I have a very weird DNS resolution problem that I cannot figure out. I'm running OPNsense 20.7.8_4. I'm using unbound in resolver mode with DNSSEC turned on and unbound traffic sent out via Mullvad OpenVPN (UDP) tunnel.
The setup generally works great, but for some reason, unbound fails to resolve certain domains. For example, it will not resolve "workplace.schwab.com." There are likely other domains, but I don't have a list. What I found is that unbound will resolve "workplace.schwab.com" if I either:
1) turn off DNSSEC (and continue to send unbound traffic via VPN); OR
2) send unbound traffic out via WAN (in this case, I do NOT have to turn off DNSSEC).
If I do not do either of the above, unbound does not resolve "workplace.schwab.com". If I go to Interfaces --> Diagnostics --> DNS Lookup and put in "workplace.schwab.com," it would take about 10 seconds to run, and return the following:
Response
Type Address
CNAME workplace.gslb.schwab.com.
A 162.93.221.50
Resolution time per server
Server Query time
127.0.0.1 No response
1.1.1.1 45 msec
1.0.0.1 8 msec
As you can see above, in forward mode (to 1.1.1.1 or 1.0.0.1), DNS resolution works fine. But unbound at 127.0.0.1 gets "No response."
If I SSH into OPNsense and run dig at the shell, nothing seems obviously wrong EXCEPT the dig takes like 2.5 minutes to complete (it pauses for a super long time between the first block of output for the root-servers and the second block of output, then the remaining blocks of output follow very quickly). Here is the output.
root@OPNsense:~ # dig @127.0.0.1 workplace.schwab.com +trace
; <<>> DiG 9.16.10 <<>> @127.0.0.1 workplace.schwab.com +trace
; (1 server found)
;; global options: +cmd
. 80398 IN NS m.root-servers.net.
. 80398 IN NS a.root-servers.net.
. 80398 IN NS b.root-servers.net.
. 80398 IN NS c.root-servers.net.
. 80398 IN NS d.root-servers.net.
. 80398 IN NS e.root-servers.net.
. 80398 IN NS f.root-servers.net.
. 80398 IN NS g.root-servers.net.
. 80398 IN NS h.root-servers.net.
. 80398 IN NS i.root-servers.net.
. 80398 IN NS j.root-servers.net.
. 80398 IN NS k.root-servers.net.
. 80398 IN NS l.root-servers.net.
. 80398 IN RRSIG NS 8 0 518400 20210318050000 20210305040000 42351 . RGrSTUNk4Ad41ITau7wzwMrm6Uk/ReeJlR/1cul8D1bs7qdYZOeICUvX CU+j9KipCbh0VUKvbcVWXFlpWoy9k/4ay0u1ZB5BbooERfyfGVyTe4ru pXrXymKeFLetZFhUr2KoO6ITyigRPPNvJFkRhwUn6nHqgCiHEvdG2cZW FmmvFpZ+0ejIB1h7lJYg+iaG8be2tI3aXp3CF/u8Cerjii5DddESAZrL bR9K6SeeQB9GxabnQJMvFY2FXsHBps9BQkx6D1vc5Vpn8E7R4e3uIcte Rt0c7fwvOyZE1lwHsvhxIaXugLJdlSX0bWT5XwGtGFm3xo6OHuL2cqXJ 9HbxVQ==
;; Received 525 bytes from 127.0.0.1#53(127.0.0.1) in 0 ms
com. 172800 IN NS l.gtld-servers.net.
com. 172800 IN NS b.gtld-servers.net.
com. 172800 IN NS c.gtld-servers.net.
com. 172800 IN NS d.gtld-servers.net.
com. 172800 IN NS e.gtld-servers.net.
com. 172800 IN NS f.gtld-servers.net.
com. 172800 IN NS g.gtld-servers.net.
com. 172800 IN NS a.gtld-servers.net.
com. 172800 IN NS h.gtld-servers.net.
com. 172800 IN NS i.gtld-servers.net.
com. 172800 IN NS j.gtld-servers.net.
com. 172800 IN NS k.gtld-servers.net.
com. 172800 IN NS m.gtld-servers.net.
com. 86400 IN DS 30909 8 2 E2D3C916F6DEEAC73294E8268FB5885044A833FC5459588F4A9184CF C41A5766
com. 86400 IN RRSIG DS 8 1 86400 20210318050000 20210305040000 42351 . bVi/an3ya9VuX/O+2R5wTHP5+Ea7jmmQD+ZVs6rbmTpExiGl8Hsc8P+5 HSIbOcN9qcv/wnXoVwm8zLQojXWxJO4o4rkfAWI2fQ4ZvgEzZF5rxbmz DhOrXOexP7Yick8UqQpX8KADBrU6cH+jv1sYcc+pcDX0GzIq/LQV3bSa crTjtxBiqhYT8LD3d7bQ/kDbo6jyXMQTe77j2qFohW2+X3KBTpfFK6BZ iIrslY0OUYSCMqasCk9v5wSkM3qE0ebJlo71zcJVeGVaLEAEupS/HEzb ne+KSBIOMHJ3zSmZaFMXCZPSYmBAF2poNSh+L13Xpkf4Ib7w12PtWPUz BplviQ==
;; Received 1180 bytes from 192.5.5.241#53(f.root-servers.net) in 7 ms
schwab.com. 172800 IN NS ns1.schwab.com.
schwab.com. 172800 IN NS ns2.schwab.com.
schwab.com. 172800 IN NS ns3.schwab.com.
schwab.com. 172800 IN NS ns4.schwab.com.
schwab.com. 172800 IN NS a9-65.akam.net.
schwab.com. 172800 IN NS a8-64.akam.net.
schwab.com. 86400 IN DS 3829 8 2 8B39D6D8CE4FA5D55DEB38CF05BB81E0CC087FA978AB9E0721411513 86CF2EA2
schwab.com. 86400 IN RRSIG DS 8 2 86400 20210309054915 20210302043915 58540 com. WCclyXLsxq4uaQpBB5WFJZvYbVNCra/EeN/AaBE+xVT0e+W9P0rJnWOM 1MdQ+FFdQDQndy9HQantJh7pOYsrroIrBDC84/MvvihnAzl0cSzUv8/1 zH95Rn0TGmyP1iGtUoBR9LTspXOy6vd6bsi3x8/J/KjzHco31YeBig1j nUSvSOG+w0gOx5XWq+1jkfh8rtIVTb8gDfDRc/muamDnNQ==
;; Received 476 bytes from 192.54.112.30#53(h.gtld-servers.net) in 22 ms
workplace.schwab.com. 300 IN CNAME workplace.gslb.schwab.com.
workplace.schwab.com. 300 IN RRSIG CNAME 8 3 300 20210313093720 20210211084427 43563 schwab.com. HMRYlzV44nhXrDntld7SwDAbk/zihLTrIwF+O6TnjdBjzwyAmYmT1BJA 9cAT7JAtQ8jKrkQDXvfrVdWZWiN/Pgrd1sjpprnasNaggYG/lg9hsfWU PawjDfTLfXs0jC/6PVHNcmJS1JoplkB8ccdzFMbFDw6qpxhx5ISP3MeX yl9yKrl7YJH69ufLv503ZU0tKKZ6oHJg60D07U9uxSuu6LZ6aDbYT0IA SHCEgVWq25uKBTS8eTekYalS0clyCYH9oeJ9JRN0GL84AoAlsZqOUeEj rde0yCzPk/aTCTZat8PgCP0Uz4gP/ooz6htu7TdCL7hDhqlRjbdowgIW Lq6CFg==
gslb.schwab.com. 900 IN NS gslb-anycast.schwab.com.
gslb.schwab.com. 86400 IN DS 28456 8 2 D62CE9A0008171EE1F9DAC7A50AC167ADFCCF12A85C0314083F9CB86 8AC8C52F
gslb.schwab.com. 86400 IN RRSIG DS 8 3 86400 20210313094830 20210211090458 43563 schwab.com. ZaD1MLn/fOWaXgwZ6pyP2eKF5aG4t6fwjnRau/YF6zjigvfGHU+sNa26 qyzcFu2dnEUZsmnie2WDN4w7IhnkbzRUnzPN2Dkegj7gVvJ23UbkDOxP sQIxLWkog5okaUK9fv03Rh9pNk8pTEVUoSn/nnuPXrU57eJwscl2BJCc 6dzDuruTNE+wtmHe97tv3HZupWhyy4B5MpAKh6awWRBShpLmIE2NK0cR Hkwfo+Vb1cE2yfH6XTDQA/QeV1mBw32uvPQBT9Tp1ZGF6THjqZWyfaCV 1hsSN+KWavOgAjWxIt0OqJrfGewaQCQJDn5n0MrXQxB3ndoSxk/8/vYk wALTcw==
;; Received 1063 bytes from 162.93.253.171#53(ns3.schwab.com) in 43 ms
And if I dig "workplace.gslb.schwab.com" I get the correct IP address (162.93.221.50). Again, the dig takes 2.5 minutes to complete, but the pause is only between the first block of output and the second block of output. Here is the output.
root@OPNsense:~ # dig @127.0.0.1 workplace.gslb.schwab.com +trace
; <<>> DiG 9.16.10 <<>> @127.0.0.1 workplace.gslb.schwab.com +trace
; (1 server found)
;; global options: +cmd
. 80069 IN NS i.root-servers.net.
. 80069 IN NS j.root-servers.net.
. 80069 IN NS k.root-servers.net.
. 80069 IN NS l.root-servers.net.
. 80069 IN NS m.root-servers.net.
. 80069 IN NS a.root-servers.net.
. 80069 IN NS b.root-servers.net.
. 80069 IN NS c.root-servers.net.
. 80069 IN NS d.root-servers.net.
. 80069 IN NS e.root-servers.net.
. 80069 IN NS f.root-servers.net.
. 80069 IN NS g.root-servers.net.
. 80069 IN NS h.root-servers.net.
. 80069 IN RRSIG NS 8 0 518400 20210318050000 20210305040000 42351 . RGrSTUNk4Ad41ITau7wzwMrm6Uk/ReeJlR/1cul8D1bs7qdYZOeICUvX CU+j9KipCbh0VUKvbcVWXFlpWoy9k/4ay0u1ZB5BbooERfyfGVyTe4ru pXrXymKeFLetZFhUr2KoO6ITyigRPPNvJFkRhwUn6nHqgCiHEvdG2cZW FmmvFpZ+0ejIB1h7lJYg+iaG8be2tI3aXp3CF/u8Cerjii5DddESAZrL bR9K6SeeQB9GxabnQJMvFY2FXsHBps9BQkx6D1vc5Vpn8E7R4e3uIcte Rt0c7fwvOyZE1lwHsvhxIaXugLJdlSX0bWT5XwGtGFm3xo6OHuL2cqXJ 9HbxVQ==
;; Received 525 bytes from 127.0.0.1#53(127.0.0.1) in 0 ms
com. 172800 IN NS a.gtld-servers.net.
com. 172800 IN NS b.gtld-servers.net.
com. 172800 IN NS c.gtld-servers.net.
com. 172800 IN NS d.gtld-servers.net.
com. 172800 IN NS e.gtld-servers.net.
com. 172800 IN NS f.gtld-servers.net.
com. 172800 IN NS g.gtld-servers.net.
com. 172800 IN NS h.gtld-servers.net.
com. 172800 IN NS i.gtld-servers.net.
com. 172800 IN NS j.gtld-servers.net.
com. 172800 IN NS k.gtld-servers.net.
com. 172800 IN NS l.gtld-servers.net.
com. 172800 IN NS m.gtld-servers.net.
com. 86400 IN DS 30909 8 2 E2D3C916F6DEEAC73294E8268FB5885044A833FC5459588F4A9184CF C41A5766
com. 86400 IN RRSIG DS 8 1 86400 20210318050000 20210305040000 42351 . bVi/an3ya9VuX/O+2R5wTHP5+Ea7jmmQD+ZVs6rbmTpExiGl8Hsc8P+5 HSIbOcN9qcv/wnXoVwm8zLQojXWxJO4o4rkfAWI2fQ4ZvgEzZF5rxbmz DhOrXOexP7Yick8UqQpX8KADBrU6cH+jv1sYcc+pcDX0GzIq/LQV3bSa crTjtxBiqhYT8LD3d7bQ/kDbo6jyXMQTe77j2qFohW2+X3KBTpfFK6BZ iIrslY0OUYSCMqasCk9v5wSkM3qE0ebJlo71zcJVeGVaLEAEupS/HEzb ne+KSBIOMHJ3zSmZaFMXCZPSYmBAF2poNSh+L13Xpkf4Ib7w12PtWPUz BplviQ==
;; Received 1185 bytes from 198.97.190.53#53(h.root-servers.net) in 23 ms
schwab.com. 172800 IN NS ns1.schwab.com.
schwab.com. 172800 IN NS ns2.schwab.com.
schwab.com. 172800 IN NS ns3.schwab.com.
schwab.com. 172800 IN NS ns4.schwab.com.
schwab.com. 172800 IN NS a9-65.akam.net.
schwab.com. 172800 IN NS a8-64.akam.net.
schwab.com. 86400 IN DS 3829 8 2 8B39D6D8CE4FA5D55DEB38CF05BB81E0CC087FA978AB9E0721411513 86CF2EA2
schwab.com. 86400 IN RRSIG DS 8 2 86400 20210309054915 20210302043915 58540 com. WCclyXLsxq4uaQpBB5WFJZvYbVNCra/EeN/AaBE+xVT0e+W9P0rJnWOM 1MdQ+FFdQDQndy9HQantJh7pOYsrroIrBDC84/MvvihnAzl0cSzUv8/1 zH95Rn0TGmyP1iGtUoBR9LTspXOy6vd6bsi3x8/J/KjzHco31YeBig1j nUSvSOG+w0gOx5XWq+1jkfh8rtIVTb8gDfDRc/muamDnNQ==
;; Received 481 bytes from 192.43.172.30#53(i.gtld-servers.net) in 24 ms
gslb.schwab.com. 900 IN NS gslb-anycast.schwab.com.
gslb.schwab.com. 86400 IN DS 28456 8 2 D62CE9A0008171EE1F9DAC7A50AC167ADFCCF12A85C0314083F9CB86 8AC8C52F
gslb.schwab.com. 86400 IN RRSIG DS 8 3 86400 20210313094830 20210211090458 43563 schwab.com. ZaD1MLn/fOWaXgwZ6pyP2eKF5aG4t6fwjnRau/YF6zjigvfGHU+sNa26 qyzcFu2dnEUZsmnie2WDN4w7IhnkbzRUnzPN2Dkegj7gVvJ23UbkDOxP sQIxLWkog5okaUK9fv03Rh9pNk8pTEVUoSn/nnuPXrU57eJwscl2BJCc 6dzDuruTNE+wtmHe97tv3HZupWhyy4B5MpAKh6awWRBShpLmIE2NK0cR Hkwfo+Vb1cE2yfH6XTDQA/QeV1mBw32uvPQBT9Tp1ZGF6THjqZWyfaCV 1hsSN+KWavOgAjWxIt0OqJrfGewaQCQJDn5n0MrXQxB3ndoSxk/8/vYk wALTcw==
;; Received 741 bytes from 162.93.195.171#53(ns4.schwab.com) in 44 ms
workplace.gslb.schwab.com. 20 IN A 162.93.221.50
workplace.gslb.schwab.com. 20 IN RRSIG A 8 4 20 20210308200738 20210301200738 46146 gslb.schwab.com. rjkuOJx+2tBnwv3Hm3CJEhHSxx4+NMzFuw1iNnPUTxewzx8RaqKdqX3K vIhGDCGoVIWJLeL/QiKvXnpulAIg1y3Aha9DCnsPNPJY4kJ61D3+PkeP Ygx3bEQETt+EFd+CIDjhgYlmZLkt5pkSMhONaPK4cXUBYBbPsoYW5b/u TZtzGcVaqmoRGbJgiildwfeqgykH+dER/tZ2E3/yIxvZnVnorcQFYPw9 t7F88iSOnSLg3253CHxu6iU8d/0dZcBU/Ta5vH4Qbba8sm2RNLLeHe/T u4glfkZRRey8KbPxoozRUOhsl/kXKQ8slAIcpfPZHtmEWncfkmfVPt+n BYcDKA==
workplace.gslb.schwab.com. 20 IN RRSIG A 8 4 20 20210311004437 20210304004437 16098 gslb.schwab.com. hdltHg4v0iOH6idgOMxXXWUSbvKeZHP3igqcERU9pMCuZWaQweIc8XEX z5QOoMhujJI9o3AdFDnBT9JVN/AQs90GbLT/SbPP6OQt2fCtVPFI+xCh 4bVVidFfFvfuTP36W7RNXc3FrfLyPJwyWRBCOHg/3UjN8E2+goVoU/Uw Ft4xmPFHJ5tYL8v7o9v/paICpSQgk7RcjjIsZZiKzN+BF8coCJNtT8DN WEohKJNt9Du+LZq8F59HjTa3g0PopOOhxu5tEzSHbs+IKPc4x3lYL25W nquvnEfVexEw81KfQB3smdi3CEY0yz/zqG8nbMb6QkxC9XQxi6b2iBbf n+JO2w==
;; Received 676 bytes from 162.93.239.1#53(gslb-anycast.schwab.com) in 46 ms
So what might be causing this problem? The dig output seems like it is working ok? But dig takes like 2.5 minutes to run, which does not seem normal. I am guessing this is why unbound fails to resolve this domain and there is "No response."
On the other hand, if I try to dig a domain that unbound DOES resolve, such as "www.schwab.com," it ALSO takes like 2.5 minutes to complete. And "www.schwab.com" resolves fine using DNSSEC turned on through the VPN tunnel. Here is the output of DNS Lookup:
Response
Type Address
CNAME www.schwab.com.edgekey.net.
CNAME e17738.x.akamaiedge.net.
A 104.125.55.112
Resolution time per server
Server Query time
127.0.0.1 51 msec
1.1.1.1 6 msec
1.0.0.1 7 msec
Here is the output of dig "www.schwab.com".
root@OPNsense:~ # dig @127.0.0.1 www.schwab.com +trace
; <<>> DiG 9.16.10 <<>> @127.0.0.1 www.schwab.com +trace
; (1 server found)
;; global options: +cmd
. 79654 IN NS j.root-servers.net.
. 79654 IN NS k.root-servers.net.
. 79654 IN NS l.root-servers.net.
. 79654 IN NS m.root-servers.net.
. 79654 IN NS a.root-servers.net.
. 79654 IN NS b.root-servers.net.
. 79654 IN NS c.root-servers.net.
. 79654 IN NS d.root-servers.net.
. 79654 IN NS e.root-servers.net.
. 79654 IN NS f.root-servers.net.
. 79654 IN NS g.root-servers.net.
. 79654 IN NS h.root-servers.net.
. 79654 IN NS i.root-servers.net.
. 79654 IN RRSIG NS 8 0 518400 20210318050000 20210305040000 42351 . RGrSTUNk4Ad41ITau7wzwMrm6Uk/ReeJlR/1cul8D1bs7qdYZOeICUvX CU+j9KipCbh0VUKvbcVWXFlpWoy9k/4ay0u1ZB5BbooERfyfGVyTe4ru pXrXymKeFLetZFhUr2KoO6ITyigRPPNvJFkRhwUn6nHqgCiHEvdG2cZW FmmvFpZ+0ejIB1h7lJYg+iaG8be2tI3aXp3CF/u8Cerjii5DddESAZrL bR9K6SeeQB9GxabnQJMvFY2FXsHBps9BQkx6D1vc5Vpn8E7R4e3uIcte Rt0c7fwvOyZE1lwHsvhxIaXugLJdlSX0bWT5XwGtGFm3xo6OHuL2cqXJ 9HbxVQ==
;; Received 525 bytes from 127.0.0.1#53(127.0.0.1) in 0 ms
com. 172800 IN NS l.gtld-servers.net.
com. 172800 IN NS b.gtld-servers.net.
com. 172800 IN NS c.gtld-servers.net.
com. 172800 IN NS d.gtld-servers.net.
com. 172800 IN NS e.gtld-servers.net.
com. 172800 IN NS f.gtld-servers.net.
com. 172800 IN NS g.gtld-servers.net.
com. 172800 IN NS a.gtld-servers.net.
com. 172800 IN NS h.gtld-servers.net.
com. 172800 IN NS i.gtld-servers.net.
com. 172800 IN NS j.gtld-servers.net.
com. 172800 IN NS k.gtld-servers.net.
com. 172800 IN NS m.gtld-servers.net.
com. 86400 IN DS 30909 8 2 E2D3C916F6DEEAC73294E8268FB5885044A833FC5459588F4A9184CF C41A5766
com. 86400 IN RRSIG DS 8 1 86400 20210318050000 20210305040000 42351 . bVi/an3ya9VuX/O+2R5wTHP5+Ea7jmmQD+ZVs6rbmTpExiGl8Hsc8P+5 HSIbOcN9qcv/wnXoVwm8zLQojXWxJO4o4rkfAWI2fQ4ZvgEzZF5rxbmz DhOrXOexP7Yick8UqQpX8KADBrU6cH+jv1sYcc+pcDX0GzIq/LQV3bSa crTjtxBiqhYT8LD3d7bQ/kDbo6jyXMQTe77j2qFohW2+X3KBTpfFK6BZ iIrslY0OUYSCMqasCk9v5wSkM3qE0ebJlo71zcJVeGVaLEAEupS/HEzb ne+KSBIOMHJ3zSmZaFMXCZPSYmBAF2poNSh+L13Xpkf4Ib7w12PtWPUz BplviQ==
;; Received 1174 bytes from 192.203.230.10#53(e.root-servers.net) in 5 ms
schwab.com. 172800 IN NS ns1.schwab.com.
schwab.com. 172800 IN NS ns2.schwab.com.
schwab.com. 172800 IN NS ns3.schwab.com.
schwab.com. 172800 IN NS ns4.schwab.com.
schwab.com. 172800 IN NS a9-65.akam.net.
schwab.com. 172800 IN NS a8-64.akam.net.
schwab.com. 86400 IN DS 3829 8 2 8B39D6D8CE4FA5D55DEB38CF05BB81E0CC087FA978AB9E0721411513 86CF2EA2
schwab.com. 86400 IN RRSIG DS 8 2 86400 20210309054915 20210302043915 58540 com. WCclyXLsxq4uaQpBB5WFJZvYbVNCra/EeN/AaBE+xVT0e+W9P0rJnWOM 1MdQ+FFdQDQndy9HQantJh7pOYsrroIrBDC84/MvvihnAzl0cSzUv8/1 zH95Rn0TGmyP1iGtUoBR9LTspXOy6vd6bsi3x8/J/KjzHco31YeBig1j nUSvSOG+w0gOx5XWq+1jkfh8rtIVTb8gDfDRc/muamDnNQ==
;; Received 470 bytes from 192.35.51.30#53(f.gtld-servers.net) in 21 ms
www.schwab.com. 300 IN CNAME www.schwab.com.edgekey.net.
www.schwab.com. 300 IN RRSIG CNAME 8 3 300 20210313110153 20210211103625 43563 schwab.com. eVem19JCDHIfAz3hu6smc3auF2TyWg7utEy+a43wF2Mo7cODhRsxqCvw hEffohd3bn3/INLkvuMWp7Ep4tIZD/EvQDSBzA0MYpXHUJZaCkY8j1iJ 3l2A3sO9f/ovDRAM4H0ZB6thgTErDDFpNPXVvqR2C8begFeL7M07/MZM M8eIc4tLpLDXFXKzkJk9h3Dg28xN5esKKIO7eEKS5IJEBom5YqUetHaz vwSDQQSltpHj3FR9kK6tz2AcuvtVIs/02Z0ZusbtVUNUDpozDFb3B/39 kVp87DUeFMMYaRETMAxK6lfAmlKZRpTT9cjia/qn2LkNmWzfS9qgpM4s n986XQ==
;; Received 381 bytes from 162.93.253.90#53(ns1.schwab.com) in 43 ms
ANY IDEAS?
Where exactly do you suspect the error?
If you mean the missing IP address in the output of "dig @127.0.0.1 www.schwab.com +trace", that is normal. "+trace" prints the delegation path (see man page).
Edit:
Oh sorry, wrong language in this forum. Here is the translation...
Where exactly do you suspect the issue? The missing IP address in the output of "dig @127.0.0.1 www.schwab.com +trace" looks correct, because the parameter "+trace" only returns the delegation path (see manpage).
Quote from: schnipp on March 05, 2021, 01:21:01 PM
Oh sorry, wrong language in this forum. Here is the translation...
Where exactly do you suspect the issue? The missing IP address in the output of "dig @127.0.0.1 www.schwab.com +trace" looks correct, because the parameter "+trace" only returns the delegation path (see manpage).
I am not sure what the issue is. If I try to dig "workplace.schwab.com" without the +trace, it times out, but dig "www.schwab.com" works fine. I don't understand what could cause this issue.
root@OPNsense:~ # dig @127.0.0.1 workplace.schwab.com
; <<>> DiG 9.16.10 <<>> @127.0.0.1 workplace.schwab.com
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached
root@OPNsense:~ # dig @127.0.0.1 www.schwab.com
; <<>> DiG 9.16.10 <<>> @127.0.0.1 www.schwab.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45826
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;www.schwab.com. IN A
;; ANSWER SECTION:
www.schwab.com. 300 IN CNAME www.schwab.com.edgekey.net.
www.schwab.com.edgekey.net. 21600 IN CNAME e17738.x.akamaiedge.net.
e17738.x.akamaiedge.net. 20 IN A 184.24.175.152
;; Query time: 406 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sat Mar 06 11:53:51 PST 2021
;; MSG SIZE rcvd: 133
If I set the timeout option to be a very long time, it comes back with a SERVFAIL when unbound traffic goes through the VPN and DNSSEC is enabled.
root@OPNsense:~ # dig @127.0.0.1 workplace.schwab.com +timeout=240
; <<>> DiG 9.16.10 <<>> @127.0.0.1 workplace.schwab.com +timeout=240
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 44880
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;workplace.schwab.com. IN A
;; Query time: 92514 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sat Mar 06 12:07:32 PST 2021
;; MSG SIZE rcvd: 49
If I send unbound traffic through WAN, with DNSSEC still enabled, it resolves very quickly.
root@OPNsense:~ # dig @127.0.0.1 workplace.schwab.com +timeout=240
; <<>> DiG 9.16.10 <<>> @127.0.0.1 workplace.schwab.com +timeout=240
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5622
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;workplace.schwab.com. IN A
;; ANSWER SECTION:
workplace.schwab.com. 300 IN CNAME workplace.gslb.schwab.com.
workplace.gslb.schwab.com. 20 IN A 162.93.233.50
;; Query time: 329 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sat Mar 06 12:11:47 PST 2021
;; MSG SIZE rcvd: 94
If I send the unbound traffic through the VPN, but disable DNSSEC, it also resolves quickly.
root@OPNsense:~ # dig @127.0.0.1 workplace.schwab.com +timeout=240
; <<>> DiG 9.16.10 <<>> @127.0.0.1 workplace.schwab.com +timeout=240
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50717
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;workplace.schwab.com. IN A
;; ANSWER SECTION:
workplace.schwab.com. 294 IN CNAME workplace.gslb.schwab.com.
workplace.gslb.schwab.com. 14 IN A 162.93.232.50
;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sat Mar 06 12:13:52 PST 2021
;; MSG SIZE rcvd: 94
Probably related to packet size. DNS packets are significantly larger if they contain DNSSEC records.
Keywords for further research: EDNS, MTU, fragmentation, PMTUD, DNS over TCP vs. UDP.
Quote from: Maurice on March 06, 2021, 09:50:13 PM
Probably related to packet size. DNS packets are significantly larger if they contain DNSSEC records.
Keywords for further research: EDNS, MTU, fragmentation, PMTUD, DNS over TCP vs. UDP.
Ok, I think I solved it by adding this custom option in unbound settings:
edns-buffer-size: 4096
I had previously thought the problem might be fragmentation and looked into this EDNS setting. But I incorrectly thought the way to solve fragmentation issues was to set the EDNS buffer size to be something small. That obviously didn't work, which prompted me to post on this forum. But actually, the solution was to set the buffer to be something high. According to the internet, the default for this setting should be 4096, but that does not appear to be the case in OPNsense. Once I manually specify this setting, it resolves fine.
Now when I run dig with unbound traffic through the VPN and DNSSEC enabled, here is the output:
root@OPNsense:~ # dig @127.0.0.1 workplace.schwab.com
; <<>> DiG 9.16.10 <<>> @127.0.0.1 workplace.schwab.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16740
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;workplace.schwab.com. IN A
;; ANSWER SECTION:
workplace.schwab.com. 300 IN CNAME workplace.gslb.schwab.com.
workplace.gslb.schwab.com. 20 IN A 162.93.221.50
;; Query time: 112 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sat Mar 06 13:25:55 PST 2021
;; MSG SIZE rcvd: 94
Notice that the EDNS UDP size is 4096, whereas in my previous posts, this size was 1232.
Unbound default is 1232 bytes. If it works with a larger value, this might indicate that TCP fallback doesn't work through the tunnel for some reason.
Quote from: Maurice on March 06, 2021, 10:50:55 PM
Unbound default is 1232 bytes. If it works with a larger value, this might indicate that TCP fallback doesn't work through the tunnel for some reason.
I don't need to specifically open ports on my VPN interface to allow DNS to work over TCP, correct? Otherwise, I am not sure what would be blocking when using VPN.
Quote from: randomwalk on March 06, 2021, 08:55:28 PM
Quote from: schnipp on March 05, 2021, 01:21:01 PM
Oh sorry, wrong language in this forum. Here is the translation...
Where exactly do you suspect the issue? The missing IP address in the output of "dig @127.0.0.1 www.schwab.com +trace" looks correct, because the parameter "+trace" only returns the delegation path (see manpage).
I am not sure what the issue is. If I try to dig "workplace.schwab.com" without the +trace, it times out, but dig "www.schwab.com" works fine. I don't understand what could cause this issue.
My comment was related to the behavior of the "dig" command. We have probably misunderstood each other. Good to hear that the problem is now solved :).
Quote from: randomwalk on March 06, 2021, 10:25:31 PM
Ok, I think I solved it by adding this custom option in unbound settings:
edns-buffer-size: 4096
Notice that the EDNS UDP size is 4096, whereas in my previous posts, this size was 1232.
Thank you for this: I started seeing the same behaviour after upgrading to 21.1.2 (or whatever the latest version is) - and the weird thing is that it was only a few selected subdomains that failed to resolve. But I added this as an optional command in the unbound settings, restarted unbound, and now everything works.
Weird issue: I could also run nslookup in the terminal and the domains that failed to resolve did resolve - however, the browser (and apps on my phone) did not resolve them. I rebooted everything etc. before trying this fix.