
<div dir="ltr"><div>I do have DNSSEC validation enabled, however all tests validate successfully.</div><div>When I run</div><div>$ delv <a href="http://twitterdatadash.com">twitterdatadash.com</a></div><div>;; resolution failed: SERVFAIL<br></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Sat, 14 May 2022 at 21:30, <<a href="mailto:unbound-users-request@lists.nlnetlabs.nl">unbound-users-request@lists.nlnetlabs.nl</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Send Unbound-users mailing list submissions to<br>

        <a href="mailto:unbound-users@lists.nlnetlabs.nl" target="_blank">unbound-users@lists.nlnetlabs.nl</a><br>

<br>

To subscribe or unsubscribe via the World Wide Web, visit<br>

        <a href="https://lists.nlnetlabs.nl/mailman/listinfo/unbound-users" rel="noreferrer" target="_blank">https://lists.nlnetlabs.nl/mailman/listinfo/unbound-users</a><br>

or, via email, send a message with subject or body 'help' to<br>

        <a href="mailto:unbound-users-request@lists.nlnetlabs.nl" target="_blank">unbound-users-request@lists.nlnetlabs.nl</a><br>

<br>

You can reach the person managing the list at<br>

        <a href="mailto:unbound-users-owner@lists.nlnetlabs.nl" target="_blank">unbound-users-owner@lists.nlnetlabs.nl</a><br>

<br>

When replying, please edit your Subject line so it is more specific<br>

than "Re: Contents of Unbound-users digest..."<br>

<br>

<br>

Today's Topics:<br>

<br>

   1. Only one domain failing to resolve, unbound pi-hole (BangDroid)<br>

   2. Re: Only one domain failing to resolve, unbound pi-hole<br>

      (Georg Pfuetzenreuter)<br>

<br>

<br>

----------------------------------------------------------------------<br>

<br>

Message: 1<br>

Date: Sat, 14 May 2022 13:06:26 +0930<br>

From: BangDroid <<a href="mailto:bangdroid.bangas@gmail.com" target="_blank">bangdroid.bangas@gmail.com</a>><br>

To: <a href="mailto:unbound-users@lists.nlnetlabs.nl" target="_blank">unbound-users@lists.nlnetlabs.nl</a><br>

Subject: Only one domain failing to resolve, unbound pi-hole<br>

Message-ID:<br>

        <<a href="mailto:CAA3iKSF5pvefZFoQ1n8t_wgYj%2BrV-Of6eRTXBXur24v2chbQ8A@mail.gmail.com" target="_blank">CAA3iKSF5pvefZFoQ1n8t_wgYj+rV-Of6eRTXBXur24v2chbQ8A@mail.gmail.com</a>><br>

Content-Type: text/plain; charset="utf-8"<br>

<br>

Kind of pulling my hair out with this one.. The domain <a href="http://twitterdatadash.com" rel="noreferrer" target="_blank">twitterdatadash.com</a> will<br>

not resolve with unbound recursively. I get SERVFAIL.<br>

<br>

root.hints is up to date, local time on raspi is accurate. No other domains<br>

are failing.<br>

<br>

Both dig <a href="http://sigfail.verteiltesysteme.net" rel="noreferrer" target="_blank">sigfail.verteiltesysteme.net</a> @<a href="http://127.0.0.1" rel="noreferrer" target="_blank">127.0.0.1</a> -p 5335 and dig<br>

<a href="http://sigok.verteiltesysteme.net" rel="noreferrer" target="_blank">sigok.verteiltesysteme.net</a> @<a href="http://127.0.0.1" rel="noreferrer" target="_blank">127.0.0.1</a> -p 5335 are as expected.<br>

<br>

Switching to an upstream DNS in Pi-hole will get the domain to successfully<br>

resolve, as well as using a standard DNS forward-zone in<br>

unbound.conf.d/pi-hole.conf:<br>

<br>

    forward-zone:<br>

    name: "."<br>

    forward-addr: 8.8.8.8<br>

<br>

However, if I use a DoT forward zone (because suspected possible? DNS<br>

hijacking by ISP):<br>

<br>

    tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt<br>

    forward-zone:<br>

        name: "."<br>

        forward-addr: 1.1.1.1@853#<a href="http://cloudflare-dns.com" rel="noreferrer" target="_blank">cloudflare-dns.com</a><br>

        forward-addr: 1.0.0.1@853#<a href="http://cloudflare-dns.com" rel="noreferrer" target="_blank">cloudflare-dns.com</a><br>

        forward-ssl-upstream: yes<br>

<br>

Everything works exactly as expected, including <a href="https://1.1.1.1/help" rel="noreferrer" target="_blank">https://1.1.1.1/help</a><br>

 **except** <a href="http://twitterdatadash.com" rel="noreferrer" target="_blank">twitterdatadash.com</a> remains SERVFAIL.<br>

<br>

Paste of dig outputs with various unbound configurations:<br>

<a href="https://pastebin.com/k1LtjzHB" rel="noreferrer" target="_blank">https://pastebin.com/k1LtjzHB</a><br>

<br>

pi-hole.conf: <a href="https://pastebin.com/szLmcNFj" rel="noreferrer" target="_blank">https://pastebin.com/szLmcNFj</a><br>

<br>

unbound logs greped with "twitterdatadash" :<br>

<br>

'default' pihole.conf : <a href="https://pastebin.com/JmgUDSRv" rel="noreferrer" target="_blank">https://pastebin.com/JmgUDSRv</a><br>

<br>

with DoT: <a href="https://pastebin.com/k3UgdZD4" rel="noreferrer" target="_blank">https://pastebin.com/k3UgdZD4</a><br>

<br>

Accessing that domain is not crucial by any means, I am only concerned it<br>

may be indicative of a bigger issue. It seems like there must be an issue<br>

with my configuration somewhere, but every test I run appear to indicate no<br>

issue. Is it possible the issue is not my end? Anyone have any ideas?<br>

-------------- next part --------------<br>

An HTML attachment was scrubbed...<br>

URL: <<a href="http://lists.nlnetlabs.nl/pipermail/unbound-users/attachments/20220514/7c656de2/attachment-0001.htm" rel="noreferrer" target="_blank">http://lists.nlnetlabs.nl/pipermail/unbound-users/attachments/20220514/7c656de2/attachment-0001.htm</a>><br>

<br>

------------------------------<br>

<br>

Message: 2<br>

Date: Sat, 14 May 2022 09:27:17 +0200<br>

From: Georg Pfuetzenreuter <<a href="mailto:georg@syscid.com" target="_blank">georg@syscid.com</a>><br>

To: <a href="mailto:unbound-users@lists.nlnetlabs.nl" target="_blank">unbound-users@lists.nlnetlabs.nl</a><br>

Subject: Re: Only one domain failing to resolve, unbound pi-hole<br>

Message-ID: <<a href="mailto:8b3813a3-5677-4011-1eac-c6921dd9e291@syscid.com" target="_blank">8b3813a3-5677-4011-1eac-c6921dd9e291@syscid.com</a>><br>

Content-Type: text/plain; charset=UTF-8; format=flowed<br>

<br>

Maybe you have DNSSEC validation enabled?<br>

<br>

$ delv <a href="http://twitterdatadash.com" rel="noreferrer" target="_blank">twitterdatadash.com</a><br>

; unsigned answer<br>

<a href="http://twitterdatadash.com" rel="noreferrer" target="_blank">twitterdatadash.com</a>.    7200    IN      A       34.96.91.68<br>

<br>

<br>

On 5/14/22 05:36, BangDroid via Unbound-users wrote:<br>

> Kind of pulling my hair out with this one.. The domain <br>

> <a href="http://twitterdatadash.com" rel="noreferrer" target="_blank">twitterdatadash.com</a> <<a href="http://twitterdatadash.com/" rel="noreferrer" target="_blank">http://twitterdatadash.com/</a>>?will not resolve with <br>

> unbound recursively. I get SERVFAIL.<br>

> <br>

> root.hints is up to date, local time on raspi is accurate. No other <br>

> domains are failing.<br>

> <br>

> Both dig <a href="http://sigfail.verteiltesysteme.net" rel="noreferrer" target="_blank">sigfail.verteiltesysteme.net</a> <br>

> <<a href="http://sigfail.verteiltesysteme.net/" rel="noreferrer" target="_blank">http://sigfail.verteiltesysteme.net/</a>>?@<a href="http://127.0.0.1" rel="noreferrer" target="_blank">127.0.0.1</a> <<a href="http://127.0.0.1/" rel="noreferrer" target="_blank">http://127.0.0.1/</a>>?-p <br>

> 5335 and dig <a href="http://sigok.verteiltesysteme.net" rel="noreferrer" target="_blank">sigok.verteiltesysteme.net</a> <br>

> <<a href="http://sigok.verteiltesysteme.net/" rel="noreferrer" target="_blank">http://sigok.verteiltesysteme.net/</a>>?@<a href="http://127.0.0.1" rel="noreferrer" target="_blank">127.0.0.1</a> <<a href="http://127.0.0.1/" rel="noreferrer" target="_blank">http://127.0.0.1/</a>>?-p <br>

> 5335 are as expected.<br>

> <br>

> Switching to an upstream DNS in Pi-hole will get the domain to <br>

> successfully resolve, as well as using a standard DNS forward-zone in <br>

> unbound.conf.d/pi-hole.conf:<br>

> <br>

>  ? ? forward-zone:<br>

>  ? ? name: "."<br>

>  ? ? forward-addr: 8.8.8.8<br>

> <br>

> However, if I use a DoT forward zone (because suspected possible? DNS <br>

> hijacking by ISP):<br>

> <br>

>  ? ? tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt<br>

>  ? ? forward-zone:<br>

>  ? ? ? ? name: "."<br>

>  ? ? ? ? forward-addr: 1.1.1.1@853#<a href="http://cloudflare-dns.com" rel="noreferrer" target="_blank">cloudflare-dns.com</a> <br>

> <<a href="http://cloudflare-dns.com/" rel="noreferrer" target="_blank">http://cloudflare-dns.com/</a>><br>

>  ? ? ? ? forward-addr: 1.0.0.1@853#<a href="http://cloudflare-dns.com" rel="noreferrer" target="_blank">cloudflare-dns.com</a> <br>

> <<a href="http://cloudflare-dns.com/" rel="noreferrer" target="_blank">http://cloudflare-dns.com/</a>><br>

>  ? ? ? ? forward-ssl-upstream: yes<br>

> <br>

> Everything works exactly as expected, including <a href="https://1.1.1.1/help" rel="noreferrer" target="_blank">https://1.1.1.1/help</a> <br>

> <<a href="https://1.1.1.1/help" rel="noreferrer" target="_blank">https://1.1.1.1/help</a>>?**except** <a href="http://twitterdatadash.com" rel="noreferrer" target="_blank">twitterdatadash.com</a> <br>

> <<a href="http://twitterdatadash.com/" rel="noreferrer" target="_blank">http://twitterdatadash.com/</a>>?remains SERVFAIL.<br>

> <br>

> Paste of dig outputs with various unbound configurations: <br>

> <a href="https://pastebin.com/k1LtjzHB" rel="noreferrer" target="_blank">https://pastebin.com/k1LtjzHB</a> <<a href="https://pastebin.com/k1LtjzHB" rel="noreferrer" target="_blank">https://pastebin.com/k1LtjzHB</a>><br>

> <br>

> pi-hole.conf: <a href="https://pastebin.com/szLmcNFj" rel="noreferrer" target="_blank">https://pastebin.com/szLmcNFj</a> <<a href="https://pastebin.com/szLmcNFj" rel="noreferrer" target="_blank">https://pastebin.com/szLmcNFj</a>><br>

> <br>

> unbound logs greped with "twitterdatadash" :<br>

> <br>

> 'default' pihole.conf : <a href="https://pastebin.com/JmgUDSRv" rel="noreferrer" target="_blank">https://pastebin.com/JmgUDSRv</a> <br>

> <<a href="https://pastebin.com/JmgUDSRv" rel="noreferrer" target="_blank">https://pastebin.com/JmgUDSRv</a>><br>

> <br>

> with DoT: <a href="https://pastebin.com/k3UgdZD4" rel="noreferrer" target="_blank">https://pastebin.com/k3UgdZD4</a> <<a href="https://pastebin.com/k3UgdZD4" rel="noreferrer" target="_blank">https://pastebin.com/k3UgdZD4</a>><br>

> <br>

> Accessing that domain is not crucial by any means, I am only concerned <br>

> it may be indicative of a bigger issue. It seems like there must be an <br>

> issue with my configuration somewhere, but every test I run appear to <br>

> indicate no issue. Is it possible the issue is not my end? Anyone have <br>

> any ideas?<br>

<br>

<br>

------------------------------<br>

<br>

Subject: Digest Footer<br>

<br>

_______________________________________________<br>

Unbound-users mailing list<br>

<a href="mailto:Unbound-users@lists.nlnetlabs.nl" target="_blank">Unbound-users@lists.nlnetlabs.nl</a><br>

<a href="https://lists.nlnetlabs.nl/mailman/listinfo/unbound-users" rel="noreferrer" target="_blank">https://lists.nlnetlabs.nl/mailman/listinfo/unbound-users</a><br>

<br>

<br>

------------------------------<br>

<br>

End of Unbound-users Digest, Vol 29, Issue 9<br>

********************************************<br>

</blockquote></div></div>