# Cannot resolve www.FreeBSD.org but can resolve www.google.com



## Alfatrion (Apr 30, 2015)

I'm installing FreeBSD 10.1. That is to say I have it up and running, using the DHCP client.

`portsnap fetch` results in no mirrors found. When I try to ping portsnap.FreeBSD.org it fails. When I try to ping www.FreeBSD.org it fails. But when I try www.google.com it succeeds.

I have a Windows machine on the same network and that can ping FreeBSD.org. Any ideas as to what can be causing this behavior?


----------



## diizzy (Apr 30, 2015)

`cat /etc/resolv.conf`
Paste output


----------



## Alfatrion (May 3, 2015)

```
# nameserver 192.168.1.1
nameserver 127.0.0.1
options edns0
```
When I use the first address it works fine. I have unbound running. Just the default config from FreeBSD-10.1 (r282111).

`cat /etc/unbound/unbound.conf`

```
# Generated by local-unbound-setup
server:
  username: unbound
  directory: /var/unbound
  chroot: /var/unbound
  pidfile: /var/run/local_unbound.pid
  auto-trust-anchor-file: /var/unbound/root.key

include: /var/unbound/forward.conf
include: /var/unbound/lan-zones.conf
include: /var/unbound/conf.d/*.conf
```

`cat /var/unbound/{forward,lan-zones}.conf`

```
# Generated by resolvconf
# Generated by local-unbound-setup
# Do not edit this file.
server:
  # Unblock reverse lookups for LAN addresses
  unblock-lan-zones: yes
  domain-insecure: 10.in-addr.arpa.
  domain-insecure: 127.in-addr.arpa.
  domain-insecure: 16.172.in-addr.arpa.
  domain-insecure: 17.172.in-addr.arpa.
  domain-insecure: 18.172.in-addr.arpa.
  domain-insecure: 19.172.in-addr.arpa.
  domain-insecure: 20.172.in-addr.arpa.
  domain-insecure: 21.172.in-addr.arpa.
  domain-insecure: 22.172.in-addr.arpa.
  domain-insecure: 23.172.in-addr.arpa.
  domain-insecure: 24.172.in-addr.arpa.
  domain-insecure: 25.172.in-addr.arpa.
  domain-insecure: 26.172.in-addr.arpa.
  domain-insecure: 27.172.in-addr.arpa.
  domain-insecure: 28.172.in-addr.arpa.
  domain-insecure: 29.172.in-addr.arpa.
  domain-insecure: 30.172.in-addr.arpa.
  domain-insecure: 31.172.in-addr.arpa.
  domain-insecure: 168.192.in-addr.arpa.
  domain-insecure: 254.169.in-addr.arpa.
  domain-insecure: d.f.ip6.arpa.
  domain-insecure: 8.e.ip6.arpa.
  domain-insecure: 9.e.ip6.arpa.
  domain-insecure: a.e.ip6.arpa.
  domain-insecure: b.e.ip6.arpa.
```

The directory /var/unbound/conf.d/ is empty.

Could it have something to do with:

FreeBSD Handbook - Domain Name System (DNS) said:

> If any of the listed nameservers do not support DNSSEC, local DNS resolution will fail. Be sure to test each nameserver and remove any that fail the test. The following command will show the trust tree or a failure for a nameserver running on 192.168.1.1:



https://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/network-dns.html


----------



## junovitch@ (May 3, 2015)

Going out on a limb here, but are you using a firewall and, if so, are you allowing fragment reassembly? If you are not using a firewall then never mind. With a firewall and no rule for fragment reassembly the packet size of a reply with DNSSEC is bigger than normal and usually gets fragmented, hence the need to account for it at the firewall.

Other ideas: run through a handful of different tests and see where things work and where they don't. There will likely be some clues in here if you post the output of the following.
`drill www.FreeBSD.org`
`drill -T www.FreeBSD.org`
`drill -S www.FreeBSD.org`
`drill -4 @ns0.FreeBSD.org www.FreeBSD.org`
`drill -6 @ns0.FreeBSD.org www.FreeBSD.org`


----------



## ds_aim (May 6, 2015)

Replace /etc/resolv.conf:

```
nameserver 8.8.8.8
nameserver 127.0.0.1
options edns0
```


----------



## Alfatrion (May 6, 2015)

junovitch said:


> Going out on a limb here, but are you using a firewall and, if so, are you allowing fragment reassembly?


No firewall. The FreeBSD install is fresh. I find it so weird that this works for some addresses and doesn't work for other addresses.

*When using 127.0.0.1 in resolv.conf*
`drill www.FreeBSD.org`

```
;; ->>HEADER<<- opcode: QUERY, rcode: SERVFAIL, id: 45413
;; flags: qr rd ra ; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;; www.freebsd.org.  IN  A

;; ANSWER SECTION:

;; AUTHORITY SECTION:

;; ADDITIONAL SECTION:

;; Query time: 0 msec
;; SERVER: 127.0.0.1
;; WHEN: Wed May  6 19:37:36 2015
;; MSG SIZE  rcvd: 33
```

`drill -T www.FreeBSD.org`

```
org.  172800  IN  NS  a0.org.afilias-nst.info.
org.  172800  IN  NS  c0.org.afilias-nst.info.
org.  172800  IN  NS  b2.org.afilias-nst.org.
org.  172800  IN  NS  b0.org.afilias-nst.org.
org.  172800  IN  NS  a2.org.afilias-nst.info.
org.  172800  IN  NS  d0.org.afilias-nst.org.
freebsd.org.  86400  IN  NS  ns1.isc-sns.net.
freebsd.org.  86400  IN  NS  ns2.isc-sns.com.
freebsd.org.  86400  IN  NS  ns3.isc-sns.info.
freebsd.org.  86400  IN  NS  ns1.isc-sns.net.
freebsd.org.  86400  IN  NS  ns2.isc-sns.com.
freebsd.org.  86400  IN  NS  ns3.isc-sns.info.
ns1.isc-sns.net.freebsd.org.  86400  IN  NS  ns1.isc-sns.net.
freebsd.org.  86400  IN  NS  ns2.isc-sns.com.
freebsd.org.  86400  IN  NS  ns3.isc-sns.info.
ns2.isc-sns.com.freebsd.org.  86400  IN  NS  ns1.isc-sns.net.
freebsd.org.  86400  IN  NS  ns2.isc-sns.com.
freebsd.org.  86400  IN  NS  ns3.isc-sns.info.
ns3.isc-sns.info.www.freebsd.org.  600  IN  CNAME  wfe0.ysv.freebsd.org.
wfe0.ysv.freebsd.org.  600  IN  A  8.8.178.110
freebsd.org.  600  IN  NS  ns2.isc-sns.com.
freebsd.org.  600  IN  NS  ns3.isc-sns.info.
freebsd.org.  600  IN  NS  ns1.isc-sns.net.
```

`drill -S www.FreeBSD.org`

```
;; Number of trusted keys: 1
;; Chasing: www.freebsd.org. A


DNSSEC Trust tree:
www.freebsd.org. (CNAME)
|---freebsd.org. (DNSKEY keytag: 60981 alg: 8 flags: 256)
  |---freebsd.org. (DNSKEY keytag: 25814 alg: 8 flags: 257)
  |---freebsd.org. (DS keytag: 25814 digest type: 2)
No trusted keys found in tree: first error was: No DNSSEC public key(s)
;; Chase failed.
```

`drill -4 @ns0.FreeBSD.org www.FreeBSD.org`

```
Error: could not find any address for the name: `ns0.FreeBSD.org'
```

`drill -6 @ns0.FreeBSD.org www.FreeBSD.org`

```
Error: could not find any address for the name: `ns0.FreeBSD.org'
```


*When using 196.168.1.1 in resolv.conf*
`drill www.FreeBSD.org`

```
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 29143
;; flags: qr rd ra ; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;; www.FreeBSD.org.  IN  A

;; ANSWER SECTION:
www.FreeBSD.org.  599  IN  CNAME  wfe0.ysv.FreeBSD.org.
wfe0.ysv.FreeBSD.org.  599  IN  A  8.8.178.110

;; AUTHORITY SECTION:

;; ADDITIONAL SECTION:

;; Query time: 31 msec
;; SERVER: 192.168.1.1
;; WHEN: Wed May  6 19:51:56 2015
;; MSG SIZE  rcvd: 72
```

`drill -S www.FreeBSD.org`

```
;; Number of trusted keys: 1
;; Chasing: www.freebsd.org. A


DNSSEC Trust tree:
www.freebsd.org. (CNAME)
|---freebsd.org. (DNSKEY keytag: 60981 alg: 8 flags: 256)
  |---freebsd.org. (DNSKEY keytag: 25814 alg: 8 flags: 257)
  |---freebsd.org. (DS keytag: 25814 digest type: 2)
No trusted keys found in tree: first error was: No DNSSEC public key(s)
;; Chase failed.
```

`drill -T www.FreeBSD.org`

```
org.  172800  IN  NS  a0.org.afilias-nst.info.
org.  172800  IN  NS  c0.org.afilias-nst.info.
org.  172800  IN  NS  d0.org.afilias-nst.org.
org.  172800  IN  NS  b0.org.afilias-nst.org.
org.  172800  IN  NS  b2.org.afilias-nst.org.
org.  172800  IN  NS  a2.org.afilias-nst.info.
freebsd.org.  86400  IN  NS  ns1.isc-sns.net.
freebsd.org.  86400  IN  NS  ns2.isc-sns.com.
freebsd.org.  86400  IN  NS  ns3.isc-sns.info.
freebsd.org.  86400  IN  NS  ns1.isc-sns.net.
freebsd.org.  86400  IN  NS  ns2.isc-sns.com.
freebsd.org.  86400  IN  NS  ns3.isc-sns.info.
ns1.isc-sns.net.freebsd.org.  86400  IN  NS  ns1.isc-sns.net.
freebsd.org.  86400  IN  NS  ns2.isc-sns.com.
freebsd.org.  86400  IN  NS  ns3.isc-sns.info.
ns2.isc-sns.com.freebsd.org.  86400  IN  NS  ns1.isc-sns.net.
freebsd.org.  86400  IN  NS  ns2.isc-sns.com.
freebsd.org.  86400  IN  NS  ns3.isc-sns.info.
ns3.isc-sns.info.www.freebsd.org.  600  IN  CNAME  wfe0.ysv.freebsd.org.
wfe0.ysv.freebsd.org.  600  IN  A  8.8.178.110
freebsd.org.  600  IN  NS  ns3.isc-sns.info.
freebsd.org.  600  IN  NS  ns2.isc-sns.com.
freebsd.org.  600  IN  NS  ns1.isc-sns.net.
```

`drill -4 @ns0.FreeBSD.org www.FreeBSD.org`

```
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 61961
;; flags: qr aa rd ; QUERY: 1, ANSWER: 2, AUTHORITY: 3, ADDITIONAL: 0
;; QUESTION SECTION:
;; www.FreeBSD.org.  IN  A

;; ANSWER SECTION:
www.FreeBSD.org.  600  IN  CNAME  wfe0.ysv.FreeBSD.org.
wfe0.ysv.FreeBSD.org.  600  IN  A  8.8.178.110

;; AUTHORITY SECTION:
FreeBSD.org.  600  IN  NS  ns1.isc-sns.net.
FreeBSD.org.  600  IN  NS  ns2.isc-sns.com.
FreeBSD.org.  600  IN  NS  ns3.isc-sns.info.

;; ADDITIONAL SECTION:

;; Query time: 192 msec
;; SERVER: 8.8.178.18
;; WHEN: Wed May  6 19:54:01 2015
;; MSG SIZE  rcvd: 160
```

`drill -6 @ns0.FreeBSD.org www.FreeBSD.org`

```
Error: could not find any address for the name: `ns0.FreeBSD.org'
```


----------
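
The two `drill www.FreeBSD.org` runs in the post above differ only in which resolver answered, and a SERVFAIL that comes only from the validating local resolver while the LAN forwarder returns answers points at the validating path rather than at connectivity. The script below makes that comparison mechanical. It is an added example, not part of any post in this thread; the sample text is the header, flags and SERVER lines from the thread's own output, and `summarize` and `diagnose` are hypothetical helper names.

```sh
#!/bin/sh
# Added example: compare saved `drill` output from two resolvers.
# Sample text: header, flags and SERVER lines copied from the thread's output.
LOCAL_OUT=';; ->>HEADER<<- opcode: QUERY, rcode: SERVFAIL, id: 45413
;; flags: qr rd ra ; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; SERVER: 127.0.0.1'
LAN_OUT=';; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 29143
;; flags: qr rd ra ; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
;; SERVER: 192.168.1.1'

# summarize <drill output>: prints "rcode answer-count ad(yes|no) server"
summarize() {
  printf '%s\n' "$1" | awk '
    /->>HEADER<<-/ {
      for (i = 1; i < NF; i++)
        if ($i == "rcode:") { rc = $(i + 1); sub(/,$/, "", rc) }
    }
    /^;; flags:/ {
      ad = "no"
      # header flags sit between "flags:" and the lone ";" separator
      for (i = 3; i <= NF && $i != ";"; i++) if ($i == "ad") ad = "yes"
      for (i = 1; i < NF; i++)
        if ($i == "ANSWER:") { an = $(i + 1); sub(/,$/, "", an) }
    }
    /^;; SERVER:/ { srv = $3 }
    END { printf "%s %d %s %s\n", (rc ? rc : "NONE"), an, (ad ? ad : "no"), (srv ? srv : "?") }'
}

# diagnose <validating resolver output> <plain forwarder output>
diagnose() {
  # after set: $1-$4 = validating resolver fields, $5-$8 = forwarder fields
  set -- $(summarize "$1") $(summarize "$2")
  if [ "$1" = SERVFAIL ] && [ "$5" = NOERROR ] && [ "$6" -gt 0 ]; then
    # The path to the name works; only the validating resolver refuses it.
    echo "validator-only-failure: $4 SERVFAIL, $8 gave $6 answers (ad=$7)"
  elif [ "$1" = "$5" ]; then
    echo "same-result: both resolvers return $1"
  else
    echo "inconclusive: $4=$1 $8=$5"
  fi
}

diagnose "$LOCAL_OUT" "$LAN_OUT"
```

To use it on a live system, save the output of `drill www.FreeBSD.org` once per resolver and pass the two saved texts to `diagnose`. The `ad` field only reports whether the reply carried the AD flag; its absence does not by itself show what the forwarder supports.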



## junovitch@ (May 10, 2015)

That is pretty strange. It seems like there is an issue with that initial recursive query to get the address of ns0.FreeBSD.org on some of the queries. However, the fact that `drill -T www.FreeBSD.org` works seems to discount that as being a cause.

I'm curious if normal queries with just a forwarder will work normally. Can you try something like this in /etc/rc.conf and see what happens?

```
local_unbound_forwarders="8.8.8.8"
```


----------

