Messages - agreenfield1

1
Do you have "harden glue" enabled on the Advanced tab of Unbound? If not, is it still replicable with that enabled?

I had experienced the same issue as Derelict, and was able to replicate it in the same way.  I did not have 'harden glue' enabled.  After doing so, I have not been able to replicate the issue! 

Should the default setting for harden-glue be enabled?  The documentation for unbound suggests yes (https://www.unbound.net/documentation/unbound.conf.html), but it was definitely not enabled by default on my system.

2
General Questions / Re: Periodic since 2.2 pages load blank, certs invalid
« on: February 09, 2015, 10:23:49 pm »
I'm really out of my league trying to diagnose this, but here is the output of 'unbound-control -c /var/unbound/unbound.conf lookup slashdot.org', when the issue is occurring with DNSSEC enabled:

Code:
unbound-control -c /var/unbound/unbound.conf lookup slashdot.org
The following name servers are used for lookup of slashdot.org.
;rrset 85785 4 0 7 0
org. 172185 IN NS ns1.csof.net.
org. 172185 IN NS ns2.csof.net.
org. 172185 IN NS ns3.csof.net.
org. 172185 IN NS ns4.csof.net.
;rrset 83879 2 1 11 4
org. 83879 IN DS 21366 7 1 E6C1716CFB6BDC84E84CE1AB5510DAC69173B5B2
org. 83879 IN DS 21366 7 2 96EEB2FFD9B00CD4694E78278B5EFDAB0A80446567B69F634DA078F0D90F01BA
org. 83879 IN RRSIG DS 8 1 86400 20150219170000 20150209160000 16665 . RxYpI0BzYpGTE/PjRQdR4SZaxlvXCja3SJyx10JagTfz20gnltl4ar94GOwp8bA/ktY/7JxMoJvzCTAtcsGaTGRv04yDHr7WaydMxZuPCP9YT9Ixc+fX9IAZlSfwLCkBQgiC0mVeRiq+LmbIJhI2grJbTtvy96O9mipAqkFR42g= ;{id = 16665}
;rrset 1185 1 0 3 0
ns4.csof.net. 1185 IN A 54.72.8.183
;rrset 197 1 0 8 0
ns3.csof.net. 197 IN A 195.22.26.199
;rrset 1185 1 0 8 0
ns2.csof.net. 1185 IN A 212.6.183.201
;rrset 1185 1 0 8 0
ns1.csof.net. 1185 IN A 54.77.72.254
Delegation with 4 names, of which 4 can be examined to query further addresses.
It provides 4 IP addresses.
54.77.72.254    NoDNSSEC rto 344 msec, ttl 286, ping 84 var 65 rtt 344, tA 0, tAAAA 0, tother 0, EDNS 0 probed.
212.6.183.201    NoDNSSEC rto 365 msec, ttl 286, ping 69 var 74 rtt 365, tA 0, tAAAA 0, tother 0, EDNS 0 probed.
195.22.26.199    rto 96256 msec, ttl 286, ping 0 var 94 rtt 376, tA 3, tAAAA 3, tother 3, EDNS 0 assumed.
54.72.8.183      NoDNSSEC rto 315 msec, ttl 286, ping 99 var 54 rtt 315, tA 0, tAAAA 0, tother 0, EDNS 0 probed.

And then after restarting unbound:

Code:
unbound-control -c /var/unbound/unbound.conf lookup slashdot.org
The following name servers are used for lookup of slashdot.org.
;rrset 86374 6 0 2 0
org. 86374 IN NS a0.org.afilias-nst.info.
org. 86374 IN NS a2.org.afilias-nst.info.
org. 86374 IN NS b0.org.afilias-nst.org.
org. 86374 IN NS b2.org.afilias-nst.org.
org. 86374 IN NS c0.org.afilias-nst.info.
org. 86374 IN NS d0.org.afilias-nst.org.
;rrset 86374 2 1 2 0
org. 86374 IN DS 21366 7 1 E6C1716CFB6BDC84E84CE1AB5510DAC69173B5B2
org. 86374 IN DS 21366 7 2 96EEB2FFD9B00CD4694E78278B5EFDAB0A80446567B69F634DA078F0D90F01BA
org. 86374 IN RRSIG DS 8 1 86400 20150219170000 20150209160000 16665 . RxYpI0BzYpGTE/PjRQdR4SZaxlvXCja3SJyx10JagTfz20gnltl4ar94GOwp8bA/ktY/7JxMoJvzCTAtcsGaTGRv04yDHr7WaydMxZuPCP9YT9Ixc+fX9IAZlSfwLCkBQgiC0mVeRiq+LmbIJhI2grJbTtvy96O9mipAqkFR42g= ;{id = 16665}
;rrset 86374 1 0 1 0
d0.org.afilias-nst.org. 172774 IN A 199.19.57.1
;rrset 86374 1 0 1 0
d0.org.afilias-nst.org. 172774 IN AAAA 2001:500:f::1
;rrset 86374 1 0 1 0
c0.org.afilias-nst.info. 172774 IN A 199.19.53.1
;rrset 86374 1 0 1 0
c0.org.afilias-nst.info. 172774 IN AAAA 2001:500:b::1
;rrset 86374 1 0 1 0
b2.org.afilias-nst.org. 172774 IN A 199.249.120.1
;rrset 86374 1 0 1 0
b2.org.afilias-nst.org. 172774 IN AAAA 2001:500:48::1
;rrset 86374 1 0 1 0
b0.org.afilias-nst.org. 172774 IN A 199.19.54.1
;rrset 86374 1 0 1 0
b0.org.afilias-nst.org. 172774 IN AAAA 2001:500:c::1
;rrset 86374 1 0 1 0
a2.org.afilias-nst.info. 172774 IN A 199.249.112.1
;rrset 86374 1 0 1 0
a2.org.afilias-nst.info. 172774 IN AAAA 2001:500:40::1
;rrset 86374 1 0 1 0
a0.org.afilias-nst.info. 172774 IN A 199.19.56.1
;rrset 86374 1 0 1 0
a0.org.afilias-nst.info. 172774 IN AAAA 2001:500:e::1
Delegation with 6 names, of which 0 can be examined to query further addresses.
It provides 12 IP addresses.
2001:500:e::1    not in infra cache.
199.19.56.1      not in infra cache.
2001:500:40::1  not in infra cache.
199.249.112.1    not in infra cache.
2001:500:c::1    not in infra cache.
199.19.54.1      not in infra cache.
2001:500:48::1  not in infra cache.
199.249.120.1    rto 356 msec, ttl 874, ping 8 var 87 rtt 356, tA 0, tAAAA 0, tother 0, EDNS 0 probed.
2001:500:b::1    not in infra cache.
199.19.53.1      rto 482 msec, ttl 874, ping 22 var 115 rtt 482, tA 0, tAAAA 0, tother 0, EDNS 0 probed.
2001:500:f::1    not in infra cache.
199.19.57.1      not in infra cache.
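The two captures above show the same question answered two ways: the first has org. delegated to ns1-ns4.csof.net with their addresses already in cache, the second has the Afilias servers. The script below is an added example (not from this forum post and not part of Unbound or pfSense) that parses `unbound-control lookup` output as printed above, reports which name-server addresses were learned out of bailiwick (exactly the glue that Unbound's harden-glue option declines to trust), and compares the NS set with an operator-supplied expected set. It also reads the effective harden-glue value out of an unbound.conf body, which is the check the earlier post is asking about. The expected NS set and the sample config fragments are constructed assumptions taken from the post-restart capture, not an authoritative list.

```python
"""Audit the delegation printed by `unbound-control lookup <name>`.

Added example, not code from the forum post, Unbound or pfSense.
"""
import re

# Copied from the two captures in the post above, trimmed to the NS and
# address records (DS/RRSIG and infra-cache lines omitted).
POISONED = """\
The following name servers are used for lookup of slashdot.org.
;rrset 85785 4 0 7 0
org. 172185 IN NS ns1.csof.net.
org. 172185 IN NS ns2.csof.net.
org. 172185 IN NS ns3.csof.net.
org. 172185 IN NS ns4.csof.net.
;rrset 1185 1 0 3 0
ns4.csof.net. 1185 IN A 54.72.8.183
;rrset 197 1 0 8 0
ns3.csof.net. 197 IN A 195.22.26.199
;rrset 1185 1 0 8 0
ns2.csof.net. 1185 IN A 212.6.183.201
;rrset 1185 1 0 8 0
ns1.csof.net. 1185 IN A 54.77.72.254
"""

CLEAN = """\
The following name servers are used for lookup of slashdot.org.
;rrset 86374 6 0 2 0
org. 86374 IN NS a0.org.afilias-nst.info.
org. 86374 IN NS b0.org.afilias-nst.org.
org. 86374 IN NS d0.org.afilias-nst.org.
;rrset 86374 1 0 1 0
d0.org.afilias-nst.org. 172774 IN A 199.19.57.1
;rrset 86374 1 0 1 0
b0.org.afilias-nst.org. 172774 IN A 199.19.54.1
;rrset 86374 1 0 1 0
a0.org.afilias-nst.info. 172774 IN A 199.19.56.1
"""

# Constructed allowlist (assumption): the .org NS names from the post-restart
# capture. In production, derive this from the root zone, not from a cache.
EXPECTED_ORG_NS = {
    "a0.org.afilias-nst.info.", "a2.org.afilias-nst.info.",
    "b0.org.afilias-nst.org.", "b2.org.afilias-nst.org.",
    "c0.org.afilias-nst.info.", "d0.org.afilias-nst.org.",
}

# Matches "owner ttl IN TYPE rdata" for the record types we care about.
RR_LINE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(NS|A|AAAA)\s+(\S+)$")


def parse_lookup(text):
    """Return (zone, ns_names, addresses) from lookup output.

    addresses maps each NS name to the A/AAAA records the cache holds for
    it; an NS name with no cached address maps to an empty list.
    """
    zone, ns_names, addresses = None, [], {}
    for line in text.splitlines():
        m = RR_LINE.match(line.strip())
        if not m:
            continue  # ';rrset' headers, banner text, DS/RRSIG lines
        owner, _ttl, rtype, rdata = m.groups()
        if rtype == "NS":
            zone = owner
            ns_names.append(rdata)
            addresses.setdefault(rdata, [])
        else:
            addresses.setdefault(owner, []).append(rdata)
    return zone, ns_names, addresses


def in_bailiwick(name, zone):
    """True when `name` is at or below `zone` (absolute names, trailing dot)."""
    return name == zone or name.endswith("." + zone)


def audit_delegation(text, expected_ns):
    """Classify one delegation; the verdict is driven by the NS allowlist."""
    zone, ns_names, addresses = parse_lookup(text)
    # NS names outside the zone whose addresses are nonetheless cached:
    # with harden-glue these addresses would have to be resolved separately.
    glue = sorted(n for n in ns_names
                  if not in_bailiwick(n, zone) and addresses.get(n))
    unexpected = sorted(set(ns_names) - expected_ns)
    return {
        "zone": zone,
        "ns_count": len(ns_names),
        "out_of_bailiwick_glue": glue,
        "unexpected_ns": unexpected,
        "verdict": "SUSPECT" if unexpected else "OK",
    }


def harden_glue_setting(conf_text):
    """Effective harden-glue value in an unbound.conf body.

    Unbound documents the default as yes; when the option is written more
    than once the last occurrence is assumed to win.
    """
    value = "yes"
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"harden-glue:\s*(yes|no)\b", line)
        if m:
            value = m.group(1)
    return value


if __name__ == "__main__":
    for label, capture in (("poisoned", POISONED), ("after restart", CLEAN)):
        print(label, audit_delegation(capture, EXPECTED_ORG_NS))
    # Constructed config fragment, the shape pfSense writes for Unbound.
    print("harden-glue:", harden_glue_setting("server:\n  harden-glue: no\n"))
```

The poisoned capture comes back SUSPECT with all four csof.net names flagged as out-of-bailiwick glue; the post-restart capture comes back OK, and its one out-of-bailiwick entry (a0.org.afilias-nst.info.) shows that out-of-bailiwick NS names are normal on their own, which is why the verdict keys off the allowlist and the glue list is reported only as context. For a running resolver the same setting can be read with `unbound-control get_option harden-glue`.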

3
General Questions / Re: Periodic since 2.2 pages load blank, certs invalid
« on: February 09, 2015, 08:11:01 pm »
Yup.

Unbound starts returning SERVFAIL for random domains after querying at least one or both of those hostnames.  I'm doing it one more time at unbound log level 5.
This sounds like the manifestation of the issue with DNSSEC enabled.  At some point, you may want to try it again with DNSSEC disabled; you should then see all domains being resolved to a hostile IP, bad certs for https, etc., as reported at the beginning of this thread.  Not sure if this would help with the diagnostics.

4
Sounds like you might be having this problem: https://forum.pfsense.org/index.php?topic=87491.0.  At least, the white webpage is consistent with the problem discussed in that thread.

5
General Questions / Re: Periodic since 2.2 pages load blank, certs invalid
« on: February 05, 2015, 07:42:58 pm »
Same thing happened to me this morning: https certs signed by lolcat, all DNS inquiries not handled by pfsense directly give 195.22.26.248, and using the Google DNS and Level 3 DNS servers.  I was able to resolve the issue for the time being by checking the 'Allow DNS server list to be overridden by DHCP/PPP on WAN' box, which presumably switched pfsense from using the compromised/poisoned DNS server to my ISP's DNS server.

I originally thought this issue was unrelated to pfsense, and posted the issue here: https://forum.pfsense.org/index.php?topic=88238.0.  But after seeing this thread, it seems like pfsense 2.2 / DNS Resolver / Unbound may be a factor?

Configuration: pfSense 2.2, DNS Resolver, Google DNS and Level3 as primary and secondary DNS servers respectively.

6
General Discussion / Help with possible security issue
« on: February 05, 2015, 06:03:23 pm »
I had some network problems this morning, and would like to find out what happened.  I'm not sure if I have a compromised computer, or if the problem was elsewhere.  Observations:

 - This morning, most websites weren't loading on my iPad or computer
 - https sites wouldn't load, and Google Chrome showed certificate errors: they were signed by 'lolcat'
 - Did a tracert and ping to a random site.  It resolved to 195.22.26.248 (not the 'correct' IP), which a google search suggests is a sinkhole (not clear on what this means)
 - For the tracert, the hostname for every step (except my router) was rdns.gigabell.es
 - Logged in to pfsense to check DNS settings.  I had them set to 8.8.8.8 and 4.2.2.3 (Google DNS and Level3)
 - I checked the box to 'Allow DNS server list to be overridden by DHCP/PPP on WAN', and everything instantly started to work correctly.

If the Google DNS or Level3 DNS servers were down/hacked I would have expected a news story or something, so I'm concerned I may have a compromised system in my network.  Any thoughts on what may have happened?  FYI, this occurred at home where I have pfsense serving as the router in a VM.
