Solved DNS Quad9 problem still

Hi!

I am using the lines below in ipfw.rules for DNS. The first one (91. ...) works, but Quad9 does not, and the firewall is blocking TCP in on port 853 from Quad9.
What am I doing wrong? Should I allow from port 853 to me?

Thank you.

Code:
# DNS over TLS (port 853) to the upstream resolvers. keep-state records the
# outbound flow so check-state passes the replies back in; no inbound 853 rule needed.
$cmd 01250 allow udp from any to 91.239.100.100 853 out via $pif keep-state
$cmd 01260 allow tcp from any to 91.239.100.100 853 out via $pif setup keep-state
# Quad9 primary
$cmd 01265 allow udp from any to 9.9.9.9 853 out via $pif keep-state
$cmd 01270 allow tcp from any to 9.9.9.9 853 out via $pif setup keep-state
# Quad9 secondary (149.112.112.112): same address for the udp and tcp rule
$cmd 01275 allow udp from any to 149.112.112.112 853 out via $pif keep-state
$cmd 01280 allow tcp from any to 149.112.112.112 853 out via $pif setup keep-state
 
I am old...
In unbound.conf I must have both lines:
Code:
root-hints: /usr/local/etc/unbound/root.hints
auto-trust-anchor-file: "/usr/local/etc/unbound/root.key"
and I didn't have the first one. Now Quad9 works with my ipfw.rules and with the default workstation too.
I am sorry for disturbing you.
 
That was one solution to your firewall problem.

After you posted, I experimented with trying to duplicate your problem, and found a second solution.

I did not need to specify a root.hints file if I put the following lines in my unbound.conf file

Code:
forward-zone:
        name: "."
        forward-tls-upstream: yes
        forward-addr: 9.9.9.9@853
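Added example (not code from this thread or from either poster): a small POSIX sh script that derives both the ipfw DNS-over-TLS rules from the first post and the unbound forward-zone from this one out of a single upstream list, so the udp/tcp pair for each resolver cannot drift apart, and lints the rules for a missing keep-state or a tcp rule without setup. It also appends the TLS auth name (#dns.quad9.net) to each forward-addr and sets tls-cert-bundle, so unbound verifies the upstream certificate; the bare 9.9.9.9@853 form encrypts the session but does not authenticate the server. The rule numbers, the $pif variable and the ca_root_nss bundle path are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): one upstream list drives both the ipfw
# rules and the unbound forward-zone, so they cannot disagree.
# Format: "<ip> <TLS auth name>" per line (Quad9's public addresses and name).
DOT_UPSTREAMS="9.9.9.9 dns.quad9.net
149.112.112.112 dns.quad9.net"

# Assumed CA bundle location on FreeBSD (security/ca_root_nss port).
CA_BUNDLE="/usr/local/share/certs/ca-root-nss.crt"

# ipfw_dot_rules START IFACE: emit a udp and a tcp rule per upstream, numbered
# from START in steps of 5. keep-state records the outbound flow so the
# check-state rule passes the replies back in; no inbound 853 rule is needed.
ipfw_dot_rules() {
    n="$1"; pif="$2"
    printf '%s\n' "$DOT_UPSTREAMS" | while read -r ip rest; do
        printf '$cmd %05d allow udp from any to %s 853 out via %s keep-state\n' "$n" "$ip" "$pif"
        n=$((n + 5))
        printf '$cmd %05d allow tcp from any to %s 853 out via %s setup keep-state\n' "$n" "$ip" "$pif"
        n=$((n + 5))
    done
}

# lint_dot_rules: read rules on stdin; return 1 on a port-853 rule without
# keep-state or a tcp rule without setup (catches typos like "keeo-state").
lint_dot_rules() {
    status=0
    while read -r line; do
        case "$line" in *" 853 "*) ;; *) continue ;; esac
        case "$line" in *keep-state*) ;; *) echo "missing keep-state: $line"; status=1 ;; esac
        case "$line" in
            *" tcp "*) case "$line" in *setup*) ;; *) echo "tcp without setup: $line"; status=1 ;; esac ;;
        esac
    done
    return $status
}

# unbound_dot_forward_zone: forward-zone with certificate verification.
# ip@853#name makes unbound check the server certificate against name using
# tls-cert-bundle; a plain ip@853 encrypts but does not authenticate.
unbound_dot_forward_zone() {
    printf 'server:\n    tls-cert-bundle: "%s"\n\nforward-zone:\n    name: "."\n    forward-tls-upstream: yes\n' "$CA_BUNDLE"
    printf '%s\n' "$DOT_UPSTREAMS" | while read -r ip name; do
        printf '    forward-addr: %s@853#%s\n' "$ip" "$name"
    done
}

# Stand-alone run: print the rules, lint them, then print the unbound fragment.
rules=$(ipfw_dot_rules 1250 '$pif')
printf '%s\n' "$rules"
printf '%s\n' "$rules" | lint_dot_rules
unbound_dot_forward_zone
```

Paste the rule lines into ipfw.rules and the unbound fragment into unbound.conf; the lint can also be run over an existing ipfw.rules with `grep ' 853 ' /etc/ipfw.rules | lint_dot_rules` (after sourcing the script's functions) to catch a hand-typed mismatch.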
 
I had the same before and it didn't work, and I still have it.
P.S.
I gave up. After I answered you, Quad9 stopped working again. No problems with the others. Maybe some other settings don't work with Quad9.
 
If you do use the "root.hints" at all,
it should be a good idea to add an ipfw rule allowing each of the 13 root servers defined within it.
 
Do you use any firewall?
Thank you.
 
yes.

For a few years, I used a DIY PC FreeBSD gateway/router for my home internet LAN. I used ipfw. I ran my own local DNS server, first using BIND9, then near the end switching to unbound. That machine is in storage now.

I was faced with the choice of either using the root.hints and having a rule to allow each root server of the 13, or else not using the root hints and just having one rule for my chosen forwarder.

But trying to use the root.hints without allowing those root servers caused my local DNS server to have problems.

Right now, I just have a laptop to use. I have a FreeBSD install on an external drive; it uses a much simpler ipfw and unbound on the same machine.
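Added example (not code from this thread or from either poster), for the "one rule per root server" approach raised in the two posts above: a POSIX sh script that reads a root.hints file in the standard named.root format, picks out the A records, and emits a stateful udp and tcp port-53 rule pair for each root server, so the 13 pairs come from the file rather than being typed by hand. The hints embedded here are a constructed two-server sample on TEST-NET addresses, not the real root server IPs; the rule numbers and $pif are assumptions. These rules cover only the root servers themselves: a recursor that is not forwarding also queries TLD and zone authoritative servers, which this rule set does not allow.

```shell
#!/bin/sh
# Added example (not from the thread): derive ipfw rules for the root servers
# from a root.hints file. The hints below are a constructed two-server sample in
# the real file's format (TEST-NET addresses, not the actual root server IPs);
# feed /usr/local/etc/unbound/root.hints on stdin for real use.
ROOT_HINTS_SAMPLE='; constructed sample in named.root format
.                        3600000      NS    A.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET.      3600000      A     198.51.100.4
A.ROOT-SERVERS.NET.      3600000      AAAA  2001:db8::4
.                        3600000      NS    B.ROOT-SERVERS.NET.
B.ROOT-SERVERS.NET.      3600000      A     198.51.100.201
B.ROOT-SERVERS.NET.      3600000      AAAA  2001:db8::201'

# root_hint_ipv4: print the address of every A record in a hints file read on
# stdin, skipping ";" comment lines and blank lines (AAAA records are left out
# because the thread's rules are IPv4 only).
root_hint_ipv4() {
    awk '/^[[:space:]]*;/ || NF == 0 { next } $3 == "A" { print $4 }'
}

# root_hint_rules START IFACE [STEP]: one stateful udp and one tcp rule (port 53)
# per root server address, numbered from START in steps of STEP (default 5).
# keep-state lets the replies back in through check-state without an inbound rule.
root_hint_rules() {
    n="$1"; pif="$2"; step="${3:-5}"
    root_hint_ipv4 | while read -r ip; do
        printf '$cmd %05d allow udp from any to %s 53 out via %s keep-state\n' "$n" "$ip" "$pif"
        n=$((n + step))
        printf '$cmd %05d allow tcp from any to %s 53 out via %s setup keep-state\n' "$n" "$ip" "$pif"
        n=$((n + step))
    done
}

# Stand-alone run: rules for the constructed sample.
printf '%s\n' "$ROOT_HINTS_SAMPLE" | root_hint_rules 1300 '$pif'
```

To use it against the real file: `root_hint_rules 1300 '$pif' < /usr/local/etc/unbound/root.hints >> /etc/ipfw.rules` after sourcing the functions; regenerate whenever root.hints is refreshed, since the root server addresses do change occasionally.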
 
I have ipfw.rules and I am using the default ipfw workstation, and the problem with Quad9 is the same.
 
Normally I do not use Quad9 DNS for an upstream forwarder. I was just using it now to try to duplicate your problem. And sometimes the unbound I am running cannot connect to it. Maybe sometimes they get too busy?

I usually use Cloudflare's 1.0.0.1 and 1.1.1.1
 
Looks like Quad9 is solved with:
Code:
firewall_enable="YES"
firewall_type="workstation"
firewall_myservices="853/tcp 853/udp"
firewall_allowservices="any"
# firewall_script="/etc/ipfw.rules"
firewall_quiet="YES"
firewall_logdeny="YES"
firewall_logging="YES"

It works now.
 