SERVFAIL with unbound


#1

Expected Behaviour:

[Www.google.com.hk website should be properly parsed]

Actual Behaviour:

[www.google.com.hk reply error is SERVFAIL]

Mar 12 22:48:39 dnsmasq[1053]: query[A] www.facebook.com from 192.168.1.1
Mar 12 22:48:39 dnsmasq[1053]: cached www.facebook.com is 69.171.235.64
Mar 12 22:48:39 dnsmasq[1053]: query[A] www.google.com.hk from 192.168.1.1
Mar 12 22:48:39 dnsmasq[1053]: forwarded www.google.com.hk to 127.0.0.1
Mar 12 22:48:39 dnsmasq[1053]: query[AAAA] www.google.com.hk from 192.168.1.1
Mar 12 22:48:39 dnsmasq[1053]: forwarded www.google.com.hk to 127.0.0.1
Mar 12 22:48:39 dnsmasq[1053]: reply error is SERVFAIL
Mar 12 22:48:39 dnsmasq[1053]: reply error is SERVFAIL

Debug Token:

debug token is: https://tricorder.pi-hole.net/ojmb3bm5ce!


#2

Run these two commands from the Pi terminal and post the output:

dig www.google.com.hk @127.0.0.1 -p5353

dig www.google.com.hk @1.1.1.1


#3

root@rockpi:~# dig www.google.com.hk @1.1.1.1

; <<>> DiG 9.11.3-1ubuntu1.5-Ubuntu <<>> www.google.com.hk @1.1.1.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18067
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.google.com.hk.             IN      A

;; ANSWER SECTION:
www.google.com.hk.      80      IN      A       31.13.80.17

;; Query time: 17 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; WHEN: Tue Mar 12 23:48:32 CST 2019

;; MSG SIZE rcvd: 51

root@rockpi:~# dig www.google.com.hk @127.0.0.1 -p5353

; <<>> DiG 9.11.3-1ubuntu1.5-Ubuntu <<>> www.google.com.hk @127.0.0.1 -p5353
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 21715
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1472
;; QUESTION SECTION:
;www.google.com.hk.             IN      A

;; Query time: 0 msec
;; SERVER: 127.0.0.1#5353(127.0.0.1)
;; WHEN: Tue Mar 12 23:48:46 CST 2019
;; MSG SIZE  rcvd: 46

#4

This indicates a problem with your unbound. SERVFAIL can be caused by an incorrect date/time on the Pi, which interferes with authentication.

Check that the date/time on your Pi matches your local time: date


#5

root@rockpi:~# date
2019年 03月 12日 星期二 23:56:12 CST
root@rockpi:~#


#6

Is this the only domain that results in SERVFAIL, or is this common to all requested domains?


#7

only www.google.com.hk


#8

I just synced the system time


#9

Mar 13 00:13:53 dnsmasq[1053]: cached www.facebook.com is 59.24.3.173
Mar 13 00:13:53 dnsmasq[1053]: query[A] www.google.com.hk from 192.168.1.1
Mar 13 00:13:53 dnsmasq[1053]: forwarded www.google.com.hk to 127.0.0.1
Mar 13 00:13:53 dnsmasq[1053]: query[AAAA] www.google.com.hk from 192.168.1.1
Mar 13 00:13:53 dnsmasq[1053]: forwarded www.google.com.hk to 127.0.0.1
Mar 13 00:13:56 dnsmasq[1053]: forwarded www.google.com.hk to 127.0.0.1
Mar 13 00:13:56 dnsmasq[1053]: reply error is SERVFAIL
Mar 13 00:13:56 dnsmasq[1053]: forwarded www.google.com.hk to 127.0.0.1
Mar 13 00:13:56 dnsmasq[1053]: reply error is SERVFAIL
Mar 13 00:13:58 dnsmasq[1053]: query[PTR] 0.1.168.192.in-addr.arpa from 192.168.1.1
Mar 13 00:13:58 dnsmasq[1053]: forwarded 0.1.168.192.in-addr.arpa to 192.168.1.1
The time to synchronize the system is still not resolved!


#10

Try restarting unbound - sudo service unbound restart


#11

Mar 13 00:22:20 dnsmasq[1053]: cached www.a.shifen.com is 163.177.151.109
Mar 13 00:22:20 dnsmasq[1053]: cached www.a.shifen.com is 163.177.151.110
Mar 13 00:22:20 dnsmasq[1053]: query[A] www.google.com.hk from 192.168.1.149
Mar 13 00:22:20 dnsmasq[1053]: forwarded www.google.com.hk to 127.0.0.1
Mar 13 00:22:22 dnsmasq[1053]: forwarded www.google.com.hk to 127.0.0.1
Mar 13 00:22:22 dnsmasq[1053]: reply error is SERVFAIL
Mar 13 00:22:22 dnsmasq[1053]: query[A] Sb.ADtIdy.org from 192.168.1.149
Mar 13 00:22:22 dnsmasq[1053]: cached Sb.ADtIdy.org is 176.103.133.60
Mar 13 00:22:22 dnsmasq[1053]: query[AAAA] sb.AdTIDY.oRg from 192.168.1.149
Mar 13 00:22:22 dnsmasq[1053]: cached sb.AdTIDY.oRg is NODATA-IPv6
Mar 13 00:22:24 dnsmasq[1053]: query[A] adservice.google.com.hk from 192.168.1.149
Mar 13 00:22:24 dnsmasq[1053]: forwarded adservice.google.com.hk to 127.0.0.1
Mar 13 00:22:24 dnsmasq[1053]: forwarded adservice.google.com.hk to 127.0.0.1
Mar 13 00:22:24 dnsmasq[1053]: reply error is SERVFAIL


#12

Restart unbound does not work or can not resolve


#13

I don’t know what is causing this. When I dig that domain with my instance of unbound (version 1.6.0 running on Stretch latest), it returns the correct IP, so it isn’t a problem with the domain. I would check on some of the unbound forums.

dig +short www.google.com.hk
172.217.4.67

#14

ok I am waiting for your answer!


#15

[ General system configuration (beta): armbian-config ]

Last login: Tue Mar 12 23:48:28 2019 from 192.168.1.149

root@rockpi:~# dig +short www.google.com.hk
172.217.194.94
root@rockpi:~#


#16

That looks like a correct reply - if unbound is your DNS resolver through Pi-Hole, then this reply came from unbound.


#17


#18

I used an unbound


#19
Mar 13 01:09:53 dnsmasq[20647]: reply www.163.com is &lt;CNAME&gt; 
Mar 13 01:09:53 dnsmasq[20647]: reply www.163.com.lxdns.com is 112.91.129.163
Mar 13 01:09:53 dnsmasq[20647]: query[A] www.facebook.com from 192.168.1.1 
Mar 13 01:09:53 dnsmasq[20647]: forwarded www.facebook.com to 127.0.0.1 
Mar 13 01:09:56 dnsmasq[20647]: forwarded www.facebook.com to 127.0.0.1 
Mar 13 01:09:56 dnsmasq[20647]: reply error is SERVFAIL 
Mar 13 01:09:57 dnsmasq[20647]: reply 208.67.220.220 is resolver2.opendns.com

MY GOD


#20

Your problem lies with your unbound instance. I would check the unbound forums for a resolution for the SERVFAIL.