Unbound DNS problem with Cache or config, not clearing?

Started by vtgolf, May 13, 2020, 12:34:51 PM

Hi guys!
I'm using Unbound DNS in OPNsense 20.1.6, and I have a problem. At some point the server stopped clearing some cached DNS entries, and now I can't connect to some URLs.
I'm using NextDNS in System > Settings > General (45.90.28.46 and 45.90.30.46) and have tried checking and unchecking "Do not use the local DNS service as a nameserver for this system".
In Unbound DNS I have it enabled on all interfaces, port 53, DNSSEC active, a domain override (our local domain), and the following checked:
DHCP Static Mappings: Register DHCP static mappings
IPv6 Link-local: Register IPv6 link-local addresses
TXT Comment Support: Create corresponding TXT records
DNS Query Forwarding: Enable Forwarding Mode

Local Zone Type transparent and outgoing interfaces all

In the statistics, some time ago it said "Zero TTL undefined", which seems like a bug.

There is a domain that was blocked by NextDNS but now is not, http://www.msftconnecttest.com. If I try to resolve it in OpenDNS it shows the old IP (37.120.148.100), and if I try to resolve it with NextDNS directly it shows the right IP, 13.107.4.52. Both show the real name in nslookup (v4ncsi.msedge.net).

What can I do? I don't know which logs I can post or how to reset Unbound. I tried reinstalling Unbound DNS and rebooting OPNsense..

Hi,

you can check those queries via the logs (enable Log Queries in Unbound / Advanced).

And, have you tried restarting the unbound service?

Hi
I restarted the service but well.. same.

In the log this appears:
2020-05-13T13:00:53   unbound: [12154:0] info: 192.168.36.34 www.msftconnecttest.com. A IN
2020-05-13T13:00:46   unbound: [12154:0] info: 192.168.36.40 www.msftconnecttest.com. AAAA IN
2020-05-13T13:00:46   unbound: [12154:0] info: 192.168.36.40 www.msftconnecttest.com. A IN


This was the query (192.168.X.X being the FW address):

PS C:\Windows\system32> nslookup www.msftconnecttest.com 192.168.X.X
Servidor:  **server hostname**
Address:  192.168.X.X

Respuesta no autoritativa:
Nombre:  v4ncsi.msedge.net
Addresses:  2a0d:5642:113:101:5054:ff:fe29:631b
          37.120.148.100
Aliases:  www.msftconnecttest.com

In Google:
PS C:\Windows\system32> nslookup www.msftconnecttest.com 8.8.8.8
Servidor:  dns.google
Address:  8.8.8.8

Respuesta no autoritativa:
Nombre:  4-c-0003.c-msedge.net
Address:  13.107.4.52
Aliases:  www.msftconnecttest.com
          v4ncsi.msedge.net
          ncsi.4-c-0003.c-msedge.net


I think it is not happening with every page (because yesterday I registered a domain, saw it here, changed the IP address at the domain registrar, and it updated here..)

Log at level 3:

2020-05-13T13:14:25 unbound: [26558:0] debug: cache memory msg=85642 rrset=100766 infra=8564 val=77070
2020-05-13T13:14:25 unbound: [26558:0] info: validator operate: query www.msftconnecttest.com. AAAA IN
2020-05-13T13:14:25 unbound: [26558:0] debug: validator[module 0] operate: extstate:module_wait_module event:module_event_moddone
2020-05-13T13:14:25 unbound: [26558:0] info: finishing processing for www.msftconnecttest.com. AAAA IN
2020-05-13T13:14:25 unbound: [26558:0] info: query response was ANSWER
2020-05-13T13:14:25 unbound: [26558:0] info: reply from <.> 45.90.28.46#53
2020-05-13T13:14:25 unbound: [26558:0] info: response for www.msftconnecttest.com. AAAA IN
2020-05-13T13:14:25 unbound: [26558:0] info: iterator operate: chased to v4ncsi.msedge.net. AAAA IN
2020-05-13T13:14:25 unbound: [26558:0] info: iterator operate: query www.msftconnecttest.com. AAAA IN
2020-05-13T13:14:25 unbound: [26558:0] debug: iterator[module 1] operate: extstate:module_wait_reply event:module_event_reply
2020-05-13T13:14:25 unbound: [26558:0] debug: cache memory msg=85190 rrset=100561 infra=8564 val=77070
2020-05-13T13:14:25 unbound: [26558:0] debug: sending to target: <.> 45.90.28.46#53
2020-05-13T13:14:25 unbound: [26558:0] info: sending query: v4ncsi.msedge.net. AAAA IN
2020-05-13T13:14:25 unbound: [26558:0] info: processQueryTargets: www.msftconnecttest.com. AAAA IN
2020-05-13T13:14:25 unbound: [26558:0] info: resolving www.msftconnecttest.com. AAAA IN
2020-05-13T13:14:25 unbound: [26558:0] info: resolving www.msftconnecttest.com. AAAA IN
2020-05-13T13:14:25 unbound: [26558:0] debug: iterator[module 1] operate: extstate:module_state_initial event:module_event_pass
2020-05-13T13:14:25 unbound: [26558:0] info: validator operate: query www.msftconnecttest.com. AAAA IN
2020-05-13T13:14:25 unbound: [26558:0] debug: validator[module 0] operate: extstate:module_state_initial event:module_event_new
2020-05-13T13:14:25 unbound: [26558:0] info: 192.168.36.40 www.msftconnecttest.com. AAAA IN
2020-05-13T13:14:25 unbound: [26558:1] debug: cache memory msg=85190 rrset=100561 infra=8564 val=77070
2020-05-13T13:14:25 unbound: [26558:1] info: Verified that unsigned response is INSECURE
2020-05-13T13:14:25 unbound: [26558:1] info: validator operate: chased to v4ncsi.msedge.net. A IN
2020-05-13T13:14:25 unbound: [26558:1] info: validator operate: query www.msftconnecttest.com. A IN

Mmm, it seems it's been resolved by NextDNS ...

Aren't you seeing those queries in the NextDNS log tab? (because you're trying to send that query to NextDNS, right?)

Well,
looking at the NextDNS logs, I saw that the query "v4ncsi.msedge.net" was being blocked (by a list). www.msftconnecttest.com is not blocked (and I saw it in the logs, but not when I did the nslookup).
It is strange, because when I ask the firewall to resolve msftconnecttest.com, it resolves to v4ncsi.msedge.net (which was blocked), but calling NextDNS directly resolves to "4-c-0003.c-msedge.net" (which seems not to be blocked):
Calling the firewall:

PS C:\Users\x> nslookup www.msftconnecttest.com 192.168.X.X
Servidor:  FW
Address:  192.168.X.X

Respuesta no autoritativa:
Nombre:  v4ncsi.msedge.net
Addresses:  2a0d:5642:113:101:5054:ff:fe29:631b
          37.120.148.100
Aliases:  www.msftconnecttest.com

Calling NextDNS directly:

PS C:\Users\x> nslookup www.msftconnecttest.com 45.90.28.36
Servidor:  dns1.nextdns.io
Address:  45.90.28.36

Respuesta no autoritativa:
Nombre:  4-c-0003.c-msedge.net
Address:  13.107.4.52
Aliases:  www.msftconnecttest.com
          v4ncsi.msedge.net
          ncsi.4-c-0003.c-msedge.net


Google also resolves it as "4-c-0003.c-msedge.net".

When I unblock "v4ncsi.msedge.net" in NextDNS, the firewall resolves it as "4-c-0003.c-msedge.net":

PS C:\Users\X> nslookup www.msftconnecttest.com 192.168.X.X
Servidor:  FW
Address:  192.168.X.X

Respuesta no autoritativa:
Nombre:  4-c-0003.c-msedge.net
Address:  13.107.4.52
Aliases:  www.msftconnecttest.com
          v4ncsi.msedge.net
          ncsi.4-c-0003.c-msedge.net


Although adding it to the whitelist solves my problem and I don't worry about it, my brain is not able to understand why this is happening..

www.msftconnecttest.com. 3600   IN   CNAME   v4ncsi.msedge.net.
;; Received 72 bytes from 13.107.160.205#53(13.107.160.205) in 2 ms

v4ncsi.msedge.net.   60   IN   CNAME   ncsi.4-c-0003.c-msedge.net.
ncsi.4-c-0003.c-msedge.net. 60   IN   CNAME   4-c-0003.c-msedge.net.
4-c-0003.c-msedge.net.   60   IN   A   13.107.4.52
;; Received 102 bytes from 204.79.197.2#53(204.79.197.2) in 2 ms

You need to unblock v4ncsi and 4-c-0003

Quote from: vtgolf on May 13, 2020, 02:11:15 PM
Although adding it to the whitelist solves my problem and I don't worry about it, my brain is not able to understand why this is happening..

You can troubleshoot this with a dig trace.

If the domain answer is a CNAME you need to be able to query its "alias".
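The two replies above (the dig trace ending in "You need to unblock v4ncsi and 4-c-0003", and "if the domain answer is a CNAME you need to be able to query its alias") describe the same mechanism: a filtering forwarder decides on every name in the CNAME chain, not only on the name the client asked for. The script below is an added example, not code from the thread, OPNsense, Unbound or NextDNS. It replays the chain from the posted dig output against a constructed blocklist, offline, and reports which names in the chain a filter would have to allow before the original query can succeed. The zone dictionary is built from the records in the dig trace; the blocklist contents and the simulated-filter behaviour are assumptions for illustration.

```python
"""Follow a CNAME chain and report which names a DNS filter must allow.

Added example (not from the forum thread). ZONE is constructed from the
dig trace posted in the thread; the blocklists used with it are assumed.
"""

# Constructed zone data: owner -> (rrtype, ttl, rdata), copied from the
# dig trace in the thread. Names are kept fully qualified (trailing dot).
ZONE = {
    "www.msftconnecttest.com.": ("CNAME", 3600, "v4ncsi.msedge.net."),
    "v4ncsi.msedge.net.": ("CNAME", 60, "ncsi.4-c-0003.c-msedge.net."),
    "ncsi.4-c-0003.c-msedge.net.": ("CNAME", 60, "4-c-0003.c-msedge.net."),
    "4-c-0003.c-msedge.net.": ("A", 60, "13.107.4.52"),
}

MAX_CHAIN = 8  # upper bound on CNAME hops, in addition to loop detection


def fqdn(name):
    """Normalise a name to its fully qualified, lower-case form."""
    name = name.lower()
    return name if name.endswith(".") else name + "."


def follow_chain(name, zone=ZONE):
    """Return (chain_of_names, address) by chasing CNAMEs to an A record.

    Raises LookupError for a missing name and RuntimeError for a CNAME
    loop or an over-long chain.
    """
    chain = [fqdn(name)]
    while True:
        rtype, _ttl, rdata = zone.get(chain[-1], (None, None, None))
        if rtype is None:
            raise LookupError("NXDOMAIN: " + chain[-1])
        if rtype == "A":
            return chain, rdata
        # CNAME: the target becomes the next name to resolve.
        if rdata in chain or len(chain) >= MAX_CHAIN:
            raise RuntimeError("CNAME loop or chain too long at " + rdata)
        chain.append(rdata)


def blocked_by(name, blocklist):
    """Return the blocklist entry matching name or one of its parent
    domains (the usual filter semantics), or None if it is not blocked."""
    labels = fqdn(name).rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in blocklist:
            return candidate
    return None


def resolve_through_filter(name, blocklist, zone=ZONE):
    """Simulate a filtering forwarder (assumed behaviour): the answer is
    only returned when no name in the whole CNAME chain is blocked."""
    chain, address = follow_chain(name, zone)
    hits = [(n, blocked_by(n, blocklist)) for n in chain if blocked_by(n, blocklist)]
    if hits:
        return {"status": "BLOCKED", "chain": chain, "blocked": hits}
    return {"status": "NOERROR", "chain": chain, "address": address}


def names_to_allow(name, blocklist, zone=ZONE):
    """List the chain members that must be allowlisted for name to resolve."""
    chain, _address = follow_chain(name, zone)
    return [n for n in chain if blocked_by(n, blocklist)]


if __name__ == "__main__":
    # Assumed blocklist reproducing the situation in the thread.
    blocklist = {"v4ncsi.msedge.net"}
    print(resolve_through_filter("www.msftconnecttest.com", blocklist))
    print("allow:", names_to_allow("www.msftconnecttest.com", blocklist))
```

Running it with the assumed blocklist shows that the client's query name (www.msftconnecttest.com) is never itself on the list, which is why it showed up unblocked in the filter's log, while the second hop (v4ncsi.msedge.net) is what stops the resolution; `names_to_allow` produces exactly the allowlist entries the reply recommends. The parent-domain match in `blocked_by` also explains why a single list entry such as c-msedge.net would catch the last two hops at once.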

Well, I see it, it makes sense that the alias has to be whitelisted.

Thanks for the help!