Cannot resolve *.freebsd.org but everything else

Without local_unbound everything works. With local_unbound all domains I've tested work, besides *.freebsd.org

Code:
# cat /var/unbound/control.conf 
# This file was generated by local-unbound-setup.
# Modifications will be overwritten.
remote-control:
        control-enable: yes
        control-interface: /var/run/local_unbound.ctl
        control-use-cert: no

# cat /var/unbound/lan-zones.conf 
# This file was generated by local-unbound-setup.
# Modifications will be overwritten.
server:
        # Unblock reverse lookups for LAN addresses
        unblock-lan-zones: yes
        insecure-lan-zones: yes

# cat /var/unbound/unbound.conf 
# This file was generated by local-unbound-setup.
# Modifications will be overwritten.
server:
        username: unbound
        directory: /var/unbound
        chroot: /var/unbound
        pidfile: /var/run/local_unbound.pid
        auto-trust-anchor-file: /var/unbound/root.key

include: /var/unbound/forward.conf
include: /var/unbound/lan-zones.conf
include: /var/unbound/control.conf
include: /var/unbound/conf.d/*.conf

# cat /var/unbound/forward.conf
# This file was generated by local-unbound-setup.
# Modifications will be overwritten.
forward-zone:
        name: .
        forward-addr: 1.1.1.3
        forward-addr: 1.0.0.3
 
Ok, we can see requests going out, and some requests getting an answer. But the DNSKEY request for freebsd.org gets forwarded but there's never any response.
Is there anything concrete I should be looking further into?
 
I use a Raspberry Pi 400 without a hardware clock. I had troubles connecting to freebsd.org because time was incorrect. I had to run ntpd to be able to connect.
 
Have you tried updating that root key?
Code:
auto-trust-anchor-file: /var/unbound/root.key
 
Is that file owned by the unbound user? Just remove that file and restart /etc/rc.d/local_unbound, if I read the script correctly it should create a new one if it's missing.
 
Yes, it's owned by the unbound user. I recreated it as suggested, but this did not help either :/
 
I've tried that already once. Did not help.

Even though I did not understand how changing from Cloudflare to Google could solve this. (And if you are referring to the syntax, "." rather than . - I've tried that too, even though those files are generated by unbound itself.)
 
Please check if you have anything such as
Code:
local-zone: "www.eivamos.com" static
local-zone: "clk.cloudyisland.com" static
local-zone: "sdk.iappgame.com" static
...
in your *.conf files. Of course with the non-working domains instead of the three examples above. This is a method to block DNS requests. Maybe the FreeBSD domain has been added by accident or for testing purposes. Good luck!
 
I've checked that. Nothing like that there. I even deleted all of /var/unbound/* and let unbound recreate the config files. All this did not help.
 
Is there DNS service on your router at 192.168.8.1?
According to my knowledge, every router has a DNS service. /etc/resolv.conf points, if unbound is not running, to my router.

Please keep in mind, other domains resolve fine. Just not *.freebsd.org
 
According to your tcpdump you didn't get any response from 1.0.0.3 or 1.1.1.3.
Try drill -TD @1.1.1.3 freebsd.org.
and also drill -TD @192.168.8.1 freebsd.org.

Did you get the DNSKEY record?
 
Both commands just idle after this message is displayed: ;;Number of trusted keys: 1
 
I suspect that UDP/53 is blocked on your router. Can you try with a regular query over TCP:
drill -t @1.1.1.3 freebsd.org.
drill -t @1.1.1.3 google.com.
drill -t @192.168.8.1 freebsd.org.
 
The first two commands resolved.
The third did not (idle).
 
So you don't have a DNS forwarder on your router at 192.168.8.1, and you do get a DNS response over TCP.
Just to double-check, try again with a UDP query, and if you don't get a response then look for the problem in your router/firewall at 192.168.8.1:
drill -u @1.1.1.3 google.com.
This will ask the DNS server 1.1.1.3 on UDP/53, and if your router is blocking UDP/53 then it will time out.

Edit:
Another possible reason is the firewall blocking Don't Fragment packets when the UDP packets exceed the MTU size. More info here:
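To see why UDP can look "blocked" for one zone only, here is an offline model of the two tests above. It is an added example from the editor, not code from the thread: it builds a DNS query in wire format (with and without an EDNS0 OPT record), runs it through a simulated router that silently drops UDP answers larger than 512 bytes, and shows the difference between a truncated (TC) answer, which a resolver retries over TCP immediately, and a dropped datagram, which it can only wait out (the "idle" drill). The server answer, the router behaviour and the DNSKEY bytes are all constructed.

```python
"""Offline model of a middlebox dropping large UDP DNS answers.
Added example, not from the thread; server, router and key data are constructed."""
import random
import struct

TYPE_DNSKEY = 48
TYPE_OPT = 41
CLASS_IN = 1
FLAG_TC = 0x0200      # header flag bit: answer was truncated
EDNS_DO = 0x8000      # OPT TTL-field bit: DNSSEC OK (ask for DNSKEY/RRSIG data)


def encode_name(name):
    """Wire-format a dotted name as length-prefixed labels plus the root label."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def question_len(msg, offset=12):
    """Bytes occupied by the (uncompressed) question section starting at offset."""
    i = offset
    while msg[i] != 0:
        i += msg[i] + 1
    return i + 1 + 4 - offset


def build_query(name, qtype, edns=True, udp_size=4096):
    """Recursive query; with edns=True an OPT RR advertises udp_size and sets DO."""
    txid = random.randrange(0, 0x10000)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1 if edns else 0)
    question = encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)
    if not edns:
        return header + question
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_size, EDNS_DO, 0)
    return header + question + opt


def parse_header(msg):
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "flags": flags, "qdcount": qd, "ancount": an,
            "nscount": ns, "arcount": ar, "tc": bool(flags & FLAG_TC)}


def fake_server(query, over_tcp, key_bytes):
    """Constructed answer: three DNSKEY RRs with dummy key material (bytes([i])).
    Over UDP without EDNS0 only 512 bytes may be sent, so a large answer is
    replaced by an empty one with TC set, exactly as a real server would do."""
    txid = struct.unpack("!H", query[:2])[0]
    question = query[12:12 + question_len(query)]
    rrs = b""
    for i in range(3):
        rdata = struct.pack("!HBB", 256, 3, 8) + bytes([i]) * key_bytes
        rrs += b"\xc0\x0c" + struct.pack("!HHIH", TYPE_DNSKEY, CLASS_IN, 3600, len(rdata)) + rdata
    full = struct.pack("!HHHHHH", txid, 0x8180, 1, 3, 0, 0) + question + rrs
    no_edns = parse_header(query)["arcount"] == 0
    if not over_tcp and no_edns and len(full) > 512:
        return struct.pack("!HHHHHH", txid, 0x8180 | FLAG_TC, 1, 0, 0, 0) + question
    return full


def make_broken_router(key_bytes, max_udp=512):
    """Middlebox model: UDP answers over max_udp bytes vanish (the client sees a
    timeout, returned here as None); TCP, with its 2-byte length framing, passes."""
    def udp_send(query):
        answer = fake_server(query, False, key_bytes)
        return answer if len(answer) <= max_udp else None

    def tcp_send(framed):
        answer = fake_server(framed[2:], True, key_bytes)
        return struct.pack("!H", len(answer)) + answer
    return udp_send, tcp_send


def resolve_with_fallback(query, udp_send, tcp_send):
    """Stub-resolver logic: UDP first; on timeout or TC retry over TCP.
    Returns (how, message), where how records why TCP was needed."""
    reply = udp_send(query)
    if reply is None:
        how = "tcp-after-udp-timeout"
    elif parse_header(reply)["tc"]:
        how = "tcp-after-tc"
    else:
        return "udp", reply
    framed = tcp_send(struct.pack("!H", len(query)) + query)
    (length,) = struct.unpack("!H", framed[:2])
    return how, framed[2:2 + length]


def resolve(name="freebsd.org", key_bytes=300, edns=True):
    """One DNSKEY lookup through the router model: (how, answer size, ancount)."""
    udp_send, tcp_send = make_broken_router(key_bytes)
    query = build_query(name, TYPE_DNSKEY, edns=edns)
    how, msg = resolve_with_fallback(query, udp_send, tcp_send)
    return how, len(msg), parse_header(msg)["ancount"]


if __name__ == "__main__":
    print(resolve())              # EDNS0 answer of 977 bytes dropped: only a timeout tells
    print(resolve(edns=False))    # no EDNS0: server sets TC, resolver switches to TCP at once
    print(resolve(key_bytes=40))  # 197-byte answer fits in 512 bytes: plain UDP works
```

The point the model makes: a validating resolver always advertises a large EDNS0 buffer, so the upstream server sends the big DNSKEY answer in one UDP datagram; when the router eats that datagram there is no TC, no ICMP, nothing to react to, which is why drill -TD simply idles while a plain A query for the same zone (and every small answer for other zones) still resolves.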
 
Your last mentioned command did resolve.

What can I conclude from this? And does this explain the exceptional behaviour for *.freebsd.org?

Many thanks!
 
Most likely your router is blocking DNS responses that are bigger than 512 bytes, and when you query with DNSSEC you don't get any response from the server because those responses are a lot bigger.
You can try the same using the DNS server that your ISP provides and verify whether you can get the DNSSEC chain using drill -TD @IPaddress_of_ISP_DNS google.com.

Example:
versus@nginx:~ % drill -TD @1.1.1.3 freebsd.org.
;; Number of trusted keys: 1
;; Domain: .
[T] . 172800 IN DNSKEY 256 3 8 ;{id = 20826 (zsk), size = 2048b}
. 172800 IN DNSKEY 257 3 8 ;{id = 20326 (ksk), size = 2048b}
Checking if signing key is trusted:
New key: . 172800 IN DNSKEY 256 3 8 AwEAAaQVKIqdmeLCaF4lq+IoKpejId9qqoIbZJ6cjB5MfyJYX3KVFXYyJ9rt4jKOwf4m2BoDOY66V1upRumF+eu502HXzdOdJlioRLA9YiRyLgvfjzyfUYrExYT4/TDTS4XfQX2UcJDN5C7SQ9UxebZk/VjQfPAUU+hZKOcjOVRFbAHom4tIi+Rin0laGlAi8ZY5WUZypYKR0xvprtG0eXeOBMjbUt1EnhmO2Bs52zC8B0cMjq6fMiYFUqtziALccsQczGngIDR0dIvvL54ky1JNNp19Ldy9ir27s7eRCYGbYI1WzR05/d4/nCmDSHkQS2BiesYufuWZZwm+FsitupCciwE= ;{id = 20826 (zsk), size = 2048b}
Trusted key: . 86400 IN DNSKEY 257 3 8 AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU= ;{id = 20326 (ksk), size = 2048b}
Trusted key: . 172800 IN DNSKEY 256 3 8 AwEAAaQVKIqdmeLCaF4lq+IoKpejId9qqoIbZJ6cjB5MfyJYX3KVFXYyJ9rt4jKOwf4m2BoDOY66V1upRumF+eu502HXzdOdJlioRLA9YiRyLgvfjzyfUYrExYT4/TDTS4XfQX2UcJDN5C7SQ9UxebZk/VjQfPAUU+hZKOcjOVRFbAHom4tIi+Rin0laGlAi8ZY5WUZypYKR0xvprtG0eXeOBMjbUt1EnhmO2Bs52zC8B0cMjq6fMiYFUqtziALccsQczGngIDR0dIvvL54ky1JNNp19Ldy9ir27s7eRCYGbYI1WzR05/d4/nCmDSHkQS2BiesYufuWZZwm+FsitupCciwE= ;{id = 20826 (zsk), size = 2048b}
Key is now trusted!
Trusted key: . 172800 IN DNSKEY 257 3 8 AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU= ;{id = 20326 (ksk), size = 2048b}
[T] org. 86400 IN DS 26974 8 2 4fede294c53f438a158c41d39489cd78a86beb0d8a0aeaff14745c0d16e1de32
;; Domain: org.
[T] org. 3600 IN DNSKEY 256 3 8 ;{id = 52626 (zsk), size = 1024b}
org. 3600 IN DNSKEY 257 3 8 ;{id = 26974 (ksk), size = 2048b}
org. 3600 IN DNSKEY 256 3 8 ;{id = 29511 (zsk), size = 1024b}
Checking if signing key is trusted:
New key: org. 3600 IN DNSKEY 256 3 8 AwEAAZx4W6Yqg93Ca3Xc+6Thy8oFaRiBC0LYRlYwVvc9d3HejqXg5hJa1rXGsImT9jDShcEu4862oYV5HeGkLO0d9EKwqGYnnpRNRIamcRNUXDLdcjpO+1AKpu+dDwzpFyUPGyhhLbwU71PqzNAVVn4xpfyE/sC4TmiV7iqcfYJb17uh ;{id = 52626 (zsk), size = 1024b}
Trusted key: . 86400 IN DNSKEY 257 3 8 AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU= ;{id = 20326 (ksk), size = 2048b}
Trusted key: . 172800 IN DNSKEY 256 3 8 AwEAAaQVKIqdmeLCaF4lq+IoKpejId9qqoIbZJ6cjB5MfyJYX3KVFXYyJ9rt4jKOwf4m2BoDOY66V1upRumF+eu502HXzdOdJlioRLA9YiRyLgvfjzyfUYrExYT4/TDTS4XfQX2UcJDN5C7SQ9UxebZk/VjQfPAUU+hZKOcjOVRFbAHom4tIi+Rin0laGlAi8ZY5WUZypYKR0xvprtG0eXeOBMjbUt1EnhmO2Bs52zC8B0cMjq6fMiYFUqtziALccsQczGngIDR0dIvvL54ky1JNNp19Ldy9ir27s7eRCYGbYI1WzR05/d4/nCmDSHkQS2BiesYufuWZZwm+FsitupCciwE= ;{id = 20826 (zsk), size = 2048b}
Trusted key: . 172800 IN DNSKEY 257 3 8 AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU= ;{id = 20326 (ksk), size = 2048b}
Trusted key: org. 3600 IN DNSKEY 256 3 8 AwEAAZx4W6Yqg93Ca3Xc+6Thy8oFaRiBC0LYRlYwVvc9d3HejqXg5hJa1rXGsImT9jDShcEu4862oYV5HeGkLO0d9EKwqGYnnpRNRIamcRNUXDLdcjpO+1AKpu+dDwzpFyUPGyhhLbwU71PqzNAVVn4xpfyE/sC4TmiV7iqcfYJb17uh ;{id = 52626 (zsk), size = 1024b}
Key is now trusted!
Trusted key: org. 3600 IN DNSKEY 257 3 8 AwEAAexZJ/1wfyNCxNPrTZizaG7UlibGhP+AyogR6bqjptKweEgE4gD8GxRQJkt+Fn5pCoNqzmm1ZnEoKqvm93uOYtbKkYQDGH+W69J66MSKpgIyS+mT/4iaXn+lpb5o99l/sf7lHMa975O/fqN6aPUll4hUbN2T1LHv6HzQuQCtNRJA8jHGwX5q0NMmh2Z+yaG6B9cISerje9l5L+ID2ydJ6zXquYteoIUvX2xzqnXCdHPSvD+oL6R/weW+tztdFS1hok/1z3tn5NzmcaOLll9nXniCozEpLFEGPswyvtphWgCYhI8bBTqhUsIwfIwLSBQTEg2oCX7sS5CbXg44OqwhIW8= ;{id = 26974 (ksk), size = 2048b}
Trusted key: org. 3600 IN DNSKEY 256 3 8 AwEAAb9tjHO8nHIiRuf0zHT2Gen/tjGmj2ZWB/ko+5M4jmrGFnu/fMmr5pkTcKe5JVwEEykWcMZWjB4vT0hljN5ua8gW+Xskzk6EH5F2+CzmN6u1DysuFn9FAwBpilKpZ9OKnN5qYDOURAX11O4ib+iqSdwzOMv55WHv4waE3TsGZNAR ;{id = 29511 (zsk), size = 1024b}
[T] freebsd.org. 3600 IN DS 23710 8 2 710552694c349260c84430f5e7cc54406543896011c39bb79e21d9bfc3a7b62f
;; Domain: freebsd.org.
[T] freebsd.org. 3600 IN DNSKEY 256 3 8 ;{id = 62638 (zsk), size = 2048b}
freebsd.org. 3600 IN DNSKEY 257 3 8 ;{id = 23710 (ksk), size = 2048b}
freebsd.org. 3600 IN DNSKEY 256 3 8 ;{id = 48825 (zsk), size = 2048b}
[T] freebsd.org. 3600 IN A 96.47.72.84
;; self sig OK; bogus; [T] trusted

What model is your router at 192.168.8.1? Is it some small SOHO router, or is it a dedicated PC?
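The resolver-side workaround that follows from this diagnosis, as an added example and not something posted in the thread: since local-unbound-setup overwrites its generated files, the change goes in a drop-in under /var/unbound/conf.d/, which the unbound.conf shown above already includes. The file name is an assumption; tcp-upstream is a standard unbound server option.

```conf
# /var/unbound/conf.d/tcp-upstream.conf   (file name is an assumption)
server:
        # The router silently drops UDP answers larger than 512 bytes, so
        # DNSKEY/RRSIG-laden DNSSEC responses never arrive and validation
        # stalls for signed zones. Send all queries to the forwarders over
        # TCP instead; unbound's own clients still get UDP on 127.0.0.1.
        tcp-upstream: yes
```

After service local_unbound restart, check with drill -D @127.0.0.1 freebsd.org.; a validated answer shows the ad flag in the header. Alternatively, a small edns-buffer-size makes the forwarders truncate and set TC, after which unbound retries over TCP on its own, but tcp-upstream is the simpler setting for this case. Either way this only works around the middlebox; the real fix is on the router, which should pass large UDP datagrams and their fragments.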
 