Only one domain failing to resolve, unbound pi-hole
Georg Pfuetzenreuter
georg at syscid.com
Sat May 14 07:27:17 UTC 2022
Maybe you have DNSSEC validation enabled?
$ delv twitterdatadash.com
; unsigned answer
twitterdatadash.com. 7200 IN A 34.96.91.68
On 5/14/22 05:36, BangDroid via Unbound-users wrote:
> Kind of pulling my hair out with this one.. The domain
> twitterdatadash.com will not resolve with
> unbound recursively. I get SERVFAIL.
>
> root.hints is up to date, local time on raspi is accurate. No other
> domains are failing.
>
> Both dig sigfail.verteiltesysteme.net @127.0.0.1 -p 5335 and
> dig sigok.verteiltesysteme.net @127.0.0.1 -p 5335 are as expected.
>
> Switching to an upstream DNS in Pi-hole will get the domain to
> successfully resolve, as well as using a standard DNS forward-zone in
> unbound.conf.d/pi-hole.conf:
>
> forward-zone:
> name: "."
> forward-addr: 8.8.8.8
>
> However, if I use a DoT forward zone (because suspected possible? DNS
> hijacking by ISP):
>
> tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt
> forward-zone:
> name: "."
> forward-addr: 1.1.1.1@853#cloudflare-dns.com
> forward-addr: 1.0.0.1@853#cloudflare-dns.com
> forward-ssl-upstream: yes
>
> Everything works exactly as expected, including https://1.1.1.1/help
> **except** twitterdatadash.com remains SERVFAIL.
>
> Paste of dig outputs with various unbound configurations:
> https://pastebin.com/k1LtjzHB
>
> pi-hole.conf: https://pastebin.com/szLmcNFj
>
> unbound logs grepped with "twitterdatadash":
>
> 'default' pihole.conf: https://pastebin.com/JmgUDSRv
>
> with DoT: https://pastebin.com/k3UgdZD4
>
> Accessing that domain is not crucial by any means, I am only concerned
> it may be indicative of a bigger issue. It seems like there must be an
> issue with my configuration somewhere, but every test I run appears to
> indicate no issue. Is it possible the issue is not my end? Anyone have
> any ideas?
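
One way to test the question raised in the reply, whether DNSSEC validation is what turns the answer into SERVFAIL, is to repeat the query with the CD (checking disabled) bit set and compare the response codes. The script below is an added example, not part of the original messages: the function names and the sample dig headers are constructed, and `probe` assumes the poster's resolver at 127.0.0.1 port 5335.

```shell
#!/bin/sh
# Added example: separate a DNSSEC validation failure from a plain
# resolution failure by comparing a normal query with a +cd query.

# Read dig output on stdin, print the rcode from the ->>HEADER<<- line.
dig_status() {
    sed -n 's/.*->>HEADER<<-.*status: \([A-Z]*\),.*/\1/p' | head -n 1
}

# classify <dig output> <dig +cd output>
classify() {
    normal=$(printf '%s\n' "$1" | dig_status)
    nocheck=$(printf '%s\n' "$2" | dig_status)
    case "$normal/$nocheck" in
        # Fails only while the resolver validates: the data is bogus.
        SERVFAIL/NOERROR)  echo "validation-failure" ;;
        # Fails even with checking disabled: the resolver cannot get an
        # answer at all (unreachable or broken servers, upstream failure).
        SERVFAIL/SERVFAIL) echo "resolution-failure" ;;
        NOERROR/*)         echo "resolves" ;;
        *)                 echo "inconclusive" ;;
    esac
}

# Live use against the resolver from the thread (address and port assumed
# from the post). Not called here so the script runs offline.
probe() {
    classify "$(dig "$1" @127.0.0.1 -p 5335)" \
             "$(dig +cd "$1" @127.0.0.1 -p 5335)"
}

# Constructed sample headers, not captured from the poster's system.
SAMPLE_NORMAL=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4242
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_CD=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4243
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'

classify "$SAMPLE_NORMAL" "$SAMPLE_CD"
```
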