Cannot resolve www.FreeBSD.org but can resolve www.google.com

I'm installing FreeBSD 10.1. That is to say I have it up and running, using the DHCP client.

portsnap fetch results in no mirrors found. When I try to ping portsnap.FreeBSD.org it fails. When I try to ping www.FreeBSD.org it fails. But when I try www.google.com it succeeds.

I have a Windows machine on the same network and that can ping FreeBSD.org. Any ideas as to what can be causing this behavior?
 
Code:
# nameserver 192.168.1.1
nameserver 127.0.0.1
options edns0
When I use the first address it works fine. I have unbound running. Just the default config from FreeBSD-10.1 (r282111).

cat /etc/unbound/unbound.conf
Code:
# Generated by local-unbound-setup
server:
  username: unbound
  directory: /var/unbound
  chroot: /var/unbound
  pidfile: /var/run/local_unbound.pid
  auto-trust-anchor-file: /var/unbound/root.key

include: /var/unbound/forward.conf
include: /var/unbound/lan-zones.conf
include: /var/unbound/conf.d/*.conf

cat /var/unbound/{forward,lan-zones}.conf
Code:
# Generated by resolvconf
# Generated by local-unbound-setup
# Do not edit this file.
server:
  # Unblock reverse lookups for LAN addresses
  unblock-lan-zones: yes
  domain-insecure: 10.in-addr.arpa.
  domain-insecure: 127.in-addr.arpa.
  domain-insecure: 16.172.in-addr.arpa.
  domain-insecure: 17.172.in-addr.arpa.
  domain-insecure: 18.172.in-addr.arpa.
  domain-insecure: 19.172.in-addr.arpa.
  domain-insecure: 20.172.in-addr.arpa.
  domain-insecure: 21.172.in-addr.arpa.
  domain-insecure: 22.172.in-addr.arpa.
  domain-insecure: 23.172.in-addr.arpa.
  domain-insecure: 24.172.in-addr.arpa.
  domain-insecure: 25.172.in-addr.arpa.
  domain-insecure: 26.172.in-addr.arpa.
  domain-insecure: 27.172.in-addr.arpa.
  domain-insecure: 28.172.in-addr.arpa.
  domain-insecure: 29.172.in-addr.arpa.
  domain-insecure: 30.172.in-addr.arpa.
  domain-insecure: 31.172.in-addr.arpa.
  domain-insecure: 168.192.in-addr.arpa.
  domain-insecure: 254.169.in-addr.arpa.
  domain-insecure: d.f.ip6.arpa.
  domain-insecure: 8.e.ip6.arpa.
  domain-insecure: 9.e.ip6.arpa.
  domain-insecure: a.e.ip6.arpa.
  domain-insecure: b.e.ip6.arpa.

The directory /var/unbound/conf.d/ is empty.

Could it have something to do with:

FreeBSD Handbook - Domain Name System (DNS) said:
If any of the listed nameservers do not support DNSSEC, local DNS resolution will fail. Be sure to test each nameserver and remove any that fail the test. The following command will show the trust tree or a failure for a nameserver running on 192.168.1.1:

https://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/network-dns.html
 
Going out on a limb here, but are you using a firewall, and if so, are you allowing fragment reassembly? If you are not using a firewall then never mind. With a firewall and no rule for fragment reassembly, the packet size of a reply with DNSSEC is bigger than normal and usually gets fragmented, hence the need to account for it at the firewall.

Other ideas: run through a handful of different tests and see where things work and where they don't. There will likely be some clues in here if you post the output of the following.
drill www.FreeBSD.org
drill -T www.FreeBSD.org
drill -S www.FreeBSD.org
drill -4 @ns0.FreeBSD.org www.FreeBSD.org
drill -6 @ns0.FreeBSD.org www.FreeBSD.org
 
Replace /etc/resolv.conf:
Code:
nameserver 8.8.8.8
nameserver 127.0.0.1
options edns0
 
Going out on a limb here, but are you using a firewall, and if so, are you allowing fragment reassembly?
No firewall. The FreeBSD install is fresh. I find it so weird that this works for some addresses and doesn't work for other addresses.

When using 127.0.0.1 in resolv.conf
drill www.FreeBSD.org
Code:
;; ->>HEADER<<- opcode: QUERY, rcode: SERVFAIL, id: 45413
;; flags: qr rd ra ; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;; www.freebsd.org.  IN  A

;; ANSWER SECTION:

;; AUTHORITY SECTION:

;; ADDITIONAL SECTION:

;; Query time: 0 msec
;; SERVER: 127.0.0.1
;; WHEN: Wed May  6 19:37:36 2015
;; MSG SIZE  rcvd: 33

drill -T www.FreeBSD.org
Code:
org.  172800  IN  NS  a0.org.afilias-nst.info.
org.  172800  IN  NS  c0.org.afilias-nst.info.
org.  172800  IN  NS  b2.org.afilias-nst.org.
org.  172800  IN  NS  b0.org.afilias-nst.org.
org.  172800  IN  NS  a2.org.afilias-nst.info.
org.  172800  IN  NS  d0.org.afilias-nst.org.
freebsd.org.  86400  IN  NS  ns1.isc-sns.net.
freebsd.org.  86400  IN  NS  ns2.isc-sns.com.
freebsd.org.  86400  IN  NS  ns3.isc-sns.info.
freebsd.org.  86400  IN  NS  ns1.isc-sns.net.
freebsd.org.  86400  IN  NS  ns2.isc-sns.com.
freebsd.org.  86400  IN  NS  ns3.isc-sns.info.
ns1.isc-sns.net.freebsd.org.  86400  IN  NS  ns1.isc-sns.net.
freebsd.org.  86400  IN  NS  ns2.isc-sns.com.
freebsd.org.  86400  IN  NS  ns3.isc-sns.info.
ns2.isc-sns.com.freebsd.org.  86400  IN  NS  ns1.isc-sns.net.
freebsd.org.  86400  IN  NS  ns2.isc-sns.com.
freebsd.org.  86400  IN  NS  ns3.isc-sns.info.
ns3.isc-sns.info.www.freebsd.org.  600  IN  CNAME  wfe0.ysv.freebsd.org.
wfe0.ysv.freebsd.org.  600  IN  A  8.8.178.110
freebsd.org.  600  IN  NS  ns2.isc-sns.com.
freebsd.org.  600  IN  NS  ns3.isc-sns.info.
freebsd.org.  600  IN  NS  ns1.isc-sns.net.

drill -S www.FreeBSD.org
Code:
;; Number of trusted keys: 1
;; Chasing: www.freebsd.org. A


DNSSEC Trust tree:
www.freebsd.org. (CNAME)
|---freebsd.org. (DNSKEY keytag: 60981 alg: 8 flags: 256)
  |---freebsd.org. (DNSKEY keytag: 25814 alg: 8 flags: 257)
  |---freebsd.org. (DS keytag: 25814 digest type: 2)
No trusted keys found in tree: first error was: No DNSSEC public key(s)
;; Chase failed.

drill -4 @ns0.FreeBSD.org www.FreeBSD.org
Code:
Error: could not find any address for the name: `ns0.FreeBSD.org'

drill -6 @ns0.FreeBSD.org www.FreeBSD.org
Code:
Error: could not find any address for the name: `ns0.FreeBSD.org'


When using 196.168.1.1 in resolv.conf
drill www.FreeBSD.org
Code:
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 29143
;; flags: qr rd ra ; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;; www.FreeBSD.org.  IN  A

;; ANSWER SECTION:
www.FreeBSD.org.  599  IN  CNAME  wfe0.ysv.FreeBSD.org.
wfe0.ysv.FreeBSD.org.  599  IN  A  8.8.178.110

;; AUTHORITY SECTION:

;; ADDITIONAL SECTION:

;; Query time: 31 msec
;; SERVER: 192.168.1.1
;; WHEN: Wed May  6 19:51:56 2015
;; MSG SIZE  rcvd: 72

drill -S www.FreeBSD.org
Code:
;; Number of trusted keys: 1
;; Chasing: www.freebsd.org. A


DNSSEC Trust tree:
www.freebsd.org. (CNAME)
|---freebsd.org. (DNSKEY keytag: 60981 alg: 8 flags: 256)
  |---freebsd.org. (DNSKEY keytag: 25814 alg: 8 flags: 257)
  |---freebsd.org. (DS keytag: 25814 digest type: 2)
No trusted keys found in tree: first error was: No DNSSEC public key(s)
;; Chase failed.

drill -T www.FreeBSD.org
Code:
org.  172800  IN  NS  a0.org.afilias-nst.info.
org.  172800  IN  NS  c0.org.afilias-nst.info.
org.  172800  IN  NS  d0.org.afilias-nst.org.
org.  172800  IN  NS  b0.org.afilias-nst.org.
org.  172800  IN  NS  b2.org.afilias-nst.org.
org.  172800  IN  NS  a2.org.afilias-nst.info.
freebsd.org.  86400  IN  NS  ns1.isc-sns.net.
freebsd.org.  86400  IN  NS  ns2.isc-sns.com.
freebsd.org.  86400  IN  NS  ns3.isc-sns.info.
freebsd.org.  86400  IN  NS  ns1.isc-sns.net.
freebsd.org.  86400  IN  NS  ns2.isc-sns.com.
freebsd.org.  86400  IN  NS  ns3.isc-sns.info.
ns1.isc-sns.net.freebsd.org.  86400  IN  NS  ns1.isc-sns.net.
freebsd.org.  86400  IN  NS  ns2.isc-sns.com.
freebsd.org.  86400  IN  NS  ns3.isc-sns.info.
ns2.isc-sns.com.freebsd.org.  86400  IN  NS  ns1.isc-sns.net.
freebsd.org.  86400  IN  NS  ns2.isc-sns.com.
freebsd.org.  86400  IN  NS  ns3.isc-sns.info.
ns3.isc-sns.info.www.freebsd.org.  600  IN  CNAME  wfe0.ysv.freebsd.org.
wfe0.ysv.freebsd.org.  600  IN  A  8.8.178.110
freebsd.org.  600  IN  NS  ns3.isc-sns.info.
freebsd.org.  600  IN  NS  ns2.isc-sns.com.
freebsd.org.  600  IN  NS  ns1.isc-sns.net.

drill -4 @ns0.FreeBSD.org www.FreeBSD.org
Code:
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 61961
;; flags: qr aa rd ; QUERY: 1, ANSWER: 2, AUTHORITY: 3, ADDITIONAL: 0
;; QUESTION SECTION:
;; www.FreeBSD.org.  IN  A

;; ANSWER SECTION:
www.FreeBSD.org.  600  IN  CNAME  wfe0.ysv.FreeBSD.org.
wfe0.ysv.FreeBSD.org.  600  IN  A  8.8.178.110

;; AUTHORITY SECTION:
FreeBSD.org.  600  IN  NS  ns1.isc-sns.net.
FreeBSD.org.  600  IN  NS  ns2.isc-sns.com.
FreeBSD.org.  600  IN  NS  ns3.isc-sns.info.

;; ADDITIONAL SECTION:

;; Query time: 192 msec
;; SERVER: 8.8.178.18
;; WHEN: Wed May  6 19:54:01 2015
;; MSG SIZE  rcvd: 160

drill -6 @ns0.FreeBSD.org www.FreeBSD.org
Code:
Error: could not find any address for the name: `ns0.FreeBSD.org'
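
Added example, not part of any post in this thread: a Python sketch that builds an A query carrying an EDNS0 OPT record with the DNSSEC OK (DO) bit, and triages a reply header the same way the drill headers above are read. The two replies are constructed from the header values shown in the thread (answer records omitted); all function names are hypothetical.

```python
import struct

def encode_name(name):
    """Encode a domain name as length-prefixed DNS labels."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_query(name, qid, dnssec_ok=True, checking_disabled=False, udp_size=4096):
    """A query with an EDNS0 OPT record, the extension 'options edns0' turns on."""
    flags = 0x0100 | (0x0010 if checking_disabled else 0)    # RD, optionally CD
    header = struct.pack("!6H", qid, flags, 1, 0, 0, 1)      # 1 question, 1 additional
    question = encode_name(name) + struct.pack("!2H", 1, 1)  # QTYPE=A, QCLASS=IN
    # OPT pseudo-RR: root name, TYPE=41, CLASS=advertised UDP payload size,
    # TTL=ext-rcode(8)|version(8)|DO(1)|Z(15), RDLENGTH=0
    ttl = 0x8000 if dnssec_ok else 0
    return header + question + b"\x00" + struct.pack("!HHIH", 41, udp_size, ttl, 0)

RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def parse_header(msg):
    """Decode the 12-byte DNS header fields that drill prints."""
    qid, flags, _qd, an, _ns, _ar = struct.unpack("!6H", msg[:12])
    return {"id": qid, "rcode": RCODES.get(flags & 0xF, str(flags & 0xF)),
            "tc": bool(flags & 0x0200), "ad": bool(flags & 0x0020),
            "cd": bool(flags & 0x0010), "answers": an}

def triage(msg):
    """Map a reply header to the next troubleshooting step."""
    h = parse_header(msg)
    if h["tc"]:
        return "truncated: reply exceeded UDP size, check TCP/53 and fragment handling"
    if h["rcode"] == "SERVFAIL" and h["answers"] == 0:
        return "servfail: resend with CD set; an answer then points at DNSSEC validation"
    if h["rcode"] == "NOERROR":
        return "validated" if h["ad"] else "answered-unvalidated"
    return h["rcode"].lower()

QUESTION = encode_name("www.freebsd.org") + struct.pack("!2H", 1, 1)
# Constructed from the 127.0.0.1 output: id 45413, flags qr rd ra, SERVFAIL
SERVFAIL_REPLY = struct.pack("!6H", 45413, 0x8182, 1, 0, 0, 0) + QUESTION
# Constructed from the 192.168.1.1 output: id 29143, flags qr rd ra, 2 answers
NOERROR_REPLY = struct.pack("!6H", 29143, 0x8180, 1, 2, 0, 0) + QUESTION

if __name__ == "__main__":
    print(len(SERVFAIL_REPLY), triage(SERVFAIL_REPLY))
    print(triage(NOERROR_REPLY))
    print(build_query("www.FreeBSD.org", 1, checking_disabled=True).hex())
```

The constructed SERVFAIL reply is 33 bytes, matching the `MSG SIZE rcvd: 33` line in the 127.0.0.1 output.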
 
That is pretty strange. It seems like there is an issue with that initial recursive query to get the address of ns0.FreeBSD.org on some of the queries. However the fact that drill -T www.FreeBSD.org works seems to discount that as being a cause.

I'm curious if normal queries with just a forwarder will work normally. Can you try something like this in /etc/rc.conf and see what happens?
Code:
local_unbound_forwarders="8.8.8.8"
 