Ability to detect when queries are being blocked at the network level

Mahdi Adnan mahdi.adnan at outlook.com
Thu May 3 15:33:58 UTC 2018

 Im having the same issue here with my servers. several queries fails when using my server's source IP but, Google public DNS return an answer.
my workaround was to forward those queries to using forward domain.
i wonder if there's a way to find what's causing those SERVFAIL.


Mahdi A. Mahdi

From: Unbound-users <unbound-users-bounces at unbound.net> on behalf of John Peacock via Unbound-users <unbound-users at unbound.net>
Sent: Thursday, May 3, 2018 4:07 PM
To: unbound-users at unbound.net
Subject: Ability to detect when queries are being blocked at the network level

We run a robust carrier-grade e-mail service in the cloud and have a dedicated DNS infrastructure that has undergone extensive tuning to work in AWS, see


We occasionally have issues where we are unable to perform MX lookups for what appears to be a perfectly valid domain.  I tracked down one such incident yesterday and in this case the authoritative name servers for the domain were deliberately blocking queries (something i confirmed from the NS box using dnstracer).  The MX query works fine with the Google resolver or indeed the AWS VPC default resolver (which we cannot rely on, see above).

I can't find a way to monitor for this condition (which manifests as SERVFAIL ultimately).  I've read the docs about how Unbound handles probes and backoff, but I don't see any metric exposed that would tell me the domains where this is happening.  If I could have a way to get the list of domains that display SERVFAIL, I could write an out-of-band script that attempts to resolve them via alternate paths and adds them to a whitelist config.

Thanks in advance for any suggestions


lead software engineer - sre

tel 877-887-3031 x239
mobile 240-429-9334
email john.peacock at sparkpost.com<mailto:john.peacock at sparkpost.com>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.nlnetlabs.nl/pipermail/unbound-users/attachments/20180503/35f13ff4/attachment.htm>

More information about the Unbound-users mailing list