Unbound not resolving many domains
I have an Unbound container running on a test server to proxy DNS traffic. The problem is that it fails for some domains while working perfectly for everything else. The domains not being resolved include:
- time.nist.gov
- meet.jit.si
- mail.protonmail.com
- etc
This is a response for a failed domain using dig:
dig @127.0.0.1 mail.protonmail.com
; <<>> DiG 9.11.5-P4-5.1+deb10u5-Debian <<>> @127.0.0.1 mail.protonmail.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 24960
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;mail.protonmail.com. IN A
;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Jul 01 11:56:23 UTC 2021
;; MSG SIZE rcvd: 48
Looking at the logs I get a few interesting bits:
info: resolving mail.protonmail.com. A IN
info: error sending query to auth server 2001:503:39c1::30 port 53
info: error sending query to auth server 2001:503:a83e::2:30 port 53
info: error sending query to auth server 2001:502:7094::30 port 53
info: error sending query to auth server 2001:503:39c1::30 port 53
info: resolving com. DNSKEY IN
info: response for mail.protonmail.com. A IN
info: reply from <com.> 192.35.51.30#53
info: query response was REFERRAL
info: resolving ns3.protonmail.com. AAAA IN
info: resolving ns2.protonmail.com. AAAA IN
info: resolving protonmail.com. DNSKEY IN
info: resolving ns1.protonmail.com. AAAA IN
info: response for ns3.protonmail.com. AAAA IN
info: reply from <protonmail.com.> 3.127.12.149#53
info: query response was ANSWER
error: tcp sendmsg: Operation not supported for 3.127.12.149 port 53
error: tcp sendmsg: Operation not supported for 3.127.12.149 port 53
info: response for mail.protonmail.com. A IN
info: reply from <protonmail.com.> 185.70.40.19#53
info: query response was ANSWER
info: validated DS protonmail.com. DS IN
info: response for ns2.protonmail.com. AAAA IN
info: reply from <protonmail.com.> 185.70.41.19#53
info: query response was ANSWER
info: response for ns1.protonmail.com. AAAA IN
info: reply from <protonmail.com.> 185.70.41.19#53
info: query response was ANSWER
info: response for ns3.protonmail.com. AAAA IN
info: reply from <protonmail.com.> 185.70.41.19#53
info: query response was nodata ANSWER
error: tcp sendmsg: Operation not supported for 185.70.41.19 port 53
error: tcp sendmsg: Operation not supported for 185.70.41.19 port 53
info: response for ns2.protonmail.com. AAAA IN
info: reply from <protonmail.com.> 185.70.41.19#53
info: query response was nodata ANSWER
info: response for ns1.protonmail.com. AAAA IN
info: reply from <protonmail.com.> 185.70.40.19#53
info: query response was nodata ANSWER
error: tcp sendmsg: Operation not supported for 185.70.41.19 port 53
error: tcp sendmsg: Operation not supported for 185.70.41.19 port 53
error: tcp sendmsg: Operation not supported for 185.70.40.19 port 53
error: tcp sendmsg: Operation not supported for 185.70.40.19 port 53
error: tcp sendmsg: Operation not supported for 3.127.12.149 port 53
error: tcp sendmsg: Operation not supported for 3.127.12.149 port 53
error: tcp sendmsg: Operation not supported for 3.127.12.149 port 53
error: tcp sendmsg: Operation not supported for 3.127.12.149 port 53
error: tcp sendmsg: Operation not supported for 185.70.40.19 port 53
error: tcp sendmsg: Operation not supported for 185.70.40.19 port 53
error: tcp sendmsg: Operation not supported for 185.70.40.19 port 53
error: tcp sendmsg: Operation not supported for 185.70.40.19 port 53
error: tcp sendmsg: Operation not supported for 185.70.41.19 port 53
error: tcp sendmsg: Operation not supported for 185.70.41.19 port 53
error: tcp sendmsg: Operation not supported for 185.70.40.19 port 53
error: tcp sendmsg: Operation not supported for 185.70.40.19 port 53
error: tcp sendmsg: Operation not supported for 3.127.12.149 port 53
error: tcp sendmsg: Operation not supported for 3.127.12.149 port 53
error: tcp sendmsg: Operation not supported for 185.70.40.19 port 53
error: tcp sendmsg: Operation not supported for 185.70.40.19 port 53
error: tcp sendmsg: Operation not supported for 3.127.12.149 port 53
error: tcp sendmsg: Operation not supported for 3.127.12.149 port 53
error: tcp sendmsg: Operation not supported for 185.70.41.19 port 53
error: tcp sendmsg: Operation not supported for 185.70.41.19 port 53
error: tcp sendmsg: Operation not supported for 185.70.41.19 port 53
error: tcp sendmsg: Operation not supported for 185.70.41.19 port 53
info: resolving ns2.protonmail.com. AAAA IN
info: resolving protonmail.com. DNSKEY IN
info: response for protonmail.com. DNSKEY IN
info: reply from <com.> 192.48.79.30#53
info: query response was REFERRAL
info: resolving ns3.protonmail.com. AAAA IN
info: resolving ns2.protonmail.com. AAAA IN
error: tcp sendmsg: Operation not supported for 185.70.40.19 port 53
error: tcp sendmsg: Operation not supported for 185.70.40.19 port 53
info: resolving ns1.protonmail.com. AAAA IN
error: tcp sendmsg: Operation not supported for 185.70.41.19 port 53
error: tcp sendmsg: Operation not supported for 185.70.41.19 port 53
error: tcp sendmsg: Operation not supported for 3.127.12.149 port 53
error: tcp sendmsg: Operation not supported for 3.127.12.149 port 53
info: resolving ns3.protonmail.com. AAAA IN
info: resolving ns3.protonmail.com. A IN
info: error sending query to auth server 2001:502:7094::30 port 53
info: response for ns3.protonmail.com. AAAA IN
info: reply from <com.> 192.41.162.30#53
info: query response was REFERRAL
info: resolving ns1.protonmail.com. AAAA IN
info: response for ns3.protonmail.com. A IN
info: reply from <com.> 192.31.80.30#53
info: query response was REFERRAL
info: resolving ns2.protonmail.com. AAAA IN
info: response for ns3.protonmail.com. AAAA IN
info: reply from <protonmail.com.> 185.70.41.19#53
info: query response was nodata ANSWER
info: response for ns3.protonmail.com. A IN
info: reply from <protonmail.com.> 185.70.40.19#53
info: query response was ANSWER
info: resolving ns2.protonmail.com. AAAA IN
info: error sending query to auth server 2001:500:d937::30 port 53
info: resolving ns2.protonmail.com. A IN
info: response for ns2.protonmail.com. A IN
info: reply from <com.> 192.43.172.30#53
info: query response was REFERRAL
info: response for ns2.protonmail.com. AAAA IN
info: reply from <com.> 192.43.172.30#53
info: query response was REFERRAL
info: response for ns2.protonmail.com. AAAA IN
info: reply from <protonmail.com.> 3.127.12.149#53
info: query response was nodata ANSWER
info: response for ns2.protonmail.com. A IN
info: reply from <protonmail.com.> 185.70.40.19#53
info: query response was ANSWER
info: resolving ns1.protonmail.com. AAAA IN
info: resolving ns1.protonmail.com. A IN
info: error sending query to auth server 2001:503:d2d::30 port 53
info: error sending query to auth server 2001:500:d937::30 port 53
info: error sending query to auth server 2001:503:eea3::30 port 53
info: error sending query to auth server 2001:501:b1f9::30 port 53
info: response for ns1.protonmail.com. A IN
info: reply from <com.> 192.43.172.30#53
info: query response was REFERRAL
info: response for ns1.protonmail.com. AAAA IN
info: reply from <com.> 192.55.83.30#53
info: query response was REFERRAL
info: response for ns1.protonmail.com. AAAA IN
info: reply from <protonmail.com.> 3.127.12.149#53
info: query response was nodata ANSWER
info: response for ns1.protonmail.com. A IN
info: reply from <protonmail.com.> 185.70.40.19#53
info: query response was ANSWER
info: Missing DNSKEY RRset in response to DNSKEY query.
info: resolving protonmail.com. DNSKEY IN
info: resolving ns2.protonmail.com. AAAA IN
info: resolving ns3.protonmail.com. AAAA IN
info: resolving ns1.protonmail.com. AAAA IN
error: tcp sendmsg: Operation not supported for 185.70.40.19 port 53
error: tcp sendmsg: Operation not supported for 185.70.40.19 port 53
error: tcp sendmsg: Operation not supported for 185.70.41.19 port 53
error: tcp sendmsg: Operation not supported for 185.70.41.19 port 53
error: tcp sendmsg: Operation not supported for 185.70.41.19 port 53
error: tcp sendmsg: Operation not supported for 185.70.41.19 port 53
error: tcp sendmsg: Operation not supported for 185.70.40.19 port 53
error: tcp sendmsg: Operation not supported for 185.70.40.19 port 53
error: tcp sendmsg: Operation not supported for 185.70.41.19 port 53
error: tcp sendmsg: Operation not supported for 185.70.41.19 port 53
error: tcp sendmsg: Operation not supported for 3.127.12.149 port 53
error: tcp sendmsg: Operation not supported for 3.127.12.149 port 53
error: tcp sendmsg: Operation not supported for 185.70.41.19 port 53
error: tcp sendmsg: Operation not supported for 185.70.41.19 port 53
error: tcp sendmsg: Operation not supported for 185.70.41.19 port 53
error: tcp sendmsg: Operation not supported for 185.70.41.19 port 53
error: tcp sendmsg: Operation not supported for 185.70.40.19 port 53
error: tcp sendmsg: Operation not supported for 185.70.40.19 port 53
error: tcp sendmsg: Operation not supported for 3.127.12.149 port 53
error: tcp sendmsg: Operation not supported for 3.127.12.149 port 53
error: tcp sendmsg: Operation not supported for 3.127.12.149 port 53
error: tcp sendmsg: Operation not supported for 3.127.12.149 port 53
error: tcp sendmsg: Operation not supported for 185.70.40.19 port 53
error: tcp sendmsg: Operation not supported for 185.70.40.19 port 53
error: tcp sendmsg: Operation not supported for 3.127.12.149 port 53
error: tcp sendmsg: Operation not supported for 3.127.12.149 port 53
error: tcp sendmsg: Operation not supported for 3.127.12.149 port 53
error: tcp sendmsg: Operation not supported for 3.127.12.149 port 53
error: tcp sendmsg: Operation not supported for 185.70.40.19 port 53
error: tcp sendmsg: Operation not supported for 185.70.40.19 port 53
info: Missing DNSKEY RRset in response to DNSKEY query.
info: resolving protonmail.com. DNSKEY IN
info: resolving ns2.protonmail.com. AAAA IN
info: resolving ns3.protonmail.com. AAAA IN
info: resolving ns1.protonmail.com. AAAA IN
error: tcp sendmsg: Operation not supported for 185.70.40.19 port 53
error: tcp sendmsg: Operation not supported for 185.70.40.19 port 53
error: tcp sendmsg: Operation not supported for 185.70.40.19 port 53
error: tcp sendmsg: Operation not supported for 185.70.40.19 port 53
error: tcp sendmsg: Operation not supported for 185.70.40.19 port 53
error: tcp sendmsg: Operation not supported for 185.70.40.19 port 53
error: tcp sendmsg: Operation not supported for 3.127.12.149 port 53
error: tcp sendmsg: Operation not supported for 3.127.12.149 port 53
error: tcp sendmsg: Operation not supported for 3.127.12.149 port 53
error: tcp sendmsg: Operation not supported for 3.127.12.149 port 53
error: tcp sendmsg: Operation not supported for 3.127.12.149 port 53
error: tcp sendmsg: Operation not supported for 3.127.12.149 port 53
error: tcp sendmsg: Operation not supported for 3.127.12.149 port 53
error: tcp sendmsg: Operation not supported for 3.127.12.149 port 53
error: tcp sendmsg: Operation not supported for 185.70.41.19 port 53
error: tcp sendmsg: Operation not supported for 185.70.41.19 port 53
error: tcp sendmsg: Operation not supported for 185.70.40.19 port 53
error: tcp sendmsg: Operation not supported for 185.70.40.19 port 53
error: tcp sendmsg: Operation not supported for 3.127.12.149 port 53
error: tcp sendmsg: Operation not supported for 3.127.12.149 port 53
error: tcp sendmsg: Operation not supported for 185.70.40.19 port 53
error: tcp sendmsg: Operation not supported for 185.70.40.19 port 53
error: tcp sendmsg: Operation not supported for 185.70.41.19 port 53
error: tcp sendmsg: Operation not supported for 185.70.41.19 port 53
error: tcp sendmsg: Operation not supported for 185.70.41.19 port 53
error: tcp sendmsg: Operation not supported for 185.70.41.19 port 53
error: tcp sendmsg: Operation not supported for 185.70.41.19 port 53
error: tcp sendmsg: Operation not supported for 185.70.41.19 port 53
error: tcp sendmsg: Operation not supported for 185.70.41.19 port 53
error: tcp sendmsg: Operation not supported for 185.70.41.19 port 53
info: Missing DNSKEY RRset in response to DNSKEY query.
info: resolving protonmail.com. DNSKEY IN
info: resolving ns2.protonmail.com. AAAA IN
info: resolving ns3.protonmail.com. AAAA IN
info: resolving ns1.protonmail.com. AAAA IN
error: tcp sendmsg: Operation not supported for 185.70.40.19 port 53
error: tcp sendmsg: Operation not supported for 185.70.40.19 port 53
error: tcp sendmsg: Operation not supported for 3.127.12.149 port 53
error: tcp sendmsg: Operation not supported for 3.127.12.149 port 53
error: tcp sendmsg: Operation not supported for 185.70.41.19 port 53
error: tcp sendmsg: Operation not supported for 185.70.41.19 port 53
error: tcp sendmsg: Operation not supported for 185.70.41.19 port 53
error: tcp sendmsg: Operation not supported for 185.70.41.19 port 53
error: tcp sendmsg: Operation not supported for 185.70.41.19 port 53
error: tcp sendmsg: Operation not supported for 185.70.41.19 port 53
error: tcp sendmsg: Operation not supported for 185.70.41.19 port 53
error: tcp sendmsg: Operation not supported for 185.70.41.19 port 53
error: tcp sendmsg: Operation not supported for 185.70.41.19 port 53
error: tcp sendmsg: Operation not supported for 185.70.41.19 port 53
error: tcp sendmsg: Operation not supported for 3.127.12.149 port 53
error: tcp sendmsg: Operation not supported for 3.127.12.149 port 53
error: tcp sendmsg: Operation not supported for 3.127.12.149 port 53
error: tcp sendmsg: Operation not supported for 3.127.12.149 port 53
error: tcp sendmsg: Operation not supported for 185.70.40.19 port 53
error: tcp sendmsg: Operation not supported for 185.70.40.19 port 53
error: tcp sendmsg: Operation not supported for 3.127.12.149 port 53
error: tcp sendmsg: Operation not supported for 3.127.12.149 port 53
error: tcp sendmsg: Operation not supported for 3.127.12.149 port 53
error: tcp sendmsg: Operation not supported for 3.127.12.149 port 53
error: tcp sendmsg: Operation not supported for 185.70.40.19 port 53
error: tcp sendmsg: Operation not supported for 185.70.40.19 port 53
error: tcp sendmsg: Operation not supported for 185.70.40.19 port 53
error: tcp sendmsg: Operation not supported for 185.70.40.19 port 53
error: tcp sendmsg: Operation not supported for 185.70.40.19 port 53
error: tcp sendmsg: Operation not supported for 185.70.40.19 port 53
info: Missing DNSKEY RRset in response to DNSKEY query.
info: resolving protonmail.com. DNSKEY IN
info: resolving ns2.protonmail.com. AAAA IN
info: resolving ns3.protonmail.com. AAAA IN
info: resolving ns1.protonmail.com. AAAA IN
error: tcp sendmsg: Operation not supported for 3.127.12.149 port 53
error: tcp sendmsg: Operation not supported for 3.127.12.149 port 53
error: tcp sendmsg: Operation not supported for 3.127.12.149 port 53
error: tcp sendmsg: Operation not supported for 3.127.12.149 port 53
error: tcp sendmsg: Operation not supported for 185.70.41.19 port 53
error: tcp sendmsg: Operation not supported for 185.70.41.19 port 53
error: tcp sendmsg: Operation not supported for 185.70.40.19 port 53
error: tcp sendmsg: Operation not supported for 185.70.40.19 port 53
error: tcp sendmsg: Operation not supported for 185.70.40.19 port 53
error: tcp sendmsg: Operation not supported for 185.70.40.19 port 53
error: tcp sendmsg: Operation not supported for 185.70.41.19 port 53
error: tcp sendmsg: Operation not supported for 185.70.41.19 port 53
error: tcp sendmsg: Operation not supported for 3.127.12.149 port 53
error: tcp sendmsg: Operation not supported for 3.127.12.149 port 53
error: tcp sendmsg: Operation not supported for 3.127.12.149 port 53
error: tcp sendmsg: Operation not supported for 3.127.12.149 port 53
error: tcp sendmsg: Operation not supported for 185.70.40.19 port 53
error: tcp sendmsg: Operation not supported for 185.70.40.19 port 53
error: tcp sendmsg: Operation not supported for 185.70.41.19 port 53
error: tcp sendmsg: Operation not supported for 185.70.41.19 port 53
error: tcp sendmsg: Operation not supported for 185.70.41.19 port 53
error: tcp sendmsg: Operation not supported for 185.70.41.19 port 53
error: tcp sendmsg: Operation not supported for 185.70.40.19 port 53
error: tcp sendmsg: Operation not supported for 185.70.40.19 port 53
error: tcp sendmsg: Operation not supported for 3.127.12.149 port 53
error: tcp sendmsg: Operation not supported for 3.127.12.149 port 53
error: tcp sendmsg: Operation not supported for 185.70.41.19 port 53
error: tcp sendmsg: Operation not supported for 185.70.41.19 port 53
error: tcp sendmsg: Operation not supported for 185.70.40.19 port 53
error: tcp sendmsg: Operation not supported for 185.70.40.19 port 53
info: Missing DNSKEY RRset in response to DNSKEY query.
info: resolving protonmail.com. DNSKEY IN
info: resolving ns2.protonmail.com. AAAA IN
info: resolving ns3.protonmail.com. AAAA IN
info: resolving ns1.protonmail.com. AAAA IN
error: tcp sendmsg: Operation not supported for 185.70.40.19 port 53
error: tcp sendmsg: Operation not supported for 185.70.40.19 port 53
error: tcp sendmsg: Operation not supported for 185.70.40.19 port 53
error: tcp sendmsg: Operation not supported for 185.70.40.19 port 53
error: tcp sendmsg: Operation not supported for 3.127.12.149 port 53
error: tcp sendmsg: Operation not supported for 3.127.12.149 port 53
error: tcp sendmsg: Operation not supported for 3.127.12.149 port 53
error: tcp sendmsg: Operation not supported for 3.127.12.149 port 53
error: tcp sendmsg: Operation not supported for 3.127.12.149 port 53
error: tcp sendmsg: Operation not supported for 3.127.12.149 port 53
error: tcp sendmsg: Operation not supported for 185.70.41.19 port 53
error: tcp sendmsg: Operation not supported for 185.70.41.19 port 53
error: tcp sendmsg: Operation not supported for 185.70.41.19 port 53
error: tcp sendmsg: Operation not supported for 185.70.41.19 port 53
error: tcp sendmsg: Operation not supported for 185.70.40.19 port 53
error: tcp sendmsg: Operation not supported for 185.70.40.19 port 53
error: tcp sendmsg: Operation not supported for 185.70.40.19 port 53
error: tcp sendmsg: Operation not supported for 185.70.40.19 port 53
error: tcp sendmsg: Operation not supported for 185.70.40.19 port 53
error: tcp sendmsg: Operation not supported for 185.70.40.19 port 53
error: tcp sendmsg: Operation not supported for 3.127.12.149 port 53
error: tcp sendmsg: Operation not supported for 3.127.12.149 port 53
error: tcp sendmsg: Operation not supported for 185.70.41.19 port 53
error: tcp sendmsg: Operation not supported for 185.70.41.19 port 53
error: tcp sendmsg: Operation not supported for 185.70.41.19 port 53
error: tcp sendmsg: Operation not supported for 185.70.41.19 port 53
error: tcp sendmsg: Operation not supported for 185.70.41.19 port 53
error: tcp sendmsg: Operation not supported for 185.70.41.19 port 53
error: tcp sendmsg: Operation not supported for 3.127.12.149 port 53
error: tcp sendmsg: Operation not supported for 3.127.12.149 port 53
info: **Missing DNSKEY RRset in response to DNSKEY query.**
info: **Could not establish a chain of trust to keys for protonmail.com. DNSKEY IN**
Unbound is running inside a docker container and it is synced with the host in terms of local time (was initially un-synced but I thought I should try and see if the bug is there).
Unbound config:
server:
    cache-max-ttl: 86400
    cache-min-ttl: 300
    directory: "/opt/unbound/etc/unbound"
    edns-buffer-size: 1232
    interface: 0.0.0.0@53
    rrset-roundrobin: yes
    username: "_unbound"
    log-local-actions: no
    log-queries: no
    log-replies: no
    log-servfail: no
    logfile: /var/log/unbound.log
    verbosity: 2
    aggressive-nsec: yes
    delay-close: 10000
    do-daemonize: no
    do-not-query-localhost: no
    neg-cache-size: 4M
    qname-minimisation: yes
    access-control: 127.0.0.1/32 allow
    access-control: 192.168.0.0/16 allow
    access-control: 172.16.0.0/12 allow
    access-control: 10.0.0.0/8 allow
    auto-trust-anchor-file: "var/root.key"
    chroot: "/opt/unbound/etc/unbound"
    deny-any: yes
    harden-algo-downgrade: yes
    harden-below-nxdomain: yes
    harden-dnssec-stripped: yes
    harden-glue: yes
    harden-large-queries: yes
    harden-referral-path: no
    harden-short-bufsize: yes
    hide-identity: yes
    hide-version: yes
    identity: "foo"
    private-address: 10.0.0.0/8
    private-address: 172.16.0.0/12
    private-address: 192.168.0.0/16
    private-address: 169.254.0.0/16
    private-address: fd00::/8
    private-address: fe80::/10
    private-address: ::ffff:0:0/96
    ratelimit: 1000
    tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt
    unwanted-reply-threshold: 10000
    use-caps-for-id: no
    val-clean-additional: yes
    infra-cache-slabs: 2
    incoming-num-tcp: 10
    key-cache-slabs: 2
    msg-cache-size: 275724970
    msg-cache-slabs: 2
    num-queries-per-thread: 4096
    num-threads: 1
    outgoing-range: 8192
    rrset-cache-size: 551449941
    rrset-cache-slabs: 2
    minimal-responses: yes
    prefetch: yes
    prefetch-key: yes
    serve-expired: yes
    so-reuseport: yes
remote-control:
    control-enable: no
System:
- Docker debian/host debian
- `unbound -V` output: 1.13.1
Additional information
dockerfile used to compile unbound:
FROM debian:buster as openssl
ENV VERSION_OPENSSL=openssl-1.1.1k \
SHA256_OPENSSL=892a0875b9872acd04a9fde79b1f943075d5ea162415de3047c327df33fbaee5 \
SOURCE_OPENSSL=https://www.openssl.org/source/
WORKDIR /tmp/src
RUN set -e -x && \
build_deps="build-essential ca-certificates curl dirmngr gnupg libidn2-0-dev libssl-dev" && \
DEBIAN_FRONTEND=noninteractive apt-get update && apt-get install -y --no-install-recommends \
$build_deps && \
curl -L $SOURCE_OPENSSL$VERSION_OPENSSL.tar.gz -o openssl.tar.gz && \
echo "${SHA256_OPENSSL} ./openssl.tar.gz" | sha256sum -c - && \
curl -L $SOURCE_OPENSSL$VERSION_OPENSSL.tar.gz.asc -o openssl.tar.gz.asc && \
GNUPGHOME="$(mktemp -d)" && \
export GNUPGHOME && \
tar xzf openssl.tar.gz && \
cd $VERSION_OPENSSL && \
./config \
--prefix=/opt/openssl \
--openssldir=/opt/openssl \
no-weak-ssl-ciphers \
no-ssl3 \
no-shared \
enable-ec_nistp_64_gcc_128 \
-DOPENSSL_NO_HEARTBEATS \
-fstack-protector-strong && \
make depend && \
make && \
make install_sw && \
apt-get purge -y --auto-remove \
$build_deps && \
rm -rf \
/tmp/* \
/var/tmp/* \
/var/lib/apt/lists/*
FROM debian:buster as unbound
ENV NAME=unbound \
UNBOUND_VERSION=1.13.1 \
UNBOUND_SHA256=8504d97b8fc5bd897345c95d116e0ee0ddf8c8ff99590ab2b4bd13278c9f50b8 \
UNBOUND_DOWNLOAD_URL=https://nlnetlabs.nl/downloads/unbound/unbound-1.13.1.tar.gz
WORKDIR /tmp/src
COPY --from=openssl /opt/openssl /opt/openssl
RUN build_deps="curl gcc libc-dev libevent-dev libexpat1-dev libnghttp2-dev make" && \
set -x && \
DEBIAN_FRONTEND=noninteractive apt-get update && apt-get install -y --no-install-recommends \
$build_deps \
bsdmainutils \
ca-certificates \
ldnsutils \
libevent-2.1-6 \
libexpat1 && \
curl -sSL $UNBOUND_DOWNLOAD_URL -o unbound.tar.gz && \
echo "${UNBOUND_SHA256} *unbound.tar.gz" | sha256sum -c - && \
tar xzf unbound.tar.gz && \
rm -f unbound.tar.gz && \
cd unbound-1.13.1 && \
groupadd _unbound && \
useradd -g _unbound -s /etc -d /dev/null _unbound && \
./configure \
--disable-dependency-tracking \
--prefix=/opt/unbound \
--with-pthreads \
--with-username=_unbound \
--with-ssl=/opt/openssl \
--with-libevent \
--with-libnghttp2 \
--enable-tfo-server \
--enable-tfo-client \
--enable-event-api && \
make install && \
mv /opt/unbound/etc/unbound/unbound.conf /opt/unbound/etc/unbound/unbound.conf.example && \
apt-get purge -y --auto-remove \
$build_deps && \
rm -rf \
/opt/unbound/share/man \
/tmp/* \
/var/tmp/* \
/var/lib/apt/lists/*
FROM debian:buster
ENV NAME=unbound \
VERSION=1.2 \
SUMMARY="${NAME} is a validating, recursive, and caching DNS resolver." \
DESCRIPTION="${NAME} is a validating, recursive, and caching DNS resolver."
LABEL summary="${SUMMARY}" \
description="${DESCRIPTION}" \
io.k8s.description="${DESCRIPTION}" \
io.k8s.display-name="Unbound ${UNBOUND_VERSION}" \
name="mvance/${NAME}" \
maintainer="Matthew Vance"
WORKDIR /tmp/src
COPY --from=unbound /opt /opt
RUN set -x && \
DEBIAN_FRONTEND=noninteractive apt-get update && apt-get install -y --no-install-recommends \
bsdmainutils \
ca-certificates \
ldnsutils \
libevent-2.1-6 \
libnghttp2-14 \
libexpat1 && \
groupadd _unbound && \
useradd -g _unbound -s /etc -d /dev/null _unbound && \
apt-get purge -y --auto-remove \
$build_deps && \
rm -rf \
/opt/unbound/share/man \
/tmp/* \
/var/tmp/* \
/var/lib/apt/lists/*
A few mentions:
- If I run the same container on my PC, the query works, so I'm guessing it's some sort of server config on the docker host
- `dig` inside the server to mail.protonmail.com returns fine
- `dig` inside the container to mail.protonmail.com returns fine
- `dig @localhost mail.protonmail.com` (querying unbound) does not work, so everything works until I reach unbound
- other domains that don't work:
  - time.nist.gov
  - meet.jit.si
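The log excerpt in this report has a recognisable shape: UDP sends to IPv6 authoritative addresses fail, every TCP retry to the IPv4 authoritative servers fails with "Operation not supported", and the DNSKEY lookups for protonmail.com end in "Missing DNSKEY RRset" and a broken chain of trust, which is what the client sees as SERVFAIL. The following triage script is an added example (not part of this issue and not Unbound's own code) that parses a constructed subset of the lines above in the verbosity-2 format Unbound uses and turns the counts into a short list of hints. The function names `parse`, `hints` and `triage` and the hint labels are chosen here; `do-ip6` is a real unbound.conf option mentioned in the hint text.

```python
"""Triage an Unbound log excerpt for the failure pattern seen in this thread.

Added example, not Unbound's own code. The line format is the one Unbound
prints at verbosity 2; SAMPLE_LOG is a constructed subset of the excerpt above.
"""
import re
from collections import Counter

# Constructed sample: representative lines copied from the log excerpt above.
SAMPLE_LOG = """\
info: resolving mail.protonmail.com. A IN
info: error sending query to auth server 2001:503:39c1::30 port 53
info: error sending query to auth server 2001:503:a83e::2:30 port 53
info: reply from <protonmail.com.> 3.127.12.149#53
info: query response was ANSWER
error: tcp sendmsg: Operation not supported for 3.127.12.149 port 53
error: tcp sendmsg: Operation not supported for 3.127.12.149 port 53
error: tcp sendmsg: Operation not supported for 185.70.40.19 port 53
info: Missing DNSKEY RRset in response to DNSKEY query.
info: resolving protonmail.com. DNSKEY IN
info: Missing DNSKEY RRset in response to DNSKEY query.
info: Could not establish a chain of trust to keys for protonmail.com. DNSKEY IN
"""

TCP_ERR = re.compile(r"^error: tcp sendmsg: (?P<err>.+?) for (?P<ip>\S+) port \d+$")
SEND_ERR = re.compile(r"^info: error sending query to auth server (?P<ip>\S+) port \d+$")
CHAIN_FAIL = re.compile(r"^info: Could not establish a chain of trust to keys for (?P<zone>\S+) DNSKEY IN$")
MISSING_DNSKEY = "Missing DNSKEY RRset in response to DNSKEY query."


def parse(log_text):
    """Count the error classes that matter for this symptom."""
    tcp_errors = Counter()   # (auth server ip, errno text) -> occurrences
    send_errors = Counter()  # auth server ip -> failed UDP sends
    missing_dnskey = 0
    chain_failed = []        # zones whose DNSKEY chain could not be built
    for raw in log_text.splitlines():
        line = raw.strip()
        m = TCP_ERR.match(line)
        if m:
            tcp_errors[(m["ip"], m["err"])] += 1
            continue
        m = SEND_ERR.match(line)
        if m:
            send_errors[m["ip"]] += 1
            continue
        if MISSING_DNSKEY in line:
            missing_dnskey += 1
            continue
        m = CHAIN_FAIL.match(line)
        if m:
            chain_failed.append(m["zone"].rstrip("."))
    return {
        "tcp_errors": tcp_errors,
        "send_errors": send_errors,
        "missing_dnskey": missing_dnskey,
        "chain_failed": chain_failed,
    }


def hints(summary):
    """Map the counts to the checks a resolver operator would run next."""
    out = []
    # "Operation not supported" is strerror(EOPNOTSUPP); for a TCP send that
    # points at the fast-open path of the kernel rather than at the remote server.
    if any(err == "Operation not supported" for _, err in summary["tcp_errors"]):
        out.append("tcp-fallback-failing: every TCP retry to the authoritative "
                   "servers fails with EOPNOTSUPP; check net.ipv4.tcp_fastopen in "
                   "the resolver's network namespace when the build used --enable-tfo-client")
    # Only IPv6 addresses failing at send time means the host has no usable v6 route.
    if summary["send_errors"] and all(":" in ip for ip in summary["send_errors"]):
        out.append("ipv6-unreachable: UDP sends fail only for IPv6 auth servers; "
                   "the host or container has no working IPv6 route (do-ip6: no "
                   "stops the wasted attempts)")
    # DNSKEY answers are large and need TCP when truncated; with TCP broken the
    # validator never gets the keys and answers SERVFAIL, so this is a symptom.
    if summary["missing_dnskey"] and summary["chain_failed"]:
        out.append("dnssec-servfail: DNSKEY lookups for %s never completed, so "
                   "validation failed; fix the transport errors before touching "
                   "the trust anchor" % ", ".join(summary["chain_failed"]))
    return out


def triage(log_text):
    summary = parse(log_text)
    summary["hints"] = hints(summary)
    return summary


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(key, value)
```

Run it against the full log (`python3 triage.py < /var/log/unbound.log` after swapping `SAMPLE_LOG` for `sys.stdin.read()`) and the per-server TCP error counts show immediately whether the failure is tied to particular authoritative servers or, as here, to every TCP retry the resolver makes.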
I am experiencing the same issue on a Pi Zero running Pi-Hole + Unbound. It's unable to resolve any of the domains you mentioned, as well as some others that I tested such as github.com
. Other domains such as duckduckgo.com
are being resolved normally as far as I can tell.
Same issue for me. Unbound version is 1.13.1 installed on Debian Sid. unbound-anchor has been run to update roots. Domain not resolving is "bit.ly".
Same issue for me. Unbound 1.13.1 installed on RPI Debian 11 (Bullseye). Domain "mail.protonmail.com" ends in SERVFAIL like "token.safebrowsing.apple" and many more ...
I'm experiencing the same SERVFAIL resolving domains as others have mentioned running on RPI Debian 11 (Bullseye) with Unbound 1.13.1 and Pi-Hole 5.5. I don't suspect Pi-Hole to be the issue as I have 2 RPI (2B & 3B) running Unbound while only the RPI 3B runs Pi-Hole. The RPI 2B has the Ultimate GPS HAT and is running as a stratum-1 NTP server peered with NTP running on the RPI 3B so time is synced and accurate.
Behaviors I've noticed are that `sudo -u unbound unbound-anchor -v` will fail but running as `sudo -u unbound unbound-anchor -v -f path/to/backup/resolv.conf` with a resolv.conf pointing to an external nameserver will pass.
What I was seeing when turning `verbosity 4` on and checking the logs was that I was seeing `rcode: REFUSED` in the incoming scrubbed headers but the query result returned by Unbound is simply SERVFAIL. I am not sure if this was due to Unbound performing 'norecurse' requests, as running the same queries using dig from the CLI against the NS server Unbound had attempted and got REFUSED from then succeeded. If I then re-ran the dig command adding `+norecurse` it would fail just like Unbound had. I also am not sure if my provider (Spectrum in this case) is doing something with the packets causing issues.
As a workaround I did add the following `forward-zone` to my config using DNS over TLS to Cloudflare, Google, and Quad9, and everything appears to be working, but as I understand how forward-zones work in Unbound it isn't using QNAME minimisation.
forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-addr: 1.0.0.1@853#cloudflare-dns.com
    forward-addr: 1.1.1.1@853#cloudflare-dns.com
    forward-addr: 8.8.4.4@853#dns.google
    forward-addr: 8.8.8.8@853#dns.google
    forward-addr: 9.9.9.9@853#dns.quad9.net
    forward-addr: 149.112.112.112@853#dns.quad9.net
I've seen others say that some domains worked while others failed but from what I could tell every DNS query was failing until I introduced the workaround I mentioned above.
What I want is for Pi-Hole to use these 2 Unbound servers as authoritative recursive DNS servers without having to rely on forwarding DNS servers. If I wanted to rely on a forwarder outside my control I'd just use my providers.
I had the same issue. I solved it by enabling tcp fast open on the host system.
echo "3" | sudo tee /proc/sys/net/ipv4/tcp_fastopen
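The comment above flips `net.ipv4.tcp_fastopen` on the host. As an added check (not from this thread), the script below interprets that sysctl and compares it with the TCP Fast Open features the Dockerfile in the opening post compiles in (`--enable-tfo-client` and `--enable-tfo-server`). On Linux the value is a bitmask (1 = client, 2 = server), and a fast-open send on a kernel whose client bit is clear fails with EOPNOTSUPP, the errno whose text is the "Operation not supported" in the log above. The sysctl is a per-network-namespace setting on current kernels, so a Docker container can see a different value from the host; run the check inside the container too. `tfo_describe` and `tfo_check` are names chosen for this example.

```sh
#!/bin/sh
# Added example, not part of the thread: interpret the Linux tcp_fastopen
# bitmask and check it against the TFO features Unbound was built with.

# tfo_describe VALUE -> "disabled" | "client" | "server" | "client+server"
tfo_describe() {
  case $(( $1 & 3 )) in
    0) echo "disabled" ;;
    1) echo "client" ;;
    2) echo "server" ;;
    3) echo "client+server" ;;
  esac
}

# tfo_check VALUE NEED -> exit 0 when the bitmask covers every feature in NEED
# (NEED is "client", "server" or "client+server", matching the configure flags).
tfo_check() {
  v=$1
  need=$2
  case $need in
    *client*) [ $(( v & 1 )) -eq 1 ] || return 1 ;;
  esac
  case $need in
    *server*) [ $(( v & 2 )) -eq 2 ] || return 1 ;;
  esac
  return 0
}

# Stand-alone use: read the live value of the namespace this shell runs in.
if [ -r /proc/sys/net/ipv4/tcp_fastopen ]; then
  cur=$(cat /proc/sys/net/ipv4/tcp_fastopen)
  echo "tcp_fastopen=$cur ($(tfo_describe "$cur"))"
  # The Dockerfile above passes both --enable-tfo-client and --enable-tfo-server.
  if tfo_check "$cur" client+server; then
    echo "OK: kernel allows the TFO client and server paths this build uses"
  else
    echo "MISMATCH: set net.ipv4.tcp_fastopen=3 here, or rebuild without the tfo flags"
  fi
fi
```

If the host reports 3 but the container reports a lower value, the container's namespace is the one Unbound's sockets live in, and that is where the setting has to change (for Docker, `--sysctl net.ipv4.tcp_fastopen=3` at `docker run` time).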
-- Thanks, this worked for me. What are the implications of doing this?
EDIT: I spoke too soon. It didn't actually work. I forgot that I disabled unbound and was using the 1.1.1.1/1.0.0.1 DNS in PiHole when I ran the command, so I had the impression that it was working. I'm still having the issue unfortunately.
PiKVM.org:
nslookup pikvm.org 127.0.0.1
;; connection timed out; no servers could be reached
Google.com:
nslookup google.com 127.0.0.1
Server: 127.0.0.1
Address: 127.0.0.1#53
Non-authoritative answer:
Name: google.com
Address: 172.217.16.238
Name: google.com
Address: 2a00:1450:4009:821::200e
And dig for pikvm.org:
dig pikvm.org @127.0.0.1 -p 5335
; <<>> DiG 9.16.37-Raspbian <<>> pikvm.org @127.0.0.1 -p 5335
;; global options: +cmd
;; connection timed out; no servers could be reached
Dig for google.com:
dig google.com @127.0.0.1 -p 5335
; <<>> DiG 9.16.37-Raspbian <<>> google.com @127.0.0.1 -p 5335
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27324
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;google.com. IN A
;; ANSWER SECTION:
google.com. 55 IN A 172.217.16.238
;; Query time: 0 msec
;; SERVER: 127.0.0.1#5335(127.0.0.1)
;; WHEN: Sat May 27 03:53:21 BST 2023
;; MSG SIZE rcvd: 55
I am having this same issue, seems PiKVM.org is a common issue with being a troublesome domain.
Do you use Ubiquiti Unifi, and do you block Russia? I found that this ended up being the case for me. Maxim Devaev is the guy who "invented" PiKVM and he hosts his website and some PiKVM update files on his webserver located in Russia where he lives/is from. In my case, I block Russia, China and other threat countries (because of malware, ransomware etc) and this is what was causing the issue. Unbound was correctly set up for me, but it didn't matter because my Unifi Network Application was set to block inbound and outbound from countries including Russia and once I disabled it temporarily and flushed DNS on unbound it started working... so confirmed that's what the issue was in my case
Haha. I do use UniFi and Russia is a country I block. I’ll test it when I get home. Never would have thought about that, although it does remind me the one time I had trouble with Aliexpress and it was cause I forgot I blocked China lol.
Thanks for the help.
Then this is 100% your issue. Yes, please come back and confirm, then people on UniFi will have two confirmed reports to double check. I got around to this by blocking only inbound connections from russia and china, and then I used the traffic rules to block other regions entirely.
Ok I’ve switched it to incoming only and pikvm.org now resolves properly. Thanks.
Don’t think I would have thought about that.
You're welcome.