<div dir="auto"><div>I agree that's it's probably a firewall or edge router causing the issue.</div><div dir="auto">Try using a different target DNS server in your dig command. (E.g. 8.8.8.8 or 9.9.9.9)</div><div dir="auto">Both SHOULD give good replies </div><div dir="auto">If you get similar results as received on your initial command, remove the +TCP and +NOSPLIT switches from the command. That will pinpoint what is going on but not where </div><div dir="auto">Make sure your router is not the culprit </div><div dir="auto"><br></div><div dir="auto">BTW, the command gets good results here for both unbound 1.24.0 and power DNS_recursor 5.3</div><div dir="auto"><br></div><div dir="auto">My $.02</div><div dir="auto"><br></div><div dir="auto">Bob</div><div><br></div><div data-smartmail="gmail_signature">Sent from my Google Pixel 9a phone.</div></div><br><div class="gmail_quote gmail_quote_container"><div dir="ltr" class="gmail_attr">On Sun, Oct 19, 2025, 08:00 <<a href="mailto:unbound-users-request@lists.nlnetlabs.nl">unbound-users-request@lists.nlnetlabs.nl</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Send Unbound-users mailing list submissions to<br>
<a href="mailto:unbound-users@lists.nlnetlabs.nl" target="_blank" rel="noreferrer">unbound-users@lists.nlnetlabs.nl</a><br>
<br>
To subscribe or unsubscribe via the World Wide Web, visit<br>
<a href="https://lists.nlnetlabs.nl/mailman/listinfo/unbound-users" rel="noreferrer noreferrer" target="_blank">https://lists.nlnetlabs.nl/mailman/listinfo/unbound-users</a><br>
or, via email, send a message with subject or body 'help' to<br>
<a href="mailto:unbound-users-request@lists.nlnetlabs.nl" target="_blank" rel="noreferrer">unbound-users-request@lists.nlnetlabs.nl</a><br>
<br>
You can reach the person managing the list at<br>
<a href="mailto:unbound-users-owner@lists.nlnetlabs.nl" target="_blank" rel="noreferrer">unbound-users-owner@lists.nlnetlabs.nl</a><br>
<br>
When replying, please edit your Subject line so it is more specific<br>
than "Re: Contents of Unbound-users digest..."<br>
<br>
<br>
Today's Topics:<br>
<br>
1. Re: unbound fails to do reverse look ups (Carlo Wood)<br>
2. Re: unbound fails to do reverse look ups (Carlo Wood)<br>
3. Re: unbound fails to do reverse look ups (M?ns Nilsson)<br>
<br>
<br>
----------------------------------------------------------------------<br>
<br>
Message: 1<br>
Date: Sat, 18 Oct 2025 17:23:14 +0200<br>
From: Carlo Wood <<a href="mailto:carlo@alinoe.com" target="_blank" rel="noreferrer">carlo@alinoe.com</a>><br>
To: <a href="mailto:unbound-users@lists.nlnetlabs.nl" target="_blank" rel="noreferrer">unbound-users@lists.nlnetlabs.nl</a><br>
Subject: Re: unbound fails to do reverse look ups<br>
Message-ID: <20251018172314.7bd17782@daniel.localdomain><br>
Content-Type: text/plain; charset="us-ascii"<br>
<br>
Hi, thanks you for your reply.<br>
<br>
The command<br>
```<br>
~>dig @f.in-addr-servers.arpa in-addr.arpa DNSKEY +dnssec +tcp +nosplit<br>
+norecurse +mult ;; communications error to 193.0.9.1#53: end of file<br>
;; communications error to 193.0.9.1#53: end of file<br>
;; communications error to 193.0.9.1#53: end of file<br>
<br>
; <<>> DiG 9.20.13 <<>> @f.in-addr-servers.arpa in-addr.arpa DNSKEY<br>
+dnssec +tcp +nosplit +norecurse +mult ; (1 server found)<br>
;; global options: +cmd<br>
;; no servers could be reached<br>
```<br>
fails.<br>
<br>
For your last command I get back:<br>
```<br>
~>dig @f.in-addr-servers.arpa. hostname.bind CH TXT +short "<a href="http://ns1.se-sto.authdns.ripe.net" rel="noreferrer noreferrer" target="_blank">ns1.se-sto.authdns.ripe.net</a>"<br>
"<a href="http://ns2.pt-lis.authdns.ripe.net" rel="noreferrer noreferrer" target="_blank">ns2.pt-lis.authdns.ripe.net</a>"<br>
```<br>
<br>
If this is indeed a firewall issue as Jan Komissar suggested then it<br>
seems hard to find out which firewall that is :/. That is, I get an "end of file"<br>
(it is pretty fast, not a real timeout). Aka, the connection is closed.<br>
What packet should can I look at the closes the connection? Will that have<br>
the address of the firewall, or address of the root server? I suspect the<br>
latter, so that the only way to find out where this happens is with timing.<br>
<br>
This is way above my pay grade however (to figure out what the "ping" is<br>
using a +norecurse DNS query packet) :/...<br>
<br>
Any ideas?<br>
<br>
Carlo<br>
<br>
-------------- next part --------------<br>
A non-text attachment was scrubbed...<br>
Name: not available<br>
Type: application/pgp-signature<br>
Size: 228 bytes<br>
Desc: OpenPGP digital signature<br>
URL: <<a href="http://lists.nlnetlabs.nl/pipermail/unbound-users/attachments/20251018/08191a6e/attachment-0001.bin" rel="noreferrer noreferrer" target="_blank">http://lists.nlnetlabs.nl/pipermail/unbound-users/attachments/20251018/08191a6e/attachment-0001.bin</a>><br>
<br>
------------------------------<br>
<br>
Message: 2<br>
Date: Sat, 18 Oct 2025 17:30:13 +0200<br>
From: Carlo Wood <<a href="mailto:carlo@alinoe.com" target="_blank" rel="noreferrer">carlo@alinoe.com</a>><br>
To: "Jan Komissar (jkomissa)" <<a href="mailto:jkomissa@cisco.com" target="_blank" rel="noreferrer">jkomissa@cisco.com</a>><br>
Cc: "<a href="mailto:unbound-users@lists.nlnetlabs.nl" target="_blank" rel="noreferrer">unbound-users@lists.nlnetlabs.nl</a>"<br>
<<a href="mailto:unbound-users@lists.nlnetlabs.nl" target="_blank" rel="noreferrer">unbound-users@lists.nlnetlabs.nl</a>><br>
Subject: Re: unbound fails to do reverse look ups<br>
Message-ID: <20251018173013.22cdc68e@daniel.localdomain><br>
Content-Type: text/plain; charset=US-ASCII<br>
<br>
Hello Jan,<br>
<br>
thank you for your reply!<br>
<br>
Why would any firewall go so far as to specifically filter on DNS<br>
queries with certain flags?! I didn't even know that was possible :/.<br>
<br>
Could this be done by my ISP? If so, is there a way I can find out<br>
where exactly this filtering happens? I am using a Linksys Router<br>
that still has the firmware of VPNExpress on it, even though I no<br>
longer have an account there. I suppose that theoretically it is<br>
possible that even my own router does this, because DNS (leakage)<br>
is a VPN thing - if that is the case then I want to switch back to<br>
opensource firmware... In that case the closing of the connection<br>
should be sub-millisecond I think. I wonder if I can measure that<br>
easily?<br>
<br>
Carlo<br>
<br>
On Fri, 17 Oct 2025 21:22:24 +0000<br>
"Jan Komissar (jkomissa)" <<a href="mailto:jkomissa@cisco.com" target="_blank" rel="noreferrer">jkomissa@cisco.com</a>> wrote:<br>
<br>
> Your result may be caused by a misconfigured firewall that<br>
> drops outgoing DNS queries without the recursion flag set.<br>
<br>
<br>
------------------------------<br>
<br>
Message: 3<br>
Date: Sat, 18 Oct 2025 20:17:16 +0200<br>
From: M?ns Nilsson <<a href="mailto:mansaxel@besserwisser.org" target="_blank" rel="noreferrer">mansaxel@besserwisser.org</a>><br>
To: Carlo Wood <<a href="mailto:carlo@alinoe.com" target="_blank" rel="noreferrer">carlo@alinoe.com</a>><br>
Cc: <a href="mailto:unbound-users@lists.nlnetlabs.nl" target="_blank" rel="noreferrer">unbound-users@lists.nlnetlabs.nl</a><br>
Subject: Re: unbound fails to do reverse look ups<br>
Message-ID: <<a href="mailto:aPPZrEsn-uyCOwqx@besserwisser.org" target="_blank" rel="noreferrer">aPPZrEsn-uyCOwqx@besserwisser.org</a>><br>
Content-Type: text/plain; charset="utf-8"<br>
<br>
Subject: Re: unbound fails to do reverse look ups Date: Sat, Oct 18, 2025 at 05:23:14PM +0200 Quoting Carlo Wood via Unbound-users (<a href="mailto:unbound-users@lists.nlnetlabs.nl" target="_blank" rel="noreferrer">unbound-users@lists.nlnetlabs.nl</a>):<br>
<br>
> Any ideas?<br>
<br>
The DNS firewall blocks DNS traffic via TCP but not UDP If I had a<br>
Eurocent every time a stupid firewall admin does that, I could devote<br>
all my time to answering questions on mailing lists pro bono! :-) .<br>
Since the refusing reply arrives fast, it probably is in the form of a<br>
ICMP unreachable. <br>
<br>
Looking at traffic on the machine while asking the question, using a<br>
tool like tcpdump and writing to file, to filter in Wireshark later,<br>
probably is the best way to check this hypothesis.<br>
<br>
What you are looking for is a TCP RST or ICMP unreach packet, and it<br>
just might, if it is a ICMP one, contain the ip address of the offender.<br>
<br>
My speculation here is that you normally don't end up with large answers<br>
that trigger re-query over TCP (when the reply is large enough so as to<br>
trigger the Truncated bit being set and most resolver servers re-query<br>
via TCP when this happens.) except when you look up reverses which are<br>
signed. And the /8 delegations to RIR infrastructure typically are signed.<br>
<br>
-- <br>
M?ns Nilsson primary/secondary/besserwisser/machina<br>
MN-1334-RIPE SA0XLR +46 705 989668<br>
Yow! And then we could sit on the hoods of cars at stop lights!<br>
-------------- next part --------------<br>
A non-text attachment was scrubbed...<br>
Name: signature.asc<br>
Type: application/pgp-signature<br>
Size: 833 bytes<br>
Desc: not available<br>
URL: <<a href="http://lists.nlnetlabs.nl/pipermail/unbound-users/attachments/20251018/d7b7c69e/attachment-0001.bin" rel="noreferrer noreferrer" target="_blank">http://lists.nlnetlabs.nl/pipermail/unbound-users/attachments/20251018/d7b7c69e/attachment-0001.bin</a>><br>
<br>
------------------------------<br>
<br>
Subject: Digest Footer<br>
<br>
_______________________________________________<br>
Unbound-users mailing list<br>
<a href="mailto:Unbound-users@lists.nlnetlabs.nl" target="_blank" rel="noreferrer">Unbound-users@lists.nlnetlabs.nl</a><br>
<a href="https://lists.nlnetlabs.nl/mailman/listinfo/unbound-users" rel="noreferrer noreferrer" target="_blank">https://lists.nlnetlabs.nl/mailman/listinfo/unbound-users</a><br>
<br>
<br>
------------------------------<br>
<br>
End of Unbound-users Digest, Vol 70, Issue 4<br>
********************************************<br>
</blockquote></div>