1.1.1.1 was working, but not anymore


#1

I set up unbound on a Freebsd 11.1 server to use [email protected] and [email protected] as forwarders yesterday. it worked fine, but sometime during the night it stopped working. Using kdig from the command line with 1.1.1.1/1.0.0.1 works fine as does using unbound with Quad9 (9.9.9.9). Enabling debug on unbound doesn’t give much information other than there is a TCP error talking to both 1.1.1.1 and 1.0.0.1. Unfortunately, there is no real good debugging info at the TCP or TLS levels for unbound apparently. Did anything change with the 1.1.1.1 service last night (around 01:45 Eastern)?


#2

Can you send queries to 1.1.1.1 directly, without going through Unbound?


1.1.1.1 DNS over TLS not working
#3

Yes. Using kdig from the command line works:

kdig -d @1.1.1.1 +tls-ca +tls-host=cloudflare-dns.com example.com
;; DEBUG: Querying for owner(example.com.), class(1), type(1), server(1.1.1.1), port(853), protocol(TCP)
;; DEBUG: TLS, imported 151 system certificates
;; DEBUG: TLS, received certificate hierarchy:
;; DEBUG: #1, C=US,ST=CA,L=San Francisco,O=Cloudflare, Inc.,CN=*.cloudflare-dns.com
;; DEBUG: SHA-256 PIN: yioEpqeR4WtDwE9YxNVnCEkTxIjx6EEIwFSQW+lJsbc=
;; DEBUG: #2, C=US,O=DigiCert Inc,CN=DigiCert ECC Secure Server CA
;; DEBUG: SHA-256 PIN: PZXN3lRAy+8tBKk2Ox6F7jIlnzr2Yzmwqc3JnyfXoCw=
;; DEBUG: TLS, skipping certificate PIN check
;; DEBUG: TLS, The certificate is trusted.
;; TLS session (TLS1.2)-(ECDHE-ECDSA-SECP256R1)-(AES-256-GCM)
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 4375
;; Flags: qr rd ra; QUERY: 1; ANSWER: 1; AUTHORITY: 0; ADDITIONAL: 1

;; EDNS PSEUDOSECTION:
;; Version: 0; flags: ; UDP size: 1536 B; ext-rcode: NOERROR
;; PADDING: 408 B

;; QUESTION SECTION:
;; example.com. IN A

;; ANSWER SECTION:
example.com. 2397 IN A 93.184.216.34

;; Received 468 B
;; Time 2018-04-04 17:43:39 EDT
;; From [email protected](TCP) in 15.7 ms


#4

Thanks for the report! This is going to be fixed in the next upgrade that’s being rolled out.
There was an interop issue in the last upgrade with Unbound as it sends the frame size and the actual DNS message in two separate packets instead of both at once.


#5

Thanks for the update! Looking forward to using 1.1.1.1.


#6

Is there an ETA on when this update will be rolled out? I’ve switched to Quad9 in the interim but would like to use Cloudflare when it’s working properly.


#7

It has rolled out today, let me know if you still see any problems!


#8

Looks good from here, running pfSense 2.4.3 with Unbound.


#10

Working for me now as well. Thanks!


#11

Working, Thanks