Regular bursts of SERVFAIL when forwarding to major DNS-over-TLS providers

Jason Mann jason.mann at gmail.com
Fri Jun 2 11:26:47 UTC 2023


Hello.

I run an Unbound instance as the resolver for my home network.  It is
configured to forward queries to one of the three big providers of
public DNS (Google, Cloudflare or Quad9) using DNS-over-TLS.

Yesterday I noticed that I'm getting periodic bursts of SERVFAIL from
the upstream servers, and this occurs no matter which of the three
providers I'm using.

Here are some examples of the log entries I'm seeing:

Jun 02 04:28:19 unbound[3372:0] error: SERVFAIL
<lh3.googleusercontent.com. AAAA IN>: all the configured stub or
forward servers failed, at zone . from 2620:fe::fe upstream server
timeout
Jun 02 04:28:19 unbound[3372:1] error: SERVFAIL <www.googleapis.com.
HTTPS IN>: all the configured stub or forward servers failed, at zone
. from 149.112.112.112 upstream server timeout
Jun 02 04:28:19 unbound[3372:0] error: SERVFAIL
<oauth2.googleapis.com. HTTPS IN>: all the configured stub or forward
servers failed, at zone . from 2620:fe::fe upstream server timeout
Jun 02 04:28:19 unbound[3372:1] error: SERVFAIL <docs.google.com. A
IN>: all the configured stub or forward servers failed, at zone . from
149.112.112.112 upstream server timeout
Jun 02 04:28:19 unbound[3372:1] error: SERVFAIL
<oauthaccountmanager.googleapis.com. AAAA IN>: all the configured stub
or forward servers failed, at zone . from 2620:fe::fe upstream server
timeout
Jun 02 04:28:19 unbound[3372:1] error: SERVFAIL
<lh3.googleusercontent.com. HTTPS IN>: all the configured stub or
forward servers failed, at zone . from 2620:fe::fe upstream server
timeout
Jun 02 04:28:19 unbound[3372:0] error: SERVFAIL
<people-pa.googleapis.com. AAAA IN>: all the configured stub or
forward servers failed, at zone . from 9.9.9.9 upstream server timeout
Jun 02 04:28:19 unbound[3372:0] error: SERVFAIL <www.google.com. AAAA
IN>: all the configured stub or forward servers failed, at zone . from
9.9.9.9 upstream server timeout

Jun 02 09:35:27 unbound[3372:1] error: SERVFAIL
<oauth2.googleapis.com. A IN>: all the configured stub or forward
servers failed, at zone . from 149.112.112.112 upstream server timeout
Jun 02 09:35:27 unbound[3372:1] error: SERVFAIL
<oauth2.googleapis.com. HTTPS IN>: all the configured stub or forward
servers failed, at zone . from 149.112.112.112 upstream server timeout
Jun 02 09:35:27 unbound[3372:0] error: SERVFAIL
<people-pa.googleapis.com. HTTPS IN>: all the configured stub or
forward servers failed, at zone . from 9.9.9.9 upstream server timeout
Jun 02 09:35:27 unbound[3372:1] error: SERVFAIL
<people-pa.googleapis.com. A IN>: all the configured stub or forward
servers failed, at zone . from 149.112.112.112 upstream server timeout
Jun 02 09:35:27 unbound[3372:0] error: SERVFAIL
<notifications-pa.googleapis.com. AAAA IN>: all the configured stub or
forward servers failed, at zone . from 149.112.112.112 upstream server
timeout
Jun 02 09:35:27 unbound[3372:0] error: SERVFAIL
<lh3.googleusercontent.com. AAAA IN>: all the configured stub or
forward servers failed, at zone . from 149.112.112.112 upstream server
timeout
Jun 02 09:35:27 unbound[3372:0] error: SERVFAIL <maps.googleapis.com.
AAAA IN>: all the configured stub or forward servers failed, at zone .
from 149.112.112.112 upstream server timeout
Jun 02 09:35:27 unbound[3372:0] error: SERVFAIL <web.facebook.com.
HTTPS IN>: all the configured stub or forward servers failed, at zone
. no server to query nameserver addresses not usable have no
nameserver names
Jun 02 09:35:27 unbound[3372:0] error: SERVFAIL <web.facebook.com.
AAAA IN>: all the configured stub or forward servers failed, at zone .
no server to query nameserver addresses not usable have no nameserver
names
Jun 02 09:35:27 unbound[3372:0] error: SERVFAIL <web.facebook.com. A
IN>: all the configured stub or forward servers failed, at zone . no
server to query nameserver addresses not usable have no nameserver
names
Jun 02 09:35:27 unbound[3372:0] error: SERVFAIL
<edge-mqtt.facebook.com. AAAA IN>: all the configured stub or forward
servers failed, at zone . no server to query nameserver addresses not
usable have no nameserver names
Jun 02 09:35:27 unbound[3372:0] error: SERVFAIL
<edge-mqtt.facebook.com. A IN>: all the configured stub or forward
servers failed, at zone . no server to query nameserver addresses not
usable have no nameserver names
Jun 02 09:35:27 unbound[3372:0] error: SERVFAIL <www.google.com. A
IN>: all the configured stub or forward servers failed, at zone . from
149.112.112.112 upstream server timeout
Jun 02 09:35:27 unbound[3372:1] error: SERVFAIL
<notifications-pa.googleapis.com. HTTPS IN>: all the configured stub
or forward servers failed, at zone . from 149.112.112.112 upstream
server timeout
Jun 02 09:35:27 unbound[3372:0] error: SERVFAIL
<gnpfesdk-pa.googleapis.com. AAAA IN>: all the configured stub or
forward servers failed, at zone . from 149.112.112.112 upstream server
timeout

Jun 02 09:54:50 unbound[3372:0] error: SERVFAIL
<edge-mqtt.facebook.com. A IN>: all the configured stub or forward
servers failed, at zone . from 9.9.9.9 upstream server timeout
Jun 02 09:54:50 unbound[3372:0] error: SERVFAIL <app-measurement.com.
AAAA IN>: all the configured stub or forward servers failed, at zone .
from 9.9.9.9 upstream server timeout

The fact that this is occurring with all three providers suggests to
me that the problem may be at my end.  Can anyone advise on how I
might go about debugging this?

The forwarding part of my unbound configuration is as follows:

# Forward all other queries to these upstream servers
forward-zone:
        name: "."
        #forward-addr: 1.1.1.1
        #forward-addr: 1.0.0.1

        forward-tls-upstream: yes

        # Google Public DNS
        # (no "#authname" after the port: Unbound encrypts but does not
        # verify the server certificate against a name for these)
        #forward-addr: 8.8.8.8@853
        #forward-addr: 8.8.4.4@853
        #forward-addr: 2001:4860:4860::8888@853
        #forward-addr: 2001:4860:4860::8844@853

        # CloudFlare 1.1.1.1
        #forward-addr: 2606:4700:4700::1111@853#cloudflare-dns.com
        #forward-addr: 1.1.1.1@853#cloudflare-dns.com
        #forward-addr: 2606:4700:4700::1001@853#cloudflare-dns.com
        #forward-addr: 1.0.0.1@853#cloudflare-dns.com

        # CloudFlare malware blocking
        #forward-addr: 1.1.1.2@853#cloudflare-dns.com
        #forward-addr: 1.0.0.2@853#cloudflare-dns.com
        #forward-addr: 2606:4700:4700::1112@853#cloudflare-dns.com
        #forward-addr: 2606:4700:4700::1002@853#cloudflare-dns.com

        # CloudFlare malware and adult content blocking
        #forward-addr: 1.1.1.3@853#cloudflare-dns.com
        #forward-addr: 1.0.0.3@853#cloudflare-dns.com
        #forward-addr: 2606:4700:4700::1113@853#cloudflare-dns.com
        #forward-addr: 2606:4700:4700::1003@853#cloudflare-dns.com

        # Quad9 with malicious domain blocking
        # (address@port#authname: the TLS certificate is checked against the name)
        forward-addr: 9.9.9.9@853#dns.quad9.net
        forward-addr: 149.112.112.112@853#dns.quad9.net
        forward-addr: 2620:fe::fe@853#dns.quad9.net
        forward-addr: 2620:fe::9@853#dns.quad9.net

Thanks in advance for any advice.

Regards,
Jason
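Added example, not code from the post or from Unbound: a small Python parser for the SERVFAIL lines quoted above that groups them into bursts per second and reason, and lists which forwarder addresses timed out, which is the first thing to establish before looking at the local link or firewall. It assumes the log lines are unwrapped, one entry per line, as journalctl would output them; the embedded sample is a handful of the post's own entries rejoined.

```python
import re
from collections import Counter, defaultdict

# Sample entries copied from the post above and rejoined onto one line each
# (the mail client had wrapped them); a real run would feed in journalctl output.
SAMPLE_LOG = """\
Jun 02 04:28:19 unbound[3372:0] error: SERVFAIL <lh3.googleusercontent.com. AAAA IN>: all the configured stub or forward servers failed, at zone . from 2620:fe::fe upstream server timeout
Jun 02 04:28:19 unbound[3372:1] error: SERVFAIL <www.googleapis.com. HTTPS IN>: all the configured stub or forward servers failed, at zone . from 149.112.112.112 upstream server timeout
Jun 02 09:35:27 unbound[3372:0] error: SERVFAIL <people-pa.googleapis.com. HTTPS IN>: all the configured stub or forward servers failed, at zone . from 9.9.9.9 upstream server timeout
Jun 02 09:35:27 unbound[3372:0] error: SERVFAIL <web.facebook.com. A IN>: all the configured stub or forward servers failed, at zone . no server to query nameserver addresses not usable have no nameserver names
Jun 02 09:54:50 unbound[3372:0] error: SERVFAIL <edge-mqtt.facebook.com. A IN>: all the configured stub or forward servers failed, at zone . from 9.9.9.9 upstream server timeout
"""

# One SERVFAIL line: timestamp, <qname qtype qclass>, zone, optional
# "from <upstream>" and the free-text reason Unbound appended.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) unbound\[[^\]]+\] error: SERVFAIL "
    r"<(?P<qname>\S+) (?P<qtype>\S+) (?P<qclass>\S+)>: .*?at zone (?P<zone>\S+) "
    r"(?:from (?P<upstream>\S+) )?(?P<reason>.*)$"
)

def parse(log_text):
    """Return one dict per SERVFAIL line; non-matching lines are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, log_text.splitlines()) if m]

def bursts(events):
    """Group events by the second they were logged: ts -> Counter of
    (upstream, reason). "-" marks the 'nameserver addresses not usable' case,
    which Unbound logs when none of its forwarder addresses is currently
    usable (it backs off addresses that keep timing out)."""
    by_second = defaultdict(Counter)
    for e in events:
        by_second[e["ts"]][(e["upstream"] or "-", e["reason"])] += 1
    return dict(by_second)

def upstreams_seen(events):
    """Distinct forwarder addresses that timed out. If every configured
    address shows up, the failure is not tied to one resolver IP."""
    return sorted({e["upstream"] for e in events if e["upstream"]})

if __name__ == "__main__":
    ev = parse(SAMPLE_LOG)
    for ts, counts in sorted(bursts(ev).items()):
        print(ts, dict(counts))
    print("upstreams that timed out:", upstreams_seen(ev))
```

Run it against `journalctl -u unbound -o cat` output to see whether the bursts line up with anything else on the host at those seconds (DHCP renewals, link flaps, firewall state resets).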
