Netgate Discussion Forum

    unbound unstable?

      david_moo @johnpoz

      @johnpoz

      Works from pfsense shell and not from desktop's.

      From

      [21.05.2-RELEASE][root@pfsense]/root: dig zoom.us +trace +nodnssec
      
      ; <<>> DiG 9.16.16 <<>> zoom.us +trace +nodnssec
      ;; global options: +cmd
      .			81920	IN	NS	b.root-servers.net.
      .			81920	IN	NS	m.root-servers.net.
      .			81920	IN	NS	h.root-servers.net.
      .			81920	IN	NS	e.root-servers.net.
      .			81920	IN	NS	l.root-servers.net.
      .			81920	IN	NS	d.root-servers.net.
      .			81920	IN	NS	j.root-servers.net.
      .			81920	IN	NS	f.root-servers.net.
      .			81920	IN	NS	g.root-servers.net.
      .			81920	IN	NS	a.root-servers.net.
      .			81920	IN	NS	i.root-servers.net.
      .			81920	IN	NS	c.root-servers.net.
      .			81920	IN	NS	k.root-servers.net.
      ;; Received 239 bytes from 127.0.0.1#53(127.0.0.1) in 0 ms
      
      us.			172800	IN	NS	y.cctld.us.
      us.			172800	IN	NS	b.cctld.us.
      us.			172800	IN	NS	w.cctld.us.
      us.			172800	IN	NS	f.cctld.us.
      us.			172800	IN	NS	k.cctld.us.
      us.			172800	IN	NS	x.cctld.us.
      ;; Received 432 bytes from 192.112.36.4#53(g.root-servers.net) in 55 ms
      
      zoom.us.		7200	IN	NS	ns-1137.awsdns-14.org.
      zoom.us.		7200	IN	NS	ns-387.awsdns-48.com.
      zoom.us.		7200	IN	NS	ns-888.awsdns-47.net.
      zoom.us.		7200	IN	NS	ns-1772.awsdns-29.co.uk.
      ;; Received 176 bytes from 37.209.192.15#53(w.cctld.us) in 38 ms
      
      zoom.us.		60	IN	A	170.114.10.80
      zoom.us.		172800	IN	NS	ns-1137.awsdns-14.org.
      zoom.us.		172800	IN	NS	ns-1772.awsdns-29.co.uk.
      zoom.us.		172800	IN	NS	ns-387.awsdns-48.com.
      zoom.us.		172800	IN	NS	ns-888.awsdns-47.net.
      ;; Received 192 bytes from 205.251.195.120#53(ns-888.awsdns-47.net) in 34 ms
      
      [21.05.2-RELEASE][root@pfsense]/root:
      

      From Desktop:

      david@iMac ~ % dig zoom.us +trace +nodnssec
      
      ; <<>> DiG 9.10.6 <<>> zoom.us +trace +nodnssec
      ;; global options: +cmd
      ;; Received 17 bytes from 192.168.9.1#53(192.168.9.1) in 0 ms
      
      david@iMac ~ %
      
        johnpoz LAYER 8 Global Moderator @david_moo

        @david_moo just try dig zoom.us

        ServFail is something else going wrong, and not specifically wrong with NS resolving - it could be lots of things that are going wrong.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 25.07 | Lab VMs 2.8, 25.07

          david_moo

          @johnpoz

          Works from pfsense, and linux boxes. Fails from MacOS boxes (I tried 2). Works from MacOS boxes if I spec another DNS server.

          david@iMac Desktop % dig zoom.us +trace +nodnssec
          
          ; <<>> DiG 9.10.6 <<>> zoom.us +trace +nodnssec
          ;; global options: +cmd
          ;; Received 17 bytes from 192.168.9.1#53(192.168.9.1) in 0 ms
          
          
          
          
          david@iMac Desktop % dig @8.8.8.8 +trace +nodnssec zoom.us
          
          ; <<>> DiG 9.10.6 <<>> @8.8.8.8 +trace +nodnssec zoom.us
          ; (1 server found)
          ;; global options: +cmd
          .			34761	IN	NS	b.root-servers.net.
          .			34761	IN	NS	f.root-servers.net.
          .			34761	IN	NS	k.root-servers.net.
          .			34761	IN	NS	a.root-servers.net.
          .			34761	IN	NS	d.root-servers.net.
          .			34761	IN	NS	j.root-servers.net.
          .			34761	IN	NS	l.root-servers.net.
          .			34761	IN	NS	g.root-servers.net.
          .			34761	IN	NS	c.root-servers.net.
          .			34761	IN	NS	e.root-servers.net.
          .			34761	IN	NS	h.root-servers.net.
          .			34761	IN	NS	i.root-servers.net.
          .			34761	IN	NS	m.root-servers.net.
          ;; Received 239 bytes from 8.8.8.8#53(8.8.8.8) in 23 ms
          
          us.			172800	IN	NS	f.cctld.us.
          us.			172800	IN	NS	y.cctld.us.
          us.			172800	IN	NS	w.cctld.us.
          us.			172800	IN	NS	x.cctld.us.
          us.			172800	IN	NS	b.cctld.us.
          us.			172800	IN	NS	k.cctld.us.
          ;; Received 404 bytes from 193.0.14.129#53(k.root-servers.net) in 58 ms
          
          zoom.us.		7200	IN	NS	ns-387.awsdns-48.com.
          zoom.us.		7200	IN	NS	ns-1137.awsdns-14.org.
          zoom.us.		7200	IN	NS	ns-888.awsdns-47.net.
          zoom.us.		7200	IN	NS	ns-1772.awsdns-29.co.uk.
          ;; Received 176 bytes from 37.209.192.15#53(w.cctld.us) in 39 ms
          
          zoom.us.		60	IN	A	170.114.10.75
          zoom.us.		172800	IN	NS	ns-1137.awsdns-14.org.
          zoom.us.		172800	IN	NS	ns-1772.awsdns-29.co.uk.
          zoom.us.		172800	IN	NS	ns-387.awsdns-48.com.
          zoom.us.		172800	IN	NS	ns-888.awsdns-47.net.
          ;; Received 192 bytes from 205.251.198.236#53(ns-1772.awsdns-29.co.uk) in 24 ms
          
            johnpoz LAYER 8 Global Moderator @david_moo

            @david_moo what does the imac say when just dig zoom.us

            it says servfail?

            what about www.zoom.us, which is just the cname that points to zoom.us

              david_moo @johnpoz

              @johnpoz

              same

              david@iMac Desktop % dig www.zoom.us +trace
              
              ; <<>> DiG 9.10.6 <<>> www.zoom.us +trace
              ;; global options: +cmd
              ;; Received 17 bytes from 192.168.9.1#53(192.168.9.1) in 0 ms
              

              but remove the trace and all is ok? MacOS trace issue?

              david@iMac Desktop % dig www.zoom.us  +nodnssec
              
              ; <<>> DiG 9.10.6 <<>> www.zoom.us +nodnssec
              ;; global options: +cmd
              ;; Got answer:
              ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34020
              ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
              
              ;; OPT PSEUDOSECTION:
              ; EDNS: version: 0, flags:; udp: 512
              ;; QUESTION SECTION:
              ;www.zoom.us.			IN	A
              
              ;; ANSWER SECTION:
              www.zoom.us.		231	IN	CNAME	zoom.us.
              zoom.us.		60	IN	A	170.114.10.74
              
              ;; Query time: 23 msec
              ;; SERVER: 192.168.9.1#53(192.168.9.1)
              ;; WHEN: Mon Jan 31 16:24:26 AST 2022
              ;; MSG SIZE  rcvd: 70
              
                johnpoz LAYER 8 Global Moderator @david_moo

                @david_moo what does it do with just

                dig zoom.us

                before you got a servfail? Is that still happening?

                  david_moo @johnpoz

                  @johnpoz

                  No it's working.

                  david@iMac Desktop % dig zoom.us
                  
                  ; <<>> DiG 9.10.6 <<>> zoom.us
                  ;; global options: +cmd
                  ;; Got answer:
                  ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37066
                  ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
                  
                  ;; OPT PSEUDOSECTION:
                  ; EDNS: version: 0, flags:; udp: 512
                  ;; QUESTION SECTION:
                  ;zoom.us.			IN	A
                  
                  ;; ANSWER SECTION:
                  zoom.us.		60	IN	A	170.114.10.77
                  
                  ;; Query time: 23 msec
                  ;; SERVER: 192.168.9.1#53(192.168.9.1)
                  ;; WHEN: Mon Jan 31 17:20:38 AST 2022
                  ;; MSG SIZE  rcvd: 52
                  

                  so in theory everything is ok.

                    johnpoz LAYER 8 Global Moderator @david_moo

                    @david_moo yeah sure looks like it to me.. Servfails can be tricky sometimes to track down - it's an error, but it's very vague ;) Going forward, with newer versions of dns clients and servers it will be possible to get a rcode back via ede that will give you a clue to why exactly it failed, etc.

                    https://www.iana.org/assignments/dns-parameters/dns-parameters.xhtml#dns-parameters-6

                    edns and the ede can provide lots of info to what is going on, what went wrong, etc.

                      david_moo @johnpoz

                      @johnpoz

                      Awesome. Nice RFC should help things when implemented.

                        johnpoz LAYER 8 Global Moderator @david_moo

                        @david_moo here is prob easier to read with info

                        https://tools.ietf.org/id/draft-ietf-dnsop-extended-error-11.html

                        I think I saw somewhere while back cloudflare was starting to provide EDE codes.. Let me see if can find that article

                        edit: here you go
                        https://blog.cloudflare.com/unwrap-the-servfail/

                        in the days of just asking your ISP dns, it either worked or it didn't asking for something. But when you start to run your own actual resolver like unbound does out of the box.. Sometimes you need to get a bit deeper into the weeds on why something specific isn't working.. Servfail is just a catch all that doesn't really give you even hint to what is wrong ;) Other than what you asked for failed ;)

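The EDE information discussed in the posts above travels in the EDNS OPT record as option code 15 (RFC 8914): a 2-byte info-code followed by optional free text. As an added example (not from the thread, unbound or pfSense), this Python parser extracts that option from a raw DNS response; the function names, the sample packet and its info-code 22 are constructed for illustration.

```python
import struct

# Subset of the IANA "Extended DNS Error Codes" registry (RFC 8914).
EDE_NAMES = {3: "Stale Answer", 6: "DNSSEC Bogus", 7: "Signature Expired",
             9: "DNSKEY Missing", 22: "No Reachable Authority", 23: "Network Error"}
RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}
OPT_TYPE, EDE_OPTION = 41, 15  # OPT pseudo-RR type; EDNS option code for EDE

def skip_name(msg, pos):
    """Return the offset just past a (possibly compressed) domain name."""
    while msg[pos] != 0:
        if msg[pos] & 0xC0 == 0xC0:   # compression pointer: 2 bytes, ends the name
            return pos + 2
        pos += 1 + msg[pos]
    return pos + 1

def extended_errors(msg):
    """Return (rcode_name, [(info_code, meaning, extra_text), ...])."""
    _id, flags, qd, an, ns, ar = struct.unpack_from("!6H", msg, 0)
    pos = 12
    for _ in range(qd):
        pos = skip_name(msg, pos) + 4          # skip QTYPE and QCLASS
    errors = []
    for _ in range(an + ns + ar):
        pos = skip_name(msg, pos)
        rtype, _cls, _ttl, rdlen = struct.unpack_from("!HHIH", msg, pos)
        rdata, pos = msg[pos + 10:pos + 10 + rdlen], pos + 10 + rdlen
        if rtype != OPT_TYPE:
            continue
        off = 0
        while off + 4 <= len(rdata):            # walk the EDNS options
            code, olen = struct.unpack_from("!HH", rdata, off)
            body, off = rdata[off + 4:off + 4 + olen], off + 4 + olen
            if code == EDE_OPTION and len(body) >= 2:
                info = struct.unpack_from("!H", body)[0]
                errors.append((info, EDE_NAMES.get(info, "unknown"),
                               body[2:].decode("utf-8", "replace")))
    return RCODES.get(flags & 0xF, str(flags & 0xF)), errors

def build_sample():
    """Constructed SERVFAIL response for zoom.us carrying one EDE option."""
    header = struct.pack("!6H", 0x1234, 0x8182, 1, 0, 0, 1)   # QR RD RA, rcode 2
    question = b"\x04zoom\x02us\x00" + struct.pack("!HH", 1, 1)
    text = b"constructed example text"
    ede = struct.pack("!HHH", EDE_OPTION, 2 + len(text), 22) + text
    opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, 1232, 0, len(ede)) + ede
    return header + question + opt

if __name__ == "__main__":
    print(extended_errors(build_sample()))
```

A response from a resolver that does not send EDE yields an empty list alongside the bare rcode, which is the "vague SERVFAIL" case the thread describes.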
                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.