Unbound and dynamic DNS

In the last days I get error messages like

unbound: [1617:0] error: SERVFAIL <“MYDYNDNSHOST”. A IN>: all the configured stub or forward servers failed, at zone . from 176.9.93.198 got SERVFAIL
unbound: [1617:0] error: SERVFAIL <“MYDYNDNSHOST”. A IN>: all the configured stub or forward servers failed, at zone . from 176.9.1.117 got SERVFAIL

and this always coincides with the update of the Dynamic DNS service.
But only since a certain time, why is that?

The two DNS servers are from DNSforge.

Thank you.

I get those messages also.

Do you get 1000’s or 10’s of those messages?

Also, please post a screenshot of your DNS Servers:
https://ipfire.localdomain:444/cgi-bin/dns.cgi

That is over 200 messages in the last 3 days, a total of almost 700; as I said, with each update of the dynamic DNS service.

But now I just ask myself why is there so often an update with the dynamic DNS, normally the IP always remains the same? This was not the case before.

The forum just doesn’t want to upload images; it spins endlessly here.
But there I have no error messages.

You do have permission to upload images (I checked!)

Are you doing a drag & drop? Or something else??

There is also an upload button above. Maybe that will work…

No, I used the upload function, twice, after selecting the 756KB image it loads for minutes.
Processing: Screenshot19.jpg…

Very odd…

As a wild guess - do you have IPS turned on? Can you turn it off temporarily? (until this is figured out)

I have now deactivated IPS. I also disabled the Dynamic DNS service and restarted it. It updates again every 10-15 minutes and immediately the unbound error message appears.

Could it have something to do with the TorProxy that I recently added, I previously had only the Tor Relay running?
This is the only change I have made recently.

Edit:
To come back to the dynamic DNS service, I logged on to the homepage, and the last update of my IP was 18 days ago. Why is ipfire now suddenly updating every 10-15 minutes? It is enough if this happens when my IP changes; that is how it was before.

Edit2:
I got this message in the log from dynamic DNS on 21.04. The next day about 12 hours later it started with the constant updates every 10-15 minutes. What does this mean?

Dynamic DNS update for "MYDYNDNSHOST" (TwoDNS) threw an unhandled exception:
Traceback (most recent call last):
  File "/usr/lib/python3.10/site-packages/ddns/system.py", line 272, in get_address
    return self.__addresses[proto]
KeyError: 'ipv4'

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/lib/python3.10/site-packages/ddns/__init__.py", line 178, in update
    entry(force=force)
  File "/usr/lib/python3.10/site-packages/ddns/providers.py", line 157, in __call__
    elif self.has_failure or not self.requires_update:
  File "/usr/lib/python3.10/site-packages/ddns/providers.py", line 202, in requires_update
    if self.ip_address_changed(self.protocols):
  File "/usr/lib/python3.10/site-packages/ddns/providers.py", line 270, in ip_address_changed
    current_address = self.get_address(proto)
  File "/usr/lib/python3.10/site-packages/ddns/providers.py", line 329, in get_address
    return self.core.system.get_ad

I have found the “error” with the upload function; I could have had the idea earlier: my browser settings have neutered the forum in this regard. So now I can upload any image you want :smiley:

Hi,

a possible explanation for this would be that your dynamic DNS provider started to conduct DNSSEC signing. If your IP address changes, and ddns submits that update to your DDNS provider, there might be a short period in which they did update the A record of your FQDN but did not yet do the DNSSEC resigning.

To verify this theory, please post

  • which DDNS provider you use
  • the output of dig a [your DDNS FQDN]

Thanks, and best regards,
Peter Müller

But I did not get a new IP. As I said, the last update of the IP address on the DDNS service took place 18 days ago. I am with the provider TwoDNS, as is also written in the error message I posted, and shortly after that error it started with the regular updates. Before that I had no updates of the DDNS service every 10-15 minutes; before that it was updated only when I got a new IP.
I don’t understand this behavior and I would like to change it, because this is definitely where the fault lies, but unfortunately I don’t know what I have to do.

[root@******* /]# dig a ***********************

; <<>> DiG 9.16.26 <<>> a ****************************
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 47619
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;***************************. IN A

;; ANSWER SECTION:
***************************. 60 IN A MYIPNOW

;; Query time: 202 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Apr 25 21:03:54 CEST 2022
;; MSG SIZE rcvd: 67

Hi,

thanks for your reply.

Okay, so DNSSEC signing delays are not the issue, since your DDNS FQDN is not signed anyways - if so, there would be an ad flag (for “authenticated data”) in the dig output.

So far, I could only conclude that this might be an issue related to the DNS resolvers you use. Does switching to different ones temporarily cause behaviour changes?

Thanks, and best regards,
Peter Müller

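The ad-flag check from the reply above, as an added example that is not from the thread or from IPFire: a small Python parser for dig’s text output that extracts the status, header flags, EDNS flags and answer records, and states whether the answer carried the ad flag. The sample output is constructed after the one posted here, with a placeholder hostname and address.

```python
import re

# Constructed dig output modelled on the one posted above; the hostname and
# answer address are placeholders, not the poster's real values.
SAMPLE_DIG = """\
; <<>> DiG 9.16.26 <<>> a host.example.my-wan.de
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 47619
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;host.example.my-wan.de. IN A

;; ANSWER SECTION:
host.example.my-wan.de. 60 IN A 192.0.2.10

;; Query time: 202 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
"""

def parse_dig(text):
    """Extract status, header flags, EDNS flags and answer records from dig's text output."""
    status = re.search(r"status: (\w+),", text).group(1)
    flags = set(re.search(r"^;; flags: ([^;]*);", text, re.M).group(1).split())
    edns = re.search(r"^; EDNS: .*?flags:([^;]*);", text, re.M)
    edns_flags = set(edns.group(1).split()) if edns else set()
    answers, in_answer = [], False
    for line in text.splitlines():
        if line.startswith(";; ANSWER SECTION:"):
            in_answer = True
        elif in_answer:
            if not line.strip() or line.startswith(";"):
                break  # end of the answer section
            name, ttl, rclass, rtype, rdata = line.split(None, 4)
            answers.append({"name": name, "ttl": int(ttl), "type": rtype, "rdata": rdata})
    return {"status": status, "flags": flags, "edns_flags": edns_flags, "answers": answers}

def assess(text):
    """Turn a dig reply into the verdicts used in the thread."""
    r = parse_dig(text)
    if r["status"] == "SERVFAIL":
        return "SERVFAIL: the resolver or its forwarders could not answer"
    if "ad" not in r["flags"]:
        return "NOERROR but no ad flag: answer was not DNSSEC-validated, so a signing lag is not the explanation"
    return "NOERROR with ad flag: DNSSEC-validated answer"
```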

Yeah, that was the solution. After selecting a different DNS provider, I was able to turn Dynamic DNS on, no more constant updates and thus no more errors in the unbound log. After some time I switched back the DNS Provider and it seems to run normally again.
Thank you very much! But how do you come up with something like this? :smiley:


Hi,

hm, this kind of leaves a bad taste, as the problem does not seem to be reproducible. :expressionless:

Should the issue appear again, please do let us know, so we can investigate further onto this. Might have been a hiccup at DNSforge as well, but that would be a pretty unlikely coincidence…

You’re welcome. Years of debugging, I guess… :slight_smile:

Thanks, and best regards,
Peter Müller


Hi,
the error came again but this time switching to other DNS servers (quad9) and back did not bring any improvement.
A successful update with the otherwise registered dnsforge DNS servers is currently no longer possible.
But now I have observed something interesting. On the Android I have also entered dnsforge under the private DNS settings; when I now try to connect to my host with OpenVPN, there is no name resolution. As soon as I change the DNS server, it works, although with an IPv6 address, but it works. If I connect to my IPv4 directly it works too, btw.

I would like to continue using dnsforge as DNS because they use an excellent ad filter, but why is the name resolution not working? Did dnsforge block my host or IP?

So I now have this unbound error permanently, no matter which DNS server I choose; earlier at least 9.9.9.9 still worked, but that now also no longer works.
Web pages also now load what feels like 5 times slower.

Any ideas how I can solve this?

Please post a screenshot of your DNS Servers (menu Network > Domain Name System)


Hi,

normally I use the dnsforge.de server

Regards

Hello,
I see the same unbound errors as mentioned above.
My DNS Configuration:

@mumpitz - can you run this command? It will tell us how many of these errors you see:

grep -i SERVFAIL /var/log/messages | wc -l

And post the results.

I usually see numbers between 0 and 200 per week ← this is normal !


If the number is small go ahead and run:

grep -i SERVFAIL /var/log/messages

and then post the results.


EDIT: If you want to see how many SERVFAILs over the past 12 weeks then run:

for logf in $(ls /var/log/messages* | sort -rV | tail -12) ; do ls -al $logf ; zgrep --color -ic "SERVFAIL" $logf ; done

The output will be:

[root@ipfire ~] # for logf in $(ls /var/log/messages* | sort -rV | tail -12) ; do ls -al $logf ; zgrep --color -ic "SERVFAIL" $logf ; done

-rw-rw-r-- 1 root syslogd 1570707 Jul 17 00:00 /var/log/messages.11.gz
29
-rw-rw-r-- 1 root syslogd 1579141 Jul 24 00:00 /var/log/messages.10.gz
0
-rw-rw-r-- 1 root syslogd 1462215 Jul 31 00:00 /var/log/messages.9.gz
1
-rw-rw-r-- 1 root syslogd 1459897 Aug  7 00:00 /var/log/messages.8.gz
59

Hi,
first, sorry for the late response.

second, at the moment I have had all services stopped for a week, so only a few errors are in the logs now, BUT
if I run your last command and look into messages.3, for example, it looks different–>

 grep -i SERVFAIL /var/log/messages.3 | wc -l
1423

and most of them (only a few are different) look like this–>

Sep 10 09:37:37 PEEP unbound: [1657:0] error: SERVFAIL <MYTwoDNSHostName.my-wan.de. A IN>: all the configured stub or forward servers failed, at zone . from 176.9.1.117 got SERVFAIL
Sep 10 09:37:48 PEEP unbound: [1657:0] error: SERVFAIL <MYTwoDNSHostName.my-wan.de. A IN>: all the configured stub or forward servers failed, at zone . from 176.9.93.198 got SERVFAIL

and at the same time I get the DDNS update messages without any update of my IP

Dynamic DNS update for MYTwoDNSHostName.my-wan.de (TwoDNS) successful

or in numbers

grep -i ddns /var/log/messages.3 | wc -l
1022

and in the webgui under services–>DDNS
the hostname of my chosen service is now always red, not green like before in the meantime after a successful update.

That unbound sometimes hiccups can happen, but since over days only DDNS fails and an update is performed every 15 minutes, although my IP has not changed for days and apparently the check on it also fails, I suspect that my IP has ended up on a block list, so that my host can no longer be reached via dnsforge, for whatever reason. Because on the Android I could not reach the host via dnsforge when making the OpenVPN request to the IPFire OpenVPN server, I simply assume that for now.

Greetz
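The SERVFAIL counting suggested earlier and the coincidence of SERVFAILs with DDNS updates in the last post, as an added example (not the thread’s or IPFire’s own tooling): it parses syslog lines of the shape quoted here, counts SERVFAILs per upstream forwarder and per queried name, and counts DDNS updates that follow a SERVFAIL for the same hostname within a short window. The sample lines are constructed; the hostname, PID, timestamps and the ddns: syslog prefix are assumptions.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample syslog excerpt modelled on the lines quoted in the thread.
# Hostname, PID, timestamps and the "ddns:" program prefix are assumptions.
SAMPLE_LOG = """\
Sep 10 09:37:37 PEEP unbound: [1657:0] error: SERVFAIL <host.example.my-wan.de. A IN>: all the configured stub or forward servers failed, at zone . from 176.9.1.117 got SERVFAIL
Sep 10 09:37:48 PEEP unbound: [1657:0] error: SERVFAIL <host.example.my-wan.de. A IN>: all the configured stub or forward servers failed, at zone . from 176.9.93.198 got SERVFAIL
Sep 10 09:37:49 PEEP ddns: Dynamic DNS update for host.example.my-wan.de (TwoDNS) successful
Sep 10 09:52:40 PEEP unbound: [1657:0] error: SERVFAIL <host.example.my-wan.de. A IN>: all the configured stub or forward servers failed, at zone . from 176.9.1.117 got SERVFAIL
Sep 10 09:52:41 PEEP ddns: Dynamic DNS update for host.example.my-wan.de (TwoDNS) successful
Sep 10 11:00:00 PEEP unbound: [1657:0] error: SERVFAIL <other.example.com. A IN>: all the configured stub or forward servers failed, at zone . from 9.9.9.9 got SERVFAIL
Sep 10 12:00:00 PEEP ddns: Dynamic DNS update for host.example.my-wan.de (TwoDNS) successful
"""

TS = r"(\w{3} +\d+ \d\d:\d\d:\d\d)"
SERVFAIL_RE = re.compile(TS + r" \S+ unbound: .*SERVFAIL <(\S+) A IN>.* from (\S+) got SERVFAIL")
DDNS_RE = re.compile(TS + r" \S+ ddns: Dynamic DNS update for (\S+) \(\w+\) successful")

def parse_ts(text):
    # Syslog timestamps carry no year; deltas inside one log file are still right.
    return datetime.strptime(text, "%b %d %H:%M:%S")

def analyse(log_text, window_s=60):
    """Count SERVFAILs per upstream and per name, and count DDNS updates that
    follow a SERVFAIL for the same hostname within window_s seconds."""
    servfails, updates = [], []
    for line in log_text.splitlines():
        m = SERVFAIL_RE.match(line)
        if m:
            # unbound logs the name with a trailing dot, ddns without one
            servfails.append((parse_ts(m[1]), m[2].rstrip(".").lower(), m[3]))
            continue
        m = DDNS_RE.match(line)
        if m:
            updates.append((parse_ts(m[1]), m[2].rstrip(".").lower()))
    after_servfail = sum(
        1 for ts, name in updates
        if any(n == name and 0 <= (ts - t).total_seconds() <= window_s
               for t, n, _ in servfails))
    return {
        "servfail_total": len(servfails),
        "per_upstream": Counter(src for _, _, src in servfails),
        "per_name": Counter(n for _, n, _ in servfails),
        "updates_total": len(updates),
        "updates_after_servfail": after_servfail,
    }
```

On a real box, analyse(open("/var/log/messages").read()) gives the per-forwarder split; a value of updates_after_servfail close to updates_total is the pattern the last post describes, an update fired right after the resolver failed to answer for the DDNS hostname.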