<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<p>Use unbound-host -rvdD twitterdatadash.com</p>
<p>Add more -d to increase verbosity. It might reveal why its
validation is failing. SERVFAIL usually means validation failure.
Or network outage. Check whether its servers are not in
unbound-control dump_infra.<br>
</p>
<div class="moz-cite-prefix">On 5/15/22 06:55, BangDroid via
Unbound-users wrote:<br>
</div>
<blockquote type="cite"
cite="mid:CAA3iKSHeKdsa4-ad-N-hdzmyp9fV2MqASxFbFHz+Dp2tF9cj8w@mail.gmail.com">
<div dir="ltr">
<div>I do have DNSSEC validation enabled, however all tests
validate successfully.</div>
<div>When I run</div>
<div>$ delv <a href="http://twitterdatadash.com"
moz-do-not-send="true">twitterdatadash.com</a></div>
<div>;; resolution failed: SERVFAIL<br>
</div>
<br>
<div class="gmail_quote">
<div dir="ltr" class="gmail_attr">On Sat, 14 May 2022 at
21:30, &lt;<a
href="mailto:unbound-users-request@lists.nlnetlabs.nl"
moz-do-not-send="true" class="moz-txt-link-freetext">unbound-users-request@lists.nlnetlabs.nl</a>&gt;
wrote:<br>
</div>
<blockquote class="gmail_quote">
Today's Topics:<br>
<br>
1. Only one domain failing to resolve, unbound pi-hole
(BangDroid)<br>
2. Re: Only one domain failing to resolve, unbound
pi-hole<br>
(Georg Pfuetzenreuter)<br>
<br>
<br>
----------------------------------------------------------------------<br>
<br>
Message: 1<br>
Date: Sat, 14 May 2022 13:06:26 +0930<br>
From: BangDroid &lt;<a
href="mailto:bangdroid.bangas@gmail.com" target="_blank"
moz-do-not-send="true" class="moz-txt-link-freetext">bangdroid.bangas@gmail.com</a>&gt;<br>
To: <a href="mailto:unbound-users@lists.nlnetlabs.nl"
target="_blank" moz-do-not-send="true"
class="moz-txt-link-freetext">unbound-users@lists.nlnetlabs.nl</a><br>
Subject: Only one domain failing to resolve, unbound pi-hole<br>
Message-ID:<br>
&lt;<a
href="mailto:CAA3iKSF5pvefZFoQ1n8t_wgYj%2BrV-Of6eRTXBXur24v2chbQ8A@mail.gmail.com"
target="_blank" moz-do-not-send="true">CAA3iKSF5pvefZFoQ1n8t_wgYj+rV-Of6eRTXBXur24v2chbQ8A@mail.gmail.com</a>&gt;<br>
Content-Type: text/plain; charset="utf-8"<br>
<br>
Kind of pulling my hair out with this one.. The domain <a
href="http://twitterdatadash.com" rel="noreferrer"
target="_blank" moz-do-not-send="true">twitterdatadash.com</a>
will<br>
not resolve with unbound recursively. I get SERVFAIL.<br>
<br>
root.hints is up to date, local time on raspi is accurate.
No other domains<br>
are failing.<br>
<br>
Both dig <a href="http://sigfail.verteiltesysteme.net"
rel="noreferrer" target="_blank" moz-do-not-send="true">sigfail.verteiltesysteme.net</a>
@<a href="http://127.0.0.1" rel="noreferrer" target="_blank"
moz-do-not-send="true">127.0.0.1</a> -p 5335 and dig<br>
<a href="http://sigok.verteiltesysteme.net" rel="noreferrer"
target="_blank" moz-do-not-send="true">sigok.verteiltesysteme.net</a>
@<a href="http://127.0.0.1" rel="noreferrer" target="_blank"
moz-do-not-send="true">127.0.0.1</a> -p 5335 are as
expected.<br>
<br>
Switching to an upstream DNS in Pi-hole will get the domain
to successfully<br>
resolve, as well as using a standard DNS forward-zone in<br>
unbound.conf.d/pi-hole.conf:<br>
<br>
forward-zone:<br>
name: "."<br>
forward-addr: 8.8.8.8<br>
<br>
However, if I use a DoT forward zone (because suspected
possible? DNS<br>
hijacking by ISP):<br>
<br>
tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt<br>
forward-zone:<br>
name: "."<br>
forward-addr: 1.1.1.1@853#<a
href="http://cloudflare-dns.com" rel="noreferrer"
target="_blank" moz-do-not-send="true">cloudflare-dns.com</a><br>
forward-addr: 1.0.0.1@853#<a
href="http://cloudflare-dns.com" rel="noreferrer"
target="_blank" moz-do-not-send="true">cloudflare-dns.com</a><br>
forward-ssl-upstream: yes<br>
<br>
Everything works exactly as expected, including <a
href="https://1.1.1.1/help" rel="noreferrer"
target="_blank" moz-do-not-send="true"
class="moz-txt-link-freetext">https://1.1.1.1/help</a><br>
**except** <a href="http://twitterdatadash.com"
rel="noreferrer" target="_blank" moz-do-not-send="true">twitterdatadash.com</a>
remains SERVFAIL.<br>
<br>
Paste of dig outputs with various unbound configurations:<br>
<a href="https://pastebin.com/k1LtjzHB" rel="noreferrer"
target="_blank" moz-do-not-send="true"
class="moz-txt-link-freetext">https://pastebin.com/k1LtjzHB</a><br>
<br>
pi-hole.conf: <a href="https://pastebin.com/szLmcNFj"
rel="noreferrer" target="_blank" moz-do-not-send="true"
class="moz-txt-link-freetext">https://pastebin.com/szLmcNFj</a><br>
<br>
unbound logs grepped with "twitterdatadash":<br>
<br>
'default' pihole.conf : <a
href="https://pastebin.com/JmgUDSRv" rel="noreferrer"
target="_blank" moz-do-not-send="true"
class="moz-txt-link-freetext">https://pastebin.com/JmgUDSRv</a><br>
<br>
with DoT: <a href="https://pastebin.com/k3UgdZD4"
rel="noreferrer" target="_blank" moz-do-not-send="true"
class="moz-txt-link-freetext">https://pastebin.com/k3UgdZD4</a><br>
<br>
Accessing that domain is not crucial by any means, I am only
concerned it<br>
may be indicative of a bigger issue. It seems like there
must be an issue<br>
with my configuration somewhere, but every test I run appears
to indicate no<br>
issue. Is it possible the issue is not my end? Anyone have
any ideas?<br>
<br>
------------------------------<br>
<br>
Message: 2<br>
Date: Sat, 14 May 2022 09:27:17 +0200<br>
From: Georg Pfuetzenreuter &lt;<a
href="mailto:georg@syscid.com" target="_blank"
moz-do-not-send="true" class="moz-txt-link-freetext">georg@syscid.com</a>&gt;<br>
To: <a href="mailto:unbound-users@lists.nlnetlabs.nl"
target="_blank" moz-do-not-send="true"
class="moz-txt-link-freetext">unbound-users@lists.nlnetlabs.nl</a><br>
Subject: Re: Only one domain failing to resolve, unbound
pi-hole<br>
Message-ID: &lt;<a
href="mailto:8b3813a3-5677-4011-1eac-c6921dd9e291@syscid.com"
target="_blank" moz-do-not-send="true"
class="moz-txt-link-freetext">8b3813a3-5677-4011-1eac-c6921dd9e291@syscid.com</a>&gt;<br>
Content-Type: text/plain; charset=UTF-8; format=flowed<br>
<br>
Maybe you have DNSSEC validation enabled?<br>
<br>
$ delv <a href="http://twitterdatadash.com"
rel="noreferrer" target="_blank" moz-do-not-send="true">twitterdatadash.com</a><br>
; unsigned answer<br>
<a href="http://twitterdatadash.com" rel="noreferrer"
target="_blank" moz-do-not-send="true">twitterdatadash.com</a>.
7200 IN A 34.96.91.68<br>
<br>
<br>
------------------------------<br>
<br>
End of Unbound-users Digest, Vol 29, Issue 9<br>
********************************************<br>
</blockquote>
</div>
</div>
</blockquote>
<pre class="moz-signature" cols="72">--
Petr Menšík
Software Engineer
Red Hat, <a class="moz-txt-link-freetext" href="http://www.redhat.com/">http://www.redhat.com/</a>
email: <a class="moz-txt-link-abbreviated" href="mailto:pemensik@redhat.com">pemensik@redhat.com</a>
PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB</pre>
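<p>Added example, not part of the original thread or of Unbound: one way to tell the two SERVFAIL causes named in the reply apart (validation failure versus network outage) is to repeat the query with DNSSEC checking disabled (<tt>dig +cd</tt>) and compare the response codes. The function names and the sample header lines are constructed for illustration; the default server 127.0.0.1 and port 5335 are the ones used in the original post.</p>

```shell
#!/bin/sh
# Added example: classify a SERVFAIL from a validating resolver by comparing
# a normal query with a checking-disabled (+cd) query for the same name.

# Print the rcode found in dig output on stdin, or NORESPONSE if dig printed
# no header at all (for example on a timeout).
dig_status() {
    s=$(sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1)
    echo "${s:-NORESPONSE}"
}

# classify NORMAL_RCODE CD_RCODE -> one-word verdict (heuristic)
classify() {
    case "$1/$2" in
        NOERROR/*|NXDOMAIN/*)
            echo ok ;;
        SERVFAIL/NOERROR|SERVFAIL/NXDOMAIN)
            # Data is reachable, but the resolver rejects it when validating.
            echo validation-failure ;;
        SERVFAIL/SERVFAIL)
            # Fails even without validation: upstream servers or the network.
            echo upstream-or-network ;;
        NORESPONSE/*|*/NORESPONSE)
            echo resolver-unreachable ;;
        *)
            echo unclassified ;;
    esac
}

# triage NAME [SERVER] [PORT]: live check against a running resolver.
triage() {
    name=$1 server=${2:-127.0.0.1} port=${3:-5335}
    normal=$(dig "$name" @"$server" -p "$port" +tries=1 +time=5 2>/dev/null | dig_status)
    nocheck=$(dig "$name" @"$server" -p "$port" +cd +tries=1 +time=5 2>/dev/null | dig_status)
    echo "$name normal=$normal cd=$nocheck verdict=$(classify "$normal" "$nocheck")"
}

# Constructed dig header lines for offline use (not output from the thread).
SAMPLE_FAIL=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4711'
SAMPLE_OK=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4712'
```

<p>Run <tt>triage twitterdatadash.com</tt> on the resolver host; a <tt>validation-failure</tt> verdict is the case where the verbose <tt>unbound-host</tt> output is most useful.</p>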
</body>
</html>