DNS Forwarding Fails After Unbound Restart

DNS forwarding fails, i.e. hostnames are not resolved to IP addresses anymore, after doing a /etc/init.d/unbound restart. In /var/log/messages there are many log entries like:

Dec 16 18:14:53 ipfire unbound: [13668:2] debug: configured stub or forward servers failed -- returning SERVFAIL
Dec 16 18:14:53 ipfire unbound: [13668:2] debug: return error response SERVFAIL
...
Dec 16 18:14:53 ipfire unbound: [13668:2] query: 192.168.4.1 0.ipfire.pool.ntp.org. A IN
Dec 16 18:14:53 ipfire unbound: [13668:2] reply: 192.168.4.1 0.ipfire.pool.ntp.org. A IN SERVFAIL 0.000000 1 50

/etc/init.d/network restart brings DNS forwarding back to life.

Content of /etc/unbound/unbound.conf (after changing verbosity back to 1):

#
# Unbound configuration file for IPFire
#
# The full documentation is available at:
# https://www.unbound.net/documentation/unbound.conf.html
#

server:
	# Common Server Options
	chroot: ""
	directory: "/etc/unbound"
	username: "nobody"
	port: 53
	do-ip4: yes
	do-ip6: no
	do-udp: yes
	do-tcp: yes
	so-reuseport: yes
	do-not-query-localhost: yes

	# System Tuning
	include: "/etc/unbound/tuning.conf"

	# Logging Options
	verbosity: 1
	use-syslog: yes
	log-time-ascii: yes
	log-queries: yes
	log-replies: yes
	log-tag-queryreply: yes

	# Unbound Statistics
	statistics-interval: 86400
	statistics-cumulative: yes
	extended-statistics: yes

	# Prefetching
	prefetch: yes
	prefetch-key: yes

	# Randomise any cached responses
	rrset-roundrobin: yes

	# Privacy Options
	hide-identity: yes
	hide-version: yes
	qname-minimisation: yes
	minimal-responses: yes

	# DNSSEC
	auto-trust-anchor-file: "/var/lib/unbound/root.key"
	val-permissive-mode: no
	val-clean-additional: yes
	val-log-level: 1

	# Hardening Options
	harden-glue: yes
	harden-short-bufsize: no
	harden-large-queries: yes
	harden-dnssec-stripped: yes
	harden-below-nxdomain: yes
	harden-referral-path: yes
	harden-algo-downgrade: no
	use-caps-for-id: yes
	aggressive-nsec: yes

	# Harden against DNS cache poisoning
	unwanted-reply-threshold: 1000000

	# Listen on all interfaces
	interface-automatic: yes
	interface: 0.0.0.0

	# Allow access from everywhere
	access-control: 0.0.0.0/0 allow

	# Bootstrap root servers
	root-hints: "/etc/unbound/root.hints"

	# Include DHCP leases
	include: "/etc/unbound/dhcp-leases.conf"

	# Include any forward zones
	include: "/etc/unbound/forward.conf"

	# Include safe search settings
	include: "/etc/unbound/safe-search.conf"

remote-control:
	control-enable: yes
	control-use-cert: no
	control-interface: 127.0.0.1

# Import any local configurations
include: "/etc/unbound/local.d/*.conf"

Content of /etc/unbound/forward.conf:

# This file is automatically generated and any changes
# will be overwritten. DO NOT EDIT!

forward-zone:
	name: .
	forward-addr: 8.8.8.8

System versions:

IPFire version: IPFire 2.23 (x86_64) - core138
Pakfire version: 2.23-x86_64
Kernel version: Linux ipfire.localdomain 4.14.154-ipfire #1 SMP Fri Nov 15 07:27:41 GMT 2019 x86_64 Intel® Atom™ CPU C3558 @ 2.20GHz GenuineIntel GNU/Linux
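To spot the failure state described above from the syslog output alone (forwarder-failure messages followed by nothing but SERVFAIL replies), here is an added example log checker; it is not part of the original post or of IPFire, and the sample log text below is constructed from the lines quoted in the post plus a few more in the same format.

```python
import re
from collections import Counter

# Unbound syslog reply line as produced by the posted config (use-syslog,
# log-queries, log-replies, log-tag-queryreply):
#   <timestamp> <host> unbound: [<pid>:<thread>] reply: <client> <qname> <qtype> <qclass> <rcode> ...
REPLY_RE = re.compile(
    r"^\w{3} +\d+ [\d:]+ \S+ unbound: \[\d+:\d+\] reply: "
    r"(?P<client>\S+) (?P<qname>\S+) (?P<qtype>\S+) (?P<qclass>\S+) (?P<rcode>\S+)"
)
# Message Unbound logs when every forward-addr in forward.conf is unusable.
FORWARD_FAIL = "configured stub or forward servers failed"

def analyse_unbound_log(lines):
    """Return ({client: Counter(rcode)}, number of forwarder-failure messages)."""
    per_client, forward_failures = {}, 0
    for line in lines:
        if FORWARD_FAIL in line:
            forward_failures += 1
            continue
        m = REPLY_RE.match(line)
        if m:
            per_client.setdefault(m["client"], Counter())[m["rcode"]] += 1
    return per_client, forward_failures

def forwarding_broken(per_client, forward_failures, min_replies=3):
    """Alert condition: forwarder failures were logged and every reply was SERVFAIL."""
    total = sum(sum(c.values()) for c in per_client.values())
    servfail = sum(c["SERVFAIL"] for c in per_client.values())
    return forward_failures > 0 and total >= min_replies and servfail == total

# Constructed sample: the lines quoted in the post plus two more in the same format.
BROKEN_LOG = """\
Dec 16 18:14:53 ipfire unbound: [13668:2] debug: configured stub or forward servers failed -- returning SERVFAIL
Dec 16 18:14:53 ipfire unbound: [13668:2] debug: return error response SERVFAIL
Dec 16 18:14:53 ipfire unbound: [13668:2] query: 192.168.4.1 0.ipfire.pool.ntp.org. A IN
Dec 16 18:14:53 ipfire unbound: [13668:2] reply: 192.168.4.1 0.ipfire.pool.ntp.org. A IN SERVFAIL 0.000000 1 50
Dec 16 18:14:54 ipfire unbound: [13668:1] reply: 192.168.4.22 www.ipfire.org. A IN SERVFAIL 0.000000 1 48
Dec 16 18:14:55 ipfire unbound: [13668:2] reply: 192.168.4.1 1.ipfire.pool.ntp.org. A IN SERVFAIL 0.000000 1 50
"""
# Constructed sample of a healthy resolver after /etc/init.d/network restart.
HEALTHY_LOG = """\
Dec 16 18:20:01 ipfire unbound: [13901:1] reply: 192.168.4.1 0.ipfire.pool.ntp.org. A IN NOERROR 0.031245 0 78
Dec 16 18:20:02 ipfire unbound: [13901:2] reply: 192.168.4.22 www.ipfire.org. A IN NOERROR 0.000000 1 60
"""

def check_log(text):
    # True when the log shows the failure pattern from the post.
    return forwarding_broken(*analyse_unbound_log(text.splitlines()))
```

Run it against /var/log/messages after an Unbound restart; a True result is the cue to look at forward.conf and the upstream before clients start complaining.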

Can you show us the settings from the web UI?

What are you trying to configure here?

Hello Michael,

the UI settings regarding DNS are as follows:

Whenever I toggle the Enabled-checkbox for a current host of the “Edit Hosts” screen DNS starts failing for all LAN clients.

I noticed that this UI action triggers a call to the BuildConfiguration subroutine in hosts.cgi, which then results in a restart of Unbound. I then checked whether I could restart Unbound manually to further isolate the error condition.

Hi!
Got a similar problem: after restarting unbound, I have problems with calling some (not always the same) URLs and get "server not found". Clearing the DNS cache (browser, system) doesn't help. Sometimes waiting can help, sometimes I need to restart my fritzbox.
Setting: Internet <-> fritzbox <-> ipfire <-> my network
Best,
Edi


I also encountered problems with DNS cache after restarting my ipfire box with 139. Several domains became unreachable (e.g. .org).
I had partial success switching DNS to 8.8.8.8 and back to the original settings through the setup application.
I supposedly run the same setup as most of the other users here:
Internet - fritzbox - ipfire box - private network