Only one domain failing to resolve, unbound pi-hole

Kind of pulling my hair out with this one. The domain twitterdatadash.com will not resolve with unbound recursively. I get SERVFAIL.

root.hints is up to date, local time on raspi is accurate. No other domains are failing.

Both dig sigfail.verteiltesysteme.net @127.0.0.1 -p 5335 and dig sigok.verteiltesysteme.net @127.0.0.1 -p 5335 are as expected.

Switching to an upstream DNS in Pi-hole will get the domain to successfully resolve, as well as using a standard DNS forward-zone in unbound.conf.d/pi-hole.conf:

forward-zone:
    name: "."
    forward-addr: 8.8.8.8

However, if I use a DoT forward zone (because of suspected possible DNS hijacking by my ISP):

tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt
forward-zone:
    name: "."
    forward-addr: 1.1.1.1@853#cloudflare-dns.com
    forward-addr: 1.0.0.1@853#cloudflare-dns.com
    forward-ssl-upstream: yes

Everything works exactly as expected, including https://1.1.1.1/help except twitterdatadash.com remains SERVFAIL.

Paste of dig outputs with various unbound configurations: https://pastebin.com/k1LtjzHB

pi-hole.conf: https://pastebin.com/szLmcNFj

unbound logs grepped with “twitterdatadash”:

‘default’ pihole.conf : https://pastebin.com/JmgUDSRv

with DoT: https://pastebin.com/k3UgdZD4

Accessing that domain is not crucial by any means; I am only concerned it may be indicative of a bigger issue. It seems like there must be an issue with my configuration somewhere, but every test I run appears to indicate no issue. Is it possible the issue is not on my end? Anyone have any ideas?

Maybe you have DNSSEC validation enabled?

$ delv twitterdatadash.com
; unsigned answer
twitterdatadash.com. 7200 IN A 34.96.91.68

I'm not sure why having validation enabled would affect resolution of unsigned data. Seems like that would cause problems with far more than one domain.

But I am certainly prepared to be surprised :slight_smile:

Joe

Hi,

You can use the option 'log-servfail: yes' in the configuration file. That would make Unbound log the reason a query is SERVFAIL'ing.

From the output you shared it seems that Unbound itself is getting an error answer from the server (e.g., SERVFAIL/NXDOMAIN/REFUSED) but I can't say for sure since the grepped output hides the interesting lines.

Best regards,
-- George
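A small triage helper for the 'log-servfail: yes' output George suggests, written as an added example for this thread (it is not code from the poster or from the Unbound project). The log lines inside it are constructed to mimic Unbound's 'SERVFAIL <qname qtype qclass>: reason' and 'validation failure <...>: reason' messages; the exact wording of the reasons varies between Unbound versions, so the keyword-based classification is a heuristic.

```python
import re
from collections import Counter

# Added example: triage Unbound 'log-servfail: yes' output for one domain.
# Matches both 'SERVFAIL <qname qtype qclass>: reason' and
# 'validation failure <qname qtype qclass>: reason' messages.
LINE_RE = re.compile(
    r"(?P<kind>SERVFAIL|validation failure) <(?P<qname>\S+) (?P<qtype>\S+) "
    r"(?P<qclass>\S+)>: (?P<reason>.*)$"
)

def classify(kind, reason):
    """Map a logged failure to the layer to check first (heuristic keywords)."""
    if kind == "validation failure":
        return "dnssec"         # trust anchor, clock, or broken signatures
    r = reason.lower()
    if "forward" in r or "stub" in r or "got servfail" in r:
        return "upstream"       # the forwarder itself answered with an error
    if "no server" in r or "timeout" in r or "exceeded" in r:
        return "reachability"   # no usable answer came back at all
    return "other"

def triage(lines, domain):
    """Return (records for `domain` and its subdomains, Counter of categories)."""
    domain = domain.rstrip(".").lower()
    records = []
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue
        qname = m["qname"].rstrip(".").lower()
        if qname != domain and not qname.endswith("." + domain):
            continue                # other names (e.g. the sigfail test) are skipped
        records.append({"qname": qname, "qtype": m["qtype"], "kind": m["kind"],
                        "reason": m["reason"], "category": classify(m["kind"], m["reason"])})
    return records, Counter(r["category"] for r in records)

# Constructed sample log lines (not real output from the poster's resolver).
SAMPLE_LOG = """\
[1700000000] unbound[812:0] info: resolving twitterdatadash.com. A IN
[1700000001] unbound[812:0] info: SERVFAIL <twitterdatadash.com. A IN>: all the configured stub or forward servers failed, at zone . from 8.8.8.8 got SERVFAIL
[1700000002] unbound[812:0] info: validation failure <sigfail.verteiltesysteme.net. A IN>: signature crypto failed from 2001:db8::53
[1700000003] unbound[812:0] info: SERVFAIL <twitterdatadash.com. AAAA IN>: exceeded the maximum number of sends
""".splitlines()

if __name__ == "__main__":
    recs, counts = triage(SAMPLE_LOG, "twitterdatadash.com")
    for r in recs:
        print(f"{r['qname']:<24} {r['qtype']:<5} {r['category']:<13} {r['reason']}")
    print(dict(counts))
```

Feed it the unfiltered log (e.g. `triage(open("/var/log/unbound.log"), "twitterdatadash.com")`) rather than a pre-grepped excerpt, so the reason text that follows the SERVFAIL marker is not lost.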

How do I get off this mailing list?

Am happy to be removed from it.

https://lists.nlnetlabs.nl/mailman/listinfo/unbound-users

You can go to https://lists.nlnetlabs.nl/mailman/listinfo/unbound-users.
At the bottom of the page you can read:
To unsubscribe from Unbound-users, get a password reminder, or change your subscription options enter your subscription email address: __________
and click the unsubscribe button.
