Hello! Long-time user of pi-hole here, but just getting around to setting up unbound. I’m following the instructions here: unbound - Pi-hole documentation
Everything seemed pretty straightforward. I got down to the “Test validation” section to make sure unbound was working properly with pi-hole, and I was getting intermittent timeouts when trying to test the SERVFAIL scenario. Specifically, here’s what I would get in my Raspberry Pi’s terminal:
user@localpi:/etc/unbound/unbound.conf.d $ dig fail01.dnssec.works @127.0.0.1 -p 5335
;; communications error to 127.0.0.1#5335: timed out
;; communications error to 127.0.0.1#5335: timed out
;; communications error to 127.0.0.1#5335: timed out
Sometimes it times out completely even after retries like the output above, sometimes it would timeout once and then get the correct SERVFAIL response status, and sometimes it would work immediately without any problems for a few minutes. I’m seeing maybe 5-10% of my tests to that domain time out?
I was scratching my head because I’ve got a pretty vanilla setup of pi-hole and only a few custom things on my Raspberry Pi, but with timeouts so frequent I was loathe to actually activate unbound lest it slow DNS resolves on my home network. It wasn’t a firewall issue because it was intermittent, and I double-checked that the unbound-resolvconf service was not running, as per the documentation at the link above. It wasn’t a load issue either, because I had not even set my pi-hole setup to use unbound, so my test commands in the terminal were literally the only queries to unbound. I did have a CPU monitor running while doing the tests and there was no high load when I would get the intermittent timeouts. I started searching and found a few other topics here, like this and this. Finally I stumbled upon this thread where @chrislph states:
That said, I also have intermittent results from that server (example from March). It will often time out the first time and then work (as in SERVFAIL as expected) the second time. I set up Pi-hole and Unhound for a couple of friends and saw the same behaviour on their setups too.
Gahhhhh, I thought I was doing something wrong. If the fail01.dnssec.works domain is going to be used in the official documentation, wouldn’t it be prudent to put a warning that sometimes you’ll get intermittent timeouts like this? (I’ve been checking google.com in the same test command, and am seeing absolutely zero timeouts, so it does seem like this particular domain has connectivity problems.)
I’m happy to submit a PR to update the documentation if that’s the best path, but I thought I’d check here first and confirm that this domain does indeed produce intermittent timeouts for others besides me and chrislph. And are there any style guides to this kind of warning that I can refer to when making the PR? Or does anyone know a different domain that more reliably produces SERVFAIL errors consistently, rather than fairly regularly producing timeouts?