NXDomain with Unbound
-
Does anyone have issues resolving infoblox.com when using unbound as their resolver (no forwarding)? If I set up a domain override and forward the request to 1.1.1.1 then it resolves just fine. Trying to figure out why this is happening and if it's affecting other domains without my knowledge.
[2.4.5-RELEASE][admin@fw.localdomain]/root: dig infoblox.com
; <<>> DiG 9.14.12 <<>> infoblox.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 15937
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;infoblox.com. IN A
;; Query time: 1953 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Sep 30 10:34:53 PDT 2020
;; MSG SIZE rcvd: 41
-
I built a new pfsense virtual appliance from the CE ISO and I get the same issue. Not sure what the deal is here.
Infoblox.com test
Microsoft.com test
-
As an extra data point, the lookup for infoblox.com fails when run directly on my pfSense box at the shell prompt using dig, resolving using unbound. It succeeds on my Microsoft AD domain controller/DNS, but takes a long time to resolve there. So something about that particular domain appears to not be working with unbound, the DNS Resolver in pfSense. @johnpoz is our resident DNS expert. Perhaps he will drop by with some troubleshooting suggestions.
-
No issues here
[2.4.5-RELEASE][admin@sg4860.local.lan]/root: dig infoblox.com

; <<>> DiG 9.14.12 <<>> infoblox.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39044
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;infoblox.com. IN A

;; ANSWER SECTION:
infoblox.com. 3568 IN A 23.185.0.3

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Oct 01 08:05:36 CDT 2020
;; MSG SIZE rcvd: 57

[2.4.5-RELEASE][admin@sg4860.local.lan]/root:
I would suggest you do a trace..
[2.4.5-RELEASE][admin@sg4860.local.lan]/root: dig infoblox.com +trace

; <<>> DiG 9.14.12 <<>> infoblox.com +trace
;; global options: +cmd
. 6466 IN NS a.root-servers.net.
. 6466 IN NS b.root-servers.net.
. 6466 IN NS c.root-servers.net.
. 6466 IN NS d.root-servers.net.
. 6466 IN NS e.root-servers.net.
. 6466 IN NS f.root-servers.net.
. 6466 IN NS g.root-servers.net.
. 6466 IN NS h.root-servers.net.
. 6466 IN NS i.root-servers.net.
. 6466 IN NS j.root-servers.net.
. 6466 IN NS k.root-servers.net.
. 6466 IN NS l.root-servers.net.
. 6466 IN NS m.root-servers.net.
. 6466 IN RRSIG NS 8 0 518400 20201013050000 20200930040000 46594 . Xu7cjJ+kdiHxSW27+Z3HpwACUprax7seN6Aoa1qhfhY6M82oxBsO0fpX J2XA2grBx/TfsSxwZQOSoW8VQeA4z9iTt5Oac0t5h7iPXfx5vO/+bJpR Fwh87FKUXEtePZrjcbr6a7ULZjzf4NYUZuQ9/7sJ5bNlXS4sOUCp/f+l ZBE2uZ8piKGiF4wafEh3FcBVCWk+UYzjPGfY0BkZ0g8QnPJkmO0KRSDM db1XDjeNITQdqJEE7+t74PkejY+GjiDT3oqvN51e3HTRZYB9BRoWmnlk nOQlIu+qE01HKdf6zTvkmEatDnQ4V/ii0nE5WslKNZpRkrCyN8NH1vjz cnJR7g==
;; Received 525 bytes from 127.0.0.1#53(127.0.0.1) in 0 ms

com. 172800 IN NS a.gtld-servers.net.
com. 172800 IN NS b.gtld-servers.net.
com. 172800 IN NS c.gtld-servers.net.
com. 172800 IN NS d.gtld-servers.net.
com. 172800 IN NS e.gtld-servers.net.
com. 172800 IN NS f.gtld-servers.net.
com. 172800 IN NS g.gtld-servers.net.
com. 172800 IN NS h.gtld-servers.net.
com. 172800 IN NS i.gtld-servers.net.
com. 172800 IN NS j.gtld-servers.net.
com. 172800 IN NS k.gtld-servers.net.
com. 172800 IN NS l.gtld-servers.net.
com. 172800 IN NS m.gtld-servers.net.
com. 86400 IN DS 30909 8 2 E2D3C916F6DEEAC73294E8268FB5885044A833FC5459588F4A9184CF C41A5766
com. 86400 IN RRSIG DS 8 1 86400 20201014050000 20201001040000 26116 . Bdl9yw/8Y1O9NDLtYpEV9gyLFtHFuzpSbgioDM6rqmV4f/g6H5RXiJf7 AdAN43FBv5caxG5fnz9b2/zLPyM+wL9U4m5v4nHfvQrwXy8mmYbw+qUI 8l5AhA8PXMo2bXSPdZU2dA4QRK+hmFGL2g/FLxooJ+2rP4Z8+l4irBfI IpvyOjN0IzYezwh6Wq6GDcQh9GHZ0J0mFZQFq8XfMz6KL4XyuPpVQhoe DYuoXTSjbti5GravgDHMZN7xGtO7uXonca2xhlzreIpUtJQbNvk7+O3P OgaVn0IjhxkraXUYc/Tl6yiLX7fTNDytcf4y7lvtoMvNzvVKiNrf2MoB 3sdQ4g==
;; Received 1172 bytes from 198.97.190.53#53(h.root-servers.net) in 120 ms

infoblox.com. 172800 IN NS ns1.infoblox.com.
infoblox.com. 172800 IN NS ns2.infoblox.com.
infoblox.com. 172800 IN NS ns3.infoblox.com.
infoblox.com. 172800 IN NS ns4.infoblox.com.
infoblox.com. 172800 IN NS ns5.infoblox.com.
infoblox.com. 172800 IN NS ns6.infoblox.com.
infoblox.com. 86400 IN DS 33613 5 2 339462CBAEB1773800EA8B688D2CA048FCAB0EB2933A97AEE2B86A9A 212F37C5
infoblox.com. 86400 IN DS 33613 5 1 629C2D6C060E2133CD0F4470F3ECC8834DA4FAD6
infoblox.com. 86400 IN DS 49879 5 2 605656DB7C9DFE4D8A453C350B3DA63039A78878DA089AD4247AB9A0 D3B43998
infoblox.com. 86400 IN DS 49879 5 1 C1DB78AD9A8928CB15A7E0CE9E4468D433F5C638
infoblox.com. 86400 IN RRSIG DS 8 2 86400 20201006050039 20200929035039 24966 com. 0B701Vk+rrbm7GABHxrVTr1ZnWEpbkeFGAlCXRldd+NCTpi6kzIquaXE 7c4hQR4uqSY1jSlcO4OMEUMrBy7ntRZsZX1j4JkOOL8YGvoYlMGVRPg8 alDfOm3iClKdfKlBh6/PsdGVaiZ1OE6IO3TrufajePz5mfs/sDr/Yni7 AzDTLsPzekori+SytpPPWxzjVL0Wa3nMAUaruDtoF2KpuA==
;; Received 664 bytes from 192.41.162.30#53(l.gtld-servers.net) in 53 ms

infoblox.com. 30 IN A 23.185.0.3
infoblox.com. 30 IN RRSIG A 5 2 30 20201004225815 20200930225526 31023 infoblox.com. rs7SYJFiQdkfYUON+HhYAHD0Xh1UVhfZICugqzcVxtq4zGThqxLMn9Ic 38gtV0ZxRz2mkzSF1GAE5pTCqzizb16JXQOiPFJX58DNDhBjpB/nnapm gv8Z6SKb/GTKDxA5pxxeqiwAd6sMcmcdXG/xVzICNY6G20bzE2dcqbG7 SCc=
infoblox.com. 30 IN RRSIG A 5 2 30 20201004225815 20200930225526 51612 infoblox.com. tO7NQDIqZ44fK2WUre9qAgc+xrxn2yHNApuQI3RUIFVDZG2MNrIqgJFc ni5AjW1jtzZKpBTvERZLIvpwSYNxdmAG+swHYy3t4b2cBKAJgFFPzzm3 KTO+83ik392U1+c4nQH3K6UQSDTHX6+fkmrfx10nLYnqEwY/ujdXrKEp IIM=
;; Received 429 bytes from 23.99.82.199#53(ns6.infoblox.com) in 70 ms

[2.4.5-RELEASE][admin@sg4860.local.lan]/root:
To see where it could be failing.. Can you resolve the NS for it? Or find them elsewhere and then do a directed query to one of the 6 of them
[2.4.5-RELEASE][admin@sg4860.local.lan]/root: dig @207.47.7.140 infoblox.com

; <<>> DiG 9.14.12 <<>> @207.47.7.140 infoblox.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24568
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 6, ADDITIONAL: 9
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 2cd556808dacc581bfdabf075f75d4ce7b07a330d4a5c8b5 (good)
;; QUESTION SECTION:
;infoblox.com. IN A

;; ANSWER SECTION:
infoblox.com. 30 IN A 23.185.0.3

;; AUTHORITY SECTION:
infoblox.com. 3600 IN NS ns5.infoblox.com.
infoblox.com. 3600 IN NS ns1.infoblox.com.
infoblox.com. 3600 IN NS ns4.infoblox.com.
infoblox.com. 3600 IN NS ns3.infoblox.com.
infoblox.com. 3600 IN NS ns6.infoblox.com.
infoblox.com. 3600 IN NS ns2.infoblox.com.

;; ADDITIONAL SECTION:
ns4.infoblox.com. 3600 IN A 207.47.7.139
ns1.infoblox.com. 3600 IN A 207.47.7.140
ns2.infoblox.com. 3600 IN A 205.234.19.211
ns3.infoblox.com. 3600 IN A 205.234.19.10
ns5.infoblox.com. 3600 IN A 52.21.154.140
ns6.infoblox.com. 3600 IN A 23.99.82.199
ns2.infoblox.com. 3600 IN AAAA 2620:10a:6001:fffe::11
ns3.infoblox.com. 3600 IN AAAA 2620:10a:6001:fffe::10

;; Query time: 65 msec
;; SERVER: 207.47.7.140#53(207.47.7.140)
;; WHEN: Thu Oct 01 08:08:30 CDT 2020
;; MSG SIZE rcvd: 345
From the trace info and the directed query info, let's see what we see. From there, depending on that info, we can see what direction we need to go in to find out why you're failing.
My guess would be you're having problems talking to one of the NS along the path.
A failure to resolve is normally something in the network connection that prevents you from talking to the NS along the path to get to the authoritative NS for that domain.
Or sometimes something wrong with DNSSEC.. But that wouldn't return SERVFAIL, and if that was the case for Infoblox it would be funny as shit, since they are in the DNS business ;)
Their 30-second TTL.. maybe they are in the middle of some sort of transition.. Such a low TTL is just absurd, if you ask me, without being in the middle of some sort of major change in DNS.
-
Here is what I get with a trace direct from my firewall using unbound --

[2.4.5-RELEASE][admin@firewall.themeeks.net]/root: dig infoblox.com +trace

; <<>> DiG 9.14.12 <<>> infoblox.com +trace
;; global options: +cmd
. 7330 IN NS m.root-servers.net.
. 7330 IN NS b.root-servers.net.
. 7330 IN NS c.root-servers.net.
. 7330 IN NS d.root-servers.net.
. 7330 IN NS e.root-servers.net.
. 7330 IN NS f.root-servers.net.
. 7330 IN NS g.root-servers.net.
. 7330 IN NS h.root-servers.net.
. 7330 IN NS i.root-servers.net.
. 7330 IN NS a.root-servers.net.
. 7330 IN NS j.root-servers.net.
. 7330 IN NS k.root-servers.net.
. 7330 IN NS l.root-servers.net.
. 7330 IN RRSIG NS 8 0 518400 20201013170000 20200930160000 46594 . f0NDvvk1VGB5ygfBlYVO+i7TT8ac9V+o1/g1xC2BPvlRljydfOgefJzA sIfW1AIZmjgMIelJgduaW02q0fqNJ6o7V71A9vy2I/CgD8hvFFkZL5fd bCpMnQ8OEmpgTAVcJeGly1vd0xogIOwLKKhjI3FyasLqiUx0ZdSgIxMQ uiIPkvnjPfh9E+8M1gRsQCy5rmki3zNWuUHeo4WP3GDFtR+8DD7tIozy v0wtORuHQPH0a+lCrx4JyHOdjHQFP+/L/qBUe1O+h1buuUImleYMG4HE s0R+Zbf8UMTk/WyPZiZjTb05NM4Wy2+6m/mXdzdeEqLv/Ce7z+JVSuCD mSZQgw==
;; Received 525 bytes from 127.0.0.1#53(127.0.0.1) in 0 ms

com. 172800 IN NS a.gtld-servers.net.
com. 172800 IN NS b.gtld-servers.net.
com. 172800 IN NS c.gtld-servers.net.
com. 172800 IN NS d.gtld-servers.net.
com. 172800 IN NS e.gtld-servers.net.
com. 172800 IN NS f.gtld-servers.net.
com. 172800 IN NS g.gtld-servers.net.
com. 172800 IN NS h.gtld-servers.net.
com. 172800 IN NS i.gtld-servers.net.
com. 172800 IN NS j.gtld-servers.net.
com. 172800 IN NS k.gtld-servers.net.
com. 172800 IN NS l.gtld-servers.net.
com. 172800 IN NS m.gtld-servers.net.
com. 86400 IN DS 30909 8 2 E2D3C916F6DEEAC73294E8268FB5885044A833FC5459588F4A9184CF C41A5766
com. 86400 IN RRSIG DS 8 1 86400 20201014050000 20201001040000 26116 . Bdl9yw/8Y1O9NDLtYpEV9gyLFtHFuzpSbgioDM6rqmV4f/g6H5RXiJf7 AdAN43FBv5caxG5fnz9b2/zLPyM+wL9U4m5v4nHfvQrwXy8mmYbw+qUI 8l5AhA8PXMo2bXSPdZU2dA4QRK+hmFGL2g/FLxooJ+2rP4Z8+l4irBfI IpvyOjN0IzYezwh6Wq6GDcQh9GHZ0J0mFZQFq8XfMz6KL4XyuPpVQhoe DYuoXTSjbti5GravgDHMZN7xGtO7uXonca2xhlzreIpUtJQbNvk7+O3P OgaVn0IjhxkraXUYc/Tl6yiLX7fTNDytcf4y7lvtoMvNzvVKiNrf2MoB 3sdQ4g==
;; Received 1172 bytes from 193.0.14.129#53(k.root-servers.net) in 32 ms

infoblox.com. 172800 IN NS ns1.infoblox.com.
infoblox.com. 172800 IN NS ns2.infoblox.com.
infoblox.com. 172800 IN NS ns3.infoblox.com.
infoblox.com. 172800 IN NS ns4.infoblox.com.
infoblox.com. 172800 IN NS ns5.infoblox.com.
infoblox.com. 172800 IN NS ns6.infoblox.com.
infoblox.com. 86400 IN DS 33613 5 2 339462CBAEB1773800EA8B688D2CA048FCAB0EB2933A97AEE2B86A9A 212F37C5
infoblox.com. 86400 IN DS 33613 5 1 629C2D6C060E2133CD0F4470F3ECC8834DA4FAD6
infoblox.com. 86400 IN DS 49879 5 2 605656DB7C9DFE4D8A453C350B3DA63039A78878DA089AD4247AB9A0 D3B43998
infoblox.com. 86400 IN DS 49879 5 1 C1DB78AD9A8928CB15A7E0CE9E4468D433F5C638
infoblox.com. 86400 IN RRSIG DS 8 2 86400 20201006050039 20200929035039 24966 com. 0B701Vk+rrbm7GABHxrVTr1ZnWEpbkeFGAlCXRldd+NCTpi6kzIquaXE 7c4hQR4uqSY1jSlcO4OMEUMrBy7ntRZsZX1j4JkOOL8YGvoYlMGVRPg8 alDfOm3iClKdfKlBh6/PsdGVaiZ1OE6IO3TrufajePz5mfs/sDr/Yni7 AzDTLsPzekori+SytpPPWxzjVL0Wa3nMAUaruDtoF2KpuA==
couldn't get address for 'ns1.infoblox.com': not found
couldn't get address for 'ns2.infoblox.com': not found
couldn't get address for 'ns3.infoblox.com': not found
couldn't get address for 'ns4.infoblox.com': not found
couldn't get address for 'ns5.infoblox.com': not found
couldn't get address for 'ns6.infoblox.com': not found
dig: couldn't get address for 'ns1.infoblox.com': no more

A direct query with your second example works --

[2.4.5-RELEASE][admin@firewall.themeeks.net]/root: dig @207.47.7.140 infoblox.com

; <<>> DiG 9.14.12 <<>> @207.47.7.140 infoblox.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52658
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 6, ADDITIONAL: 9
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: cb9ae6a686d44f96d804fce45f75f6e035fe653e0d474cc4 (good)
;; QUESTION SECTION:
;infoblox.com. IN A

;; ANSWER SECTION:
infoblox.com. 30 IN A 23.185.0.3

;; AUTHORITY SECTION:
infoblox.com. 3600 IN NS ns3.infoblox.com.
infoblox.com. 3600 IN NS ns2.infoblox.com.
infoblox.com. 3600 IN NS ns6.infoblox.com.
infoblox.com. 3600 IN NS ns1.infoblox.com.
infoblox.com. 3600 IN NS ns4.infoblox.com.
infoblox.com. 3600 IN NS ns5.infoblox.com.

;; ADDITIONAL SECTION:
ns4.infoblox.com. 3600 IN A 207.47.7.139
ns1.infoblox.com. 3600 IN A 207.47.7.140
ns2.infoblox.com. 3600 IN A 205.234.19.211
ns3.infoblox.com. 3600 IN A 205.234.19.10
ns5.infoblox.com. 3600 IN A 52.21.154.140
ns6.infoblox.com. 3600 IN A 23.99.82.199
ns2.infoblox.com. 3600 IN AAAA 2620:10a:6001:fffe::11
ns3.infoblox.com. 3600 IN AAAA 2620:10a:6001:fffe::10

;; Query time: 81 msec
;; SERVER: 207.47.7.140#53(207.47.7.140)
;; WHEN: Thu Oct 01 11:33:52 EDT 2020
;; MSG SIZE rcvd: 345

So for some reason my default unbound install does not seem to be able to locate the name servers for infoblox.com.
-
@bmeeks said in NXDomain with Unbound:
couldn't get address for 'ns1.infoblox.com': not found
couldn't get address for 'ns2.infoblox.com': not found
couldn't get address for 'ns3.infoblox.com': not found

Yeah, looks like for whatever reason you didn't get back the NS for infoblox from the .com NSs..
If you see here, I did a directed query to one of the .com NS and got back a response.. Seems that is where you're failing.. Try doing a directed query to one of them for the NSs
$ dig @c.gtld-servers.net infoblox.com NS

; <<>> DiG 9.16.6 <<>> @c.gtld-servers.net infoblox.com NS
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57228
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 6, ADDITIONAL: 9
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;infoblox.com. IN NS

;; AUTHORITY SECTION:
infoblox.com. 172800 IN NS ns1.infoblox.com.
infoblox.com. 172800 IN NS ns2.infoblox.com.
infoblox.com. 172800 IN NS ns3.infoblox.com.
infoblox.com. 172800 IN NS ns4.infoblox.com.
infoblox.com. 172800 IN NS ns5.infoblox.com.
infoblox.com. 172800 IN NS ns6.infoblox.com.

;; ADDITIONAL SECTION:
ns1.infoblox.com. 172800 IN A 207.47.7.140
ns2.infoblox.com. 172800 IN A 205.234.19.211
ns2.infoblox.com. 172800 IN AAAA 2620:10a:6001:fffe::11
ns3.infoblox.com. 172800 IN A 205.234.19.10
ns3.infoblox.com. 172800 IN AAAA 2620:10a:6001:fffe::10
ns4.infoblox.com. 172800 IN A 207.47.7.139
ns5.infoblox.com. 172800 IN A 52.21.154.140
ns6.infoblox.com. 172800 IN A 23.99.82.199

;; Query time: 30 msec
;; SERVER: 192.26.92.30#53(192.26.92.30)
;; WHEN: Thu Oct 01 10:42:56 Central Daylight Time 2020
;; MSG SIZE rcvd: 301
I would think if you're having issues talking to the .com NS you would have lots and lots of stuff failing..
-
@johnpoz,
Yeah, doing a directed query to gtld-servers.net works. Kind of weird. And my Microsoft AD DNS server can resolve it just fine. Other .com domains resolve fine. Just tested three other common .com domains and they resolve.
-
Well, digging a bit deeper, they do seem to have a bit of an issue; they list their SOA as
SOA thens.infoblox.com. dns.infoblox.com. 2006564344 10800 1080 1209600 3600
But thens.infoblox.com is not being handed out as an NS from the .com NS..
That could lead to some issues.. It's sometimes done on purpose, but could also be a misconfig, or they may be in the process of changing some stuff... Which could explain the super low 30-second TTLs?
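Two things the thread checks by hand are worth having as a repeatable offline check: whether the parent's referral carries glue for every in-bailiwick nameserver (what bmeeks's trace was missing when it printed "couldn't get address for 'ns1.infoblox.com'"), and whether the zone's SOA MNAME is one of the delegated NS names (the thens.infoblox.com mismatch above). The script below is an added example, not code from the thread or from pfSense/unbound; it parses dig-style record lines and reports findings. The referral, SOA rdata and trace lines are copied from the dig output in this thread; the glue-less referral is a constructed variant, and the 60-second low-TTL threshold is an arbitrary choice.

```python
# Added example: offline delegation checks over dig-style output.
# Not part of the thread, pfSense or unbound. Sample records are copied from the
# thread's dig output except where marked constructed.
import re
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class RR:
    name: str
    ttl: int
    rtype: str
    rdata: str


# dig prints records as: <owner> <ttl> IN <type> <rdata>
RR_LINE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(.+)$")
# dig +trace prints this when a delegated NS name cannot be turned into an address
TRACE_FAIL = re.compile(r"couldn't get address for '([^']+)': not found")


def parse_rrs(text: str) -> List[RR]:
    """Parse dig-style record lines; ';' comment lines and blanks are skipped."""
    rrs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = RR_LINE.match(line)
        if not m:
            raise ValueError(f"unrecognised record line: {line}")
        name, ttl, rtype, rdata = m.groups()
        rrs.append(RR(name.lower(), int(ttl), rtype.upper(), rdata.strip()))
    return rrs


def check_delegation(zone: str, referral: str, soa_rdata: str = "") -> List[str]:
    """Findings for a parent-side referral (NS + glue) plus, optionally, the child's SOA rdata.

    A resolver following the .com referral can only reach an in-bailiwick
    nameserver (ns1.infoblox.com for infoblox.com) if the referral carries glue
    for it; without glue it would have to resolve the NS name through the very
    zone it cannot yet reach. The MNAME check is the mismatch noted above.
    """
    zone = zone.lower().rstrip(".") + "."
    rrs = parse_rrs(referral)
    ns_names = {rr.rdata.lower() for rr in rrs if rr.name == zone and rr.rtype == "NS"}
    glued = {rr.name for rr in rrs if rr.rtype in ("A", "AAAA")}
    findings = []
    if not ns_names:
        findings.append(f"referral carries no NS records for {zone}")
    for ns in sorted(ns_names):
        if ns.endswith("." + zone) and ns not in glued:
            findings.append(f"in-bailiwick NS {ns} has no glue in the referral")
    if soa_rdata:
        mname = soa_rdata.split()[0].lower()
        if mname not in ns_names:
            findings.append(f"SOA MNAME {mname} is not in the delegated NS set {sorted(ns_names)}")
    return findings


def unresolved_nameservers(trace_output: str) -> List[str]:
    """NS names that dig +trace could not turn into addresses."""
    return sorted(set(TRACE_FAIL.findall(trace_output)))


def low_ttl_records(text: str, threshold: int = 60) -> List[str]:
    """'owner/TYPE' for records whose TTL is below threshold (the 30 s TTLs noted above)."""
    return [f"{rr.name}/{rr.rtype}" for rr in parse_rrs(text) if rr.ttl < threshold]


# Referral as returned by c.gtld-servers.net in the directed NS query above.
REFERRAL_FROM_COM = """\
infoblox.com. 172800 IN NS ns1.infoblox.com.
infoblox.com. 172800 IN NS ns2.infoblox.com.
infoblox.com. 172800 IN NS ns3.infoblox.com.
infoblox.com. 172800 IN NS ns4.infoblox.com.
infoblox.com. 172800 IN NS ns5.infoblox.com.
infoblox.com. 172800 IN NS ns6.infoblox.com.
ns1.infoblox.com. 172800 IN A 207.47.7.140
ns2.infoblox.com. 172800 IN A 205.234.19.211
ns2.infoblox.com. 172800 IN AAAA 2620:10a:6001:fffe::11
ns3.infoblox.com. 172800 IN A 205.234.19.10
ns3.infoblox.com. 172800 IN AAAA 2620:10a:6001:fffe::10
ns4.infoblox.com. 172800 IN A 207.47.7.139
ns5.infoblox.com. 172800 IN A 52.21.154.140
ns6.infoblox.com. 172800 IN A 23.99.82.199
"""
# SOA rdata quoted in the thread.
SOA_RDATA = "thens.infoblox.com. dns.infoblox.com. 2006564344 10800 1080 1209600 3600"
# Constructed: the same referral with its additional section stripped.
REFERRAL_NO_GLUE = "\n".join(l for l in REFERRAL_FROM_COM.splitlines() if " IN NS " in l)
# Tail of the failing dig +trace run posted above.
TRACE_TAIL = """\
couldn't get address for 'ns1.infoblox.com': not found
couldn't get address for 'ns2.infoblox.com': not found
couldn't get address for 'ns3.infoblox.com': not found
couldn't get address for 'ns4.infoblox.com': not found
couldn't get address for 'ns5.infoblox.com': not found
couldn't get address for 'ns6.infoblox.com': not found
dig: couldn't get address for 'ns1.infoblox.com': no more
"""
ANSWER = "infoblox.com. 30 IN A 23.185.0.3"

if __name__ == "__main__":
    for f in check_delegation("infoblox.com", REFERRAL_FROM_COM, SOA_RDATA):
        print("referral:", f)
    for f in check_delegation("infoblox.com", REFERRAL_NO_GLUE, SOA_RDATA):
        print("no-glue:", f)
    print("unresolved in trace:", unresolved_nameservers(TRACE_TAIL))
    print("low TTL:", low_ttl_records(ANSWER))
```

Run against the real referral the only finding is the SOA MNAME mismatch, which is consistent with the thread's observation that the .com side hands out working glue; the constructed glue-less variant shows the six "no glue" findings a resolver would be stuck on. The checks say nothing about why a particular unbound instance failed, only what the delegation data looks like.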
-
@johnpoz said in NXDomain with Unbound:
Well, digging a bit deeper, they do seem to have a bit of an issue; they list their SOA as
SOA thens.infoblox.com. dns.infoblox.com. 2006564344 10800 1080 1209600 3600
But thens.infoblox.com is not being handed out as an NS from the .com NS..
That could lead to some issues.. It's sometimes done on purpose, but could also be a misconfig, or they may be in the process of changing some stuff... Which could explain the super low 30-second TTLs?
Yeah, I'm thinking maybe it is just something specific to them temporarily. As you say, maybe they are making changes. I was just testing to see if I could reproduce the OP's error, and to my surprise I could.
-
They are one of the major players in DNS.. their appliances are used across the globe by some really big players.. I would have to take it they're in the process of changing something, maybe?
If not, someone is getting fired, if it's just a stupid misconfig ;) hehehe