Query results come back as bogus / servfail

Expected Behaviour:

Blocked sites are blocked, sites not in blocklists can be accessed

Actual Behaviour:

Sites not found in any blocklists are not accessible

Debug Token

Unable to upload one...

[?] Would you like to upload the log? [y/N] y
    * Using openssl for transmission.
[✗]  There was an error uploading your debug log.
   * Please try again or contact the Pi-hole team for assistance.

Quick snip of query log, trying to browse this site

Apr 25 23:07:12 dnsmasq[31998]: query[A] discourse.pi-hole.net from 192.168.0.100
Apr 25 23:07:12 dnsmasq[31998]: forwarded discourse.pi-hole.net to 127.0.0.1
Apr 25 23:07:12 dnsmasq[31998]: forwarded discourse.pi-hole.net to 127.0.0.1
Apr 25 23:07:13 dnsmasq[31998]: validation discourse.pi-hole.net is BOGUS
Apr 25 23:07:13 dnsmasq[31998]: reply error is SERVFAIL

Also see this on some other sites
No changes made to hardware or software?
Pihole version is latest and all up to date.

pi-hole.net is not DNSSEC enabled. You are getting an error from your upstream server (127.0.0.1) that is reporting the discourse.pi-hole.net record is DNSSEC BOGUS, which is not possible. What are you using as your upstream?

I'm using unbound

Did you follow any guides or instructions on your unbound configurations?

Yep, to the letter.
Everything was working perfectly up until tonight. I've not changed anything.
Just trying another debug

Which guide did you follow?

I followed the one in the pihole docs here

Got a debug: Your debug token is: https://tricorder.pi-hole.net/dl2lms2dhr!

Everything on the debug is fine, Pi-hole works correctly. Unbound is returning incorrect results.

Strange.
Why would it suddenly stop working?
Any tips on how to fix?

Check the time on the Pi. If it is incorrect, the DNSSEC cannot authenticate properly.

Time is ok...

Last login: Thu Apr 25 23:22:11 2019 from 192.168.0.100
pi@pi-hole:~ $ timedatectl
      Local time: Fri 2019-04-26 08:53:43 BST
  Universal time: Fri 2019-04-26 07:53:43 UTC
        RTC time: n/a
       Time zone: Europe/London (BST, +0100)
 Network time on: yes
NTP synchronized: yes
 RTC in local TZ: no

I'm in the uk

Something else I've just noticed....my blocked percentage has dropped from around 20-30% to approx. 5%
Significant?

Turn off DNSSEC on Pi-Hole and see if this improves it. DNSSEC is already being handled by unbound.

That seems to have done the trick.
I'm certain the guide for unbound said to enable DNSSEC?
Maybe a quick note in the documentation would be an idea?
Looking through logs, with DNSSEC enabled, every query was coming back with BOGUS status?
Anyhoo, looks to be resolved now.
But I am rather interested / intrigued as to why it suddenly caused problems out of the blue?

EDIT:
Still getting some problems...

Apr 26 17:49:18 dnsmasq[25337]: query[A] gameclipscontent-d2017.xboxlive.com from 192.168.0.100
Apr 26 17:49:18 dnsmasq[25337]: forwarded gameclipscontent-d2017.xboxlive.com to 127.0.0.1
Apr 26 17:49:18 dnsmasq[25337]: forwarded gameclipscontent-d2017.xboxlive.com to 127.0.0.1
Apr 26 17:49:18 dnsmasq[25337]: reply error is SERVFAIL

Or is this meaning the domain is blocked...seems not
Query log says the request was forwarded?

The guide for unbound does not address DNSSEC settings in Pi-Hole. The guide enables DNSSEC in unbound only.

There have been some bugs reported in dnsmasq related to DNSSEC.

I believe this is unbound failing to return an IP for that requested domain.

One thing I would do is to temporarily increase the verbosity setting for unbound in file /etc/unbound/unbound.conf.d/pi-hole.conf using the guidance of the unbound configuration manual - this will show more detail in the unbound log and may provide some insight into what is happening within unbound:


Must have been a rookie error from me... entirely possible

Yeah, I've just had a query return SERVFAIL then second time returned NOERROR and the page loaded.

I've increased verbosity to level 3....do I need to restart unbound to have it take effect? How do I do this if so?
Thanks guys for your help btw!

Yes. sudo service unbound restart
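The verbosity-and-restart steps above, as an added shell example that is not from the thread or the Pi-hole unbound guide. It writes a drop-in raising unbound's verbosity and pointing it at a log file, and also creates the log directory, because unbound does not create /var/log/unbound on its own: if the directory is missing, the open fails at startup and the file the config names never appears. Paths follow the thread (/etc/unbound/unbound.conf.d/, /var/log/unbound/unbound.log); the drop-in name 99-debug-logging.conf and the 'unbound' service user are assumptions, and ROOT is a prefix so the function can be exercised against a scratch directory.

```shell
#!/bin/sh
# Added example (not from the thread or the Pi-hole guide): raise unbound's
# verbosity for a debugging session and make sure the log file it is told to
# write can actually be created. Paths follow the thread; the drop-in file
# name and the 'unbound' user are assumptions. ROOT ("" on the live system)
# lets the function be run against a scratch directory.

write_unbound_debug_logging() {
  root=${1:-}            # "" for the live system, a temp dir when testing
  level=${2:-3}          # unbound verbosity 0-5; 3 shows per-query work
  confdir="$root/etc/unbound/unbound.conf.d"
  logdir="$root/var/log/unbound"
  mkdir -p "$confdir" "$logdir"
  # On Debian-based Pi-hole hosts unbound runs as user 'unbound' (assumption),
  # so the log directory must be writable by that user, not just by root.
  if [ -z "$root" ] && id unbound >/dev/null 2>&1; then
    chown unbound:unbound "$logdir"
  fi
  cat > "$confdir/99-debug-logging.conf" <<EOF
# Temporary debugging settings; delete this file when finished.
server:
    verbosity: $level
    # Log to a file rather than syslog. If unbound.conf sets "chroot:", this
    # path is interpreted relative to the chroot, so check that setting first.
    use-syslog: no
    logfile: "/var/log/unbound/unbound.log"
    # Also log each query and the reply sent back; this is what shows why a
    # lookup that Pi-hole forwarded came back SERVFAIL.
    log-queries: yes
    log-replies: yes
EOF
  echo "$confdir/99-debug-logging.conf"
}

# Validate the merged configuration first, then restart so the settings load
# (the restart command is the one given in the thread).
apply_unbound_debug_logging() {
  if ! command -v unbound-checkconf >/dev/null 2>&1; then
    echo "unbound-checkconf not found; is unbound installed?" >&2
    return 1
  fi
  unbound-checkconf && sudo service unbound restart
}

# Run with --apply on the Pi itself; without it nothing on the system changes.
if [ "${1:-}" = "--apply" ]; then
  write_unbound_debug_logging "" 3
  apply_unbound_debug_logging
fi
```

Remove the drop-in and restart again once done: verbosity 3 with query and reply logging grows the file quickly on a busy network.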

Thanks, I'll try to recreate and catch a debug log
Does the unbound log get included in pihole -d?

Still having some problems...I think
Snip from log:

Apr 26 18:30:43 dnsmasq[25337]: query[A] gameclipscontent-d2017.xboxlive.com.local from 192.168.0.100
Apr 26 18:30:43 dnsmasq[25337]: forwarded gameclipscontent-d2017.xboxlive.com.local to 127.0.0.1
Apr 26 18:30:43 dnsmasq[25337]: reply gameclipscontent-d2017.xboxlive.com.local is NXDOMAIN

If I look for the unbound log, it doesn't exist.
Config file tells me it's at /var/log/unbound/unbound.log
But the file doesn't exist, I don't even have an unbound folder in /var/log

Got another debug log:

[✓] Your debug token is: https://tricorder.pi-hole.net/bzityptvcu!

Edit:
Just to confirm every query is resulting in SERVFAIL again?
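To answer the "is every query SERVFAIL again?" question from the log rather than by eye, here is an added shell example (not from the thread) that summarises a Pi-hole/dnsmasq query log per queried name. The sample lines are constructed from the three snippets quoted above. dnsmasq logs "reply error is SERVFAIL" without a name, so the script attributes that line to the most recently logged query; with overlapping queries that attribution is approximate, which is why the query count is printed alongside. It also flags names like gameclipscontent-d2017.xboxlive.com.local, which are the client retrying with its search domain after the first lookup failed, not a separate site being blocked.

```shell
#!/bin/sh
# Added example, not from the thread: summarise a Pi-hole/dnsmasq query log so
# that names which were forwarded but came back BOGUS, SERVFAIL or NXDOMAIN
# stand out. "reply error is SERVFAIL" carries no name, so it is attributed to
# the last logged query (approximate when queries overlap).
summarize_dnsmasq_log() {
  awk '
    $5 ~ /^query\[/                      { last = $6; q[$6]++; next }
    $5 == "forwarded"                    { fwd[$6]++; next }
    $5 == "validation" && $8 == "BOGUS"  { bogus[$6]++; next }
    $5 == "reply" && $6 == "error" && $8 == "SERVFAIL" {
                                           if (last != "") servfail[last]++; next }
    $5 == "reply" && $8 == "NXDOMAIN"    { nx[$6]++; next }
    $5 == "reply"                        { answered[$6]++; next }
    END {
      for (n in q)
        printf "%s queries=%d forwarded=%d bogus=%d servfail=%d nxdomain=%d answered=%d\n",
               n, q[n], fwd[n], bogus[n], servfail[n], nx[n], answered[n]
      # A queried name that is another queried name plus ".local" is the client
      # retrying with its search domain after the first lookup failed.
      for (n in q) {
        base = n; sub(/\.local$/, "", base)
        if (base != n && (base in q))
          printf "note: %s is a search-domain retry of %s after a failed lookup\n", n, base
      }
    }' | sort
}

# Constructed sample assembled from the snippets quoted in the thread.
SAMPLE_LOG='Apr 25 23:07:12 dnsmasq[31998]: query[A] discourse.pi-hole.net from 192.168.0.100
Apr 25 23:07:12 dnsmasq[31998]: forwarded discourse.pi-hole.net to 127.0.0.1
Apr 25 23:07:12 dnsmasq[31998]: forwarded discourse.pi-hole.net to 127.0.0.1
Apr 25 23:07:13 dnsmasq[31998]: validation discourse.pi-hole.net is BOGUS
Apr 25 23:07:13 dnsmasq[31998]: reply error is SERVFAIL
Apr 26 17:49:18 dnsmasq[25337]: query[A] gameclipscontent-d2017.xboxlive.com from 192.168.0.100
Apr 26 17:49:18 dnsmasq[25337]: forwarded gameclipscontent-d2017.xboxlive.com to 127.0.0.1
Apr 26 17:49:18 dnsmasq[25337]: reply error is SERVFAIL
Apr 26 18:30:43 dnsmasq[25337]: query[A] gameclipscontent-d2017.xboxlive.com.local from 192.168.0.100
Apr 26 18:30:43 dnsmasq[25337]: forwarded gameclipscontent-d2017.xboxlive.com.local to 127.0.0.1
Apr 26 18:30:43 dnsmasq[25337]: reply gameclipscontent-d2017.xboxlive.com.local is NXDOMAIN'

# On the Pi itself: summarize_dnsmasq_log < /var/log/pihole.log
printf '%s\n' "$SAMPLE_LOG" | summarize_dnsmasq_log
```

A name with bogus=0 but servfail>0 after Pi-hole's DNSSEC was switched off points at unbound itself failing the lookup, which is where the unbound log with raised verbosity comes in; bogus>0 for every name was the earlier double-validation symptom.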

No. Unbound is a separate installation and not part of Pi-Hole, so not included.