<div dir="ltr"><div>I do have DNSSEC validation enabled; however, all tests validate successfully.</div><div>When I run</div><div>$ delv <a href="http://twitterdatadash.com">twitterdatadash.com</a></div><div>;; resolution failed: SERVFAIL<br></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Sat, 14 May 2022 at 21:30, <<a href="mailto:unbound-users-request@lists.nlnetlabs.nl">unbound-users-request@lists.nlnetlabs.nl</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
Today's Topics:<br>
<br>
   1. Only one domain failing to resolve, unbound pi-hole (BangDroid)<br>
   2. Re: Only one domain failing to resolve, unbound pi-hole<br>
      (Georg Pfuetzenreuter)<br>
<br>
<br>
----------------------------------------------------------------------<br>
<br>
Message: 1<br>
Date: Sat, 14 May 2022 13:06:26 +0930<br>
From: BangDroid <<a href="mailto:bangdroid.bangas@gmail.com" target="_blank">bangdroid.bangas@gmail.com</a>><br>
To: <a href="mailto:unbound-users@lists.nlnetlabs.nl" target="_blank">unbound-users@lists.nlnetlabs.nl</a><br>
Subject: Only one domain failing to resolve, unbound pi-hole<br>
Message-ID:<br>
        <<a href="mailto:CAA3iKSF5pvefZFoQ1n8t_wgYj%2BrV-Of6eRTXBXur24v2chbQ8A@mail.gmail.com" target="_blank">CAA3iKSF5pvefZFoQ1n8t_wgYj+rV-Of6eRTXBXur24v2chbQ8A@mail.gmail.com</a>><br>
Content-Type: text/plain; charset="utf-8"<br>
<br>
Kind of pulling my hair out with this one... The domain <a href="http://twitterdatadash.com" rel="noreferrer" target="_blank">twitterdatadash.com</a> will<br>
not resolve with unbound recursively. I get SERVFAIL.<br>
<br>
root.hints is up to date, local time on raspi is accurate. No other domains<br>
are failing.<br>
<br>
Both dig <a href="http://sigfail.verteiltesysteme.net" rel="noreferrer" target="_blank">sigfail.verteiltesysteme.net</a> @<a href="http://127.0.0.1" rel="noreferrer" target="_blank">127.0.0.1</a> -p 5335 and dig<br>
<a href="http://sigok.verteiltesysteme.net" rel="noreferrer" target="_blank">sigok.verteiltesysteme.net</a> @<a href="http://127.0.0.1" rel="noreferrer" target="_blank">127.0.0.1</a> -p 5335 are as expected.<br>
<br>
Switching to an upstream DNS in Pi-hole will get the domain to successfully<br>
resolve, as well as using a standard DNS forward-zone in<br>
unbound.conf.d/pi-hole.conf:<br>
<br>
    forward-zone:<br>
    name: "."<br>
    forward-addr: 8.8.8.8<br>
<br>
However, if I use a DoT forward zone (because suspected possible? DNS<br>
hijacking by ISP):<br>
<br>
    tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt<br>
    forward-zone:<br>
        name: "."<br>
        forward-addr: 1.1.1.1@853#<a href="http://cloudflare-dns.com" rel="noreferrer" target="_blank">cloudflare-dns.com</a><br>
        forward-addr: 1.0.0.1@853#<a href="http://cloudflare-dns.com" rel="noreferrer" target="_blank">cloudflare-dns.com</a><br>
        forward-ssl-upstream: yes<br>
<br>
Everything works exactly as expected, including <a href="https://1.1.1.1/help" rel="noreferrer" target="_blank">https://1.1.1.1/help</a><br>
 **except** <a href="http://twitterdatadash.com" rel="noreferrer" target="_blank">twitterdatadash.com</a> remains SERVFAIL.<br>
<br>
Paste of dig outputs with various unbound configurations:<br>
<a href="https://pastebin.com/k1LtjzHB" rel="noreferrer" target="_blank">https://pastebin.com/k1LtjzHB</a><br>
<br>
pi-hole.conf: <a href="https://pastebin.com/szLmcNFj" rel="noreferrer" target="_blank">https://pastebin.com/szLmcNFj</a><br>
<br>
unbound logs grepped with "twitterdatadash":<br>
<br>
'default' pihole.conf : <a href="https://pastebin.com/JmgUDSRv" rel="noreferrer" target="_blank">https://pastebin.com/JmgUDSRv</a><br>
<br>
with DoT: <a href="https://pastebin.com/k3UgdZD4" rel="noreferrer" target="_blank">https://pastebin.com/k3UgdZD4</a><br>
<br>
Accessing that domain is not crucial by any means, I am only concerned it<br>
may be indicative of a bigger issue. It seems like there must be an issue<br>
with my configuration somewhere, but every test I run appears to indicate no<br>
issue. Is it possible the issue is not on my end? Anyone have any ideas?<br>
<br>
------------------------------<br>
<br>
Message: 2<br>
Date: Sat, 14 May 2022 09:27:17 +0200<br>
From: Georg Pfuetzenreuter <<a href="mailto:georg@syscid.com" target="_blank">georg@syscid.com</a>><br>
To: <a href="mailto:unbound-users@lists.nlnetlabs.nl" target="_blank">unbound-users@lists.nlnetlabs.nl</a><br>
Subject: Re: Only one domain failing to resolve, unbound pi-hole<br>
Message-ID: <<a href="mailto:8b3813a3-5677-4011-1eac-c6921dd9e291@syscid.com" target="_blank">8b3813a3-5677-4011-1eac-c6921dd9e291@syscid.com</a>><br>
Content-Type: text/plain; charset=UTF-8; format=flowed<br>
<br>
Maybe you have DNSSEC validation enabled?<br>
<br>
$ delv <a href="http://twitterdatadash.com" rel="noreferrer" target="_blank">twitterdatadash.com</a><br>
; unsigned answer<br>
<a href="http://twitterdatadash.com" rel="noreferrer" target="_blank">twitterdatadash.com</a>.    7200    IN      A       34.96.91.68<br>
<br>
<br>
<br>
------------------------------<br>
<br>
End of Unbound-users Digest, Vol 29, Issue 9<br>
********************************************<br>
</blockquote></div></div>
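The thread stops at "maybe it is DNSSEC validation" versus "delv still says SERVFAIL". The standard way to settle that for one name is to send the same query twice, once normally and once with the CD (checking disabled) bit set: if the resolver answers with CD set but SERVFAILs without it, the data exists and is failing validation (bogus); if both fail, the problem is upstream of validation (authoritative servers, path, hijacking). The script below is an added example, not code from the thread or from the Unbound project. It builds the two queries in raw wire format with only the standard library, parses the response header, and classifies the outcome; the resolver address 127.0.0.1:5335 and the name twitterdatadash.com are taken from the post, and the two sample responses at the bottom are constructed so the classification can be checked offline.

```python
import socket
import struct

# DNS header flag bits (RFC 1035 / RFC 4035)
FLAG_RD = 0x0100  # recursion desired
FLAG_AD = 0x0020  # authentic data: resolver validated the answer
FLAG_CD = 0x0010  # checking disabled: return data even if validation fails
RCODE_NOERROR = 0
RCODE_SERVFAIL = 2


def build_query(name, qtype=1, cd=False, txid=0x1234):
    """Build a minimal DNS query (qtype 1 = A), optionally with CD set."""
    flags = FLAG_RD | (FLAG_CD if cd else 0)
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode()
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def parse_header(msg):
    """Return the fields of the 12-byte DNS header we care about."""
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "rcode": flags & 0x000F,
            "ad": bool(flags & FLAG_AD), "cd": bool(flags & FLAG_CD),
            "answers": an}


def classify(plain, with_cd):
    """plain: header of the normal query; with_cd: same query with CD set."""
    if plain["rcode"] == RCODE_NOERROR:
        return ("resolves (validated, AD set)" if plain["ad"]
                else "resolves (unsigned or not validated)")
    if plain["rcode"] == RCODE_SERVFAIL and with_cd["rcode"] == RCODE_NOERROR:
        return "dnssec-bogus: data exists but fails validation"
    if plain["rcode"] == RCODE_SERVFAIL and with_cd["rcode"] == RCODE_SERVFAIL:
        return "resolution failure: upstream/authoritative problem, not DNSSEC"
    return "other rcode %d" % plain["rcode"]


def query_udp(server, port, name, cd=False, timeout=3.0):
    """Send one query over UDP and return its parsed header (needs network)."""
    q = build_query(name, cd=cd)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, port))
        data, _ = s.recvfrom(4096)
    return parse_header(data)


def diagnose(server="127.0.0.1", port=5335, name="twitterdatadash.com"):
    """Resolver and name from the post; the pair of queries does the work."""
    return classify(query_udp(server, port, name, cd=False),
                    query_udp(server, port, name, cd=True))


# Constructed sample responses (QR, RD, RA set) for offline checking.
def _response(txid, rcode, ad=False, cd=False, answers=0):
    flags = 0x8180 | rcode | (FLAG_AD if ad else 0) | (FLAG_CD if cd else 0)
    return struct.pack("!HHHHHH", txid, flags, 1, answers, 0, 0)


SAMPLE_SERVFAIL = _response(0x1234, RCODE_SERVFAIL)
SAMPLE_CD_OK = _response(0x1234, RCODE_NOERROR, cd=True, answers=1)

if __name__ == "__main__":
    print(classify(parse_header(SAMPLE_SERVFAIL), parse_header(SAMPLE_CD_OK)))
    print(diagnose())
```

The same two-query comparison can be typed by hand as `dig @127.0.0.1 -p 5335 twitterdatadash.com` followed by the same command with `+cd`. Whichever way it is run, a "bogus" result is the case where raising `val-log-level: 2` in unbound.conf is worth doing, since Unbound then logs the reason a validation failed for that name; a failure in both queries points at the path to the authoritative servers instead, which is consistent with the forwarder configurations in the post succeeding.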