1000s of "SERVFAIL . . . service.arpa" messages

Hello,

Happy new year everyone!

Since the beginning of October 2024 I have been seeing lots of these messages:

Oct  2 17:53:31 ipfire unbound: [15153:0] error: SERVFAIL <default.service.arpa. SOA IN>: all the configured stub or forward servers failed, at zone . from 149.112.112.112 got SERVFAIL
Oct  2 17:53:31 ipfire unbound: [15153:0] error: SERVFAIL <service.arpa. SOA IN>: all the configured stub or forward servers failed, at zone . from 149.112.112.11 got SERVFAIL
Oct  2 17:53:32 ipfire unbound: [15153:0] error: SERVFAIL <_matter._tcp.default.service.arpa. PTR IN>: all the configured stub or forward servers failed, at zone . from 9.9.9.11 got SERVFAIL
Oct  2 17:53:40 ipfire unbound: [15153:0] error: SERVFAIL <_L1234._sub._matterc._udp.default.service.arpa. SOA IN>: all the configured stub or forward servers failed, at zone . from 149.112.112.11 got SERVFAIL
Oct  2 17:53:41 ipfire unbound: [15153:0] error: SERVFAIL <_sub._matterc._udp.default.service.arpa. SOA IN>: all the configured stub or forward servers failed, at zone . from 9.9.9.11 got SERVFAIL
Oct  2 17:53:41 ipfire unbound: [15153:0] error: SERVFAIL <_matterc._udp.default.service.arpa. SOA IN>: all the configured stub or forward servers failed, at zone . from 149.112.112.112 got SERVFAIL
Oct  2 17:53:42 ipfire unbound: [15153:0] error: SERVFAIL <_udp.default.service.arpa. SOA IN>: all the configured stub or forward servers failed, at zone . from 149.112.112.11 got SERVFAIL
Oct  2 17:53:42 ipfire unbound: [15153:0] error: SERVFAIL <_1234._sub._matterc._udp.default.service.arpa. PTR IN>: all the configured stub or forward servers failed, at zone . from 9.9.9.11 got SERVFAIL
Oct  2 17:53:52 ipfire unbound: [15153:0] error: SERVFAIL <1234567890123456-1234567890123456._matter._tcp.default.service.arpa. SRV IN>: all the configured stub or forward servers failed, at zone . from 149.112.112.112 got SERVFAIL
Oct  2 17:53:52 ipfire unbound: [15153:0] error: SERVFAIL <1234567890123456-1234567890123456._matter._tcp.default.service.arpa. TXT IN>: all the configured stub or forward servers failed, at zone . from 149.112.112.112 got SERVFAIL

There are 1000s of these "SERVFAIL . . . service.arpa" messages every week and 144,028 messages since Oct 2, 2024. Best I can tell, these are all local DNS lookups, and they are failing an external DNS lookup for "service.arpa".

This happens with unbound 1.21.0 and persists with unbound 1.22.0.

And I believe this is related to this:
https://datatracker.ietf.org/doc/html/draft-ietf-dnssd-srp-25#section-10.1

So my ask, to stop "service.arpa" from escaping my local network, can "service.arpa" be added to the unbound code as a Special Use Domain Name similar to "home.arpa"?

Best regards,
Jon

Hi Jon,

We will probably include this in the future.
For now you can configure your current Unbound to have the same behavior as with home.arpa with:

local-zone: "service.arpa." static
local-data: "service.arpa. 10800 IN NS localhost."
local-data: "service.arpa. 10800 IN SOA localhost. nobody.invalid. 1 3600 1200 604800 10800"

which is the default content for home.arpa, taken from the manpage
(https://unbound.docs.nlnetlabs.nl/en/latest/manpages/unbound.conf.html#unbound-conf-local-zone), further down where it notes the default local zones.

Best regards,
-- Yorgos

By the way it looks like
https://www.iana.org/assignments/locally-served-dns-zones/locally-served-dns-zones.xhtml
also includes the zone resolver.arpa [RFC9462] to be served the same way…
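As an added example (not part of this thread and not Unbound's own code), the script below ties the three messages above together: it parses Unbound's "all the configured stub or forward servers failed" SERVFAIL lines as in Jon's log, flags queries at or below a special-use zone that nonetheless went out to a forwarder ("at zone ." is the tell that no local-zone matched), counts them per zone, and emits the same `local-zone`/`local-data` stanza Yorgos gave for each leaking zone. The zone list is a hand-picked subset of the IANA locally-served zones registry plus service.arpa and resolver.arpa; the embedded log lines are constructed to follow the pattern in the post, not copied from a real system.

```python
import re
from collections import Counter

# Special-use zones a recursive resolver should answer locally instead of forwarding.
# Assumption: a short subset of the IANA "Locally-Served DNS Zones" registry plus the
# two zones this thread adds (service.arpa, resolver.arpa); extend as needed.
LOCALLY_SERVED_ZONES = (
    "home.arpa.",
    "service.arpa.",
    "resolver.arpa.",
    "10.in-addr.arpa.",
    "168.192.in-addr.arpa.",
    "254.169.in-addr.arpa.",
)

# Matches Unbound's "all the configured stub or forward servers failed" SERVFAIL line.
SERVFAIL_RE = re.compile(
    r"unbound: \[\d+:\d+\] error: SERVFAIL "
    r"<(?P<qname>\S+) (?P<qtype>\S+) (?P<qclass>\S+)>: "
    r"all the configured stub or forward servers failed, "
    r"at zone (?P<zone>\S+) from (?P<upstream>\S+) got SERVFAIL"
)


def parse_servfail(line):
    """Return the query fields of one SERVFAIL log line, or None if it is not one."""
    m = SERVFAIL_RE.search(line)
    if not m:
        return None
    fields = m.groupdict()
    fields["qname"] = fields["qname"].lower()
    return fields


def enclosing_zone(qname, zones=LOCALLY_SERVED_ZONES):
    """Return the locally-served zone that qname is at or below, or None.

    The check is on label boundaries, so 'myservice.arpa.' is not under 'service.arpa.'.
    """
    qname = qname.lower()
    if not qname.endswith("."):
        qname += "."
    for zone in zones:
        if qname == zone or qname.endswith("." + zone):
            return zone
    return None


def leaked_zone_counts(lines, zones=LOCALLY_SERVED_ZONES):
    """Count, per special-use zone, SERVFAILs that show a query escaping to an upstream.

    'at zone .' means no local-zone matched, so the query went to the forwarders.
    """
    counts = Counter()
    for line in lines:
        rec = parse_servfail(line)
        if rec is None or rec["zone"] != ".":
            continue
        zone = enclosing_zone(rec["qname"], zones)
        if zone is not None:
            counts[zone] += 1
    return counts


def local_zone_stanza(zone, ttl=10800):
    """Unbound config that answers a zone locally, the way home.arpa is served by default.

    Record content follows the unbound.conf(5) default-zone description quoted in the thread.
    """
    zone = zone if zone.endswith(".") else zone + "."
    return "\n".join([
        f'local-zone: "{zone}" static',
        f'local-data: "{zone} {ttl} IN NS localhost."',
        f'local-data: "{zone} {ttl} IN SOA localhost. nobody.invalid. 1 3600 1200 604800 10800"',
    ])


def config_for_leaks(lines, zones=LOCALLY_SERVED_ZONES):
    """Stanzas for every special-use zone seen leaking, most frequent first."""
    counts = leaked_zone_counts(lines, zones)
    return "\n\n".join(local_zone_stanza(z) for z, _ in counts.most_common())


# Constructed sample lines modelled on the pattern in the post (not the poster's real log).
SAMPLE_LOG = """\
Oct  2 17:53:31 ipfire unbound: [15153:0] error: SERVFAIL <default.service.arpa. SOA IN>: all the configured stub or forward servers failed, at zone . from 149.112.112.112 got SERVFAIL
Oct  2 17:53:32 ipfire unbound: [15153:0] error: SERVFAIL <_matter._tcp.default.service.arpa. PTR IN>: all the configured stub or forward servers failed, at zone . from 9.9.9.11 got SERVFAIL
Oct  2 17:53:52 ipfire unbound: [15153:0] error: SERVFAIL <1234567890123456-1234567890123456._matter._tcp.default.service.arpa. SRV IN>: all the configured stub or forward servers failed, at zone . from 149.112.112.112 got SERVFAIL
Oct  2 17:54:05 ipfire unbound: [15153:0] error: SERVFAIL <_dns.resolver.arpa. SVCB IN>: all the configured stub or forward servers failed, at zone . from 9.9.9.11 got SERVFAIL
Oct  2 17:54:09 ipfire unbound: [15153:0] error: SERVFAIL <www.example.com. A IN>: all the configured stub or forward servers failed, at zone . from 9.9.9.11 got SERVFAIL
Oct  2 17:54:10 ipfire unbound: [15153:0] info: 192.168.1.10 printer.home.arpa. A IN NXDOMAIN 0.000000 1 118
""".splitlines()

if __name__ == "__main__":
    for zone, n in leaked_zone_counts(SAMPLE_LOG).most_common():
        print(f"{n:6d}  {zone}")
    print()
    print(config_for_leaks(SAMPLE_LOG))
```

Run it against a real log with `leaked_zone_counts(open("/var/log/messages"))`; the www.example.com SERVFAIL in the sample is deliberately not counted, since a genuine upstream failure for a public name is a different problem from a special-use name escaping the network. The generated stanzas are only needed for zones your Unbound version does not already serve by default; after adding them, check the result with `unbound-checkconf` and confirm a query such as `dig SOA service.arpa @127.0.0.1` now gets a local answer instead of a SERVFAIL.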

Thanks Olivier,
I added both on the current master branch.
(https://github.com/NLnetLabs/unbound/commit/f52b2a6ea251749bb7c85e2074a6c17e28d2ae81)

Best regards,
-- Yorgos

Thank you Yorgos! Thank you Olivier!

You are the BEST!

Best regards,
Jon