Bug 228210

Summary: 11.2-BETA1 - DNS resolution does not work with local_unbound; cannot ping with local_unbound disabled
Product: Base System
Reporter: Patrick McMunn <doctorwhoguy>
Component: misc
Assignee: Dag-Erling Smørgrav <des>
Status: Closed Works As Intended
Severity: Affects Only Me
CC: des, emaste, net, rgrimes
Priority: ---
Keywords: regression
Version: 11.1-STABLE
Hardware: Any
OS: Any

Description Patrick McMunn 2018-05-13 03:24:53 UTC
I've only tested this on an Acer Aspire One D255, but this was an issue with a recent 11.1-STABLE snapshot and is still true with 11.2-BETA1. I had no problems with 11.0 or 11.1 RELEASE on this same netbook. On a completely fresh installation with local_unbound enabled, I am able to ping IP addresses but cannot ping domain names. I also tried disabling local_unbound, but then I was unable to even ping IP addresses (even on my LAN). In the case of local_unbound being disabled, /etc/resolv.conf was being automatically generated with the correct DNS nameserver info from DHCP, so I could not figure out why I wasn't able to ping anything (including my router).

The only solution that has worked for me was the advice I found at https://forums.freebsd.org/threads/unbound.60475/ which suggested that I add

module-config: iterator

to /var/unbound/unbound.conf. The networking mostly worked, with local_unbound enabled, after that change. It was kind of flaky after that where it would work for a while then stop until rebooting. Then after a few reboots it seemed somewhat reliable. In any case, the line which I added was absent from the config for 11.1-RELEASE, and it worked just fine under 11.1-RELEASE. And to the best of my recollection, it also worked fine with local_unbound disabled under 11.1-RELEASE. So there has apparently been some kind of regression.
Comment 1 Dag-Erling Smørgrav freebsd_committer freebsd_triage 2018-05-14 06:09:14 UTC
What that configuration line does is disable DNSSEC, which is half the point of running Unbound in the first place.

There is absolutely no difference in Unbound between 11.0-R, 11.1-R and 11.1-S.  Not a single line of code.  If it worked on one but not on the other, there were differences in your environment.

There is also no way Unbound or its absence can prevent you from sending or receiving packets.

I suggest using `traceroute -n` instead of or in addition to `ping`; it will show you not only whether the target is reachable, but where the problem lies.  Let it run for at least 30 seconds before interrupting it, and if it shows even *one* line with actual numbers instead of “* * *”, the problem is not on your own machine but somewhere upstream.

The following assumes that you are on a dynamically configured IPv4 network.

When Unbound doesn't seem to be working, start by checking that the latest stanza in /var/db/dhclient.leases.<interface-name> is recent (the “renew”, “rebind” and “expire” dates are all in the future) and that it contains an “option domain-name-servers” line.  Try that IP address with drill(8).  If it doesn't respond, then your network is misconfigured.

Check that the address you got in the previous step matches the “forward-addr” line in /var/unbound/forward.conf.  If it doesn't, there is something wrong with dhclient(8) or resolvconf(8).  Try to edit forward.conf yourself and restart the local_unbound service.

Run `netstat -4rn | grep default` and check that it matches the address on the “option routers” line in dhclient.leases.  Run `route -4n get <nameserver-address>` and check that the “interface” line shows your external network interface and that the “gateway” line shows the same address that you got from netstat(8) earlier.  Try `service netif restart <interface> && service dhclient restart <interface>`.

If none of the above works, send me a detailed log of all the commands that you tried and their output, as well as the last stanza from dhclient.leases and the full output from `ifconfig -v` and `netstat -4rn`.
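The cross-checks in comment 1 (latest dhclient.leases stanza still valid, its domain-name-servers address equal to the forward-addr in /var/unbound/forward.conf, its routers option equal to the default route) are automated below as an added example; this is not code from the bug report or from FreeBSD. The leases file and forward.conf are constructed samples in the layout dhclient(8) and local-unbound-setup(8) write, and the default gateway is passed in as an argument rather than read from netstat(8) so the script runs offline; on a real host use /var/db/dhclient.leases.<ifname>, /var/unbound/forward.conf and the gateway from `netstat -4rn | grep default`.

```shell
#!/bin/sh
# Added example, not code from the bug report: automates the dhclient.leases /
# forward.conf / default-route cross-checks from comment 1. The leases file,
# forward.conf and gateway below are constructed sample input.

# Print the last "lease { ... }" stanza of a dhclient.leases file.
last_lease_stanza() {
    awk '/^lease [{]/ { buf = "" } { buf = buf $0 "\n" } END { printf "%s", buf }' "$1"
}

# From a stanza on stdin, print the first address of "option <name>"
# (dhclient writes several addresses comma-separated, terminated by ';').
lease_option() {
    awk -v opt="$1" '$1 == "option" && $2 == opt { sub(/[;,].*/, "", $3); print $3; exit }'
}

# First forward-addr in an unbound forward.conf.
forward_addr() {
    awk '$1 == "forward-addr:" { print $2; exit }' "$1"
}

# Succeed only if renew, rebind and expire in the stanza on stdin are all
# later than $1, given in dhclient's own "YYYY/MM/DD HH:MM:SS" UTC format
# (fixed width after zero-padding, so a string comparison orders them).
lease_is_current() {
    awk -v now="$1" '
        $1 == "renew" || $1 == "rebind" || $1 == "expire" {
            split($3, d, "/"); t = $4; sub(/;$/, "", t)
            stamp = sprintf("%04d/%02d/%02d %s", d[1], d[2], d[3], t)
            if (stamp <= now) stale = 1
        }
        END { if (stale) exit 1; exit 0 }'
}

# Cross-check lease, forward.conf and default route. Arguments: leases file,
# forward.conf, default gateway (as shown by netstat), current UTC time.
# Prints one line per finding; returns non-zero if anything disagrees.
check_resolver_setup() {
    stanza=$(last_lease_stanza "$1")
    ns=$(printf '%s\n' "$stanza" | lease_option domain-name-servers)
    rt=$(printf '%s\n' "$stanza" | lease_option routers)
    fa=$(forward_addr "$2")
    rc=0
    if [ -z "$ns" ]; then
        echo "FAIL: lease has no 'option domain-name-servers' line"; rc=1
    fi
    if ! printf '%s\n' "$stanza" | lease_is_current "$4"; then
        echo "FAIL: lease renew/rebind/expire are not all in the future"; rc=1
    fi
    if [ "$ns" != "$fa" ]; then
        echo "FAIL: lease nameserver '$ns' != forward-addr '$fa' (dhclient/resolvconf did not update forward.conf)"; rc=1
    fi
    if [ "$rt" != "$3" ]; then
        echo "FAIL: lease routers '$rt' != default route '$3'"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: nameserver $ns and gateway $3 agree across lease, forward.conf and routing table"
    return "$rc"
}

# Constructed sample input: an expired stanza followed by the current one.
tmp=$(mktemp -d)
cat > "$tmp/dhclient.leases.em0" <<'EOF'
lease {
  interface "em0";
  fixed-address 192.168.1.50;
  option routers 192.168.1.1;
  option domain-name-servers 10.0.0.1;
  renew 0 2018/05/13 10:00:00;
  rebind 0 2018/05/13 22:00:00;
  expire 1 2018/05/14 01:00:00;
}
lease {
  interface "em0";
  fixed-address 192.168.1.50;
  option routers 192.168.1.1;
  option domain-name-servers 192.168.1.1,9.9.9.9;
  renew 2 2038/01/01 00:00:00;
  rebind 2 2038/01/01 06:00:00;
  expire 2 2038/01/01 12:00:00;
}
EOF
printf 'forward-zone:\n\tname: .\n\tforward-addr: 192.168.1.1\n' > "$tmp/forward.conf"
printf 'forward-zone:\n\tname: .\n\tforward-addr: 10.0.0.1\n' > "$tmp/forward.stale"

now=$(date -u '+%Y/%m/%d %H:%M:%S')
check_resolver_setup "$tmp/dhclient.leases.em0" "$tmp/forward.conf" 192.168.1.1 "$now"
check_resolver_setup "$tmp/dhclient.leases.em0" "$tmp/forward.stale" 192.168.1.1 "$now"
```

The second call reproduces the mismatch case from comment 1 (forward.conf still carrying an old nameserver), which is the one to fix by editing forward.conf and restarting local_unbound; a failing routers check points at dhclient or the routing table rather than at Unbound.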
Comment 2 Rodney W. Grimes freebsd_committer freebsd_triage 2018-05-14 06:26:58 UTC
I would also suggest, when you do attempt to ping a numeric address, including the -n option to ping; otherwise you may still get a significant delay, which looks like a non-response situation, if reverse DNS cannot be obtained for any given IP address.
Comment 3 Patrick McMunn 2018-05-21 02:11:37 UTC
I've been busy the past week, so it wasn't until the weekend that I could follow up. I tried Dag-Erling's troubleshooting steps. Traceroute and drill definitely showed some problems. So I did a bunch of Googling, reading, and tinkering with my router and with config file settings. In the end, it turns out that the problem was that OpenDNS, the nameservers I had been using, do not support DNSSEC. Honestly I didn't realize that unbound was enabling DNSSEC by default. I had been using it only for the DNS caching. But once I changed the DNS nameservers being served by DHCP in my router to a nameserver that supports DNSSEC (Quad9), everything started working fine.

So I feel a bit sheepish about opening this bug. But judging by the number of forum posts and some mailing list questions I found from other people who experienced this same problem, and the fact that the only solution anyone offered was to disable DNSSEC (even if they didn't know that's what they were doing), it may be that this should be better documented somewhere. Unbound is advertised simply as a caching nameserver, so, like me, I suspect a lot of people are enabling it for that purpose, unaware of its DNSSEC features, and then they have no idea why DNS resolution isn't working.

In any case, thank you for your help.
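Comment 3 pins the failure on an upstream resolver that did not hand back DNSSEC data, which local_unbound's validator needs before it will answer. The function below, an added example that is not part of the bug report or of Unbound, classifies the output of `drill -D <name> @<upstream>` (the -D flag sets the DO bit) so that case can be recognised directly. The three drill transcripts are constructed for the example (example.com, the 192.0.2.1 documentation address, a truncated signature), not captured output, and their exact layout is an assumption; the parser only relies on the `;; flags:` line and the RRSIG type field in the answer section.

```shell
#!/bin/sh
# Added example, not code from the bug report: classify the output of
#   drill -D <name> @<upstream>
# to tell whether a forwarder returns the DNSSEC records that local
# unbound's validator needs. The transcripts below are constructed.

# Reads drill output on stdin and prints one word:
#   validated - AD flag set: the upstream validated the answer itself
#   signed    - RRSIG records in the answer but no AD: DNSSEC data is
#               passed through, so local unbound can validate it
#   stripped  - no RRSIG at all: local unbound's validator has nothing to
#               check and answers SERVFAIL for signed zones (comment 3)
# Exit status: 0 for validated/signed, 1 for stripped.
classify_drill_output() {
    awk '
        /^;; flags:/               { if ($0 ~ / ad[ ;]/) ad = 1 }
        /^;; ANSWER SECTION:/      { in_answer = 1; next }
        /^;; /                     { in_answer = 0 }
        in_answer && $4 == "RRSIG" { sig = 1 }
        END {
            if (ad)  { print "validated"; exit 0 }
            if (sig) { print "signed";    exit 0 }
            print "stripped"; exit 1
        }'
}

# Build a constructed drill-style transcript: $1 = flags, $2 = answer RRs,
# $3 = server address.
transcript() {
    printf ';; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 4711\n'
    printf ';; flags: %s ; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1\n' "$1"
    printf ';; QUESTION SECTION:\n;; example.com.\tIN\tA\n\n;; ANSWER SECTION:\n'
    printf '%s\n' "$2"
    printf '\n;; AUTHORITY SECTION:\n\n;; ADDITIONAL SECTION:\n\n;; SERVER: %s\n' "$3"
}

A_RR='example.com.    3600    IN    A       192.0.2.1'
RRSIG_RR='example.com.    3600    IN    RRSIG   A 8 2 3600 20180601000000 20180501000000 4242 example.com. MIIB...'

# Validating upstream: AD set and the signature returned.
sample_validated() { transcript 'qr rd ra ad' "$A_RR
$RRSIG_RR" 9.9.9.9; }
# Non-validating but DNSSEC-transparent upstream: signature, no AD.
sample_signed()    { transcript 'qr rd ra' "$A_RR
$RRSIG_RR" 192.168.1.1; }
# Upstream that strips DNSSEC: plain A record only.
sample_stripped()  { transcript 'qr rd ra' "$A_RR" 192.168.1.1; }

for s in sample_validated sample_signed sample_stripped; do
    printf '%s: ' "$s"
    $s | classify_drill_output
done
```

On a real host run the query twice: against the address in /var/unbound/forward.conf and against 127.0.0.1. A "stripped" result from the upstream together with SERVFAIL from local unbound is the situation in comment 3, and the fix that keeps validation is the one the reporter used (a DNSSEC-capable upstream), whereas `module-config: iterator` only removes the validator. Treat an AD bit from a forwarder as informational: unbound validates the RRSIGs itself rather than trusting AD over the network, which is why the presence of RRSIG records is the check that matters.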