Trying to find out why my unbound will not resolve www.startpuntgeldzaken.nl

John Todd jtodd at loligo.com
Wed May 5 21:04:47 UTC 2021 

(disclaimer: I work for Quad9.)

For clarification on this: Quad9 uses both unbound and PowerDNS recursor 
(and on some addresses, BIND) to serve queries so it is somewhat random 
which resolver may receive any particular attempt.  I did however try 
manually to query unbound and PowerDNS recursor separately in our 
infrastructure, and both are able to resolve the domain in question from 
the POP in which my attempts were made, so I suspect this is a transient 
problem.

DNSViz shows nothing horribly wrong 
(https://dnsviz.net/d/www.startpuntgeldzaken.nl/dnssec/) but it is a 
wildcard entry with some minor warnings.  This domain is served 
exclusively by TransIP.

Viktor Dukhovni mentioned in the DNS-OARC chat room today that “I'm 
now seeing poor results for DANE survey lookups of many .NL domains 
hosted by TransIP, with Google sometimes returning REFUSED and overall 
an atypically high SERVFAIL rate.”  His remarks were in reference to 
DoT to auth servers, which Quad9 is currently not using, so I’m not 
sure if those are related issues, but it does seem that there are 
anecdotal problems with .nl domains and TransIP authoritative servers so 
that would be the path you may want to pursue first for additional 
debugging.

JT


On 5 May 2021, at 12:33, Olivier Benghozi via Unbound-users wrote:

> Seems to me that this domain has some transient issues, independent of 
> Unbound:
>
>
>
> % dig www.startpuntgeldzaken.nl @9.9.9.9
>
> ; <<>> DiG 9.10.6 <<>> www.startpuntgeldzaken.nl @9.9.9.9
> ;; global options: +cmd
> ;; connection timed out; no servers could be reached
>
>
>
> % dig www.startpuntgeldzaken.nl @8.8.8.8
>
> ; <<>> DiG 9.10.6 <<>> www.startpuntgeldzaken.nl @8.8.8.8
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 47521
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 512
> ;; QUESTION SECTION:
> ;www.startpuntgeldzaken.nl.	IN	A
>
> ;; Query time: 61 msec
> ;; SERVER: 8.8.8.8#53(8.8.8.8)
> ;; WHEN: Wed May 05 21:29:40 CEST 2021
> ;; MSG SIZE  rcvd: 54
>
>
>
>> Le 5 mai 2021 à 19:03, Gerben Wierda via Unbound-users 
>> <unbound-users at lists.nlnetlabs.nl> a écrit :
>>
>> My unbound 1.12.0 will not resolve www.startpuntgeldzaken.nl 
>> <http://www.startpuntgeldzaken.nl/> but it does resolve most other 
>> domains without a problem
>>
>> May 05 16:54:50 unbound-default[40069:0] info: resolving 
>> www.startpuntgeldzaken.nl <http://www.startpuntgeldzaken.nl/>. A IN
>> May 05 16:54:50 unbound-default[40069:0] info: processQueryTargets: 
>> www.startpuntgeldzaken.nl <http://www.startpuntgeldzaken.nl/>. A IN
>> May 05 16:54:50 unbound-default[40069:0] info: sending query: 
>> www.startpuntgeldzaken.nl. A IN
>> May 05 16:54:50 unbound-default[40069:0] debug: sending to target: 
>> <.> 9.9.9.9#53
>> May 05 16:54:50 unbound-default[40069:0] debug: cache memory 
>> msg=297432 rrset=298522 infra=30866 val=296000
>> May 05 16:54:53 unbound-default[40069:0] debug: tcp error for address 
>> 9.9.9.9 port 53
>> May 05 16:54:53 unbound-default[40069:0] debug: iterator[module 1] 
>> operate: extstate:module_wait_reply event:module_event_noreply
>> May 05 16:54:53 unbound-default[40069:0] info: iterator operate: 
>> query www.startpuntgeldzaken.nl. A IN
>> May 05 16:54:53 unbound-default[40069:0] info: processQueryTargets: 
>> www.startpuntgeldzaken.nl. A IN
>> May 05 16:54:53 unbound-default[40069:0] info: sending query: 
>> www.startpuntgeldzaken.nl. A IN
>> May 05 16:54:53 unbound-default[40069:0] debug: sending to target: 
>> <.> 149.112.112.112#53
>> May 05 16:54:53 unbound-default[40069:0] debug: cache memory 
>> msg=297432 rrset=298522 infra=30866 val=296000
>> May 05 16:54:55 unbound-default[40069:0] info: 192.168.2.66 
>> www.startpuntgeldzaken.nl. A IN
>> May 05 16:54:55 unbound-default[40069:0] debug: cache memory 
>> msg=297432 rrset=298522 infra=30866 val=296000
>>
>> The problem seems to be tcp error, but I have no clue what causes 
>> that error. I could use some help in hunting this down.
>>
>> Note, asking the forwarder directly resolves without problem. So it 
>> is the communication between my unbound and the other resolver.
>>
>> Gerben Wierda (LinkedIn <https://www.linkedin.com/in/gerbenwierda>)
>> R&A Enterprise Architecture <https://ea.rna.nl/> (main site)
>> Book: Chess and the Art of Enterprise Architecture 
>> <https://ea.rna.nl/the-book/>
>> Book: Mastering ArchiMate <https://ea.rna.nl/the-book-edition-iii/>
>>


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.nlnetlabs.nl/pipermail/unbound-users/attachments/20210505/d23e6d61/attachment-0001.htm>

More information about the Unbound-users mailing list