Need help and techniques to debug DNS failure on Facebook and Instagram using Pihole with Unbound

I guess I got myself confused or things have changed. I thought I could resolve www.facebook.com ... so I thought I could resolve some Facebook subdomains but not all. But now today (with the 1.9 unbound) I can't resolve any.

I have my gateway, my 4G LTE modem, and then the AT&T network between me and reality. I'll check the first two again for some type of filtering.

It's interesting (from your previous post) that I can add special cases for particular domains.

The other question is if doing encrypted queries would help. Any idea if it would?

Thank you again for your help. It's been very educational for me.

No, I don't think so.
Something is really wrong upstream somewhere, and encrypting won't fix that.
You can't encrypt if you can't even connect.

EDIT: Oh, sorry, you can't establish a DNSSEC connection with the servers unbound uses recursively; they don't have encryption.

EDIT2: One encrypted solution is to run everything through a public VPN.
That way the IP can't be blocked.

This somewhat implies that it is outside of my house:

% traceroute 185.89.218.12
traceroute to 185.89.218.12 (185.89.218.12), 64 hops max, 52 byte packets
 1  gateway (192.168.1.1)  12.378 ms  3.499 ms  3.426 ms
 2  192.168.10.1 (192.168.10.1)  4.177 ms  4.033 ms  3.660 ms
 3  * * *
 4  * * *

#2 is the AT&T 4G LTE modem.

Don't mind the last hops not showing:

pi@ph5b:~ $ traceroute -n 185.89.218.12
traceroute to 185.89.218.12 (185.89.218.12), 30 hops max, 60 byte packets
 1  10.0.0.1  0.713 ms  0.704 ms  0.817 ms
 2  192.168.1.1  1.096 ms  0.901 ms  0.905 ms
 3  62.58.240.1  7.562 ms  7.320 ms  7.845 ms
 4  212.53.25.201  10.555 ms  11.000 ms  26.897 ms
 5  212.53.25.193  10.782 ms  10.578 ms  10.714 ms
 6  212.151.190.0  11.419 ms  11.210 ms  11.102 ms
 7  130.244.82.55  8.042 ms  8.037 ms  8.983 ms
 8  130.244.200.46  10.774 ms  11.048 ms  10.959 ms
 9  195.219.194.78  218.731 ms 195.219.156.61  204.850 ms 195.219.194.146  203.320 ms
10  195.219.156.133  211.872 ms 195.219.156.151  214.576 ms 80.231.217.5  206.166 ms
11  195.219.87.209  202.499 ms 195.219.87.169  213.530 ms 180.87.12.2  205.479 ms
12  180.87.12.226  216.651 ms 80.231.217.1  199.245 ms  199.079 ms
13  116.0.93.168  202.783 ms 80.231.217.91  203.732 ms 116.0.93.152  197.990 ms
14  180.87.12.2  202.581 ms 116.0.93.147  206.972 ms 180.87.12.2  202.714 ms
15  180.87.12.226  215.920 ms * 116.0.82.62  211.895 ms
16  116.0.82.62  198.831 ms  203.942 ms 116.0.93.147  200.938 ms
17  * * *
18  * * *
19  * * *
20  * * *
21  * * *
22  * * *
23  * * *
24  * * *
25  * * *
26  * * *
27  * * *
28  * * *
29  * * *
30  * * *

(Unrelated to the issue, just to clarify:
DNSSEC is not about encrypting DNS traffic - it is about digitally signing DNS records so you can be sure they are authentic and haven't been manipulated.

It is correct that the root servers don't do encryption, but they (as well as the majority of TLD domain servers) do support DNSSEC (the root zone has been completely signed since 2010).

Since the root servers do not support encryption, that also means you cannot run unbound (nor any other DNS server) as a fully recursive resolver and encrypt DNS traffic at the same time.)

Yeah I was confusing DNSSEC with DoT and DoH.
The DNSSEC validation is clearly seen in the logs:

[1622048098] unbound[883:0] info: iterator operate: query com. DNSKEY IN
[1622048098] unbound[883:0] info: response for com. DNSKEY IN
[1622048098] unbound[883:0] info: reply from <com.> 192.52.178.30#53
[1622048098] unbound[883:0] info: query response was ANSWER
[1622048098] unbound[883:0] info: finishing processing for com. DNSKEY IN
[1622048098] unbound[883:0] debug: validator[module 1] operate: extstate:module_wait_module event:module_event_moddone
[1622048098] unbound[883:0] info: validator operate: query com. DNSKEY IN
[1622048098] unbound[883:0] debug: subnet[module 0] operate: extstate:module_wait_module event:module_event_moddone
[1622048098] unbound[883:0] info: subnet operate: query com. DNSKEY IN
[1622048098] unbound[883:0] info: validated DNSKEY com. DNSKEY IN

Thanks for the correction!

Last week my kids were complaining that some sites including Instagram weren't connecting. After some investigation it transpired that it was down to the Adlists that were pulled in overnight. Trimming the Adlists to the default 4 brought them all back. Bonus was that it brought down the memory usage of the Pi as well.

YMMV.

Cheers

I sent an email to the support of my 4G provider. If they say anything interesting, I'll report back.

I created a little bash script to analyse those debug logs and generate a list of dig queries that unbound performs.
Next time we can compare the outcome of those queries between a good and a bad setup.
I know it's not perfect, but it does the job:

pi@ph5b:~ $ nano unbound_check.sh
#!/bin/bash
# Turn unbound debug output (verbosity 4 or higher) into one non-recursive
# dig command per upstream send, so the same queries can be replayed by hand.
# Usage: ./unbound_check.sh unbound.log
QUERY=""
TARGET=""
while IFS= read -r LINE; do
   if [[ "$LINE" =~ "sending query" ]]; then
      # e.g. "... info: sending query: c10r.facebook.com. A IN"
      QUERY=$(sed 's/^.*sending query: //' <<< "$LINE")
   fi
   if [[ "$LINE" =~ "sending to target" ]]; then
      # e.g. "... debug: sending to target: <facebook.com.> 129.134.30.12#53"
      TARGET=$(sed 's/^.*sending to target.*> //; s/#.*$//' <<< "$LINE")
   fi
   # Emit once we have both halves of a send, then reset for the next one.
   if [[ -n "$QUERY" && -n "$TARGET" ]]; then
      echo "dig +norecurse @$TARGET $QUERY"
      QUERY=""
      TARGET=""
   fi
done < "$1"
pi@ph5b:~ $ chmod +x unbound_check.sh
pi@ph5b:~ $

Below are my good logs:

pi@ph5b:~ $ ./unbound_check.sh unbound.good.log | column -t
dig  +norecurse  @192.203.230.10   .                                   NS      IN
dig  +norecurse  @199.9.14.201     com.                                A       IN
dig  +norecurse  @192.54.112.30    instagram.com.                      A       IN
dig  +norecurse  @205.251.193.128  www.instagram.com.                  A       IN
dig  +norecurse  @192.112.36.4     org.                                A       IN
dig  +norecurse  @192.36.148.17    uk.                                 A       IN
dig  +norecurse  @202.12.27.33     net.                                A       IN
dig  +norecurse  @199.19.53.1      awsdns-40.org.                      A       IN
dig  +norecurse  @192.35.51.30     facebook.com.                       A       IN
dig  +norecurse  @192.54.112.30    awsdns-44.net.                      A       IN
dig  +norecurse  @205.251.196.43   ns-1349.awsdns-40.org.              A       IN
dig  +norecurse  @129.134.31.12    c10r.facebook.com.                  A       IN
dig  +norecurse  @205.251.195.46   ns-868.awsdns-44.net.               A       IN
dig  +norecurse  @129.134.30.11    z-p42-instagram.c10r.facebook.com.  A       IN
dig  +norecurse  @43.230.48.1      co.uk.                              A       IN
dig  +norecurse  @156.154.102.3    awsdns-60.co.uk.                    A       IN
dig  +norecurse  @192.36.148.17    .                                   DNSKEY  IN
dig  +norecurse  @192.33.4.12      _ta-4f66.                           A       IN
dig  +norecurse  @192.52.178.30    com.                                DNSKEY  IN
dig  +norecurse  @205.251.198.1    ns-2016.awsdns-60.co.uk.            A       IN

Below are the bad logs:

pi@ph5b:~ $ ./unbound_check.sh unbound.bad.log | column -t
dig  +norecurse  @192.5.5.241      .                                   NS  IN
dig  +norecurse  @198.97.190.53    com.                                A   IN
dig  +norecurse  @192.31.80.30     instagram.com.                      A   IN
dig  +norecurse  @205.251.193.128  www.instagram.com.                  A   IN
dig  +norecurse  @192.5.5.241      org.                                A   IN
dig  +norecurse  @192.5.5.241      uk.                                 A   IN
dig  +norecurse  @192.112.36.4     net.                                A   IN
dig  +norecurse  @192.43.172.30    facebook.com.                       A   IN
dig  +norecurse  @199.19.56.1      awsdns-40.org.                      A   IN
dig  +norecurse  @192.12.94.30     awsdns-44.net.                      A   IN
dig  +norecurse  @185.89.218.12    c10r.facebook.com.                  A   IN
dig  +norecurse  @205.251.199.172  ns-868.awsdns-44.net.               A   IN
dig  +norecurse  @205.251.194.234  ns-1349.awsdns-40.org.              A   IN
dig  +norecurse  @156.154.103.3    co.uk.                              A   IN
dig  +norecurse  @156.154.103.3    awsdns-60.co.uk.                    A   IN
dig  +norecurse  @205.251.198.1    ns-2016.awsdns-60.co.uk.            A   IN
dig  +norecurse  @129.134.30.12    c10r.facebook.com.                  A   IN
dig  +norecurse  @129.134.30.12    c10r.facebook.com.                  A   IN
dig  +norecurse  @185.89.218.12    z-p42-instagram.c10r.facebook.com.  A   IN
dig  +norecurse  @129.134.31.12    z-p42-instagram.c10r.facebook.com.  A   IN
dig  +norecurse  @129.134.31.12    z-p42-instagram.c10r.facebook.com.  A   IN
dig  +norecurse  @185.89.219.12    c10r.facebook.com.                  A   IN
dig  +norecurse  @185.89.219.12    c10r.facebook.com.                  A   IN
dig  +norecurse  @185.89.219.12    z-p42-instagram.c10r.facebook.com.  A   IN
dig  +norecurse  @185.89.218.12    c10r.facebook.com.                  A   IN
dig  +norecurse  @185.89.218.12    z-p42-instagram.c10r.facebook.com.  A   IN
dig  +norecurse  @185.89.219.12    z-p42-instagram.c10r.facebook.com.  A   IN
dig  +norecurse  @185.89.219.12    z-p42-instagram.c10r.facebook.com.  A   IN
dig  +norecurse  @129.134.31.12    c10r.facebook.com.                  A   IN
dig  +norecurse  @129.134.31.12    z-p42-instagram.c10r.facebook.com.  A   IN
dig  +norecurse  @129.134.31.12    z-p42-instagram.c10r.facebook.com.  A   IN
dig  +norecurse  @129.134.30.12    c10r.facebook.com.                  A   IN
dig  +norecurse  @129.134.30.12    c10r.facebook.com.                  A   IN
dig  +norecurse  @185.89.219.12    z-p42-instagram.c10r.facebook.com.  A   IN
dig  +norecurse  @129.134.30.12    z-p42-instagram.c10r.facebook.com.  A   IN
dig  +norecurse  @185.89.219.12    z-p42-instagram.c10r.facebook.com.  A   IN
dig  +norecurse  @185.89.218.12    z-p42-instagram.c10r.facebook.com.  A   IN
dig  +norecurse  @185.89.218.12    z-p42-instagram.c10r.facebook.com.  A   IN
dig  +norecurse  @185.89.218.12    z-p42-instagram.c10r.facebook.com.  A   IN
dig  +norecurse  @185.89.219.12    z-p42-instagram.c10r.facebook.com.  A   IN
dig  +norecurse  @185.89.218.12    z-p42-instagram.c10r.facebook.com.  A   IN
dig  +norecurse  @185.89.218.12    z-p42-instagram.c10r.facebook.com.  A   IN
dig  +norecurse  @185.89.218.12    z-p42-instagram.c10r.facebook.com.  A   IN
dig  +norecurse  @129.134.30.12    z-p42-instagram.c10r.facebook.com.  A   IN
dig  +norecurse  @129.134.30.12    z-p42-instagram.c10r.facebook.com.  A   IN
dig  +norecurse  @129.134.30.12    z-p42-instagram.c10r.facebook.com.  A   IN

EDIT: added good/bad

One more ;)
I noticed the event below indicates no answer/reply:

pi@ph5b:~ $ grep -B3 module_event_noreply unbound.bad.log
[..]
[1621993999] unbound[4963:0] info: sending query: c10r.facebook.com. A IN
[1621993999] unbound[4963:0] debug: sending to target: <facebook.com.> 129.134.30.12#53
[1621993999] unbound[4963:0] debug: cache memory msg=34898 rrset=60588 infra=7225 val=35039 subnet=41372
[1621994000] unbound[4963:0] debug: iterator[module 2] operate: extstate:module_wait_reply event:module_event_noreply
--
[1621994000] unbound[4963:0] info: sending query: c10r.facebook.com. A IN
[1621994000] unbound[4963:0] debug: sending to target: <facebook.com.> 129.134.30.12#53
[1621994000] unbound[4963:0] debug: cache memory msg=34898 rrset=60588 infra=7225 val=35039 subnet=41372
[1621994002] unbound[4963:0] debug: iterator[module 2] operate: extstate:module_wait_reply event:module_event_noreply
--
[1621994002] unbound[4963:0] info: sending query: z-p42-instagram.c10r.facebook.com. A IN
[1621994002] unbound[4963:0] debug: sending to target: <facebook.com.> 185.89.218.12#53
[1621994002] unbound[4963:0] debug: cache memory msg=34898 rrset=60588 infra=7225 val=35039 subnet=41372
[1621994003] unbound[4963:0] debug: iterator[module 2] operate: extstate:module_wait_reply event:module_event_noreply
--
[1621994003] unbound[4963:0] info: sending query: z-p42-instagram.c10r.facebook.com. A IN
[1621994003] unbound[4963:0] debug: sending to target: <facebook.com.> 129.134.31.12#53
[1621994003] unbound[4963:0] debug: cache memory msg=34898 rrset=60588 infra=7467 val=35039 subnet=41372
[1621994004] unbound[4963:0] debug: iterator[module 2] operate: extstate:module_wait_reply event:module_event_noreply
[..]
pi@ph5b:~ $ grep -B3 module_event_noreply unbound.good.log
pi@ph5b:~ $
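
The two posts above do the pairing by hand: the bash script turns each "sending query" / "sending to target" pair into a dig command, and `grep -B3 module_event_noreply` shows which of those sends timed out. The following is an added example (not code from either poster, and not part of unbound) that does both in one pass and tallies, per upstream IP, how many sends got a reply and how many got none, so a nameserver that never answers stands out. The sample log is constructed: the first sixteen lines are copied from the grep output quoted above, and the last three lines (a `com. DNSKEY` send to 192.52.178.30 followed by a `module_event_reply` event) are assumed to be what the answered case looks like at the same verbosity. Pairing is positional per unbound thread, the same heuristic as `grep -B3`, so it is reliable when one client query is being traced at a time and approximate on a busy resolver.

```python
"""Pair unbound debug-log sends with the iterator event that follows and
tally outcomes per upstream target.

Added example for this thread; not code from the original post or from
unbound. SAMPLE_LOG mixes lines quoted in the thread with constructed ones
(see the comment on the last three lines).
"""
import re
from collections import defaultdict

# Common prefix of every unbound log line: "[epoch] unbound[pid:tid] level: "
LOG_PREFIX = r"^\[(?P<ts>\d+)\] unbound\[(?P<pid>\d+):(?P<tid>\d+)\] (?P<level>\w+): "
QUERY_RE = re.compile(LOG_PREFIX + r"sending query: (?P<qname>\S+) (?P<qtype>\S+) (?P<qclass>\S+)$")
TARGET_RE = re.compile(LOG_PREFIX + r"sending to target: <(?P<zone>[^>]+)> (?P<ip>[^#\s]+)#(?P<port>\d+)")
EVENT_RE = re.compile(LOG_PREFIX + r"iterator\[module \d+\] operate: extstate:module_wait_reply "
                      r"event:(?P<event>module_event_\w+)")


def parse_attempts(lines):
    """Yield (qname, qtype, target_ip, outcome) for each upstream send.

    outcome is 'noreply', 'reply', or 'unknown' when the next 'sending query'
    on the same thread arrived before any iterator event did.
    """
    pending = {}  # thread id -> [qname, qtype, target_ip or None]
    for line in lines:
        m = QUERY_RE.match(line)
        if m:
            tid = m["tid"]
            if tid in pending and pending[tid][2] is not None:
                q = pending[tid]
                yield (q[0], q[1], q[2], "unknown")
            pending[tid] = [m["qname"], m["qtype"], None]
            continue
        m = TARGET_RE.match(line)
        if m and m["tid"] in pending:
            pending[m["tid"]][2] = m["ip"]
            continue
        m = EVENT_RE.match(line)
        if m and m["tid"] in pending and pending[m["tid"]][2] is not None:
            q = pending.pop(m["tid"])
            outcome = "noreply" if m["event"] == "module_event_noreply" else "reply"
            yield (q[0], q[1], q[2], outcome)
    for q in pending.values():
        if q[2] is not None:
            yield (q[0], q[1], q[2], "unknown")


def dig_commands(attempts):
    """Same output as the bash script above: one non-recursive dig per send."""
    return [f"dig +norecurse @{ip} {qname} {qtype} IN" for qname, qtype, ip, _ in attempts]


def target_stats(attempts):
    """Per-target counts of reply/noreply/unknown plus the names asked for."""
    stats = defaultdict(lambda: {"reply": 0, "noreply": 0, "unknown": 0, "names": set()})
    for qname, _qtype, ip, outcome in attempts:
        stats[ip][outcome] += 1
        stats[ip]["names"].add(qname)
    return dict(stats)


def unreachable_targets(stats, min_attempts=2):
    """Targets that never answered across at least min_attempts sends."""
    return sorted(ip for ip, s in stats.items()
                  if s["reply"] == 0 and s["noreply"] >= min_attempts)


def analyse(text):
    attempts = list(parse_attempts(text.splitlines()))
    return attempts, target_stats(attempts)


# Lines 1-16 are quoted from the grep -B3 output in the thread; the last
# three lines are constructed to show an answered send (assumed format).
SAMPLE_LOG = """\
[1621993999] unbound[4963:0] info: sending query: c10r.facebook.com. A IN
[1621993999] unbound[4963:0] debug: sending to target: <facebook.com.> 129.134.30.12#53
[1621993999] unbound[4963:0] debug: cache memory msg=34898 rrset=60588 infra=7225 val=35039 subnet=41372
[1621994000] unbound[4963:0] debug: iterator[module 2] operate: extstate:module_wait_reply event:module_event_noreply
[1621994000] unbound[4963:0] info: sending query: c10r.facebook.com. A IN
[1621994000] unbound[4963:0] debug: sending to target: <facebook.com.> 129.134.30.12#53
[1621994000] unbound[4963:0] debug: cache memory msg=34898 rrset=60588 infra=7225 val=35039 subnet=41372
[1621994002] unbound[4963:0] debug: iterator[module 2] operate: extstate:module_wait_reply event:module_event_noreply
[1621994002] unbound[4963:0] info: sending query: z-p42-instagram.c10r.facebook.com. A IN
[1621994002] unbound[4963:0] debug: sending to target: <facebook.com.> 185.89.218.12#53
[1621994002] unbound[4963:0] debug: cache memory msg=34898 rrset=60588 infra=7225 val=35039 subnet=41372
[1621994003] unbound[4963:0] debug: iterator[module 2] operate: extstate:module_wait_reply event:module_event_noreply
[1621994003] unbound[4963:0] info: sending query: z-p42-instagram.c10r.facebook.com. A IN
[1621994003] unbound[4963:0] debug: sending to target: <facebook.com.> 129.134.31.12#53
[1621994003] unbound[4963:0] debug: cache memory msg=34898 rrset=60588 infra=7467 val=35039 subnet=41372
[1621994004] unbound[4963:0] debug: iterator[module 2] operate: extstate:module_wait_reply event:module_event_noreply
[1621994004] unbound[4963:0] info: sending query: com. DNSKEY IN
[1621994004] unbound[4963:0] debug: sending to target: <com.> 192.52.178.30#53
[1621994004] unbound[4963:0] debug: iterator[module 2] operate: extstate:module_wait_reply event:module_event_reply
"""

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    attempts, stats = analyse(text)
    for cmd in dig_commands(attempts):
        print(cmd)
    for ip in unreachable_targets(stats):
        print("never answered:", ip, sorted(stats[ip]["names"]))
```

Run it as `python3 unbound_attempts.py unbound.bad.log` and diff the "never answered" list against the same run on the good log; with the sample data the only target that fails twice without ever replying is 129.134.30.12, which matches what the grep excerpt shows.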