Georg Pfuetzenreuter's reply

BangDroid bangdroid.bangas at gmail.com
Sun May 15 04:55:33 UTC 2022


I do have DNSSEC validation enabled, however all tests validate
successfully.
When I run
$ delv twitterdatadash.com
;; resolution failed: SERVFAIL

On Sat, 14 May 2022 at 21:30, <unbound-users-request at lists.nlnetlabs.nl>
wrote:

> Message: 1
> Date: Sat, 14 May 2022 13:06:26 +0930
> From: BangDroid <bangdroid.bangas at gmail.com>
> To: unbound-users at lists.nlnetlabs.nl
> Subject: Only one domain failing to resolve, unbound pi-hole
>
> Kind of pulling my hair out with this one.. The domain twitterdatadash.com
> will not resolve with unbound recursively. I get SERVFAIL.
>
> root.hints is up to date, local time on raspi is accurate. No other domains
> are failing.
>
> Both dig sigfail.verteiltesysteme.net @127.0.0.1 -p 5335 and dig
> sigok.verteiltesysteme.net @127.0.0.1 -p 5335 are as expected.
>
> Switching to an upstream DNS in Pi-hole will get the domain to successfully
> resolve, as well as using a standard DNS forward-zone in
> unbound.conf.d/pi-hole.conf:
>
>     forward-zone:
>         name: "."
>         forward-addr: 8.8.8.8
>
> However, if I use a DoT forward zone (because suspected possible? DNS
> hijacking by ISP):
>
>     tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt
>     forward-zone:
>         name: "."
>         forward-addr: 1.1.1.1@853#cloudflare-dns.com
>         forward-addr: 1.0.0.1@853#cloudflare-dns.com
>         forward-ssl-upstream: yes
>
> Everything works exactly as expected, including https://1.1.1.1/help
>  **except** twitterdatadash.com remains SERVFAIL.
>
> Paste of dig outputs with various unbound configurations:
> https://pastebin.com/k1LtjzHB
>
> pi-hole.conf: https://pastebin.com/szLmcNFj
>
> unbound logs grepped with "twitterdatadash":
>
> 'default' pihole.conf : https://pastebin.com/JmgUDSRv
>
> with DoT: https://pastebin.com/k3UgdZD4
>
> Accessing that domain is not crucial by any means, I am only concerned it
> may be indicative of a bigger issue. It seems like there must be an issue
> with my configuration somewhere, but every test I run appears to indicate no
> issue. Is it possible the issue is not my end? Anyone have any ideas?
>
> ------------------------------
>
> Message: 2
> Date: Sat, 14 May 2022 09:27:17 +0200
> From: Georg Pfuetzenreuter <georg at syscid.com>
> To: unbound-users at lists.nlnetlabs.nl
> Subject: Re: Only one domain failing to resolve, unbound pi-hole
>
> Maybe you have DNSSEC validation enabled?
>
> $ delv twitterdatadash.com
> ; unsigned answer
> twitterdatadash.com.    7200    IN      A       34.96.91.68
>
>
>
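
An added example, not part of the original thread: one way to tell whether a SERVFAIL like the one discussed above comes from DNSSEC validation is to repeat the query with dig's `+cd` (checking disabled) flag and compare the two results. The function names and the sample dig header lines below are constructed for illustration.

```shell
#!/usr/bin/env bash
# Classify a resolver failure from two dig outputs for the same name:
# one normal query and one sent with +cd (DNSSEC checking disabled).

# Extract the RCODE ("status:") from dig's header line.
dig_status() {
  printf '%s\n' "$1" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1
}

# Succeed if the "ad" (authenticated data) flag is set in dig's flags line.
dig_has_ad() {
  printf '%s\n' "$1" | grep -Eq '^;; flags:[^;]* ad[ ;]'
}

# classify NORMAL_OUTPUT CD_OUTPUT -> prints one verdict word (a heuristic).
classify() {
  local normal with_cd
  normal=$(dig_status "$1")
  with_cd=$(dig_status "$2")
  if [ "$normal" = "NOERROR" ]; then
    if dig_has_ad "$1"; then echo "validated"; else echo "insecure-or-unvalidated"; fi
  elif [ "$normal" = "SERVFAIL" ] && [ "$with_cd" = "NOERROR" ]; then
    echo "dnssec-validation-failure"      # data exists, the validator rejected it
  elif [ "$normal" = "SERVFAIL" ] && [ "$with_cd" = "SERVFAIL" ]; then
    echo "not-dnssec-resolution-failure"  # fails even without validation
  else
    echo "other:$normal/$with_cd"
  fi
}

# Constructed sample outputs (header and flags lines only), not the thread's pastes.
SERVFAIL_OUT=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4660
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'
CD_OK_OUT=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4661
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'
SECURE_OUT=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4662
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'

# Live use against a local unbound on port 5335 (example.com is a placeholder):
#   classify "$(dig example.com @127.0.0.1 -p 5335)" \
#            "$(dig +cd example.com @127.0.0.1 -p 5335)"
classify "$SERVFAIL_OUT" "$CD_OK_OUT"
classify "$SERVFAIL_OUT" "$SERVFAIL_OUT"
classify "$SECURE_OUT" "$SECURE_OUT"
```

A SERVFAIL that persists with `+cd` points away from DNSSEC validation and toward the path to the authoritative or upstream servers.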