Georg Pfuetzenreuter's reply

Petr Menšík pemensik at redhat.com
Sat May 28 12:24:05 UTC 2022


Use unbound-host -rvdD twitterdatadash.com

Add more -d to increase verbosity. It might reveal why its validation is
failing. SERVFAIL usually means validation failure. Or network outage.
Check whether its servers are not in unbound-control dump_infra.

On 5/15/22 06:55, BangDroid via Unbound-users wrote:
> I do have DNSSEC validation enabled, however all tests validate
> successfully.
> When I run
> $ delv twitterdatadash.com
> ;; resolution failed: SERVFAIL
>
> On Sat, 14 May 2022 at 21:30,
> <unbound-users-request at lists.nlnetlabs.nl> wrote:
>
>     ----------------------------------------------------------------------
>
>     Message: 1
>     Date: Sat, 14 May 2022 13:06:26 +0930
>     From: BangDroid <bangdroid.bangas at gmail.com>
>     To: unbound-users at lists.nlnetlabs.nl
>     Subject: Only one domain failing to resolve, unbound pi-hole
>     Message-ID:
>     <CAA3iKSF5pvefZFoQ1n8t_wgYj+rV-Of6eRTXBXur24v2chbQ8A at mail.gmail.com>
>     Content-Type: text/plain; charset="utf-8"
>
>     Kind of pulling my hair out with this one.. The domain
>     twitterdatadash.com will not resolve with unbound recursively. I get
>     SERVFAIL.
>
>     root.hints is up to date, local time on raspi is accurate. No other
>     domains are failing.
>
>     Both dig sigfail.verteiltesysteme.net @127.0.0.1 -p 5335 and dig
>     sigok.verteiltesysteme.net @127.0.0.1 -p 5335 are as expected.
>
>     Switching to an upstream DNS in Pi-hole will get the domain to
>     successfully resolve, as well as using a standard DNS forward-zone in
>     unbound.conf.d/pi-hole.conf:
>
>         forward-zone:
>             name: "."
>             forward-addr: 8.8.8.8
>
>     However, if I use a DoT forward zone (because suspected possible? DNS
>     hijacking by ISP):
>
>         tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt
>         forward-zone:
>             name: "."
>             forward-addr: 1.1.1.1@853#cloudflare-dns.com
>             forward-addr: 1.0.0.1@853#cloudflare-dns.com
>             forward-ssl-upstream: yes
>
>     Everything works exactly as expected, including https://1.1.1.1/help
>     **except** twitterdatadash.com remains SERVFAIL.
>
>     Paste of dig outputs with various unbound configurations:
>     https://pastebin.com/k1LtjzHB
>
>     pi-hole.conf: https://pastebin.com/szLmcNFj
>
>     unbound logs grepped with "twitterdatadash":
>
>     'default' pihole.conf : https://pastebin.com/JmgUDSRv
>
>     with DoT: https://pastebin.com/k3UgdZD4
>
>     Accessing that domain is not crucial by any means, I am only concerned it
>     may be indicative of a bigger issue. It seems like there must be an issue
>     with my configuration somewhere, but every test I run appears to indicate
>     no issue. Is it possible the issue is not my end? Anyone have any ideas?
>
>     ------------------------------
>
>     Message: 2
>     Date: Sat, 14 May 2022 09:27:17 +0200
>     From: Georg Pfuetzenreuter <georg at syscid.com>
>     To: unbound-users at lists.nlnetlabs.nl
>     Subject: Re: Only one domain failing to resolve, unbound pi-hole
>     Message-ID: <8b3813a3-5677-4011-1eac-c6921dd9e291 at syscid.com>
>     Content-Type: text/plain; charset=UTF-8; format=flowed
>
>     Maybe you have DNSSEC validation enabled?
>
>     $ delv twitterdatadash.com
>     ; unsigned answer
>     twitterdatadash.com.    7200    IN      A       34.96.91.68
>
>
>     On 5/14/22 05:36, BangDroid via Unbound-users wrote:
>     > Kind of pulling my hair out with this one.. The domain
>     > twitterdatadash.com will not resolve with
>     > unbound recursively. I get SERVFAIL.
>     >
>     > root.hints is up to date, local time on raspi is accurate. No other
>     > domains are failing.
>     >
>     > Both dig sigfail.verteiltesysteme.net @127.0.0.1 -p
>     > 5335 and dig sigok.verteiltesysteme.net @127.0.0.1 -p
>     > 5335 are as expected.
>     >
>     > Switching to an upstream DNS in Pi-hole will get the domain to
>     > successfully resolve, as well as using a standard DNS forward-zone in
>     > unbound.conf.d/pi-hole.conf:
>     >
>     >     forward-zone:
>     >         name: "."
>     >         forward-addr: 8.8.8.8
>     >
>     > However, if I use a DoT forward zone (because suspected possible? DNS
>     > hijacking by ISP):
>     >
>     >     tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt
>     >     forward-zone:
>     >         name: "."
>     >         forward-addr: 1.1.1.1@853#cloudflare-dns.com
>     >         forward-addr: 1.0.0.1@853#cloudflare-dns.com
>     >         forward-ssl-upstream: yes
>     >
>     > Everything works exactly as expected, including https://1.1.1.1/help
>     > **except** twitterdatadash.com remains SERVFAIL.
>     >
>     > Paste of dig outputs with various unbound configurations:
>     > https://pastebin.com/k1LtjzHB
>     >
>     > pi-hole.conf: https://pastebin.com/szLmcNFj
>     >
>     > unbound logs grepped with "twitterdatadash":
>     >
>     > 'default' pihole.conf : https://pastebin.com/JmgUDSRv
>     >
>     > with DoT: https://pastebin.com/k3UgdZD4
>     >
>     > Accessing that domain is not crucial by any means, I am only concerned
>     > it may be indicative of a bigger issue. It seems like there must be an
>     > issue with my configuration somewhere, but every test I run appears to
>     > indicate no issue. Is it possible the issue is not my end? Anyone have
>     > any ideas?
>
-- 
Petr Menšík
Software Engineer
Red Hat, http://www.redhat.com/
email: pemensik at redhat.com
PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB
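Petr's triage rule above (SERVFAIL is usually a validation failure, otherwise a network problem) can be checked with one pair of queries: a validating Unbound returns SERVFAIL when its validator rejects the data, but still hands back the unvalidated answer when the query sets the CD (checking disabled) bit, while an upstream or network failure fails both ways. The script below is an added example, not code from this thread or from the Unbound project; it assumes dig is installed and Unbound listening on 127.0.0.1 port 5335 as in the original post, and the function names and the sample dig header lines are my own.

```shell
#!/bin/sh
# Added example, not from the thread: tell a DNSSEC validation failure apart
# from an upstream/network failure. A validating resolver such as Unbound
# answers SERVFAIL when validation fails, but still returns the (unvalidated)
# answer when the query carries the CD (checking disabled) bit. If the +cd
# query also fails, the resolver could not get an answer at all, which points
# at the upstream path rather than at the validator.
# Assumes dig is installed and Unbound listens on 127.0.0.1 port 5335, the
# setup used in the thread.

# Pull the RCODE out of a dig header line read from stdin, e.g.
#   ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 12345
dig_status() {
    sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1
}

# Map the (plain, +cd) status pair to a diagnosis.
classify() {
    plain="$1"
    cdbit="$2"
    if [ "$plain" = "NOERROR" ]; then
        echo "ok"
    elif [ "$plain" = "SERVFAIL" ] && [ "$cdbit" = "NOERROR" ]; then
        echo "validation-failure"      # the validator rejected the answer
    elif [ "$plain" = "SERVFAIL" ] && [ "$cdbit" = "SERVFAIL" ]; then
        echo "upstream-failure"        # no answer even with validation off
    else
        echo "unknown:$plain/$cdbit"
    fi
}

# Run both queries against a resolver and classify the result.
check_domain() {
    name="$1"
    server="${2:-127.0.0.1}"
    port="${3:-5335}"
    plain=$(dig +noall +comments "$name" @"$server" -p "$port" | dig_status)
    cdbit=$(dig +noall +comments +cd "$name" @"$server" -p "$port" | dig_status)
    classify "$plain" "$cdbit"
}

# Constructed dig header lines, used to exercise the parser without a network.
SAMPLE_SERVFAIL=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 12345'
SAMPLE_NOERROR=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12346'

# Usage: sh servfail-triage.sh twitterdatadash.com [server] [port]
if [ -n "${1:-}" ]; then
    check_domain "$@"
fi
```

A NOERROR on the +cd query only tells you that the validator is what rejected the data; it is not a reason to serve that answer to clients. When both queries fail, follow Petr's pointer and look for the domain's name servers in unbound-control dump_infra, where Unbound keeps its per-server timeout and lameness state.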