[SOLVED] Unbound Fails to Resolve Selected Domains

[randomwalk]

I have a very weird DNS resolution problem that I cannot figure out.  I'm running OPNsense 20.7.8_4.  I'm using unbound in resolver mode with DNSSEC turned on and unbound traffic sent out via Mullvad OpenVPN (UDP) tunnel. 

The setup generally works great, but for some reason, unbound fails to resolve certain domains.  For example, it will not resolve "workplace.schwab.com."  There are likely other domains, but I don't have a list.  What I found is that unbound will resolve "workplace.schwab.com" if I either:

1) turn off DNSSEC (and continue to send unbound traffic via VPN); OR

2) send unbound traffic out via WAN (in this case, I do NOT have to turn off DNSSEC).

If I do not do either of the above, unbound does not resolve "workplace.schwab.com".  If I go to Interfaces --> Diagnostics --> DNS Lookup and put in "workplace.schwab.com," it would take about 10 seconds to run, and return the following:

Code: [Select]

Response
Type Address
CNAME workplace.gslb.schwab.com.
A 162.93.221.50

Resolution time per server
Server Query time
127.0.0.1 No response
1.1.1.1 45 msec
1.0.0.1 8 msec
As you can see above, in forward mode (to 1.1.1.1 or 1.0.0.1), DNS resolution works fine.  But unbound at 127.0.0.1 gets "No response."

If I SSH into OPNsense and run dig at the shell, nothing seems obviously wrong EXCEPT the dig takes like 2.5 minute to complete (it pauses for a super long time between the first block of output for the root-servers and the second block of output, then the remaining blocks of output follow very quickly).  Here is the output.

Code: [Select]

root@OPNsense:~ # dig @127.0.0.1 workplace.schwab.com +trace

; <<>> DiG 9.16.10 <<>> @127.0.0.1 workplace.schwab.com +trace
; (1 server found)
;; global options: +cmd
.                       80398   IN      NS      m.root-servers.net.
.                       80398   IN      NS      a.root-servers.net.
.                       80398   IN      NS      b.root-servers.net.
.                       80398   IN      NS      c.root-servers.net.
.                       80398   IN      NS      d.root-servers.net.
.                       80398   IN      NS      e.root-servers.net.
.                       80398   IN      NS      f.root-servers.net.
.                       80398   IN      NS      g.root-servers.net.
.                       80398   IN      NS      h.root-servers.net.
.                       80398   IN      NS      i.root-servers.net.
.                       80398   IN      NS      j.root-servers.net.
.                       80398   IN      NS      k.root-servers.net.
.                       80398   IN      NS      l.root-servers.net.
.                       80398   IN      RRSIG   NS 8 0 518400 20210318050000 20210305040000 42351 . RGrSTUNk4Ad41ITau7wzwMrm6Uk/ReeJlR/1cul8D1bs7qdYZOeICUvX CU+j9KipCbh0VUKvbcVWXFlpWoy9k/4ay0u1ZB5BbooERfyfGVyTe4ru pXrXymKeFLetZFhUr2KoO6ITyigRPPNvJFkRhwUn6nHqgCiHEvdG2cZW FmmvFpZ+0ejIB1h7lJYg+iaG8be2tI3aXp3CF/u8Cerjii5DddESAZrL bR9K6SeeQB9GxabnQJMvFY2FXsHBps9BQkx6D1vc5Vpn8E7R4e3uIcte Rt0c7fwvOyZE1lwHsvhxIaXugLJdlSX0bWT5XwGtGFm3xo6OHuL2cqXJ 9HbxVQ==
;; Received 525 bytes from 127.0.0.1#53(127.0.0.1) in 0 ms

com.                    172800  IN      NS      l.gtld-servers.net.
com.                    172800  IN      NS      b.gtld-servers.net.
com.                    172800  IN      NS      c.gtld-servers.net.
com.                    172800  IN      NS      d.gtld-servers.net.
com.                    172800  IN      NS      e.gtld-servers.net.
com.                    172800  IN      NS      f.gtld-servers.net.
com.                    172800  IN      NS      g.gtld-servers.net.
com.                    172800  IN      NS      a.gtld-servers.net.
com.                    172800  IN      NS      h.gtld-servers.net.
com.                    172800  IN      NS      i.gtld-servers.net.
com.                    172800  IN      NS      j.gtld-servers.net.
com.                    172800  IN      NS      k.gtld-servers.net.
com.                    172800  IN      NS      m.gtld-servers.net.
com.                    86400   IN      DS      30909 8 2 E2D3C916F6DEEAC73294E8268FB5885044A833FC5459588F4A9184CF C41A5766
com.                    86400   IN      RRSIG   DS 8 1 86400 20210318050000 20210305040000 42351 . bVi/an3ya9VuX/O+2R5wTHP5+Ea7jmmQD+ZVs6rbmTpExiGl8Hsc8P+5 HSIbOcN9qcv/wnXoVwm8zLQojXWxJO4o4rkfAWI2fQ4ZvgEzZF5rxbmz DhOrXOexP7Yick8UqQpX8KADBrU6cH+jv1sYcc+pcDX0GzIq/LQV3bSa crTjtxBiqhYT8LD3d7bQ/kDbo6jyXMQTe77j2qFohW2+X3KBTpfFK6BZ iIrslY0OUYSCMqasCk9v5wSkM3qE0ebJlo71zcJVeGVaLEAEupS/HEzb ne+KSBIOMHJ3zSmZaFMXCZPSYmBAF2poNSh+L13Xpkf4Ib7w12PtWPUz BplviQ==
;; Received 1180 bytes from 192.5.5.241#53(f.root-servers.net) in 7 ms

schwab.com.             172800  IN      NS      ns1.schwab.com.
schwab.com.             172800  IN      NS      ns2.schwab.com.
schwab.com.             172800  IN      NS      ns3.schwab.com.
schwab.com.             172800  IN      NS      ns4.schwab.com.
schwab.com.             172800  IN      NS      a9-65.akam.net.
schwab.com.             172800  IN      NS      a8-64.akam.net.
schwab.com.             86400   IN      DS      3829 8 2 8B39D6D8CE4FA5D55DEB38CF05BB81E0CC087FA978AB9E0721411513 86CF2EA2
schwab.com.             86400   IN      RRSIG   DS 8 2 86400 20210309054915 20210302043915 58540 com. WCclyXLsxq4uaQpBB5WFJZvYbVNCra/EeN/AaBE+xVT0e+W9P0rJnWOM 1MdQ+FFdQDQndy9HQantJh7pOYsrroIrBDC84/MvvihnAzl0cSzUv8/1 zH95Rn0TGmyP1iGtUoBR9LTspXOy6vd6bsi3x8/J/KjzHco31YeBig1j nUSvSOG+w0gOx5XWq+1jkfh8rtIVTb8gDfDRc/muamDnNQ==
;; Received 476 bytes from 192.54.112.30#53(h.gtld-servers.net) in 22 ms

workplace.schwab.com.   300     IN      CNAME   workplace.gslb.schwab.com.
workplace.schwab.com.   300     IN      RRSIG   CNAME 8 3 300 20210313093720 20210211084427 43563 schwab.com. HMRYlzV44nhXrDntld7SwDAbk/zihLTrIwF+O6TnjdBjzwyAmYmT1BJA 9cAT7JAtQ8jKrkQDXvfrVdWZWiN/Pgrd1sjpprnasNaggYG/lg9hsfWU PawjDfTLfXs0jC/6PVHNcmJS1JoplkB8ccdzFMbFDw6qpxhx5ISP3MeX yl9yKrl7YJH69ufLv503ZU0tKKZ6oHJg60D07U9uxSuu6LZ6aDbYT0IA SHCEgVWq25uKBTS8eTekYalS0clyCYH9oeJ9JRN0GL84AoAlsZqOUeEj rde0yCzPk/aTCTZat8PgCP0Uz4gP/ooz6htu7TdCL7hDhqlRjbdowgIW Lq6CFg==
gslb.schwab.com.        900     IN      NS      gslb-anycast.schwab.com.
gslb.schwab.com.        86400   IN      DS      28456 8 2 D62CE9A0008171EE1F9DAC7A50AC167ADFCCF12A85C0314083F9CB86 8AC8C52F
gslb.schwab.com.        86400   IN      RRSIG   DS 8 3 86400 20210313094830 20210211090458 43563 schwab.com. ZaD1MLn/fOWaXgwZ6pyP2eKF5aG4t6fwjnRau/YF6zjigvfGHU+sNa26 qyzcFu2dnEUZsmnie2WDN4w7IhnkbzRUnzPN2Dkegj7gVvJ23UbkDOxP sQIxLWkog5okaUK9fv03Rh9pNk8pTEVUoSn/nnuPXrU57eJwscl2BJCc 6dzDuruTNE+wtmHe97tv3HZupWhyy4B5MpAKh6awWRBShpLmIE2NK0cR Hkwfo+Vb1cE2yfH6XTDQA/QeV1mBw32uvPQBT9Tp1ZGF6THjqZWyfaCV 1hsSN+KWavOgAjWxIt0OqJrfGewaQCQJDn5n0MrXQxB3ndoSxk/8/vYk wALTcw==
;; Received 1063 bytes from 162.93.253.171#53(ns3.schwab.com) in 43 ms

And if I dig "workplace.gslb.schwab.com" I get the correct IP address (162.93.221.50).  Again, the dig takes 2.5 minutes to complete, but the pause is only between the first block of output and the second block of output.  Here is the output.

Code: [Select]

root@OPNsense:~ # dig @127.0.0.1 workplace.gslb.schwab.com +trace

; <<>> DiG 9.16.10 <<>> @127.0.0.1 workplace.gslb.schwab.com +trace
; (1 server found)
;; global options: +cmd
.                       80069   IN      NS      i.root-servers.net.
.                       80069   IN      NS      j.root-servers.net.
.                       80069   IN      NS      k.root-servers.net.
.                       80069   IN      NS      l.root-servers.net.
.                       80069   IN      NS      m.root-servers.net.
.                       80069   IN      NS      a.root-servers.net.
.                       80069   IN      NS      b.root-servers.net.
.                       80069   IN      NS      c.root-servers.net.
.                       80069   IN      NS      d.root-servers.net.
.                       80069   IN      NS      e.root-servers.net.
.                       80069   IN      NS      f.root-servers.net.
.                       80069   IN      NS      g.root-servers.net.
.                       80069   IN      NS      h.root-servers.net.
.                       80069   IN      RRSIG   NS 8 0 518400 20210318050000 20210305040000 42351 . RGrSTUNk4Ad41ITau7wzwMrm6Uk/ReeJlR/1cul8D1bs7qdYZOeICUvX CU+j9KipCbh0VUKvbcVWXFlpWoy9k/4ay0u1ZB5BbooERfyfGVyTe4ru pXrXymKeFLetZFhUr2KoO6ITyigRPPNvJFkRhwUn6nHqgCiHEvdG2cZW FmmvFpZ+0ejIB1h7lJYg+iaG8be2tI3aXp3CF/u8Cerjii5DddESAZrL bR9K6SeeQB9GxabnQJMvFY2FXsHBps9BQkx6D1vc5Vpn8E7R4e3uIcte Rt0c7fwvOyZE1lwHsvhxIaXugLJdlSX0bWT5XwGtGFm3xo6OHuL2cqXJ 9HbxVQ==
;; Received 525 bytes from 127.0.0.1#53(127.0.0.1) in 0 ms

com.                    172800  IN      NS      a.gtld-servers.net.
com.                    172800  IN      NS      b.gtld-servers.net.
com.                    172800  IN      NS      c.gtld-servers.net.
com.                    172800  IN      NS      d.gtld-servers.net.
com.                    172800  IN      NS      e.gtld-servers.net.
com.                    172800  IN      NS      f.gtld-servers.net.
com.                    172800  IN      NS      g.gtld-servers.net.
com.                    172800  IN      NS      h.gtld-servers.net.
com.                    172800  IN      NS      i.gtld-servers.net.
com.                    172800  IN      NS      j.gtld-servers.net.
com.                    172800  IN      NS      k.gtld-servers.net.
com.                    172800  IN      NS      l.gtld-servers.net.
com.                    172800  IN      NS      m.gtld-servers.net.
com.                    86400   IN      DS      30909 8 2 E2D3C916F6DEEAC73294E8268FB5885044A833FC5459588F4A9184CF C41A5766
com.                    86400   IN      RRSIG   DS 8 1 86400 20210318050000 20210305040000 42351 . bVi/an3ya9VuX/O+2R5wTHP5+Ea7jmmQD+ZVs6rbmTpExiGl8Hsc8P+5 HSIbOcN9qcv/wnXoVwm8zLQojXWxJO4o4rkfAWI2fQ4ZvgEzZF5rxbmz DhOrXOexP7Yick8UqQpX8KADBrU6cH+jv1sYcc+pcDX0GzIq/LQV3bSa crTjtxBiqhYT8LD3d7bQ/kDbo6jyXMQTe77j2qFohW2+X3KBTpfFK6BZ iIrslY0OUYSCMqasCk9v5wSkM3qE0ebJlo71zcJVeGVaLEAEupS/HEzb ne+KSBIOMHJ3zSmZaFMXCZPSYmBAF2poNSh+L13Xpkf4Ib7w12PtWPUz BplviQ==
;; Received 1185 bytes from 198.97.190.53#53(h.root-servers.net) in 23 ms

schwab.com.             172800  IN      NS      ns1.schwab.com.
schwab.com.             172800  IN      NS      ns2.schwab.com.
schwab.com.             172800  IN      NS      ns3.schwab.com.
schwab.com.             172800  IN      NS      ns4.schwab.com.
schwab.com.             172800  IN      NS      a9-65.akam.net.
schwab.com.             172800  IN      NS      a8-64.akam.net.
schwab.com.             86400   IN      DS      3829 8 2 8B39D6D8CE4FA5D55DEB38CF05BB81E0CC087FA978AB9E0721411513 86CF2EA2
schwab.com.             86400   IN      RRSIG   DS 8 2 86400 20210309054915 20210302043915 58540 com. WCclyXLsxq4uaQpBB5WFJZvYbVNCra/EeN/AaBE+xVT0e+W9P0rJnWOM 1MdQ+FFdQDQndy9HQantJh7pOYsrroIrBDC84/MvvihnAzl0cSzUv8/1 zH95Rn0TGmyP1iGtUoBR9LTspXOy6vd6bsi3x8/J/KjzHco31YeBig1j nUSvSOG+w0gOx5XWq+1jkfh8rtIVTb8gDfDRc/muamDnNQ==
;; Received 481 bytes from 192.43.172.30#53(i.gtld-servers.net) in 24 ms

gslb.schwab.com.        900     IN      NS      gslb-anycast.schwab.com.
gslb.schwab.com.        86400   IN      DS      28456 8 2 D62CE9A0008171EE1F9DAC7A50AC167ADFCCF12A85C0314083F9CB86 8AC8C52F
gslb.schwab.com.        86400   IN      RRSIG   DS 8 3 86400 20210313094830 20210211090458 43563 schwab.com. ZaD1MLn/fOWaXgwZ6pyP2eKF5aG4t6fwjnRau/YF6zjigvfGHU+sNa26 qyzcFu2dnEUZsmnie2WDN4w7IhnkbzRUnzPN2Dkegj7gVvJ23UbkDOxP sQIxLWkog5okaUK9fv03Rh9pNk8pTEVUoSn/nnuPXrU57eJwscl2BJCc 6dzDuruTNE+wtmHe97tv3HZupWhyy4B5MpAKh6awWRBShpLmIE2NK0cR Hkwfo+Vb1cE2yfH6XTDQA/QeV1mBw32uvPQBT9Tp1ZGF6THjqZWyfaCV 1hsSN+KWavOgAjWxIt0OqJrfGewaQCQJDn5n0MrXQxB3ndoSxk/8/vYk wALTcw==
;; Received 741 bytes from 162.93.195.171#53(ns4.schwab.com) in 44 ms

workplace.gslb.schwab.com. 20   IN      A       162.93.221.50
workplace.gslb.schwab.com. 20   IN      RRSIG   A 8 4 20 20210308200738 20210301200738 46146 gslb.schwab.com. rjkuOJx+2tBnwv3Hm3CJEhHSxx4+NMzFuw1iNnPUTxewzx8RaqKdqX3K vIhGDCGoVIWJLeL/QiKvXnpulAIg1y3Aha9DCnsPNPJY4kJ61D3+PkeP Ygx3bEQETt+EFd+CIDjhgYlmZLkt5pkSMhONaPK4cXUBYBbPsoYW5b/u TZtzGcVaqmoRGbJgiildwfeqgykH+dER/tZ2E3/yIxvZnVnorcQFYPw9 t7F88iSOnSLg3253CHxu6iU8d/0dZcBU/Ta5vH4Qbba8sm2RNLLeHe/T u4glfkZRRey8KbPxoozRUOhsl/kXKQ8slAIcpfPZHtmEWncfkmfVPt+n BYcDKA==
workplace.gslb.schwab.com. 20   IN      RRSIG   A 8 4 20 20210311004437 20210304004437 16098 gslb.schwab.com. hdltHg4v0iOH6idgOMxXXWUSbvKeZHP3igqcERU9pMCuZWaQweIc8XEX z5QOoMhujJI9o3AdFDnBT9JVN/AQs90GbLT/SbPP6OQt2fCtVPFI+xCh 4bVVidFfFvfuTP36W7RNXc3FrfLyPJwyWRBCOHg/3UjN8E2+goVoU/Uw Ft4xmPFHJ5tYL8v7o9v/paICpSQgk7RcjjIsZZiKzN+BF8coCJNtT8DN WEohKJNt9Du+LZq8F59HjTa3g0PopOOhxu5tEzSHbs+IKPc4x3lYL25W nquvnEfVexEw81KfQB3smdi3CEY0yz/zqG8nbMb6QkxC9XQxi6b2iBbf n+JO2w==
;; Received 676 bytes from 162.93.239.1#53(gslb-anycast.schwab.com) in 46 ms

So what might be causing this problem?  The dig output seems like it is working ok?  But dig takes like 2.5 minutes to run, which does not seem normal.  I am guessing this is why unbound fails to resolve this domain and there is "No response."

On the other hand, if I try to dig a domain that unbound DOES resolve, such as "www.schwab.com," it ALSO takes like 2.5 minutes to complete.  And "www.schwab.com" resolves fine using DNSSEC turned on through the VPN tunnel.  Here is the output of DNS Lookup:

Code: [Select]

Response
Type Address
CNAME www.schwab.com.edgekey.net.
CNAME e17738.x.akamaiedge.net.
A 104.125.55.112

Resolution time per server
Server Query time
127.0.0.1 51 msec
1.1.1.1 6 msec
1.0.0.1 7 msec
Here is the output of dig "www.schwab.com".

Code: [Select]

root@OPNsense:~ # dig @127.0.0.1 www.schwab.com +trace

; <<>> DiG 9.16.10 <<>> @127.0.0.1 www.schwab.com +trace
; (1 server found)
;; global options: +cmd
.                       79654   IN      NS      j.root-servers.net.
.                       79654   IN      NS      k.root-servers.net.
.                       79654   IN      NS      l.root-servers.net.
.                       79654   IN      NS      m.root-servers.net.
.                       79654   IN      NS      a.root-servers.net.
.                       79654   IN      NS      b.root-servers.net.
.                       79654   IN      NS      c.root-servers.net.
.                       79654   IN      NS      d.root-servers.net.
.                       79654   IN      NS      e.root-servers.net.
.                       79654   IN      NS      f.root-servers.net.
.                       79654   IN      NS      g.root-servers.net.
.                       79654   IN      NS      h.root-servers.net.
.                       79654   IN      NS      i.root-servers.net.
.                       79654   IN      RRSIG   NS 8 0 518400 20210318050000 20210305040000 42351 . RGrSTUNk4Ad41ITau7wzwMrm6Uk/ReeJlR/1cul8D1bs7qdYZOeICUvX CU+j9KipCbh0VUKvbcVWXFlpWoy9k/4ay0u1ZB5BbooERfyfGVyTe4ru pXrXymKeFLetZFhUr2KoO6ITyigRPPNvJFkRhwUn6nHqgCiHEvdG2cZW FmmvFpZ+0ejIB1h7lJYg+iaG8be2tI3aXp3CF/u8Cerjii5DddESAZrL bR9K6SeeQB9GxabnQJMvFY2FXsHBps9BQkx6D1vc5Vpn8E7R4e3uIcte Rt0c7fwvOyZE1lwHsvhxIaXugLJdlSX0bWT5XwGtGFm3xo6OHuL2cqXJ 9HbxVQ==
;; Received 525 bytes from 127.0.0.1#53(127.0.0.1) in 0 ms

com.                    172800  IN      NS      l.gtld-servers.net.
com.                    172800  IN      NS      b.gtld-servers.net.
com.                    172800  IN      NS      c.gtld-servers.net.
com.                    172800  IN      NS      d.gtld-servers.net.
com.                    172800  IN      NS      e.gtld-servers.net.
com.                    172800  IN      NS      f.gtld-servers.net.
com.                    172800  IN      NS      g.gtld-servers.net.
com.                    172800  IN      NS      a.gtld-servers.net.
com.                    172800  IN      NS      h.gtld-servers.net.
com.                    172800  IN      NS      i.gtld-servers.net.
com.                    172800  IN      NS      j.gtld-servers.net.
com.                    172800  IN      NS      k.gtld-servers.net.
com.                    172800  IN      NS      m.gtld-servers.net.
com.                    86400   IN      DS      30909 8 2 E2D3C916F6DEEAC73294E8268FB5885044A833FC5459588F4A9184CF C41A5766
com.                    86400   IN      RRSIG   DS 8 1 86400 20210318050000 20210305040000 42351 . bVi/an3ya9VuX/O+2R5wTHP5+Ea7jmmQD+ZVs6rbmTpExiGl8Hsc8P+5 HSIbOcN9qcv/wnXoVwm8zLQojXWxJO4o4rkfAWI2fQ4ZvgEzZF5rxbmz DhOrXOexP7Yick8UqQpX8KADBrU6cH+jv1sYcc+pcDX0GzIq/LQV3bSa crTjtxBiqhYT8LD3d7bQ/kDbo6jyXMQTe77j2qFohW2+X3KBTpfFK6BZ iIrslY0OUYSCMqasCk9v5wSkM3qE0ebJlo71zcJVeGVaLEAEupS/HEzb ne+KSBIOMHJ3zSmZaFMXCZPSYmBAF2poNSh+L13Xpkf4Ib7w12PtWPUz BplviQ==
;; Received 1174 bytes from 192.203.230.10#53(e.root-servers.net) in 5 ms

schwab.com.             172800  IN      NS      ns1.schwab.com.
schwab.com.             172800  IN      NS      ns2.schwab.com.
schwab.com.             172800  IN      NS      ns3.schwab.com.
schwab.com.             172800  IN      NS      ns4.schwab.com.
schwab.com.             172800  IN      NS      a9-65.akam.net.
schwab.com.             172800  IN      NS      a8-64.akam.net.
schwab.com.             86400   IN      DS      3829 8 2 8B39D6D8CE4FA5D55DEB38CF05BB81E0CC087FA978AB9E0721411513 86CF2EA2
schwab.com.             86400   IN      RRSIG   DS 8 2 86400 20210309054915 20210302043915 58540 com. WCclyXLsxq4uaQpBB5WFJZvYbVNCra/EeN/AaBE+xVT0e+W9P0rJnWOM 1MdQ+FFdQDQndy9HQantJh7pOYsrroIrBDC84/MvvihnAzl0cSzUv8/1 zH95Rn0TGmyP1iGtUoBR9LTspXOy6vd6bsi3x8/J/KjzHco31YeBig1j nUSvSOG+w0gOx5XWq+1jkfh8rtIVTb8gDfDRc/muamDnNQ==
;; Received 470 bytes from 192.35.51.30#53(f.gtld-servers.net) in 21 ms

www.schwab.com.         300     IN      CNAME   www.schwab.com.edgekey.net.
www.schwab.com.         300     IN      RRSIG   CNAME 8 3 300 20210313110153 20210211103625 43563 schwab.com. eVem19JCDHIfAz3hu6smc3auF2TyWg7utEy+a43wF2Mo7cODhRsxqCvw hEffohd3bn3/INLkvuMWp7Ep4tIZD/EvQDSBzA0MYpXHUJZaCkY8j1iJ 3l2A3sO9f/ovDRAM4H0ZB6thgTErDDFpNPXVvqR2C8begFeL7M07/MZM M8eIc4tLpLDXFXKzkJk9h3Dg28xN5esKKIO7eEKS5IJEBom5YqUetHaz vwSDQQSltpHj3FR9kK6tz2AcuvtVIs/02Z0ZusbtVUNUDpozDFb3B/39 kVp87DUeFMMYaRETMAxK6lfAmlKZRpTT9cjia/qn2LkNmWzfS9qgpM4s n986XQ==
;; Received 381 bytes from 162.93.253.90#53(ns1.schwab.com) in 43 ms

ANY IDEAS? 

[schnipp]

Wo vermutest Du genau den Fehler?

Falls Du die fehlende Ausgabe einer  IP-Adresse bei Aufruf von „dig @127.0.0.1 www.schwab.com +trace
“ meinst, dies ist normal. „+trace“ gibt den delegation path aus (siehe Manpage).

Edit:
Oh sorry, wrong language in this forum  . Here is the translation…

Where do you exactly suspect the issue? The missing ip address in the output of "dig @127.0.0.1 www.schwab.com +trace" looks correct, because the parameter "+trace" only returns the delegation path (see manpage).

[randomwalk]

Oh sorry, wrong language in this forum  . Here is the translation…

Where do you exactly suspect the issue? The missing ip address in the output of "dig @127.0.0.1 www.schwab.com +trace" looks correct, because the parameter "+trace" only returns the delegation path (see manpage).

I am not sure what the issue is.  If I try to dig "workplace.schwab.com" without the +trace, it times out, but dig "www.schwab.com" works fine.  I don't understand what could cause this issue.

Code: [Select]

root@OPNsense:~ # dig @127.0.0.1 workplace.schwab.com

; <<>> DiG 9.16.10 <<>> @127.0.0.1 workplace.schwab.com
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached

Code: [Select]

root@OPNsense:~ # dig @127.0.0.1 www.schwab.com

; <<>> DiG 9.16.10 <<>> @127.0.0.1 www.schwab.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45826
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;www.schwab.com.                        IN      A

;; ANSWER SECTION:
www.schwab.com.         300     IN      CNAME   www.schwab.com.edgekey.net.
www.schwab.com.edgekey.net. 21600 IN    CNAME   e17738.x.akamaiedge.net.
e17738.x.akamaiedge.net. 20     IN      A       184.24.175.152

;; Query time: 406 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sat Mar 06 11:53:51 PST 2021
;; MSG SIZE  rcvd: 133


[randomwalk]

If I set the timeout option to be a very long time, it comes back with a SERVFAIL when unbound traffic goes through the VPN and DNSSEC is enabled.

Code: [Select]

root@OPNsense:~ # dig @127.0.0.1 workplace.schwab.com +timeout=240

; <<>> DiG 9.16.10 <<>> @127.0.0.1 workplace.schwab.com +timeout=240
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 44880
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;workplace.schwab.com.          IN      A

;; Query time: 92514 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sat Mar 06 12:07:32 PST 2021
;; MSG SIZE  rcvd: 49

If I send unbound traffic through WAN, with DNSSEC still enabled, it resolves very quickly.

Code: [Select]

root@OPNsense:~ # dig @127.0.0.1 workplace.schwab.com +timeout=240

; <<>> DiG 9.16.10 <<>> @127.0.0.1 workplace.schwab.com +timeout=240
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5622
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;workplace.schwab.com.          IN      A

;; ANSWER SECTION:
workplace.schwab.com.   300     IN      CNAME   workplace.gslb.schwab.com.
workplace.gslb.schwab.com. 20   IN      A       162.93.233.50

;; Query time: 329 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sat Mar 06 12:11:47 PST 2021
;; MSG SIZE  rcvd: 94

If I send the unbound traffic through the VPN, but disable DNSSEC, it also resolves quickly.

Code: [Select]

root@OPNsense:~ # dig @127.0.0.1 workplace.schwab.com +timeout=240

; <<>> DiG 9.16.10 <<>> @127.0.0.1 workplace.schwab.com +timeout=240
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50717
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;workplace.schwab.com.          IN      A

;; ANSWER SECTION:
workplace.schwab.com.   294     IN      CNAME   workplace.gslb.schwab.com.
workplace.gslb.schwab.com. 14   IN      A       162.93.232.50

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sat Mar 06 12:13:52 PST 2021
;; MSG SIZE  rcvd: 94


[Maurice]

Probably related to packet size. DNS packets are significantly larger if they contain DNSSEC records.
Keywords for further research: EDNS, MTU, fragmentation, PMTUD, DNS over TCP vs. UDP.

[randomwalk]

Probably related to packet size. DNS packets are significantly larger if they contain DNSSEC records.
Keywords for further research: EDNS, MTU, fragmentation, PMTUD, DNS over TCP vs. UDP.

Ok, I think I solved it by adding this custom option in unbound settings:

Code: [Select]

edns-buffer-size: 4096
I had previously thought the problem might be fragmentation and looked into this EDNS setting.  But I incorrectly thought the way to solve fragmentation issues was to set the EDNS buffer size to be something small.  That obviously didn't work, which prompted me to post on this forum.  But actually, the solution was to set the buffer to be something high.  According to the internet, the default for this setting should be 4096, but that does not appear to be the case in OPNsense.  Once I manually specify this setting, it resolves fine.

Now when I run dig with unbound traffic through the VPN and DNSSEC enabled, here is the output:

Code: [Select]

root@OPNsense:~ # dig @127.0.0.1 workplace.schwab.com

; <<>> DiG 9.16.10 <<>> @127.0.0.1 workplace.schwab.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16740
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;workplace.schwab.com.          IN      A

;; ANSWER SECTION:
workplace.schwab.com.   300     IN      CNAME   workplace.gslb.schwab.com.
workplace.gslb.schwab.com. 20   IN      A       162.93.221.50

;; Query time: 112 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sat Mar 06 13:25:55 PST 2021
;; MSG SIZE  rcvd: 94

Notice that the EDNS UDP size is 4096, whereas in my previous posts, this size was 1232.

[Maurice]

Unbound default is 1232 bytes. If it works with a larger value, this might indicate that TCP fallback doesn't work through the tunnel for some reason.

[randomwalk]

Unbound default is 1232 bytes. If it works with a larger value, this might indicate that TCP fallback doesn't work through the tunnel for some reason.

I don't need to specifically open ports on my VPN interface to allow DNS to work over TCP, correct?  Otherwise, I am not sure what would be blocking when using VPN.

[schnipp]

Oh sorry, wrong language in this forum  . Here is the translation…

Where do you exactly suspect the issue? The missing ip address in the output of "dig @127.0.0.1 www.schwab.com +trace" looks correct, because the parameter "+trace" only returns the delegation path (see manpage).

I am not sure what the issue is.  If I try to dig "workplace.schwab.com" without the +trace, it times out, but dig "www.schwab.com" works fine.  I don't understand what could cause this issue.

My comment was related to the behavior of the "dig" command. We have probably misunderstood each other. Good to hear that the problem is now solved  .

[paul_a2]

Ok, I think I solved it by adding this custom option in unbound settings:

Code: [Select]

edns-buffer-size: 4096
Notice that the EDNS UDP size is 4096, whereas in my previous posts, this size was 1232.

Thank you for this: I started seeing same behaviour after upgrade to 21.1.2 (or what is latest version) - and the weird thing it was only few selected subdomains that failed to resolve. But added this as optional command in unbound settings, restarted unbound and now all works.

Weird issue that I could also run nslookup in terminal and the domains that failed to resolve did resolve - however browser (and apps on phone) did not resolve them. Rebooted everything etc before trying this fix.