Hi,
You can use the option 'log-servfail: yes' in the configuration file.
That would make Unbound log the reason a query is SERVFAILing.
From the output you shared it seems that Unbound itself is getting an
error answer from the server (e.g., SERVFAIL/NXDOMAIN/REFUSED) but I
can't say for sure since the grepped output hides the interesting lines.
Best regards,
-- George
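A small diagnosis script to go with the 'log-servfail: yes' advice above. It is added here as an example and is not part of this thread or of Unbound itself. It assumes the local Unbound from the original post (127.0.0.1, port 5335; both can be overridden through environment variables) and 'dig' from the BIND utilities; the hostname, the script name and the variable names are illustrative. It queries the name twice, once normally and once with +cd (Checking Disabled, which asks the validator to hand back whatever it fetched without validating it), and classifies the result: a SERVFAIL that turns into an answer under +cd means the data was fetched but failed DNSSEC validation, while a SERVFAIL under both means no usable upstream answer was obtained at all, which is the case the 'log-servfail' line in the Unbound log explains. For validation failures, 'val-log-level: 2' in the server: clause makes Unbound log which record and key failed.

```shell
#!/bin/sh
# servfail-check.sh: added example, not code from the Unbound project or the thread.
# Assumptions: dig is installed; Unbound listens on UNBOUND_HOST:UNBOUND_PORT
# (defaults taken from the original post: 127.0.0.1, port 5335).

UNBOUND_HOST="${UNBOUND_HOST:-127.0.0.1}"
UNBOUND_PORT="${UNBOUND_PORT:-5335}"

# Pull the rcode out of dig's output ("status: SERVFAIL," -> "SERVFAIL").
# Prints NOANSWER when there is no status line at all (timeout, port closed).
dig_status() {
    status=$(printf '%s\n' "$1" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1)
    [ -n "$status" ] && printf '%s' "$status" || printf 'NOANSWER'
}

# Classify from two rcodes: the plain query and the same query with +cd.
#   SERVFAIL, then NOERROR/NXDOMAIN under +cd -> dnssec-bogus
#       data (or a denial of existence) was fetched but failed validation
#   SERVFAIL under both                       -> upstream
#       nothing usable came back; not a DNSSEC problem, read the log-servfail line
#   anything else                              -> ok
classify_servfail() {
    plain="$1"
    withcd="$2"
    if [ "$plain" = "SERVFAIL" ]; then
        case "$withcd" in
            NOERROR|NXDOMAIN) echo "dnssec-bogus" ;;
            *)                echo "upstream" ;;
        esac
    else
        echo "ok"
    fi
}

# Live procedure: two queries against the local resolver, then the verdict.
diagnose() {
    name="$1"
    plain=$(dig_status "$(dig +tries=1 +time=5 "$name" A @"$UNBOUND_HOST" -p "$UNBOUND_PORT")")
    withcd=$(dig_status "$(dig +tries=1 +time=5 +cd "$name" A @"$UNBOUND_HOST" -p "$UNBOUND_PORT")")
    verdict=$(classify_servfail "$plain" "$withcd")
    printf '%s: plain=%s cd=%s -> %s\n' "$name" "$plain" "$withcd" "$verdict"
    case "$verdict" in
        dnssec-bogus)
            echo "Validation failure: set val-log-level: 2 and look for 'validation failure' lines for $name." ;;
        upstream)
            echo "Upstream failure: with log-servfail: yes, grep the Unbound log for 'SERVFAIL <$name' for the reason." ;;
    esac
}

# The network part only runs when a name is given, so the helpers above
# can be sourced and exercised without a resolver.
if [ -n "${1:-}" ]; then
    diagnose "$1"
fi
```

Run it as 'sh servfail-check.sh twitterdatadash.com'. Keeping the rcode parsing and the classification in plain functions means the decision logic can be checked offline; only diagnose() touches the network. The sigfail/sigok pair from the original post proves the validator itself works, so a 'dnssec-bogus' verdict for one particular name points at that zone's own signatures or delegation rather than at the resolver.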
On 14/05/2022 05:36, BangDroid via Unbound-users wrote:
Kind of pulling my hair out with this one. The domain
twitterdatadash.com will not resolve with unbound recursively. I get SERVFAIL.
root.hints is up to date, local time on the raspi is accurate. No other
domains are failing.
Both dig sigfail.verteiltesysteme.net @127.0.0.1 -p 5335 and
dig sigok.verteiltesysteme.net @127.0.0.1 -p 5335 are as expected.
Switching to an upstream DNS in Pi-hole will get the domain to
successfully resolve, as well as using a standard DNS forward-zone in
unbound.conf.d/pi-hole.conf:
forward-zone:
    name: "."
    forward-addr: 8.8.8.8
However, if I use a DoT forward zone (because I suspect possible DNS
hijacking by my ISP):
tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt
forward-zone:
    name: "."
    forward-addr: 1.1.1.1@853#cloudflare-dns.com
    forward-addr: 1.0.0.1@853#cloudflare-dns.com
    forward-ssl-upstream: yes
Everything works exactly as expected, including https://1.1.1.1/help,
**except** twitterdatadash.com remains SERVFAIL.
Paste of dig outputs with various unbound configurations:
https://pastebin.com/k1LtjzHB
pi-hole.conf: https://pastebin.com/szLmcNFj
unbound logs grepped with "twitterdatadash":
'default' pihole.conf: https://pastebin.com/JmgUDSRv
with DoT: https://pastebin.com/k3UgdZD4
Accessing that domain is not crucial by any means, I am only concerned
it may be indicative of a bigger issue. It seems like there must be an
issue with my configuration somewhere, but every test I run appears to
indicate no issue. Is it possible the issue is not on my end? Anyone have
any ideas?