Unbound fails to resolve

G’day all,

Does anyone else have issues with unbound?
I have two issues:

Just now unbound stopped resolving. It was running, but would not resolve on green; blue was working. (Unless my phone had switched to mobile data, I did not check that.)
Restarting unbound made no difference.
I had to reboot.

On another install, unbound no longer resolves the local host names.
Restarting unbound fixes that issue.

There is nothing in the logs of interest but then there is not really any unbound logging, on the whole I find unbound very unsatisfactory! :frowning:

They may or may not be related.

Also, while I am here, can ipfire/unbound deal with or create cnames?

Hi,

Haven’t had issues with unbound, but maybe someone can help on the forums. You say “stopped resolving”.

  1. Are you getting responses at all? Or only SERVFAIL/NXDOMAIN replies?
  2. Are you using upstream resolvers, or do you use unbound as your local recursor?
  3. Have you configured anything additional like the protocol or DNSSEC?

Any chance you could post a dig or drill response here?

I’ll see if I can do the same for my lab setup (on my phone now). :wink:


Hereby my queries:

On the kali WSL

└─$ dig @10.0.100.1 tweakers.net

; <<>> DiG 9.16.15-Debian <<>> @10.0.100.1 tweakers.net
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44743
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;tweakers.net.                  IN      A

;; ANSWER SECTION:
tweakers.net.           42      IN      A       213.239.154.30

;; Query time: 30 msec
;; SERVER: 10.0.100.1#53(10.0.100.1)
;; WHEN: Mon Aug 09 09:53:23 CEST 2021
;; MSG SIZE  rcvd: 57

I had to specifically configure the query to use 10.0.100.1, because it’s a WSL machine and typically uses the host (comparable to how Docker works) as (DNS) gateway, which forwards it (not transparently) to its own DNS server.

On the Windows laptop connected to GREEN

C:\Users\X>nslookup tweakers.net
Server:  ipfire-arm.domain.nl
Address:  10.0.100.1

Non-authoritative answer:
Name:    tweakers.net
Addresses:  2001:9a8:0:e:1337:0:80:1
          213.239.154.30

As you can see it queries the site @ 10.0.100.1 by default (because it’s the advertised DNS server).

Both return the same public IP-address of the website, which makes sense of course. Just wanted to prove dig/nslookup is the same thing, but with different options/output formats.

Update (09-08-2021)
As for your last question, yes unbound is able to resolve CNAME records (which are, put simply, just aliases). Can you elaborate on what you mean with creating CNAME records? You can define your internal zone and use hosts defined therein, but the software itself doesn’t (as far as I know) create entries by itself. Maybe while transferring zones… but that’s beyond me at this point. :wink:

Here is a sample of /var/log/messages

Aug  9 09:59:58 wr-fw unbound: [22057:0] error: SERVFAIL <signaler-pa.clients6.google.com.wolf-rock.com. A IN>: all the configured stub or forward servers failed, at zone .
Aug  9 09:59:59 wr-fw unbound: [22057:0] error: SERVFAIL <beacons2.gvt2.com. A IN>: all the configured stub or forward servers failed, at zone .
Aug  9 09:59:59 wr-fw unbound: [22057:0] error: SERVFAIL <beacons2.gvt2.com.wolf-rock.com. A IN>: all the configured stub or forward servers failed, at zone .
Aug  9 10:00:00 wr-fw unbound: [22057:0] error: SERVFAIL <au.download.windowsupdate.com. A IN>: all the configured stub or forward servers failed, at zone .
Aug  9 10:00:00 wr-fw unbound: [22057:0] error: SERVFAIL <www.google.com. A IN>: all the configured stub or forward servers failed, at zone .
Aug  9 10:00:00 wr-fw unbound: [22057:0] error: SERVFAIL <www.google.com.wolf-rock.com. A IN>: all the configured stub or forward servers failed, at zone .

I also stopped and ran unbound with debug, of interest is…

Aug  9 10:04:30 wr-fw unbound: [25123:0] info: sending query: a.slack-edge.com. A IN
Aug  9 10:04:30 wr-fw unbound: [25123:0] debug: sending to target: <.> 8.8.8.8#53
Aug  9 10:04:30 wr-fw unbound: [25123:0] debug: dnssec status: not expected
Aug  9 10:04:30 wr-fw unbound: [25123:0] debug: EDNS lookup known=0 vs=0
Aug  9 10:04:30 wr-fw unbound: [25123:0] debug: serviced query UDP timeout=376 msec
Aug  9 10:04:30 wr-fw unbound: [25123:0] debug: inserted new pending reply id=801d
Aug  9 10:04:30 wr-fw unbound: [25123:0] debug: opened UDP if=0 port=34464
Aug  9 10:04:30 wr-fw unbound: [25123:0] debug: comm point start listening 12 (-1 msec)
Aug  9 10:04:30 wr-fw unbound: [25123:0] notice: send failed: Operation not permitted
Aug  9 10:04:30 wr-fw unbound: [25123:0] notice: remote address is ip4 8.8.8.8 port 53 (len 16)
Aug  9 10:04:30 wr-fw unbound: [25123:0] debug: close of port 34464
Aug  9 10:04:30 wr-fw unbound: [25123:0] debug: close fd 12
Aug  9 10:04:30 wr-fw unbound: [25123:0] info: error sending query to auth server ip4 8.8.8.8 port 53 (len 16)
Aug  9 10:04:30 wr-fw unbound: [25123:0] debug: iter_handle processing q with state QUERY TARGETS STATE
Aug  9 10:04:30 wr-fw unbound: [25123:0] info: processQueryTargets: a.slack-edge.com. A IN
Aug  9 10:04:30 wr-fw unbound: [25123:0] debug: processQueryTargets: targetqueries 0, currentqueries 0 sentcount 0
Aug  9 10:04:30 wr-fw unbound: [25123:0] info: DelegationPoint<.>: 0 names (0 missing), 3 addrs (3 result, 0 avail) parentNS
Aug  9 10:04:30 wr-fw unbound: [25123:0] debug:    ip4 8.8.8.8 port 53 (len 16)
Aug  9 10:04:30 wr-fw unbound: [25123:0] debug:    ip4 1.1.1.1 port 53 (len 16)
Aug  9 10:04:30 wr-fw unbound: [25123:0] debug:    ip4 1.0.0.1 port 53 (len 16)
Aug  9 10:04:30 wr-fw unbound: [25123:0] debug: attempt to get extra 3 targets
Aug  9 10:04:30 wr-fw unbound: [25123:0] debug: servselect ip4 8.8.8.8 port 53 (len 16)
Aug  9 10:04:30 wr-fw unbound: [25123:0] debug:    rtt=376
Aug  9 10:04:30 wr-fw unbound: [25123:0] debug: selrtt 376
Aug  9 10:04:30 wr-fw unbound: [25123:0] info: sending query: a.slack-edge.com. A IN
Aug  9 10:04:30 wr-fw unbound: [25123:0] debug: sending to target: <.> 8.8.8.8#53
Aug  9 10:04:30 wr-fw unbound: [25123:0] debug: dnssec status: not expected
Aug  9 10:04:30 wr-fw unbound: [25123:0] debug: EDNS lookup known=0 vs=0
Aug  9 10:04:30 wr-fw unbound: [25123:0] debug: serviced query UDP timeout=376 msec
Aug  9 10:04:30 wr-fw unbound: [25123:0] debug: inserted new pending reply id=14b4
Aug  9 10:04:30 wr-fw unbound: [25123:0] debug: opened UDP if=0 port=61168
Aug  9 10:04:30 wr-fw unbound: [25123:0] debug: comm point start listening 12 (-1 msec)
Aug  9 10:04:30 wr-fw unbound: [25123:0] notice: send failed: Operation not permitted
Aug  9 10:04:30 wr-fw unbound: [25123:0] notice: remote address is ip4 8.8.8.8 port 53 (len 16)
Aug  9 10:04:30 wr-fw unbound: [25123:0] debug: close of port 61168
Aug  9 10:04:30 wr-fw unbound: [25123:0] debug: close fd 12
Aug  9 10:04:30 wr-fw unbound: [25123:0] info: error sending query to auth server ip4 8.8.8.8 port 53 (len 16)
Aug  9 10:04:30 wr-fw unbound: [25123:0] debug: iter_handle processing q with state QUERY TARGETS STATE
Aug  9 10:04:30 wr-fw unbound: [25123:0] info: processQueryTargets: a.slack-edge.com. A IN
Aug  9 10:04:30 wr-fw unbound: [25123:0] debug: processQueryTargets: targetqueries 0, currentqueries 0 sentcount 0
Aug  9 10:04:30 wr-fw unbound: [25123:0] info: DelegationPoint<.>: 0 names (0 missing), 3 addrs (3 result, 0 avail) parentNS

You created a firewall rule so that unbound can no longer reach your DNS servers. DNS resolution doesn’t work then.

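The two log excerpts above carry two different signals: the `SERVFAIL ... all the configured stub or forward servers failed` errors say only that every forwarder came up empty, while the debug run shows the real cause one layer down, `send failed: Operation not permitted` on the socket to 8.8.8.8 (EPERM from sendto is what a host gets when its own packet filter drops or rejects the outgoing packet). As an added example, not code from the thread, IPFire or Unbound, here is a small Python triage script that parses syslog lines in the format posted above, counts SERVFAILs by reason and query name, attributes each `send failed` notice to the upstream it was addressed to, and maps the pattern to a likely cause. The regexes and message strings are taken from the posted lines; `SAMPLE_LOG` copies those lines plus one constructed non-unbound line to show the filter.

```python
"""Triage of Unbound syslog lines (added example; not code from the thread, IPFire or Unbound).

Message formats are taken from the log excerpts posted above. SAMPLE_LOG copies
those lines and adds one constructed non-unbound line.
"""
import re
from collections import Counter

# One syslog line as unbound writes it on IPFire: timestamp, host, "unbound:", [pid:thread], level, message.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) unbound: "
    r"\[(?P<pid>\d+):(?P<thread>\d+)\] (?P<level>\w+): (?P<msg>.*)$"
)
SERVFAIL_RE = re.compile(
    r"^SERVFAIL <(?P<qname>\S+) (?P<qtype>\S+) (?P<qclass>\S+)>: (?P<reason>.*)$"
)
SEND_FAIL_RE = re.compile(r"^send failed: (?P<err>.+)$")
# Unbound logs the destination on the notice line that follows "send failed".
REMOTE_RE = re.compile(r"^remote address is ip[46] (?P<ip>\S+) port (?P<port>\d+)")

FORWARD_FAIL = "all the configured stub or forward servers failed, at zone ."

SAMPLE_LOG = """\
Aug  9 09:59:58 wr-fw unbound: [22057:0] error: SERVFAIL <signaler-pa.clients6.google.com.wolf-rock.com. A IN>: all the configured stub or forward servers failed, at zone .
Aug  9 09:59:59 wr-fw unbound: [22057:0] error: SERVFAIL <beacons2.gvt2.com. A IN>: all the configured stub or forward servers failed, at zone .
Aug  9 09:59:59 wr-fw unbound: [22057:0] error: SERVFAIL <beacons2.gvt2.com.wolf-rock.com. A IN>: all the configured stub or forward servers failed, at zone .
Aug  9 10:00:00 wr-fw unbound: [22057:0] error: SERVFAIL <au.download.windowsupdate.com. A IN>: all the configured stub or forward servers failed, at zone .
Aug  9 10:00:00 wr-fw unbound: [22057:0] error: SERVFAIL <www.google.com. A IN>: all the configured stub or forward servers failed, at zone .
Aug  9 10:00:00 wr-fw unbound: [22057:0] error: SERVFAIL <www.google.com.wolf-rock.com. A IN>: all the configured stub or forward servers failed, at zone .
Aug  9 10:04:30 wr-fw kernel: constructed noise line, not from unbound
Aug  9 10:04:30 wr-fw unbound: [25123:0] info: sending query: a.slack-edge.com. A IN
Aug  9 10:04:30 wr-fw unbound: [25123:0] debug: sending to target: <.> 8.8.8.8#53
Aug  9 10:04:30 wr-fw unbound: [25123:0] notice: send failed: Operation not permitted
Aug  9 10:04:30 wr-fw unbound: [25123:0] notice: remote address is ip4 8.8.8.8 port 53 (len 16)
Aug  9 10:04:30 wr-fw unbound: [25123:0] info: error sending query to auth server ip4 8.8.8.8 port 53 (len 16)
Aug  9 10:04:30 wr-fw unbound: [25123:0] info: sending query: a.slack-edge.com. A IN
Aug  9 10:04:30 wr-fw unbound: [25123:0] debug: sending to target: <.> 8.8.8.8#53
Aug  9 10:04:30 wr-fw unbound: [25123:0] notice: send failed: Operation not permitted
Aug  9 10:04:30 wr-fw unbound: [25123:0] notice: remote address is ip4 8.8.8.8 port 53 (len 16)
Aug  9 10:04:30 wr-fw unbound: [25123:0] info: error sending query to auth server ip4 8.8.8.8 port 53 (len 16)
"""


def parse_unbound_log(lines):
    """Summarise resolution failures found in unbound syslog lines.

    Returns SERVFAIL counts by reason and by query name, plus a Counter keyed by
    (upstream ip, port, errno text) for every outbound send that failed.
    """
    servfail_by_reason = Counter()
    servfail_qnames = Counter()
    send_failures = Counter()
    pending_err = None  # errno text from "send failed", waiting for its "remote address" line
    for raw in lines:
        m = LINE_RE.match(raw.rstrip("\n"))
        if not m:
            continue  # kernel, cron, anything that is not unbound
        msg = m["msg"]
        sf = SERVFAIL_RE.match(msg)
        if sf:
            servfail_by_reason[sf["reason"]] += 1
            servfail_qnames[sf["qname"]] += 1
            continue
        fail = SEND_FAIL_RE.match(msg)
        if fail:
            pending_err = fail["err"]
            continue
        remote = REMOTE_RE.match(msg)
        if remote and pending_err is not None:
            send_failures[(remote["ip"], int(remote["port"]), pending_err)] += 1
            pending_err = None
    return {
        "servfail_total": sum(servfail_by_reason.values()),
        "servfail_by_reason": dict(servfail_by_reason),
        "servfail_qnames": servfail_qnames,
        "send_failures": send_failures,
    }


def diagnose(summary):
    """Map the failure pattern onto its most likely cause, seen from the resolver host."""
    failures = summary["send_failures"]
    errs = {err for (_ip, _port, err) in failures}
    targets = ", ".join(sorted({ip for (ip, _port, _err) in failures}))
    if errs == {"Operation not permitted"}:
        # sendto() returns EPERM when netfilter drops or rejects the packet on the way out:
        # the resolver host's own packet filter is blocking unbound's queries.
        return "EPERM sending to %s: a firewall rule on the resolver host blocks unbound's outbound DNS" % targets
    if errs:
        return "sends to %s failed with %s: routing or interface problem" % (targets, ", ".join(sorted(errs)))
    if summary["servfail_by_reason"].get(FORWARD_FAIL):
        return "forwarders gave no usable answer and no local send error: upstreams unreachable or filtered in transit"
    return "no resolution failure pattern found"


if __name__ == "__main__":
    s = parse_unbound_log(SAMPLE_LOG.splitlines())
    print("SERVFAIL:", s["servfail_total"], "queries; top names:", s["servfail_qnames"].most_common(3))
    print("send failures:", dict(s["send_failures"]))
    print("verdict:", diagnose(s))
```

Run it against `/var/log/messages` on the firewall with `parse_unbound_log(open("/var/log/messages"))` and the verdict separates "my forwarders are down" from "I blocked myself": the first SERVFAIL block alone only yields the weaker forwarder verdict, which is why the debug run was needed. The `.wolf-rock.com.` variants of the same names are counted as separate query names on purpose, since they show clients retrying with their search suffix after the first failure.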