Pi-hole unbound servfail

Installed unbound, working great; however, I receive a DNS_PROBE_FINISHED_NXDOMAIN error when browsing to github.com. All other sites work fine.

Linux Ubuntu 18.04

installed unbound

Unbound can resolve other domains but not this particular domain?

Yes all other domains are resolved just not github.com

That domain is resolving correctly through my unbound instance:
$  dig github.com @127.0.1.1 -p 5335

; <<>> DiG 9.11.5-P4-5.1+deb10u3-Debian <<>> github.com @127.0.1.1 -p 5335
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14069
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1472
;; QUESTION SECTION:
;github.com.                    IN      A

;; ANSWER SECTION:
github.com.             60      IN      A       140.82.121.3

;; Query time: 41 msec
;; SERVER: 127.0.1.1#5335(127.0.1.1)
;; WHEN: Wed May 12 08:54:31 CEST 2021
;; MSG SIZE  rcvd: 55

It is not uncommon to observe SERVFAILs every now and then, see also my older, more detailed reply in MS Teams gets no presence status for contacts - #6 by Bucking_Horn.

What does the unbound log show?

Maybe the below helps a bit in understanding what's happening when resolving recursively, as unbound is set up to do, and helps to diagnose.
If you enable unbound remote control by creating the additional config file below:

sudo tee /etc/unbound/unbound.conf.d/remote-control.conf <<< $'remote-control:\n control-enable: yes'

Check syntax:

unbound-checkconf

And reload to apply:

sudo service unbound reload

You're able to see which DNS server(s) are going to be called upon by unbound to resolve, for example, github.com:

pi@ph5b:~ $ sudo unbound-control lookup github.com
The following name servers are used for lookup of github.com.
;rrset 581 13 0 2 0
com.    581     IN      NS      a.gtld-servers.net.
com.    581     IN      NS      b.gtld-servers.net.
com.    581     IN      NS      c.gtld-servers.net.
com.    581     IN      NS      d.gtld-servers.net.
com.    581     IN      NS      e.gtld-servers.net.
com.    581     IN      NS      f.gtld-servers.net.
com.    581     IN      NS      g.gtld-servers.net.
com.    581     IN      NS      h.gtld-servers.net.
com.    581     IN      NS      i.gtld-servers.net.
com.    581     IN      NS      j.gtld-servers.net.
com.    581     IN      NS      k.gtld-servers.net.
com.    581     IN      NS      l.gtld-servers.net.
com.    581     IN      NS      m.gtld-servers.net.
;rrset 581 1 1 11 5
com.    581     IN      DS      30909 8 2 E2D3C916F6DEEAC73294E8268FB5885044A833FC5459588F4A9184CFC41A5766
com.    581     IN      RRSIG   DS 8 1 86400 20210524050000 20210511040000 14631 . pK9YpC5gVf/m6S5Q7Gr4kiJzhiBe0N6YP7eS/jQQWXKb7ANyjLGL+QSAdkgza/tBs7LdCId5iEjKKcoIM3Y8Pub2LTVX7wvsHNg7CgGobYj8QlKrVo0PJiwoV636aPWWtWDC/Aqs35R9CyJ4IjCGH4Kr8brHmJapjK8CVig7q218JCPvvgeMJ3dQ3NCnMtN0ZDzevIRHvCQ1G0Vohr4PvlgWZ8xW3aDe4tDcloH5cjED4Bnuckf3LK9ND50GdBdLbrTUs6/OsJR2CgvCzf615rLDK2B+DmjgRw6VrPmsmwnROkAX84YaeCcmVRTzSvS4gFXiHE2qAb0ipIEih7fiow== ;{id = 14631}
;rrset 581 1 0 1 0
m.gtld-servers.net.     581     IN      A       192.55.83.30
;rrset 581 1 0 1 0
m.gtld-servers.net.     581     IN      AAAA    2001:501:b1f9::30
;rrset 581 1 0 1 0
l.gtld-servers.net.     581     IN      A       192.41.162.30
;rrset 581 1 0 1 0
l.gtld-servers.net.     581     IN      AAAA    2001:500:d937::30
;rrset 581 1 0 1 0
k.gtld-servers.net.     581     IN      A       192.52.178.30
;rrset 581 1 0 1 0
k.gtld-servers.net.     581     IN      AAAA    2001:503:d2d::30
;rrset 581 1 0 1 0
j.gtld-servers.net.     581     IN      A       192.48.79.30
;rrset 581 1 0 1 0
j.gtld-servers.net.     581     IN      AAAA    2001:502:7094::30
;rrset 581 1 0 1 0
i.gtld-servers.net.     581     IN      A       192.43.172.30
;rrset 581 1 0 1 0
i.gtld-servers.net.     581     IN      AAAA    2001:503:39c1::30
;rrset 581 1 0 1 0
h.gtld-servers.net.     581     IN      A       192.54.112.30
;rrset 581 1 0 1 0
h.gtld-servers.net.     581     IN      AAAA    2001:502:8cc::30
;rrset 581 1 0 1 0
g.gtld-servers.net.     581     IN      A       192.42.93.30
;rrset 581 1 0 1 0
g.gtld-servers.net.     581     IN      AAAA    2001:503:eea3::30
;rrset 581 1 0 1 0
f.gtld-servers.net.     581     IN      A       192.35.51.30
;rrset 581 1 0 1 0
f.gtld-servers.net.     581     IN      AAAA    2001:503:d414::30
;rrset 581 1 0 1 0
e.gtld-servers.net.     581     IN      A       192.12.94.30
;rrset 581 1 0 1 0
e.gtld-servers.net.     581     IN      AAAA    2001:502:1ca1::30
;rrset 581 1 0 1 0
d.gtld-servers.net.     581     IN      A       192.31.80.30
;rrset 581 1 0 1 0
d.gtld-servers.net.     581     IN      AAAA    2001:500:856e::30
;rrset 581 1 0 1 0
c.gtld-servers.net.     581     IN      A       192.26.92.30
;rrset 581 1 0 1 0
c.gtld-servers.net.     581     IN      AAAA    2001:503:83eb::30
;rrset 581 1 0 1 0
b.gtld-servers.net.     581     IN      A       192.33.14.30
;rrset 581 1 0 1 0
b.gtld-servers.net.     581     IN      AAAA    2001:503:231d::2:30
;rrset 581 1 0 1 0
a.gtld-servers.net.     581     IN      A       192.5.6.30
;rrset 581 1 0 1 0
a.gtld-servers.net.     581     IN      AAAA    2001:503:a83e::2:30
Delegation with 13 names, of which 0 can be examined to query further addresses.
It provides 26 IP addresses.
2001:503:a83e::2:30     not in infra cache.
192.5.6.30              expired, rto 187184 msec, tA 0 tAAAA 0 tother 0.
2001:503:231d::2:30     not in infra cache.
192.33.14.30            expired, rto 187184 msec, tA 0 tAAAA 0 tother 0.
2001:503:83eb::30       not in infra cache.
192.26.92.30            expired, rto 187184 msec, tA 0 tAAAA 0 tother 0.
2001:500:856e::30       not in infra cache.
192.31.80.30            expired, rto 187184 msec, tA 0 tAAAA 0 tother 0.
2001:502:1ca1::30       not in infra cache.
192.12.94.30            expired, rto 187184 msec, tA 0 tAAAA 0 tother 0.
2001:503:d414::30       not in infra cache.
192.35.51.30            expired, rto 187184 msec, tA 0 tAAAA 0 tother 0.
2001:503:eea3::30       not in infra cache.
192.42.93.30            expired, rto 187184 msec, tA 0 tAAAA 0 tother 0.
2001:502:8cc::30        not in infra cache.
192.54.112.30           expired, rto 187184 msec, tA 0 tAAAA 0 tother 0.
2001:503:39c1::30       not in infra cache.
192.43.172.30           expired, rto 187184 msec, tA 0 tAAAA 0 tother 0.
2001:502:7094::30       not in infra cache.
192.48.79.30            expired, rto 187184 msec, tA 0 tAAAA 0 tother 0.
2001:503:d2d::30        not in infra cache.
192.52.178.30           rto 302 msec, ttl 762, ping 2 var 75 rtt 302, tA 0, tAAAA 0, tother 0, EDNS 0 probed.
2001:500:d937::30       not in infra cache.
192.41.162.30           not in infra cache.
2001:501:b1f9::30       not in infra cache.
192.55.83.30            not in infra cache.

unbound is going to ask one of them who the authoritative nameserver(s) are for github.com:

pi@ph5b:~ $ dig +noall +authority @192.55.83.30 ns github.com.
github.com.             172800  IN      NS      ns-520.awsdns-01.net.
github.com.             172800  IN      NS      ns-421.awsdns-52.com.
github.com.             172800  IN      NS      ns-1707.awsdns-21.co.uk.
github.com.             172800  IN      NS      ns-1283.awsdns-32.org.
github.com.             172800  IN      NS      dns1.p08.nsone.net.
github.com.             172800  IN      NS      dns2.p08.nsone.net.
github.com.             172800  IN      NS      dns3.p08.nsone.net.
github.com.             172800  IN      NS      dns4.p08.nsone.net.

Next, suppose an A record needs to be resolved, unbound is going to ask one of them for the final answer:

pi@ph5b:~ $ dig +noall +answer @ns-520.awsdns-01.net. a github.com
github.com.             60      IN      A       140.82.121.4

Hope this can narrow the field a bit.

Not sure why, but my unbound is not logging.

Did the above steps and these are my results.

The following name servers are used for lookup of github.com.
;rrset 549 13 1 5 0
com.    549     IN      NS      i.gtld-servers.net.
com.    549     IN      NS      c.gtld-servers.net.
com.    549     IN      NS      d.gtld-servers.net.
com.    549     IN      NS      f.gtld-servers.net.
com.    549     IN      NS      l.gtld-servers.net.
com.    549     IN      NS      k.gtld-servers.net.
com.    549     IN      NS      m.gtld-servers.net.
com.    549     IN      NS      a.gtld-servers.net.
com.    549     IN      NS      g.gtld-servers.net.
com.    549     IN      NS      h.gtld-servers.net.
com.    549     IN      NS      j.gtld-servers.net.
com.    549     IN      NS      e.gtld-servers.net.
com.    549     IN      NS      b.gtld-servers.net.
com.    549     IN      RRSIG   NS 8 1 172800 20210516042406 20210509031406 54714 com. rq4GGd+7VBrnTg8dVisKZdVgScFLKdXv8KowpnIcJ0NfTvyHm5i+pmozP58ywXNK8zi4HpvhAcPlp02YWC5IIfUkn4aYpGJHrzGGSc8OGRyMikPIemN0U55GDD6uVHiaO54h1HN96tsTr00htOm2Z4pPUHzitcdWMx8v4LashL4C3SmZAM7symKqvvae0s8W6mDPuvHJAlDL5V27tjemvg== ;{id = 54714}
;rrset 453 1 1 11 4
com.    453     IN      DS      30909 8 2 E2D3C916F6DEEAC73294E8268FB5885044A833FC5459588F4A9184CFC41A5766
com.    453     IN      RRSIG   DS 8 1 86400 20210525050000 20210512040000 14631 . o/c7cxcT52FCuNwXAfz86Rl8WZjWmmEXScBCCe4oa04PpCoJYvipYkee7JWqj9n0GfQF6giHRQpky2D3W+Vv/ntjO375NOlosl4c7oP88Sw3AUHE50gv24aDoWq3D53RpkEzfCsWm/F1LDB40qSx+VkGXY2FiJKJY031B+U3nWwb0lMRFYfckb7KL9mn+A4c6vimle/XTdIOIW3RpEFIfX05rK1Za4cw8qv7p/9SJ+YLI3codzVrpVDOHQmygLMiF2hAx5z2DD9i2Y/ILLxACqDklHSeFN4iyoEGQwFvHEIOxvPBIRPmb8WkjI2W99OIEBMl43fZi0VrI/RL/ZGq6A== ;{id = 14631}
;rrset 549 1 0 5 0
b.gtld-servers.net.     549     IN      A       192.33.14.30
;rrset 453 1 0 1 0
b.gtld-servers.net.     453     IN      AAAA    2001:503:231d::2:30
;rrset 549 1 0 5 0
e.gtld-servers.net.     549     IN      A       192.12.94.30
;rrset 453 1 0 1 0
e.gtld-servers.net.     453     IN      AAAA    2001:502:1ca1::30
;rrset 549 1 0 5 0
j.gtld-servers.net.     549     IN      A       192.48.79.30
;rrset 453 1 0 1 0
j.gtld-servers.net.     453     IN      AAAA    2001:502:7094::30
;rrset 549 1 0 5 0
h.gtld-servers.net.     549     IN      A       192.54.112.30
;rrset 453 1 0 1 0
h.gtld-servers.net.     453     IN      AAAA    2001:502:8cc::30
;rrset 549 1 0 5 0
g.gtld-servers.net.     549     IN      A       192.42.93.30
;rrset 453 1 0 1 0
g.gtld-servers.net.     453     IN      AAAA    2001:503:eea3::30
;rrset 549 1 0 5 0
a.gtld-servers.net.     549     IN      A       192.5.6.30
;rrset 453 1 0 1 0
a.gtld-servers.net.     453     IN      AAAA    2001:503:a83e::2:30
;rrset 549 1 0 5 0
m.gtld-servers.net.     549     IN      A       192.55.83.30
;rrset 453 1 0 1 0
m.gtld-servers.net.     453     IN      AAAA    2001:501:b1f9::30
;rrset 549 1 0 5 0
k.gtld-servers.net.     549     IN      A       192.52.178.30
;rrset 453 1 0 1 0
k.gtld-servers.net.     453     IN      AAAA    2001:503:d2d::30
;rrset 549 1 0 5 0
l.gtld-servers.net.     549     IN      A       192.41.162.30
;rrset 453 1 0 1 0
l.gtld-servers.net.     453     IN      AAAA    2001:500:d937::30
;rrset 549 1 0 5 0
f.gtld-servers.net.     549     IN      A       192.35.51.30
;rrset 453 1 0 1 0
f.gtld-servers.net.     453     IN      AAAA    2001:503:d414::30
;rrset 549 1 0 5 0
d.gtld-servers.net.     549     IN      A       192.31.80.30
;rrset 453 1 0 1 0
d.gtld-servers.net.     453     IN      AAAA    2001:500:856e::30
;rrset 549 1 0 5 0
c.gtld-servers.net.     549     IN      A       192.26.92.30
;rrset 453 1 0 1 0
c.gtld-servers.net.     453     IN      AAAA    2001:503:83eb::30
;rrset 549 1 0 5 0
i.gtld-servers.net.     549     IN      A       192.43.172.30
;rrset 453 1 0 1 0
i.gtld-servers.net.     453     IN      AAAA    2001:503:39c1::30
Delegation with 13 names, of which 0 can be examined to query further addresses.
It provides 26 IP addresses.
2001:503:39c1::30       not in infra cache.
192.43.172.30           NoAuthButRecursive rto 230 msec, ttl 623, ping 58 var 43 rtt 230, tA 0, tAAAA 0, tother 0, EDNS 0 probed.
2001:503:83eb::30       not in infra cache.
192.26.92.30            NoAuthButRecursive rto 188 msec, ttl 623, ping 48 var 35 rtt 188, tA 0, tAAAA 0, tother 0, EDNS 0 probed.
2001:500:856e::30       not in infra cache.
192.31.80.30            NoAuthButRecursive rto 160 msec, ttl 623, ping 28 var 33 rtt 160, tA 0, tAAAA 0, tother 0, EDNS 0 probed.
2001:503:d414::30       not in infra cache.
192.35.51.30            NoAuthButRecursive rto 150 msec, ttl 623, ping 42 var 27 rtt 150, tA 0, tAAAA 0, tother 0, EDNS 0 probed.
2001:500:d937::30       not in infra cache.
192.41.162.30           NoAuthButRecursive rto 240 msec, ttl 623, ping 56 var 46 rtt 240, tA 0, tAAAA 0, tother 0, EDNS 0 probed.
2001:503:d2d::30        not in infra cache.
192.52.178.30           NoAuthButRecursive rto 226 msec, ttl 623, ping 54 var 43 rtt 226, tA 0, tAAAA 0, tother 0, EDNS 0 probed.
2001:501:b1f9::30       not in infra cache.
192.55.83.30            NoAuthButRecursive rto 145 msec, ttl 623, ping 45 var 25 rtt 145, tA 0, tAAAA 0, tother 0, EDNS 0 probed.
2001:503:a83e::2:30     not in infra cache.
192.5.6.30              NoAuthButRecursive rto 76 msec, ttl 623, ping 32 var 11 rtt 76, tA 0, tAAAA 0, tother 0, EDNS 0 probed.
2001:503:eea3::30       not in infra cache.
192.42.93.30            NoAuthButRecursive rto 184 msec, ttl 623, ping 52 var 33 rtt 184, tA 0, tAAAA 0, tother 0, EDNS 0 probed.
2001:502:8cc::30        not in infra cache.
192.54.112.30           NoAuthButRecursive rto 194 msec, ttl 623, ping 50 var 36 rtt 194, tA 0, tAAAA 0, tother 0, EDNS 0 probed.
2001:502:7094::30       not in infra cache.
192.48.79.30            NoAuthButRecursive rto 500 msec, ttl 623, ping 38 var 53 rtt 250, tA 1, tAAAA 0, tother 0, EDNS 0 probed.
2001:502:1ca1::30       not in infra cache.
192.12.94.30            NoAuthButRecursive rto 157 msec, ttl 623, ping 49 var 27 rtt 157, tA 0, tAAAA 0, tother 0, EDNS 0 probed.
2001:503:231d::2:30     not in infra cache.
192.33.14.30            NoAuthButRecursive rto 137 msec, ttl 623, ping 45 var 23 rtt 137, tA 0, tAAAA 0, tother 0, EDNS 0 probed.
dig +noall +authority @192.55.83.30 ns github.com
nominum.cloud.          199     IN      SOA     ns4.nominum.net. hostmaster.nominum.com. 2020042997 1200 600 604800 900

dig +noall +answer @ns-520.awsdns-01.net. a github.com
github.com.             600     IN      A       74.121.125.9
github.com.             600     IN      A       74.121.125.8

That's an old Parental Filtering service.

Hmmm... I wonder where that is coming from, maybe my internet provider. Let me see if that might be it and I will let you know.

Finally got my logging working. This is what it shows.

[1620941718] unbound[49323:0] info: finishing processing for github.com. DS IN
[1620941718] unbound[49323:0] debug: validator[module 1] operate: extstate:module_wait_module event:module_event_moddone
[1620941718] unbound[49323:0] info: validator operate: query github.com. DS IN
[1620941718] unbound[49323:0] debug: subnet[module 0] operate: extstate:module_wait_module event:module_event_moddone
[1620941718] unbound[49323:0] info: subnet operate: query github.com. DS IN
[1620941718] unbound[49323:0] debug: validator[module 1] operate: extstate:module_wait_subquery event:module_event_pass
[1620941718] unbound[49323:0] info: validator operate: query github.com. A IN
[1620941718] unbound[49323:0] info: Could not establish a chain of trust to keys for github.com. DNSKEY IN
[1620941718] unbound[49323:0] debug: subnet[module 0] operate: extstate:module_wait_module event:module_event_moddone
[1620941718] unbound[49323:0] info: subnet operate: query github.com. A IN
[1620941718] unbound[49323:0] debug: cache memory msg=105107 rrset=123966 infra=17208 val=73135 subnet=74488


That's correct, github.com is not signed for DNSSEC.

There should be a whole lot more after that.

Something is intercepting your queries; these are the servers that you should be seeing for the NS list. They are the same ones that deHakkelaar has shown.

https://dnstools.ws/traversal/github.com/NS/

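The two unbound-control lookup outputs in this thread differ in one telling detail: in the first (healthy) run the .com gTLD addresses are either "not in infra cache" or carry plain timing data, while in the second run every one of them is marked NoAuthButRecursive, which is the mark unbound puts on a server that answered without the AA bit but with RA set, in other words a recursive resolver answering in place of the authoritative .com server. The matching dig query to 192.55.83.30 returned a SOA for nominum.cloud instead of the NS delegation for github.com. The script below is an added example, not code from the thread, from Pi-hole or from unbound; it parses both kinds of output offline and turns those two signs into a verdict. The sample texts are copied (abridged) from the outputs posted above, except REFERRAL_HEADER, which is a constructed dig header showing what a normal gTLD referral looks like (RD set by dig, no RA, no AA).

```python
import re
from typing import List, Tuple

# Sample inputs: copied (abridged) from the unbound-control / dig outputs in this thread.
HEALTHY_LOOKUP = """\
Delegation with 13 names, of which 0 can be examined to query further addresses.
It provides 26 IP addresses.
2001:503:a83e::2:30     not in infra cache.
192.5.6.30              expired, rto 187184 msec, tA 0 tAAAA 0 tother 0.
192.52.178.30           rto 302 msec, ttl 762, ping 2 var 75 rtt 302, tA 0, tAAAA 0, tother 0, EDNS 0 probed.
"""
INTERCEPTED_LOOKUP = """\
Delegation with 13 names, of which 0 can be examined to query further addresses.
It provides 26 IP addresses.
2001:503:39c1::30       not in infra cache.
192.43.172.30           NoAuthButRecursive rto 230 msec, ttl 623, ping 58 var 43 rtt 230, tA 0, tAAAA 0, tother 0, EDNS 0 probed.
192.26.92.30            NoAuthButRecursive rto 188 msec, ttl 623, ping 48 var 35 rtt 188, tA 0, tAAAA 0, tother 0, EDNS 0 probed.
"""
HEALTHY_AUTHORITY = """\
github.com.             172800  IN      NS      ns-520.awsdns-01.net.
github.com.             172800  IN      NS      ns-421.awsdns-52.com.
"""
HIJACKED_AUTHORITY = """\
nominum.cloud.          199     IN      SOA     ns4.nominum.net. hostmaster.nominum.com. 2020042997 1200 600 604800 900
"""
# Header copied from the healthy dig against unbound itself (RA is expected from a recursor).
UNBOUND_HEADER = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14069
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
"""
# Constructed (not from the thread): a normal referral from a gTLD server, no RA and no AA.
REFERRAL_HEADER = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 8, ADDITIONAL: 17
"""

INFRA_LINE = re.compile(r"^(\S+)\s+(.*)$")
RR_LINE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(.*)$")
STATUS_RE = re.compile(r"status:\s*(\w+)")
FLAGS_RE = re.compile(r";; flags:\s*([^;]*);")


def lame_servers(lookup_output: str) -> List[str]:
    """Addresses that `unbound-control lookup` marked NoAuthButRecursive.
    A .com gTLD server should never carry this mark; when all of them do,
    something on the path is answering in their place."""
    flagged = []
    for line in lookup_output.splitlines():
        m = INFRA_LINE.match(line)
        if m and "NoAuthButRecursive" in m.group(2):
            flagged.append(m.group(1))
    return flagged


def check_delegation(qname: str, authority_output: str) -> Tuple[List[str], List[str]]:
    """Parse `dig +noall +authority @<gtld-server> ns <qname>` output.
    Returns (NS targets owned by qname, records owned by anything else)."""
    qname = qname.rstrip(".").lower() + "."
    ns, foreign = [], []
    for line in authority_output.splitlines():
        m = RR_LINE.match(line.strip())
        if not m:
            continue
        owner, _ttl, rtype, rdata = m.groups()
        if owner.lower() == qname and rtype == "NS":
            ns.append(rdata.strip().lower())
        else:
            foreign.append(f"{owner} {rtype} {rdata.strip()}")
    return ns, foreign


def parse_dig_header(dig_output: str) -> Tuple[str, List[str]]:
    """Return (rcode, flag list) from full dig output, e.g. ('NOERROR', ['qr', 'rd', 'ra'])."""
    status = STATUS_RE.search(dig_output)
    flags = FLAGS_RE.search(dig_output)
    return (status.group(1) if status else "", flags.group(1).split() if flags else [])


def referral_offers_recursion(dig_output: str) -> bool:
    """True when a reply that should be an authoritative referral sets RA without AA,
    the on-the-wire condition behind unbound's NoAuthButRecursive mark."""
    _rcode, flags = parse_dig_header(dig_output)
    return "ra" in flags and "aa" not in flags


def diagnose(qname: str, lookup_output: str, authority_output: str) -> Tuple[str, List[str]]:
    """Combine both checks into a verdict ('ok' or 'intercepted') plus the reasons."""
    reasons = []
    lame = lame_servers(lookup_output)
    if lame:
        reasons.append(f"{len(lame)} gTLD address(es) marked NoAuthButRecursive: {', '.join(lame)}")
    ns, foreign = check_delegation(qname, authority_output)
    if not ns:
        reasons.append(f"no NS delegation for {qname} in the authority section")
    for rec in foreign:
        reasons.append(f"unexpected record from gTLD server: {rec}")
    return ("intercepted" if reasons else "ok"), reasons


if __name__ == "__main__":
    for label, lk, au in (("healthy", HEALTHY_LOOKUP, HEALTHY_AUTHORITY),
                          ("intercepted", INTERCEPTED_LOOKUP, HIJACKED_AUTHORITY)):
        verdict, why = diagnose("github.com", lk, au)
        print(f"{label}: {verdict}")
        for r in why:
            print("  -", r)
```

To use it against a live box, paste the output of `sudo unbound-control lookup <name>` and of `dig +noall +authority @192.5.6.30 ns <name>` into the two strings; keep `+noall` off, or add `+comments`, if you also want `parse_dig_header` to see the status and flags line.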
Found the problem. So apparently my Business ISP uses SecurityEdge. Logged in and turned off web filtering and it worked. The odd thing is that github is listed under "Computer & Technology", which is allowed, but it blocks it anyway. So I added it to the allow list and it worked. The weird thing is I run this command, dig +noall +authority @192.55.83.30 ns github.com., and it does not display as shown above. It just gives me a blank response.

@pihole1:~$ dig +noall +authority @192.55.83.30 ns github.com.
@pihole1:~$

Try dig +authority @192.55.83.30 ns github.com. and dig @192.55.83.30 ns github.com.

See if either of those comes back and has a status section in the HEADER.

I figured it out; I just removed +noall and I was able to get the same results. Thanks!

Aha so the NS records got high jacked.
Sweet you got it working!

Yeah, I shouldn't have done the +noall thingy.
You can check those [no]... arguments on the man page:

man dig

For everything a first :wink:

EDIT: "hijacked" oc :smiley:

Yeah, they were being hijacked by my Business ISP... Web Filtering by Comcast Business. Even though github is listed as safe by their web filter, it still blocked it... Glad I got it working. Thanks for your help, deHakkelaar!
