Ability to detect when queries are being blocked at the network level
mahdi.adnan at outlook.com
Thu May 3 15:33:58 UTC 2018
Im having the same issue here with my servers. several queries fails when using my server's source IP but, Google public DNS return an answer.
my workaround was to forward those queries to 184.108.40.206 using forward domain.
i wonder if there's a way to find what's causing those SERVFAIL.
Mahdi A. Mahdi
From: Unbound-users <unbound-users-bounces at unbound.net> on behalf of John Peacock via Unbound-users <unbound-users at unbound.net>
Sent: Thursday, May 3, 2018 4:07 PM
To: unbound-users at unbound.net
Subject: Ability to detect when queries are being blocked at the network level
We run a robust carrier-grade e-mail service in the cloud and have a dedicated DNS infrastructure that has undergone extensive tuning to work in AWS, see
We occasionally have issues where we are unable to perform MX lookups for what appears to be a perfectly valid domain. I tracked down one such incident yesterday and in this case the authoritative name servers for the domain were deliberately blocking queries (something i confirmed from the NS box using dnstracer). The MX query works fine with the Google 220.127.116.11 resolver or indeed the AWS VPC default resolver (which we cannot rely on, see above).
I can't find a way to monitor for this condition (which manifests as SERVFAIL ultimately). I've read the docs about how Unbound handles probes and backoff, but I don't see any metric exposed that would tell me the domains where this is happening. If I could have a way to get the list of domains that display SERVFAIL, I could write an out-of-band script that attempts to resolve them via alternate paths and adds them to a whitelist config.
Thanks in advance for any suggestions
lead software engineer - sre
tel 877-887-3031 x239
email john.peacock at sparkpost.com<mailto:john.peacock at sparkpost.com>
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Unbound-users