Raspberry Pi4 Unbound Servfails on specific Domains
I have a Raspberry Pi 4 with the latest 32-bit Raspbian OS. Installed: Pi-hole (v5.11.4), Telerising-API (0.8.2), Unbound 1.13.1-1.
Unbound is working fine with Pi-hole, but I have the issue that some domains like Zattoo.com, Wilmaa or Teleboy get a SERVFAIL.
These provider names are added in Telerising-API, but I don't know how that is related.
Describe the bug: I'm getting SERVFAIL from Zattoo.com, Wilmaa, Teleboy and some other domains.
To reproduce (steps to reproduce the behavior):
- Install Pi-hole
- Install Unbound
- Install Telerising-API (https://github.com/sunsettrack4/telerising-api)
- Disable unbound-resolvconf.service to get your own nameservers (server side)
- Static IP settings in /etc/network/interfaces
- Configure Pi-hole and Unbound the same as here:
- Once everything is running, try to connect from a web browser to Zattoo.com, Wilmaa, Teleboy
System:
- Unbound version: 1.13.1-1
- OS: Bullseye V11 (Kernel 5.15)
unbound -V output:
To get an idea of what unbound is doing, and what is going on, it is possible to enable debug output. With log-servfail: yes in the config, unbound logs short, one-line messages about servfails during lookups.
It could be something that is not that easily logged as that; enable the debug output with verbosity: 4 and with that there are long debug outputs. That should describe precisely what is going on, and thus also what is causing the lookup failures.
To see those outputs, it may be needed to stop and then start unbound again. This clears the cache, and if the domain names that produce the problems are then looked up, it starts fresh, and the errors are logged at that moment. Otherwise, the names, and also the previous failures, could be in the cache, and then the log may not happen at exactly the time when the domain name is looked up.
This line is of interest: [1661777530] unbound[1175:0] info: validation failure <zattoo.com. A IN>: no DNSSEC records from 152.67.75.144 for DS zattoo.com. while building chain of trust.
This is your forward zone server that does not reply with DNSSEC records when queries for the domain for its DS record are issued. The upstream server responds with:
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 0
;; flags: qr rd ra ; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
zattoo.com. IN DS
;; ANSWER SECTION:
;; AUTHORITY SECTION:
zappn.ml. 3600 IN SOA gabe.ns.cloudflare.com. dns.cloudflare.com. 2281628019 10000 2400 604800 3600
;; ADDITIONAL SECTION:
;; MSG SIZE rcvd: 95
This looks like it queries for type DS at the wrong side of the zone cut. The upstream server does not support DNSSEC. The server would need to be upgraded in version, or in type of server software, to enable DNSSEC support, in this case for fetching the DS record from the correct place.
In your config, there is another error: [1661777515] unbound[1175:0] error: duplicate forward zone . ignored.
This error is there because there are two forward zones for ".". And they try to direct the traffic. You should comment out one of them and then use the other. Right now, unbound ignores the second forward zone config.
Another solution that makes it work is to disable DNSSEC. This can be done by setting the trust anchor to not load, commenting out the config item or using "". Or by using val-permissive-mode: yes, which still creates timeouts and wait times as it tries to validate but fails. Because your upstream does not do DNSSEC, disabling DNSSEC validation may be a thing that makes the domains resolve, but this does not solve the underlying problem, of course.
The problem is I had old entries in /etc/network/interfaces.
But how can I configure the Unbound DNS server's own nameservers, and let the other connected clients use the Unbound server itself?
If I delete dns-nameservers in /etc/network/interfaces, all connections say SERVFAIL.
Not sure what sort of configuration is happening. It seems to be about the forward-zone configuration.
With no forward-zones, unbound resolves by itself. It then looks up names from servers on the internet.
For clients to use unbound, the IPs need to be allowed by the access-control statements in config.
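A configuration that follows this advice and the earlier diagnosis in one file (an added example, not from this thread or the Unbound project; the LAN range 192.168.1.0/24, the Pi's address 192.168.1.2 and the listening port 5335 are assumed placeholders, and the commented-out forward-zone pair is a reconstruction of the broken setup):

```conf
# Assumed file: /etc/unbound/unbound.conf.d/pi-hole.conf
server:
    interface: 127.0.0.1
    interface: 192.168.1.2        # assumed LAN address of the Pi
    port: 5335                    # assumed port that Pi-hole forwards to
    do-ip4: yes
    do-udp: yes
    do-tcp: yes

    # Clients are only answered if access-control allows their source IP;
    # everything else is refused.
    access-control: 127.0.0.0/8 allow
    access-control: 192.168.1.0/24 allow
    access-control: 0.0.0.0/0 refuse

    # Keep DNSSEC validation on. On Debian the trust anchor is already set by
    # /etc/unbound/unbound.conf.d/root-auto-trust-anchor-file.conf, so it is
    # not repeated here. Do not set val-permissive-mode: yes.

    # One-line SERVFAIL diagnostics, as suggested above.
    log-servfail: yes

# No forward-zone at all: Unbound resolves iteratively from the root servers,
# so the DS query for zattoo.com goes to the .com servers, which do return
# DNSSEC data. The broken variant that produced both the "duplicate forward
# zone . ignored" error and the validation failure looked like this:
#
# forward-zone:
#     name: "."
#     forward-addr: 152.67.75.144    # upstream that returns no DNSSEC records
# forward-zone:
#     name: "."                      # second "." zone: ignored with an error
#     forward-addr: 8.8.8.8
```

Validate the file with unbound-checkconf before restarting; after a restart the cache is empty, so a lookup of one of the failing names will log the servfail reason immediately if the problem persists.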
Now Unbound is working properly, but how can I tell the Unbound server itself to use another online DNS name server (e.g. 8.8.8.8), while all other clients in the network use Unbound for name resolution?
For the clients, however, Unbound should then do the DNS. In other words, the network clients should not use the online DNS name server that the Unbound server uses itself for resolving.
I hope you can understand that
If I use /etc/resolv.conf with 8.8.8.8, I think the Unbound server and the clients use the Google DNS, or?
You want to instruct the clients that they should use unbound for DNS resolution? That would mean instructing the client to do that, by entering the IP address of unbound in the DNS server entry. Or by having the DHCP nameserver response use the unbound IP address. Or by setting the ip address of unbound in /etc/resolv.conf, that type of thing.
> Or by having the DHCP nameserver response use the unbound IP address.
This is what pi-hole suggests (https://discourse.pi-hole.net/t/how-do-i-configure-my-devices-to-use-pi-hole-as-their-dns-server/245) and you should have stumbled upon it while configuring from the guide you posted. I mean you may have already done that step :)
Yes, that worked I think.
I set the DNS nameservers in /etc/resolv.conf instead of 127.0.0.1.
The problem before was the dns-nameservers in /etc/network/interfaces and the forward-zone in unbound.conf.
I removed both, now it works.