Getting SERVFAIL when trying to reach .co.il domains
Gil Levy
just.gil at gmail.com
Fri Jan 1 14:29:30 UTC 2021
Thanks, guys!

I'm running chroot on /etc/unbound.

I followed this guide to compile unbound on my machine:
https://pastebin.com/UUjss5aY

Some initial values there made use of /etc/unbound instead of
/var/log/unbound, so after I compiled unbound-1.13.0, I changed the paths to
point to /var/log/unbound.

The log file user is set to unbound with write permissions, but it seems it's
not aware of its location (?)

The *unbound-checkconf* command is failing as well. It feels like the
solution is not complicated, yet I'm unsure how to fix it or if I should
try to compile all over again.

I'd rather try to fix it, if it's ok to ask for such type of help over this
thread.

pi@raspberrypi:/etc/unbound $ grep chroot unbound.conf
chroot: "/etc/unbound"

pi@raspberrypi:/etc/unbound $ ls -l /var/log/unbound/unbound.log
-rw-r--r-- 1 unbound unbound 5553 Oct 21 00:16 /var/log/unbound/unbound.log

pi@raspberrypi:/etc/unbound $ unbound-checkconf
/etc/unbound/var/log/unbound: No such file or directory
[1609510296] unbound-checkconf[2288:0] fatal error: logfile directory does not exist

pi@raspberrypi:/etc/unbound $ sudo systemctl status unbound
● unbound.service - Unbound DNS resolver
   Loaded: loaded (/lib/systemd/system/unbound.service; enabled; vendor preset: enabled)
   Active: active (running) since Sat 2021-01-02 00:46:44 AEDT; 25min ago
  Process: 457 ExecStartPre=/usr/sbin/unbound-anchor -r /etc/unbound/root.hints -a /etc/unbound/root.key (code=exited, status=0/SUCCESS)
 Main PID: 483 (unbound)
    Tasks: 1 (limit: 2063)
   CGroup: /system.slice/unbound.service
           └─483 /usr/sbin/unbound -c /etc/unbound/unbound.conf -d

Jan 02 00:46:49 raspberrypi unbound[483]: [1609508809] unbound[483:0] error: udp connect failed: Network is unreachable for 199.7.83.42 port 53
Jan 02 00:46:49 raspberrypi unbound[483]: [1609508809] unbound[483:0] error: udp connect failed: Network is unreachable for 198.41.0.4 port 53
Jan 02 00:46:49 raspberrypi unbound[483]: [1609508809] unbound[483:0] error: udp connect failed: Network is unreachable for 199.7.91.13 port 53
Jan 02 00:46:49 raspberrypi unbound[483]: [1609508809] unbound[483:0] error: udp connect failed: Network is unreachable for 198.97.190.53 port 53
Jan 02 00:46:49 raspberrypi unbound[483]: [1609508809] unbound[483:0] error: udp connect failed: Network is unreachable for 199.7.91.13 port 53
Jan 02 00:46:49 raspberrypi unbound[483]: [1609508809] unbound[483:0] error: udp connect failed: Network is unreachable for 193.0.14.129 port 53
Jan 02 00:46:49 raspberrypi unbound[483]: [1609508809] unbound[483:0] error: udp connect failed: Network is unreachable for 199.7.91.13 port 53
Jan 02 00:46:49 raspberrypi unbound[483]: [1609508809] unbound[483:0] error: udp connect failed: Network is unreachable for 192.33.4.12 port 53
Jan 02 00:46:49 raspberrypi unbound[483]: [1609508809] unbound[483:0] error: udp connect failed: Network is unreachable for 192.58.128.30 port 53
Jan 02 00:46:50 raspberrypi unbound[483]: [1609508810] unbound[483:0] info: generate keytag query _ta-4f66. NULL IN

pi@raspberrypi:/etc/unbound $ sudo lsof -i :53
COMMAND   PID   USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
pihole-FT 829 pihole    4u  IPv4  27749      0t0  UDP *:domain
pihole-FT 829 pihole    5u  IPv4  27750      0t0  TCP *:domain (LISTEN)
pihole-FT 829 pihole    6u  IPv6  27751      0t0  UDP *:domain
pihole-FT 829 pihole    7u  IPv6  27752      0t0  TCP *:domain (LISTEN)

On Sat, 2 Jan 2021 at 01:05, Jaap Akkerhuis <jaap at nlnetlabs.nl> wrote:
> Joe Abley via Unbound-users writes:
>
> > On Jan 1, 2021, at 14:15, Gil Levy via Unbound-users <unbound-users at lists.nlnetlabs.nl> wrote:
> >
> > >> Are you running unbound in a chroot(8)?
> > > I don't know how to check that.
> >
> > man chroot
> >
> > for a better description of what chroot does, and how the interpretation of
> > absolute pathnames differs inside and outside the chroot namespace.
> >
> > man man
> >
> > if you're unfamiliar with how manual pages are organised. If you don't have
> > manual pages installed and can't add them as a package, it should not be hard
> > to find collections of manual pages for your particular distribution if you
> > search for them.
> >
> > grep chroot unbound.conf
>
> For a running unbound, do
>
> unbound-control get_option chroot
>
> to get the value it is using.
>
> > seems like a reasonable place to start to find configuration options in your
> > environment that relate to chroot. You might also refer to the unbound
> > documentation to understand the defaults and the specific meaning of individual
> > parameters.
>
> Especially take notice what
>
> man unbound.conf
>
> tells you about the interaction between chroot and absolute path names.
>
> > Another common error is to try and write log files to places where the process
> > generating them does not have the necessary permissions. Determine the
> > user that unbound is running as and check the permissions in the filesystem.
>
> Or the directories are missing after the chroot took place...
>
> jaap
>
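
Added example (not part of the original thread and not Unbound's own code): a small shell helper that applies the chroot path rule described in unbound.conf(5) to show where a configured logfile is actually looked up on the host, using the chroot and logfile values from the message above. The function names effective_path and logdir_exists are hypothetical, and only absolute paths are handled.

```shell
#!/bin/sh
# Added example, not Unbound code. effective_path and logdir_exists are
# hypothetical helper names; only absolute paths are handled.

# effective_path CHROOT PATH
# Prints where PATH from unbound.conf lives on the host filesystem.
effective_path() {
    chroot_dir=${1%/}   # "" means chroot is disabled (chroot: "")
    path=$2

    case $path in
        /*) ;;
        *)  echo "relative path: resolve it against 'directory:' first" >&2
            return 2 ;;
    esac

    if [ -z "$chroot_dir" ]; then
        printf '%s\n' "$path"
        return 0
    fi

    case $path in
        "$chroot_dir"/*)
            # Written from the original root: the chroot prefix is stripped
            # after chroot(2), so the host location is the path as given.
            printf '%s\n' "$path" ;;
        *)
            # Written relative to the new root: it lives below the chroot.
            printf '%s\n' "$chroot_dir$path" ;;
    esac
}

# logdir_exists CHROOT LOGFILE
# Succeeds only if the directory that will hold the log exists on the host.
logdir_exists() {
    target=$(effective_path "$1" "$2") || return 2
    [ -d "$(dirname "$target")" ]
}

# Values from the thread: prints /etc/unbound/var/log/unbound/unbound.log
effective_path /etc/unbound /var/log/unbound/unbound.log
```

The printed directory is the one unbound-checkconf reports as missing; the log written outside the chroot at /var/log/unbound is never consulted while chroot stays enabled.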