Unbound + single localhost nsd starts return SERVFAIL for local names after several minutes of normal work
George (Yorgos) Thessalonikefs
george at nlnetlabs.nl
Wed Apr 5 13:07:35 UTC 2023
Hi Dmitri,
You can increase the verbosity in Unbound to see what is happening from
Unbound's side. A value of 4 will be eloquent but it will log the
information needed.
You can also set that value during runtime with:
unbound-control verbosity 4
You can do this briefly when the SERVFAILs are observed in order to keep
your logfile size manageable.
You could then also try:
unbound-control flush_infra abc.local.
and see if it resolves the issue; this is not a proper solution though.
Best regards,
-- Yorgos
On 31/03/2023 17:44, Dmitri Stepanov via Unbound-users wrote:
> I have two large enough (150-200 hosts) segments of internal network,
> 10.XXX.0.0 and 10.YYY.0.0. They are linked through the Internet; the speed is
> not like local but high enough, about 50Mb/s. I used two authoritative
> bind servers and three (two in one segment, one in the second) recursive
> servers, also bind. For making the bind, unbound and nsd configuration and zone
> files I'm using the hostdb package, so all authoritative and recursive
> servers are generated and distributed at once by hostdb.
> Now I'd like to reconstruct DNS. In place of my three recursive servers
> I've created three combined ones with unbound and nsd, where nsd
> listens locally only, on a separate port.
> This works fine for the first several minutes after reloading unbound, and then for
> local names I get SERVFAIL ("all the configured stub or forward servers
> failed, at zone abc.local"). At the same time, Internet names continue to
> be resolved normally.
> Unbound:
> server:
>     interface: 0.0.0.0
>     do-not-query-localhost: no
> stub-zone:
>     name: "abc.local"
>     stub-addr: 127.0.0.1@5678
> stub-zone:
>     name: "10.in-addr.arpa."
>     stub-addr: 127.0.0.1@5678
> forward-zone:
>     name: "."
>     forward-addr: 8.8.8.8
> I'm not sure which is the source of this problem, unbound or nsd. Nsd
> has no such diagnostic, but dig -p 5678 @127.0.0.1 localname.abc.local
> works fine.
> It is difficult to catch the moment when it starts to SERVFAIL.
> It looks like some resources are running out.
> I've gone back to two separate authoritative servers, so now it is like:
> stub-zone:
>     name: "abc.local"
>     stub-addr: 127.0.0.1@5678
>     stub-addr: ipofauthserver1
>     stub-addr: ipofauthserver2
> Although there are not many hosts within the network, there are
> about 10,000 names in the local DNS zones.
> All my dns servers are OpenBSD 6.5-7.0 64 bit virtual machines which are
> running in several free ESXi 5.5 and 7.3 servers.
> Unbound 1.8.1 — 1.13.2
> Has anybody run into the same situation, where unbound after several
> minutes of normal work stops resolving local names with SERVFAIL if it has
> only one local nsd source of local names?
> I think such a configuration with unbound + nsd on one host is reasonable
> for home users, for example.
> Regards
> Dmitri Stepanov
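As an added example (not part of either message above, and not Unbound's or NSD's own code), the following Python script parses the stub-zone configuration quoted in the thread and flags the two things this discussion turns on: a stub-addr on 127.0.0.1 while do-not-query-localhost is not set to "no" (Unbound's default for that option is "yes", so it would refuse to query the local nsd), and a stub-zone with a single upstream, which is the situation in which one failed server produces the "all the configured stub or forward servers failed" SERVFAIL for the whole zone. The sample configuration is constructed from the quoted mail with the list archive's " at " restored to Unbound's "@port" syntax; the parser is a minimal one for the indented "section:" / "key: value" layout and is an assumption of this example, not a full unbound.conf parser.

```python
"""Audit Unbound stub-zone configuration for the patterns discussed in the
thread: localhost stub servers and zones with a single upstream.

Added example; not code from Unbound, NSD or the thread's participants."""
import re
from typing import Dict, List, Tuple

# Constructed sample: the configuration quoted in the thread, with the
# mailing-list obfuscation "127.0.0.1 at 5678" restored to "127.0.0.1@5678".
SAMPLE_CONF = """\
server:
    interface: 0.0.0.0
    do-not-query-localhost: no
stub-zone:
    name: "abc.local"
    stub-addr: 127.0.0.1@5678
stub-zone:
    name: "10.in-addr.arpa."
    stub-addr: 127.0.0.1@5678
forward-zone:
    name: "."
    forward-addr: 8.8.8.8
"""

Section = Tuple[str, Dict[str, List[str]]]


def parse_unbound_conf(text: str) -> List[Section]:
    """Minimal parser (assumption of this example): a line consisting only of
    'word:' opens a section; 'key: value' lines belong to the open section.
    Comments after '#' are ignored; repeated keys collect into a list."""
    sections: List[Section] = []
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if re.fullmatch(r"[a-z-]+:", line):
            current = (line[:-1], {})
            sections.append(current)
            continue
        if current is None:
            raise ValueError(f"option outside any section: {line!r}")
        key, _, value = line.partition(":")
        current[1].setdefault(key.strip(), []).append(value.strip().strip('"'))
    return sections


def is_localhost(addr: str) -> bool:
    """True for loopback stub-addr values, with or without an '@port' suffix."""
    host = addr.split("@", 1)[0]
    return host == "::1" or host.startswith("127.")


def audit(text: str) -> List[str]:
    """Return a list of human-readable findings for the stub-zones in text."""
    sections = parse_unbound_conf(text)

    # Unbound merges multiple 'server:' clauses; the last value of an option wins.
    server: Dict[str, List[str]] = {}
    for sect, kv in sections:
        if sect == "server":
            for key, values in kv.items():
                server.setdefault(key, []).extend(values)
    # Unbound's documented default for do-not-query-localhost is "yes".
    dnql = server.get("do-not-query-localhost", ["yes"])[-1].lower()

    findings: List[str] = []
    for sect, kv in sections:
        if sect != "stub-zone":
            continue
        zone = kv.get("name", ["<unnamed>"])[0]
        addrs = kv.get("stub-addr", [])
        upstreams = addrs + kv.get("stub-host", [])
        local = [a for a in addrs if is_localhost(a)]
        if local and dnql != "no":
            findings.append(
                f"{zone}: stub-addr {local[0]} is on localhost but "
                "do-not-query-localhost is not 'no'; Unbound will not query it")
        if len(upstreams) == 1:
            findings.append(
                f"{zone}: only one upstream ({upstreams[0]}); if that server is "
                "marked down, every configured stub server has failed and the "
                "zone answers SERVFAIL")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONF):
        print(finding)
```

Running it against the quoted configuration reports both stub-zones as single-upstream, which is exactly what the later change to three stub-addr lines removes; the do-not-query-localhost check fires only when that option is missing or set to "yes".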