I set up unbound on a FreeBSD 11.1 server to use 1.1.1.1@853 and 1.0.0.1@853 as forwarders yesterday. It worked fine, but sometime during the night it stopped working. Using kdig from the command line with 1.1.1.1/1.0.0.1 works fine, as does using unbound with Quad9 (9.9.9.9). Enabling debug on unbound doesn't give much information other than that there is a TCP error talking to both 1.1.1.1 and 1.0.0.1. Unfortunately, there is apparently no really good debugging info at the TCP or TLS levels for unbound. Did anything change with the 1.1.1.1 service last night (around 01:45 Eastern)?
1.1.1.1 was working, but not anymore
Can you send queries to 1.1.1.1 directly, without going through Unbound?
Yes. Using kdig from the command line works:
kdig -d @1.1.1.1 +tls-ca +tls-host=cloudflare-dns.com example.com
;; DEBUG: Querying for owner(example.com.), class(1), type(1), server(1.1.1.1), port(853), protocol(TCP)
;; DEBUG: TLS, imported 151 system certificates
;; DEBUG: TLS, received certificate hierarchy:
;; DEBUG: #1, C=US,ST=CA,L=San Francisco,O=Cloudflare, Inc.,CN=*.cloudflare-dns.com
;; DEBUG: SHA-256 PIN: yioEpqeR4WtDwE9YxNVnCEkTxIjx6EEIwFSQW+lJsbc=
;; DEBUG: #2, C=US,O=DigiCert Inc,CN=DigiCert ECC Secure Server CA
;; DEBUG: SHA-256 PIN: PZXN3lRAy+8tBKk2Ox6F7jIlnzr2Yzmwqc3JnyfXoCw=
;; DEBUG: TLS, skipping certificate PIN check
;; DEBUG: TLS, The certificate is trusted.
;; TLS session (TLS1.2)-(ECDHE-ECDSA-SECP256R1)-(AES-256-GCM)
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 4375
;; Flags: qr rd ra; QUERY: 1; ANSWER: 1; AUTHORITY: 0; ADDITIONAL: 1
;; EDNS PSEUDOSECTION:
;; Version: 0; flags: ; UDP size: 1536 B; ext-rcode: NOERROR
;; PADDING: 408 B
;; QUESTION SECTION:
;; example.com. IN A
;; ANSWER SECTION:
example.com. 2397 IN A 93.184.216.34
;; Received 468 B
;; Time 2018-04-04 17:43:39 EDT
;; From 1.1.1.1@853(TCP) in 15.7 ms
Thanks for the report! This is going to be fixed in the next upgrade that’s being rolled out.
There was an interop issue in the last upgrade with Unbound as it sends the frame size and the actual DNS message in two separate packets instead of both at once.
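As an added illustration of the framing issue described above (not code from this thread, from Unbound or from Cloudflare), here is a Python receiver that reassembles RFC 1035 / RFC 7858 length-prefixed DNS messages no matter how the peer splits them across TCP segments, beside a naive receiver that assumes one read holds a whole frame and so fails when the 2-byte length prefix arrives on its own. The sample query bytes are constructed for the example.

```python
import struct

# Constructed sample DNS query (example.com, type A); not captured from the thread.
SAMPLE_QUERY = (
    b"\x11\x17"                           # transaction ID (arbitrary)
    b"\x01\x00"                           # flags: standard query, RD set
    b"\x00\x01\x00\x00\x00\x00\x00\x00"   # QDCOUNT=1, AN/NS/AR=0
    b"\x07example\x03com\x00"             # QNAME example.com.
    b"\x00\x01\x00\x01"                   # QTYPE A, QCLASS IN
)


def encode_frame(msg):
    """Prefix a DNS message with its 2-byte big-endian length (TCP/TLS framing)."""
    return struct.pack("!H", len(msg)) + msg


class DnsStreamFramer:
    """Accumulates stream bytes and yields whole DNS messages; tolerates the
    prefix and the message arriving in separate segments (Unbound's pattern)
    as well as several frames arriving in one read."""

    def __init__(self):
        self.buf = bytearray()

    def feed(self, data):
        """Append bytes read from the socket; return complete messages, if any."""
        self.buf += data
        out = []
        while len(self.buf) >= 2:
            (length,) = struct.unpack("!H", self.buf[:2])
            if length == 0:
                raise ValueError("zero-length DNS frame")
            if len(self.buf) < 2 + length:
                break  # prefix seen, body still in flight: wait for more
            out.append(bytes(self.buf[2:2 + length]))
            del self.buf[:2 + length]
        return out


def deliver(chunks):
    """Simulate a receiver getting the given segments; return parsed messages."""
    framer, msgs = DnsStreamFramer(), []
    for chunk in chunks:
        msgs.extend(framer.feed(chunk))
    return msgs


def naive_parse(segment):
    """Receiver that assumes a single read holds the whole frame: returns None
    (and a real server would drop the connection) when only the prefix arrived."""
    if len(segment) < 2:
        return None
    (length,) = struct.unpack("!H", segment[:2])
    return None if len(segment) < 2 + length else segment[2:2 + length]
```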
Is there an ETA on when this update will be rolled out? I’ve switched to Quad9 in the interim but would like to use Cloudflare when it’s working properly.