There is a domain that will not resolve with Unbound, but will resolve when using a public DNS like Quad9 or Cloudflare.
The domain is common.iot.eic.lgthinq.com and I’ve had to redact/replace it from the below because of the limit for posting links, so used DOMAIN instead:
When doing a dig via Unbound it returns the following with a SERVFAIL error:
root@RPi4:~# dig @127.0.0.1 -p 5335 common.iot.eic.lgthinq.com
; <<>> DiG 9.18.19-1~deb12u1-Debian <<>> @127.0.0.1 -p 5335 common.iot.eic.lgthinq.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19843
;; flags: qr rd ra; QUERY: 1, ANSWER: 9, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;common.iot.eic.lgthinq.com. IN A
;; ANSWER SECTION:
common.iot.eic.lgthinq.com. 294 IN CNAME a3phael99lf879-ats.iot.eu-west-1.amazonaws.com.
a3phael99lf879-ats.iot.eu-west-1.amazonaws.com. 294 IN A 52.214.23.74
a3phael99lf879-ats.iot.eu-west-1.amazonaws.com. 294 IN A 34.243.162.196
a3phael99lf879-ats.iot.eu-west-1.amazonaws.com. 294 IN A 52.18.116.57
a3phael99lf879-ats.iot.eu-west-1.amazonaws.com. 294 IN A 34.243.233.231
a3phael99lf879-ats.iot.eu-west-1.amazonaws.com. 294 IN A 34.248.190.124
a3phael99lf879-ats.iot.eu-west-1.amazonaws.com. 294 IN A 52.215.13.216
a3phael99lf879-ats.iot.eu-west-1.amazonaws.com. 294 IN A 34.250.23.237
a3phael99lf879-ats.iot.eu-west-1.amazonaws.com. 294 IN A 34.250.80.10
;; Query time: 0 msec
;; SERVER: 127.0.0.1#5335(127.0.0.1) (UDP)
;; WHEN: Tue Dec 12 17:28:01 CET 2023
;; MSG SIZE rcvd: 240
Maybe some temporary problems for you, reaching the root name servers?
Is unbound up and running? systemctl status unbound.service
And can you check other domains with dig and unbound?
SERVFAIL doesn’t mean your Unbound has a problem.
Most of the time the problem lies on the authoritative server. This time the response is not secure. You can try to loosen up the Unbound settings for DNSSEC validation or create a selective forwarding if you really need this domain resolved. Even better, you can notify their DNS admins, although don’t hold your breath on that nor have high hopes.
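As an added illustration of the two options named in the reply above (not a configuration posted by anyone in this thread), an Unbound fragment that applies them only to the domain from the question; the forwarder address is an assumption based on the Quad9 resolver mentioned in the question:

```conf
# Added example: narrow the exception to the one name rather than
# turning off DNSSEC validation globally.
server:
    # Option 1: treat this name (and anything below it) as insecure,
    # so a broken or missing DNSSEC chain no longer produces SERVFAIL.
    domain-insecure: "common.iot.eic.lgthinq.com"

# Option 2: selective forwarding, only for this name, to a public
# resolver that answered correctly in the question (assumed: Quad9).
# Every other query is still resolved recursively from the roots.
forward-zone:
    name: "common.iot.eic.lgthinq.com"
    forward-addr: 9.9.9.9
```

Before applying either, confirm validation is really the cause by repeating the dig with `+cd` (checking disabled) against Unbound: if that returns an answer while the plain query gives SERVFAIL, the failure is in the DNSSEC chain. Then run `unbound-checkconf` and `unbound-control reload`, and keep `domain-insecure` to the single label you need rather than a parent zone.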
There are some cases on the web where Unbound stops resolving single domains. I had that once and simply removed Unbound and did a fresh install. Theoretically you could try to trace the request using tcpdump or enable debug on Unbound.
Maybe there was some stale cache for a decommissioned authoritative resolver. Or maybe the authoritative nameservers have strict access lists, although they shouldn’t. In the first case, clearing the cache can help; a reinstallation would have the same effect but it’s a bit overkill.