Unbound not resolving domains reliably

I have installed pihole on an Alpine Linux LXC Container using this script:

For the most part everything went smoothly and I noticed it configured unbound as the upstream server. After reading about it, I think I understand why it is preferred over a public upstream server.

Expected Behaviour:

Domains resolve reliably, as when using a public DNS.

- OS: Alpine Linux 3.19 LXC container running on Proxmox
- AMD64-based PC
- unbound 1.19.3

Pi Hole versions:

Actual Behaviour:

Some domains sometimes do not resolve.
For example: discuss.linuxcontainers.org resolved on March 22 and March 24th, but not on March 23rd.

Debug Token: 3EUzeCTY

https://tricorder.pi-hole.net/3EUzeCTY/

My troubleshooting from yesterday:

using dig:

# dig discuss.linuxcontainers.org @127.0.0.1 -p5335
;; communications error to 127.0.0.1#5335: timed out
;; communications error to 127.0.0.1#5335: timed out

dig with trace

# dig discuss.linuxcontainers.org @127.0.0.1 -p 5335  +trace

; <<>> DiG 9.18.24 <<>> discuss.linuxcontainers.org @127.0.0.1 -p 5335 +trace
;; global options: +cmd
.                       85797   IN      NS      a.root-servers.net.
.                       85797   IN      NS      d.root-servers.net.
.                       85797   IN      NS      h.root-servers.net.
.                       85797   IN      NS      f.root-servers.net.
.                       85797   IN      NS      e.root-servers.net.
.                       85797   IN      NS      j.root-servers.net.
.                       85797   IN      NS      l.root-servers.net.
.                       85797   IN      NS      i.root-servers.net.
.                       85797   IN      NS      g.root-servers.net.
.                       85797   IN      NS      b.root-servers.net.
.                       85797   IN      NS      m.root-servers.net.
.                       85797   IN      NS      c.root-servers.net.
.                       85797   IN      NS      k.root-servers.net.
.                       85797   IN      RRSIG   NS 8 0 518400 20240406050000 20240324040000 30903 . PXAHAtT68xN58D0gPzHiNY3YNnsOpb0tdxI/vwa+/kRlPtxLJoCyMLRO LrVP7Vcb7k6xYPTNKyJHkWDXRJ+pVB/ZUZ7rNg2Nvd5gH8Jtk1MJKRwa rs5lPOtwl560LbitE1HHuQLOJ5d2qbQy+hogq25+ADYhkvyLulCkpegg 54VpVrxPE6a3T0bmyI0pXEdKGqH1PvUnj007KRGK/y8I0EG00Rge5c9q XSybnk1lFqtZ9/md9DpgKMcbkdKOKiflQMuWGCuCqmb0MtdUOon40Bkw Ozigge1QNTxrLU9EAhAnE8TwGubWjPL6+6m1vys0OZ7hS7tlUcn6Cng7 rEQlWQ==
;; Received 1097 bytes from 127.0.0.1#5335(127.0.0.1) in 0 ms

;; UDP setup with 2001:500:1::53#5335(2001:500:1::53) for discuss.linuxcontainers.org failed: network unreachable.
;; no servers could be reached

;; UDP setup with 2001:500:1::53#5335(2001:500:1::53) for discuss.linuxcontainers.org failed: network unreachable.
;; no servers could be reached

;; UDP setup with 2001:500:1::53#5335(2001:500:1::53) for discuss.linuxcontainers.org failed: network unreachable.
;; UDP setup with 2001:7fd::1#5335(2001:7fd::1) for discuss.linuxcontainers.org failed: network unreachable.
;; UDP setup with 2001:500:2d::d#5335(2001:500:2d::d) for discuss.linuxcontainers.org failed: network unreachable.
;; communications error to 192.112.36.4#5335: timed out
;; communications error to 193.0.14.129#5335: timed out
;; communications error to 192.5.5.241#5335: timed out
;; communications error to 202.12.27.33#5335: timed out
;; UDP setup with 2001:500:a8::e#5335(2001:500:a8::e) for discuss.linuxcontainers.org failed: network unreachable.
;; communications error to 192.58.128.30#5335: timed out
;; UDP setup with 2001:500:2f::f#5335(2001:500:2f::f) for discuss.linuxcontainers.org failed: network unreachable.
;; communications error to 192.33.4.12#5335: connection refused
;; communications error to 199.7.83.42#5335: timed out
;; communications error to 198.41.0.4#5335: timed out
;; UDP setup with 2001:500:12::d0d#5335(2001:500:12::d0d) for discuss.linuxcontainers.org failed: network unreachable.
;; communications error to 198.97.190.53#5335: host unreachable
;; UDP setup with 2001:7fe::53#5335(2001:7fe::53) for discuss.linuxcontainers.org failed: network unreachable.
;; communications error to 192.203.230.10#5335: host unreachable
;; UDP setup with 2001:dc3::35#5335(2001:dc3::35) for discuss.linuxcontainers.org failed: network unreachable.
;; UDP setup with 2001:500:9f::42#5335(2001:500:9f::42) for discuss.linuxcontainers.org failed: network unreachable.
;; UDP setup with 2001:503:ba3e::2:30#5335(2001:503:ba3e::2:30) for discuss.linuxcontainers.org failed: network unreachable.
;; UDP setup with 2001:500:2::c#5335(2001:500:2::c) for discuss.linuxcontainers.org failed: network unreachable.
;; UDP setup with 2801:1b8:10::b#5335(2801:1b8:10::b) for discuss.linuxcontainers.org failed: network unreachable.
;; communications error to 170.247.170.2#5335: timed out
;; UDP setup with 2001:503:c27::2:30#5335(2001:503:c27::2:30) for discuss.linuxcontainers.org failed: network unreachable.
;; communications error to 192.36.148.17#5335: connection refused
;; communications error to 199.7.91.13#5335: timed out
;; no servers could be reached

/etc/unbound/unbound.conf (without comments)

server:

    verbosity: 0

    interface: 127.0.0.1
    port: 5335
    do-ip4: yes
    do-udp: yes
    do-tcp: yes
    do-ip6: no
    prefer-ip6: no
    root-hints: "/etc/unbound/root.hints"
    harden-glue: yes
    harden-dnssec-stripped: yes
    use-caps-for-id: no
    edns-buffer-size: 1232
    prefetch: yes
    num-threads: 1
    so-rcvbuf: 1m

    private-address: 192.168.0.0/16
    private-address: 169.254.0.0/16
    private-address: 172.16.0.0/12
    private-address: 10.0.0.0/8
    private-address: fd00::/8
    private-address: fe80::/10

/etc/unbound/root.hints (without comments)

.                        3600000      NS    A.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET.      3600000      A     198.41.0.4
A.ROOT-SERVERS.NET.      3600000      AAAA  2001:503:ba3e::2:30

.                        3600000      NS    B.ROOT-SERVERS.NET.
B.ROOT-SERVERS.NET.      3600000      A     170.247.170.2
B.ROOT-SERVERS.NET.      3600000      AAAA  2801:1b8:10::b

.                        3600000      NS    C.ROOT-SERVERS.NET.
C.ROOT-SERVERS.NET.      3600000      A     192.33.4.12
C.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:2::c

.                        3600000      NS    D.ROOT-SERVERS.NET.
D.ROOT-SERVERS.NET.      3600000      A     199.7.91.13
D.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:2d::d

.                        3600000      NS    E.ROOT-SERVERS.NET.
E.ROOT-SERVERS.NET.      3600000      A     192.203.230.10
E.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:a8::e

.                        3600000      NS    F.ROOT-SERVERS.NET.
F.ROOT-SERVERS.NET.      3600000      A     192.5.5.241
F.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:2f::f

.                        3600000      NS    G.ROOT-SERVERS.NET.
G.ROOT-SERVERS.NET.      3600000      A     192.112.36.4
G.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:12::d0d

.                        3600000      NS    H.ROOT-SERVERS.NET.
H.ROOT-SERVERS.NET.      3600000      A     198.97.190.53
H.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:1::53

.                        3600000      NS    I.ROOT-SERVERS.NET.
I.ROOT-SERVERS.NET.      3600000      A     192.36.148.17
I.ROOT-SERVERS.NET.      3600000      AAAA  2001:7fe::53

.                        3600000      NS    J.ROOT-SERVERS.NET.
J.ROOT-SERVERS.NET.      3600000      A     192.58.128.30
J.ROOT-SERVERS.NET.      3600000      AAAA  2001:503:c27::2:30

.                        3600000      NS    K.ROOT-SERVERS.NET.
K.ROOT-SERVERS.NET.      3600000      A     193.0.14.129
K.ROOT-SERVERS.NET.      3600000      AAAA  2001:7fd::1

.                        3600000      NS    L.ROOT-SERVERS.NET.
L.ROOT-SERVERS.NET.      3600000      A     199.7.83.42
L.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:9f::42

.                        3600000      NS    M.ROOT-SERVERS.NET.
M.ROOT-SERVERS.NET.      3600000      A     202.12.27.33
M.ROOT-SERVERS.NET.      3600000      AAAA  2001:dc3::35

Dig today: (works)

dig discuss.linuxcontainers.org @127.0.0.1 -p 5335

; <<>> DiG 9.18.24 <<>> discuss.linuxcontainers.org @127.0.0.1 -p 5335
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53683
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;discuss.linuxcontainers.org.   IN      A

;; ANSWER SECTION:
discuss.linuxcontainers.org. 900 IN     A       45.45.148.7

;; Query time: 115 msec
;; SERVER: 127.0.0.1#5335(127.0.0.1) (UDP)
;; WHEN: Sun Mar 24 22:30:11 EDT 2024
;; MSG SIZE  rcvd: 72

I read several other threads about issues with unbound, but in those cases it usually cannot resolve any domains (an obvious misconfiguration).
What could cause unbound to sometimes be unable to resolve some domains?

Can I configure unbound to resolve domains more reliably?
Can I configure a backup upstream server if it is unable to resolve a domain itself?
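One thing worth separating out in the `+trace` output above is what actually failed. Every IPv6 target failed with "network unreachable" (the container has no IPv6 route), and every IPv4 target was contacted on port 5335: `dig +trace` reuses the `-p` port for each hop it performs itself, so after the first answer from unbound those queries went straight to the root servers' port 5335 and say nothing about unbound. The script below is an added example (editor's code, not from the thread or from Pi-hole) that classifies those dig error lines by address family and failure reason; the sample lines are a subset copied from the trace above, and nothing in it touches the network.

```python
"""Classify the connectivity errors that dig prints during a +trace run.

Added example (not from the thread). The sample lines are copied from the
trace output in the post above; nothing here contacts the network."""
import ipaddress
import re
from collections import Counter

# Constructed sample: a representative subset of the failed contacts in the trace.
SAMPLE_TRACE = """\
;; UDP setup with 2001:500:1::53#5335(2001:500:1::53) for discuss.linuxcontainers.org failed: network unreachable.
;; no servers could be reached
;; communications error to 192.112.36.4#5335: timed out
;; communications error to 192.33.4.12#5335: connection refused
;; communications error to 198.97.190.53#5335: host unreachable
;; UDP setup with 2001:7fd::1#5335(2001:7fd::1) for discuss.linuxcontainers.org failed: network unreachable.
"""

# ";; communications error to 192.112.36.4#5335: timed out"
COMM_ERR = re.compile(
    r"^;; communications error to (?P<addr>\S+)#(?P<port>\d+): (?P<reason>.+?)\.?$")
# ";; UDP setup with 2001:7fd::1#5335(2001:7fd::1) for <name> failed: network unreachable."
UDP_SETUP = re.compile(
    r"^;; UDP setup with (?P<addr>\S+)#(?P<port>\d+)\(\S+\) for \S+ failed: (?P<reason>.+?)\.?$")


def parse_errors(text):
    """Return one (address, port, reason) tuple per server dig failed to reach."""
    errors = []
    for line in text.splitlines():
        m = COMM_ERR.match(line) or UDP_SETUP.match(line)
        if m:
            errors.append((m["addr"], int(m["port"]), m["reason"]))
    return errors


def summarize(errors):
    """Count failure reasons per address family and collect the ports that were used."""
    summary = {"IPv4": Counter(), "IPv6": Counter(), "ports": set()}
    for addr, port, reason in errors:
        family = "IPv6" if ipaddress.ip_address(addr).version == 6 else "IPv4"
        summary[family][reason] += 1
        summary["ports"].add(port)
    return summary


def diagnose(summary):
    """Turn the counts into plain-language findings."""
    findings = []
    v6 = summary["IPv6"]
    if v6 and set(v6) == {"network unreachable"}:
        findings.append(
            f"{sum(v6.values())} IPv6 servers failed with 'network unreachable': "
            "this host has no IPv6 route, so the AAAA glue cannot be used from here")
    ports = summary["ports"]
    if ports and ports != {53}:
        findings.append(
            f"all direct contacts used port {sorted(ports)}: dig +trace reuses -p for every "
            "hop, so these queries went to the authoritative servers, not to the local resolver")
    return findings


if __name__ == "__main__":
    for finding in diagnose(summarize(parse_errors(SAMPLE_TRACE))):
        print("-", finding)
```

Run it against a saved `dig +trace` output (`python3 trace_triage.py < trace.txt` after swapping `SAMPLE_TRACE` for `sys.stdin.read()`); if the only findings are the two above, the resolver itself has not been tested yet and a plain `dig @127.0.0.1 -p 5335` without `+trace` is the right next check.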

*** [ DIAGNOSING ]: Operating system
[✗] Distro:  Alpine
[✓] dig return code: 0
[i] dig response: "Raspbian=10,11,12 Ubuntu=20,22,23 Debian=10,11,12 Fedora=36,37,38 CentOS=8,9"
[✗] Error: Alpine is not a supported distro (https://docs.pi-hole.net/main/prerequisites/)

You are not running Pi-hole on a supported OS.

And, you are not running our core code:

*** [ DIAGNOSING ]: Core version
[✓] Version: 
[i] Remotes: origin	https://gitlab.com/yvelon/pi-hole.git (fetch)
             origin	https://gitlab.com/yvelon/pi-hole.git (push)
[i] Branch: master
[i] Commit: 77523d6

*** [ DIAGNOSING ]: Web version
[✓] Version: v5.21
[i] Remotes: origin	https://github.com/pi-hole/web.git (fetch)
             origin	https://github.com/pi-hole/web.git (push)
[i] Branch: master
[i] Commit: v5.21-0-gbe05b0f

*** [ DIAGNOSING ]: FTL version
[✓] Version: 5.25.1
[i] Branch: 
[i] Commit: 

https://gitlab.com/yvelon/pi-hole.git

You are using a different code in an unsupported OS.

You will probably receive better answers on that repository: Issues · yvelon / pi-hole · GitLab


Thanks for the replies.

I didn't realize the OS I'm running Pi Hole on could have such an impact, particularly since the issue is more with unbound than with Pi Hole.

I'll spin up a Debian container and test there, but it would be hard to detect this intermittent issue.

I guess there's nothing else particularly obviously wrong with my configuration.

I installed Pi Hole on a Debian LXC container using the official instructions, but at the step for the upstream server there wasn't an option to select unbound.

So I installed & configured unbound as per unbound - Pi-hole documentation

However at the DNSSEC validation testing I get:

root@pi2:~# dig fail01.dnssec.works @127.0.0.1 -p 5335
;; communications error to 127.0.0.1#5335: timed out
;; communications error to 127.0.0.1#5335: timed out
;; communications error to 127.0.0.1#5335: timed out

; <<>> DiG 9.18.24-1-Debian <<>> fail01.dnssec.works @127.0.0.1 -p 5335
;; global options: +cmd
;; no servers could be reached

instead of SERVFAIL. Is this a PASS?

Other than that all else seemed ok. Now will test it to see if I get any random failed resolutions.

There isn't one; you have to enter the information manually.

No, it's a time out to the DNS server at 127.0.0.1:5335.

Unbound runs at 127.0.0.1:5335.
How can I troubleshoot why unbound times out (instead of SERVFAIL) for this query?

dig fail01.dnssec.works @127.0.0.1 -p 5335

I set verbosity to 2 and this is the log:

Mar 26 15:51:21 unbound[17919:0] info: resolving fail01.dnssec.works. A IN
Mar 26 15:51:21 unbound[17919:0] info: response for fail01.dnssec.works. A IN
Mar 26 15:51:21 unbound[17919:0] info: reply from <.> 170.247.170.2#53
Mar 26 15:51:21 unbound[17919:0] info: query response was REFERRAL
Mar 26 15:51:21 unbound[17919:0] info: response for fail01.dnssec.works. A IN
Mar 26 15:51:21 unbound[17919:0] info: reply from <works.> 161.232.12.6#53
Mar 26 15:51:21 unbound[17919:0] info: query response was REFERRAL
Mar 26 15:51:21 unbound[17919:0] info: resolving ns3.myinfrastructure.org. A IN
Mar 26 15:51:21 unbound[17919:0] info: resolving ns5.myinfrastructure.org. A IN
Mar 26 15:51:21 unbound[17919:0] info: response for ns3.myinfrastructure.org. A IN
Mar 26 15:51:21 unbound[17919:0] info: reply from <.> 170.247.170.2#53
Mar 26 15:51:21 unbound[17919:0] info: query response was REFERRAL
Mar 26 15:51:21 unbound[17919:0] info: response for ns5.myinfrastructure.org. A IN
Mar 26 15:51:21 unbound[17919:0] info: reply from <.> 192.112.36.4#53
Mar 26 15:51:21 unbound[17919:0] info: query response was REFERRAL
Mar 26 15:51:21 unbound[17919:0] info: response for ns5.myinfrastructure.org. A IN
Mar 26 15:51:21 unbound[17919:0] info: reply from <org.> 199.19.54.1#53
Mar 26 15:51:21 unbound[17919:0] info: query response was REFERRAL
Mar 26 15:51:21 unbound[17919:0] info: resolving ns.udag.net. A IN
Mar 26 15:51:21 unbound[17919:0] info: resolving ns.udag.de. A IN
Mar 26 15:51:21 unbound[17919:0] info: response for ns3.myinfrastructure.org. A IN
Mar 26 15:51:21 unbound[17919:0] info: reply from <org.> 199.19.54.1#53
Mar 26 15:51:21 unbound[17919:0] info: query response was REFERRAL
Mar 26 15:51:21 unbound[17919:0] info: response for ns5.myinfrastructure.org. A IN
Mar 26 15:51:21 unbound[17919:0] info: reply from <myinfrastructure.org.> 176.97.158.91#53
Mar 26 15:51:21 unbound[17919:0] info: query response was ANSWER
Mar 26 15:51:21 unbound[17919:0] info: response for ns3.myinfrastructure.org. A IN
Mar 26 15:51:21 unbound[17919:0] info: reply from <myinfrastructure.org.> 176.97.158.91#53
Mar 26 15:51:21 unbound[17919:0] info: query response was ANSWER
Mar 26 15:51:21 unbound[17919:0] info: response for ns.udag.de. A IN
Mar 26 15:51:21 unbound[17919:0] info: reply from <.> 192.36.148.17#53
Mar 26 15:51:21 unbound[17919:0] info: query response was REFERRAL
Mar 26 15:51:21 unbound[17919:0] info: response for ns.udag.net. A IN
Mar 26 15:51:21 unbound[17919:0] info: reply from <.> 202.12.27.33#53
Mar 26 15:51:21 unbound[17919:0] info: query response was REFERRAL
Mar 26 15:51:21 unbound[17919:0] info: response for fail01.dnssec.works. A IN
Mar 26 15:51:21 unbound[17919:0] info: reply from <dnssec.works.> 185.92.221.212#53
Mar 26 15:51:21 unbound[17919:0] info: query response was ANSWER
Mar 26 15:51:21 unbound[17919:0] info: validated DS works. DS IN
Mar 26 15:51:21 unbound[17919:0] info: resolving works. DNSKEY IN
Mar 26 15:51:21 unbound[17919:0] info: response for ns.udag.de. A IN
Mar 26 15:51:21 unbound[17919:0] info: reply from <de.> 81.91.164.5#53
Mar 26 15:51:21 unbound[17919:0] info: query response was REFERRAL
Mar 26 15:51:21 unbound[17919:0] info: response for works. DNSKEY IN
Mar 26 15:51:21 unbound[17919:0] info: reply from <works.> 161.232.12.6#53
Mar 26 15:51:21 unbound[17919:0] info: query response was ANSWER
Mar 26 15:51:21 unbound[17919:0] info: validated DNSKEY works. DNSKEY IN
Mar 26 15:51:21 unbound[17919:0] info: validated DS dnssec.works. DS IN
Mar 26 15:51:21 unbound[17919:0] info: resolving dnssec.works. DNSKEY IN
Mar 26 15:51:21 unbound[17919:0] info: response for ns.udag.de. A IN
Mar 26 15:51:21 unbound[17919:0] info: reply from <udag.de.> 192.174.68.8#53
Mar 26 15:51:21 unbound[17919:0] info: query response was ANSWER
Mar 26 15:51:21 unbound[17919:0] info: response for ns.udag.net. A IN
Mar 26 15:51:21 unbound[17919:0] info: reply from <net.> 192.26.92.30#53
Mar 26 15:51:21 unbound[17919:0] info: query response was REFERRAL
Mar 26 15:51:21 unbound[17919:0] info: response for ns.udag.net. A IN
Mar 26 15:51:21 unbound[17919:0] info: reply from <udag.net.> 176.97.158.8#53
Mar 26 15:51:21 unbound[17919:0] info: query response was ANSWER
Mar 26 15:51:21 unbound[17919:0] info: response for dnssec.works. DNSKEY IN
Mar 26 15:51:21 unbound[17919:0] info: reply from <dnssec.works.> 185.92.221.212#53
Mar 26 15:51:21 unbound[17919:0] info: query response was ANSWER
Mar 26 15:51:21 unbound[17919:0] info: validated DNSKEY dnssec.works. DNSKEY IN
Mar 26 15:51:21 unbound[17919:0] info: resolving fail01.dnssec.works. DS IN
Mar 26 15:51:21 unbound[17919:0] info: response for fail01.dnssec.works. DS IN
Mar 26 15:51:21 unbound[17919:0] info: reply from <dnssec.works.> 185.92.221.212#53
Mar 26 15:51:21 unbound[17919:0] info: query response was ANSWER
Mar 26 15:51:21 unbound[17919:0] info: validated DS fail01.dnssec.works. DS IN
Mar 26 15:51:21 unbound[17919:0] info: resolving fail01.dnssec.works. DNSKEY IN
Mar 26 15:51:21 unbound[17919:0] info: resolving ns2.myinfrastructure.org. A IN
Mar 26 15:51:21 unbound[17919:0] info: response for ns2.myinfrastructure.org. A IN
Mar 26 15:51:21 unbound[17919:0] info: reply from <myinfrastructure.org.> 192.174.68.8#53
Mar 26 15:51:21 unbound[17919:0] info: query response was ANSWER
Mar 26 15:51:21 unbound[17919:0] info: response for fail01.dnssec.works. DNSKEY IN
Mar 26 15:51:21 unbound[17919:0] info: reply from <fail01.dnssec.works.> 5.45.109.212#53
Mar 26 15:51:21 unbound[17919:0] info: query response was ANSWER
Mar 26 15:51:21 unbound[17919:0] info: validated DNSKEY fail01.dnssec.works. DNSKEY IN
Mar 26 15:51:21 unbound[17919:0] info: Could not establish validation of INSECURE status of unsigned response.
Mar 26 15:51:21 unbound[17919:0] info: resolving fail01.dnssec.works. A IN
Mar 26 15:51:21 unbound[17919:0] info: response for fail01.dnssec.works. A IN
Mar 26 15:51:21 unbound[17919:0] info: reply from <fail01.dnssec.works.> 5.45.109.212#53
Mar 26 15:51:21 unbound[17919:0] info: query response was DNSSEC LAME
Mar 26 15:51:26 unbound[17919:0] info: resolving fail01.dnssec.works. A IN
Mar 26 15:51:26 unbound[17919:0] info: Could not establish validation of INSECURE status of unsigned response.
Mar 26 15:51:26 unbound[17919:0] info: resolving fail01.dnssec.works. A IN
Mar 26 15:51:26 unbound[17919:0] info: response for fail01.dnssec.works. A IN
Mar 26 15:51:26 unbound[17919:0] info: reply from <fail01.dnssec.works.> 5.45.109.212#53
Mar 26 15:51:26 unbound[17919:0] info: query response was DNSSEC LAME
Mar 26 15:51:31 unbound[17919:0] info: resolving fail01.dnssec.works. A IN
Mar 26 15:51:31 unbound[17919:0] info: Could not establish validation of INSECURE status of unsigned response.
Mar 26 15:51:31 unbound[17919:0] info: resolving fail01.dnssec.works. A IN
Mar 26 15:51:31 unbound[17919:0] info: response for fail01.dnssec.works. A IN
Mar 26 15:51:31 unbound[17919:0] info: reply from <fail01.dnssec.works.> 5.45.109.212#53
Mar 26 15:51:31 unbound[17919:0] info: query response was DNSSEC LAME
Mar 26 15:51:39 unbound[17919:0] info: response for fail01.dnssec.works. A IN
Mar 26 15:51:39 unbound[17919:0] info: reply from <fail01.dnssec.works.> 5.45.109.212#53
Mar 26 15:51:39 unbound[17919:0] info: query response was ANSWER
Mar 26 15:51:39 unbound[17919:0] info: Could not establish validation of INSECURE status of unsigned response.
Mar 26 15:51:39 unbound[17919:0] info: resolving fail01.dnssec.works. A IN
Mar 26 15:51:39 unbound[17919:0] info: response for fail01.dnssec.works. A IN
Mar 26 15:51:39 unbound[17919:0] info: reply from <fail01.dnssec.works.> 5.45.109.212#53
Mar 26 15:51:39 unbound[17919:0] info: query response was DNSSEC LAME
Mar 26 15:51:39 unbound[17919:0] info: response for fail01.dnssec.works. A IN
Mar 26 15:51:39 unbound[17919:0] info: reply from <fail01.dnssec.works.> 5.45.109.212#53
Mar 26 15:51:39 unbound[17919:0] info: query response was ANSWER
Mar 26 15:51:39 unbound[17919:0] info: Could not establish validation of INSECURE status of unsigned response.
Mar 26 15:51:39 unbound[17919:0] info: resolving fail01.dnssec.works. A IN
Mar 26 15:51:39 unbound[17919:0] info: response for fail01.dnssec.works. A IN
Mar 26 15:51:39 unbound[17919:0] info: reply from <fail01.dnssec.works.> 5.45.109.212#53
Mar 26 15:51:39 unbound[17919:0] info: query response was DNSSEC LAME
Mar 26 15:51:39 unbound[17919:0] info: response for fail01.dnssec.works. A IN
Mar 26 15:51:39 unbound[17919:0] info: reply from <fail01.dnssec.works.> 5.45.109.212#53
Mar 26 15:51:39 unbound[17919:0] info: query response was ANSWER
Mar 26 15:51:39 unbound[17919:0] info: Could not establish validation of INSECURE status of unsigned response.
Mar 26 15:51:39 unbound[17919:0] info: resolving fail01.dnssec.works. A IN
Mar 26 15:51:39 unbound[17919:0] info: response for fail01.dnssec.works. A IN
Mar 26 15:51:39 unbound[17919:0] info: reply from <fail01.dnssec.works.> 5.45.109.212#53
Mar 26 15:51:39 unbound[17919:0] info: query response was DNSSEC LAME
Mar 26 15:51:39 unbound[17919:0] info: response for fail01.dnssec.works. A IN
Mar 26 15:51:39 unbound[17919:0] info: reply from <fail01.dnssec.works.> 5.45.109.212#53
Mar 26 15:51:39 unbound[17919:0] info: query response was ANSWER
Mar 26 15:51:39 unbound[17919:0] info: Could not establish validation of INSECURE status of unsigned response.
Mar 26 15:51:39 unbound[17919:0] info: resolving fail01.dnssec.works. A IN
Mar 26 15:51:40 unbound[17919:0] info: response for fail01.dnssec.works. A IN
Mar 26 15:51:40 unbound[17919:0] info: reply from <fail01.dnssec.works.> 5.45.109.212#53
Mar 26 15:51:40 unbound[17919:0] info: query response was DNSSEC LAME
Mar 26 15:51:40 unbound[17919:0] info: response for fail01.dnssec.works. A IN
Mar 26 15:51:40 unbound[17919:0] info: reply from <fail01.dnssec.works.> 5.45.109.212#53
Mar 26 15:51:40 unbound[17919:0] info: query response was ANSWER
Mar 26 15:51:40 unbound[17919:0] info: Could not establish validation of INSECURE status of unsigned response.
Mar 26 15:51:45 unbound[17919:0] info: resolving update.googleapis.com. A IN
Mar 26 15:51:45 unbound[17919:0] info: resolving update.googleapis.com. HTTPS IN
Mar 26 15:51:45 unbound[17919:0] info: response for update.googleapis.com. A IN
Mar 26 15:51:45 unbound[17919:0] info: reply from <com.> 192.54.112.30#53
Mar 26 15:51:45 unbound[17919:0] info: query response was REFERRAL
Mar 26 15:51:45 unbound[17919:0] info: response for update.googleapis.com. HTTPS IN
Mar 26 15:51:45 unbound[17919:0] info: reply from <com.> 192.42.93.30#53
Mar 26 15:51:45 unbound[17919:0] info: query response was REFERRAL
Mar 26 15:51:45 unbound[17919:0] info: response for update.googleapis.com. A IN
Mar 26 15:51:45 unbound[17919:0] info: reply from <googleapis.com.> 216.239.34.10#53
Mar 26 15:51:45 unbound[17919:0] info: query response was ANSWER
Mar 26 15:51:45 unbound[17919:0] info: NSEC3s for the referral proved no DS.
Mar 26 15:51:45 unbound[17919:0] info: Verified that unsigned response is INSECURE
Mar 26 15:51:45 unbound[17919:0] info: response for update.googleapis.com. HTTPS IN
Mar 26 15:51:45 unbound[17919:0] info: reply from <googleapis.com.> 216.239.32.10#53
Mar 26 15:51:45 unbound[17919:0] info: query response was ANSWER
Mar 26 15:51:45 unbound[17919:0] info: response for update.googleapis.com. HTTPS IN
Mar 26 15:51:45 unbound[17919:0] info: reply from <googleapis.com.> 216.239.38.10#53
Mar 26 15:51:45 unbound[17919:0] info: query response was nodata ANSWER
Mar 26 15:51:51 unbound[17919:0] info: response for fail01.dnssec.works. A IN
Mar 26 15:51:51 unbound[17919:0] info: reply from <fail01.dnssec.works.> 5.45.109.212#53
Mar 26 15:51:51 unbound[17919:0] info: query response was ANSWER
Mar 26 15:51:51 unbound[17919:0] info: Could not establish validation of INSECURE status of unsigned response.
Mar 26 15:51:51 unbound[17919:0] info: resolving fail01.dnssec.works. A IN
Mar 26 15:51:51 unbound[17919:0] info: response for fail01.dnssec.works. A IN
Mar 26 15:51:51 unbound[17919:0] info: reply from <fail01.dnssec.works.> 5.45.109.212#53
Mar 26 15:51:51 unbound[17919:0] info: query response was ANSWER
Mar 26 15:51:51 unbound[17919:0] info: Could not establish validation of INSECURE status of unsigned response.
Mar 26 15:51:51 unbound[17919:0] info: resolving fail01.dnssec.works. A IN
Mar 26 15:51:51 unbound[17919:0] info: response for fail01.dnssec.works. A IN
Mar 26 15:51:51 unbound[17919:0] info: reply from <fail01.dnssec.works.> 5.45.109.212#53
Mar 26 15:51:51 unbound[17919:0] info: query response was DNSSEC LAME
Mar 26 15:51:51 unbound[17919:0] info: response for fail01.dnssec.works. A IN
Mar 26 15:51:51 unbound[17919:0] info: reply from <fail01.dnssec.works.> 5.45.109.212#53
Mar 26 15:51:51 unbound[17919:0] info: query response was DNSSEC LAME
Mar 26 15:51:51 unbound[17919:0] info: response for fail01.dnssec.works. A IN
Mar 26 15:51:51 unbound[17919:0] info: reply from <fail01.dnssec.works.> 5.45.109.212#53
Mar 26 15:51:51 unbound[17919:0] info: query response was ANSWER
Mar 26 15:51:51 unbound[17919:0] info: Could not establish validation of INSECURE status of unsigned response.
Mar 26 15:51:51 unbound[17919:0] info: resolving fail01.dnssec.works. A IN
Mar 26 15:51:51 unbound[17919:0] info: response for fail01.dnssec.works. A IN
Mar 26 15:51:51 unbound[17919:0] info: reply from <fail01.dnssec.works.> 5.45.109.212#53
Mar 26 15:51:51 unbound[17919:0] info: query response was ANSWER
Mar 26 15:51:51 unbound[17919:0] info: Could not establish validation of INSECURE status of unsigned response.
Mar 26 15:51:51 unbound[17919:0] info: resolving fail01.dnssec.works. A IN
Mar 26 15:51:51 unbound[17919:0] info: response for fail01.dnssec.works. A IN
Mar 26 15:51:51 unbound[17919:0] info: reply from <fail01.dnssec.works.> 5.45.109.212#53
Mar 26 15:51:51 unbound[17919:0] info: query response was DNSSEC LAME
Mar 26 15:51:51 unbound[17919:0] info: response for fail01.dnssec.works. A IN
Mar 26 15:51:51 unbound[17919:0] info: reply from <fail01.dnssec.works.> 5.45.109.212#53
Mar 26 15:51:51 unbound[17919:0] info: query response was DNSSEC LAME
Mar 26 15:51:51 unbound[17919:0] info: response for fail01.dnssec.works. A IN
Mar 26 15:51:51 unbound[17919:0] info: reply from <fail01.dnssec.works.> 5.45.109.212#53
Mar 26 15:51:51 unbound[17919:0] info: query response was ANSWER
Mar 26 15:51:51 unbound[17919:0] info: Could not establish validation of INSECURE status of unsigned response.
Mar 26 15:51:51 unbound[17919:0] info: resolving fail01.dnssec.works. A IN
Mar 26 15:51:51 unbound[17919:0] info: response for fail01.dnssec.works. A IN
Mar 26 15:51:51 unbound[17919:0] info: reply from <fail01.dnssec.works.> 5.45.109.212#53
Mar 26 15:51:51 unbound[17919:0] info: query response was ANSWER
Mar 26 15:51:51 unbound[17919:0] info: Could not establish validation of INSECURE status of unsigned response.
Mar 26 15:51:51 unbound[17919:0] info: resolving fail01.dnssec.works. A IN
Mar 26 15:51:51 unbound[17919:0] info: response for fail01.dnssec.works. A IN
Mar 26 15:51:51 unbound[17919:0] info: reply from <fail01.dnssec.works.> 5.45.109.212#53
Mar 26 15:51:51 unbound[17919:0] info: query response was DNSSEC LAME
Mar 26 15:51:51 unbound[17919:0] info: response for fail01.dnssec.works. A IN
Mar 26 15:51:51 unbound[17919:0] info: reply from <fail01.dnssec.works.> 5.45.109.212#53
Mar 26 15:51:51 unbound[17919:0] info: query response was DNSSEC LAME
Mar 26 15:51:51 unbound[17919:0] info: response for fail01.dnssec.works. A IN
Mar 26 15:51:51 unbound[17919:0] info: reply from <fail01.dnssec.works.> 5.45.109.212#53
Mar 26 15:51:51 unbound[17919:0] info: query response was ANSWER
Mar 26 15:51:51 unbound[17919:0] info: Could not establish validation of INSECURE status of unsigned response.
Mar 26 15:51:51 unbound[17919:0] info: resolving fail01.dnssec.works. A IN
Mar 26 15:51:51 unbound[17919:0] info: response for fail01.dnssec.works. A IN
Mar 26 15:51:51 unbound[17919:0] info: reply from <fail01.dnssec.works.> 5.45.109.212#53
Mar 26 15:51:51 unbound[17919:0] info: query response was ANSWER
Mar 26 15:51:51 unbound[17919:0] info: Could not establish validation of INSECURE status of unsigned response.
Mar 26 15:51:51 unbound[17919:0] info: resolving fail01.dnssec.works. A IN
Mar 26 15:51:52 unbound[17919:0] info: response for fail01.dnssec.works. A IN
Mar 26 15:51:52 unbound[17919:0] info: reply from <fail01.dnssec.works.> 5.45.109.212#53
Mar 26 15:51:52 unbound[17919:0] info: query response was DNSSEC LAME
Mar 26 15:51:52 unbound[17919:0] info: response for fail01.dnssec.works. A IN
Mar 26 15:51:52 unbound[17919:0] info: reply from <fail01.dnssec.works.> 5.45.109.212#53
Mar 26 15:51:52 unbound[17919:0] info: query response was DNSSEC LAME
Mar 26 15:51:52 unbound[17919:0] info: response for fail01.dnssec.works. A IN
Mar 26 15:51:52 unbound[17919:0] info: reply from <fail01.dnssec.works.> 5.45.109.212#53
Mar 26 15:51:52 unbound[17919:0] info: query response was ANSWER
Mar 26 15:51:52 unbound[17919:0] info: Could not establish validation of INSECURE status of unsigned response.
Mar 26 15:51:52 unbound[17919:0] info: response for fail01.dnssec.works. A IN
Mar 26 15:51:52 unbound[17919:0] info: reply from <fail01.dnssec.works.> 5.45.109.212#53
Mar 26 15:51:52 unbound[17919:0] info: query response was ANSWER
Mar 26 15:51:52 unbound[17919:0] info: Could not establish validation of INSECURE status of unsigned response.
Mar 26 15:52:34 unbound[17919:0] info: resolving prod-3-realtime-lb-840806869.us-east-1.elb.amazonaws.com. A IN
....

From which I cannot tell why I get the Timeout from unbound.

For posterity, this is my new debug token:
https://tricorder.pi-hole.net/HebH3DYj/

EDIT: querying NextDNS DNS servers through my router correctly gives SERVFAIL.
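The verbosity-2 log above does contain the answer to "why a timeout": the same `resolving fail01.dnssec.works. A IN` line recurs at 15:51:21, 15:51:26 and 15:51:31, which is dig's default retry pattern (5 s timeout, three tries), and in between unbound keeps getting `DNSSEC LAME` replies from 5.45.109.212 and logging that it "Could not establish validation of INSECURE status", so it has nothing to return to the client before the client gives up. Below is an added example (editor's code, not from the thread or from unbound) that summarises such a log per query name: response types per query, the servers that answered, failed INSECURE proofs, and re-queries spaced far enough apart to look like client retries. The sample log is a constructed subset of the lines posted above; attributing a validation message to the most recently named query is a heuristic, noted in the code.

```python
"""Summarise an unbound verbosity-2 log per query name.

Added example (not from the thread or from unbound). The sample lines are a
subset of the log in the post above. Attributing 'Could not establish
validation...' lines to the most recently named query is a heuristic."""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample: subset of the verbosity-2 log posted in the thread.
SAMPLE_LOG = """\
Mar 26 15:51:21 unbound[17919:0] info: resolving fail01.dnssec.works. A IN
Mar 26 15:51:21 unbound[17919:0] info: response for fail01.dnssec.works. A IN
Mar 26 15:51:21 unbound[17919:0] info: reply from <.> 170.247.170.2#53
Mar 26 15:51:21 unbound[17919:0] info: query response was REFERRAL
Mar 26 15:51:21 unbound[17919:0] info: response for fail01.dnssec.works. A IN
Mar 26 15:51:21 unbound[17919:0] info: reply from <dnssec.works.> 185.92.221.212#53
Mar 26 15:51:21 unbound[17919:0] info: query response was ANSWER
Mar 26 15:51:21 unbound[17919:0] info: validated DS fail01.dnssec.works. DS IN
Mar 26 15:51:21 unbound[17919:0] info: Could not establish validation of INSECURE status of unsigned response.
Mar 26 15:51:21 unbound[17919:0] info: resolving fail01.dnssec.works. A IN
Mar 26 15:51:21 unbound[17919:0] info: response for fail01.dnssec.works. A IN
Mar 26 15:51:21 unbound[17919:0] info: reply from <fail01.dnssec.works.> 5.45.109.212#53
Mar 26 15:51:21 unbound[17919:0] info: query response was DNSSEC LAME
Mar 26 15:51:26 unbound[17919:0] info: resolving fail01.dnssec.works. A IN
Mar 26 15:51:26 unbound[17919:0] info: Could not establish validation of INSECURE status of unsigned response.
Mar 26 15:51:31 unbound[17919:0] info: resolving fail01.dnssec.works. A IN
Mar 26 15:51:45 unbound[17919:0] info: resolving update.googleapis.com. A IN
Mar 26 15:51:45 unbound[17919:0] info: response for update.googleapis.com. A IN
Mar 26 15:51:45 unbound[17919:0] info: reply from <googleapis.com.> 216.239.34.10#53
Mar 26 15:51:45 unbound[17919:0] info: query response was ANSWER
Mar 26 15:51:45 unbound[17919:0] info: NSEC3s for the referral proved no DS.
Mar 26 15:51:45 unbound[17919:0] info: Verified that unsigned response is INSECURE
"""

LINE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) unbound\[\d+:\d+\] \w+: (?P<msg>.*)$")
RESOLVING = re.compile(r"^resolving (?P<q>\S+ \S+ \S+)$")
RESPONSE = re.compile(r"^response for (?P<q>\S+ \S+ \S+)$")
REPLY = re.compile(r"^reply from <[^>]*> (?P<server>\S+)$")
STATUS = re.compile(r"^query response was (?P<status>.+)$")
VALIDATION_FAIL = "Could not establish validation of INSECURE status of unsigned response."
INSECURE_OK = "Verified that unsigned response is INSECURE"


def parse_ts(text, year=2024):
    """Syslog timestamps carry no year; assume one so gaps can be computed."""
    return datetime.strptime(f"{year} {text}", "%Y %b %d %H:%M:%S")


def triage(log_text):
    """Return {query: {resolving: [ts], statuses: Counter, servers: set, ...}}."""
    new = lambda: {"resolving": [], "statuses": Counter(), "servers": set(),
                   "validation_failures": 0, "insecure_ok": 0}
    queries = defaultdict(new)
    current = None  # query most recently named by a 'resolving'/'response for' line
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ts, msg = parse_ts(m["ts"]), m["msg"]
        if (r := RESOLVING.match(msg)):
            current = r["q"]
            queries[current]["resolving"].append(ts)
        elif (r := RESPONSE.match(msg)):
            current = r["q"]
        elif current is None:
            continue
        elif (r := REPLY.match(msg)):
            queries[current]["servers"].add(r["server"])
        elif (r := STATUS.match(msg)):
            queries[current]["statuses"][r["status"]] += 1
        elif msg == VALIDATION_FAIL:
            queries[current]["validation_failures"] += 1
        elif msg == INSECURE_OK:
            queries[current]["insecure_ok"] += 1
    return dict(queries)


def client_retries(queries, min_gap=4.0):
    """Count re-queries of the same name spaced >= min_gap seconds apart.
    dig's defaults are a 5 s timeout and 3 tries, so gaps of ~5 s usually mean
    the client retried because it had received nothing yet."""
    out = {}
    for q, info in queries.items():
        ts = sorted(info["resolving"])
        gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
        retries = sum(1 for g in gaps if g >= min_gap)
        if retries:
            out[q] = retries
    return out


def report(queries):
    """Plain-language findings for queries that look unhealthy."""
    findings = []
    retries = client_retries(queries)
    for q, info in queries.items():
        lame = info["statuses"].get("DNSSEC LAME", 0)
        if lame or info["validation_failures"]:
            findings.append(f"{q}: {lame} DNSSEC LAME replies, "
                            f"{info['validation_failures']} failed INSECURE proofs, "
                            f"servers {sorted(info['servers'])}")
        if q in retries:
            findings.append(f"{q}: re-queried {retries[q]} time(s) with >=4 s gaps "
                            "(client retrying after a timeout)")
    return findings


if __name__ == "__main__":
    for finding in report(triage(SAMPLE_LOG)):
        print("-", finding)
```

Feed it the real log (`journalctl -u unbound` or the file unbound logs to) and compare the healthy `update.googleapis.com` entry, which proves its unsigned status via NSEC3 once, with the `fail01.dnssec.works` entry that never gets a usable answer; a query that shows retries and no final status is the one the client saw as a timeout rather than a SERVFAIL.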

Try setting that to no and retry the queries.

I think it's that test site. Every time I set up Unbound anywhere, I see this behaviour from that test site. E.g. right now on my Unbound, the first attempt times out, the second attempt gets the correct failure answer, no change between attempts from my setup.

$ dig fail01.dnssec.works @127.0.0.1 -p 5335

; <<>> DiG 9.16.48-Debian <<>> fail01.dnssec.works @127.0.0.1 -p 5335
;; global options: +cmd
;; connection timed out; no servers could be reached

$ dig fail01.dnssec.works @127.0.0.1 -p 5335

; <<>> DiG 9.16.48-Debian <<>> fail01.dnssec.works @127.0.0.1 -p 5335
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 38969
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
...

Could you please share the result of the following command:

dig fail01.dnssec.works +dnssec +multi @127.0.0.1 -p 5335

@chrislph ,
I see what you mean, but you do not get the

;; communications error to 127.0.0.1#5335: timed out
;; communications error to 127.0.0.1#5335: timed out
;; communications error to 127.0.0.1#5335: timed out

And if I run this against NextDNS, I get the expected SERVFAIL.

@Bucking_Horn ,
Here is the output:

root@pi2:~# dig fail01.dnssec.works +dnssec +multi @127.0.0.1 -p 5335

; <<>> DiG 9.18.24-1-Debian <<>> fail01.dnssec.works +dnssec +multi @127.0.0.1 -p 5335
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 8296
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
;; QUESTION SECTION:
;fail01.dnssec.works.	IN A

;; Query time: 0 msec
;; SERVER: 127.0.0.1#5335(127.0.0.1) (UDP)
;; WHEN: Tue Mar 26 22:54:26 EDT 2024
;; MSG SIZE  rcvd: 48

I get SERVFAIL.

And now if I run the original command, I get SERVFAIL as well:
(maybe cached?)

root@pi2:~# dig fail01.dnssec.works @127.0.0.1 -p 5335

; <<>> DiG 9.18.24-1-Debian <<>> fail01.dnssec.works @127.0.0.1 -p 5335
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 38958
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;fail01.dnssec.works.		IN	A

;; Query time: 3 msec
;; SERVER: 127.0.0.1#5335(127.0.0.1) (UDP)
;; WHEN: Tue Mar 26 22:59:40 EDT 2024
;; MSG SIZE  rcvd: 48

Which gives?

DanSchaper, I will need to try that tomorrow just to ensure the cache is expired.

Changed harden-dnssec-stripped to no.

Same behavior:

root@pi2:~# dig fail01.dnssec.works @127.0.0.1 -p 5335
;; communications error to 127.0.0.1#5335: timed out
;; communications error to 127.0.0.1#5335: timed out
;; communications error to 127.0.0.1#5335: timed out

; <<>> DiG 9.18.24-1-Debian <<>> fail01.dnssec.works @127.0.0.1 -p 5335
;; global options: +cmd
;; no servers could be reached

root@pi2:~# 

I think @chrislph is correct:

the first attempt times out, the second attempt gets the correct failure answer, no change between attempts from my setup.

because on 2nd attempt I got SERVFAIL.

This seems to happen every time unbound is restarted: 1st attempt timeout, 2nd SERVFAIL.

I think this thread has lived its useful life.
I haven't found other domains not resolving reliably since moving to a Debian container and the automated installation.

The issue started happening again today, but the problem seems to be Pi-hole this time:

Unbound resolves login.mso.msidentity.com:

root@pi2:~# dig login.mso.msidentity.com @127.0.0.1 -p 5335

; <<>> DiG 9.18.24-1-Debian <<>> login.mso.msidentity.com @127.0.0.1 -p 5335
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59209
;; flags: qr rd ra; QUERY: 1, ANSWER: 10, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;login.mso.msidentity.com.	IN	A

;; ANSWER SECTION:
login.mso.msidentity.com. 300	IN	CNAME	ak.privatelink.msidentity.com.
ak.privatelink.msidentity.com. 300 IN	CNAME	www.tm.ak.prd.aadg.trafficmanager.net.
www.tm.ak.prd.aadg.trafficmanager.net. 300 IN A	40.126.28.19
www.tm.ak.prd.aadg.trafficmanager.net. 300 IN A	40.126.28.18
www.tm.ak.prd.aadg.trafficmanager.net. 300 IN A	40.126.7.35
www.tm.ak.prd.aadg.trafficmanager.net. 300 IN A	40.126.7.32
www.tm.ak.prd.aadg.trafficmanager.net. 300 IN A	40.126.28.12
www.tm.ak.prd.aadg.trafficmanager.net. 300 IN A	40.126.28.21
www.tm.ak.prd.aadg.trafficmanager.net. 300 IN A	40.126.28.14
www.tm.ak.prd.aadg.trafficmanager.net. 300 IN A	40.126.28.11

;; Query time: 279 msec
;; SERVER: 127.0.0.1#5335(127.0.0.1) (UDP)
;; WHEN: Mon Apr 08 14:27:05 EDT 2024
;; MSG SIZE  rcvd: 261

Pi-hole doesn't:

root@pi2:~# dig login.mso.msidentity.com @127.0.0.1 -p 53

; <<>> DiG 9.18.24-1-Debian <<>> login.mso.msidentity.com @127.0.0.1 -p 53
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16279
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;login.mso.msidentity.com.	IN	A

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
;; WHEN: Mon Apr 08 14:27:25 EDT 2024
;; MSG SIZE  rcvd: 53

logs:
cat /var/log/pihole.log | grep login.mso.msidentity.com

Apr  8 13:14:47 dnsmasq[153]: reply login.mso.msidentity.com is <CNAME>
Apr  8 13:25:00 dnsmasq[153]: reply login.mso.msidentity.com is NODATA-IPv4
Apr  8 13:30:00 dnsmasq[153]: cached login.mso.msidentity.com is NODATA-IPv4
Apr  8 14:27:25 dnsmasq[153]: query[A] login.mso.msidentity.com from 127.0.0.1
Apr  8 14:27:25 dnsmasq[153]: cached login.mso.msidentity.com is NODATA-IPv4

Why doesn't Pi-hole (dnsmasq) pick up the IP from unbound?

.... and it works today. No changes in config:

root@pi2:~# dig login.mso.msidentity.com @127.0.0.1 -p 53 +short
ak.privatelink.msidentity.com.
www.tm.ak.prd.aadg.akadns.net.
40.126.29.15
20.190.157.11
40.126.29.13
40.126.29.8
40.126.29.6
40.126.29.5
40.126.29.10
40.126.29.14

So how to have Pi-hole reliably resolve domains?
(I didn't have this issue with an older version of Pi-hole, but I made the mistake of attempting an upgrade, which broke the installation completely because it was running on Ubuntu 16.04. I know it was old, but it was stable 🙄)
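The two posts above show the shape of the failure: unbound on 127.0.0.1:5335 answers with a CNAME chain and eight A records, while Pi-hole on port 53 returns NOERROR with ANSWER: 0 and its log says `cached login.mso.msidentity.com is NODATA-IPv4`. A NOERROR/empty answer is easy to miss when only watching for SERVFAIL or timeouts, so the check a practitioner would want is one that queries both listeners and flags exactly that divergence. The following is an added example (editor's code, not from the thread, Pi-hole or unbound): a parser for dig's text output and a comparison that reports a forwarder timeout, a non-NOERROR status, or NODATA from the forwarder while the upstream has addresses. The two sample outputs are constructed from the dig runs above (the unbound one trimmed to three A records); to run it live, replace the constants with the output of `dig <name> @127.0.0.1 -p 5335` and `dig <name> @127.0.0.1 -p 53`.

```python
"""Compare what the recursive resolver and the forwarder in front of it answer.

Added example (not from the thread). Parses dig's text output and flags the
cases a periodic check should alert on; samples are constructed from the dig
runs in the posts above."""
import re

# Constructed sample: unbound on 127.0.0.1:5335, trimmed to three A records.
UNBOUND_OUT = """\
; <<>> DiG 9.18.24-1-Debian <<>> login.mso.msidentity.com @127.0.0.1 -p 5335
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59209
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 1

;; QUESTION SECTION:
;login.mso.msidentity.com.      IN      A

;; ANSWER SECTION:
login.mso.msidentity.com. 300   IN      CNAME   ak.privatelink.msidentity.com.
ak.privatelink.msidentity.com. 300 IN   CNAME   www.tm.ak.prd.aadg.trafficmanager.net.
www.tm.ak.prd.aadg.trafficmanager.net. 300 IN A 40.126.28.19
www.tm.ak.prd.aadg.trafficmanager.net. 300 IN A 40.126.28.18
www.tm.ak.prd.aadg.trafficmanager.net. 300 IN A 40.126.7.35

;; Query time: 279 msec
;; SERVER: 127.0.0.1#5335(127.0.0.1) (UDP)
"""

# Constructed sample: Pi-hole (dnsmasq) on 127.0.0.1:53 serving a cached NODATA.
PIHOLE_OUT = """\
; <<>> DiG 9.18.24-1-Debian <<>> login.mso.msidentity.com @127.0.0.1 -p 53
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16279
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; QUESTION SECTION:
;login.mso.msidentity.com.      IN      A

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
"""

HEADER = re.compile(r"^;; ->>HEADER<<- opcode: \w+, status: (?P<status>\w+), id: \d+")
FLAGS = re.compile(r"^;; flags: [^;]*; QUERY: \d+, ANSWER: (?P<answer>\d+), AUTHORITY: \d+, ADDITIONAL: \d+")
RR = re.compile(r"^(?P<name>\S+)\s+\d+\s+IN\s+(?P<type>\S+)\s+(?P<data>.+)$")


def parse_dig(text):
    """Extract status, the header's ANSWER count, answer-section records and
    whether dig gave up ('no servers could be reached')."""
    parsed = {"status": None, "answer_count": None, "records": [], "unreachable": False}
    in_answer = False
    for line in text.splitlines():
        if "no servers could be reached" in line:
            parsed["unreachable"] = True
            continue
        if (m := HEADER.match(line)):
            parsed["status"] = m["status"]
            continue
        if (m := FLAGS.match(line)):
            parsed["answer_count"] = int(m["answer"])
            continue
        if line.startswith(";; ANSWER SECTION:"):
            in_answer = True
            continue
        if not line.strip() or line.startswith(";"):
            in_answer = False  # any other comment or blank line ends the section
            continue
        if in_answer and (m := RR.match(line)):
            parsed["records"].append((m["name"], m["type"], m["data"].strip()))
    return parsed


def a_records(parsed):
    """Set of IPv4 addresses in the answer section (CNAMEs are skipped)."""
    return {data for _, rtype, data in parsed["records"] if rtype == "A"}


def compare(upstream, forwarder):
    """Return human-readable issues; an empty list means the forwarder agrees."""
    issues = []
    if forwarder["unreachable"]:
        issues.append("forwarder did not answer (dig timed out)")
    if forwarder["status"] not in (None, "NOERROR"):
        issues.append(f"forwarder returned {forwarder['status']}")
    up_a, fw_a = a_records(upstream), a_records(forwarder)
    if up_a and not fw_a and forwarder["status"] == "NOERROR":
        issues.append(f"forwarder returned NOERROR with no A records (NODATA) "
                      f"while upstream returned {len(up_a)} A records")
    elif up_a and fw_a and not (up_a & fw_a):
        # Not necessarily wrong for traffic-managed names; worth a look, not an alert.
        issues.append("address sets disagree completely")
    return issues


if __name__ == "__main__":
    for issue in compare(parse_dig(UNBOUND_OUT), parse_dig(PIHOLE_OUT)):
        print("-", issue)
```

The useful property of this check is that it treats "NOERROR, ANSWER: 0" as a finding only when the upstream has addresses, which is precisely the cached `NODATA-IPv4` case from the pihole.log excerpt above; a domain that genuinely has no A record produces no alert.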