Query results come back as bogus / servfail

Valiceemo · May 7, 2019, 10:20pm

Ok, I've set interface: 127.0.0.1
The guide on the pihole docs doesn't mention that in the example conf file they have listed. I guess it's just 'making sure'?

Valiceemo · May 7, 2019, 10:26pm

Ok, I'll leave it set at 127.0.0.1 to be certain

And to disable qname-minimalisation I set it to no in the config file?

Valiceemo · May 7, 2019, 10:31pm

Ok thanks again for you time and help
I've set it no, will leave it over night and check the logs and report back in the morning

Valiceemo · May 8, 2019, 8:40am

So checking the logs this morning, I still see the SERVFAIL error with qname-minimisation: no
Also, changing that to no seemed to completely kill my web access, whereas with it set to yes, I still can access some sites, but get servfail for others.
I have set qname-minimisation back to yes and web access is back, but still getting SERVFAIL on some queries, this mornings examples include, pushbullet api, reddit.com and youtube.com again...all of which worked previously (and work OK when not using unbound)

Valiceemo · May 8, 2019, 10:17am

Yes, for now I have reverted back to using Cloudfare upstream.
When using unbound, I had no upstreams selected in the gui, only 'custom; and entered 127.0.0.1#5353 as detailed in the guide

Valiceemo · May 8, 2019, 11:32am

I followed the guide on the pi-hole docs page
This guide instructs to have no upstream servers ticked, only custom: 127.0.0.1#5353

Valiceemo · May 8, 2019, 1:01pm

just another observation from me.....
I noticed that the root.hints was updated recently.
My version on my machine is outdated by 1 month.
I guess this isn't normally an issue.

Valiceemo · May 9, 2019, 2:55pm

any further ideas at all?
Ive just made a little test, and it makes no sense to me!
Pi-hole configured as per the unbound guide (no upstream servers selected, custom IPV4 - 127.0.01.1#5353)
I see many servfails in the log...
Taking one as an example:

May  9 15:31:11 dnsmasq[15191]: query[A] feedr.search.sky.com from 192.168.0.128
May  9 15:31:11 dnsmasq[15191]: forwarded feedr.search.sky.com to 127.0.0.1
May  9 15:31:11 dnsmasq[15191]: forwarded feedr.search.sky.com to 127.0.0.1
May  9 15:31:11 dnsmasq[15191]: validation feedr.search.sky.com is BOGUS
May  9 15:31:11 dnsmasq[15191]: reply error is SERVFAIL

If I then dig this domain I see a no error reply?

pi@pi-hole:~ $ dig feedr.search.sky.com @127.0.0.1 -p5353

; <<>> DiG 9.10.3-P4-Raspbian <<>> feedr.search.sky.com @127.0.0.1 -p5353
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40055
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;feedr.search.sky.com.          IN      A

;; ANSWER SECTION:
feedr.search.sky.com.   1962    IN      CNAME   feedr3.search.sky.com.edgekey.net.
feedr3.search.sky.com.edgekey.net. 1963 IN CNAME e5591.b.akamaiedge.net.
e5591.b.akamaiedge.net. 1963    IN      A       104.78.176.213

;; Query time: 1 msec
;; SERVER: 127.0.0.1#5353(127.0.0.1)
;; WHEN: Thu May 09 15:43:28 BST 2019
;; MSG SIZE  rcvd: 145

This pattern seems to be totally random, i.e. I can pick another servfail error from the log, dig it, and return SERVFAIL?

Valiceemo · May 9, 2019, 4:47pm

Yes you're right.
I disabled DNSSEC again and the behaviour returned to as before.... servfail error with no bogus results.

Valiceemo · May 10, 2019, 7:29am

Thanks, will try this later.
But, doesn't using upstream servers with Unbound kind of defeat the point of unbound, or do I misunderstand the usage of unbound?

Valiceemo · May 10, 2019, 9:11am

hmmm ok,
I think im part way to understanding
I use pi-hole as DHCP, as I am unable to manually set DNS resolvers on my ISP provided router.

I can have DNSSEC working, without unbound.
If I choose, for example, Cloudflare as my upstream in Pi-hole settings, and select DNSSEC it works as expected....so effectively I don't need Unbound, as it isn't 'working' as a recursive server?

Valiceemo · May 10, 2019, 11:08am

Yeah I'm certain. Which is also part of my confusion on this problem.
I'll be sure to double check it later when I'm back home.

Valiceemo · May 10, 2019, 6:07pm

I can confirm that if I select upstream in the DNS settings (Cloudflare) and tick the enable dnssec, everything works ok, and dnssec tests are passed.
So this would be the same as the above 'solution', i.e. using unbound with forward-control enabled?

pi@pi-hole:~ $ dnsmasq -v
Dnsmasq version 2.76  Copyright (c) 2000-2016 Simon Kelley
Compile time options: IPv6 GNU-getopt DBus i18n IDN DHCP DHCPv6 no-Lua TFTP conntrack ipset auth DNSSEC loop-detect inotify

Valiceemo · May 17, 2019, 1:13pm

Any more thoughts on this?
I cant help but think that using Unbound + Cloudflare is kind of redundant?

Valiceemo · May 20, 2019, 8:49pm

Short update, installed the latest pihole version today and still see the SERVFAIL error when using unbound.

Valiceemo · May 21, 2019, 6:05pm

Yea, I tried adding forward-zone to the unbound config, with Cloudflare as the upstream and it works....but it's kind of redundant isn't it?
No advantage to that method over the 'normal' way?

Valiceemo · May 22, 2019, 5:47pm

Sorry but I don't understand what you mean?

Valiceemo · May 29, 2019, 11:07am

Does anyone know of any other resources / forums for unbound?
Either they don't exist or my Google Fu is weak

Valiceemo · June 14, 2019, 9:21am

sorry to drag this one up again, really hoping for a solution to the unbound problem

system · July 5, 2019, 9:21am

This topic was automatically closed 21 days after the last reply. New replies are no longer allowed.