I was searching through my message logs for SERVFAIL errors and I came across LOTS of these messages:
Oct 2 17:53:31 ipfire unbound: [15153:0] error: SERVFAIL <default.service.arpa. SOA IN>: all the configured stub or forward servers failed, at zone . from 149.112.112.112 got SERVFAIL
Oct 2 17:53:31 ipfire unbound: [15153:0] error: SERVFAIL <service.arpa. SOA IN>: all the configured stub or forward servers failed, at zone . from 149.112.112.11 got SERVFAIL
Oct 2 17:53:32 ipfire unbound: [15153:0] error: SERVFAIL <_matter._tcp.default.service.arpa. PTR IN>: all the configured stub or forward servers failed, at zone . from 9.9.9.11 got SERVFAIL
Oct 2 17:53:40 ipfire unbound: [15153:0] error: SERVFAIL <_L3887._sub._matterc._udp.default.service.arpa. SOA IN>: all the configured stub or forward servers failed, at zone . from 149.112.112.11 got SERVFAIL
Oct 2 17:53:41 ipfire unbound: [15153:0] error: SERVFAIL <_sub._matterc._udp.default.service.arpa. SOA IN>: all the configured stub or forward servers failed, at zone . from 9.9.9.11 got SERVFAIL
Oct 2 17:53:41 ipfire unbound: [15153:0] error: SERVFAIL <_matterc._udp.default.service.arpa. SOA IN>: all the configured stub or forward servers failed, at zone . from 149.112.112.112 got SERVFAIL
Oct 2 17:53:42 ipfire unbound: [15153:0] error: SERVFAIL <_udp.default.service.arpa. SOA IN>: all the configured stub or forward servers failed, at zone . from 149.112.112.11 got SERVFAIL
Oct 2 17:53:42 ipfire unbound: [15153:0] error: SERVFAIL <_L3887._sub._matterc._udp.default.service.arpa. PTR IN>: all the configured stub or forward servers failed, at zone . from 9.9.9.11 got SERVFAIL
Oct 2 17:53:52 ipfire unbound: [15153:0] error: SERVFAIL <1234567890123456-1234567890123456._matter._tcp.default.service.arpa. SRV IN>: all the configured stub or forward servers failed, at zone . from 149.112.112.112 got SERVFAIL
Oct 2 17:53:52 ipfire unbound: [15153:0] error: SERVFAIL <1234567890123456-1234567890123456._matter._tcp.default.service.arpa. TXT IN>: all the configured stub or forward servers failed, at zone . from 149.112.112.112 got SERVFAIL
I believe these are all local DNS lookup and are failing an external DNS lookup for service.arpa.
All of the above messages started on Oct 2, 2024. At that time I was using:
CU 188
unbound 1.21.0
APU4D4
There are 1000s of these messages SERVFAIL . . . service.arpa every week and 144028 since Oct 2024.
These message still persist today.
I Giggled around for service.arpa and found this:
you may have missed that, but IANA decided to properly delegate previously to home.arpa - to avoid DNSSEC breakage.
from here:
I have no idea if the two are related or how they are related.
Is there an unbound (or maybe bind) way to block service.arpa dns requests to the outside world. Temporarily I did block them via RPZ, but that seems doesnât feel like the right way to fix this.
I have checked my logs from start of Nov 2024 to today and I donât have a single service.arpa entry in my unbound logs on my production server.
If you believe that these are supposed to be local DNS lookups then it seems to me that the only reason for these to be sent external would be if they could not be resolved locally (bear in mind I am also not an expert).
Do you have all your hostnames on your local domain listed and enabled in the Hosts WUI page. I would expect any local fqdn listed in the Hosts page should be able to get resolved locally.
Okay, I have no Apple related devices at all. Mine are all Linux based except for my phone which is Android.
Then I have a range of things like TV, Surround Sound system, that are connected into my Orange Zone.
I ran your command and it came back with small numbers such as 0 to 6 at the max.
There were two with 6, these covering the second half of November.
I then looked in the whole of November again and there were 16 entries that had servfail <IP.in-addr.arpa. these all being when my DDNS linkage to my Public IP got lost for a short while.
The messages were either âmisc failureâ or âexceeded the maximum nameserver nxdomainsâ
Sounds reasonable to me. Maybe you could test it out and see if it helps. If it stops your messages. However not sure how to get it added to the local-zone list. There doesnât appear to be any default local-zone list that is defined for IPFire so maybe just the default one from unbound is used.
EDIT: unbound must somehow get some of the information itself from the used network as my domain name used internally is also listed in the local-zone.
That suggests that there is a default set that is defined by unbound and that includes home.arpa. So if service.arpa has been added by IANA now then it looks like we will have to wait for unbound to update their default local zone set to include service.arpa.
home.arpa was added to unbound in version 1.14.0 from Dec 2021.
EDIT: A pdf file for RFC9665 looks to be an officially released RFC for this issue. However I havenât been able to find the actual RFC on the ietf website. The pdf is dated Oct 2024. https://ftp.nic.ad.jp/in-notes/authors/rfc9665.pdf
So it could be a few years still before service.arpa gets added into the local-zone.
So you might need to leave that entry in your unbound local.d directory.
Donât forget to add it to your include.user file so it gets backed up by IPFire so you donât miss it when you do a restore after a fresh install.
EDIT: The two authors of that draft proposal both work for Apple Inc.
If others find these âSERVFAIL . . . service.arpaâ errors in their logs, we can always add this quick fix to the standard build for the short term until it appears in the unbound code.
I went through the message logs and searched for resolver.arpa and I was getting 1000âs of these messages also:
Jan 14 11:03:01 ipfire unbound: [28585:0] info: validation failure <_dns.resolver.arpa. SVCB IN>: no NSEC3 records from 9.9.9.11 for DS resolver.arpa. while building chain of trust
Jan 14 11:03:01 ipfire unbound: [28585:0] info: validation failure <_dns.resolver.arpa. SVCB IN>: key for validation resolver.arpa. is marked as invalid because of a previous
Jan 14 11:05:58 ipfire unbound: [28585:0] info: validation failure <_dns.resolver.arpa. SVCB IN>: no NSEC3 records from 149.112.112.112 for DS resolver.arpa. while building chain of trust
Jan 14 11:11:57 ipfire unbound: [28585:0] info: validation failure <_dns.resolver.arpa. SVCB IN>: no NSEC3 records from 9.9.9.11 for DS resolver.arpa. while building chain of trust
Since they were an unbound: [PID] info: message, and considered INFORMATION, and not a unbound: [PID] error: SERVFAIL I was ignoring them.
I was getting 1000s of the resolver.arpa messages every week for the past year.
If you see a DNS query for âresolver.arpa,â it means that a device is trying to determine the domain name associated with the IP address of the DNS server it is currently using.
And I can see them in my logs for the past year.
EDIT:
And this is interesting (though I havenât completed the thread yet)