[Solved] DNS Resolver SERVFAIL



  • I have been using DNS Resolver in Forwarding mode for a long time because I have been having problems.

    I just switched to regular mode and DNSSEC 10 minutes ago and I am experiencing the same problems.

    Trying to look up www.lawrencesystems.com from my computer either through Firefox or the terminal I get SERVFAIL.

    Doing so through the DNS Lookup tab on pfsense, I get an answer with the IP of the server.

    What is going on?

    Edit: Also, before I do get valid replies, I have to refresh the browser page multiple times to finally get the resolved address. Is it supposed to be that slow? That does not happen on all sites but happens on about 50%.

    Edit2: Well the DNS Resolver works as expected after a reboot. The dig command does continue to act up but all of my DNS queries are getting resolved perfectly, even with DNSSEC on.


  • LAYER 8 Global Moderator

    @sotirone said in DNS Resolver SERVFAIL:

    www.lawrencesystems.com

    No issues resolving that here.. If you say your clients are having issues, but pfsense is not, are you sure your clients are pointing to pfsense? So your clients pointing to pfsense would use unbound, while the dns diag tab might use something else? If you're going to use the resolver, the only thing pfsense should point to is itself

    [Screenshot: loopbackonly.jpg]

    See only 127.0.0.1 is listed and used, no other dns.

    If you're having an issue resolving something, I would look to see where that might be failing.. You can do dig +trace on your pfsense box directly

    ; <<>> DiG 9.12.2-P1 <<>> www.lawrencesystems.com +trace
    ;; global options: +cmd
    .                       75589   IN      NS      a.root-servers.net.
    .                       75589   IN      NS      b.root-servers.net.
    .                       75589   IN      NS      c.root-servers.net.
    .                       75589   IN      NS      d.root-servers.net.
    .                       75589   IN      NS      e.root-servers.net.
    .                       75589   IN      NS      f.root-servers.net.
    .                       75589   IN      NS      g.root-servers.net.
    .                       75589   IN      NS      h.root-servers.net.
    .                       75589   IN      NS      i.root-servers.net.
    .                       75589   IN      NS      j.root-servers.net.
    .                       75589   IN      NS      k.root-servers.net.
    .                       75589   IN      NS      l.root-servers.net.
    .                       75589   IN      NS      m.root-servers.net.
    .                       75589   IN      RRSIG   NS 8 0 518400 20191104170000 20191022160000 22545 . Xr2Z0Y9f9gKZYzO9V4qNb6wVSkzcn/CYpOOzODP1SxJXspUjaDNwXYqL Ti87DOXHyF3nsokllVaCQCgYJwd8sKbWPenRwxaVKw6PtyH7ejuJ8qfJ KOpbCnzoGfGozTI6eVrYQwZuRxR7VnVG511j3cJ2Z0gJvkT6AUH4sTaW zly2uOG/hquLSpjXH9+LBi1NbN30lEVfYSBGwTd7Cti7L7epTpn1lPA0 Y/wqEbX+BxpdF4cFM2x7KPXlZNje7rihGAjYx/W+koNgrm/2skeJE36e bpf713wqEtYFtPWFRhUwt28mD6kvRiH8uS02cgq2+2w+IX795q46G3gX j9nPIQ==
    ;; Received 525 bytes from 127.0.0.1#53(127.0.0.1) in 0 ms
    
    com.                    172800  IN      NS      a.gtld-servers.net.
    com.                    172800  IN      NS      b.gtld-servers.net.
    com.                    172800  IN      NS      c.gtld-servers.net.
    com.                    172800  IN      NS      d.gtld-servers.net.
    com.                    172800  IN      NS      e.gtld-servers.net.
    com.                    172800  IN      NS      f.gtld-servers.net.
    com.                    172800  IN      NS      g.gtld-servers.net.
    com.                    172800  IN      NS      h.gtld-servers.net.
    com.                    172800  IN      NS      i.gtld-servers.net.
    com.                    172800  IN      NS      j.gtld-servers.net.
    com.                    172800  IN      NS      k.gtld-servers.net.
    com.                    172800  IN      NS      l.gtld-servers.net.
    com.                    172800  IN      NS      m.gtld-servers.net.
    com.                    86400   IN      DS      30909 8 2 E2D3C916F6DEEAC73294E8268FB5885044A833FC5459588F4A9184CF C41A5766
    com.                    86400   IN      RRSIG   DS 8 1 86400 20191104170000 20191022160000 22545 . j7kSiN/c4MXrk7tIPD8qnZqCg0gBbBoF6nKpDoRhDalnsR93968S/JA0 gHYxyls2nTfLI+2/eaKj3fXvHnAGsqZBJfxDz97h9/moWt0SdwchotPW VomLPQWpViNHMpvKHobfBgVtXBT+UBdxZfVuDpQswDSTl6vFNsqlVsjW zB3yTXmYwkVr6YAJmc0ga34EsgVh+C2bkppejQq5PjmfXzful6BCRvTu j+GfytbRTqOpknPHays0TfjaAmuhfVCXB/kTehX9zxGntHDhpJxk4vAR cKJFUglL6X57Gr6a2c2ct/eYe6VrnOlKBvQhSngi2vM3AJKyKEksi3om RT189g==
    ;; Received 1183 bytes from 2001:500:2d::d#53(d.root-servers.net) in 51 ms
    
    lawrencesystems.com.    172800  IN      NS      ns1.lawrence.technology.
    lawrencesystems.com.    172800  IN      NS      ns2.lawrence.technology.
    lawrencesystems.com.    172800  IN      NS      ns3.lawrence.technology.
    lawrencesystems.com.    172800  IN      NS      ns4.lawrence.technology.
    CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 86400 IN NSEC3 1 1 0 - CK0Q1GIN43N1ARRC9OSM6QPQR81H5M9A NS SOA RRSIG DNSKEY NSEC3PARAM
    CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 86400 IN RRSIG NSEC3 8 2 86400 20191026044727 20191019033727 12163 com. L8X10nb9SRkzwcSf3SNTRa/24YQW0ay6SOzHltG4lknjnQgtMbu0/N3s LQH9wqc0SLy+qN+AYBKC8MtLicMWvYcx/SGRVlvfdgwcAR7wU7qxtJ8T vlfETNOWMGMwkPu//+yaJfWziWFnoLqnNeDcvlqnF0J3z0Ur89Bpb/NT Wng/L/BRj46mgZmQjllYzPHkR0cPAxYoFrLSCpal170H+g==
    U6O0JMHK5LJN50PGGG1K1NCPPGCO4KLM.com. 86400 IN NSEC3 1 1 0 - U6O1OQN01952GNK0TNI0KP3GAMMPMHL6 NS DS RRSIG
    U6O0JMHK5LJN50PGGG1K1NCPPGCO4KLM.com. 86400 IN RRSIG NSEC3 8 2 86400 20191026042002 20191019031002 12163 com. MhFnFk0yN2XIe97VP5jnviBtI4EwDWY2KpMKet4QDroiVEhV1a6tychp 0B2yNygGmXfiOEkSJEXXQXKOxY2TW1WyCTciByo8bXA9losT2HX7kSIQ TQxd82xSErQHqjGgfIz70+KhhEW3eLJEzrzbsGEpymutCbyxY14YmC88 B7UXnLQDWbSpgwUZiZnlX+hTzwKOASxs5C2bBZ7EfgZb0g==
    ;; Received 692 bytes from 192.55.83.30#53(m.gtld-servers.net) in 51 ms
    
    www.lawrencesystems.com. 14400  IN      CNAME   lawrencesystems.com.
    lawrencesystems.com.    14400   IN      A       68.66.216.9
    lawrencesystems.com.    86400   IN      NS      ns4.lawrence.technology.
    lawrencesystems.com.    86400   IN      NS      ns1.lawrence.technology.
    lawrencesystems.com.    86400   IN      NS      ns2.lawrence.technology.
    lawrencesystems.com.    86400   IN      NS      ns3.lawrence.technology.
    ;; Received 237 bytes from 68.66.216.9#53(ns2.lawrence.technology) in 20 ms
    
    [2.4.4-RELEASE][admin@sg4860.local.lan]/: 
    

    That would show exactly how what you're looking for is resolved.. And where you might be having issues.

    You can also use the unbound-control to look to see what unbound knows about the NS and such for any specific host.

    [2.4.4-RELEASE][admin@sg4860.local.lan]/: unbound-control -c /var/unbound/unbound.conf lookup www.lawrencesystems.com
    The following name servers are used for lookup of www.lawrencesystems.com.
    ;rrset 85880 4 0 7 3
    lawrencesystems.com.    85880   IN      NS      ns1.lawrence.technology.
    lawrencesystems.com.    85880   IN      NS      ns4.lawrence.technology.
    lawrencesystems.com.    85880   IN      NS      ns2.lawrence.technology.
    lawrencesystems.com.    85880   IN      NS      ns3.lawrence.technology.
    ;rrset 3080 1 0 8 3
    ns3.lawrence.technology.        3080    IN      A       68.66.216.9
    ;rrset 3080 1 0 8 3
    ns2.lawrence.technology.        3080    IN      A       68.66.216.9
    ;rrset 3080 1 0 8 3
    ns4.lawrence.technology.        3080    IN      A       68.66.216.9
    ;rrset 3080 1 0 8 3
    ns1.lawrence.technology.        3080    IN      A       68.66.216.9
    Delegation with 4 names, of which 4 can be examined to query further addresses.
    It provides 1 IP addresses.
    68.66.216.9             rto 214 msec, ttl 380, ping 6 var 52 rtt 214, tA 0, tAAAA 0, tother 0, EDNS 0 probed.
    [2.4.4-RELEASE][admin@sg4860.local.lan]/
    


  • I am trying to reply but it is getting flagged as spam by Akismet



  • Here is the dig +trace dump from the problematic machine:

    https://pastebin.com/ayWf9KV9
    I have to use pastebin as this post gets over the character limit of the forum.

    Here is a trace from another pfsense device I have. It is in a different location but has identical DNS Resolver settings and Firewall and NAT rules. It is also using the same VPN service as a gateway at the same location as the problematic one:

    https://pastebin.com/YZcqCn06

    I have tried with other domains as well. I don't actually know what the columns represent but I have noticed this:

    The machine that works correctly always shows 172800 and 86400 at the second column at the second stage after contacting the root servers (as does yours):

    https://pastebin.com/NjLF1BqS

    The problematic machine shows 56555 and 64147 in one instance and 56692 and 64284 in another.


  • LAYER 8 Global Moderator

    Ok this is a problem

    couldn't get address for 'j.gtld-servers.net': not found
    couldn't get address for 'k.gtld-servers.net': not found
    couldn't get address for 'f.gtld-servers.net': not found
    

    See this
    ;; BAD (HORIZONTAL) REFERRAL

    That means you are having a problem resolving.. It's a loop that yeah will time out and most likely give you a servfail..

    What specific machine was that done on? That was on the pfsense machine, so look to see what IPs it has for roots. You could do the lookup command I did above for just .

    unbound-control -c /var/unbound/unbound.conf lookup .

    You should get back something like this at the end showing the IPs for roots.

    Delegation with 13 names, of which 0 can be examined to query further addresses.
    It provides 26 IP addresses.
    2001:503:ba3e::2:30     expired, rto 67164576 msec, tA 0 tAAAA 0 tother 0.
    198.41.0.4              expired, rto 67164576 msec, tA 0 tAAAA 0 tother 0.
    2001:500:200::b         expired, rto 67164576 msec, tA 0 tAAAA 0 tother 0.
    199.9.14.201            rto 364 msec, ttl 831, ping 8 var 89 rtt 364, tA 0, tAAAA 0, tother 0, EDNS 0 probed.
    2001:500:2::c           not in infra cache.
    192.33.4.12             not in infra cache.
    2001:500:2d::d          not in infra cache.
    199.7.91.13             not in infra cache.
    2001:500:a8::e          rto 376 msec, ttl 826, ping 0 var 94 rtt 376, tA 0, tAAAA 0, tother 0, EDNS 0 assumed.
    192.203.230.10          not in infra cache.
    2001:500:2f::f          rto 376 msec, ttl 826, ping 0 var 94 rtt 376, tA 0, tAAAA 0, tother 0, EDNS 0 assumed.
    192.5.5.241             not in infra cache.
    2001:500:12::d0d        rto 376 msec, ttl 826, ping 0 var 94 rtt 376, tA 0, tAAAA 0, tother 0, EDNS 0 assumed.
    192.112.36.4            rto 306 msec, ttl 826, ping 2 var 76 rtt 306, tA 0, tAAAA 0, tother 0, EDNS 0 probed.
    2001:500:1::53          rto 376 msec, ttl 826, ping 0 var 94 rtt 376, tA 0, tAAAA 0, tother 0, EDNS 0 assumed.
    198.97.190.53           not in infra cache.
    2001:7fe::53            not in infra cache.
    192.36.148.17           not in infra cache.
    2001:503:c27::2:30      not in infra cache.
    192.58.128.30           not in infra cache.
    2001:7fd::1             not in infra cache.
    193.0.14.129            not in infra cache.
    2001:500:9f::42         not in infra cache.
    199.7.83.42             not in infra cache.
    2001:dc3::35            not in infra cache.
    202.12.27.33            not in infra cache.
    
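The two things the moderator points at in the trace above (the "couldn't get address for" lines and the "BAD (HORIZONTAL) REFERRAL" marker) and the TTL difference the original poster noticed a few posts earlier (172800 and 86400 on the working box versus 56555 and 64147 on the problematic one) can both be checked mechanically rather than by eye. The script below is an added example written for this thread; it is not code from the posts, from pfSense or from unbound. It parses dig +trace output into one stage per server queried, reports the error lines, and compares the delegation TTLs with those from a known-good trace: a server that is authoritative for a delegation hands out the zone's configured TTL, so a smaller, odd value at that stage means the response came out of a cache somewhere on the path instead of from the server dig was addressing. The two traces embedded in it are constructed and abbreviated; the 192.0.2.x addresses are documentation addresses, not real nameservers.

```python
"""Compare a suspect `dig +trace` run against a known-good one (added example)."""
import re
from dataclasses import dataclass, field

# A stage ends with the line dig prints after each server it queried.
RECEIVED_RE = re.compile(r"^;; Received (\d+) bytes from (\S+)#\d+\((\S+)\)")
RECORD_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(.*)$")
# Lines dig prints when it cannot follow a referral (missing glue, loop).
ERROR_PREFIXES = ("couldn't get address for", ";; BAD (HORIZONTAL) REFERRAL")


@dataclass
class Stage:
    records: list = field(default_factory=list)  # (owner, ttl, rtype, rdata)
    server: str = ""        # address that answered this stage
    server_name: str = ""   # name dig printed for it


def parse_trace(text):
    """Split dig +trace output into referral stages plus a list of error lines."""
    stages, errors, current = [], [], Stage()
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(ERROR_PREFIXES):
            errors.append(line)
            continue
        m = RECEIVED_RE.match(line)
        if m:
            current.server, current.server_name = m.group(2), m.group(3)
            stages.append(current)
            current = Stage()
            continue
        m = RECORD_RE.match(line)
        if m and not line.startswith(";"):
            owner, ttl, rtype, rdata = m.groups()
            current.records.append((owner, int(ttl), rtype, rdata))
    if current.records:          # trailing records without a "Received" line
        stages.append(current)
    return stages, errors


def delegation_ttls(stages):
    """TTL of each (zone, NS|DS) pair as first seen in a referral.

    Stage 0 is skipped: dig fetches the root NS set from the configured
    recursive resolver (127.0.0.1 here), so a decremented TTL there is normal."""
    ttls = {}
    for stage in stages[1:]:
        for owner, ttl, rtype, _ in stage.records:
            if rtype in ("NS", "DS"):
                ttls.setdefault((owner, rtype), ttl)
    return ttls


def compare_traces(reference_text, suspect_text):
    """Return human-readable findings for the suspect trace (empty list = looks fine)."""
    ref_stages, _ = parse_trace(reference_text)
    sus_stages, sus_errors = parse_trace(suspect_text)
    findings = ["error line: " + e for e in sus_errors]
    ref_ttls = delegation_ttls(ref_stages)
    for (zone, rtype), ttl in delegation_ttls(sus_stages).items():
        expected = ref_ttls.get((zone, rtype))
        # An authoritative server hands out the zone's configured TTL; a smaller
        # value means the "referral" came out of a cache on the path instead.
        if expected is not None and ttl < expected:
            findings.append(f"{rtype} for {zone}: TTL {ttl} < reference {expected}, "
                            "delegation was served from a cache, not an authoritative server")
    return findings


# Constructed, abbreviated traces in dig's output format (not real captures).
GOOD_TRACE = """\
; <<>> DiG 9.12.2-P1 <<>> www.example.com +trace
;; global options: +cmd
.                       75589   IN      NS      a.root-servers.net.
;; Received 525 bytes from 127.0.0.1#53(127.0.0.1) in 0 ms

com.                    172800  IN      NS      a.gtld-servers.net.
com.                    172800  IN      NS      f.gtld-servers.net.
com.                    86400   IN      DS      30909 8 2 E2D3C916F6DEEAC73294E8268FB5885044A833FC5459588F4A9184CF C41A5766
;; Received 1183 bytes from 199.7.91.13#53(d.root-servers.net) in 51 ms

example.com.            172800  IN      NS      ns1.example.com.
;; Received 692 bytes from 192.0.2.30#53(a.gtld-servers.net) in 51 ms

www.example.com.        14400   IN      A       192.0.2.9
example.com.            86400   IN      NS      ns1.example.com.
;; Received 237 bytes from 192.0.2.9#53(ns1.example.com) in 20 ms
"""

BAD_TRACE = """\
; <<>> DiG 9.12.2-P1 <<>> www.example.com +trace
;; global options: +cmd
.                       75589   IN      NS      a.root-servers.net.
;; Received 525 bytes from 127.0.0.1#53(127.0.0.1) in 0 ms

com.                    56555   IN      NS      a.gtld-servers.net.
com.                    56555   IN      NS      f.gtld-servers.net.
com.                    64147   IN      DS      30909 8 2 E2D3C916F6DEEAC73294E8268FB5885044A833FC5459588F4A9184CF C41A5766
;; Received 1183 bytes from 199.7.91.13#53(d.root-servers.net) in 51 ms

couldn't get address for 'f.gtld-servers.net': not found
com.                    56555   IN      NS      a.gtld-servers.net.
;; Received 692 bytes from 192.0.2.30#53(a.gtld-servers.net) in 51 ms
;; BAD (HORIZONTAL) REFERRAL
"""

if __name__ == "__main__":
    for finding in compare_traces(GOOD_TRACE, BAD_TRACE):
        print(finding)
```

To use it on the two pastebin dumps from the thread, save each to a file and pass their contents to compare_traces with the working box's trace as the reference; every finding names the zone and record type, so a cached TTL at the root referral stage stands out from one at the TLD stage.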


  • @johnpoz said in DNS Resolver SERVFAIL:

    What specific machine was that done on?

    Do you mean what hardware? It is not a Netgate device, it is an HP T620 Plus thin client.

    unbound-control -c /var/unbound/unbound.conf lookup .
    The following name servers are used for lookup of .
    ;rrset 52503 13 1 11 5
    .       52503   IN      NS      a.root-servers.net.
    .       52503   IN      NS      b.root-servers.net.
    .       52503   IN      NS      c.root-servers.net.
    .       52503   IN      NS      d.root-servers.net.
    .       52503   IN      NS      e.root-servers.net.
    .       52503   IN      NS      f.root-servers.net.
    .       52503   IN      NS      g.root-servers.net.
    .       52503   IN      NS      h.root-servers.net.
    .       52503   IN      NS      i.root-servers.net.
    .       52503   IN      NS      j.root-servers.net.
    .       52503   IN      NS      k.root-servers.net.
    .       52503   IN      NS      l.root-servers.net.
    .       52503   IN      NS      m.root-servers.net.
    .       52503   IN      RRSIG   NS 8 0 518400 20191105170000 20191023160000 22545 . W1Px4SeZe4f3Y4hwceNfLQqibpKA3rAIyc5d278lXmS5gxR948mWtGNqCjMLe/rn0P9bftmT5Gbi94AoqepaHXJ6tNl/P5v12KVKB6k5CvN9qDRpVcVxib3eiOLBp2Wm4FXlssZTS9oXVPmIuSMxoMdV4gCF6ykyDfW0F7j/Ka0tFXiCq5G+cRoimTrQ2QVNkD0gCOQTb4G3W1xZfKvIReYTQwlAbBGGHJdlmVnZThsQGf/hJ/MC1veeK62pdAuUFWhuU5idAko0q5OhXoLfrlCjuCgx8fCza/ccgjdAVu0yBO+zaIoZxm+v8lYs9b8bcbp+aCswp7UCe7uLSs0oRA== ;{id = 22545}
    ;rrset 52558 1 0 8 3
    m.root-servers.net.     52558   IN      A       202.12.27.33
    ;rrset 52558 1 0 5 3
    m.root-servers.net.     52558   IN      AAAA    2001:dc3::35
    ;rrset 52558 1 0 8 3
    l.root-servers.net.     52558   IN      A       199.7.83.42
    ;rrset 52558 1 0 5 3
    l.root-servers.net.     52558   IN      AAAA    2001:500:9f::42
    ;rrset 52556 1 0 8 3
    k.root-servers.net.     52556   IN      A       193.0.14.129
    ;rrset 52557 1 0 8 3
    k.root-servers.net.     52557   IN      AAAA    2001:7fd::1
    ;rrset 52556 1 0 8 3
    j.root-servers.net.     52556   IN      A       192.58.128.30
    ;rrset 52556 1 0 8 3
    j.root-servers.net.     52556   IN      AAAA    2001:503:c27::2:30
    ;rrset 52553 1 0 8 3
    i.root-servers.net.     52553   IN      A       192.36.148.17
    ;rrset 52556 1 0 8 3
    i.root-servers.net.     52556   IN      AAAA    2001:7fe::53
    ;rrset 52552 1 0 8 3
    h.root-servers.net.     52552   IN      A       198.97.190.53
    ;rrset 52553 1 0 8 3
    h.root-servers.net.     52553   IN      AAAA    2001:500:1::53
    ;rrset 52551 1 0 8 3
    g.root-servers.net.     52551   IN      A       192.112.36.4
    ;rrset 52551 1 0 8 3
    g.root-servers.net.     52551   IN      AAAA    2001:500:12::d0d
    ;rrset 52551 1 0 8 3
    f.root-servers.net.     52551   IN      A       192.5.5.241
    ;rrset 52551 1 0 8 3
    f.root-servers.net.     52551   IN      AAAA    2001:500:2f::f
    ;rrset 52550 1 0 8 3
    e.root-servers.net.     52550   IN      A       192.203.230.10
    ;rrset 52551 1 0 8 3
    e.root-servers.net.     52551   IN      AAAA    2001:500:a8::e
    ;rrset 52549 1 0 8 3
    d.root-servers.net.     52549   IN      A       199.7.91.13
    ;rrset 52550 1 0 8 3
    d.root-servers.net.     52550   IN      AAAA    2001:500:2d::d
    ;rrset 52547 1 0 8 3
    c.root-servers.net.     52547   IN      A       192.33.4.12
    ;rrset 52548 1 0 8 3
    c.root-servers.net.     52548   IN      AAAA    2001:500:2::c
    ;rrset 52546 1 0 8 3
    b.root-servers.net.     52546   IN      A       199.9.14.201
    ;rrset 52547 1 0 8 3
    b.root-servers.net.     52547   IN      AAAA    2001:500:200::b
    ;rrset 52546 1 0 8 3
    a.root-servers.net.     52546   IN      A       198.41.0.4
    ;rrset 52546 1 0 8 3
    a.root-servers.net.     52546   IN      AAAA    2001:503:ba3e::2:30
    Delegation with 13 names, of which 0 can be examined to query further addresses.
    It provides 26 IP addresses.
    2001:503:ba3e::2:30     not in infra cache.
    198.41.0.4              expired, rto 67163840 msec, tA 0 tAAAA 0 tother 0.
    2001:500:200::b         not in infra cache.
    199.9.14.201            expired, rto 67163840 msec, tA 0 tAAAA 0 tother 0.
    2001:500:2::c           not in infra cache.
    192.33.4.12             rto 306 msec, ttl 397, ping 2 var 76 rtt 306, tA 0, tAAAA 0, tother 0, EDNS 0 probed.
    2001:500:2d::d          not in infra cache.
    199.7.91.13             not in infra cache.
    2001:500:a8::e          not in infra cache.
    192.203.230.10          not in infra cache.
    2001:500:2f::f          not in infra cache.
    192.5.5.241             not in infra cache.
    2001:500:12::d0d        not in infra cache.
    192.112.36.4            not in infra cache.
    2001:500:1::53          not in infra cache.
    198.97.190.53           not in infra cache.
    2001:7fe::53            not in infra cache.
    192.36.148.17           not in infra cache.
    2001:503:c27::2:30      not in infra cache.
    192.58.128.30           not in infra cache.
    2001:7fd::1             not in infra cache.
    193.0.14.129            not in infra cache.
    2001:500:9f::42         not in infra cache.
    199.7.83.42             not in infra cache.
    2001:dc3::35            not in infra cache.
    202.12.27.33            not in infra cache.
    
    

    IPv6 is disabled on my machine, I don't know if it is relevant or not, just mentioning because I see that your dig +trace used IPv6.

