Georg Pfuetzenreuter's reply
Petr Menšík
pemensik at redhat.com
Sat May 28 12:24:05 UTC 2022
Use unbound-host -rvdD twitterdatadash.com
Add more -d to increase verbosity. It might reveal why its validation is
failing. SERVFAIL usually means validation failure. Or network outage.
Check whether its servers are not in unbound-control dump_infra.
On 5/15/22 06:55, BangDroid via Unbound-users wrote:
> I do have DNSSEC validation enabled, however all tests validate
> successfully.
> When I run
> $ delv twitterdatadash.com
> ;; resolution failed: SERVFAIL
>
> On Sat, 14 May 2022 at 21:30,
> <unbound-users-request at lists.nlnetlabs.nl> wrote:
>
>
> Message: 1
> Date: Sat, 14 May 2022 13:06:26 +0930
> From: BangDroid <bangdroid.bangas at gmail.com>
> To: unbound-users at lists.nlnetlabs.nl
> Subject: Only one domain failing to resolve, unbound pi-hole
>
> Kind of pulling my hair out with this one.. The domain
> twitterdatadash.com will not resolve with unbound recursively. I get
> SERVFAIL.
>
> root.hints is up to date, local time on raspi is accurate. No other
> domains are failing.
>
> Both dig sigfail.verteiltesysteme.net @127.0.0.1 -p 5335 and dig
> sigok.verteiltesysteme.net @127.0.0.1 -p 5335 are as expected.
>
> Switching to an upstream DNS in Pi-hole will get the domain to
> successfully resolve, as well as using a standard DNS forward-zone in
> unbound.conf.d/pi-hole.conf:
>
>     forward-zone:
>         name: "."
>         forward-addr: 8.8.8.8
>
> However, if I use a DoT forward zone (because suspected possible? DNS
> hijacking by ISP):
>
>     tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt
>     forward-zone:
>         name: "."
>         forward-addr: 1.1.1.1@853#cloudflare-dns.com
>         forward-addr: 1.0.0.1@853#cloudflare-dns.com
>         forward-ssl-upstream: yes
>
> Everything works exactly as expected, including https://1.1.1.1/help
> **except** twitterdatadash.com remains SERVFAIL.
>
> Paste of dig outputs with various unbound configurations:
> https://pastebin.com/k1LtjzHB
>
> pi-hole.conf: https://pastebin.com/szLmcNFj
>
> unbound logs grepped with "twitterdatadash":
>
> 'default' pihole.conf: https://pastebin.com/JmgUDSRv
>
> with DoT: https://pastebin.com/k3UgdZD4
>
> Accessing that domain is not crucial by any means, I am only concerned it
> may be indicative of a bigger issue. It seems like there must be an issue
> with my configuration somewhere, but every test I run appears to indicate
> no issue. Is it possible the issue is not my end? Anyone have any ideas?
> ------------------------------
>
> Message: 2
> Date: Sat, 14 May 2022 09:27:17 +0200
> From: Georg Pfuetzenreuter <georg at syscid.com>
> To: unbound-users at lists.nlnetlabs.nl
> Subject: Re: Only one domain failing to resolve, unbound pi-hole
>
> Maybe you have DNSSEC validation enabled?
>
> $ delv twitterdatadash.com
> ; unsigned answer
> twitterdatadash.com.    7200    IN    A    34.96.91.68
>
>
>
--
Petr Menšík
Software Engineer
Red Hat, http://www.redhat.com/
email: pemensik at redhat.com
PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB
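Petr's point above, that a SERVFAIL from a validating resolver is either a DNSSEC validation failure or an upstream/network problem, can be separated mechanically: repeat the query with the checking-disabled bit (`dig +cd`), which asks the resolver to return the data without validating it. If the plain query fails but the +cd query succeeds, the records are reachable and it is validation that rejects them; if both fail, the resolver cannot get an answer at all. The script below is an added example, not code from the thread or from the Unbound project. It assumes `dig` is installed and, as in the Pi-hole setup described in the thread, a resolver listening on 127.0.0.1 port 5335; the two sample `dig` header lines inside it are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify a resolver's SERVFAIL as "validation-failure" or
# "upstream-failure" by comparing a normal query with a +cd (checking
# disabled) query. Assumes dig is installed and the resolver defaults to
# 127.0.0.1 port 5335 (the Pi-hole/unbound layout from the thread).

# Pull the rcode out of dig's ";; ->>HEADER<<- ... status: XXX, ..." line.
# $1: full dig output; prints NOERROR, SERVFAIL, NXDOMAIN, ... or UNKNOWN.
dig_status() {
    printf '%s\n' "$1" \
        | sed -n 's/.*status: \([A-Z]*\),.*/\1/p' \
        | head -n 1 \
        | grep . || echo UNKNOWN
}

# $1: status of the normal query, $2: status of the +cd query.
classify() {
    if [ "$1" = "NOERROR" ]; then
        # resolves with validation enabled: nothing to diagnose
        echo "ok"
    elif [ "$1" = "SERVFAIL" ] && [ "$2" = "NOERROR" ]; then
        # data is reachable but the resolver's DNSSEC check rejects it
        echo "validation-failure"
    elif [ "$1" = "SERVFAIL" ] && [ "$2" = "SERVFAIL" ]; then
        # even without validation nothing comes back: network, forwarder
        # or authoritative server problem (compare unbound-control dump_infra)
        echo "upstream-failure"
    else
        echo "other:$1/$2"
    fi
}

# Live check: $1 domain, $2 resolver address (default 127.0.0.1),
# $3 resolver port (default 5335). Short timeouts keep the run bounded.
check_domain() {
    domain=$1
    resolver=${2:-127.0.0.1}
    port=${3:-5335}
    normal=$(dig_status "$(dig +time=3 +tries=1 "$domain" @"$resolver" -p "$port" 2>&1)")
    cdstatus=$(dig_status "$(dig +cd +time=3 +tries=1 "$domain" @"$resolver" -p "$port" 2>&1)")
    echo "$domain: normal=$normal cd=$cdstatus -> $(classify "$normal" "$cdstatus")"
}

# Only query the network when a domain is given on the command line, e.g.
#   sh dnssec-triage.sh twitterdatadash.com 127.0.0.1 5335
if [ $# -gt 0 ]; then
    check_domain "$@"
fi
```

A "validation-failure" result points at the zone's DNSSEC chain (or at stale trust anchors on the resolver), and `unbound-host -rvdD` as Petr suggests will show which signature or DS lookup fails; an "upstream-failure" result means looking at connectivity to the forwarders or at the authoritative servers in `unbound-control dump_infra` first. Note that when a forward-zone is configured, `+cd` is honoured by the local unbound but the forwarder may itself validate, so a SERVFAIL on both queries can still originate from the forwarder's validation.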