DNSSEC fails sometimes

Hello!

It's my first time posting here and I've looked for a solution to my "specific" problem for a few weeks already (here and elsewhere) and I never found it. I bought a Raspberry Pi 5 a few weeks back when I learned about making my own DNS.

Following the guides from docs.pi-hole.net, I configured all services. I've setup Pi-Hole, WireGuard and unbound. Everything works, BUT for a single "problem". I'm well versed in computers, but I lack knowledge in Linux.

That single problem is when I run dig fail01.dnssec.works @127.0.0.1 -p 5335, I receive a "communications error". The thing is, it's not happening every time. It's only happening sometimes...

As you can see below, I ran the command back to back and it failed first and then it was successful.

user@raspberry:~ $ dig fail01.dnssec.works @127.0.0.1 -p 5335
;; communications error to 127.0.0.1#5335: timed out
;; communications error to 127.0.0.1#5335: timed out
;; communications error to 127.0.0.1#5335: timed out

; <<>> DiG 9.18.24-1-Debian <<>> fail01.dnssec.works @127.0.0.1 -p 5335
;; global options: +cmd
;; no servers could be reached

user@raspberry:~ $ dig fail01.dnssec.works @127.0.0.1 -p 5335

; <<>> DiG 9.18.24-1-Debian <<>> fail01.dnssec.works @127.0.0.1 -p 5335
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 46764
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;fail01.dnssec.works.           IN      A

;; Query time: 0 msec
;; SERVER: 127.0.0.1#5335(127.0.0.1) (UDP)
;; WHEN: Mon Jun 24 18:24:53 EDT 2024
;; MSG SIZE  rcvd: 48

Here are a few things I think could help.

unbound config

unbound-checkconf
unbound-checkconf: no errors in /etc/unbound/unbound.conf

hosts content

cat /etc/hosts
127.0.0.1 localhost
#::1 localhost ip6-localhost ip6-loopback
#ff02::1 ip6-allnodes
#ff02::2 ip6-allrouters

127.0.1.1 raspberry

Here's my debug token: https://tricorder.pi-hole.net/d15BB0BG/

Don't hesitate to ask me to run a few commands to help you.

Thank you very much for your help!

Note that the syntax for dig uses a @ before the server, ie

dig fail01.dnssec.works @127.0.0.1 -p 5335

That said, I also have intermittent results from that server (example from March). It will often time out the first time and then work (as in SERVFAIL as expected) the second time. I set up Pi-hole and Unbound for a couple of friends and saw the same behaviour on their setups too.
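To make the "first run times out, second run SERVFAILs as expected" pattern easy to see, here is an added helper script (not from the thread or from Pi-hole/Unbound) that runs dig repeatedly against the thread's 127.0.0.1:5335 and classifies each run. The sample outputs embedded at the bottom are constructed from the shape of the dig output above so the classifier can be checked offline; the function and variable names are my own.

```shell
#!/bin/sh
# Classify the output of one dig run (read from stdin) by what the resolver did:
# SERVFAIL  - answer received with SERVFAIL (what a validating resolver must
#             return for fail01.dnssec.works, whose signatures are deliberately bad)
# VALIDATED - NOERROR with the AD flag set (answer was DNSSEC-validated)
# INSECURE  - NOERROR without AD (unsigned zone, or validation is not enabled)
# NXDOMAIN  - name does not exist
# TIMEOUT   - dig gave up ("no servers could be reached"), the symptom in this thread
classify_dig_output() {
    out=$(cat)
    # pull the token list out of the ";; flags: qr rd ra ad; QUERY: ..." line
    flags=$(printf '%s\n' "$out" | sed -n 's/^;; flags: \([^;]*\);.*/\1/p')
    case "$out" in
        *"status: SERVFAIL"*) echo SERVFAIL ;;
        *"status: NXDOMAIN"*) echo NXDOMAIN ;;
        *"status: NOERROR"*)
            case " $flags " in
                *" ad "*) echo VALIDATED ;;
                *)        echo INSECURE ;;
            esac ;;
        *"no servers could be reached"*) echo TIMEOUT ;;
        *) echo OTHER ;;
    esac
}

# Query the resolver N times back to back and print one verdict per run, so an
# intermittent first-run TIMEOUT followed by the expected SERVFAIL stands out.
# Server and port default to the thread's 127.0.0.1:5335; run this on the Pi itself.
probe_unbound() {
    name=$1; runs=${2:-5}; server=${3:-127.0.0.1}; port=${4:-5335}
    i=1
    while [ "$i" -le "$runs" ]; do
        verdict=$(dig "$name" "@$server" -p "$port" +time=2 +tries=1 2>&1 | classify_dig_output)
        echo "run $i: $name -> $verdict"
        i=$((i + 1))
    done
}

# Constructed samples (abridged dig output shaped like the thread's) for offline checks.
SAMPLE_TIMEOUT=';; communications error to 127.0.0.1#5335: timed out
;; no servers could be reached'
SAMPLE_SERVFAIL=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 46764
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_VALIDATED=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1234
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'

# Usage on the Pi:  probe_unbound fail01.dnssec.works 5
# A healthy validating Unbound answers SERVFAIL on every run; a TIMEOUT on the
# first run only, as reported above, points at the resolver being slow to answer
# rather than at validation being broken.
```

Any NOERROR verdict for fail01.dnssec.works would mean validation is not happening at all, which is the failure worth chasing.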

Thanks for your answer!

Yes, I know. When I added the @ before the IP, I couldn't post because, as a new user, I got the message that I "can't tag users".

Oh my! I've been scratching my head trying to find the cause of this and there were no problems at all! Thank you! You made my day!

You need to put the command inside a code block, like

  • this: dig @127.0.0.1 domain.com or
  • this: @Majesty00 (this won't trigger the mention plugin)

Type the command inside backticks (`), or select the command and press CTRL+E

Thanks! I fixed my main topic with code blocks.
