Installed unbound working great however I receive DNS_PROBE_FINISHED_NXDOMAIN error when browsing to github.com. All other sites work fine.
Linux Ubuntu 18.04
installed unbound
Unbound can resolve other domains but not this particular domain?
Yes all other domains are resolved just not github.com
$ dig github.com @127.0.1.1 -p 5335
; <<>> DiG 9.11.5-P4-5.1+deb10u3-Debian <<>> github.com @127.0.1.1 -p 5335
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14069
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1472
;; QUESTION SECTION:
;github.com. IN A
;; ANSWER SECTION:
github.com. 60 IN A 140.82.121.3
;; Query time: 41 msec
;; SERVER: 127.0.1.1#5335(127.0.1.1)
;; WHEN: Wed May 12 08:54:31 CEST 2021
;; MSG SIZE rcvd: 55
It is not uncommon to observe SERVFAILs every now and then, see also my older, more detailed reply in MS Teams gets no presence status for contacts - #6 by Bucking_Horn.
What does the unbound log show?
Maybe below helps a bit understanding what's happening when resolving recursively like unbound is set up to do and help to diagnose.
If you enable unbound remote control by creating below additional config file:
sudo tee /etc/unbound/unbound.conf.d/remote-control.conf <<< $'remote-control:\n control-enable: yes'
Check syntax:
unbound-checkconf
And reload to apply:
sudo service unbound reload
You're able to see which DNS server(s) are going to be called upon by unbound to resolve, for example, github.com:
pi@ph5b:~ $ sudo unbound-control lookup github.com
The following name servers are used for lookup of github.com.
;rrset 581 13 0 2 0
com. 581 IN NS a.gtld-servers.net.
com. 581 IN NS b.gtld-servers.net.
com. 581 IN NS c.gtld-servers.net.
com. 581 IN NS d.gtld-servers.net.
com. 581 IN NS e.gtld-servers.net.
com. 581 IN NS f.gtld-servers.net.
com. 581 IN NS g.gtld-servers.net.
com. 581 IN NS h.gtld-servers.net.
com. 581 IN NS i.gtld-servers.net.
com. 581 IN NS j.gtld-servers.net.
com. 581 IN NS k.gtld-servers.net.
com. 581 IN NS l.gtld-servers.net.
com. 581 IN NS m.gtld-servers.net.
;rrset 581 1 1 11 5
com. 581 IN DS 30909 8 2 E2D3C916F6DEEAC73294E8268FB5885044A833FC5459588F4A9184CFC41A5766
com. 581 IN RRSIG DS 8 1 86400 20210524050000 20210511040000 14631 . pK9YpC5gVf/m6S5Q7Gr4kiJzhiBe0N6YP7eS/jQQWXKb7ANyjLGL+QSAdkgza/tBs7LdCId5iEjKKcoIM3Y8Pub2LTVX7wvsHNg7CgGobYj8QlKrVo0PJiwoV636aPWWtWDC/Aqs35R9CyJ4IjCGH4Kr8brHmJapjK8CVig7q218JCPvvgeMJ3dQ3NCnMtN0ZDzevIRHvCQ1G0Vohr4PvlgWZ8xW3aDe4tDcloH5cjED4Bnuckf3LK9ND50GdBdLbrTUs6/OsJR2CgvCzf615rLDK2B+DmjgRw6VrPmsmwnROkAX84YaeCcmVRTzSvS4gFXiHE2qAb0ipIEih7fiow== ;{id = 14631}
;rrset 581 1 0 1 0
m.gtld-servers.net. 581 IN A 192.55.83.30
;rrset 581 1 0 1 0
m.gtld-servers.net. 581 IN AAAA 2001:501:b1f9::30
;rrset 581 1 0 1 0
l.gtld-servers.net. 581 IN A 192.41.162.30
;rrset 581 1 0 1 0
l.gtld-servers.net. 581 IN AAAA 2001:500:d937::30
;rrset 581 1 0 1 0
k.gtld-servers.net. 581 IN A 192.52.178.30
;rrset 581 1 0 1 0
k.gtld-servers.net. 581 IN AAAA 2001:503:d2d::30
;rrset 581 1 0 1 0
j.gtld-servers.net. 581 IN A 192.48.79.30
;rrset 581 1 0 1 0
j.gtld-servers.net. 581 IN AAAA 2001:502:7094::30
;rrset 581 1 0 1 0
i.gtld-servers.net. 581 IN A 192.43.172.30
;rrset 581 1 0 1 0
i.gtld-servers.net. 581 IN AAAA 2001:503:39c1::30
;rrset 581 1 0 1 0
h.gtld-servers.net. 581 IN A 192.54.112.30
;rrset 581 1 0 1 0
h.gtld-servers.net. 581 IN AAAA 2001:502:8cc::30
;rrset 581 1 0 1 0
g.gtld-servers.net. 581 IN A 192.42.93.30
;rrset 581 1 0 1 0
g.gtld-servers.net. 581 IN AAAA 2001:503:eea3::30
;rrset 581 1 0 1 0
f.gtld-servers.net. 581 IN A 192.35.51.30
;rrset 581 1 0 1 0
f.gtld-servers.net. 581 IN AAAA 2001:503:d414::30
;rrset 581 1 0 1 0
e.gtld-servers.net. 581 IN A 192.12.94.30
;rrset 581 1 0 1 0
e.gtld-servers.net. 581 IN AAAA 2001:502:1ca1::30
;rrset 581 1 0 1 0
d.gtld-servers.net. 581 IN A 192.31.80.30
;rrset 581 1 0 1 0
d.gtld-servers.net. 581 IN AAAA 2001:500:856e::30
;rrset 581 1 0 1 0
c.gtld-servers.net. 581 IN A 192.26.92.30
;rrset 581 1 0 1 0
c.gtld-servers.net. 581 IN AAAA 2001:503:83eb::30
;rrset 581 1 0 1 0
b.gtld-servers.net. 581 IN A 192.33.14.30
;rrset 581 1 0 1 0
b.gtld-servers.net. 581 IN AAAA 2001:503:231d::2:30
;rrset 581 1 0 1 0
a.gtld-servers.net. 581 IN A 192.5.6.30
;rrset 581 1 0 1 0
a.gtld-servers.net. 581 IN AAAA 2001:503:a83e::2:30
Delegation with 13 names, of which 0 can be examined to query further addresses.
It provides 26 IP addresses.
2001:503:a83e::2:30 not in infra cache.
192.5.6.30 expired, rto 187184 msec, tA 0 tAAAA 0 tother 0.
2001:503:231d::2:30 not in infra cache.
192.33.14.30 expired, rto 187184 msec, tA 0 tAAAA 0 tother 0.
2001:503:83eb::30 not in infra cache.
192.26.92.30 expired, rto 187184 msec, tA 0 tAAAA 0 tother 0.
2001:500:856e::30 not in infra cache.
192.31.80.30 expired, rto 187184 msec, tA 0 tAAAA 0 tother 0.
2001:502:1ca1::30 not in infra cache.
192.12.94.30 expired, rto 187184 msec, tA 0 tAAAA 0 tother 0.
2001:503:d414::30 not in infra cache.
192.35.51.30 expired, rto 187184 msec, tA 0 tAAAA 0 tother 0.
2001:503:eea3::30 not in infra cache.
192.42.93.30 expired, rto 187184 msec, tA 0 tAAAA 0 tother 0.
2001:502:8cc::30 not in infra cache.
192.54.112.30 expired, rto 187184 msec, tA 0 tAAAA 0 tother 0.
2001:503:39c1::30 not in infra cache.
192.43.172.30 expired, rto 187184 msec, tA 0 tAAAA 0 tother 0.
2001:502:7094::30 not in infra cache.
192.48.79.30 expired, rto 187184 msec, tA 0 tAAAA 0 tother 0.
2001:503:d2d::30 not in infra cache.
192.52.178.30 rto 302 msec, ttl 762, ping 2 var 75 rtt 302, tA 0, tAAAA 0, tother 0, EDNS 0 probed.
2001:500:d937::30 not in infra cache.
192.41.162.30 not in infra cache.
2001:501:b1f9::30 not in infra cache.
192.55.83.30 not in infra cache.
unbound is going to ask one of them who the authoritative nameserver(s) is for github.com:
pi@ph5b:~ $ dig +noall +authority @192.55.83.30 ns github.com.
github.com. 172800 IN NS ns-520.awsdns-01.net.
github.com. 172800 IN NS ns-421.awsdns-52.com.
github.com. 172800 IN NS ns-1707.awsdns-21.co.uk.
github.com. 172800 IN NS ns-1283.awsdns-32.org.
github.com. 172800 IN NS dns1.p08.nsone.net.
github.com. 172800 IN NS dns2.p08.nsone.net.
github.com. 172800 IN NS dns3.p08.nsone.net.
github.com. 172800 IN NS dns4.p08.nsone.net.
Next, suppose an A record needs to be resolved, unbound is going to ask one of them for the final answer:
pi@ph5b:~ $ dig +noall +answer @ns-520.awsdns-01.net. a github.com
github.com. 60 IN A 140.82.121.4
Hope this can narrow the field a bit.
Not sure why but my unbound is not logging.
Did the above steps and these are my results.
The following name servers are used for lookup of github.com.
;rrset 549 13 1 5 0
com. 549 IN NS i.gtld-servers.net.
com. 549 IN NS c.gtld-servers.net.
com. 549 IN NS d.gtld-servers.net.
com. 549 IN NS f.gtld-servers.net.
com. 549 IN NS l.gtld-servers.net.
com. 549 IN NS k.gtld-servers.net.
com. 549 IN NS m.gtld-servers.net.
com. 549 IN NS a.gtld-servers.net.
com. 549 IN NS g.gtld-servers.net.
com. 549 IN NS h.gtld-servers.net.
com. 549 IN NS j.gtld-servers.net.
com. 549 IN NS e.gtld-servers.net.
com. 549 IN NS b.gtld-servers.net.
com. 549 IN RRSIG NS 8 1 172800 20210516042406 20210509031406 54714 com. rq4GGd+7VBrnTg8dVisKZdVgScFLKdXv8KowpnIcJ0NfTvyHm5i+pmozP58ywXNK8zi4HpvhAcPlp02YWC5IIfUkn4aYpGJHrzGGSc8OGRyMikPIemN0U55GDD6uVHiaO54h1HN96tsTr00htOm2Z4pPUHzitcdWMx8v4LashL4C3SmZAM7symKqvvae0s8W6mDPuvHJAlDL5V27tjemvg== ;{id = 54714}
;rrset 453 1 1 11 4
com. 453 IN DS 30909 8 2 E2D3C916F6DEEAC73294E8268FB5885044A833FC5459588F4A9184CFC41A5766
com. 453 IN RRSIG DS 8 1 86400 20210525050000 20210512040000 14631 . o/c7cxcT52FCuNwXAfz86Rl8WZjWmmEXScBCCe4oa04PpCoJYvipYkee7JWqj9n0GfQF6giHRQpky2D3W+Vv/ntjO375NOlosl4c7oP88Sw3AUHE50gv24aDoWq3D53RpkEzfCsWm/F1LDB40qSx+VkGXY2FiJKJY031B+U3nWwb0lMRFYfckb7KL9mn+A4c6vimle/XTdIOIW3RpEFIfX05rK1Za4cw8qv7p/9SJ+YLI3codzVrpVDOHQmygLMiF2hAx5z2DD9i2Y/ILLxACqDklHSeFN4iyoEGQwFvHEIOxvPBIRPmb8WkjI2W99OIEBMl43fZi0VrI/RL/ZGq6A== ;{id = 14631}
;rrset 549 1 0 5 0
b.gtld-servers.net. 549 IN A 192.33.14.30
;rrset 453 1 0 1 0
b.gtld-servers.net. 453 IN AAAA 2001:503:231d::2:30
;rrset 549 1 0 5 0
e.gtld-servers.net. 549 IN A 192.12.94.30
;rrset 453 1 0 1 0
e.gtld-servers.net. 453 IN AAAA 2001:502:1ca1::30
;rrset 549 1 0 5 0
j.gtld-servers.net. 549 IN A 192.48.79.30
;rrset 453 1 0 1 0
j.gtld-servers.net. 453 IN AAAA 2001:502:7094::30
;rrset 549 1 0 5 0
h.gtld-servers.net. 549 IN A 192.54.112.30
;rrset 453 1 0 1 0
h.gtld-servers.net. 453 IN AAAA 2001:502:8cc::30
;rrset 549 1 0 5 0
g.gtld-servers.net. 549 IN A 192.42.93.30
;rrset 453 1 0 1 0
g.gtld-servers.net. 453 IN AAAA 2001:503:eea3::30
;rrset 549 1 0 5 0
a.gtld-servers.net. 549 IN A 192.5.6.30
;rrset 453 1 0 1 0
a.gtld-servers.net. 453 IN AAAA 2001:503:a83e::2:30
;rrset 549 1 0 5 0
m.gtld-servers.net. 549 IN A 192.55.83.30
;rrset 453 1 0 1 0
m.gtld-servers.net. 453 IN AAAA 2001:501:b1f9::30
;rrset 549 1 0 5 0
k.gtld-servers.net. 549 IN A 192.52.178.30
;rrset 453 1 0 1 0
k.gtld-servers.net. 453 IN AAAA 2001:503:d2d::30
;rrset 549 1 0 5 0
l.gtld-servers.net. 549 IN A 192.41.162.30
;rrset 453 1 0 1 0
l.gtld-servers.net. 453 IN AAAA 2001:500:d937::30
;rrset 549 1 0 5 0
f.gtld-servers.net. 549 IN A 192.35.51.30
;rrset 453 1 0 1 0
f.gtld-servers.net. 453 IN AAAA 2001:503:d414::30
;rrset 549 1 0 5 0
d.gtld-servers.net. 549 IN A 192.31.80.30
;rrset 453 1 0 1 0
d.gtld-servers.net. 453 IN AAAA 2001:500:856e::30
;rrset 549 1 0 5 0
c.gtld-servers.net. 549 IN A 192.26.92.30
;rrset 453 1 0 1 0
c.gtld-servers.net. 453 IN AAAA 2001:503:83eb::30
;rrset 549 1 0 5 0
i.gtld-servers.net. 549 IN A 192.43.172.30
;rrset 453 1 0 1 0
i.gtld-servers.net. 453 IN AAAA 2001:503:39c1::30
Delegation with 13 names, of which 0 can be examined to query further addresses.
It provides 26 IP addresses.
2001:503:39c1::30 not in infra cache.
192.43.172.30 NoAuthButRecursive rto 230 msec, ttl 623, ping 58 var 43 rtt 230, tA 0, tAAAA 0, tother 0, EDNS 0 probed.
2001:503:83eb::30 not in infra cache.
192.26.92.30 NoAuthButRecursive rto 188 msec, ttl 623, ping 48 var 35 rtt 188, tA 0, tAAAA 0, tother 0, EDNS 0 probed.
2001:500:856e::30 not in infra cache.
192.31.80.30 NoAuthButRecursive rto 160 msec, ttl 623, ping 28 var 33 rtt 160, tA 0, tAAAA 0, tother 0, EDNS 0 probed.
2001:503:d414::30 not in infra cache.
192.35.51.30 NoAuthButRecursive rto 150 msec, ttl 623, ping 42 var 27 rtt 150, tA 0, tAAAA 0, tother 0, EDNS 0 probed.
2001:500:d937::30 not in infra cache.
192.41.162.30 NoAuthButRecursive rto 240 msec, ttl 623, ping 56 var 46 rtt 240, tA 0, tAAAA 0, tother 0, EDNS 0 probed.
2001:503:d2d::30 not in infra cache.
192.52.178.30 NoAuthButRecursive rto 226 msec, ttl 623, ping 54 var 43 rtt 226, tA 0, tAAAA 0, tother 0, EDNS 0 probed.
2001:501:b1f9::30 not in infra cache.
192.55.83.30 NoAuthButRecursive rto 145 msec, ttl 623, ping 45 var 25 rtt 145, tA 0, tAAAA 0, tother 0, EDNS 0 probed.
2001:503:a83e::2:30 not in infra cache.
192.5.6.30 NoAuthButRecursive rto 76 msec, ttl 623, ping 32 var 11 rtt 76, tA 0, tAAAA 0, tother 0, EDNS 0 probed.
2001:503:eea3::30 not in infra cache.
192.42.93.30 NoAuthButRecursive rto 184 msec, ttl 623, ping 52 var 33 rtt 184, tA 0, tAAAA 0, tother 0, EDNS 0 probed.
2001:502:8cc::30 not in infra cache.
192.54.112.30 NoAuthButRecursive rto 194 msec, ttl 623, ping 50 var 36 rtt 194, tA 0, tAAAA 0, tother 0, EDNS 0 probed.
2001:502:7094::30 not in infra cache.
192.48.79.30 NoAuthButRecursive rto 500 msec, ttl 623, ping 38 var 53 rtt 250, tA 1, tAAAA 0, tother 0, EDNS 0 probed.
2001:502:1ca1::30 not in infra cache.
192.12.94.30 NoAuthButRecursive rto 157 msec, ttl 623, ping 49 var 27 rtt 157, tA 0, tAAAA 0, tother 0, EDNS 0 probed.
2001:503:231d::2:30 not in infra cache.
192.33.14.30 NoAuthButRecursive rto 137 msec, ttl 623, ping 45 var 23 rtt 137, tA 0, tAAAA 0, tother 0, EDNS 0 probed.
dig +noall +authority @192.55.83.30 ns github.com
nominum.cloud. 199 IN SOA ns4.nominum.net. hostmaster.nominum.com. 2020042997 1200 600 604800 900
dig +noall +answer @ns-520.awsdns-01.net. a github.com
github.com. 600 IN A 74.121.125.9
github.com. 600 IN A 74.121.125.8
That's an old Parental Filtering service.
Hmmm... I wonder where that is coming from, maybe my internet provider. Let me see if that might be it and I will let you know.
Finally got my logging working. This is what it shows.
[1620941718] unbound[49323:0] info: finishing processing for github.com. DS IN
[1620941718] unbound[49323:0] debug: validator[module 1] operate: extstate:module_wait_module event:module_event_moddone
[1620941718] unbound[49323:0] info: validator operate: query github.com. DS IN
[1620941718] unbound[49323:0] debug: subnet[module 0] operate: extstate:module_wait_module event:module_event_moddone
[1620941718] unbound[49323:0] info: subnet operate: query github.com. DS IN
[1620941718] unbound[49323:0] debug: validator[module 1] operate: extstate:module_wait_subquery event:module_event_pass
[1620941718] unbound[49323:0] info: validator operate: query github.com. A IN
[1620941718] unbound[49323:0] info: Could not establish a chain of trust to keys for github.com. DNSKEY IN
[1620941718] unbound[49323:0] debug: subnet[module 0] operate: extstate:module_wait_module event:module_event_moddone
[1620941718] unbound[49323:0] info: subnet operate: query github.com. A IN
[1620941718] unbound[49323:0] debug: cache memory msg=105107 rrset=123966 infra=17208 val=73135 subnet=74488
That's correct, github.com is not signed for DNSSEC.
There should be a whole lot more after that.
Something is intercepting your queries, these are the servers that you should be seeing for the NS list. They are the same ones that deHakkelaar has shown.
Found the problem. So apparently my Business ISP uses SecurityEdge. Logged in and turned off web filtering and it worked. The odd thing is that github is listed under "Computer & Technology" which is allowed but it blocks it anyways. So I added it to the allow list and it worked. The weird thing is I run this command dig +noall +authority @192.55.83.30 ns github.com. and it does not display as shown above. It just gives me a blank response.
@pihole1:~$ dig +noall +authority @192.55.83.30 ns github.com.
@pihole1:~$
Try dig +authority @192.55.83.30 ns github.com. and dig @192.55.83.30 ns github.com. See if either of those come back and have a status section in the HEADER.
I figured it out, just removed +noall and I was able to get the same results. Thanks!
Aha so the NS records got high jacked.
Sweet you got it working!
Yeah I shouldn't have done the +noall thingy.
You can check those [no]... arguments on the man page:
man dig
For everything a first
EDIT: "hijacked" oc
Yea, they were being hijacked by my Business ISP... Web Filtering by Comcast Business. Even though github is listed as safe by their web filter it still blocked it... Glad I got it working. Thanks for your help deHakkelaar!
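The check this thread converges on, as an added example that is not code from any of the posters: a genuine gTLD server answers dig @<its IP> ns <domain> with a referral (no ra flag, NS records for the domain in the AUTHORITY section), so a reply with ra set, NS data in ANSWER, or an unrelated zone in AUTHORITY means something else in the path answered. The function name classify_tld_reply and the sample reply are constructed for illustration; the function needs the full dig output, without +noall, because the header flags are part of the evidence.

```shell
#!/bin/sh
# Added example: classify what answered "dig @<gTLD-server-IP> ns <domain>".
# Feed the FULL dig output (no +noall) on stdin; the domain is the only argument.
#   referral    - no "ra" flag, NS records for <domain> in AUTHORITY (a real TLD server)
#   intercepted - "ra" flag set, NS data in ANSWER, or AUTHORITY about another zone
#   unknown     - no header or no usable records (timeout, output trimmed by +noall)
classify_tld_reply() {
    awk -v dom="$(printf '%s' "${1%.}." | tr 'A-Z' 'a-z')" '
        /^;; flags:/            { seen = 1; if ($0 ~ /flags:[^;]* ra[ ;]/) ra = 1; next }
        /^;; ANSWER SECTION/    { sec = "answer"; next }
        /^;; AUTHORITY SECTION/ { sec = "authority"; next }
        /^;; [A-Z]+ SECTION/    { sec = ""; next }      # QUESTION, ADDITIONAL
        /^;/ || NF < 5          { next }                # comments and blank lines
        {
            owner = tolower($1)
            if (sec == "answer" && $4 == "NS")                    ns_answer++
            if (sec == "authority" && $4 == "NS" && owner == dom) ns_auth++
            if (sec == "authority" && owner != dom)               foreign++
        }
        END {
            if (!seen)                           print "unknown"
            else if (ra || ns_answer || foreign) print "intercepted"
            else if (ns_auth)                    print "referral"
            else                                 print "unknown"
        }'
}

# Constructed sample, modelled on the SOA reply quoted in the thread
# (header values are made up; only the AUTHORITY record comes from the page).
sample_filtered_reply() {
    cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 1
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; QUESTION SECTION:
;github.com. IN NS
;; AUTHORITY SECTION:
nominum.cloud. 199 IN SOA ns4.nominum.net. hostmaster.nominum.com. 2020042997 1200 600 604800 900
EOF
}

sample_filtered_reply | classify_tld_reply github.com
```

On a live system the input would be the output of dig @192.55.83.30 ns github.com. piped into the function.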