Unbound unbound_manager DNS resolution fails


theibus

New Around Here
Hi all,

When I have unbound enabled on my ASUS RT-68U, I am unable to resolve the IPs for discourse.haproxy.org and haproxy.org. As such, the sites fail to load unless I have static entries for them in my hosts file.

My unbound config has not been modified outside of Easy installation options, and IPv6 is disabled.

In the unbound.log file, I see the following:

Code:
Nov 01 16:56:04 unbound[7187:0] error: SERVFAIL <ipv6.haproxy.org. A IN>: all servers for this domain failed, at zone haproxy.org.
Nov 01 16:56:05 unbound[7187:0] error: SERVFAIL <haproxy.ipv6.1wt.eu. A IN>: all servers for this domain failed, at zone 1wt.eu.
Nov 01 16:56:11 unbound[7187:0] error: SERVFAIL <www.haproxy.org. A IN>: all servers for this domain failed, at zone haproxy.org.
Nov 01 17:03:44 unbound[7187:0] error: SERVFAIL <discourse.haproxy.org. A IN>: all servers for this domain failed, at zone haproxy.org.
Nov 01 17:04:20 unbound[7187:0] error: SERVFAIL <discourse.haproxy.org. TYPE65 IN>: all servers for this domain failed, at zone haproxy.org.
Nov 01 17:09:23 unbound[7187:0] error: SERVFAIL <discourse.haproxy.org. A IN>: all servers for this domain failed, at zone haproxy.org.
Nov 01 17:10:36 unbound[7187:0] error: SERVFAIL <discourse.haproxy.org. A IN>: all servers for this domain failed, at zone haproxy.org.
Nov 01 17:10:36 unbound[7187:0] error: SERVFAIL <discourse.haproxy.org. A IN>: all servers for this domain failed, at zone haproxy.org.
Nov 01 17:11:18 unbound[7187:0] error: SERVFAIL <discourse.haproxy.org. A IN>: all servers for this domain failed, at zone haproxy.org.
Nov 01 17:11:18 unbound[7187:0] error: SERVFAIL <discourse.haproxy.org. A IN>: all servers for this domain failed, at zone haproxy.org.
Nov 01 17:14:19 unbound[7187:0] error: SERVFAIL <discourse.haproxy.org. A IN>: all servers for this domain failed, at zone haproxy.org.
Nov 01 17:14:19 unbound[7187:0] error: SERVFAIL <discourse.haproxy.org. A IN>: all servers for this domain failed, at zone haproxy.org.

Has anyone else experienced a similar issue?

Thanks.
 
I am running a Country Blocking Script but The Netherlands is not being blocked. From my script, I have the following countries blocked:

BLOCKED_COUNTRY_LIST="ae af ar au bd br cn es fr id il in ir iq jo kh kp kw kz lb ly ma mn mo ne om pk ph ro rs ru sa sy sc tj tm tr tw ua uz va vn"

The country code for The Netherlands (NL) is not among the codes in that line.
 
Ah, good to know. I was under the impression that the country blocking script was only blocking incoming connections and therefore should not affect the ability to resolve DNS IPs in a blocked country's IP space.

Your reply set me on the right path actually. I had some iptables entries that were dropping outbound traffic in the /jffs/scripts/firewall-start script. After I commented out those entries and rebooted, Unbound is now able to resolve the aforementioned IPs. This is with the country blocking script still enabled.

Thanks for the quick reply!
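Added example (not from the thread or the unbound_manager project): a small POSIX shell audit that lists OUTPUT-chain rules which would stop a router-hosted resolver such as Unbound from reaching upstream name servers, i.e. the kind of firewall-start entries that caused the SERVFAILs above. The rule text is a constructed sample in the format of "iptables -S OUTPUT"; audit_live is the function to run on the router itself.

```shell
#!/bin/sh
# Audit iptables OUTPUT rules for anything that would stop a local resolver
# (Unbound on the router) from reaching authoritative/upstream servers.
# Added example; reads rules in "iptables -S OUTPUT" format.

# Constructed sample resembling what a firewall-start script might have added.
SAMPLE_RULES='-P OUTPUT ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -p udp -m udp --dport 123 -j ACCEPT
-A OUTPUT -d 192.0.2.0/24 -j DROP
-A OUTPUT -p udp -m udp --dport 53 -j DROP
-A OUTPUT -p tcp -m tcp --dport 53 -j REJECT
-A OUTPUT -j ACCEPT'

# Print every OUTPUT rule whose target is DROP or REJECT and that either
# matches destination port 53 or carries no port match at all (and so
# also catches DNS traffic).
dns_blocking_rules() {
    printf '%s\n' "$1" | awk '
        /^-A OUTPUT / && ($0 ~ / -j (DROP|REJECT)( |$)/) {
            if ($0 ~ /--dport 53( |$)/ || $0 !~ /--dport/) print
        }'
}

# Number of such rules, as a quick go/no-go value for a script or cron job.
count_dns_blocking_rules() {
    dns_blocking_rules "$1" | awk 'END { print NR }'
}

# Live check on the router (needs root and iptables); not used by the tests.
audit_live() {
    dns_blocking_rules "$(iptables -S OUTPUT 2>/dev/null)"
}
```

Running audit_live on the router after editing firewall-start shows at a glance whether any outbound rule still covers port 53.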
 
Hiya, is there any way to exclude certain domains in unbound to prevent their IPs from being cached, for example google.com, www.google.com?
 
Ideally you should have opened a new unbound-tagged thread, as your query isn't strictly related to the OP's thread title?

However, Unbound "Zone Refresh" is apparently a long-standing feature request, i.e. unlike BIND, Unbound explicitly "doesn't support NOTIFY"?

So, given that Unbound's ability to set a low TTL is unfortunately global, perhaps a clunky hack would be to schedule the appropriate unbound-control flush command?

e.g. unbound-control flush google.com, etc.
 
You are right as always :) - yes, it should have been a separate thread. I am not so good at this, especially as there is no general unbound_manager thread anymore. Thanks for responding. I am looking closely at google.com resolution as I once encountered a situation where the IP I had for google.com in my unbound cache wasn't responsive. Flushing the cache for a particular zone is indeed a helpful solution! I was also looking yesterday at whether there is a way to forward a particular zone rather than do a recursive search for it (for example forwarding google.com lookups to 8.8.8.8).

Doing a quick domain check, I see that the below have different IPs due to some kind of load balancing.

nslookup google.com ns1.google.com
nslookup google.com 1.1.1.1
nslookup google.com 8.8.8.8
nslookup google.com 9.9.9.9
nslookup www.google.com ns1.google.com
nslookup www.google.com 1.1.1.1
nslookup www.google.com 8.8.8.8
nslookup www.google.com 9.9.9.9

ns1.google.com to ns4.google.com look consistent.
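Added example (not from the thread or the unbound_manager project) covering both the scheduled unbound-control flush suggested above and the per-zone forwarding the last post asks about: a cron-friendly POSIX shell script that flushes a validated list of zones and emits a forward-zone stanza for one zone. It assumes unbound-control is already configured (unbound_manager sets this up) and that the emitted stanza is placed in a file that unbound.conf includes; the zone list is a constructed sample.

```shell
#!/bin/sh
# Scheduled cache refresh for a handful of zones plus a generator for a
# per-zone forwarding stanza. Added example, not the project's own code.
# Assumes unbound-control works on this host and that unbound.conf
# includes the file the stanza is written to.

ZONES="google.com www.google.com"   # constructed sample list of zones to flush
UNBOUND_CONTROL="${UNBOUND_CONTROL:-unbound-control}"

# Accept only plain hostnames (letters, digits, hyphens, dots) so a typo in
# the list cannot become an unexpected argument to unbound-control.
valid_domain() {
    printf '%s' "$1" | grep -Eq '^([a-zA-Z0-9]([a-zA-Z0-9-]*[a-zA-Z0-9])?\.)+[a-zA-Z]{2,}$'
}

# Flush every cached record at or below each listed zone (flush_zone, not
# flush, so www.google.com etc. go too). Prints the number of zones flushed
# so the cron log shows that work was actually done.
flush_zones() {
    n=0
    for z in $1; do
        valid_domain "$z" || { echo "skipping invalid zone: $z" >&2; continue; }
        "$UNBOUND_CONTROL" flush_zone "$z" >/dev/null && n=$((n + 1))
    done
    echo "$n"
}

# Emit a forward-zone stanza sending one zone to a chosen upstream resolver,
# the per-zone alternative to full recursion. Fails on an invalid zone name.
forward_zone_stanza() {
    valid_domain "$1" || return 1
    printf 'forward-zone:\n\tname: "%s"\n\tforward-addr: %s\n' "$1" "$2"
}

# Typical cron use: flush_zones "$ZONES" every few hours; the stanza is
# generated once, e.g. forward_zone_stanza google.com 8.8.8.8 > /path/to/included.conf
```

After changing the included file, unbound-checkconf followed by unbound-control reload applies the forwarding without a full restart.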
 
