Hi Dmitri,
You can increase the verbosity in Unbound to see what is happening from
Unbound's side. A value of 4 will be eloquent but it will log the
information needed.
You can also set that value during runtime with:
unbound-control verbosity 4
You can do this briefly when the SERVFAILs are observed in order to keep
your logfile size manageable.
You could then also try:
unbound-control flush_infra abc.local.
and see if it resolves the issue; this is not a proper solution though.
Best regards,
-- Yorgos
On 31/03/2023 17:44, Dmitri Stepanov via Unbound-users wrote:
I have two reasonably large (150-200 hosts) segments of an internal network,
10.XXX.0.0 and 10.YYY.0.0. They are linked through the Internet; the speed is
not like a local link but high enough, about 50 Mb/s. I used two authoritative
BIND servers and three recursive ones (two in one segment, one in the second),
also BIND. For generating the BIND, Unbound and NSD configuration and zone
files I use the hostdb package, so all authoritative and recursive servers
are generated and distributed at once by hostdb.
Now I would like to restructure DNS. In place of my three recursive servers
I've created three combined ones with Unbound and NSD, where NSD serves only
local names and listens on a separate port.
This works fine for the first several minutes after reloading Unbound, and
then for local names I get SERVFAIL: "all the configured stub or forward
servers failed, at zone abc.local". At the same time, Internet names continue
to be resolved normally.
Unbound:

server:
    interface: 0.0.0.0
    do-not-query-localhost: no

stub-zone:
    name: "abc.local"
    stub-addr: 127.0.0.1@5678

stub-zone:
    name: "10.in-addr.arpa."
    stub-addr: 127.0.0.1@5678

forward-zone:
    name: "."
    forward-addr: 8.8.8.8
I'm not sure which is the source of this problem, Unbound or NSD. NSD has no
such diagnostic, but dig -p 5678 @127.0.0.1 localname.abc.local works fine.
It is difficult to catch the moment when it starts to SERVFAIL.
It looks like some resource is running out.
I've brought back the two separate authoritative servers, so now it is like:

stub-zone:
    name: "abc.local"
    stub-addr: 127.0.0.1@5678
    stub-addr: ipofauthserver1
    stub-addr: ipofauthserver2
Although there are not many hosts in the network, there are about 10,000
names in the local DNS zones.
All my DNS servers are OpenBSD 6.5-7.0 64-bit virtual machines running on
several free ESXi 5.5 and 7.3 servers.
Unbound 1.8.1 - 1.13.2.
Has anybody run into the same situation, where Unbound, after several
minutes of normal work, stops resolving local names and returns SERVFAIL if
it has only one local NSD source for local names?
I think such a configuration, with Unbound + NSD on one host, is reasonable
for home users, for example.
Regards
Dmitri Stepanov
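An added example, not from either message in this thread: a small POSIX shell watcher that automates the diagnostic procedure Yorgos describes above. It polls a local name through Unbound with dig and, the moment the answer is SERVFAIL, raises Unbound's verbosity at runtime for a short window, saves a dump_infra snapshot (the infra cache is where Unbound keeps the timeout and lame state it has learned about the stub server), restores verbosity, flushes the infra cache entry and re-probes. It assumes unbound-control is set up (remote-control enabled in unbound.conf) and dig is installed; the test name, polling interval, logging window and the assumption that the normal verbosity is 1 are placeholders. One caveat on the flush step: in the unbound-control manual flush_infra takes a server address or "all", so the example flushes the stub server's address rather than a zone name.

```shell
#!/bin/sh
# Example watcher (added here, not part of the thread). Assumes unbound-control
# works against the local Unbound and that dig is installed. All names and
# timings below are placeholders.

ZONE="abc.local."
NAME="localname.abc.local"   # hypothetical test name from the thread; substitute a real one
RESOLVER="127.0.0.1"         # the Unbound instance under test
STUB_ADDR="127.0.0.1"        # the stub-addr whose infra entry we flush (nsd on port 5678)
INTERVAL=10                  # seconds between probes
LOGWINDOW=60                 # seconds to keep verbosity raised
NORMAL_VERBOSITY=1           # assumed normal value to restore afterwards

# Extract the RCODE from dig's header line, e.g.
# ";; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4711"  ->  SERVFAIL
# Prints nothing if no header line is present (dig timed out or failed).
rcode_of() {
    printf '%s\n' "$1" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1
}

# One query for $NAME through the resolver under test; returns the RCODE.
probe() {
    rcode_of "$(dig +time=3 +tries=1 @"$RESOLVER" "$NAME" A 2>/dev/null)"
}

# Reaction to a SERVFAIL: raise verbosity briefly so the log stays manageable,
# capture what Unbound currently believes about its upstream servers, then
# apply the flush_infra workaround from the thread and check whether it helped.
on_servfail() {
    stamp=$(date '+%F %T')
    echo "$stamp SERVFAIL for $NAME; verbosity 4 for ${LOGWINDOW}s" >&2
    unbound-control verbosity 4
    unbound-control dump_infra > "/tmp/unbound-infra-$(date +%s).txt"
    sleep "$LOGWINDOW"
    unbound-control verbosity "$NORMAL_VERBOSITY"
    # Workaround, not a fix: drop the learned RTT/lame state for the stub server.
    unbound-control flush_infra "$STUB_ADDR"
    echo "$(date '+%F %T') after flush_infra $STUB_ADDR ($ZONE): $(probe)" >&2
}

main() {
    while :; do
        case "$(probe)" in
            SERVFAIL) on_servfail ;;
            "")       echo "$(date '+%F %T') no answer from $RESOLVER (timeout?)" >&2 ;;
        esac
        sleep "$INTERVAL"
    done
}

# Run the loop only when asked (WATCH=1 ./watch.sh), so the file can also be
# sourced to reuse rcode_of/probe interactively.
if [ "${WATCH:-0}" = 1 ]; then
    main
fi
```

Run it as WATCH=1 sh watch.sh on the resolver host once Dmitri's setup has been reloaded, and read the verbosity-4 log lines written during the window alongside the saved dump_infra snapshot: together they show which stub address Unbound was trying at the moment of the failure and what it had recorded about that server.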