(Some) domains returning "SERVFAIL" but no DNSSEC enabled

Expected Behaviour:

Domains such as ProtonMail.com (and mail.protonmail.com), intoDNS.com and several other seemingly random domains fail to resolve through Pi-Hole. They are not listed in any blacklist and resolve just fine through another pi-hole installation I have with the same setup procedures.

I am using unbound on this new installation, as well as a previous working installation.

Actual Behaviour:

The domains that fail to resolve appear in the query log with:

Status: OK (forwarded to localhost#5335)
Reply: SERVFAIL

However I do not have DNSSEC enabled. (And enabling doesn't resolve or adjust the issue)

Debug Token:

https://tricorder.pi-hole.net/53ouga0drd

What is not clear to me is if this other system also runs unbound or if that we just on

If so, compare your unbound configs against each other, too.

Note that unbound does DNSSEC by default on its own, irrespective of whether or not it is enabled in Pi-hole.


Sorry, I should have specified. The other system also uses unbound. Using the same example as above (protonmail.com), that pi-hole will respond as:

Type: AAAA
Status: OK (forwarded to localhost#5335)
Reply: NODATA (26.3ms)

or

Type: A
Status: OK (forwarded to localhost#5335)
Reply: IP (30.0ms)

I'll closely compare the two configurations. Both systems are unbound on Debian 10 with IPv6 enabled.

I think that I discovered the issue. On https://docs.pi-hole.net/guides/dns/unbound/#disable-resolvconf-for-unbound-optional I followed the steps for the optional unbound setting with regard to resolv.conf.

Comparing cat /etc/resolv.conf between the two servers (the older Pi-hole that works fine, and the new installation that is causing my problems), I see that the working Pi-hole is using the automatically generated local network nameserver, whereas the new one is using 127.0.0.1#5335.

What is the best way to reverse this step? I can modify /etc/resolv.conf manually however it will be overwritten if rebooted and chattr +i'ing the file seems like a temporary fix at best.

Okay, yet another fresh install and I can confirm that the issue persists. The only difference I can find between the new install, and the currently working installs are the software versions of Pi-Hole.

New install version that does not work properly for me:

  Current Pi-hole version is v5.3.1.
  Current AdminLTE version is v5.5.
  Current FTL version is v5.8.1.

Old install version that does work properly for me:

  Pi-hole version is v5.2.4 (Latest: v5.3.1)
  AdminLTE version is v5.4 (Latest: v5.5)
  FTL version is v5.7 (Latest: v5.8.1)

Both installs are similar in that they're Debian 10 servers with Unbound installed. On the brand new install I still can't resolve domains that should work, and do work, if using DNS from the other Pi-Hole.

The old pi-hole will be decommissioned soon and I need to get the other one working as reliably as the old one.

Any thoughts?

Edit file /etc/dhcpcd.conf and change the static nameserver in that file. Example of a Pi using Pi-hole for DNS - you would change the loopback IP to the IP of the DNS(s) of your choice.

interface eth0
    static ip_address=192.168.0.155/24
    static routers=192.168.0.1
    static domain_name_servers=127.0.0.1

This points to a problem with the unbound install on that Pi. Pi-hole is insensitive to the inner workings of unbound - it just receives a reply from unbound. If the reply is SERVFAIL, that's an indicator that unbound was unable to resolve.

Have you checked that the date/time on that Pi is correct? Any errors when you run unbound-checkconf?
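One way to tell the two causes of a SERVFAIL from unbound apart, as an added example that is not part of the original thread: query unbound directly (on the 127.0.0.1#5335 listener the thread uses) once normally and once with the CD (checking disabled) bit. unbound answers a +cd query with the data it fetched even when validation marked it bogus, so "SERVFAIL without +cd, NOERROR with +cd" means validation failed (wrong clock, stale trust anchor), while "SERVFAIL both ways" means unbound never got a usable answer from the authoritative servers. The classifier below parses dig's header lines; the sample outputs are constructed here (not captured from either Pi-hole), and the `main` block runs the real dig commands only when invoked as a script.

```python
import re
import subprocess
import sys

# Constructed sample dig outputs, trimmed to the header lines the classifier reads.
SAMPLE_SERVFAIL = """
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 1234
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
"""
SAMPLE_NOERROR_AD = """
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1235
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; ANSWER SECTION:
mail.protonmail.com.    1200    IN      A       185.70.41.130
"""
SAMPLE_NOERROR_CD = """
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1236
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; ANSWER SECTION:
mail.protonmail.com.    1200    IN      A       185.70.41.130
"""

STATUS_RE = re.compile(r"status: (\w+)")
FLAGS_RE = re.compile(r"^;; flags: ([^;]*);", re.M)


def parse_dig(text):
    """Return (rcode, set_of_flags) from dig's header; (None, set()) when no answer came back."""
    m = STATUS_RE.search(text)
    if not m:
        return None, set()
    f = FLAGS_RE.search(text)
    flags = set(f.group(1).split()) if f else set()
    return m.group(1), flags


def classify(plain_out, cd_out):
    """Classify the resolver's behaviour from a normal query and a +cd query for the same name."""
    rc_plain, flags_plain = parse_dig(plain_out)
    rc_cd, _ = parse_dig(cd_out)
    if rc_plain is None:
        return "no-response"  # nothing listening, or the query timed out
    if rc_plain == "NOERROR":
        # 'ad' set means unbound validated the answer; absent means unsigned zone or no validation
        return "validated" if "ad" in flags_plain else "resolved-unvalidated"
    if rc_plain == "SERVFAIL" and rc_cd == "NOERROR":
        return "dnssec-validation-failure"  # first things to check: system clock, root trust anchor
    if rc_plain == "SERVFAIL":
        return "resolution-failure"  # upstream servers unreachable, lame delegation, etc.
    return rc_plain.lower()


def run_dig(name, server="127.0.0.1", port=5335, extra=()):
    """Run dig against the unbound listener (assumed at 127.0.0.1#5335 as in the thread)."""
    cmd = ["dig", "@" + server, "-p", str(port), name, "A", *extra]
    return subprocess.run(cmd, capture_output=True, text=True, timeout=15).stdout


if __name__ == "__main__":
    name = sys.argv[1] if len(sys.argv) > 1 else "mail.protonmail.com"
    print(name, "->", classify(run_dig(name), run_dig(name, extra=("+cd",))))
```

Run it on the failing Pi as `python3 servfail_check.py mail.protonmail.com`; if it prints dnssec-validation-failure, fix the clock (or refresh the root anchor) before touching anything else, since Pi-hole's own DNSSEC switch has no bearing on unbound's validator.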

This sounds a bit similar to the thread below:

You could try diagnosing similarly for that mail.protonmail.com domain.
Enable unbound remote control first:

With this, you can see what DNS servers unbound is going to ask for the mail.protonmail.com domain:

pi@ph5b:~ $ sudo unbound-control lookup mail.protonmail.com.
The following name servers are used for lookup of mail.protonmail.com.
;rrset 598 13 0 2 0
com.    598     IN      NS      l.gtld-servers.net.
com.    598     IN      NS      b.gtld-servers.net.
com.    598     IN      NS      c.gtld-servers.net.
com.    598     IN      NS      d.gtld-servers.net.
com.    598     IN      NS      e.gtld-servers.net.
com.    598     IN      NS      f.gtld-servers.net.
com.    598     IN      NS      g.gtld-servers.net.
com.    598     IN      NS      a.gtld-servers.net.
com.    598     IN      NS      h.gtld-servers.net.
com.    598     IN      NS      i.gtld-servers.net.
com.    598     IN      NS      j.gtld-servers.net.
com.    598     IN      NS      k.gtld-servers.net.
com.    598     IN      NS      m.gtld-servers.net.
;rrset 598 1 1 11 5
com.    598     IN      DS      30909 8 2 E2D3C916F6DEEAC73294E8268FB5885044A833FC5459588F4A9184CFC41A5766
com.    598     IN      RRSIG   DS 8 1 86400 20210527170000 20210514160000 14631 . S0HbAhlHla5719KHvyczUV6jXtOCoIVHIlFUUDB1i/5PYxskNSLSziOwulDBL7AOnpZwlHCLjcBEdPPMaJSYjnpLTr5YBbq+uWKLLJTwOgBCobqa2ucUNI7RLNfO4AnBMlfFh3gVcHzLBaYpM+eJZ6masjzc6vX/dw3CXb3yzLI7KQOO8QwH814I2sE4+WUluBFwr+5utGdfe2qpqgdXSBzrXND4p1INdcN+wBhDs1zskaTC1IuCn6A8dXwr45sPfK13SMx1CJfFsMzB3WbSv4JJoW1ZqyMcsvecuz0g0LC/g6Rv6HPgr/sfxCodsJi8tiwCUFNUnkbIAgURTfw2iw== ;{id = 14631}
;rrset 598 1 0 1 0
m.gtld-servers.net.     598     IN      A       192.55.83.30
;rrset 598 1 0 1 0
m.gtld-servers.net.     598     IN      AAAA    2001:501:b1f9::30
;rrset 598 1 0 1 0
k.gtld-servers.net.     598     IN      A       192.52.178.30
;rrset 598 1 0 1 0
k.gtld-servers.net.     598     IN      AAAA    2001:503:d2d::30
;rrset 598 1 0 1 0
j.gtld-servers.net.     598     IN      A       192.48.79.30
;rrset 598 1 0 1 0
j.gtld-servers.net.     598     IN      AAAA    2001:502:7094::30
;rrset 598 1 0 1 0
i.gtld-servers.net.     598     IN      A       192.43.172.30
;rrset 598 1 0 1 0
i.gtld-servers.net.     598     IN      AAAA    2001:503:39c1::30
;rrset 598 1 0 1 0
h.gtld-servers.net.     598     IN      A       192.54.112.30
;rrset 598 1 0 1 0
h.gtld-servers.net.     598     IN      AAAA    2001:502:8cc::30
;rrset 598 1 0 1 0
a.gtld-servers.net.     598     IN      A       192.5.6.30
;rrset 598 1 0 1 0
a.gtld-servers.net.     598     IN      AAAA    2001:503:a83e::2:30
;rrset 598 1 0 1 0
g.gtld-servers.net.     598     IN      A       192.42.93.30
;rrset 598 1 0 1 0
g.gtld-servers.net.     598     IN      AAAA    2001:503:eea3::30
;rrset 598 1 0 1 0
f.gtld-servers.net.     598     IN      A       192.35.51.30
;rrset 598 1 0 1 0
f.gtld-servers.net.     598     IN      AAAA    2001:503:d414::30
;rrset 598 1 0 1 0
e.gtld-servers.net.     598     IN      A       192.12.94.30
;rrset 598 1 0 1 0
e.gtld-servers.net.     598     IN      AAAA    2001:502:1ca1::30
;rrset 598 1 0 1 0
d.gtld-servers.net.     598     IN      A       192.31.80.30
;rrset 598 1 0 1 0
d.gtld-servers.net.     598     IN      AAAA    2001:500:856e::30
;rrset 598 1 0 1 0
c.gtld-servers.net.     598     IN      A       192.26.92.30
;rrset 598 1 0 1 0
c.gtld-servers.net.     598     IN      AAAA    2001:503:83eb::30
;rrset 598 1 0 1 0
b.gtld-servers.net.     598     IN      A       192.33.14.30
;rrset 598 1 0 1 0
b.gtld-servers.net.     598     IN      AAAA    2001:503:231d::2:30
;rrset 598 1 0 1 0
l.gtld-servers.net.     598     IN      A       192.41.162.30
;rrset 598 1 0 1 0
l.gtld-servers.net.     598     IN      AAAA    2001:500:d937::30
Delegation with 13 names, of which 0 can be examined to query further addresses.
It provides 26 IP addresses.
2001:500:d937::30       not in infra cache.
192.41.162.30           expired, rto 187184 msec, tA 0 tAAAA 0 tother 0.
2001:503:231d::2:30     not in infra cache.
192.33.14.30            expired, rto 187184 msec, tA 0 tAAAA 0 tother 0.
2001:503:83eb::30       not in infra cache.
192.26.92.30            expired, rto 187184 msec, tA 0 tAAAA 0 tother 0.
2001:500:856e::30       not in infra cache.
192.31.80.30            expired, rto 187184 msec, tA 0 tAAAA 0 tother 0.
2001:502:1ca1::30       not in infra cache.
192.12.94.30            expired, rto 187184 msec, tA 0 tAAAA 0 tother 0.
2001:503:d414::30       not in infra cache.
192.35.51.30            expired, rto 187184 msec, tA 0 tAAAA 0 tother 0.
2001:503:eea3::30       not in infra cache.
192.42.93.30            rto 415 msec, ttl 324, ping 15 var 100 rtt 415, tA 0, tAAAA 0, tother 0, EDNS 0 probed.
2001:503:a83e::2:30     not in infra cache.
192.5.6.30              rto 311 msec, ttl 324, ping 3 var 77 rtt 311, tA 0, tAAAA 0, tother 0, EDNS 0 probed.
2001:502:8cc::30        not in infra cache.
192.54.112.30           rto 419 msec, ttl 324, ping 15 var 101 rtt 419, tA 0, tAAAA 0, tother 0, EDNS 0 probed.
2001:503:39c1::30       not in infra cache.
192.43.172.30           not in infra cache.
2001:502:7094::30       not in infra cache.
192.48.79.30            not in infra cache.
2001:503:d2d::30        not in infra cache.
192.52.178.30           not in infra cache.
2001:501:b1f9::30       not in infra cache.
192.55.83.30            not in infra cache.

Ask one of those IPs who is authoritative for the protonmail.com domain:

pi@ph5b:~ $ dig +norecurse @192.55.83.30 ns protonmail.com.

; <<>> DiG 9.11.5-P4-5.1+deb10u5-Raspbian <<>> +norecurse @192.55.83.30 ns protonmail.com.
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39531
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 3, ADDITIONAL: 4

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;protonmail.com.                        IN      NS

;; AUTHORITY SECTION:
protonmail.com.         172800  IN      NS      ns1.protonmail.com.
protonmail.com.         172800  IN      NS      ns2.protonmail.com.
protonmail.com.         172800  IN      NS      ns3.protonmail.com.

;; ADDITIONAL SECTION:
ns1.protonmail.com.     172800  IN      A       185.70.40.19
ns2.protonmail.com.     172800  IN      A       185.70.41.19
ns3.protonmail.com.     172800  IN      A       3.127.12.149

;; Query time: 19 msec
;; SERVER: 192.55.83.30#53(192.55.83.30)
;; WHEN: Sat May 15 21:23:35 CEST 2021
;; MSG SIZE  rcvd: 145

And ask one of them for the A record for mail.protonmail.com:

pi@ph5b:~ $ dig +norecurse @185.70.40.19 a mail.protonmail.com.

; <<>> DiG 9.11.5-P4-5.1+deb10u5-Raspbian <<>> +norecurse @185.70.40.19 a mail.protonmail.com.
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56500
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 4

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: c4b02d65ee2c9081683a9d9160a020040f4099610ddcc3c5 (good)
;; QUESTION SECTION:
;mail.protonmail.com.           IN      A

;; ANSWER SECTION:
mail.protonmail.com.    1200    IN      A       185.70.41.130

;; AUTHORITY SECTION:
protonmail.com.         1200    IN      NS      ns2.protonmail.com.
protonmail.com.         1200    IN      NS      ns3.protonmail.com.
protonmail.com.         1200    IN      NS      ns1.protonmail.com.

;; ADDITIONAL SECTION:
ns1.protonmail.com.     1200    IN      A       185.70.40.19
ns2.protonmail.com.     1200    IN      A       185.70.41.19
ns3.protonmail.com.     1200    IN      A       3.127.12.149

;; Query time: 32 msec
;; SERVER: 185.70.40.19#53(185.70.40.19)
;; WHEN: Sat May 15 21:24:52 CEST 2021
;; MSG SIZE  rcvd: 194

Could you post output for those to see if anything differs?
And are the resolv.conf files the same now on both nodes and what is content?

cat /etc/resolv.conf

EDIT: changed the unbound-control lookup a bit to include the full domain instead of only the .com domain.
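The infra-cache lines at the bottom of the `unbound-control lookup` output above are the part worth reading when a resolver returns SERVFAIL: each address is either "not in infra cache" (unbound has never talked to it), "expired" (a past entry that kept its last RTO), or live with a measured RTT, and the RTO grows every time unbound times out against a server. The following is an added example, not part of the original post, that parses that output and summarizes reachability per address family; the sample is a constructed excerpt in the shape of the output posted above, and the 10000 ms back-off threshold is an assumption chosen for illustration.

```python
import ipaddress
import re
import subprocess
import sys

# Constructed excerpt modelled on the `unbound-control lookup` output above
# (a subset of its infra-cache lines, not a fresh capture).
SAMPLE = """\
Delegation with 13 names, of which 0 can be examined to query further addresses.
It provides 26 IP addresses.
2001:500:d937::30       not in infra cache.
192.41.162.30           expired, rto 187184 msec, tA 0 tAAAA 0 tother 0.
2001:503:231d::2:30     not in infra cache.
192.33.14.30            expired, rto 187184 msec, tA 0 tAAAA 0 tother 0.
2001:503:eea3::30       not in infra cache.
192.42.93.30            rto 415 msec, ttl 324, ping 15 var 100 rtt 415, tA 0, tAAAA 0, tother 0, EDNS 0 probed.
192.5.6.30              rto 311 msec, ttl 324, ping 3 var 77 rtt 311, tA 0, tAAAA 0, tother 0, EDNS 0 probed.
192.43.172.30           not in infra cache.
"""

RTO_RE = re.compile(r"rto (\d+) msec")
BACKOFF_MS = 10000  # assumed threshold: an RTO this large means repeated timeouts against that server


def parse_infra(text):
    """Yield (address, state, rto_ms) per infra-cache line; state is unknown, expired or live."""
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        addr, rest = parts
        try:
            ipaddress.ip_address(addr)
        except ValueError:
            continue  # summary lines such as "Delegation with 13 names" start with a word, not an IP
        m = RTO_RE.search(rest)
        rto = int(m.group(1)) if m else None
        if rest.startswith("not in infra cache"):
            state = "unknown"
        elif rest.startswith("expired"):
            state = "expired"
        else:
            state = "live"
        yield addr, state, rto


def analyze(text):
    """Count servers per state and address family, and list those unbound has backed off from."""
    summary = {"v4": {"unknown": 0, "expired": 0, "live": 0},
               "v6": {"unknown": 0, "expired": 0, "live": 0},
               "backed_off": []}
    for addr, state, rto in parse_infra(text):
        fam = "v6" if ipaddress.ip_address(addr).version == 6 else "v4"
        summary[fam][state] += 1
        if rto is not None and rto >= BACKOFF_MS:
            summary["backed_off"].append(addr)
    return summary


def verdict(summary):
    """Reduce the counts to the question in the thread: is unbound getting answers from this delegation?"""
    v4, v6 = summary["v4"], summary["v6"]
    if v4["live"] == 0 and v6["live"] == 0:
        return "no server with a live RTT: unbound is not getting answers from this delegation"
    if summary["backed_off"]:
        return "some servers backed off after timeouts: " + ", ".join(summary["backed_off"])
    return "delegation reachable"


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Live run on a host with unbound remote control enabled (the thread runs it under sudo).
        text = subprocess.run(["unbound-control", "lookup", sys.argv[1]],
                              capture_output=True, text=True, check=True).stdout
    else:
        text = SAMPLE
    s = analyze(text)
    print(s)
    print(verdict(s))
```

Comparing the summaries from the working and the failing Pi-hole is the quick check: if the failing one shows every address as "not in infra cache" or backed off, the problem is between unbound and the internet (firewall, routing, a broken IPv6 path it prefers), not Pi-hole or DNSSEC.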
