Hello. I run an Unbound instance as the resolver for my home network. It is configured to forward queries to one of the three big providers of public DNS (Google, Cloudflare or Quad9) using DNS-over-TLS.
Yesterday I noticed that I'm getting periodic bursts of SERVFAIL from the upstream servers and this occurs no matter which of the three providers I'm using. Here are some examples of the log entries I'm seeing:

Jun 02 04:28:19 unbound[3372:0] error: SERVFAIL <lh3.googleusercontent.com. AAAA IN>: all the configured stub or forward servers failed, at zone . from 2620:fe::fe upstream server timeout
Jun 02 04:28:19 unbound[3372:1] error: SERVFAIL <www.googleapis.com. HTTPS IN>: all the configured stub or forward servers failed, at zone . from 149.112.112.112 upstream server timeout
Jun 02 04:28:19 unbound[3372:0] error: SERVFAIL <oauth2.googleapis.com. HTTPS IN>: all the configured stub or forward servers failed, at zone . from 2620:fe::fe upstream server timeout
Jun 02 04:28:19 unbound[3372:1] error: SERVFAIL <docs.google.com. A IN>: all the configured stub or forward servers failed, at zone . from 149.112.112.112 upstream server timeout
Jun 02 04:28:19 unbound[3372:1] error: SERVFAIL <oauthaccountmanager.googleapis.com. AAAA IN>: all the configured stub or forward servers failed, at zone . from 2620:fe::fe upstream server timeout
Jun 02 04:28:19 unbound[3372:1] error: SERVFAIL <lh3.googleusercontent.com. HTTPS IN>: all the configured stub or forward servers failed, at zone . from 2620:fe::fe upstream server timeout
Jun 02 04:28:19 unbound[3372:0] error: SERVFAIL <people-pa.googleapis.com. AAAA IN>: all the configured stub or forward servers failed, at zone . from 9.9.9.9 upstream server timeout
Jun 02 04:28:19 unbound[3372:0] error: SERVFAIL <www.google.com. AAAA IN>: all the configured stub or forward servers failed, at zone . from 9.9.9.9 upstream server timeout
Jun 02 09:35:27 unbound[3372:1] error: SERVFAIL <oauth2.googleapis.com. A IN>: all the configured stub or forward servers failed, at zone . from 149.112.112.112 upstream server timeout
Jun 02 09:35:27 unbound[3372:1] error: SERVFAIL <oauth2.googleapis.com. HTTPS IN>: all the configured stub or forward servers failed, at zone . from 149.112.112.112 upstream server timeout
Jun 02 09:35:27 unbound[3372:0] error: SERVFAIL <people-pa.googleapis.com. HTTPS IN>: all the configured stub or forward servers failed, at zone . from 9.9.9.9 upstream server timeout
Jun 02 09:35:27 unbound[3372:1] error: SERVFAIL <people-pa.googleapis.com. A IN>: all the configured stub or forward servers failed, at zone . from 149.112.112.112 upstream server timeout
Jun 02 09:35:27 unbound[3372:0] error: SERVFAIL <notifications-pa.googleapis.com. AAAA IN>: all the configured stub or forward servers failed, at zone . from 149.112.112.112 upstream server timeout
Jun 02 09:35:27 unbound[3372:0] error: SERVFAIL <lh3.googleusercontent.com. AAAA IN>: all the configured stub or forward servers failed, at zone . from 149.112.112.112 upstream server timeout
Jun 02 09:35:27 unbound[3372:0] error: SERVFAIL <maps.googleapis.com. AAAA IN>: all the configured stub or forward servers failed, at zone . from 149.112.112.112 upstream server timeout
Jun 02 09:35:27 unbound[3372:0] error: SERVFAIL <web.facebook.com. HTTPS IN>: all the configured stub or forward servers failed, at zone . no server to query nameserver addresses not usable have no nameserver names
Jun 02 09:35:27 unbound[3372:0] error: SERVFAIL <web.facebook.com. AAAA IN>: all the configured stub or forward servers failed, at zone . no server to query nameserver addresses not usable have no nameserver names
Jun 02 09:35:27 unbound[3372:0] error: SERVFAIL <web.facebook.com. A IN>: all the configured stub or forward servers failed, at zone . no server to query nameserver addresses not usable have no nameserver names
Jun 02 09:35:27 unbound[3372:0] error: SERVFAIL <edge-mqtt.facebook.com. AAAA IN>: all the configured stub or forward servers failed, at zone . no server to query nameserver addresses not usable have no nameserver names
Jun 02 09:35:27 unbound[3372:0] error: SERVFAIL <edge-mqtt.facebook.com. A IN>: all the configured stub or forward servers failed, at zone . no server to query nameserver addresses not usable have no nameserver names
Jun 02 09:35:27 unbound[3372:0] error: SERVFAIL <www.google.com. A IN>: all the configured stub or forward servers failed, at zone . from 149.112.112.112 upstream server timeout
Jun 02 09:35:27 unbound[3372:1] error: SERVFAIL <notifications-pa.googleapis.com. HTTPS IN>: all the configured stub or forward servers failed, at zone . from 149.112.112.112 upstream server timeout
Jun 02 09:35:27 unbound[3372:0] error: SERVFAIL <gnpfesdk-pa.googleapis.com. AAAA IN>: all the configured stub or forward servers failed, at zone . from 149.112.112.112 upstream server timeout
Jun 02 09:54:50 unbound[3372:0] error: SERVFAIL <edge-mqtt.facebook.com. A IN>: all the configured stub or forward servers failed, at zone . from 9.9.9.9 upstream server timeout
Jun 02 09:54:50 unbound[3372:0] error: SERVFAIL <app-measurement.com. AAAA IN>: all the configured stub or forward servers failed, at zone . from 9.9.9.9 upstream server timeout

The fact that this is occurring with all three providers suggests to me that the problem may be at my end. Can anyone advise on how I might go about debugging this? The forwarding part of my unbound configuration is as follows:

# Forward all other queries to these upstream servers
forward-zone:
    name: "."
    #forward-addr: 1.1.1.1
    #forward-addr: 1.0.0.1
    forward-tls-upstream: yes

    # Google Public DNS
    #forward-addr: 8.8.8.8@853
    #forward-addr: 8.8.8.8@853
    #forward-addr: 2001:4860:4860::8888@853
    #forward-addr: 2001:4860:4860::8844@853

    # CloudFlare 1.1.1.1
    #forward-addr: 2606:4700:4700::1111@853#cloudflare-dns.com
    #forward-addr: 1.1.1.1@853#cloudflare-dns.com
    #forward-addr: 2606:4700:4700::1001@853#cloudflare-dns.com
    #forward-addr: 1.0.0.1@853#cloudflare-dns.com

    # CloudFlare malware blocking
    #forward-addr: 1.1.1.2@853#cloudflare-dns.com
    #forward-addr: 1.0.0.2@853#cloudflare-dns.com
    #forward-addr: 2606:4700:4700::1112@853#cloudflare-dns.com
    #forward-addr: 2606:4700:4700::1002@853#cloudflare-dns.com

    # CloudFlare malware and adult content blocking
    #forward-addr: 1.1.1.3@853#cloudflare-dns.com
    #forward-addr: 1.0.0.3@853#cloudflare-dns.com
    #forward-addr: 2606:4700:4700::1113@853#cloudflare-dns.com
    #forward-addr: 2606:4700:4700::1003@853#cloudflare-dns.com

    # Quad9 with malicious domain blocking
    forward-addr: 9.9.9.9@853#dns.quad9.net
    forward-addr: 149.112.112.112@853#dns.quad9.net
    forward-addr: 2620:fe::fe@853#dns.quad9.net
    forward-addr: 2620:fe::9@853#dns.quad9.net

Thanks in advance for any advice.

Regards,
Jason
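
Added example, not part of the post above: a first triage step for log entries in this format is to bucket the SERVFAIL lines by second and list which upstream addresses and failure reasons each burst contains. The function names are hypothetical, and treating a burst that times out on IPv4 and IPv6 upstreams at once as a sign of a local or path problem is an assumed heuristic, not a diagnosis.

```python
import re
from collections import Counter, defaultdict

# Six lines copied from the log excerpt in the post above.
SAMPLE = """\
Jun 02 04:28:19 unbound[3372:0] error: SERVFAIL <lh3.googleusercontent.com. AAAA IN>: all the configured stub or forward servers failed, at zone . from 2620:fe::fe upstream server timeout
Jun 02 04:28:19 unbound[3372:1] error: SERVFAIL <www.googleapis.com. HTTPS IN>: all the configured stub or forward servers failed, at zone . from 149.112.112.112 upstream server timeout
Jun 02 04:28:19 unbound[3372:0] error: SERVFAIL <people-pa.googleapis.com. AAAA IN>: all the configured stub or forward servers failed, at zone . from 9.9.9.9 upstream server timeout
Jun 02 09:35:27 unbound[3372:0] error: SERVFAIL <web.facebook.com. A IN>: all the configured stub or forward servers failed, at zone . no server to query nameserver addresses not usable have no nameserver names
Jun 02 09:35:27 unbound[3372:0] error: SERVFAIL <www.google.com. A IN>: all the configured stub or forward servers failed, at zone . from 149.112.112.112 upstream server timeout
Jun 02 09:54:50 unbound[3372:0] error: SERVFAIL <app-measurement.com. AAAA IN>: all the configured stub or forward servers failed, at zone . from 9.9.9.9 upstream server timeout
"""

# Timestamp, query name/type, optional "from <addr>", then Unbound's reason text.
LINE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) unbound\[\d+:\d+\] error: SERVFAIL "
    r"<(?P<qname>\S+) (?P<qtype>\S+) IN>: .*?, at zone \S+ "
    r"(?:from (?P<upstream>\S+) )?(?P<reason>.+)$"
)

def parse(line):
    """Return the fields of one SERVFAIL line, or None for any other line."""
    m = LINE.match(line.strip())
    return m.groupdict() if m else None

def summarize_bursts(text):
    """Group SERVFAILs into one-second buckets keyed by the log timestamp."""
    bursts = defaultdict(lambda: {"count": 0, "upstreams": set(), "reasons": Counter()})
    for line in text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        b = bursts[rec["ts"]]
        b["count"] += 1
        if rec["upstream"]:  # absent on "no server to query" lines
            b["upstreams"].add(rec["upstream"])
        b["reasons"][rec["reason"]] += 1
    return dict(bursts)

def hits_both_families(burst):
    """True when one burst names both IPv4 and IPv6 upstream addresses."""
    v6 = {a for a in burst["upstreams"] if ":" in a}
    return bool(v6) and bool(burst["upstreams"] - v6)

if __name__ == "__main__":
    for ts, b in summarize_bursts(SAMPLE).items():
        print(ts, b["count"], sorted(b["upstreams"]), dict(b["reasons"]), hits_both_families(b))
```

Run against the full journal, the same summary shows how long each burst lasts and whether the "no server to query" lines only appear after every forwarder has already timed out.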