0.524288 4
09:51:27 unbound: [1406:0] info: 0.131072 0.262144 1
09:51:27 unbound: [1406:0] info: 0.000000 0.000001 2
09:51:27 unbound: [1406:0] info: lower(secs) upper(secs) recursions
09:51:27 unbound: [1406:0] info: [25%]=2.75 median[50%]=10.5455 [75%]=22
09:51:27 unbound: [1406:0] info: histogram of recursion processing times
09:51:27 unbound: [1406:0] info: average recursion processing time 15.696339 sec
09:51:27 unbound: [1406:0] info: server stats for thread 0: requestlist max 68 avg 23.925 exceeded 0 jostled 0
09:51:27 unbound: [1406:0] info: server stats for thread 0: 67 queries, 28 answers from cache, 39 recursions, 1 prefetch, 0 rejected by ip ratelimiting
09:51:27 unbound: [1406:0] info: service stopped (unbound 1.6.1).
09:50:18 unbound: [1406:0] info: validation failure b.gtld-servers.net. AAAA IN
09:50:18 unbound: [1406:0] info: validation failure a.gtld-servers.net. AAAA IN
09:50:17 unbound: [1406:0] info: validation failure a.root-servers.net. AAAA IN
09:50:17 unbound: [1406:0] info: validation failure m.root-servers.net. AAAA IN
09:50:17 unbound: [1406:0] info: validation failure c.root-servers.net. AAAA IN
09:50:17 unbound: [1406:0] info: validation failure b.root-servers.net. AAAA IN
09:50:17 unbound: [1406:0] info: validation failure l.root-servers.net. AAAA IN
09:50:17 unbound: [1406:0] info: validation failure k.root-servers.net. AAAA IN
09:50:17 unbound: [1406:0] info: validation failure j.root-servers.net. AAAA IN
09:50:17 unbound: [1406:0] info: validation failure i.root-servers.net. AAAA IN
09:50:17 unbound: [1406:0] info: validation failure h.root-servers.net. AAAA IN
09:50:17 unbound: [1406:0] info: validation failure g.root-servers.net. AAAA IN
09:50:17 unbound: [1406:0] info: validation failure f.root-servers.net. AAAA IN
09:50:17 unbound: [1406:0] info: validation failure e.root-servers.net. AAAA IN
09:50:17 unbound: [1406:0] info: validation failure d.root-servers.net. AAAA IN
09:49:55 unbound: [1406:0] info: validation failure ns02.fedoraproject.org. AAAA IN
09:49:55 unbound: [1406:0] info: validation failure ns05.fedoraproject.org. AAAA IN
09:49:51 unbound: [1406:0] info: validation failure fedoraproject.org. AAAA IN
09:49:48 unbound: [1406:0] info: validation failure fireinfo.ipfire.org. AAAA IN
09:49:46 unbound: [1406:0] info: validation failure ns1.lightningwirelabs.com. AAAA IN
09:49:46 unbound: [1406:0] info: validation failure ns3.lightningwirelabs.com. AAAA IN
09:49:46 unbound: [1406:0] info: validation failure ns2.lightningwirelabs.com. AAAA IN
09:49:42 unbound: [1406:1] info: validation failure fedoraproject.org. AAAA IN
09:49:18 unbound: [1406:0] info: validation failure fedoraproject.org.localdomain. AAAA IN
09:49:18 unbound: [1406:0] info: validation failure fireinfo.ipfire.org.localdomain. AAAA IN
09:48:21 unbound: [1406:0] info: start of service (unbound 1.6.1).
09:48:21 unbound: [1406:0] notice: init module 1: iterator
09:48:21 unbound: [1406:0] notice: init module 0: validator
Thank you,
Paul
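
A way to triage a log like the one in the message above, added here as an example and not part of the original thread: it groups unbound lines by process ID and flags any run in which the trust anchor could not be primed. The `triage` helper and its verdict strings are hypothetical names, and the sample lines are constructed in the shape of the quoted log.

```python
import re

# Constructed sample: lines in the shape of the unbound log quoted in the
# thread (newest first, as the IPFire web interface lists them).
SAMPLE_LOG = """\
09:53:05 unbound: [3485:0] info: validation failure fedoraproject.org. AAAA IN
09:52:36 unbound: [3485:1] info: validation failure fedoraproject.org.localdomain. AAAA IN
09:52:29 unbound: [3485:0] info: failed to prime trust anchor -- could not fetch DNSKEY rrset . DNSKEY IN
09:52:19 unbound: [3485:0] info: failed to prime trust anchor -- could not fetch DNSKEY rrset . DNSKEY IN
09:51:29 unbound: [3485:0] info: start of service (unbound 1.6.1).
09:51:27 unbound: [1406:0] info: service stopped (unbound 1.6.1).
09:50:17 unbound: [1406:0] info: validation failure a.root-servers.net. AAAA IN
09:49:48 unbound: [1406:0] info: validation failure fireinfo.ipfire.org. AAAA IN
09:48:21 unbound: [1406:0] info: start of service (unbound 1.6.1).
"""

LINE = re.compile(r"^(\d\d:\d\d:\d\d) unbound: \[(\d+):\d+\] \w+: (.*)$")
PRIME_FAIL = re.compile(r"^failed to prime trust anchor -- could not fetch DNSKEY rrset (\S+) ")
VAL_FAIL = re.compile(r"^validation failure (\S+) (\S+) IN")

def triage(log_text):
    """Group log lines by unbound PID and classify each run (hypothetical helper)."""
    runs = {}
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # not an unbound log line
        pid, msg = int(m.group(2)), m.group(3)
        run = runs.setdefault(pid, {"prime_failures": 0, "anchors": set(), "failed": set()})
        if (p := PRIME_FAIL.match(msg)):
            run["prime_failures"] += 1
            run["anchors"].add(p.group(1))
        elif (v := VAL_FAIL.match(msg)):
            run["failed"].add((v.group(1), v.group(2)))
    for run in runs.values():
        if run["prime_failures"]:
            # Without the anchor zone's DNSKEY set nothing below it can validate,
            # so the per-name failures in this run share one cause.
            run["verdict"] = "trust-anchor-not-primed"
        elif run["failed"]:
            run["verdict"] = "validation-failures-only"
        else:
            run["verdict"] = "clean"
    return runs

if __name__ == "__main__":
    for pid, run in triage(SAMPLE_LOG).items():
        print(pid, run["verdict"], run["prime_failures"], sorted(run["failed"]))
```

A run flagged `trust-anchor-not-primed` points at the path to the anchor zone's DNSKEY record set, which is what the log says could not be fetched, rather than at the individual names listed as validation failures.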