(Some) domains returning "SERVFAIL" but no DNSSEC enabled

deHakkelaar · May 15, 2021, 7:41pm

This sounds a bit similar as below thread:

You could try diagnose similar for that mail.protonmail.com domain.
Enable unbound remote control first:

With this, you can see what DNS servers unbound is going to ask for the mail.protonmail.com domain:

pi@ph5b:~ $ sudo unbound-control lookup mail.protonmail.com.
The following name servers are used for lookup of mail.protonmail.com.
;rrset 598 13 0 2 0
com.    598     IN      NS      l.gtld-servers.net.
com.    598     IN      NS      b.gtld-servers.net.
com.    598     IN      NS      c.gtld-servers.net.
com.    598     IN      NS      d.gtld-servers.net.
com.    598     IN      NS      e.gtld-servers.net.
com.    598     IN      NS      f.gtld-servers.net.
com.    598     IN      NS      g.gtld-servers.net.
com.    598     IN      NS      a.gtld-servers.net.
com.    598     IN      NS      h.gtld-servers.net.
com.    598     IN      NS      i.gtld-servers.net.
com.    598     IN      NS      j.gtld-servers.net.
com.    598     IN      NS      k.gtld-servers.net.
com.    598     IN      NS      m.gtld-servers.net.
;rrset 598 1 1 11 5
com.    598     IN      DS      30909 8 2 E2D3C916F6DEEAC73294E8268FB5885044A833FC5459588F4A9184CFC41A5766
com.    598     IN      RRSIG   DS 8 1 86400 20210527170000 20210514160000 14631 . S0HbAhlHla5719KHvyczUV6jXtOCoIVHIlFUUDB1i/5PYxskNSLSziOwulDBL7AOnpZwlHCLjcBEdPPMaJSYjnpLTr5YBbq+uWKLLJTwOgBCobqa2ucUNI7RLNfO4AnBMlfFh3gVcHzLBaYpM+eJZ6masjzc6vX/dw3CXb3yzLI7KQOO8QwH814I2sE4+WUluBFwr+5utGdfe2qpqgdXSBzrXND4p1INdcN+wBhDs1zskaTC1IuCn6A8dXwr45sPfK13SMx1CJfFsMzB3WbSv4JJoW1ZqyMcsvecuz0g0LC/g6Rv6HPgr/sfxCodsJi8tiwCUFNUnkbIAgURTfw2iw== ;{id = 14631}
;rrset 598 1 0 1 0
m.gtld-servers.net.     598     IN      A       192.55.83.30
;rrset 598 1 0 1 0
m.gtld-servers.net.     598     IN      AAAA    2001:501:b1f9::30
;rrset 598 1 0 1 0
k.gtld-servers.net.     598     IN      A       192.52.178.30
;rrset 598 1 0 1 0
k.gtld-servers.net.     598     IN      AAAA    2001:503:d2d::30
;rrset 598 1 0 1 0
j.gtld-servers.net.     598     IN      A       192.48.79.30
;rrset 598 1 0 1 0
j.gtld-servers.net.     598     IN      AAAA    2001:502:7094::30
;rrset 598 1 0 1 0
i.gtld-servers.net.     598     IN      A       192.43.172.30
;rrset 598 1 0 1 0
i.gtld-servers.net.     598     IN      AAAA    2001:503:39c1::30
;rrset 598 1 0 1 0
h.gtld-servers.net.     598     IN      A       192.54.112.30
;rrset 598 1 0 1 0
h.gtld-servers.net.     598     IN      AAAA    2001:502:8cc::30
;rrset 598 1 0 1 0
a.gtld-servers.net.     598     IN      A       192.5.6.30
;rrset 598 1 0 1 0
a.gtld-servers.net.     598     IN      AAAA    2001:503:a83e::2:30
;rrset 598 1 0 1 0
g.gtld-servers.net.     598     IN      A       192.42.93.30
;rrset 598 1 0 1 0
g.gtld-servers.net.     598     IN      AAAA    2001:503:eea3::30
;rrset 598 1 0 1 0
f.gtld-servers.net.     598     IN      A       192.35.51.30
;rrset 598 1 0 1 0
f.gtld-servers.net.     598     IN      AAAA    2001:503:d414::30
;rrset 598 1 0 1 0
e.gtld-servers.net.     598     IN      A       192.12.94.30
;rrset 598 1 0 1 0
e.gtld-servers.net.     598     IN      AAAA    2001:502:1ca1::30
;rrset 598 1 0 1 0
d.gtld-servers.net.     598     IN      A       192.31.80.30
;rrset 598 1 0 1 0
d.gtld-servers.net.     598     IN      AAAA    2001:500:856e::30
;rrset 598 1 0 1 0
c.gtld-servers.net.     598     IN      A       192.26.92.30
;rrset 598 1 0 1 0
c.gtld-servers.net.     598     IN      AAAA    2001:503:83eb::30
;rrset 598 1 0 1 0
b.gtld-servers.net.     598     IN      A       192.33.14.30
;rrset 598 1 0 1 0
b.gtld-servers.net.     598     IN      AAAA    2001:503:231d::2:30
;rrset 598 1 0 1 0
l.gtld-servers.net.     598     IN      A       192.41.162.30
;rrset 598 1 0 1 0
l.gtld-servers.net.     598     IN      AAAA    2001:500:d937::30
Delegation with 13 names, of which 0 can be examined to query further addresses.
It provides 26 IP addresses.
2001:500:d937::30       not in infra cache.
192.41.162.30           expired, rto 187184 msec, tA 0 tAAAA 0 tother 0.
2001:503:231d::2:30     not in infra cache.
192.33.14.30            expired, rto 187184 msec, tA 0 tAAAA 0 tother 0.
2001:503:83eb::30       not in infra cache.
192.26.92.30            expired, rto 187184 msec, tA 0 tAAAA 0 tother 0.
2001:500:856e::30       not in infra cache.
192.31.80.30            expired, rto 187184 msec, tA 0 tAAAA 0 tother 0.
2001:502:1ca1::30       not in infra cache.
192.12.94.30            expired, rto 187184 msec, tA 0 tAAAA 0 tother 0.
2001:503:d414::30       not in infra cache.
192.35.51.30            expired, rto 187184 msec, tA 0 tAAAA 0 tother 0.
2001:503:eea3::30       not in infra cache.
192.42.93.30            rto 415 msec, ttl 324, ping 15 var 100 rtt 415, tA 0, tAAAA 0, tother 0, EDNS 0 probed.
2001:503:a83e::2:30     not in infra cache.
192.5.6.30              rto 311 msec, ttl 324, ping 3 var 77 rtt 311, tA 0, tAAAA 0, tother 0, EDNS 0 probed.
2001:502:8cc::30        not in infra cache.
192.54.112.30           rto 419 msec, ttl 324, ping 15 var 101 rtt 419, tA 0, tAAAA 0, tother 0, EDNS 0 probed.
2001:503:39c1::30       not in infra cache.
192.43.172.30           not in infra cache.
2001:502:7094::30       not in infra cache.
192.48.79.30            not in infra cache.
2001:503:d2d::30        not in infra cache.
192.52.178.30           not in infra cache.
2001:501:b1f9::30       not in infra cache.
192.55.83.30            not in infra cache.

Ask one of those IP's who is authoritative for the protonmail.com domain:

pi@ph5b:~ $ dig +norecurse @192.55.83.30 ns protonmail.com.

; <<>> DiG 9.11.5-P4-5.1+deb10u5-Raspbian <<>> +norecurse @192.55.83.30 ns protonmail.com.
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39531
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 3, ADDITIONAL: 4

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;protonmail.com.                        IN      NS

;; AUTHORITY SECTION:
protonmail.com.         172800  IN      NS      ns1.protonmail.com.
protonmail.com.         172800  IN      NS      ns2.protonmail.com.
protonmail.com.         172800  IN      NS      ns3.protonmail.com.

;; ADDITIONAL SECTION:
ns1.protonmail.com.     172800  IN      A       185.70.40.19
ns2.protonmail.com.     172800  IN      A       185.70.41.19
ns3.protonmail.com.     172800  IN      A       3.127.12.149

;; Query time: 19 msec
;; SERVER: 192.55.83.30#53(192.55.83.30)
;; WHEN: Sat May 15 21:23:35 CEST 2021
;; MSG SIZE  rcvd: 145

And ask one of them for the A record for mail.protonmail.com:

pi@ph5b:~ $ dig +norecurse @185.70.40.19 a mail.protonmail.com.

; <<>> DiG 9.11.5-P4-5.1+deb10u5-Raspbian <<>> +norecurse @185.70.40.19 a mail.protonmail.com.
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56500
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 4

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: c4b02d65ee2c9081683a9d9160a020040f4099610ddcc3c5 (good)
;; QUESTION SECTION:
;mail.protonmail.com.           IN      A

;; ANSWER SECTION:
mail.protonmail.com.    1200    IN      A       185.70.41.130

;; AUTHORITY SECTION:
protonmail.com.         1200    IN      NS      ns2.protonmail.com.
protonmail.com.         1200    IN      NS      ns3.protonmail.com.
protonmail.com.         1200    IN      NS      ns1.protonmail.com.

;; ADDITIONAL SECTION:
ns1.protonmail.com.     1200    IN      A       185.70.40.19
ns2.protonmail.com.     1200    IN      A       185.70.41.19
ns3.protonmail.com.     1200    IN      A       3.127.12.149

;; Query time: 32 msec
;; SERVER: 185.70.40.19#53(185.70.40.19)
;; WHEN: Sat May 15 21:24:52 CEST 2021
;; MSG SIZE  rcvd: 194

Could you post output for those to see if anything differs?
And are the resolv.conf files the same now on both nodes and what is content?

cat /etc/resolv.conf

EDIT: changed the unbound-control lookup a bit to include the full domain instead of only the .com domain.