DNS unbound servfail errors

error1533 · 18 July 2022 09:35

Hello,
i have a strange problem with DNS unbound:
IPFire 2.27 (x86_64) - Core Update 168
Static IP configuration via TV cable Modem to vodafone

If i call some Websites, here eg “disapo.de” , i get the error “site not found”
If i refresh the DNS server configuration by clicking “save” in the web-gui, the sites will be found.
If i wait 5 to 10 minutes and call the site again, i again get the error “site not found”
This happens only on very few, but always the same, sites.

The problem persists with other DNS servers.

Is there any idea, what to do?
thanks a lot for your help.

roberto · 18 July 2022 11:05

Hi @error1533.

Have You Router or cable modem?.

Vodafone have something called “SECURE DNS” or similar how impossibilite to use another DNSs. I think is in Router mode. If You have in this mode, You need unable this. If that is not the case, maybe another guy can help you.

It’s an idea.

Greetings.

error1533 · 18 July 2022 11:32

Hi Roberto,

as i wrote, TV cable modem with multiple fixed IP’s.

Next query, a few minutes later

|11:00:41|unbound: [1814:0]|error: SERVFAIL <www.disapo.de. A IN>: all the configured stub or forward serve rs failed, at zone . from (inet_ntop_error) upstream server timeout|

|—|—|—|

At this time mark ( |10:15:52 ) the query works

|10:15:52|unbound: [1814:0]|info: generate keytag query _ta-4a5c-4f66. NULL IN|

|10:15:52|unbound: [1814:0]|info: start of service (unbound 1.14.0).|

|10:15:52|unbound: [1814:0]|notice: init module 1: iterator|

|10:15:52|unbound: [1814:0]|notice: init module 0: validator|

|10:15:52|unbound: [1814:0]|notice: Restart of unbound 1.14.0.|

|10:15:52|unbound: [1814:0]|info: 32.000000 64.000000 1|

|10:15:52|unbound: [1814:0]|info: 16.000000 32.000000 6|

|10:15:52|unbound: [1814:0]|info: 8.000000 16.000000 1|

|10:15:52|unbound: [1814:0]|info: 4.000000 8.000000 5|

|10:15:52|unbound: [1814:0]|info: 2.000000 4.000000 1|

|10:15:52|unbound: [1814:0]|info: 0.524288 1.000000 1|

|10:15:52|unbound: [1814:0]|info: 0.131072 0.262144 5|

|10:15:52|unbound: [1814:0]|info: 0.065536 0.131072 22|

|10:15:52|unbound: [1814:0]|info: 0.032768 0.065536 25|

|10:15:52|unbound: [1814:0]|info: 0.016384 0.032768 27|

|10:15:52|unbound: [1814:0]|info: 0.008192 0.016384 20|

|10:15:52|unbound: [1814:0]|info: 0.002048 0.004096 1|

|10:15:52|unbound: [1814:0]|info: 0.000000 0.000001 25|

|10:15:52|unbound: [1814:0]|info: lower(secs) upper(secs) recursions|

|10:15:52|unbound: [1814:0]|info: [25%]=0.0118784 median[50%]=0.0309476 [75%]=0.0863884|

|10:15:52|unbound: [1814:0]|info: histogram of recursion processing times|

|10:15:52|unbound: [1814:0]|info: average recursion processing time 1.630828 sec|

|10:15:52|unbound: [1814:0]|info: server stats for thread 0: requestlist max 3 avg 0.277778 exceeded 0 jost led 0|

|10:15:52|unbound: [1814:0]|info: server stats for thread 0: 172 queries, 28 answers from cache, 144 recurs ions, 0 prefetch, 0 rejected by ip ratelimiting|

|10:15:52|unbound: [1814:0]|info: service stopped (unbound 1.14.0).|

|10:12:14|unbound: [1814:0]|error: SERVFAIL <www.disapo.de. A IN>: all the configured stub or forward serve rs failed, at zone . upstream server timeout|

bonnietwin · 18 July 2022 12:20

This is saying that unbound had a timeout waiting for a response from the upstream DNS server.

Unbound then won’t use that server for a short while and will try one of the other dns servers from the list you have defined and enabled. Sometimes servers can timeout because they are very busy but will be able to respond again after a short while. Alternatively if the dns server has had some form of outage then it will have repetitive fails. Unbound will then mark that dns server down in terms of using it.

It could be that the specific website(s) you are trying to access have some problem with their dns records and it is taking too long to resolve. I am not familiar enough with the DNS system to be sure on that.

Do you have multiple dns servers listed and enabled in the IPFire DNS Server page?

If yes then I don’t understand why the timeout would persist across other dns servers unless there is some problem with the dns records for that website.

When unbound fails to get the dns info and you get a site not found error, does that stay with that error when you repetitively try and access it until you re-select the dns servers on the IPFire wui page. If yes, then when you have the problem try running a dig or kdig command on the website to see what messages come back. There might be a bit more info than what unbound shows.

error1533 · 18 July 2022 13:04

Hello, thank you for your reply.

I am using 8.8.8.8 and 8.8.4.4 as DNS servers. I tryed others, but always same result.

DIG says :
disapo.de. 300 IN A 51.89.126.194
disapo.de. 300 IN A 145.239.136.54

The websites that i cannot reach are availeble. If i try over a different IP connection, everything works fine.

hvacguy · 18 July 2022 14:54

Assuming you are using UDP
Have you tried switching to TCP?

error1533 · 18 July 2022 15:41

Thank you,
i just tried TCP, no change, same problem.
Changed back to UDP

If i do a DIG to the missing website, the output of dig on the firewall itself does not change, before or after the problem reappears.