SERVFAIL for domain klarna.com

Expected Behaviour:

Domain klarna.com should respond.

Actual Behaviour:

Any attempt to access klarna.com fails with error: reply error is SERVFAIL
Here's some more details from log:

May 27 18:52:54 dnsmasq[15940]: query[A] klarna.com from 192.168.1.83
May 27 18:52:54 dnsmasq[15940]: forwarded klarna.com to 127.0.0.1#5353
May 27 18:52:54 dnsmasq[15940]: query[AAAA] klarna.com from 192.168.1.83
May 27 18:52:54 dnsmasq[15940]: forwarded klarna.com to 127.0.0.1#5353
May 27 18:52:54 dnsmasq[15940]: reply error is SERVFAIL
May 27 18:52:54 dnsmasq[15940]: reply error is SERVFAIL
May 27 18:52:54 dnsmasq[15940]: query[A] klarna.com from 192.168.1.83
May 27 18:52:54 dnsmasq[15940]: forwarded klarna.com to 127.0.0.1#5353
May 27 18:52:54 dnsmasq[15940]: query[AAAA] klarna.com from 192.168.1.83
May 27 18:52:54 dnsmasq[15940]: forwarded klarna.com to 127.0.0.1#5353
May 27 18:52:54 dnsmasq[15940]: reply error is SERVFAIL
May 27 18:52:54 dnsmasq[15940]: reply error is SERVFAIL

After disabling Pi-hole name resolution works as expected.

Debug Token:

https://tricorder.pi-hole.net/nmIBbon2/

I know that I don't have a standard setup of Pi-hole.
However, this is (currently) the only URL that fails with SERVFAIL.

Any advice for solving this issue is highly appreciated.

It would seem that SERVFAIL is returned by Pi-hole's upstream DNS server.
Your debug log suggests you are using unbound as upstream server:

*** [ DIAGNOSING ]: Ports in use
    udp:127.0.0.1:5353 is in use by unbound
    tcp:127.0.0.1:5353 is in use by unbound

(On a side note: You should change your unbound's port - 5353 is reserved for mDNS protocol usage and should not be used for DNS.)

What's the result of the following lookups:

dig klarna.com
dig klarna.com @127.0.0.1 -p 5353

I corrected unbound's port; the service is now running on port 5335.

Here's the requested output:

locadmin@vm250-pihole:~$ dig klarna.com

; <<>> DiG 9.11.5-P4-5.1+deb10u7-Debian <<>> klarna.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13371
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;klarna.com.                    IN      A

;; ANSWER SECTION:
klarna.com.             1775    IN      A       99.83.187.101
klarna.com.             1775    IN      A       75.2.22.31

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fr Mai 27 19:56:27 CEST 2022
;; MSG SIZE  rcvd: 71

locadmin@vm250-pihole:~$ dig klarna.com @127.0.0.1 -p 5335

; <<>> DiG 9.11.5-P4-5.1+deb10u7-Debian <<>> klarna.com @127.0.0.1 -p 5335
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28032
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1472
;; QUESTION SECTION:
;klarna.com.                    IN      A

;; ANSWER SECTION:
klarna.com.             1769    IN      A       75.2.22.31
klarna.com.             1769    IN      A       99.83.187.101

;; Query time: 12 msec
;; SERVER: 127.0.0.1#5335(127.0.0.1)
;; WHEN: Fr Mai 27 19:56:33 CEST 2022
;; MSG SIZE  rcvd: 71

I'm not sure, but is this (still) cached?

I do not see any SERVFAIL here.

Note that SERVFAIL is a valid DNS reply as can be received from upstream servers. Respective replies are both common and expected every once in a while, but normally shouldn't reoccur when retrying a bit later, see also MS Teams gets no presence status for contacts - #6 by Bucking_Horn.

If that happens next time, check the OPT PSEUDOSECTION for RFC8914 EDE error codes, which may have more specific information as to why the SERVFAIL occurred (e.g. it could be censored upstream).

You also may have to scrutinise unbound's log files in order to find out more.

Thanks for your support.
I'll wait until this issue is reproducible again.
Then I'll update the ticket accordingly and provide additional information as documented here.

FYI, I've seen SERVFAIL status returned in a few cases.

  1. The most common is DNSSEC validation failing because date/time on the Pi-hole host is off by too much.
  2. A DNS loop or partial loop that triggers rate-limiting.
  3. One of the many upstream (authoritative) DNS servers that unbound is querying is blocked or has no proper route.

Today (actually yesterday), I also had a DNSSEC problem (SERVFAIL in the pihole log) for www.paypal.com and some related domains. Using DNSSEC on unbound, NOT on pihole-FTL.

I restarted unbound and the problem was gone, no idea what the cause is / was.

I regularly run into (read) topics (not just on this forum) that mention unbound doesn't work for a single (just one) domain, strange...

Could you share some of your Unbound config, just the DNSSEC stuff like hardening, prefetch, anchor records and the like?
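The advice above to read the RFC 8914 EDE codes in the OPT pseudosection, and the list of the three usual SERVFAIL causes (DNSSEC validation failing because of clock skew, a loop, an unreachable authoritative server), can be tied together in code. The following is an added example, not code from Pi-hole, unbound or any poster in this thread: it builds a constructed SERVFAIL reply that carries one EDE option, parses it from wire format with only the Python standard library, and sorts the INFO-CODE into one of the three buckets named above. The query name, transaction id, EDNS buffer size and extra text are constructed sample values; the INFO-CODE table is the one registered by RFC 8914.

```python
import struct

# RFC 8914 section 5.2: Extended DNS Error INFO-CODEs
EDE_CODES = {
    0: "Other Error", 1: "Unsupported DNSKEY Algorithm", 2: "Unsupported DS Digest Type",
    3: "Stale Answer", 4: "Forged Answer", 5: "DNSSEC Indeterminate", 6: "DNSSEC Bogus",
    7: "Signature Expired", 8: "Signature Not Yet Valid", 9: "DNSKEY Missing",
    10: "RRSIGs Missing", 11: "No Zone Key Bit Set", 12: "NSEC Missing", 13: "Cached Error",
    14: "Not Ready", 15: "Blocked", 16: "Censored", 17: "Filtered", 18: "Prohibited",
    19: "Stale NXDOMAIN Answer", 20: "Not Authoritative", 21: "Not Supported",
    22: "No Reachable Authority", 23: "Network Error", 24: "Invalid Data",
}
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}
OPT_TYPE = 41          # RFC 6891 OPT pseudo-RR
EDE_OPTION_CODE = 15   # RFC 8914 EDNS option code

def _skip_name(pkt, off):
    """Return the offset just past the (possibly compressed) name starting at pkt[off]."""
    while True:
        length = pkt[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:   # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length

def _encode_name(name):
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def parse_ede(pkt):
    """Parse a wire-format DNS response.

    Returns (rcode_name, [(info_code, code_name, extra_text), ...]) where the list
    holds every EDE option found in the OPT record of the additional section.
    """
    _qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", pkt[:12])
    rcode = flags & 0x0F
    off = 12
    for _ in range(qd):
        off = _skip_name(pkt, off) + 4              # skip QTYPE and QCLASS
    edes = []
    for _ in range(an + ns + ar):
        off = _skip_name(pkt, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        rdata = pkt[off:off + rdlen]
        off += rdlen
        if rtype != OPT_TYPE:
            continue
        rcode |= ((ttl >> 24) & 0xFF) << 4          # OPT TTL carries the extended RCODE bits
        o = 0
        while o + 4 <= len(rdata):                  # walk the EDNS option list
            ocode, olen = struct.unpack("!HH", rdata[o:o + 4])
            body = rdata[o + 4:o + 4 + olen]
            o += 4 + olen
            if ocode == EDE_OPTION_CODE and len(body) >= 2:
                info = struct.unpack("!H", body[:2])[0]
                edes.append((info, EDE_CODES.get(info, "Unassigned"),
                             body[2:].decode("utf-8", "replace")))
    return RCODES.get(rcode, str(rcode)), edes

def triage(info_code):
    """Map an EDE INFO-CODE onto the failure classes discussed in this thread."""
    if info_code in (1, 2, 5, 6, 7, 8, 9, 10, 11, 12):
        return "dnssec-validation"      # check host clock, trust anchor, unbound DNSSEC config
    if info_code in (22, 23):
        return "upstream-unreachable"   # authoritative server blocked or no route
    if info_code in (15, 16, 17, 18):
        return "policy-block"           # blocked, censored or filtered upstream
    return "other"

def build_servfail_with_ede(qname, info_code, extra_text):
    """Constructed sample reply: SERVFAIL for qname with a single EDE option attached."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8182, 1, 0, 0, 1)   # qr rd ra, RCODE=2, 1 question, 1 additional
    question = _encode_name(qname) + struct.pack("!HH", 1, 1)      # A, IN
    ede_body = struct.pack("!H", info_code) + extra_text.encode("utf-8")
    option = struct.pack("!HH", EDE_OPTION_CODE, len(ede_body)) + ede_body
    opt_rr = b"\x00" + struct.pack("!HHIH", OPT_TYPE, 1232, 0, len(option)) + option
    return header + question + opt_rr

if __name__ == "__main__":
    sample = build_servfail_with_ede("klarna.com", 7, "signature expired (constructed)")
    rcode, edes = parse_ede(sample)
    for code, name, text in edes:
        print(f"{rcode}: EDE {code} ({name}) -> {triage(code)}: {text}")
```

The same option is what `dig` prints as an `EDE:` line inside the OPT PSEUDOSECTION; run the script against a real reply by reading the raw packet from a capture instead of the constructed sample. If no EDE option is present at all, the resolver did not say why it failed, and unbound's own log is the next place to look.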

This topic was automatically closed 21 days after the last reply. New replies are no longer allowed.