1000s of "SERVFAIL . . . service.arpa" messages

Olivier Benghozi olivier.benghozi at wifirst.fr
Tue Jan 14 15:37:26 UTC 2025 

By the way it looks like
https://www.iana.org/assignments/locally-served-dns-zones/locally-served-dns-zones.xhtml
also includes the zone resolver.arpa [RFC9462] to be served the same way...


Le mar. 14 janv. 2025 à 15:41, Yorgos Thessalonikefs via Unbound-users <
unbound-users at lists.nlnetlabs.nl> a écrit :

> Hi Jon,
>
> We will probably include this in the future.
> For now you can configure your current Unbound to have the same behavior
> as with home.arpa with:
>
> local-zone: "service.arpa." static
> local-data: "service.arpa. 10800 IN NS localhost."
> local-data: "service.arpa. 10800 IN SOA localhost. nobody.invalid. 1
> 3600 1200 604800 10800"
>
> which is the default content for home.arpa taken from the manpage
> (
> https://unbound.docs.nlnetlabs.nl/en/latest/manpages/unbound.conf.html#unbound-conf-local-zone);
>
> further down where it notes the default local zones.
>
> Best regards,
> -- Yorgos
>
> On 10/01/2025 20:21, Jon Murphy via Unbound-users wrote:
> > Hello,
> >
> > Happy new year everyone!
> >
> > Since the beginning of October 2024 I have been seeing lots of these
> messages:
> >
> > ```
> > Oct  2 17:53:31 ipfire unbound: [15153:0] error: SERVFAIL
> <default.service.arpa. SOA IN>: all the configured stub or forward servers
> failed, at zone . from 149.112.112.112 got SERVFAIL
> > Oct  2 17:53:31 ipfire unbound: [15153:0] error: SERVFAIL <service.arpa.
> SOA IN>: all the configured stub or forward servers failed, at zone . from
> 149.112.112.11 got SERVFAIL
> > Oct  2 17:53:32 ipfire unbound: [15153:0] error: SERVFAIL
> <_matter._tcp.default.service.arpa. PTR IN>: all the configured stub or
> forward servers failed, at zone . from 9.9.9.11 got SERVFAIL
> > Oct  2 17:53:40 ipfire unbound: [15153:0] error: SERVFAIL
> <_L1234._sub._matterc._udp.default.service.arpa. SOA IN>: all the
> configured stub or forward servers failed, at zone . from 149.112.112.11
> got SERVFAIL
> > Oct  2 17:53:41 ipfire unbound: [15153:0] error: SERVFAIL
> <_sub._matterc._udp.default.service.arpa. SOA IN>: all the configured stub
> or forward servers failed, at zone . from 9.9.9.11 got SERVFAIL
> > Oct  2 17:53:41 ipfire unbound: [15153:0] error: SERVFAIL
> <_matterc._udp.default.service.arpa. SOA IN>: all the configured stub or
> forward servers failed, at zone . from 149.112.112.112 got SERVFAIL
> > Oct  2 17:53:42 ipfire unbound: [15153:0] error: SERVFAIL
> <_udp.default.service.arpa. SOA IN>: all the configured stub or forward
> servers failed, at zone . from 149.112.112.11 got SERVFAIL
> > Oct  2 17:53:42 ipfire unbound: [15153:0] error: SERVFAIL
> <_1234._sub._matterc._udp.default.service.arpa. PTR IN>: all the configured
> stub or forward servers failed, at zone . from 9.9.9.11 got SERVFAIL
> > Oct  2 17:53:52 ipfire unbound: [15153:0] error: SERVFAIL
> <1234567890123456-1234567890123456._matter._tcp.default.service.arpa. SRV
> IN>: all the configured stub or forward servers failed, at zone . from
> 149.112.112.112 got SERVFAIL
> > Oct  2 17:53:52 ipfire unbound: [15153:0] error: SERVFAIL
> <1234567890123456-1234567890123456._matter._tcp.default.service.arpa. TXT
> IN>: all the configured stub or forward servers failed, at zone . from
> 149.112.112.112 got SERVFAIL
> > ```
> >
> > There are 1000s of these messages "SERVFAIL . . . service.arpa" every
> week and 144,028 messages since Oct 2, 2024.  Best I can these are all
> local DNS lookups and they are failing an external DNS lookup for
> "service.arpa".
> >
> > This happens with unbound 1.21.0 and persists with unbound 1.22.0.
> >
> > And I believe this is related to this:
> >
> https://datatracker.ietf.org/doc/html/draft-ietf-dnssd-srp-25#section-10.1
> >
> >
> > So my ask, to stop "service.arpa" from escaping my local network, can
> "service.arpa" be added to the unbound code as a Special Use Domain Name
> similar to "home.arpa"?
> >
> >
> > Best regards,
> > Jon
> >
>
>

-- 
*Ce message et toutes les pièces jointes (ci-après le "message") sont 
établis à l’intention exclusive des destinataires désignés. Il contient des 
informations confidentielles et pouvant être protégé par le secret 
professionnel. Si vous recevez ce message par erreur, merci d'en avertir 
immédiatement l'expéditeur et de détruire le message. Toute utilisation de 
ce message non conforme à sa destination, toute diffusion ou toute 
publication, totale ou partielle, est interdite, sauf autorisation expresse 
de l'émetteur*
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.nlnetlabs.nl/pipermail/unbound-users/attachments/20250114/e425d704/attachment.htm>

More information about the Unbound-users mailing list