Unbound unbound_manager DNS resolution fails


theibus

New Around Here
Hi all,

When I have unbound enabled on my ASUS RT-68U, I am unable to resolve the IPs for discourse.haproxy.org and haproxy.org. As such, the sites fail to load unless I have static entries for them in my hosts file.

My unbound config has not been modified outside of Easy installation options, and IPv6 is disabled.

In the unbound.log file, I see the following:

Code:
Nov 01 16:56:04 unbound[7187:0] error: SERVFAIL <ipv6.haproxy.org. A IN>: all servers for this domain failed, at zone haproxy.org.
Nov 01 16:56:05 unbound[7187:0] error: SERVFAIL <haproxy.ipv6.1wt.eu. A IN>: all servers for this domain failed, at zone 1wt.eu.
Nov 01 16:56:11 unbound[7187:0] error: SERVFAIL <www.haproxy.org. A IN>: all servers for this domain failed, at zone haproxy.org.
Nov 01 17:03:44 unbound[7187:0] error: SERVFAIL <discourse.haproxy.org. A IN>: all servers for this domain failed, at zone haproxy.org.
Nov 01 17:04:20 unbound[7187:0] error: SERVFAIL <discourse.haproxy.org. TYPE65 IN>: all servers for this domain failed, at zone haproxy.org.
Nov 01 17:09:23 unbound[7187:0] error: SERVFAIL <discourse.haproxy.org. A IN>: all servers for this domain failed, at zone haproxy.org.
Nov 01 17:10:36 unbound[7187:0] error: SERVFAIL <discourse.haproxy.org. A IN>: all servers for this domain failed, at zone haproxy.org.
Nov 01 17:10:36 unbound[7187:0] error: SERVFAIL <discourse.haproxy.org. A IN>: all servers for this domain failed, at zone haproxy.org.
Nov 01 17:11:18 unbound[7187:0] error: SERVFAIL <discourse.haproxy.org. A IN>: all servers for this domain failed, at zone haproxy.org.
Nov 01 17:11:18 unbound[7187:0] error: SERVFAIL <discourse.haproxy.org. A IN>: all servers for this domain failed, at zone haproxy.org.
Nov 01 17:14:19 unbound[7187:0] error: SERVFAIL <discourse.haproxy.org. A IN>: all servers for this domain failed, at zone haproxy.org.
Nov 01 17:14:19 unbound[7187:0] error: SERVFAIL <discourse.haproxy.org. A IN>: all servers for this domain failed, at zone haproxy.org.

Has anyone else experienced a similar issue?

Thanks.
 

dave14305

Part of the Furniture
Do you have any other scripts that may be blocking countries like The Netherlands?
 

theibus

New Around Here
I am running a Country Blocking Script but The Netherlands is not being blocked. From my script, I have the following countries blocked:

BLOCKED_COUNTRY_LIST="ae af ar au bd br cn es fr id il in ir iq jo kh kp kw kz lb ly ma mn mo ne om pk ph ro rs ru sa sy sc tj tm tr tw ua uz va vn"

The country code for The Netherlands (NL) is not among the codes in that line.
 

theibus

New Around Here
Ah, good to know. I was under the impression that the country blocking script was only blocking incoming connections and therefore should not affect the ability to resolve DNS IPs in a blocked country's IP space.

Your reply set me on the right path actually. I had some iptables entries that were dropping outbound traffic in the /jffs/scripts/firewall-start script. After I commented out those entries and rebooted, Unbound is now able to resolve the aforementioned IPs. This is with the country blocking script still enabled.

Thanks for the quick reply!
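
The symptom in this thread, many different names failing under the same zone with "all servers for this domain failed", is what a blocked path to a zone's authoritative servers looks like from the resolver's side. The following is an added example, not part of the original posts: a shell function (the name servfail_by_zone is hypothetical) that counts SERVFAIL lines and distinct query names per zone. The sample lines are constructed in the format of the log excerpt in the first post.

```shell
#!/bin/sh
# Added example: summarise unbound SERVFAIL log lines per zone.
# Output columns: <failures> <distinct query names> <zone>, busiest zone first.

# Constructed sample input, following the format shown in the first post.
sample_log() {
cat <<'EOF'
Nov 01 16:56:04 unbound[7187:0] error: SERVFAIL <ipv6.haproxy.org. A IN>: all servers for this domain failed, at zone haproxy.org.
Nov 01 16:56:05 unbound[7187:0] error: SERVFAIL <haproxy.ipv6.1wt.eu. A IN>: all servers for this domain failed, at zone 1wt.eu.
Nov 01 16:56:11 unbound[7187:0] error: SERVFAIL <www.haproxy.org. A IN>: all servers for this domain failed, at zone haproxy.org.
Nov 01 17:03:44 unbound[7187:0] error: SERVFAIL <discourse.haproxy.org. A IN>: all servers for this domain failed, at zone haproxy.org.
Nov 01 17:04:20 unbound[7187:0] error: SERVFAIL <discourse.haproxy.org. TYPE65 IN>: all servers for this domain failed, at zone haproxy.org.
Nov 01 17:05:00 unbound[7187:0] info: constructed non-SERVFAIL line
EOF
}

# Reads an unbound log on stdin and prints one summary line per failing zone.
servfail_by_zone() {
    awk '
    / error: SERVFAIL </ && /all servers for this domain failed, at zone / {
        # Query name: the text between "<" and the first space after it.
        q = $0; sub(/^.*SERVFAIL </, "", q); sub(/ .*$/, "", q)
        # Zone: the text after "at zone ", minus the trailing root dot.
        z = $0; sub(/^.*at zone /, "", z)
        if (z != ".") sub(/\.$/, "", z)
        count[z]++
        if (!((z, q) in seen)) { seen[z, q] = 1; names[z]++ }
    }
    END { for (z in count) printf "%d %d %s\n", count[z], names[z], z }
    ' | sort -k1,1nr -k3,3
}

# Demonstration on the constructed sample; on a router, feed it unbound.log.
sample_log | servfail_by_zone
```

A zone with several distinct failing names points at reachability of that zone's name servers (firewall rules, routing) rather than at one bad record.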
 

Slawek P

Regular Contributor
Hiya, is there any way in unbound to exclude certain domains, to prevent their IPs from being cached - for example google.com, www.google.com?
 

Martineau

Part of the Furniture
> Hiya, is there any way in unbound to exclude certain domains, to prevent their IPs from being cached - for example google.com, www.google.com?

Ideally you should have opened a new unbound tagged thread as your query isn't strictly related to the OP's thread title?

However, Unbound "Zone Refresh" is apparently a long-standing feature request, i.e. unlike BIND, Unbound explicitly "doesn't support NOTIFY"?

So, given Unbound's ability to set a low TTL is unfortunately global, perhaps a clunky hack would be to schedule the appropriate unbound-control flush command?

e.g. unbound-control flush google.com etc
 

Slawek P

Regular Contributor
> Ideally you should have opened a new unbound tagged thread as your query isn't strictly related to the OP's thread title?
>
> However, Unbound "Zone Refresh" is apparently a long-standing feature request, i.e. unlike BIND, Unbound explicitly "doesn't support NOTIFY"?
>
> So, given Unbound's ability to set a low TTL is unfortunately global, perhaps a clunky hack would be to schedule the appropriate unbound-control flush command?
>
> e.g. unbound-control flush google.com etc

You are right as always :) - yes, it should have been a separate thread - I am not so good at this, especially as there is no general unbound_manager thread anymore. Thanks for responding. I am looking closely at google.com resolution as I once encountered a situation where the IP I had for google.com in my unbound cache wasn't responsive. Flushing the cache for a particular zone is indeed a helpful solution! I also saw yesterday that there is a way to forward for a particular zone rather than do a recursive search for it (for example, forwarding google.com domain searches to 8.8.8.8).

Doing a quick domain check, I see that the lookups below return different IPs due to some kind of load balancing.

Code:
nslookup google.com ns1.google.com
nslookup google.com 1.1.1.1
nslookup google.com 8.8.8.8
nslookup google.com 9.9.9.9
nslookup www.google.com ns1.google.com
nslookup www.google.com 1.1.1.1
nslookup www.google.com 8.8.8.8
nslookup www.google.com 9.9.9.9
ns1.google.com-ns4 look consistent.
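
The scheduled flush suggested above, as an added example that is not part of the original posts: a script that flushes a list of names with unbound-control flush and can be run from cron. The function names and the UNBOUND_CONTROL variable are assumptions of this example. Because a cron job on the router runs with full privileges, each name is validated before it reaches the command line.

```shell
#!/bin/sh
# Added example: flush selected names from the unbound cache on a schedule.
# UNBOUND_CONTROL is an assumption; point it at your unbound-control binary.
UNBOUND_CONTROL="${UNBOUND_CONTROL:-unbound-control}"

# Accept only plain DNS names: letters, digits, hyphens and dots, with no
# leading hyphen or dot, so a list entry can never be parsed as an option.
valid_name() {
    case "$1" in
        ""|-*|.*|*..*|*[!A-Za-z0-9.-]*) return 1 ;;
    esac
    [ "${#1}" -le 253 ]
}

# Reads one name per line on stdin; "#" comments and blank lines are ignored.
# Prints "flushed N skipped M" and returns non-zero if any entry was
# rejected or its flush command failed.
flush_names() {
    flushed=0 skipped=0
    while IFS= read -r name; do
        name=${name%%#*}                                   # strip comment
        name=$(printf '%s' "$name" | tr -d ' \t\r')        # strip whitespace
        [ -z "$name" ] && continue
        if valid_name "$name" && $UNBOUND_CONTROL flush "$name" >/dev/null 2>&1; then
            flushed=$((flushed + 1))
        else
            skipped=$((skipped + 1))
        fi
    done
    echo "flushed $flushed skipped $skipped"
    [ "$skipped" -eq 0 ]
}

# When called with a file argument, flush every name listed in that file.
if [ -n "${1:-}" ]; then
    flush_names < "$1"
fi
```

unbound-control flush removes the records cached for that exact name only, so google.com and www.google.com each need their own line in the list.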
 
