Core 131 with unbound error

General questions.
Post Reply
JonM
Posts: 88
Joined: August 4th, 2017, 5:49 pm
Location: US

Core 131 with unbound error

Post by JonM » May 18th, 2019, 2:47 am

I updated from Core 130 to Core 131 yesterday and I am getting lots of unbound errors. (No unbound errors in Core 130). Most are related to NTP but some are related to other sites and some are related to rDNS.

Code: Select all

[root@ipfire ~]# grep validation /var/log/messages
. . . 
May 17 14:55:16 ipfire unbound: [1527:2] info: validation failure 14.138.207.34.in-addr.arpa. PTR IN
May 17 14:55:18 ipfire unbound: [1527:1] info: validation failure 14.138.207.34.in-addr.arpa. PTR IN
May 17 15:48:49 ipfire unbound: [1527:3] info: validation failure 0.iPfIRe.PooL.nTP.OrG. A IN
May 17 15:48:55 ipfire unbound: [1527:1] info: validation failure 0.IpfiRE.pooL.nTP.ORg. AAAA IN
May 17 15:48:55 ipfire unbound: [1527:2] info: validation failure 0.iPFIRE.POOl.nTp.oRg. A IN
May 17 15:48:55 ipfire unbound: [1527:0] info: validation failure 0.IPfIre.poOl.Ntp.org. AAAA IN
May 17 16:23:17 ipfire unbound: [1527:2] info: validation failure north-america.pool.ntp.org. A IN
May 17 16:23:22 ipfire unbound: [1527:0] info: validation failure north-america.pool.ntp.org. A IN
May 17 16:23:24 ipfire unbound: [1527:3] info: validation failure north-america.pool.ntp.org. A IN
May 17 19:23:17 ipfire unbound: [1527:2] info: validation failure north-america.pool.ntp.org. A IN
May 17 19:23:22 ipfire unbound: [1527:3] info: validation failure north-america.pool.ntp.org. A IN
May 17 20:23:17 ipfire unbound: [1527:1] info: validation failure north-america.pool.ntp.org. A IN
May 17 20:23:22 ipfire unbound: [1527:3] info: validation failure north-america.pool.ntp.org. A IN
May 17 20:23:27 ipfire unbound: [1527:0] info: validation failure north-america.pool.ntp.org. A IN
May 17 21:14:26 ipfire unbound: [1527:3] info: validation failure 1.1.1.1.in-addr.arpa. PTR IN
May 17 21:14:36 ipfire unbound: [1527:0] info: validation failure 1.0.0.1.in-addr.arpa. PTR IN
May 17 21:16:11 ipfire unbound: [1527:3] info: validation failure i-use.ipfire.org. A IN
Looking at the DNSSEC Information (menu Status > Network-external):
Screen Shot 2019-05-17 at 9.15.26 PM.png

I'm really not sure how to fix. I deleted the DNS at "Assign DNS server addresses only for DHCP on red0" (menu Network > Assign DNS Server). It was set to Cloudflare 1.1.1.1. Hopefully that will help.

I don't use DoT (not that I know of) but I've seen similars errors in the unbound - DoT thread. Could that be related?

EDIT: Replace image with text.
Production:
Image

Testing Raspi 3B+:
Image

JonM
Posts: 88
Joined: August 4th, 2017, 5:49 pm
Location: US

Re: Core 131 with unbound error

Post by JonM » May 20th, 2019, 6:18 pm

The above seems to be related to the new IPS. If I turn IPS off then all works OK. Once I turn IPS back on then I start getting the validation failure errors. Below is what I see once IPS is on for RED only:

Code: Select all

[root@ipfire ~]# grep validation /var/log/messages
May 20 12:31:09 ipfire unbound: [1507:2] info: validation failure ocsp.int-x3.letsencrypt.org. A IN
May 20 12:31:32 ipfire unbound: [1507:2] info: validation failure email.mg.hackster.io. A IN
May 20 12:31:48 ipfire unbound: [1507:2] info: validation failure pool.ntp.org. A IN
May 20 12:32:12 ipfire unbound: [1507:1] info: validation failure pool.ntp.org. A IN
May 20 12:42:26 ipfire unbound: [1507:0] info: validation failure pool.ntp.org. A IN
May 20 12:43:20 ipfire unbound: [1507:0] info: validation failure pool.ntp.org. A IN
May 20 12:45:05 ipfire unbound: [1507:3] info: validation failure pool.ntp.org. A IN
May 20 12:45:31 ipfire unbound: [1507:1] info: validation failure pool.ntp.org. A IN
May 20 12:46:02 ipfire unbound: [1507:2] info: validation failure email.mg.hackster.io. A IN
May 20 12:46:25 ipfire unbound: [1507:3] info: validation failure pool.ntp.org. A IN
May 20 12:48:00 ipfire unbound: [1507:2] info: validation failure pool.ntp.org. A IN
May 20 12:48:50 ipfire unbound: [1507:2] info: validation failure pool.ntp.org. A IN
May 20 12:51:13 ipfire unbound: [1507:1] info: validation failure pool.ntp.org. A IN
May 20 12:51:14 ipfire unbound: [1507:3] info: validation failure pool.ntp.org. A IN
May 20 12:51:57 ipfire unbound: [1507:3] info: validation failure pool.ntp.org. A IN
May 20 12:53:39 ipfire unbound: [1507:2] info: validation failure pool.ntp.org. A IN
May 20 12:54:29 ipfire unbound: [1507:2] info: validation failure pool.ntp.org. A IN
May 20 12:54:35 ipfire unbound: [1507:0] info: validation failure pool.ntp.org. A IN
May 20 12:55:29 ipfire unbound: [1507:0] info: validation failure pool.ntp.org. A IN
May 20 12:55:29 ipfire unbound: [1507:2] info: validation failure pool.ntp.org. A IN
May 20 12:56:18 ipfire unbound: [1507:3] info: validation failure pool.ntp.org. A IN
May 20 12:56:32 ipfire unbound: [1507:1] info: validation failure pool.ntp.org. A IN
May 20 12:57:26 ipfire unbound: [1507:0] info: validation failure pool.ntp.org. A IN
May 20 13:01:34 ipfire unbound: [1507:0] info: validation failure pool.ntp.org. A IN
May 20 13:01:45 ipfire unbound: [1507:3] info: validation failure pool.ntp.org. A IN
May 20 13:02:02 ipfire unbound: [1507:1] info: validation failure pool.ntp.org. A IN
May 20 13:02:13 ipfire unbound: [1507:2] info: validation failure pool.ntp.org. A IN
May 20 13:03:07 ipfire unbound: [1507:2] info: validation failure pool.ntp.org. A IN
[root@ipfire ~]# 

Here are the IPS Logs (menu Logs > IPS Logs):

Code: Select all

IPFire IPS log
Date: 20 May

Date: 05/20 13:04:13
Name: ET SCAN Sipvicious User-Agent Detected (friendly-scanner)
Priority: 2
Type: Attempted Information Leak
IP Info: 185.53.88.242:5237 -> 24.12.xxx.xxx:5060
SID: 2011716
Refs: 

Date: 05/20 13:04:13
Name: ET SCAN Sipvicious Scan
Priority: 2
Type: Attempted Information Leak
IP Info: 185.53.88.242:5237 -> 24.12.xxx.xxx:5060
SID: 2008578
Refs: 

Date: 05/20 13:01:00
Name: ET SCAN Suspicious inbound to mySQL port 3306
Priority: 2
Type: Potentially Bad Traffic
IP Info: 222.186.172.54:6000 -> 24.12.xxx.xxx:3306
SID: 2010937
Refs: 

Date: 05/20 12:48:00
Name: ET SCAN Sipvicious User-Agent Detected (friendly-scanner)
Priority: 2
Type: Attempted Information Leak
IP Info: 77.247.110.23:5435 -> 24.12.xxx.xxx:5060
SID: 2011716
Refs: 

Date: 05/20 12:48:00
Name: ET SCAN Sipvicious Scan
Priority: 2
Type: Attempted Information Leak
IP Info: 77.247.110.23:5435 -> 24.12.xxx.xxx:5060
SID: 2008578
Refs: 

Date: 05/20 12:40:01
Name: ET SCAN Sipvicious User-Agent Detected (friendly-scanner)
Priority: 2
Type: Attempted Information Leak
IP Info: 77.247.109.214:5083 -> 24.12.xxx.xxx:5060
SID: 2011716
Refs: 

Date: 05/20 12:40:01
Name: ET SCAN Sipvicious Scan
Priority: 2
Type: Attempted Information Leak
IP Info: 77.247.109.214:5083 -> 24.12.xxx.xxx:5060
SID: 2008578
Refs: 

Date: 05/20 12:29:10
Name: ET SCAN Suspicious inbound to PostgreSQL port 5432
Priority: 2
Type: Potentially Bad Traffic
IP Info: 107.170.192.103:43971 -> 24.12.xxx.xxx:5432
SID: 2010939
Refs: 

There is noting in the Intrusion Prevention log (menu Logs > System Logs >> Intrusion Prevention):
Screen Shot 2019-05-20 at 1.12.24 PM.png
Production:
Image

Testing Raspi 3B+:
Image

dominictayloruk
Posts: 1
Joined: Yesterday, 2:02 pm

Re: Core 131 with unbound error

Post by dominictayloruk » Yesterday, 2:06 pm

I've added 1.1.1.1 and 1.0.0.1 to whitelisted hosts and haven't had a problem so far.

EDIT: 6 Hours on and we have issues resolving DNS queries again

Post Reply