Domain not resolving in Unbound

There is a domain that will not resolve with Unbound, but will resolve when using a public DNS like Quad9 or Cloudflare.

The domain is common.iot.eic.lgthinq.com and I’ve had to redact/replace it in the output below because of the limit for posting links, so I used DOMAIN instead:

When doing a dig via Unbound it returns the following with a SERVFAIL error:

dietpi@dietpi:~$ dig DOMAIN @127.0.0.1 -p 5335

; <<>> DiG 9.18.19-1~deb12u1-Debian <<>> DOMAIN @127.0.0.1 -p 5335
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 5614
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;DOMAIN.    IN      A

;; Query time: 0 msec
;; SERVER: 127.0.0.1#5335(127.0.0.1) (UDP)
;; WHEN: Tue Dec 12 15:10:53 GMT 2023
;; MSG SIZE  rcvd: 55

If I ping it from the local resolver on the RPi (Quad9) it resolves successfully with NOERROR:

dietpi@dietpi:~$ dig DOMAIN

; <<>> DiG 9.18.19-1~deb12u1-Debian <<>> DOMAIN
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1895
;; flags: qr rd ra; QUERY: 1, ANSWER: 9, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;DOMAIN.    IN      A

;; ANSWER SECTION:
DOMAIN. 238 IN      CNAME   a3phael99lf879-ats.iot.eu-west-1.amazonaws.com.
AS ABOVE. 60 IN A 34.252.121.160
AS ABOVE. 60 IN A 52.17.75.135
AS ABOVE. 60 IN A 52.215.14.62
AS ABOVE. 60 IN A 52.19.16.182
AS ABOVE. 60 IN A 52.214.51.104
AS ABOVE. 60 IN A 52.51.141.162
AS ABOVE. 60 IN A 52.31.42.221
AS ABOVE. 60 IN A 52.31.156.180

;; Query time: 7 msec
;; SERVER: 9.9.9.9#53(9.9.9.9) (UDP)
;; WHEN: Tue Dec 12 15:10:24 GMT 2023
;; MSG SIZE  rcvd: 240

Hmm, works on my site:

root@RPi4:~# dig @127.0.0.1 -p 5335 common.iot.eic.lgthinq.com

; <<>> DiG 9.18.19-1~deb12u1-Debian <<>> @127.0.0.1 -p 5335 common.iot.eic.lgthinq.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19843
;; flags: qr rd ra; QUERY: 1, ANSWER: 9, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;common.iot.eic.lgthinq.com.    IN      A

;; ANSWER SECTION:
common.iot.eic.lgthinq.com. 294 IN      CNAME   a3phael99lf879-ats.iot.eu-west-1.amazonaws.com.
a3phael99lf879-ats.iot.eu-west-1.amazonaws.com. 294 IN A 52.214.23.74
a3phael99lf879-ats.iot.eu-west-1.amazonaws.com. 294 IN A 34.243.162.196
a3phael99lf879-ats.iot.eu-west-1.amazonaws.com. 294 IN A 52.18.116.57
a3phael99lf879-ats.iot.eu-west-1.amazonaws.com. 294 IN A 34.243.233.231
a3phael99lf879-ats.iot.eu-west-1.amazonaws.com. 294 IN A 34.248.190.124
a3phael99lf879-ats.iot.eu-west-1.amazonaws.com. 294 IN A 52.215.13.216
a3phael99lf879-ats.iot.eu-west-1.amazonaws.com. 294 IN A 34.250.23.237
a3phael99lf879-ats.iot.eu-west-1.amazonaws.com. 294 IN A 34.250.80.10

;; Query time: 0 msec
;; SERVER: 127.0.0.1#5335(127.0.0.1) (UDP)
;; WHEN: Tue Dec 12 17:28:01 CET 2023
;; MSG SIZE  rcvd: 240

Maybe some temporary problems for you, reaching the root name servers?
Is unbound up and running?
systemctl status unbound.service
And can you check other domains with dig and unbound?

Unbound is running:

dietpi@dietpi:~$ systemctl status unbound.service
● unbound.service - Unbound DNS server
Loaded: loaded (/lib/systemd/system/unbound.service; enabled; preset: enabled)
Drop-In: /etc/systemd/system/unbound.service.d
└─dietpi.conf
Active: active (running) since Mon 2023-12-11 11:05:49 GMT; 1 day 6h ago
Docs: man:unbound(8)
Main PID: 22269 (unbound)
Tasks: 4 (limit: 9293)
CPU: 44.482s
CGroup: /system.slice/unbound.service
└─22269 /usr/sbin/unbound -d -p

I can dig to other domains with no issue.

I use AdGuard Home as well, which returns a SERVFAIL (as it’s using Unbound).

But if I change the DNS for the client in AGH to a public DNS, it works… so the issue is definitely somewhere with Unbound…

Servfail doesn’t mean your unbound has a problem :smile:
Most of the time the problem lies on the authoritative server. This time the response is not secure. You can try to loosen up the unbound settings for DNSSEC validation or create a selective forwarding if you really need this domain resolved. Even better, you can notify their dns admins, although don’t hold your breath on that nor have high hopes. :roll_eyes:
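An added example (not from the thread) of how to check whether a SERVFAIL is a validation failure: repeat the query with +cd (checking disabled) and compare the rcodes. It assumes Unbound listening on 127.0.0.1:5335 as in the first post; the function names are my own.

```sh
#!/bin/sh
# Added example, not from the thread: tell a DNSSEC validation failure apart
# from an unreachable/broken upstream by repeating the query with +cd
# (checking disabled). Assumes Unbound on 127.0.0.1:5335 as in the thread.
RESOLVER="${RESOLVER:-127.0.0.1}"
PORT="${PORT:-5335}"

# rcode from dig's ';; ->>HEADER<<-' line, read from stdin.
dig_status() {
    sed -n 's/^;; ->>HEADER<<-.* status: \([A-Z]*\),.*/\1/p' | head -n 1
}

# header flags (qr rd ra ad cd ...) from dig output on stdin; 'ad' means
# Unbound validated the answer, 'cd' means we asked it not to.
dig_flags() {
    sed -n 's/^;; flags: \([a-z ]*\);.*/\1/p' | head -n 1
}

# Interpret the rcode of the normal query ($1) and the +cd query ($2).
classify() {
    case "$1/$2" in
        NOERROR/*)          echo "ok" ;;
        SERVFAIL/NOERROR)   echo "dnssec-validation-failure" ;;
        SERVFAIL/SERVFAIL)  echo "upstream-unreachable-or-lame" ;;
        *)                  echo "other:$1/$2" ;;
    esac
}

# Live check: both queries against the local Unbound (needs dig installed).
diagnose() {
    n=$(dig "$1" @"$RESOLVER" -p "$PORT" | dig_status)
    c=$(dig +cd "$1" @"$RESOLVER" -p "$PORT" | dig_status)
    echo "$1: normal=$n cd=$c -> $(classify "$n" "$c")"
}

# Offline demo on constructed header lines (shape copied from the thread's
# SERVFAIL answer) so the parsing can be exercised without network access.
demo_offline() {
    sample=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 5614
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'
    s=$(printf '%s\n' "$sample" | dig_status)
    printf 'sample rcode=%s flags="%s" -> %s\n' "$s" \
        "$(printf '%s\n' "$sample" | dig_flags)" "$(classify "$s" NOERROR)"
}

if [ -n "${1:-}" ]; then diagnose "$1"; else demo_offline; fi
```

If the +cd query answers NOERROR while the plain one fails, the data is reachable and it is validation that rejects it; if both fail, validation is not the cause and the authoritative side (or the path to it) needs looking at.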

That’s helpful - thanks.

Why is it resolvable for some other people with Unbound but not for me?

There are some cases on the web where Unbound stops resolving single domains. I had that once and simply removed Unbound and did a fresh install. Theoretically you could try to trace the request using tcpdump or enable debug on Unbound.

Maybe there was some stale cache for a decommissioned authoritative resolver. Or maybe the authoritative nameservers have strict access list, although they shouldn’t. In the first case, clearing the cache can help, a reinstallation would have the same effect but it’s a bit overkill.

How would I achieve either of these options?

Do I need to make changes or add entries to the Unbound config file?

To completely clear Unbound’s DNS cache you can do

unbound-control flush_zone .

The other problems with the servers are outside of your influence.
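For the two targeted fixes mentioned earlier in the thread (loosening validation for one name, or forwarding just that name), an added unbound.conf fragment as an example, not from the thread or from DietPi; the drop-in path is assumed:

```conf
# /etc/unbound/unbound.conf.d/lgthinq.conf   (assumed path; adjust to your layout)
server:
    # Skip DNSSEC validation for this one name only, instead of resolver-wide.
    # Answers for it are then no longer checked, so use this only once a
    # "dig +cd" comparison has shown that validation is what fails.
    domain-insecure: "common.iot.eic.lgthinq.com"

# Alternatively hand just this name to the public resolver that answered in
# the first post, for the case where iterative resolution of the authoritative
# servers is what breaks; everything else still goes to the root servers.
forward-zone:
    name: "common.iot.eic.lgthinq.com"
    forward-addr: 9.9.9.9
```

Validate with unbound-checkconf and apply with unbound-control reload; the forward-zone on its own does not help when validation is the failing step, since Unbound still validates forwarded answers.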


Hey
I’m upping this post because I’ve found the same issue with two domains

https://sueletricidade.pt and https://www.parcl.co

any solution?

Another one: About us – Revolution.eu

Not sure if we can do anything on this. Might be good if you ask the Unbound guys in parallel.