unbound unstable?

johnpoz

@david_moo did you disable dnssec for some specific reason - your not forwarding.. So not sure why you would have that off, unless you had disabled it in an attempt and fixing the issue?

david_moo

@johnpoz

Yes it was disabled in the past to try and fix the issue.
I have reenabled it.

johnpoz

@david_moo so since you disabled dhcp hows it working?

david_moo

@johnpoz

I would say no change:
It does find some websites, but not zoom?

david@iMac ~ % sudo dscacheutil -flushcache; sudo killall -HUP mDNSResponder
david@iMac ~ % nslookup zoom.us
Server:		192.168.9.1
Address:	192.168.9.1#53

** server can't find zoom.us: SERVFAIL

The unbound server doesn't seem to be restarting (looking at the end of the log).
log2.txt

johnpoz

@david_moo well if you can not find something specific.. try doing a trace and see where your failing.. I am not having any issues resolving that.

But when you resolve - its possible your having a hard time talking to the authoritative NS for that domain.

I set it not to do dnssec in the trace - so its easier to read.

[21.05.2-RELEASE][admin@sg4860.local.lan]/root: dig zoom.us +trace +nodnssec

; <<>> DiG 9.16.16 <<>> zoom.us +trace +nodnssec
;; global options: +cmd
.                       72211   IN      NS      i.root-servers.net.
.                       72211   IN      NS      j.root-servers.net.
.                       72211   IN      NS      k.root-servers.net.
.                       72211   IN      NS      l.root-servers.net.
.                       72211   IN      NS      m.root-servers.net.
.                       72211   IN      NS      a.root-servers.net.
.                       72211   IN      NS      b.root-servers.net.
.                       72211   IN      NS      c.root-servers.net.
.                       72211   IN      NS      d.root-servers.net.
.                       72211   IN      NS      e.root-servers.net.
.                       72211   IN      NS      f.root-servers.net.
.                       72211   IN      NS      g.root-servers.net.
.                       72211   IN      NS      h.root-servers.net.
;; Received 239 bytes from 127.0.0.1#53(127.0.0.1) in 0 ms

us.                     172800  IN      NS      b.cctld.us.
us.                     172800  IN      NS      f.cctld.us.
us.                     172800  IN      NS      k.cctld.us.
us.                     172800  IN      NS      w.cctld.us.
us.                     172800  IN      NS      x.cctld.us.
us.                     172800  IN      NS      y.cctld.us.
;; Received 402 bytes from 192.203.230.10#53(e.root-servers.net) in 13 ms

zoom.us.                7200    IN      NS      ns-1137.awsdns-14.org.
zoom.us.                7200    IN      NS      ns-1772.awsdns-29.co.uk.
zoom.us.                7200    IN      NS      ns-387.awsdns-48.com.
zoom.us.                7200    IN      NS      ns-888.awsdns-47.net.
;; Received 176 bytes from 2001:dcd:1::15#53(w.cctld.us) in 33 ms

zoom.us.                60      IN      A       170.114.10.71
zoom.us.                172800  IN      NS      ns-1137.awsdns-14.org.
zoom.us.                172800  IN      NS      ns-1772.awsdns-29.co.uk.
zoom.us.                172800  IN      NS      ns-387.awsdns-48.com.
zoom.us.                172800  IN      NS      ns-888.awsdns-47.net.
;; Received 192 bytes from 2600:9000:5303:7800::1#53(ns-888.awsdns-47.net) in 54 ms

[21.05.2-RELEASE][admin@sg4860.local.lan]/root: 

Does your trace work from pfsense?

david_moo

@johnpoz

Works from pfsense shell and not from desktop's.

From

[21.05.2-RELEASE][root@pfsense]/root: dig zoom.us +trace +nodnssec

; <<>> DiG 9.16.16 <<>> zoom.us +trace +nodnssec
;; global options: +cmd
.			81920	IN	NS	b.root-servers.net.
.			81920	IN	NS	m.root-servers.net.
.			81920	IN	NS	h.root-servers.net.
.			81920	IN	NS	e.root-servers.net.
.			81920	IN	NS	l.root-servers.net.
.			81920	IN	NS	d.root-servers.net.
.			81920	IN	NS	j.root-servers.net.
.			81920	IN	NS	f.root-servers.net.
.			81920	IN	NS	g.root-servers.net.
.			81920	IN	NS	a.root-servers.net.
.			81920	IN	NS	i.root-servers.net.
.			81920	IN	NS	c.root-servers.net.
.			81920	IN	NS	k.root-servers.net.
;; Received 239 bytes from 127.0.0.1#53(127.0.0.1) in 0 ms

us.			172800	IN	NS	y.cctld.us.
us.			172800	IN	NS	b.cctld.us.
us.			172800	IN	NS	w.cctld.us.
us.			172800	IN	NS	f.cctld.us.
us.			172800	IN	NS	k.cctld.us.
us.			172800	IN	NS	x.cctld.us.
;; Received 432 bytes from 192.112.36.4#53(g.root-servers.net) in 55 ms

zoom.us.		7200	IN	NS	ns-1137.awsdns-14.org.
zoom.us.		7200	IN	NS	ns-387.awsdns-48.com.
zoom.us.		7200	IN	NS	ns-888.awsdns-47.net.
zoom.us.		7200	IN	NS	ns-1772.awsdns-29.co.uk.
;; Received 176 bytes from 37.209.192.15#53(w.cctld.us) in 38 ms

zoom.us.		60	IN	A	170.114.10.80
zoom.us.		172800	IN	NS	ns-1137.awsdns-14.org.
zoom.us.		172800	IN	NS	ns-1772.awsdns-29.co.uk.
zoom.us.		172800	IN	NS	ns-387.awsdns-48.com.
zoom.us.		172800	IN	NS	ns-888.awsdns-47.net.
;; Received 192 bytes from 205.251.195.120#53(ns-888.awsdns-47.net) in 34 ms

[21.05.2-RELEASE][root@pfsense]/root:

From Desktop:

david@iMac ~ % dig zoom.us +trace +nodnssec

; <<>> DiG 9.10.6 <<>> zoom.us +trace +nodnssec
;; global options: +cmd
;; Received 17 bytes from 192.168.9.1#53(192.168.9.1) in 0 ms

david@iMac ~ %

johnpoz

@david_moo just try dig zoom.us

ServFail is something else going wrong, and not specific wrong with NS resolving - it could be lots of things that are going wrong.

david_moo

@johnpoz

Works from pfsense, and linux boxes. Fails from MacOS boxes (I tried 2). Works from MacOS boxes if I spec another DNS server.

david@iMac Desktop % dig zoom.us +trace +nodnssec

; <<>> DiG 9.10.6 <<>> zoom.us +trace +nodnssec
;; global options: +cmd
;; Received 17 bytes from 192.168.9.1#53(192.168.9.1) in 0 ms

david@iMac Desktop % dig @8.8.8.8 +trace +nodnssec zoom.us

; <<>> DiG 9.10.6 <<>> @8.8.8.8 +trace +nodnssec zoom.us
; (1 server found)
;; global options: +cmd
.			34761	IN	NS	b.root-servers.net.
.			34761	IN	NS	f.root-servers.net.
.			34761	IN	NS	k.root-servers.net.
.			34761	IN	NS	a.root-servers.net.
.			34761	IN	NS	d.root-servers.net.
.			34761	IN	NS	j.root-servers.net.
.			34761	IN	NS	l.root-servers.net.
.			34761	IN	NS	g.root-servers.net.
.			34761	IN	NS	c.root-servers.net.
.			34761	IN	NS	e.root-servers.net.
.			34761	IN	NS	h.root-servers.net.
.			34761	IN	NS	i.root-servers.net.
.			34761	IN	NS	m.root-servers.net.
;; Received 239 bytes from 8.8.8.8#53(8.8.8.8) in 23 ms

us.			172800	IN	NS	f.cctld.us.
us.			172800	IN	NS	y.cctld.us.
us.			172800	IN	NS	w.cctld.us.
us.			172800	IN	NS	x.cctld.us.
us.			172800	IN	NS	b.cctld.us.
us.			172800	IN	NS	k.cctld.us.
;; Received 404 bytes from 193.0.14.129#53(k.root-servers.net) in 58 ms

zoom.us.		7200	IN	NS	ns-387.awsdns-48.com.
zoom.us.		7200	IN	NS	ns-1137.awsdns-14.org.
zoom.us.		7200	IN	NS	ns-888.awsdns-47.net.
zoom.us.		7200	IN	NS	ns-1772.awsdns-29.co.uk.
;; Received 176 bytes from 37.209.192.15#53(w.cctld.us) in 39 ms

zoom.us.		60	IN	A	170.114.10.75
zoom.us.		172800	IN	NS	ns-1137.awsdns-14.org.
zoom.us.		172800	IN	NS	ns-1772.awsdns-29.co.uk.
zoom.us.		172800	IN	NS	ns-387.awsdns-48.com.
zoom.us.		172800	IN	NS	ns-888.awsdns-47.net.
;; Received 192 bytes from 205.251.198.236#53(ns-1772.awsdns-29.co.uk) in 24 ms

johnpoz

@david_moo what does the imac say when just dig zoom.us

its says servfail?

what about www.zoom.us, which is just the cname that points to zoom.us

david_moo

@johnpoz

same

david@iMac Desktop % dig www.zoom.us +trace

; <<>> DiG 9.10.6 <<>> www.zoom.us +trace
;; global options: +cmd
;; Received 17 bytes from 192.168.9.1#53(192.168.9.1) in 0 ms

but remove the trace and all is ok? MacOS trace issue?

david@iMac Desktop % dig www.zoom.us  +nodnssec

; <<>> DiG 9.10.6 <<>> www.zoom.us +nodnssec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34020
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;www.zoom.us.			IN	A

;; ANSWER SECTION:
www.zoom.us.		231	IN	CNAME	zoom.us.
zoom.us.		60	IN	A	170.114.10.74

;; Query time: 23 msec
;; SERVER: 192.168.9.1#53(192.168.9.1)
;; WHEN: Mon Jan 31 16:24:26 AST 2022
;; MSG SIZE  rcvd: 70

johnpoz

@david_moo what does it do with just

dig zoom.us

before you got a servfail? Is that still happening?

david_moo

@johnpoz

No it's working.

david@iMac Desktop % dig zoom.us

; <<>> DiG 9.10.6 <<>> zoom.us
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37066
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;zoom.us.			IN	A

;; ANSWER SECTION:
zoom.us.		60	IN	A	170.114.10.77

;; Query time: 23 msec
;; SERVER: 192.168.9.1#53(192.168.9.1)
;; WHEN: Mon Jan 31 17:20:38 AST 2022
;; MSG SIZE  rcvd: 52

so in theory everything is ok.

johnpoz

@david_moo yeah sure looks like it to me.. Servfails can be tricky sometimes to track down - its an error, but its very vague ;) Going forward there with newer versions of dns clients and servers be possible to get a rcode back via ede that will give you clue to why exactly it failed, etc.

https://www.iana.org/assignments/dns-parameters/dns-parameters.xhtml#dns-parameters-6

edns and the ede can provide lots of info to what is going on, what went wrong, etc.

david_moo

@johnpoz

Awsome. Nice RFC should help things when implemented.

johnpoz

@david_moo here is prob easier to read with info

https://tools.ietf.org/id/draft-ietf-dnsop-extended-error-11.html

I think I saw somewhere while back cloudflare was starting to provide EDE codes.. Let me see if can find that article

edit: here you go
https://blog.cloudflare.com/unwrap-the-servfail/

in the days of just asking your ISP dns, it either worked or it didn't asking for something. But when you start to run your own actual resolver like unbound does out of the box.. Sometimes you need to get a bit deeper into the weeds on why something specific isn't working.. Servfail is just a catch all that doesn't really give you even hint to what is wrong ;) Other than what you asked for failed ;)