1000s of "SERVFAIL . . . service.arpa" messages

Yorgos Thessalonikefs yorgos at nlnetlabs.nl
Tue Jan 14 14:41:05 UTC 2025


Hi Jon,

We will probably include this in the future.
For now you can configure your current Unbound to have the same behavior 
as with home.arpa with:

local-zone: "service.arpa." static
local-data: "service.arpa. 10800 IN NS localhost."
local-data: "service.arpa. 10800 IN SOA localhost. nobody.invalid. 1 3600 1200 604800 10800"

which is the default content for home.arpa taken from the manpage
(https://unbound.docs.nlnetlabs.nl/en/latest/manpages/unbound.conf.html#unbound-conf-local-zone); 
further down where it notes the default local zones.

Best regards,
-- Yorgos

On 10/01/2025 20:21, Jon Murphy via Unbound-users wrote:
> Hello,
> 
> Happy new year everyone!
> 
> Since the beginning of October 2024 I have been seeing lots of these messages:
> 
> ```
> Oct  2 17:53:31 ipfire unbound: [15153:0] error: SERVFAIL <default.service.arpa. SOA IN>: all the configured stub or forward servers failed, at zone . from 149.112.112.112 got SERVFAIL
> Oct  2 17:53:31 ipfire unbound: [15153:0] error: SERVFAIL <service.arpa. SOA IN>: all the configured stub or forward servers failed, at zone . from 149.112.112.11 got SERVFAIL
> Oct  2 17:53:32 ipfire unbound: [15153:0] error: SERVFAIL <_matter._tcp.default.service.arpa. PTR IN>: all the configured stub or forward servers failed, at zone . from 9.9.9.11 got SERVFAIL
> Oct  2 17:53:40 ipfire unbound: [15153:0] error: SERVFAIL <_L1234._sub._matterc._udp.default.service.arpa. SOA IN>: all the configured stub or forward servers failed, at zone . from 149.112.112.11 got SERVFAIL
> Oct  2 17:53:41 ipfire unbound: [15153:0] error: SERVFAIL <_sub._matterc._udp.default.service.arpa. SOA IN>: all the configured stub or forward servers failed, at zone . from 9.9.9.11 got SERVFAIL
> Oct  2 17:53:41 ipfire unbound: [15153:0] error: SERVFAIL <_matterc._udp.default.service.arpa. SOA IN>: all the configured stub or forward servers failed, at zone . from 149.112.112.112 got SERVFAIL
> Oct  2 17:53:42 ipfire unbound: [15153:0] error: SERVFAIL <_udp.default.service.arpa. SOA IN>: all the configured stub or forward servers failed, at zone . from 149.112.112.11 got SERVFAIL
> Oct  2 17:53:42 ipfire unbound: [15153:0] error: SERVFAIL <_1234._sub._matterc._udp.default.service.arpa. PTR IN>: all the configured stub or forward servers failed, at zone . from 9.9.9.11 got SERVFAIL
> Oct  2 17:53:52 ipfire unbound: [15153:0] error: SERVFAIL <1234567890123456-1234567890123456._matter._tcp.default.service.arpa. SRV IN>: all the configured stub or forward servers failed, at zone . from 149.112.112.112 got SERVFAIL
> Oct  2 17:53:52 ipfire unbound: [15153:0] error: SERVFAIL <1234567890123456-1234567890123456._matter._tcp.default.service.arpa. TXT IN>: all the configured stub or forward servers failed, at zone . from 149.112.112.112 got SERVFAIL
> ```
> 
> There are 1000s of these messages "SERVFAIL . . . service.arpa" every week and 144,028 messages since Oct 2, 2024.  Best I can tell, these are all local DNS lookups and they are failing an external DNS lookup for "service.arpa".
> 
> This happens with unbound 1.21.0 and persists with unbound 1.22.0.
> 
> And I believe this is related to this:
> https://datatracker.ietf.org/doc/html/draft-ietf-dnssd-srp-25#section-10.1
> 
> 
> So my ask, to stop "service.arpa" from escaping my local network, can "service.arpa" be added to the unbound code as a Special Use Domain Name similar to "home.arpa"?
> 
> 
> Best regards,
> Jon
> 
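
Added example, not part of the original messages and not NLnet Labs code: a Python script that reads Unbound SERVFAIL log lines in the format quoted above and counts the queries for local-only zones that were sent to an upstream forwarder. The function names, the inclusion of home.arpa in the zone list, and the sample log lines (hostname "gw", documentation IP addresses) are constructed for illustration.

```python
import re
from collections import Counter

# Zones that should be answered locally and never forwarded (assumed list):
# service.arpa is the zone from this thread, home.arpa the existing default.
LOCAL_ONLY_ZONES = ("service.arpa.", "home.arpa.")

# Line format as seen in the quoted log excerpt.
SERVFAIL_RE = re.compile(
    r"unbound: \[\d+:\d+\] error: SERVFAIL <(?P<qname>\S+) (?P<qtype>\S+) \S+>: "
    r".* from (?P<upstream>\S+) got SERVFAIL"
)

def local_zone_of(qname):
    """Return the local-only zone that qname falls under, or None.
    Matching is on whole labels: 'notservice.arpa.' is not in 'service.arpa.'."""
    name = qname.lower().rstrip(".") + "."
    for zone in LOCAL_ONLY_ZONES:
        if name == zone or name.endswith("." + zone):
            return zone
    return None

def summarize_leaks(lines):
    """Count forwarded local-only queries per zone, upstream server and qtype."""
    counts = {"zone": Counter(), "upstream": Counter(), "qtype": Counter()}
    for line in lines:
        m = SERVFAIL_RE.search(line)
        zone = local_zone_of(m.group("qname")) if m else None
        if zone is None:
            continue  # not a SERVFAIL line, or not a local-only name
        counts["zone"][zone] += 1
        counts["upstream"][m.group("upstream")] += 1
        counts["qtype"][m.group("qtype")] += 1
    return counts

# Constructed sample input (not taken from the thread).
PREFIX = "Jan 14 10:00:01 gw unbound: [1234:0] error: SERVFAIL "
TAIL = ": all the configured stub or forward servers failed, at zone . from {} got SERVFAIL"
SAMPLE_LOG = [
    PREFIX + "<_matter._tcp.default.service.arpa. PTR IN>" + TAIL.format("192.0.2.53"),
    PREFIX + "<service.arpa. SOA IN>" + TAIL.format("192.0.2.53"),
    PREFIX + "<printer.home.arpa. A IN>" + TAIL.format("198.51.100.53"),
    PREFIX + "<notservice.arpa. A IN>" + TAIL.format("192.0.2.53"),   # label boundary
    PREFIX + "<example.com. A IN>" + TAIL.format("198.51.100.53"),    # ordinary name
    "Jan 14 10:00:02 gw unbound: [1234:0] info: service stopped",     # unrelated line
]

if __name__ == "__main__":
    for key, counter in summarize_leaks(SAMPLE_LOG).items():
        print(key, dict(counter))
```

Run over the log before and after adding the local-zone lines: once Unbound answers service.arpa locally those queries are no longer forwarded, so new entries for that zone should stop appearing.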


