Use unbound-host -rvdD twitterdatadash.com

Add more -d to increase verbosity. It might reveal why its validation is failing. SERVFAIL usually means validation failure, or a network outage. Check whether its servers are not listed in unbound-control dump_infra.
On 5/15/22 06:55, BangDroid via Unbound-users wrote:
> I do have DNSSEC validation enabled, however all tests validate
> successfully.
>
> When I run
>
> $ delv twitterdatadash.com
> ;; resolution failed: SERVFAIL
>
> On Sat, 14 May 2022 at 21:30, <unbound-users-requ...@lists.nlnetlabs.nl> wrote:
>
>> Today's Topics:
>>
>>    1. Only one domain failing to resolve, unbound pi-hole (BangDroid)
>>    2. Re: Only one domain failing to resolve, unbound pi-hole
>>       (Georg Pfuetzenreuter)
>>
>> ----------------------------------------------------------------------
>>
>> Message: 1
>> Date: Sat, 14 May 2022 13:06:26 +0930
>> From: BangDroid <bangdroid.ban...@gmail.com>
>> To: unbound-users@lists.nlnetlabs.nl
>> Subject: Only one domain failing to resolve, unbound pi-hole
>> Message-ID: <caa3iksf5pvefzfoq1n8t_wgyj+rv-of6ertxbxur24v2chb...@mail.gmail.com>
>>
>> Kind of pulling my hair out with this one.. The domain twitterdatadash.com
>> will not resolve with unbound recursively. I get SERVFAIL.
>>
>> root.hints is up to date, local time on raspi is accurate. No other domains
>> are failing.
>>
>> Both dig sigfail.verteiltesysteme.net @127.0.0.1 -p 5335 and
>> dig sigok.verteiltesysteme.net @127.0.0.1 -p 5335 are as expected.
>>
>> Switching to an upstream DNS in Pi-hole will get the domain to successfully
>> resolve, as well as using a standard DNS forward-zone in
>> unbound.conf.d/pi-hole.conf:
>>
>>     forward-zone:
>>         name: "."
>>         forward-addr: 8.8.8.8
>>
>> However, if I use a DoT forward zone (because suspected possible? DNS
>> hijacking by ISP):
>>
>>     tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt
>>     forward-zone:
>>         name: "."
>>         forward-addr: 1.1.1.1@853#cloudflare-dns.com
>>         forward-addr: 1.0.0.1@853#cloudflare-dns.com
>>         forward-ssl-upstream: yes
>>
>> Everything works exactly as expected, including https://1.1.1.1/help
>> **except** twitterdatadash.com remains SERVFAIL.
>>
>> Paste of dig outputs with various unbound configurations:
>> https://pastebin.com/k1LtjzHB
>>
>> pi-hole.conf: https://pastebin.com/szLmcNFj
>>
>> unbound logs grepped with "twitterdatadash":
>>
>> 'default' pihole.conf: https://pastebin.com/JmgUDSRv
>>
>> with DoT: https://pastebin.com/k3UgdZD4
>>
>> Accessing that domain is not crucial by any means, I am only concerned it
>> may be indicative of a bigger issue. It seems like there must be an issue
>> with my configuration somewhere, but every test I run appears to indicate
>> no issue. Is it possible the issue is not my end? Anyone have any ideas?
>>
>> ------------------------------
>>
>> Message: 2
>> Date: Sat, 14 May 2022 09:27:17 +0200
>> From: Georg Pfuetzenreuter <ge...@syscid.com>
>> To: unbound-users@lists.nlnetlabs.nl
>> Subject: Re: Only one domain failing to resolve, unbound pi-hole
>> Message-ID: <8b3813a3-5677-4011-1eac-c6921dd9e...@syscid.com>
>>
>> Maybe you have DNSSEC validation enabled?
>>
>> $ delv twitterdatadash.com
>> ; unsigned answer
>> twitterdatadash.com.    7200    IN    A    34.96.91.68
>>
>>
>> On 5/14/22 05:36, BangDroid via Unbound-users wrote:
>>> [quoted text identical to Message 1 above; trimmed]
>>
>> ------------------------------
>>
>> End of Unbound-users Digest, Vol 29, Issue 9
>> ********************************************

-- 
Petr Menšík
Software Engineer
Red Hat, http://www.redhat.com/
email: pemen...@redhat.com
PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB
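The reply above distinguishes two causes of a SERVFAIL from a validating Unbound: a DNSSEC validation failure, or the resolver simply not being able to reach the zone's servers. One quick way to tell them apart from the client side is to repeat the query with the CD (checking disabled) bit set: Unbound then hands back whatever it fetched without validating it, so "SERVFAIL normally, NOERROR with +cd" points at validation, while "SERVFAIL both ways" points at an upstream or network problem. The script below is an added example written for this page; it is not from the thread, the Unbound project, or either poster. It assumes BIND's dig is installed and that Unbound listens on 127.0.0.1 port 5335 (the Pi-hole layout from the thread); both are assumptions and are overridable on the command line. The dig header lines used to check the parser are constructed, not captured.

```shell
#!/bin/sh
# Added example (not from the thread or the Unbound project): triage a SERVFAIL
# from a validating resolver by comparing a normal query with a +cd query.
# Assumptions: BIND's dig is available; the resolver is Unbound on
# 127.0.0.1:5335 as in the Pi-hole setup from the thread. Adjust as needed.

# extract_status: read dig output on stdin and print the rcode from the
# ";; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4711" line.
# Prints nothing if dig produced no header (e.g. "connection timed out").
extract_status() {
    sed -n 's/^;; ->>HEADER<<- opcode: [A-Z]*, status: \([A-Z]*\),.*/\1/p' | head -n 1
}

# classify_servfail NORMAL_RCODE CD_RCODE: decide what a SERVFAIL means.
#   NORMAL_RCODE: status of "dig NAME" (validation on)
#   CD_RCODE:     status of "dig +cd NAME" (validation skipped by the resolver)
# Use the literal NONE for "no header line at all".
classify_servfail() {
    normal="$1"
    withcd="$2"
    case "$normal" in
        NONE)
            echo "no-response-from-resolver" ;;
        SERVFAIL)
            # Data is fetchable but rejected by the validator.
            if [ "$withcd" = "NOERROR" ] || [ "$withcd" = "NXDOMAIN" ]; then
                echo "dnssec-validation-failure"
            else
                # Even without validation nothing comes back: the resolver
                # cannot get an answer from the authoritative servers.
                echo "upstream-or-network-failure"
            fi ;;
        *)
            echo "resolves" ;;
    esac
}

# live_check NAME [SERVER] [PORT]: run both queries against a real resolver
# and print the verdict. Needs dig and network access; not run by default.
live_check() {
    name="$1"
    server="${2:-127.0.0.1}"
    port="${3:-5335}"
    command -v dig >/dev/null 2>&1 || { echo "dig not found" >&2; return 2; }
    normal=$(dig @"$server" -p "$port" "$name" A | extract_status)
    withcd=$(dig +cd @"$server" -p "$port" "$name" A | extract_status)
    normal="${normal:-NONE}"
    withcd="${withcd:-NONE}"
    printf '%s: normal=%s cd=%s -> %s\n' "$name" "$normal" "$withcd" \
        "$(classify_servfail "$normal" "$withcd")"
}

# Only query a live resolver when a name is given on the command line, e.g.
#   sh servfail_triage.sh twitterdatadash.com 127.0.0.1 5335
if [ -n "${1:-}" ]; then
    live_check "$@"
fi
```

If the verdict is a validation failure, the next step on the Unbound side is the one the reply suggests: raise verbosity (or set val-log-level: 2 in unbound.conf, which makes Unbound log the reason a validation failed) and look at the log line for the name. If the verdict is an upstream or network failure, unbound-control dump_infra shows what Unbound currently thinks of each authoritative server it has talked to, which is where a server marked unreachable or lame would show up.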