Cannot resolve *.freebsd.org but everything else

Hello,

I am running local_unbound and I can not resolve any of *.freebsd.org. (all other domains resolved)

In my /etc/resolv.conf I have:
Code:
# nameserver 1.1.1.3
# nameserver 1.0.0.3

nameserver 127.0.0.1
options edns0

and in /var/unbound/forward.conf:
Code:
# This file was generated by local-unbound-setup.
# Modifications will be overwritten.
forward-zone:
        name: .
        forward-addr: 1.1.1.3
        forward-addr: 1.0.0.3

The outcome of drill @1.1.1.3 pkg.freebsd.org is:
Code:
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 21742
;; flags: qr rd ra ; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;; pkg.freebsd.org.     IN      A

;; ANSWER SECTION:
pkg.freebsd.org.        300     IN      CNAME   pkgmir.geo.freebsd.org.
pkgmir.geo.freebsd.org. 150     IN      A       139.178.72.201

;; AUTHORITY SECTION:

;; ADDITIONAL SECTION:

;; Query time: 403 msec
;; SERVER: 1.1.1.3
;; WHEN: Mon Jul 25 15:28:30 2022
;; MSG SIZE  rcvd: 74

I also have a script /etc/dhclient-enter-hooks:
Code:
add_new_resolv_conf() {
                      return 0
}

Many thanks in advance.
 
Server: gns1.freebsd.org
Address: 96.47.72.24

Name: pkgmir.geo.freebsd.org
Address: 139.178.72.201
You get the right resolve of pkgmir.geo.freebsd.org so the DNS is working. Do you have a connection to it? Let's say by ping?
 
This is my forward.conf for local_unbound,
Code:
forward-zone:
    name: "."
    # Opendns
    forward-addr:  2620:119:35::35
    forward-addr:  2620:119:53::53
    #Cloudflare
    forward-addr:  2606:4700:4700::1111
    forward-addr:  2606:4700:4700::1001
    #
 
what is the output of:
netstat -an4 | grep 53
drill @127.0.0.1 pkg.freebsd.org.
netstat -an4 | grep 53:
Code:
tcp4       0      0 127.0.0.1.53           *.*                    LISTEN    
tcp4       0      0 192.168.8.101.25653    64.233.167.109.993     ESTABLISHED
udp4       0      0 192.168.8.101.61388    1.1.1.3.53            
udp4       0      0 127.0.0.1.53           *.*
drill @127.0.0.1 pkg.freebsd.org:
Code:
Error: error sending query: Could not send or receive, because of network error
 
The above error means that you are not allowed to connect at port 53 to your localhost 127.0.0.1. Usually because of a firewall.
 
The above error means that you are not allowed to connect at port 53 to your localhost 127.0.0.1. Usually because of a firewall.
Why would that only affect *.freebsd.org domains? I can ping and browse any other domain I've tried.
 
The output of
Code:
netstat -r
In order to verify there is no routing problem.
Code:
Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
default            192.168.8.1        UGS         re0
localhost          link#2             UH          lo0
192.168.8.0/24     link#1             U           re0
192.168.8.101      link#1             UHS         lo0

Internet6:
Destination        Gateway            Flags     Netif Expire
::/96              localhost          UGRS        lo0
localhost          link#2             UHS         lo0
::ffff:0.0.0.0/96  localhost          UGRS        lo0
fe80::/10          localhost          UGRS        lo0
fe80::%lo0/64      link#2             U           lo0
fe80::1%lo0        link#2             UHS         lo0
ff02::/16          localhost          UGRS        lo0
 
Try to query the localhost and check if unbound is working.

service local_unbound restart
drill @127.0.0.1 localhost

this should return localhost. 127.0.0.1

Also you can check if you can ping 127.0.0.1 and connect using telnet 127.0.0.1 53. If there's a firewall, or you are running this inside a jail, you need to allow the lo0 interface.
 
Try to query the localhost and check if unbound is working.

service local_unbound restart
drill @127.0.0.1 localhost

this should return localhost. 127.0.0.1
It does:
Code:
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 7381
;; flags: qr aa rd ra ; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0 
;; QUESTION SECTION:
;; localhost.   IN      A

;; ANSWER SECTION:
localhost.      10800   IN      A       127.0.0.1

;; AUTHORITY SECTION:

;; ADDITIONAL SECTION:

;; Query time: 0 msec
;; SERVER: 127.0.0.1
;; WHEN: Mon Jul 25 16:18:25 2022
;; MSG SIZE  rcvd: 43
 
Try to flush the cache of unbound unbound-control(8)

local-unbound-control flush pkg.freebsd.org
local-unbound-control flush freebsd.org


Then try to lookup the dns using
local-unbound-control lookup pkg.freebsd.org
 
Also, run tcpdump(1) and see if there are DNS requests going out. Unbound has to be able to forward queries to external hosts. Maybe something isn't going out, or being blocked further upstream. If you can see requests going out but not getting any responses then you know you need to look further upstream for the issue.
 
Try to flush the cache of unbound unbound-control(8)

local-unbound-control flush pkg.freebsd.org
local-unbound-control flush freebsd.org


Then try to lookup the dns using
local-unbound-control lookup pkg.freebsd.org
Did the flushing first.
local-unbound-control lookup pkg.freebsd.org returns:
Code:
The following name servers are used for lookup of pkg.freebsd.org.
forwarding request:
Delegation with 0 names, of which 0 can be examined to query further addresses.
It provides 2 IP addresses.
1.1.1.3                 rto 792 msec, ttl 894, ping 64 var 83 rtt 396, tA 0, tAAAA 0, tother 1, EDNS 0 probed.
1.0.0.3                 rto 540 msec, ttl 895, ping 6 var 66 rtt 270, tA 0, tAAAA 0, tother 1, EDNS 0 probed.
 
Also, run tcpdump(1) and see if there are DNS requests going out. Unbound has to be able to forward queries to external hosts. Maybe something isn't going out, or being blocked further upstream. If you can see requests going out but not getting any responses then you know you need to look further upstream for the issue.
I ran drill @127.0.0.1 pkg.freebsd.org while tcpdump was running.
This is the output. Any hint would be greatly appreciated.
Code:
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on re0, link-type EN10MB (Ethernet), capture size 262144 bytes
17:03:30.174359 IP 192.168.8.101.47322 > 1.0.0.3.domain: 31443+% [1au] DNSKEY? freebsd.org. (40)
17:03:30.175372 IP 192.168.8.101.11850 > 1.0.0.3.domain: 56998+ [1au] PTR? 101.8.168.192.in-addr.arpa. (55)
17:03:30.228284 IP 1.0.0.3.domain > 192.168.8.101.11850: 56998 NXDomain 0/0/1 (55)
17:03:30.228805 IP 192.168.8.101.23114 > 1.0.0.3.domain: 55664+ [1au] PTR? 3.0.0.1.in-addr.arpa. (49)
17:03:30.265702 IP 1.0.0.3.domain > 192.168.8.101.23114: 55664 NXDomain 0/1/1 (114)
17:03:30.265871 IP 192.168.8.101.29475 > 1.0.0.3.domain: 43856+% [1au] DS? 0.1.in-addr.arpa. (45)
17:03:30.349091 IP 1.0.0.3.domain > 192.168.8.101.29475: 43856 0/4/1 (432)
17:03:30.349685 IP 192.168.8.101.43817 > 1.0.0.3.domain: 41389+% [1au] DS? 0.0.1.in-addr.arpa. (47)
17:03:30.794045 IP 1.0.0.3.domain > 192.168.8.101.43817: 41389 0/4/1 (437)
17:03:31.973389 IP 192.168.8.101.36702 > 1.0.0.3.domain: 60089+% [1au] DNSKEY? freebsd.org. (40)
17:03:32.777350 IP 192.168.8.101.50005 > 1.0.0.3.domain: 26612+% [1au] DNSKEY? freebsd.org. (40)
17:03:33.573409 IP 192.168.8.101.50416 > 1.0.0.3.domain: 25587+% [1au] DNSKEY? freebsd.org. (40)
17:03:35.152364 IP 192.168.8.101.61135 > 1.0.0.3.domain: 41219+% [1au] DNSKEY? freebsd.org. (40)
17:03:35.232985 ARP, Request who-has 192.168.8.101 tell 192.168.8.1, length 46
17:03:35.233025 ARP, Reply 192.168.8.101 is-at 3c:2c:30:d9:ee:bc (oui Unknown), length 28
17:03:35.233394 IP 192.168.8.101.41490 > 1.1.1.3.domain: 55963+ [1au] PTR? 1.8.168.192.in-addr.arpa. (53)
17:03:35.265778 IP 1.1.1.3.domain > 192.168.8.101.41490: 55963 NXDomain 0/0/1 (53)
17:03:36.741387 IP 192.168.8.101.9759 > 1.1.1.3.domain: 50876+% [1au] DNSKEY? freebsd.org. (40)
17:03:36.910427 IP 192.168.8.101.28269 > 1.1.1.3.domain: 36336+% [1au] DNSKEY? freebsd.org. (40)
17:03:37.090052 IP 192.168.8.101.4527 > 1.1.1.3.domain: 16880+% [1au] DNSKEY? freebsd.org. (40)
17:03:37.445351 IP 192.168.8.101.28670 > 1.1.1.3.domain: 24075+% [1au] DNSKEY? freebsd.org. (40)
17:03:37.790809 IP 192.168.8.101.47304 > 1.0.0.3.domain: 21006+% [1au] DNSKEY? freebsd.org. (40)
17:03:40.947354 IP 192.168.8.101.27634 > 1.0.0.3.domain: 1206+% [1au] DNSKEY? freebsd.org. (40)
17:03:44.133477 IP 192.168.8.101.38231 > 1.1.1.3.domain: 34340+% [1au] DNSKEY? freebsd.org. (40)
17:03:44.848491 IP 192.168.8.101.61678 > 1.1.1.3.domain: 53891+% [1au] DNSKEY? freebsd.org. (40)
17:03:45.563512 IP 192.168.8.101.22603 > 1.1.1.3.domain: 28053+% [1au] DNSKEY? freebsd.org. (40)
17:03:46.992507 IP 192.168.8.101.11557 > 1.1.1.3.domain: 23180+% [1au] DNSKEY? freebsd.org. (40)
17:03:48.421526 IP 192.168.8.101.46228 > 1.1.1.3.domain: 862+% [1au] DNSKEY? freebsd.org. (40)
17:03:51.179030 IP 192.168.8.101.51086 > 1.1.1.3.domain: 41168+% [1au] DNSKEY? freebsd.org. (40)
17:03:54.017557 IP 192.168.8.101.27975 > 1.1.1.3.domain: 7384+% [1au] DNSKEY? freebsd.org. (40)

Strangely enough, I can also not browse to www.freebsd.org in my browser.
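
Added example, not part of any post in this thread: one way to read a capture like the one above is to pair each outgoing DNS query with its response by client port and query ID, then count what was never answered, per forwarder. The function and variable names are hypothetical; the sample lines are an excerpt of the tcpdump output posted above.

```python
import re
from collections import Counter

# Default tcpdump DNS line: "<time> IP <src>.<port> > <dst>.<port>: <id><flags> ..."
LINE = re.compile(r"^\S+ IP (?P<src>\S+) > (?P<dst>\S+): (?P<id>\d+)(?P<rest>.*)$")
QUERY = re.compile(r"(?P<qtype>[A-Z0-9]+)\? (?P<qname>\S+)")
DNS_PORTS = {"domain", "53"}  # tcpdump prints "domain" unless run with -n

# Excerpt of the capture posted in the thread (not constructed data).
SAMPLE = """\
17:03:30.174359 IP 192.168.8.101.47322 > 1.0.0.3.domain: 31443+% [1au] DNSKEY? freebsd.org. (40)
17:03:30.175372 IP 192.168.8.101.11850 > 1.0.0.3.domain: 56998+ [1au] PTR? 101.8.168.192.in-addr.arpa. (55)
17:03:30.228284 IP 1.0.0.3.domain > 192.168.8.101.11850: 56998 NXDomain 0/0/1 (55)
17:03:30.265871 IP 192.168.8.101.29475 > 1.0.0.3.domain: 43856+% [1au] DS? 0.1.in-addr.arpa. (45)
17:03:30.349091 IP 1.0.0.3.domain > 192.168.8.101.29475: 43856 0/4/1 (432)
17:03:31.973389 IP 192.168.8.101.36702 > 1.0.0.3.domain: 60089+% [1au] DNSKEY? freebsd.org. (40)
17:03:35.232985 ARP, Request who-has 192.168.8.101 tell 192.168.8.1, length 46
17:03:36.741387 IP 192.168.8.101.9759 > 1.1.1.3.domain: 50876+% [1au] DNSKEY? freebsd.org. (40)
"""

def split_endpoint(endpoint):
    """Split tcpdump's 'host.port' notation into (host, port)."""
    host, _, port = endpoint.rpartition(".")
    return host, port

def unanswered(capture):
    """Count queries with no matching response, keyed by (server, qtype, qname)."""
    pending = {}
    for line in capture.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # ARP and other non-IP lines
        src_host, src_port = split_endpoint(m["src"])
        dst_host, dst_port = split_endpoint(m["dst"])
        if dst_port in DNS_PORTS:  # outgoing query
            q = QUERY.search(m["rest"])
            if q:
                key = (src_host, src_port, dst_host, m["id"])
                pending[key] = (dst_host, q["qtype"], q["qname"])
        elif src_port in DNS_PORTS:  # response: same ID, back to the same client port
            pending.pop((dst_host, dst_port, src_host, m["id"]), None)
    return Counter(pending.values())

if __name__ == "__main__":
    for (server, qtype, qname), n in sorted(unanswered(SAMPLE).items()):
        print(f"{n} unanswered {qtype}? {qname} via {server}")
```

On this excerpt the PTR and DS queries are paired with replies, while every DNSKEY query for freebsd.org stays unanswered on both forwarders.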
 
Does everything work without using local_unbound ?
I.e. put just a DNS 8.8.8.8 in resolv.conf

Can you post your,
control.conf
forward.conf
lan-zones.conf
unbound.conf
To see if there is something strange ?
 