
Solved Unbound very slow and/or DNS address could not be found

lebarondemerde

Aspiring Daemon

Thanks: 367
Messages: 969

#1
Hello,

I am trying to use unbound without forwarding, and several times it takes ages to resolve a supposedly cached website, or does not resolve it at all: "DNS address could not be found". It can happen with any site, including freebsd.org.

Basically it works very well for a while, then it seems to stop working for a minute.

Code:
server:
        username: unbound
        directory: /var/unbound
        chroot: /var/unbound
        pidfile: /var/run/local_unbound.pid
        auto-trust-anchor-file: /var/unbound/root.key
        root-hints: "/var/unbound/root.hints"
        qname-minimisation: yes
        minimal-responses: yes
        hide-identity: yes
        hide-version: yes
        interface: 127.0.0.1
        interface: 192.168.0.254
        access-control: 192.168.0.0/24 allow

include: /var/unbound/control.conf
include: /var/unbound/conf.d/*.conf
Thanks!
 

getopt

Well-Known Member

Thanks: 294
Messages: 494

#3
For troubleshooting or debugging, start by looking at the log files.

Add to unbound.conf:
Code:
logfile: log/unbound.log
log-time-ascii: yes
log-queries: yes
val-log-level: >>see manual unbound.conf<<
Come back with your findings.
 

Snurg

Aspiring Daemon

Thanks: 238
Messages: 684

#4
I had exactly the same problem some time ago. I also first suspected unbound as the culprit.
The logs told about timeouts.
Finally I found out that my Fritzbox router, which had recently got a firmware update, had changed its DSL parameters, which led to the internet connection intermittently browning out. This seems to happen frequently, so the Fritzbox manufacturer published a guide on how to fix this in its knowledge base. See this page (in German), section "Vorherige DSL-Version einsetzen".
After I did that, the problems disappeared immediately and permanently.
Just in case you happen to use a recently updated Fritzbox...
 

lebarondemerde

Aspiring Daemon

Thanks: 367
Messages: 969

#5
Hi,

I had to revert to forwarding and will take another look later. I need to have a stable connection during the day.

Thanks!
 

lebarondemerde

Aspiring Daemon

Thanks: 367
Messages: 969

#6
After running for a while without forwarding, the problem came back. No log messages have been created so far.

I do not have a Fritzbox here; my ISP is very eclectic, each time they bring a different box, but I think it is something related to the connection. Also, my ISP is very prone to blocking things, like ports...

EDIT: "val-log-level: 2"

Here we go:

Code:
UID PID PPID CPU PRI NI    VSZ    RSS MWCHAN   STAT TT      TIME COMMAND
   0   0    0   0  -8  0      0    160 -        DLs   -   0:00.01 [kernel]
   0   1    0   0  52  0   9496    912 wait     ILs   -   0:00.01 /sbin/init --
   0   2    0   0 -16  0      0     32 -        DL    -   0:00.00 [cam]
   0   3    0   0 -16  0      0     16 -        DL    -   0:00.00 [fdc0]
   0   4    0   0 -16  0      0     16 waiting_ DL    -   0:00.00 [sctp_iterator]
   0   5    0   0 -16  0      0     16 idle     DL    -   0:00.00 [enc_daemon0]
   0   6    0   0 -16  0      0     32 umarcl   DL    -   0:00.04 [pagedaemon]
   0   7    0   0 -16  0      0     16 psleep   DL    -   0:00.00 [vmdaemon]
   0   8    0   0 155  0      0     16 pgzero   DL    -   0:00.00 [pagezero]
   0   9    0   0 -16  0      0     96 sdflush  DL    -   0:00.05 [bufdaemon]
   0  10    0   0 -16  0      0     16 audit_wo DL    -   0:00.00 [audit]
   0  11    0   0 155  0      0     64 -        RL    -  93:06.29 [idle]
   0  12    0   0 -72  0      0    528 -        WL    -   0:01.19 [intr]
   0  13    0   0  -8  0      0     48 -        DL    -   0:00.02 [geom]
   0  14    0   0 -16  0      0     16 -        DL    -   0:00.14 [rand_harvestq]
   0  15    0   0 -68  0      0    640 -        DL    -   0:00.05 [usb]
   0  16    0   0 -16  0      0     16 vlruwt   DL    -   0:00.00 [vnlru]
   0  17    0   0  16  0      0     16 syncer   DL    -   0:00.08 [syncer]
   0 311    1   0  20  0  13636   4828 select   Is    -   0:00.00 /sbin/devd
   0 319    0   0 -16  0      0     16 pftm     DL    -   0:00.39 [pf purge]
  59 359    1   0  20  0  39408  11412 select   Ss    -   0:01.34 /usr/sbin/unbound -c /var/unbound/unbound.conf
   0 407    1   0  20  0  14524   2152 select   Ss    -   0:00.01 /usr/sbin/syslogd -s
   0 552    1   0  20  0  26132  18052 select   Ss    -   0:00.07 /usr/sbin/ntpd -c /etc/ntp.conf -p /var/run/ntpd.pid -f /var/db/ntpd.drift
   0 555    1   0  20  0  14504   1968 select   Ss    -   0:00.06 /usr/sbin/powerd
535 576    1   0  52  0  24248   5120 uwait    Is    -   0:00.45 redis-server: /usr/local/bin/redis-server 127.0.0.1:6379 (redis-server)
   0 580    1   0  20  0 137604  14736 kqread   Ss    -   0:00.03 php-fpm: master process (/usr/local/etc/php-fpm.conf) (php-fpm)
  80 581  580   0  41  0 152068  29904 accept   S     -   1:24.27 php-fpm: pool www (php-fpm)
  80 582  580   0  52  0 137604  14740 accept   I     -   0:00.00 php-fpm: pool www (php-fpm)
  80 583  580   0  52  0 137604  14744 accept   I     -   0:00.00 php-fpm: pool www (php-fpm)
  80 584  580   0  52  0 137604  14748 accept   I     -   0:00.00 php-fpm: pool www (php-fpm)
  80 585  580   0  52  0 137604  14752 accept   I     -   0:00.00 php-fpm: pool www (php-fpm)
  80 586  580   0  52  0 137604  14756 accept   I     -   0:00.00 php-fpm: pool www (php-fpm)
  80 587  580   0  52  0 137604  14760 accept   I     -   0:00.00 php-fpm: pool www (php-fpm)
  80 588  580   0  52  0 137604  14764 accept   I     -   0:00.00 php-fpm: pool www (php-fpm)
  80 589  580   0  52  0 137604  14768 accept   I     -   0:00.00 php-fpm: pool www (php-fpm)
  80 590  580   0  52  0 137604  14772 accept   I     -   0:00.00 php-fpm: pool www (php-fpm)
   0 594    1   0  52  0  39284   6628 pause    Is    -   0:00.00 nginx: master process /usr/local/sbin/nginx
  80 595  594   0  20  0  39284   7708 kqread   S     -   0:00.16 nginx: worker process (nginx)
  80 596  594   0  20  0  39284   7640 kqread   S     -   0:00.09 nginx: worker process (nginx)
  80 598  594   0  20  0  39284   7640 kqread   S     -   0:00.06 nginx: worker process (nginx)
  80 599  594   0  20  0  39284   7640 kqread   S     -   0:00.09 nginx: worker process (nginx)
  88 606    1   0  52  0  17100   2604 wait     Is    -   0:00.01 /bin/sh /usr/local/bin/mysqld_safe --defaults-extra-file=/var/db/mysql/my.cnf --user=mysql --datadir=/var/db
  88 688  606   0  47  0 571728 106960 sigwait  I     -   0:01.96 /usr/local/libexec/mysqld --defaults-extra-file=/var/db/mysql/my.cnf --basedir=/usr/local --datadir=/var/db/
   0 695    1   0  20  0 100624  16024 select   S     -   0:00.28 /usr/local/bin/python2.7 /usr/local/bin/fail2ban-server -s /var/run/fail2ban/fail2ban.sock -p /var/run/fail2
   0 701    1   0  20  0  41516  11788 nanslp   Ss    -   0:00.04 ddclient - sleeping for 100 seconds (perl)
   0 730    1   0  20  0  34628   5912 select   Is    -   0:00.00 /usr/sbin/sshd
   0 733    1   0  20  0  16628   2352 nanslp   Ss    -   0:00.01 /usr/sbin/cron -s
   0 761    1   0  52  0  18748   2220 select   Is    -   0:00.00 /usr/sbin/inetd -Ww
   0 807  730   0  20  0  59900   6432 select   Is    -   0:00.02 sshd: privacychain [priv] (sshd)
1001 809  807   0  20  0  59900   6500 select   S     -   0:00.03 sshd: privacychain@pts/0 (sshd)
   0 780    1   0  52  0  14524   2088 ttyin    Is+  v0   0:00.00 /usr/libexec/getty Pc ttyv0
   0 781    1   0  52  0  14524   2088 ttyin    Is+  v1   0:00.00 /usr/libexec/getty Pc ttyv1
   0 782    1   0  52  0  14524   2088 ttyin    Is+  v2   0:00.00 /usr/libexec/getty Pc ttyv2
   0 783    1   0  52  0  14524   2088 ttyin    Is+  v3   0:00.00 /usr/libexec/getty Pc ttyv3
   0 784    1   0  52  0  14524   2088 ttyin    Is+  v4   0:00.00 /usr/libexec/getty Pc ttyv4
   0 785    1   0  52  0  14524   2088 ttyin    Is+  v5   0:00.00 /usr/libexec/getty Pc ttyv5
   0 786    1   0  52  0  14524   2088 ttyin    Is+  v6   0:00.00 /usr/libexec/getty Pc ttyv6
   0 787    1   0  52  0  14524   2088 ttyin    Is+  v7   0:00.00 /usr/libexec/getty Pc ttyv7
1001 810  809   0  20  0  23600   4244 pause    Ss    0   0:00.03 -csh (csh)
1001 853  810   0  20  0  18772   2588 -        R+    0   0:00.00 ps -lax
Code:
Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address          Foreign Address        (state)
tcp4     128      0 localhost.9000         localhost.26699        ESTABLISHED
tcp4       0   1320 localhost.26699        localhost.9000         ESTABLISHED
tcp4       0      0 localhost.49768        localhost.6379         TIME_WAIT
tcp4       0      0 localhost.9000         localhost.17970        TIME_WAIT
tcp4       0      0 192.168.0.254.https    192.168.0.10.60740     ESTABLISHED
tcp4       0      0 localhost.37272        localhost.6379         TIME_WAIT
tcp4       0      0 localhost.9000         localhost.22940        TIME_WAIT
tcp4       0      0 192.168.0.254.38335    x.mx-ns.mx.domain      TIME_WAIT
tcp4       0      0 localhost.36631        localhost.6379         TIME_WAIT
tcp4       0      0 localhost.9000         localhost.39674        TIME_WAIT
tcp4       0      0 localhost.41893        localhost.6379         TIME_WAIT
tcp4       0      0 localhost.9000         localhost.28518        TIME_WAIT
tcp4       0      0 localhost.59963        localhost.6379         TIME_WAIT
tcp4       0      0 localhost.9000         localhost.39822        TIME_WAIT
tcp4       0      0 localhost.18051        localhost.6379         TIME_WAIT
tcp4       0      0 localhost.9000         localhost.45615        TIME_WAIT
tcp4       0      0 localhost.48116        localhost.6379         TIME_WAIT
tcp4       0      0 localhost.9000         localhost.30544        TIME_WAIT
tcp4       0      0 localhost.10762        localhost.6379         TIME_WAIT
tcp4       0      0 localhost.9000         localhost.31305        TIME_WAIT
tcp4       0      0 localhost.62480        localhost.6379         TIME_WAIT
tcp4       0      0 localhost.9000         localhost.28116        TIME_WAIT
tcp4       0      0 localhost.43681        localhost.6379         TIME_WAIT
tcp4       0      0 localhost.9000         localhost.65516        TIME_WAIT
tcp4       0      0 localhost.52718        localhost.6379         TIME_WAIT
tcp4       0      0 localhost.9000         localhost.25170        TIME_WAIT
tcp4       0      0 localhost.58089        localhost.6379         TIME_WAIT
tcp4       0      0 localhost.9000         localhost.32632        TIME_WAIT
tcp4       0      0 localhost.58363        localhost.6379         TIME_WAIT
tcp4       0      0 localhost.9000         localhost.24926        TIME_WAIT
tcp4       0      0 localhost.19203        localhost.6379         TIME_WAIT
tcp4       0      0 localhost.9000         localhost.22835        TIME_WAIT
tcp4       0      0 localhost.11775        localhost.6379         TIME_WAIT
tcp4       0      0 localhost.9000         localhost.16594        TIME_WAIT
tcp4       0      0 localhost.26507        localhost.6379         TIME_WAIT
tcp4       0      0 localhost.9000         localhost.17044        TIME_WAIT
tcp4       0      0 localhost.28910        localhost.6379         TIME_WAIT
tcp4       0      0 localhost.9000         localhost.21417        TIME_WAIT
tcp4       0      0 localhost.20531        localhost.6379         TIME_WAIT
tcp4       0      0 localhost.9000         localhost.32934        TIME_WAIT
tcp4       0      0 localhost.22907        localhost.6379         TIME_WAIT
tcp4       0      0 localhost.9000         localhost.52003        TIME_WAIT
tcp4       0      0 192.168.0.254.17727    nic4-sea.opera.c.domai TIME_WAIT
tcp4       0      0 192.168.0.254.https    192.168.0.10.60560     TIME_WAIT
tcp4       0      0 192.168.0.254.ssh      192.168.0.10.53922     ESTABLISHED
tcp4       0      0 localhost.ssh          *.*                    LISTEN
tcp4       0      0 192.168.0.254.ssh      *.*                    LISTEN
tcp4       0      0 *.https                *.*                    LISTEN
tcp4       0      0 *.http                 *.*                    LISTEN
tcp4       0      0 localhost.9000         *.*                    LISTEN
tcp4       0      0 localhost.6379         *.*                    LISTEN
tcp4       0      0 192.168.0.254.domain   *.*                    LISTEN
tcp4       0      0 localhost.domain       *.*                    LISTEN
udp4       0      0 *.49900                *.*                   
udp4       0      0 *.35440                *.*                   
udp4       0      0 *.21434                *.*                   
udp4       0      0 *.10960                *.*                   
udp4       0      0 localhost.ntp          *.*                   
udp6       0      0 fe80::1%lo0.ntp        *.*                   
udp6       0      0 localhost.ntp          *.*                   
udp4       0      0 192.168.0.254.ntp      *.*                   
udp4       0      0 *.ntp                  *.*                   
udp6       0      0 *.ntp                  *.*                   
udp4       0      0 *.syslog               *.*                   
udp6       0      0 *.syslog               *.*                   
udp4       0      0 192.168.0.254.domain   *.*                   
udp4       0      0 localhost.domain       *.*                   
Active UNIX domain sockets
Address  Type   Recv-Q Send-Q    Inode     Conn     Refs  Nextref Addr
fffff8000657c5a0 stream      0      0        0 fffff800067dbc30        0        0 /tmp/mysql.sock
fffff800067dbc30 stream      0      0        0 fffff8000657c5a0        0        0
fffff8000653bb40 stream      0      0        0        0        0        0
fffff8000653bd20 stream      0      0        0 fffff8000653c0f0        0        0
fffff8000653c0f0 stream      0      0        0 fffff8000653bd20        0        0
fffff8000653c960 stream      0      0 fffff8003e0cb000        0        0        0 /var/run/fail2ban/fail2ban.sock
fffff80006554690 stream      0      0 fffff80006f2d760        0        0        0 /tmp/mysql.sock
fffff8000653ca50 stream      0      0        0 fffff8000653cb40        0        0
fffff8000653cb40 stream      0      0        0 fffff8000653ca50        0        0
fffff8000653cc30 stream      0      0        0 fffff8000653cd20        0        0
fffff8000653cd20 stream      0      0        0 fffff8000653cc30        0        0
fffff8000653ce10 stream      0      0        0 fffff8000653d000        0        0
fffff8000653d000 stream      0      0        0 fffff8000653ce10        0        0
fffff8000653d0f0 stream      0      0        0 fffff8000653d1e0        0        0
fffff8000653d1e0 stream      0      0        0 fffff8000653d0f0        0        0
fffff800067dc0f0 stream      0      0        0 fffff800067dc1e0        0        0
fffff800067dc1e0 stream      0      0        0 fffff800067dc0f0        0        0
fffff800067dc2d0 stream      0      0        0 fffff8000657c870        0        0
fffff8000657c870 stream      0      0        0 fffff800067dc2d0        0        0
fffff8000653d5a0 stream      0      0 fffff800064b1b10        0        0        0 /var/run/local_unbound.ctl
fffff80006554b40 stream      0      0 fffff800063e21d8        0        0        0 /var/run/devd.pipe
fffff8000653c4b0 dgram       0      0        0 fffff8000653d3c0        0 fffff80006554960
fffff80006554960 dgram       0      0        0 fffff8000653d3c0        0        0
fffff8000653d3c0 dgram       0      0 fffff800063e0938        0 fffff8000653c4b0        0 /var/run/logpriv
fffff8000653d4b0 dgram       0      0 fffff800063e0b10        0        0        0 /var/run/log
fffff80006554a50 seqpac      0      0 fffff800063e2000        0        0        0 /var/run/devd.seqpacket.pipe
 

lebarondemerde

Aspiring Daemon

Thanks: 367
Messages: 969

#7
Now I am getting errors like this:

Code:
Invalid URL
The requested URL "[no URL]", is invalid.
Reference #9.2d2511c9.1472863259.44e1521
And there are logs, but just like these:

Code:
Sep 02 21:47:05 unbound[1456:0] notice: init module 0: validator
Sep 02 21:47:05 unbound[1456:0] notice: init module 1: iterator
Sep 02 21:47:05 unbound[1456:0] info: start of service (unbound 1.5.7).
Sep 02 21:47:10 unbound[1456:0] info: 192.168.0.10 s0.wp.com. A IN
Sep 02 21:47:10 unbound[1456:0] info: 192.168.0.10 abrilveja.files.wordpress.com. A IN
Sep 02 21:47:10 unbound[1456:0] info: 192.168.0.10 i0.wp.com. A IN
Sep 02 21:47:10 unbound[1456:0] info: 192.168.0.10 0.gravatar.com. A IN
 

obsigna

Aspiring Daemon

Thanks: 330
Messages: 645

#8
... my ISP is very prone to block things, like ports ...
I am also resident in Brazil, in my case São Paulo (according to your profile you are in Rio de Janeiro), and my ISP (NET) came with a cable modem that also served as the router to the internet. I asked them to put it into bridge mode, and without any complaints the technician did it and in addition showed me how I can do it myself, in case the settings get reset somehow. So, my FreeBSD server is directly connected to the internet with the public IP, and serves as the router for the internal clients at home.

I have configured local_unbound as a recursive caching name server (i.e. this one does recursive DNS resolution starting at the DNS root servers). My ISP (NET) does not block my DNS requests, i.e. UDP port 53 is open here, and I never experienced any problems with this setup.

I wrote 3 blog posts (in German) about this, and perhaps you can grep the basic ideas with the aid of Google Translate:

https://translate.google.com/transl...=de&ie=UTF-8&u=http://blog.obsigna.net/?p=500

https://translate.google.com/transl...=de&ie=UTF-8&u=http://blog.obsigna.net/?p=504

https://translate.google.com/transl...=de&ie=UTF-8&u=http://blog.obsigna.net/?p=509
 

lebarondemerde

Aspiring Daemon

Thanks: 367
Messages: 969

#9
obsigna

Yes, I am in Rio de Janeiro and also with NET, but they do block all ports here for domestic clients; if you want open ports for inbound connections they "force" you to pay for their commercial plan.

Though it is in their contract and literature, I did a test with the router in bridge mode some time ago to document it in order to take legal measures (I have not practiced law for years, but I graduated in law and also have a master's degree indeed). With Law 12.965/14, aka "Marco Civil da Internet", it is clearly illegal to block/filter (and much more) anything; the law says it explicitly. There are so many illegal things in their practice, affecting so many people, that it should rather be a job for the MPF indeed.

Their usual excuse about "commercial use of a domestic connection" is not valid, legally - unless it is done by a company using a domestic plan. They do not have this freedom anymore.

These problems are happening while I use the server locally. NET does block access to addresses very "randomly"; I have already found/heard of blocked poker sites; they may be doing some kind of filtering on DNS roots here for unknown reasons.

I will take a look at your blog posts too; unfortunately my other router with wireless capabilities died recently, so I must use the NET one for a while until I get another. :mad:

Thanks!

EDIT: I can't even ping from an external connection here.

Off topic: I am willing to move to Niterói/RJ due to personal reasons and I heard about PredialNET. They have so much bandwidth available on the fiber network that they do not control the maximum up/down. There are people who pay for (e.g.) 40Mbps and sometimes get 500+Mbps up/down. Everyone I found who is with them just says they love it.
 

obsigna

Aspiring Daemon

Thanks: 330
Messages: 645

#10
obsigna

Yes, I am in Rio de Janeiro and also with NET, but they do block all ports here for domestic clients; if you want open ports for inbound connections they "force" you to pay for their commercial plan ...
Maybe, however, in the present case of failing DNS resolutions we are not talking about incoming connections, because the actual DNS request is an outgoing UDP 53 one, and this cannot be blocked completely -- perhaps limited to their own DNS servers only; however, this would not explain why it sometimes works and occasionally stops working.
 

lebarondemerde

Aspiring Daemon

Thanks: 367
Messages: 969

#11
I am forwarding to GigaDNS, which is the fastest one I found here. I thought it was a router issue, but I remember I had exactly the same problem a few months ago using pfSense and OPNsense, with a completely different router.

Another possibility I have in mind is some kind of network card/driver issue; it is a generic Realtek. I bought an Intel one but am still waiting for the delivery.
 

obsigna

Aspiring Daemon

Thanks: 330
Messages: 645

#12
You can test your DNS connectivity using the drill(1) command. According to the most recently cached DNS root hint zones, the IPv4 address of A.ROOT-SERVERS.NET is 198.41.0.4. The following command sends a query directly to that root DNS server, bypassing my own DNS server and of course anything that may be provided by the ISP.
Code:
drill obsigna.com @198.41.0.4
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 8006
;; flags: qr rd ; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 14
;; QUESTION SECTION:
;; obsigna.com.    IN    A

;; ANSWER SECTION:

;; AUTHORITY SECTION:
com.    172800    IN    NS    a.gtld-servers.net.
com.    172800    IN    NS    b.gtld-servers.net.
com.    172800    IN    NS    c.gtld-servers.net.
com.    172800    IN    NS    d.gtld-servers.net.
com.    172800    IN    NS    e.gtld-servers.net.
com.    172800    IN    NS    f.gtld-servers.net.
com.    172800    IN    NS    g.gtld-servers.net.
com.    172800    IN    NS    h.gtld-servers.net.
com.    172800    IN    NS    i.gtld-servers.net.
com.    172800    IN    NS    j.gtld-servers.net.
com.    172800    IN    NS    k.gtld-servers.net.
com.    172800    IN    NS    l.gtld-servers.net.
com.    172800    IN    NS    m.gtld-servers.net.

;; ADDITIONAL SECTION:
a.gtld-servers.net.    172800    IN    A    192.5.6.30
b.gtld-servers.net.    172800    IN    A    192.33.14.30
c.gtld-servers.net.    172800    IN    A    192.26.92.30
d.gtld-servers.net.    172800    IN    A    192.31.80.30
e.gtld-servers.net.    172800    IN    A    192.12.94.30
f.gtld-servers.net.    172800    IN    A    192.35.51.30
g.gtld-servers.net.    172800    IN    A    192.42.93.30
h.gtld-servers.net.    172800    IN    A    192.54.112.30
i.gtld-servers.net.    172800    IN    A    192.43.172.30
j.gtld-servers.net.    172800    IN    A    192.48.79.30
k.gtld-servers.net.    172800    IN    A    192.52.178.30
l.gtld-servers.net.    172800    IN    A    192.41.162.30
m.gtld-servers.net.    172800    IN    A    192.55.83.30
a.gtld-servers.net.    172800    IN    AAAA    2001:503:a83e::2:30

;; Query time: 155 msec
;; SERVER: 198.41.0.4
;; WHEN: Sat Sep  3 00:52:42 2016
;; MSG SIZE  rcvd: 489
Since this is a recursive request, I get a result for the first level .com only, namely a list of name servers that may give answers for the second level. Now, let's ask the same question again of one of the listed servers (e.gtld-servers.net):
Code:
# drill obsigna.com @192.12.94.30
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 62830
;; flags: qr rd ; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 0
;; QUESTION SECTION:
;; obsigna.com.    IN    A

;; ANSWER SECTION:

;; AUTHORITY SECTION:
obsigna.com.    172800    IN    NS    docks18.rzone.de.
obsigna.com.    172800    IN    NS    shades19.rzone.de.

;; ADDITIONAL SECTION:

;; Query time: 136 msec
;; SERVER: 192.12.94.30
;; WHEN: Sat Sep  3 00:54:50 2016
;; MSG SIZE  rcvd: 82
And this is already the final result. If you can do the same with your connection to the internet, then your ISP is not blocking outgoing DNS UDP 53 connections, and the problem is related to the DNS server that you set as the forwarder.
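The two drill responses above walk the delegation chain by hand: the root answers with a referral to the .com servers plus glue, and the .com server answers with a referral to the domain's own name servers. The following Python example is added here and is not part of the post, nor is it code from drill or ldns: it parses drill output into its sections and, for a referral, pairs each delegated name server with the glue addresses from the ADDITIONAL section, which is exactly the decision an iterative resolver such as unbound makes at each hop. The embedded responses are the two from the post; the root one is trimmed to three of its thirteen NS records. The second response also shows the case where the referral carries no glue (the rzone.de servers are outside the .com zone), so the resolver must look the NS names up separately before it can continue, one more round trip on which a flaky upstream path can show up as a slow or failed lookup.

```python
"""Parse drill(1) output into sections and extract the referral an iterative
resolver would follow next. Added example, not code from the thread or from
drill/ldns. The sample responses are the two quoted in the post; the root
response is trimmed to three NS records and their glue."""
import re
from typing import Dict, List, Optional, Tuple

# Trimmed from the post's first drill run (root server 198.41.0.4).
ROOT_RESPONSE = """drill obsigna.com @198.41.0.4
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 8006
;; flags: qr rd ; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 14
;; QUESTION SECTION:
;; obsigna.com.    IN    A

;; ANSWER SECTION:

;; AUTHORITY SECTION:
com.    172800    IN    NS    a.gtld-servers.net.
com.    172800    IN    NS    e.gtld-servers.net.
com.    172800    IN    NS    m.gtld-servers.net.

;; ADDITIONAL SECTION:
a.gtld-servers.net.    172800    IN    A    192.5.6.30
e.gtld-servers.net.    172800    IN    A    192.12.94.30
m.gtld-servers.net.    172800    IN    A    192.55.83.30
a.gtld-servers.net.    172800    IN    AAAA    2001:503:a83e::2:30

;; Query time: 155 msec
"""

# The post's second drill run (e.gtld-servers.net), complete.
TLD_RESPONSE = """# drill obsigna.com @192.12.94.30
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 62830
;; flags: qr rd ; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 0
;; QUESTION SECTION:
;; obsigna.com.    IN    A

;; ANSWER SECTION:

;; AUTHORITY SECTION:
obsigna.com.    172800    IN    NS    docks18.rzone.de.
obsigna.com.    172800    IN    NS    shades19.rzone.de.

;; ADDITIONAL SECTION:

;; Query time: 136 msec
"""

SECTION_RE = re.compile(r"^;; (QUESTION|ANSWER|AUTHORITY|ADDITIONAL) SECTION:$")
RCODE_RE = re.compile(r"rcode: (\w+)")
FLAGS_RE = re.compile(r"^;; flags: ([a-z ]*);")


def parse_drill(text: str) -> Dict:
    """Split a drill response into header fields and resource-record sections."""
    out = {"rcode": None, "flags": [], "question": [],
           "answer": [], "authority": [], "additional": []}
    section: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        sec = SECTION_RE.match(line)
        if sec:
            section = sec.group(1).lower()
            continue
        if line.startswith(";; ->>HEADER<<-"):
            m = RCODE_RE.search(line)
            out["rcode"] = m.group(1) if m else None
            continue
        flags = FLAGS_RE.match(line)
        if flags:
            out["flags"] = flags.group(1).split()
            continue
        if line.startswith(";;"):
            # The question is printed as ";; name class type"; other ";;" lines are trailers.
            parts = line[2:].split()
            if section == "question" and len(parts) == 3:
                out["question"].append(tuple(parts))
            continue
        if section in ("answer", "authority", "additional"):
            parts = line.split()
            if len(parts) >= 5:  # name ttl class type rdata...
                out[section].append({"name": parts[0], "ttl": int(parts[1]),
                                     "type": parts[3], "rdata": " ".join(parts[4:])})
    return out


def classify(parsed: Dict) -> str:
    """'answer', 'referral' (NS in authority, empty answer), 'nodata' or 'error'."""
    if parsed["rcode"] != "NOERROR":
        return "error"
    if parsed["answer"]:
        return "answer"
    if any(rr["type"] == "NS" for rr in parsed["authority"]):
        return "referral"
    return "nodata"


def next_hop_servers(parsed: Dict) -> List[Tuple[str, List[str]]]:
    """Pair each delegated NS name with its glue addresses; an empty list means
    no glue was supplied and the NS name must be resolved before continuing."""
    glue: Dict[str, List[str]] = {}
    for rr in parsed["additional"]:
        if rr["type"] in ("A", "AAAA"):
            glue.setdefault(rr["name"], []).append(rr["rdata"])
    return [(rr["rdata"], glue.get(rr["rdata"], []))
            for rr in parsed["authority"] if rr["type"] == "NS"]


if __name__ == "__main__":
    for label, text in (("root", ROOT_RESPONSE), ("gtld", TLD_RESPONSE)):
        parsed = parse_drill(text)
        print(label, classify(parsed))
        for ns, addrs in next_hop_servers(parsed):
            print("   next:", ns, addrs or "(no glue)")
```

Running it prints `referral` for both responses, the .com servers with their addresses, and the two rzone.de servers marked `(no glue)`.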
 

lebarondemerde

Aspiring Daemon

Thanks: 367
Messages: 969

#13
Yes, it works using drill.

Just let me point out that I only have problems when I do not use the forwarders but root hints only, which are updated monthly.
 

lebarondemerde

Aspiring Daemon

Thanks: 367
Messages: 969

#14
Correction!

Now I did the tests when the problem came back:

Code:
Error: error sending query: Could not send or receive, because of network error
 

obsigna

Aspiring Daemon

Thanks: 330
Messages: 645

#15
Yes, it works using drill.

Just let me point out that I only have problems when I do not use the forwarders but root hints only, which are updated monthly.
Sorry, I overlooked that part. Anyway, from your test result we can rule out any blocking by your ISP as the cause of the problem.

For the next troubleshooting step, I suggest simplifying the unbound rule set to the bare necessities:
Code:
server:
        username: unbound
        directory: /var/unbound
        chroot: /var/unbound
        pidfile: /var/run/local_unbound.pid
        auto-trust-anchor-file: /var/unbound/root.key

        outgoing-range: 512
        root-hints: /var/unbound/root-hints.zones
        interface: 127.0.0.1
        interface: 192.168.0.254
        interface: ::1
        access-control: 127.0.0.1 allow
        access-control: 192.168.0.0/24 allow
        access-control: 0.0.0.0/0 deny
        access-control: ::0/0 deny
        private-address: 0.0.0.0/8
        private-address: 127.0.0.0/8
        private-address: 169.254.0.0/16
        private-address: 10.0.0.0/8
        private-address: 172.16.0.0/12
        private-address: 192.168.0.0/16
        private-address: fd00::/8
        private-address: fe80::/10
Then try again.
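When trimming an access-control list like the one above it is worth being exact about how unbound evaluates it, as unbound.conf(5) describes: the most specific matching netblock decides, localhost is allowed by default, everything else is refused unless a rule says otherwise, and deny differs from refuse in that deny drops the query silently (the client then waits for its timeout) while refuse returns REFUSED immediately. The Python example below is added here and is not code from the thread or from unbound; it reproduces that evaluation over the interface and access-control lines of the configuration suggested above, and over a rule set with no catch-all lines, so the effect of the implicit defaults can be seen. The list of implicit default entries is my reading of the manual and is marked as such in the code.

```python
"""Evaluate an unbound access-control list the way unbound.conf(5) describes
it: most specific matching netblock wins, localhost is allowed by default, the
rest is refused unless configured otherwise. Added example, not code from the
thread or from unbound. SUGGESTED_CONF is the server clause proposed in post
#15, reduced to its interface and access-control lines."""
import ipaddress
from typing import List, Tuple, Union

Net = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Implicit entries, per the manual ("only localhost is allowed, the rest is
# refused"); my reading of unbound.conf(5). They take effect only when the same
# netblock is not configured explicitly.
DEFAULT_RULES = [("0.0.0.0/0", "refuse"), ("::0/0", "refuse"),
                 ("127.0.0.0/8", "allow"), ("::1", "allow"),
                 ("::ffff:127.0.0.1", "allow")]

# Reduced from the configuration suggested in the post above.
SUGGESTED_CONF = """
server:
        interface: 127.0.0.1
        interface: 192.168.0.254
        interface: ::1
        access-control: 127.0.0.1 allow
        access-control: 192.168.0.0/24 allow
        access-control: 0.0.0.0/0 deny
        access-control: ::0/0 deny
"""


def parse_conf(conf: str) -> Tuple[List[Tuple[Net, str]], List[str]]:
    """Pull explicit access-control rules and interface addresses out of a server clause."""
    rules: List[Tuple[Net, str]] = []
    interfaces: List[str] = []
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if line.startswith("access-control:"):
            netblock, action = line.split(":", 1)[1].split()
            rules.append((ipaddress.ip_network(netblock, strict=False), action))
        elif line.startswith("interface:"):
            # "interface: addr" or "interface: addr@port"; keep the address only
            interfaces.append(line.split(":", 1)[1].strip().split("@")[0])
    return rules, interfaces


def build_acl(conf: str) -> Tuple[List[Tuple[Net, str]], List[str]]:
    """Explicit rules plus the implicit defaults for netblocks not configured."""
    rules, interfaces = parse_conf(conf)
    configured = {net for net, _ in rules}
    for block, action in DEFAULT_RULES:
        net = ipaddress.ip_network(block)
        if net not in configured:
            rules.append((net, action))
    return rules, interfaces


def acl_decision(rules: List[Tuple[Net, str]], client: str) -> str:
    """Longest-prefix match over the rules; 'refuse' if nothing matches."""
    addr = ipaddress.ip_address(client)
    best = None
    for net, action in rules:
        if net.version == addr.version and addr in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, action)
    return best[1] if best else "refuse"


def audit_listeners(conf: str) -> List[Tuple[str, str]]:
    """For each listening address, the decision a local client using that
    address as source would get; a non-allow here means the listener is
    unreachable for local tools such as drill or unbound-host."""
    rules, interfaces = build_acl(conf)
    return [(iface, acl_decision(rules, iface)) for iface in interfaces]


if __name__ == "__main__":
    rules, _ = build_acl(SUGGESTED_CONF)
    for client in ("127.0.0.1", "192.168.0.10", "10.0.0.5", "::1"):
        print(f"{client:>14} -> {acl_decision(rules, client)}")
    print(audit_listeners(SUGGESTED_CONF))
```

With the suggested rules a LAN client is allowed, any other IPv4 source is silently dropped by the explicit `0.0.0.0/0 deny`, and ::1 stays reachable through the implicit localhost allow; with only a `192.168.0.0/24 allow` line, outsiders get REFUSED instead.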
 

lebarondemerde

Aspiring Daemon

Thanks: 367
Messages: 969

#17
Check your cables and connectors.
I already did that. :)

I changed all of them for new ones. At the same time it would not explain why I only have problems when just using root hints.

I will try using wireless to see what happens!

I tested with the simplified configuration file, but I had to add include: /var/unbound/control.conf, otherwise I got tons of errors like these:

Code:
aiting for nameserver to start...[1472876498] unbound-control[14409:0] warning: control-enable is 'no' in the config file.
error: Error setting up SSL_CTX client key and cert
34388873928:error:02001002:system library:fopen:No such file or directory:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/bio/bss_file.c:398:fopen('/var/unbound/unbound_control.pem','r')
34388873928:error:20074002:BIO routines:FILE_CTRL:system lib:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/bio/bss_file.c:400:
34388873928:error:140DC002:SSL routines:SSL_CTX_use_certificate_chain_file:system lib:/usr/src/secure/lib/libssl/../../../crypto/openssl/ssl/ssl_rsa.c:687:
.[1472876499] unbound-control[14412:0] warning: control-enable is 'no' in the config file.
error: Error setting up SSL_CTX client key and cert
34388873928:error:02001002:system library:fopen:No such file or directory:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/bio/bss_file.c:398:fopen('/var/unbound/unbound_control.pem','r')
34388873928:error:20074002:BIO routines:FILE_CTRL:system lib:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/bio/bss_file.c:400:
34388873928:error:140DC002:SSL routines:SSL_CTX_use_certificate_chain_file:system lib:/usr/src/secure/lib/libssl/../../../crypto/openssl/ssl/ssl_rsa.c:687:
.[1472876500] unbound-control[14415:0] warning: control-enable is 'no' in the config file.
error: Error setting up SSL_CTX client key and cert
  388873928:error:02001002:system library:fopen:No such file or directory:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/bio/bss_file.c:398:fopen('/var/unbound/unbound_control.pem','r')
34388873928:error:20074002:BIO routines:FILE_CTRL:system lib:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/bio/bss_file.c:400:
34388873928:error:140DC002:SSL routines:SSL_CTX_use_certificate_chain_file:system lib:/usr/src/secure/lib/libssl/../../../crypto/openssl/ssl/ssl_rsa.c:687:
Thanks!
 

lebarondemerde

Aspiring Daemon

Thanks: 367
Messages: 969

#18
Hum. Apparently there is no problem using wireless.

The cables are new, so there may be a problem with the router/laptop port/card.

The router just has two ports, one used by the server and the other by my laptop, so exchanging them would not make a difference. I have a small switch somewhere here. Tomorrow I will look for it to test it.

But it is still weird that I only have the problem when using a specific configuration. :confused:

EDIT: I had problems while using another router. So, it is most probably on my laptop or server card.

Thanks!
 

lebarondemerde

Aspiring Daemon

Thanks: 367
Messages: 969

#20
Shame on me! I forgot the wireless connection was using DHCP, so it was not using the unbound DNS but the ISP one.

I will wait for the Intel board to arrive before hooking onto this problem again.

Thanks!
 

lebarondemerde

Aspiring Daemon

Thanks: 367
Messages: 969

#21
I bought a new router and the ISP one is working in bridge mode now. After an hour of using Unbound without the forwarders with no issues, I think the ISP router was the problem.

Thanks!
 

lebarondemerde

Aspiring Daemon

Thanks: 367
Messages: 969

#22
The problem again. I made some changes to unbound.conf and now it stops working about once a day:

Code:
server:
        port: 53
        username: unbound
        directory: /var/unbound
        chroot: /var/unbound
        pidfile: /var/run/local_unbound.pid
        auto-trust-anchor-file: /var/unbound/root.key
        root-hints: "/var/unbound/root.hints"

        #val-permissive-mode: yes

        logfile: log/unbound.log
        log-time-ascii: yes
        val-log-level: 2

        do-ip6: no

        interface: 127.0.0.1
        interface: 192.168.0.200
        access-control: 192.168.0.0/24 allow
        access-control: 127.0.0.0/8 allow
        private-address: 192.168.0.0/24
        private-domain: privacychain.ch

        qname-minimisation: yes
        minimal-responses: no
        hide-identity: yes
        hide-version: yes
        do-not-query-localhost: no
        val-clean-additional: yes

        prefetch: yes
        prefetch-key: yes

        num-threads: 4
        msg-cache-slabs: 8
        rrset-cache-slabs: 8
        infra-cache-slabs: 8
        key-cache-slabs: 8
        rrset-cache-size: 100m
        msg-cache-size: 50m
        outgoing-range: 200
        num-queries-per-thread: 100
        so-rcvbuf: 1m
        so-sndbuf: 1m

        unblock-lan-zones: yes
        insecure-lan-zones: yes

include: /var/unbound/conf.d/*.conf

#forward-zone:
#       name: .
#       forward-addr: 37.235.1.174
#       forward-addr: 37.235.1.177

remote-control:
        control-enable: yes
        control-interface: /var/run/local_unbound.ctl
        control-use-cert: no
I found out that if the problem appears and I activate "val-permissive-mode: yes" for a while, the problem goes away, which seems to be a DNSSEC problem indeed. Later I also found out that if I run unbound-anchor instead, unbound comes back to work right after.

Now I do not know how to fix it permanently.
 

lebarondemerde

Aspiring Daemon

Thanks: 367
Messages: 969

#23
I gave up and installed Unbound from ports in a jail with libevent support. It seems to be working perfectly now.

Thanks!
 

lebarondemerde

Aspiring Daemon

Thanks: 367
Messages: 969

#24
No, it is not solved, sorry, but I think I (partially) found what is causing it.

After a discussion on the Unbound mailing list, and using unbound-control dump_requestlist when the problem appears, I found out Unbound is trying to resolve AAAA records while my network is completely IPv6 free:

Code:
thread #0
thread #0
#   type cl name    seconds    module status
  0    A IN blade.4t2.com. - iterator wait for 217.11.57.53
  1 AAAA IN www.edicron.com. 40.960788 iterator wait for 217.160.83.143
  2 AAAA IN www.edicron.com.privacychain.ch. 10.932778 iterator wait for 185.148.76.30
  3 AAAA IN www.tubetown.de. 6.024901 iterator wait for 88.198.65.232
  4 AAAA IN www.eurotubes.com. 11.084678 iterator wait for 208.109.255.22
  5 AAAA IN www.tubemonger.com. 10.982738 iterator wait for 69.49.191.246
  6 AAAA IN www.diyhifisupply.com. 40.981773 iterator wait for 216.35.197.129
  7 AAAA IN www.diyhifisupply.com.privacychain.ch. 10.954016 iterator wait for 185.148.76.30
  8 AAAA IN www.hificollective.co.uk. 41.052734 iterator wait for 212.67.202.2
  9 AAAA IN www.hificollective.co.uk.privacychain.ch. 11.024719 iterator wait for 46.16.200.135
I have no idea why this is happening, nor do the people on the Unbound list. I sent an e-mail to freebsd-net@freebsd.org but have had no reply yet.

Note this is my current unbound.conf:

Code:
server:
        port: 53
        username: unbound
        directory: /usr/local/etc/unbound
        chroot: /usr/local/etc/unbound
        pidfile: /usr/local/etc/unbound/unbound.pid
        auto-trust-anchor-file: /usr/local/etc/unbound/root.key
        root-hints: "/usr/local/etc/unbound/root.hints"

        logfile: log/unbound.log
        log-time-ascii: yes
        val-log-level: 2

        do-ip6: no

        interface: 127.0.0.2
        interface: 192.168.0.220

        access-control: 127.0.0.2/16 allow
        access-control: 192.168.0.0/24 allow_snoop

        private-address: 192.168.0.0/24
        private-domain: privacychain.ch

        qname-minimisation: yes
        minimal-responses: yes
        hide-identity: yes
        hide-version: yes
        do-not-query-localhost: no
        val-clean-additional: yes

        harden-glue: yes
        harden-dnssec-stripped: yes

        unwanted-reply-threshold: 10000

        prefetch: yes
        prefetch-key: yes

        cache-min-ttl: 3600
        cache-max-ttl: 86400

        num-threads: 4
        msg-cache-slabs: 8
        rrset-cache-slabs: 8
        infra-cache-slabs: 8
        key-cache-slabs: 8

        rrset-roundrobin: yes
        rrset-cache-size: 100m
        msg-cache-size: 50m

        outgoing-range: 8192
        num-queries-per-thread: 4096

        so-rcvbuf: 1m
        so-sndbuf: 1m

        unblock-lan-zones: yes
        insecure-lan-zones: yes

include: /usr/local/etc/unbound/conf.d/*.conf

#forward-zone:
#       name: .
#       forward-addr: 189.38.95.95
#       forward-addr: 189.38.95.96

remote-control:
        control-enable: yes
        control-interface: /usr/local/etc/unbound/unbound.ctl
        control-use-cert: no
Just to point out, the problem appears about once a day now if there is just one client of Unbound. If I add a second client, usually a Mac mini, Unbound hangs almost completely. :mad:

Thank you!
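The dump_requestlist output in the post above carries more than the AAAA/A split: each line also says how long the query has been pending and which upstream address the iterator is waiting on, and several names end in the private-domain suffix privacychain.ch, which is what a stub resolver produces when it appends its search list after the name as typed did not resolve. One unbound caveat belongs here as well: do-ip6: no only disables IPv6 transport to upstream servers; it does not stop clients asking for AAAA records, so AAAA queries in the request list are expected even on an IPv4-only network. The Python example below is added here and is not code from the thread or from unbound; it parses the quoted dump, counts pending queries by type, ranks the longest-waiting ones with their upstreams, and pairs each search-list name with the as-typed name it was derived from, so that a stuck upstream or a client-side search-list loop can be told apart at a glance. The suffix and the 30-second threshold are parameters chosen for this example.

```python
"""Triage `unbound-control dump_requestlist` output: queries by type, the
longest-waiting entries with the upstream they wait on, and names that carry
the LAN search-list suffix paired with the name they were derived from.
Added example, not code from the thread or from unbound. REQUESTLIST is the
dump quoted in the post above."""
from collections import Counter
from typing import Dict, List, Optional

REQUESTLIST = """thread #0
thread #0
#   type cl name    seconds    module status
  0    A IN blade.4t2.com. - iterator wait for 217.11.57.53
  1 AAAA IN www.edicron.com. 40.960788 iterator wait for 217.160.83.143
  2 AAAA IN www.edicron.com.privacychain.ch. 10.932778 iterator wait for 185.148.76.30
  3 AAAA IN www.tubetown.de. 6.024901 iterator wait for 88.198.65.232
  4 AAAA IN www.eurotubes.com. 11.084678 iterator wait for 208.109.255.22
  5 AAAA IN www.tubemonger.com. 10.982738 iterator wait for 69.49.191.246
  6 AAAA IN www.diyhifisupply.com. 40.981773 iterator wait for 216.35.197.129
  7 AAAA IN www.diyhifisupply.com.privacychain.ch. 10.954016 iterator wait for 185.148.76.30
  8 AAAA IN www.hificollective.co.uk. 41.052734 iterator wait for 212.67.202.2
  9 AAAA IN www.hificollective.co.uk.privacychain.ch. 11.024719 iterator wait for 46.16.200.135
"""


def parse_requestlist(text: str) -> List[Dict]:
    """One dict per pending query; 'seconds' is None where the dump prints '-'."""
    entries: List[Dict] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("thread") or line.startswith("#"):
            continue
        parts = line.split(None, 6)  # idx type class name seconds module status...
        if len(parts) < 7:
            continue
        idx, qtype, qclass, name, seconds, module, status = parts
        entries.append({
            "id": int(idx), "type": qtype, "class": qclass, "name": name,
            "seconds": None if seconds == "-" else float(seconds),
            "module": module, "status": status,
            # "wait for <ip>": the upstream the iterator is currently waiting on
            "upstream": status.split()[-1] if status.startswith("wait for") else None,
        })
    return entries


def summarize(entries: List[Dict], lan_suffix: str = "privacychain.ch",
              slow_after: float = 30.0) -> Dict:
    """Counts by qtype, slow entries (longest first), upstream load, and
    search-list names paired with the as-typed name they were built from."""
    suffix = "." + lan_suffix.strip(".") + "."
    pending = {e["name"] for e in entries}
    slow = sorted((e for e in entries
                   if e["seconds"] is not None and e["seconds"] >= slow_after),
                  key=lambda e: e["seconds"], reverse=True)
    search_pairs = []
    for e in entries:
        if e["name"].endswith(suffix):
            base = e["name"][:-len(suffix)] + "."   # strip suffix, keep trailing dot
            search_pairs.append((base, e["name"], base in pending))
    return {
        "total": len(entries),
        "by_type": dict(Counter(e["type"] for e in entries)),
        "slow": [(e["name"], e["type"], e["seconds"], e["upstream"]) for e in slow],
        "upstreams": dict(Counter(e["upstream"] for e in entries if e["upstream"])),
        "search_pairs": search_pairs,
    }


if __name__ == "__main__":
    report = summarize(parse_requestlist(REQUESTLIST))
    print("pending:", report["total"], report["by_type"])
    for name, qtype, secs, upstream in report["slow"]:
        print(f"  slow {secs:6.2f}s {qtype:4} {name} waiting on {upstream}")
    for base, derived, base_pending in report["search_pairs"]:
        print(f"  search-list: {derived} <- {base} (base pending: {base_pending})")
```

On the quoted dump this reports nine AAAA and one A query, three entries waiting over 40 seconds, and three search-list names whose as-typed base names are themselves still pending, i.e. the client moved on to its search list while unbound was still waiting on the first lookup.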