
#1 2016-05-17 10:36:34

rbaj
Member
Registered: 2016-01-27
Posts: 36

[SOLVED] VPN cannot connect to .co.uk TLDs

Hi,

I'm using Unbound as a local DNS server on my laptop. When I'm connected to a VPN all DNS requests get passed to the VPN nameserver at 10.4.0.1. It works great in general but there are occasional periods where I can't resolve .co.uk addresses while connected to the VPN. All other TLDs appear to work fine. https://airvpn.org/routes/?q=google.co.uk indicates that e.g. google.co.uk can be reached from the VPN servers.

Without a VPN, the DNS requests on port 53 while pinging google.co.uk look like:

# tcpdump port 53
11:05:52.969181 IP avocet.33874 > c.root-servers.net.domain: 22368% [1au] A? google.co.uk. (41)
11:05:52.969404 IP avocet.62722 > b.root-servers.net.domain: 50108% [1au] AAAA? google.co.uk. (41)
11:05:52.969845 IP avocet.21570 > c.in-addr-servers.arpa.domain: 46529% [1au] PTR? 12.4.33.192.in-addr.arpa. (53)
11:05:53.017430 IP c.root-servers.net.domain > avocet.33874: 22368- 0/10/14 (668)
11:05:53.017788 IP avocet.31744 > dns1.nic.uk.domain: 61688% [1au] A? google.co.uk. (41)
11:05:53.018081 IP avocet.22213 > nsb.nic.uk.domain: 43892% [1au] AAAA? nsc.nic.uk. (39)
11:05:53.018317 IP avocet.46781 > nsb.nic.uk.domain: 32300% [1au] AAAA? nsd.nic.uk. (39)
11:05:54.361922 IP avocet.58438 > x.arin.net.domain: 31083% [1au] PTR? 201.79.228.192.in-addr.arpa. (56)
11:05:55.025626 IP avocet.48761 > anysec.apnic.net.domain: 27375% [1au] PTR? 10.169.216.196.in-addr.arpa. (56)
11:05:56.060688 IP avocet.12857 > d.in-addr-servers.arpa.domain: 39258% [1au] PTR? 1.216.248.213.in-addr.arpa. (55)
11:05:56.237980 IP avocet.34921 > 61.240.144.10.domain: 22513% [1au] AAAA? dns4.iidns.com. (43)
11:05:56.749877 IP avocet.45883 > d.in-addr-servers.arpa.domain: 18636% [1au] PTR? 3.101.154.156.in-addr.arpa. (55)
11:05:57.460351 IP avocet.46681 > a.in-addr-servers.arpa.domain: 54644% [1au] PTR? 63.0.71.199.in-addr.arpa. (53)
11:05:57.489862 IP pdns196.ultradns.co.uk.domain > avocet.31010: 9767*- 1/10/1 A 204.74.108.1 (366)
...

With the VPN the DNS requests look like:

# tcpdump port 53
(ping google.com - works)
11:08:11.246036 IP avocet.25351 > 10.4.0.1.domain: 54418+% [1au] A? google.com. (39)
11:08:11.246131 IP avocet.25181 > 10.4.0.1.domain: 27593+% [1au] AAAA? google.com. (39)
11:08:11.246717 IP avocet.23373 > 10.4.0.1.domain: 51986+% [1au] PTR? 1.0.4.10.in-addr.arpa. (50)
11:08:11.294432 IP 10.4.0.1.domain > avocet.23373: 51986 NXDomain* 0/1/1 (100)
11:08:11.294744 IP avocet.17120 > 10.4.0.1.domain: 45227+% [1au] DNSKEY? . (28)
11:08:11.302583 IP 10.4.0.1.domain > avocet.25351: 54418 1/4/5 A 216.58.213.110 (191)
11:08:11.304672 IP 10.4.0.1.domain > avocet.25181: 27593 1/4/5 AAAA 2a00:1450:4009:80f::200e (203)

(ping google.co.uk - 'name or service not known')
11:08:17.382075 IP avocet.46539 > 10.4.0.1.domain: 10919+% [1au] A? google.co.uk. (41)
11:08:17.382164 IP avocet.17746 > 10.4.0.1.domain: 28151+% [1au] AAAA? google.co.uk. (41)
11:08:17.446427 IP avocet.11027 > 10.4.0.1.domain: 41297+% [1au] A? google.co.uk. (41)
11:08:17.446605 IP avocet.58762 > 10.4.0.1.domain: 54528+% [1au] AAAA? google.co.uk. (41)
11:08:17.449834 IP 10.4.0.1.domain > avocet.46539: 10919 1/4/5 A 216.58.213.99 (203)
11:08:17.450418 IP 10.4.0.1.domain > avocet.17746: 28151 1/4/5 AAAA 2a00:1450:4009:80f::2003 (215)
11:08:17.491442 IP 10.4.0.1.domain > avocet.11027: 41297 1/4/5 A 216.58.213.99 (203)
11:08:17.491793 IP avocet.61768 > 10.4.0.1.domain: 25310+% [1au] DS? uk. (31)
11:08:17.493847 IP 10.4.0.1.domain > avocet.58762: 54528 1/4/5 AAAA 2a00:1450:4009:80f::2003 (215)
11:08:17.536329 IP 10.4.0.1.domain > avocet.61768: 25310 2/0/1 DS, RRSIG (238)
11:08:17.536900 IP avocet.24985 > 10.4.0.1.domain: 6401+% [1au] DNSKEY? uk. (31)
11:08:17.584671 IP 10.4.0.1.domain > avocet.24985: 6401 3/0/1 DNSKEY, DNSKEY, RRSIG (745)
11:08:17.585278 IP avocet.24965 > 10.4.0.1.domain: 58026+% [1au] DS? co.uk. (34)
11:08:17.633617 IP 10.4.0.1.domain > avocet.24965: 58026 0/4/1 (454)
11:08:17.633858 IP avocet.52519 > 10.4.0.1.domain: 30704+% [1au] DS? co.uk. (34)
11:08:17.679713 IP 10.4.0.1.domain > avocet.52519: 30704 0/4/1 (454)
11:08:17.680020 IP avocet.56660 > 10.4.0.1.domain: 41163+% [1au] DS? co.uk. (34)
11:08:17.725557 IP 10.4.0.1.domain > avocet.56660: 41163 0/4/1 (454)
11:08:17.725815 IP avocet.53087 > 10.4.0.1.domain: 48233+% [1au] DS? co.uk. (34)
11:08:17.772035 IP 10.4.0.1.domain > avocet.53087: 48233 0/4/1 (454)
11:08:17.772307 IP avocet.30856 > 10.4.0.1.domain: 60484+% [1au] DS? co.uk. (34)
11:08:17.817180 IP 10.4.0.1.domain > avocet.30856: 60484 0/4/1 (454)
11:08:17.817453 IP avocet.44058 > 10.4.0.1.domain: 47817+% [1au] DS? co.uk. (34)
11:08:17.862020 IP 10.4.0.1.domain > avocet.44058: 47817 0/4/1 (454)

I can't find a reproducible set of steps to either cause or fix the issue. Does anyone understand why this might be happening? How come it only affects .co.uk domains?

The unbound config:

# cat /etc/unbound/unbound.conf
---
include: "/etc/resolvunbound"
server:
  verbosity: 1
  use-syslog: yes
  username: "unbound"
  directory: "/etc/unbound"

  interface: 127.0.0.1
  trust-anchor-file: trusted-key.key
  root-hints: "/etc/unbound/root.hints"

  local-zone: "10.in-addr.arpa." nodefault
  local-zone: "168.192.in-addr.arpa." nodefault

with /etc/resolvunbound generated by openresolv:

# cat /etc/resolvunbound
---
forward-zone:
	name: "."
	forward-addr: 10.4.0.1

Last edited by rbaj (2016-06-29 13:26:58)

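Added example, not code from the post: a small Python script that pairs the queries and replies in a tcpdump "port 53" capture like the ones above by source port and DNS id, then flags any (qtype, qname) the resolver keeps re-asking while only ever getting replies with zero answer records, which is the pattern the DS? co.uk. exchange shows. It assumes tcpdump's default one-line output for UDP DNS as printed in the post; the function names are my own.

```python
import re
from collections import defaultdict

# Query and reply lines as tcpdump prints them for "port 53" (see the post).
QUERY = re.compile(r"^\S+ IP (\S+?)\.(\d+) > \S+\.domain: (\d+)\S* (?:\[1au\] )?"
                   r"([A-Z0-9]+)\? (\S+) \(\d+\)$")
RESP = re.compile(r"^\S+ IP \S+\.domain > (\S+?)\.(\d+): (\d+)\S* "
                  r"(?:(?:NXDomain|ServFail|Refused)\S* )?(\d+)/(\d+)/(\d+)")

def parse_line(line):
    """('q', port, id, qtype, qname) for a query, ('r', port, id, ancount) for a reply."""
    m = QUERY.match(line)
    if m:
        return ("q", int(m.group(2)), int(m.group(3)), m.group(4), m.group(5))
    m = RESP.match(line)
    return ("r", int(m.group(2)), int(m.group(3)), int(m.group(4))) if m else None

def analyze(lines, min_repeats=3):
    """Pair replies with queries by (source port, DNS id); per (qtype, qname) count
    queries sent, replies seen and replies with zero answer records. Names asked
    >= min_repeats times that only got empty replies are flagged: a validator loop."""
    pending, stats = {}, defaultdict(lambda: {"asked": 0, "replied": 0, "empty": 0})
    for line in lines:
        rec = parse_line(line.strip())
        if rec and rec[0] == "q":
            _, port, qid, qtype, qname = rec
            pending[(port, qid)] = (qtype, qname)
            stats[(qtype, qname)]["asked"] += 1
        elif rec:
            _, port, qid, ancount = rec
            key = pending.pop((port, qid), None)
            if key:  # replies to queries outside the capture window have no key
                stats[key]["replied"] += 1
                stats[key]["empty"] += ancount == 0
    flagged = sorted(k for k, s in stats.items()
                     if s["asked"] >= min_repeats and s["empty"] == s["replied"])
    return {"stats": dict(stats), "flagged": flagged, "unanswered": sorted(pending.values())}

# Constructed test input: lines copied from the VPN capture in the post above.
SAMPLE = """\
11:08:17.491793 IP avocet.61768 > 10.4.0.1.domain: 25310+% [1au] DS? uk. (31)
11:08:17.536329 IP 10.4.0.1.domain > avocet.61768: 25310 2/0/1 DS, RRSIG (238)
11:08:17.585278 IP avocet.24965 > 10.4.0.1.domain: 58026+% [1au] DS? co.uk. (34)
11:08:17.633617 IP 10.4.0.1.domain > avocet.24965: 58026 0/4/1 (454)
11:08:17.633858 IP avocet.52519 > 10.4.0.1.domain: 30704+% [1au] DS? co.uk. (34)
11:08:17.679713 IP 10.4.0.1.domain > avocet.52519: 30704 0/4/1 (454)
11:08:17.680020 IP avocet.56660 > 10.4.0.1.domain: 41163+% [1au] DS? co.uk. (34)
11:08:17.725557 IP 10.4.0.1.domain > avocet.56660: 41163 0/4/1 (454)
"""
```

Run `analyze(open("capture.txt"))` on a saved tcpdump capture: the "unanswered" list separates a forwarder that never replies from the "flagged" case here, where the forwarder replies every time but the validator cannot use what it gets back.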

#2 2016-06-29 13:26:48

rbaj
Member
Registered: 2016-01-27
Posts: 36

Re: [SOLVED] VPN cannot connect to .co.uk TLDs

The solution is to remove the trust-anchor-file line from the config.

https://unbound.net/pipermail/unbound-u … 04336.html

