Unbound Unbound suddenly not resolving certian domains!

[Khadanja]

Everything was working fine until a day or two ago but now suddenly unbuond won't resolve this domain my.nest.gq. DNS is working fine as it works with VPN or if I use a different DNS server. 2nd Dig result is when using Cloudflare DNS. There is one more domain I'm having exactly same issue with. I'm not blocking any country in Skynet.

; <<>> DiG 9.16.29 <<>> my.nest.gq
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 61048
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1472
;; QUESTION SECTION:
;my.nest.gq.                    IN      A
;; Query time: 2 msec
;; SERVER: 192.168.1.1#53(192.168.1.1)
;; WHEN: Wed Jul 20 10:52:52 New Zealand Standard Time 2022
;; MSG SIZE  rcvd: 39

; <<>> DiG 9.18.1 <<>> my.nest.gq
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18636
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;my.nest.gq.                    IN      A
;; ANSWER SECTION:
my.nest.gq.             300     IN      A       172.67.134.106
my.nest.gq.             300     IN      A       104.21.25.172
;; Query time: 170 msec
;; SERVER: 1.1.1.1#53(1.1.1.1) (UDP)
;; WHEN: Tue Jul 19 22:54:27 UTC 2022
;; MSG SIZE  rcvd: 71

 

[Jumpstarter]

Everything was working fine until a day or two ago but now suddenly unbuond won't resolve this domain my.nest.gq. DNS is working fine as it works with VPN or if I use a different DNS server. 2nd Dig result is when using Cloudflare DNS. There is one more domain I'm having exactly same issue with. I'm not blocking any country in Skynet.

; <<>> DiG 9.16.29 <<>> my.nest.gq
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 61048
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1472
;; QUESTION SECTION:
;my.nest.gq.                    IN      A
;; Query time: 2 msec
;; SERVER: 192.168.1.1#53(192.168.1.1)
;; WHEN: Wed Jul 20 10:52:52 New Zealand Standard Time 2022
;; MSG SIZE  rcvd: 39

; <<>> DiG 9.18.1 <<>> my.nest.gq
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18636
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;my.nest.gq.                    IN      A
;; ANSWER SECTION:
my.nest.gq.             300     IN      A       172.67.134.106
my.nest.gq.             300     IN      A       104.21.25.172
;; Query time: 170 msec
;; SERVER: 1.1.1.1#53(1.1.1.1) (UDP)
;; WHEN: Tue Jul 19 22:54:27 UTC 2022
;; MSG SIZE  rcvd: 71

Are you using DNSFirewall or Unbound adblock options?

 

[Khadanja]

Yes, I don't see any log relating to this getting blocked by DNS firewall or adblock though? Do you use unbound? Can you resolve it?

Are you using DNSFirewall or Unbound adblock options?

 

[L&LD]

Have you tried rebooting the router?

Is amtm, Unbound, and all other scripts (including Entware) fully updated?

Are you actually using firmware 386.3_2?

Any reason you're not using current firmware?

 

[Jumpstarter]

Yes, I don't see any log relating to this getting blocked by DNS firewall or adblock though? Do you use unbound? Can you resolve it?

Yes
dig my.nest.gq

; <<>> DiG 9.16.27-Raspbian <<>> my.nest.gq
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22960
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;my.nest.gq. IN A

;; ANSWER SECTION:
my.nest.gq. 1200 IN A 172.67.134.106
my.nest.gq. 1200 IN A 104.21.25.172

;; Query time: 99 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Jul 19 19:02:28 EDT 2022
;; MSG SIZE rcvd: 71

However I don't use dnsfirewall or adblock features, also skynet has not blacklisted it for me either.

 

[Khadanja]

Have you tried rebooting the router?

Is amtm, Unbound, and all other scripts (including Entware) fully updated?

Are you actually using firmware 386.3_2?

Any reason you're not using current firmware?

Yes to all. Sorry forgot to update signature, using 386.7
If this helps - Jul 20 09:34:27 RT-AC68U-20E0 unbound: [3695:1] error: SERVFAIL <ad.nest.gq. A IN>: all servers for this domain failed, at zone gq. no server to query nameserver addresses not usable

 

[Jumpstarter]

My recommendation is to make sure you have it whitelisted in any blockers that may be blocking it DNS or firewall wise.

 

[Jumpstarter]

Yes to all. Sorry forgot to update signature, using 386.7
If this helps - Jul 20 09:34:27 RT-AC68U-20E0 unbound: [3695:1] error: SERVFAIL <ad.nest.gq. A IN>: all servers for this domain failed, at zone gq. no server to query nameserver addresses not usable

My first thought is your skynet or AI Protect may have somehow blacklisted it. I would whitelist it there first, then add it to any adblock whitelist you have.

 

[Khadanja]

My first thought is your skynet or AI Protect may have somehow blacklisted it. I would whitelist it there first, then add it to any adblock whitelist you have.

tried whitelisting in skynet & unbound adblock, no luck

 

[L&LD]

Did you reboot?

 

[Khadanja]

Did you reboot?

Yes twice

 

[Jumpstarter]

tried whitelisting in skynet & unbound adblock, no luck

Keep in mind you may need to reboot everything like @L&LD suggest so that it refreshes everything, your unbound cache may also need to be cleared or you need to wait for the entries to expire before you notice any change especially if you are relying on unbound managers cache restoration on reboots.

 

[Khadanja]

ok will shut down everything for a while, router & modem both. One other subdomain was working until few minutes ago but now that also doesn't work.

 

[Jumpstarter]

ok will shut down everything for a while, router & modem both. One other subdomain was working until few minutes ago but now that also doesn't work.

You may need to purge your unbound cache and start fresh. You could have some cache poisoning maybe?

 

[dave14305]

Yes to all. Sorry forgot to update signature, using 386.7
If this helps - Jul 20 09:34:27 RT-AC68U-20E0 unbound: [3695:1] error: SERVFAIL <ad.nest.gq. A IN>: all servers for this domain failed, at zone gq. no server to query nameserver addresses not usable

Try to ping any of these nameservers for gq (185.21…). I suspect they might be blocked by Skynet.

# dig NS gq.

; <<>> DiG 9.18.1 <<>> NS gq.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60877
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 9

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 953ebfb937b9b4617ed2ab7762d73bf082f57b5536453cfb (good)
;; QUESTION SECTION:
;gq.                            IN      NS

;; ANSWER SECTION:
gq.                     10800   IN      NS      a.ns.gq.
gq.                     10800   IN      NS      d.ns.gq.
gq.                     10800   IN      NS      b.ns.gq.
gq.                     10800   IN      NS      c.ns.gq.

;; ADDITIONAL SECTION:
a.ns.gq.                28800   IN      A       185.21.168.65
b.ns.gq.                28800   IN      A       185.21.169.65
c.ns.gq.                28800   IN      A       185.21.170.65
d.ns.gq.                28800   IN      A       185.21.171.65
a.ns.gq.                28800   IN      AAAA    2a04:1b00:10::1
b.ns.gq.                28800   IN      AAAA    2a04:1b00:11::1
c.ns.gq.                28800   IN      AAAA    2a04:1b00:12::1
d.ns.gq.                28800   IN      AAAA    2a04:1b00:13::1

 

[Khadanja]

Try to ping any of these nameservers for gq (185.21…). I suspect they might be blocked by Skynet.

# dig NS gq.

; <<>> DiG 9.18.1 <<>> NS gq.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60877
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 9

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 953ebfb937b9b4617ed2ab7762d73bf082f57b5536453cfb (good)
;; QUESTION SECTION:
;gq.                            IN      NS

;; ANSWER SECTION:
gq.                     10800   IN      NS      a.ns.gq.
gq.                     10800   IN      NS      d.ns.gq.
gq.                     10800   IN      NS      b.ns.gq.
gq.                     10800   IN      NS      c.ns.gq.

;; ADDITIONAL SECTION:
a.ns.gq.                28800   IN      A       185.21.168.65
b.ns.gq.                28800   IN      A       185.21.169.65
c.ns.gq.                28800   IN      A       185.21.170.65
d.ns.gq.                28800   IN      A       185.21.171.65
a.ns.gq.                28800   IN      AAAA    2a04:1b00:10::1
b.ns.gq.                28800   IN      AAAA    2a04:1b00:11::1
c.ns.gq.                28800   IN      AAAA    2a04:1b00:12::1
d.ns.gq.                28800   IN      AAAA    2a04:1b00:13::1

I can ping all of them

 

[Jumpstarter]

I can ping all of them

Maybe corrupt cache then?

 

[Khadanja]

I think something to do with timeout. https://www.nlnetlabs.nl/documentation/unbound/info-timeout/

Service Failed with 'timeout' · Issue #56 · NLnetLabs/unbound

I'm seeing serious issues with unbound where the service simply restarts itself intermittently. I say intermittently but I'm beginning to think it's related to the service failed timeout + the rest...

github.com

The following name servers are used for lookup of my.nest.gq.
;rrset 167531 4 0 10 0
gq.     167531  IN      NS      a.ns.gq.
gq.     167531  IN      NS      b.ns.gq.
gq.     167531  IN      NS      c.ns.gq.
gq.     167531  IN      NS      d.ns.gq.
;rrset 81131 1 1 10 0
gq.     81131   IN      NSEC    gr. NS RRSIG NSEC
gq.     81131   IN      RRSIG   NSEC 8 1 86400 20220801170000 20220719160000 20826 . kQDw63Ys3XeiWd8XHbW0qYJ67gKXFu6HZju82wavjAMER/fCh1cF+r88fCleAA5Sr3FpBES19HlZOFHX6Xpwxaa4OolfPcmz2qAFQIvQz22sjcxYUc7+YJdO7StoNXyMgGrAVb0aLyEyhpCMpAMsv6U}
;rrset 167531 1 0 10 0
d.ns.gq.        167531  IN      A       185.21.171.65
;rrset 167531 1 0 10 0
d.ns.gq.        167531  IN      AAAA    2a04:1b00:13::1
;rrset 167531 1 0 10 0
c.ns.gq.        167531  IN      A       185.21.170.65
;rrset 167531 1 0 10 0
c.ns.gq.        167531  IN      AAAA    2a04:1b00:12::1
;rrset 167531 1 0 10 0
b.ns.gq.        167531  IN      A       185.21.169.65
;rrset 167531 1 0 10 0
b.ns.gq.        167531  IN      AAAA    2a04:1b00:11::1
;rrset 167531 1 0 10 0
a.ns.gq.        167531  IN      A       185.21.168.65
;rrset 167531 1 0 10 0
a.ns.gq.        167531  IN      AAAA    2a04:1b00:10::1
Delegation with 4 names, of which 0 can be examined to query further addresses.
It provides 8 IP addresses.
2a04:1b00:10::1         not in infra cache.
185.21.168.65           not in infra cache.
2a04:1b00:11::1         not in infra cache.
185.21.169.65           rto 120000 msec, ttl 827, ping 0 var 94 rtt 376, tA 3, tAAAA 0, tother 3, probedelay 48, EDNS 0 assumed.
2a04:1b00:12::1         not in infra cache.
185.21.170.65           expired, rto 120000 msec, tA 3 tAAAA 0 tother 3.
2a04:1b00:13::1         not in infra cache.
185.21.171.65           expired, rto 120000 msec, tA 3 tAAAA 0 tother 0.

 

[dave14305]

I can ping all of them

Try

dig NS nest.gq. @185.21.168.65

 

[Khadanja]

Try

dig NS nest.gq. @185.21.168.65

; <<>> DiG 9.16.29 <<>> NS nest.gq. @185.21.168.65
;; global options: +cmd
;; connection timed out; no servers could be reached