resolving .org - connection timed out; no servers could be reached

Dear Unbound team,

I have Unbound on my OpenWrt router. Everything works fine, but two times I had a strange issue. Every time I tried to "dig xxxxxx.org" I got a reply: connection timed out; no servers could be reached.

I tried to resolve diverse .org domains and for a few minutes it was not possible, while non-.org domains resolved without a problem. After ~15 minutes the issue was gone and I could also resolve the .org domains without changing anything on my setup.

What does the message "no servers could be reached" mean?
Does it mean that my client in the local network could not reach the router with Unbound?
Or does it mean that Unbound on the router was reached, but Unbound could not reach / get a response from the root DNS servers?

Yours faithfully

E

a message of 61 lines which said:

> I tried to resolve diverse .org domains and for a few minutes it was
> not possible, while non-.org domains resolved without a
> problem. After ~15 minutes the issue was gone and I could also resolve
> the .org domains without changing anything on my setup.

During the problem, was it possible to resolve names in other TLDs?

.org name servers are quite concentrated in operator, IP prefix and AS
so a routing issue may, in theory, create trouble. But, AFAIK, nobody
reported a problem recently.

> Or does it mean that Unbound on the router was reached, but Unbound could
> not reach / get a response from the root DNS servers?

Anyway, if it was specific to .org, it cannot be a problem with the
root (hence my first question).

As I wrote, other TLDs (.net, .com and some country TLDs) all resolved fine.
For .org I tried debian.org, ietf.org, gentoo.org and maybe some others, all failing.

Until now I noticed this two times, on 20191216 and 20200111, and it lasted for only ~15 minutes, maybe less, so it is hard to troubleshoot.

So you say the message 'connection timed out; no servers could be reached' from dig does not mean that my PC had trouble connecting to the router, but that the router had trouble connecting to the root DNS servers? If yes, then it is really strange, as there is no issue with other TLDs, but for .org I do not get any answer at all.

It looks like something is killing (or returning) my packets, filtered by the presence of the .org string.
MITM??? Or who is now trying to screw .org??

E

PS: I am using DNSSEC, but AFAIK this does not mean the resolve requests are encrypted...

a message of 109 lines which said:

> As I wrote, other TLDs (.net, .com and some country TLDs) all resolved
> fine. For .org I tried debian.org, ietf.org, gentoo.org and maybe
> some others, all failing.

Then I suggest querying the authoritative name servers of .org
directly, to see if they are reachable. (If not, it's not Unbound's fault.)

% dig @a0.org.afilias-nst.info. gentoo.org
...
;; AUTHORITY SECTION:
gentoo.org. 86400 IN NS ns1.gentoo.org.
gentoo.org. 86400 IN NS ns2.gentoo.org.
gentoo.org. 86400 IN NS ns3.gentoo.org.
...
;; Query time: 246 msec
;; SERVER: 2001:500:e::1#53(2001:500:e::1)
;; WHEN: Sun Jan 12 14:28:22 CET 2020
;; MSG SIZE rcvd: 408

> So you say the message 'connection timed out; no servers could be reached'
> from dig does not mean that my PC had trouble connecting to the router, but that the
> router had trouble connecting to the root DNS servers?

Or other authoritative name servers. Probably not the root since other
TLDs work.

When you query the resolver, it has to contact the authoritative name
servers. Maybe dig timed out before Unbound did. dig +timeout=30 to
see if, given more time, Unbound makes a decision (probably SERVFAIL,
if there is a reachability problem)?

> It looks like something is killing (or returning) my packets, filtered by the
> presence of the .org string.
> MITM??? Or who is now trying to screw .org??

Let's search simple explanations first: a routing/reachability
problem.

> PS: I am using DNSSEC, but AFAIK this does not mean the resolve requests are
> encrypted...

Indeed. DNSSEC signs but does not encrypt.
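The two suggestions in this reply (give Unbound enough time to return its own verdict, then query the .org authoritative servers directly) can be scripted so that the check does not itself depend on the possibly broken resolver. The script below is an added example, not code from the thread or from the Unbound project. It fetches the .org delegation from a root server by IP address (198.41.0.4 is a.root-servers.net) and then probes each .org server it finds by address, so the hostname of the .org server never has to be resolved through Unbound. It assumes dig is installed and that the local resolver is at 127.0.0.1; the two sample outputs at the bottom are constructed for offline testing of the parsing functions and use documentation addresses, not the real .org server addresses.

```shell
#!/bin/sh
# Added example (not from the thread or from Unbound). Assumes: dig installed,
# 198.41.0.4 (a.root-servers.net) reachable, local resolver on 127.0.0.1.

# Classify a dig run: TIMEOUT when dig itself gave up ("no servers could be
# reached"), otherwise the status field of the ";; ->>HEADER<<-" line
# (NOERROR, SERVFAIL, NXDOMAIN, ...), or UNKNOWN if no header was seen.
dig_status() {
    out=$1
    if printf '%s\n' "$out" | grep -q 'connection timed out; no servers could be reached'; then
        echo TIMEOUT
        return
    fi
    st=$(printf '%s\n' "$out" | sed -n 's/^;; ->>HEADER<<-.*status: \([A-Z]*\),.*/\1/p' | head -n 1)
    echo "${st:-UNKNOWN}"
}

# Pull the IPv4 glue addresses out of the ADDITIONAL section of a referral
# (the root's answer to "org NS" carries glue for every .org name server).
glue_v4() {
    printf '%s\n' "$1" | awk '
        /^;; ADDITIONAL SECTION:/ { in_add = 1; next }
        /^$/                      { in_add = 0 }
        in_add && $4 == "A"       { print $5 }'
}

# Live diagnosis. +timeout=30 +tries=1 lets Unbound reach its own decision
# (SERVFAIL on a reachability problem) instead of dig giving up first.
# The .org servers are authoritative, not recursive, hence +norecurse.
check_org() {
    name=${1:-debian.org}
    resolver=${2:-127.0.0.1}
    printf 'resolver %s: %s\n' "$resolver" \
        "$(dig_status "$(dig @"$resolver" +timeout=30 +tries=1 "$name")")"
    referral=$(dig @198.41.0.4 +norecurse +timeout=5 +tries=1 org NS)
    for ip in $(glue_v4 "$referral"); do
        printf '%s: %s\n' "$ip" \
            "$(dig_status "$(dig @"$ip" +norecurse +timeout=5 +tries=1 "$name")")"
    done
}

# Constructed samples (not real captures; documentation addresses) so that
# dig_status and glue_v4 can be exercised without network access.
SAMPLE_TIMEOUT='; <<>> DiG 9.11.5 <<>> debian.org
;; global options: +cmd
;; connection timed out; no servers could be reached'

SAMPLE_REFERRAL=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 3

;; AUTHORITY SECTION:
org.			172800	IN	NS	a0.org.afilias-nst.info.
org.			172800	IN	NS	b0.org.afilias-nst.org.

;; ADDITIONAL SECTION:
a0.org.afilias-nst.info.	172800	IN	A	192.0.2.1
a0.org.afilias-nst.info.	172800	IN	AAAA	2001:db8::1
b0.org.afilias-nst.org.	172800	IN	A	192.0.2.2
'

# Only hit the network when explicitly asked: sh orgcheck.sh run debian.org 192.168.1.1
if [ "${1:-}" = run ]; then
    check_org "${2:-debian.org}" "${3:-127.0.0.1}"
fi
```

Run it during the outage with `sh orgcheck.sh run debian.org <router-ip>`. If the resolver line says TIMEOUT or SERVFAIL while every .org server line says NOERROR, the .org servers are reachable from the host and the problem is between Unbound and them (or in Unbound itself); if the direct probes also time out, it is a reachability problem that no resolver setting will fix, which is the "simple explanation first" the reply asks to rule out before suspecting filtering.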

$ dig debian.org

; <<>> DiG 9.11.5-P4-5.1-Debian <<>> debian.org
;; global options: +cmd
;; connection timed out; no servers could be reached
kago@debian:~$ dig @a0.org.afilias-nst.info. debian.org
dig: couldn't get address for 'a0.org.afilias-nst.info.': failure

Anyone know???

E

It is gone, 20200113 20:49 UTC+1.