wcawijngaards
commented
2 years ago For this query name I cannot reproduce issues with 0x20, the logs say the 0x20 replies are good. Looking at your config, I can make a guess, but it is pretty vague. Your num-queries-per-thread: 32 setting is very low. That should be adjusted to like 1024, or use the default. The setting could cause servfail, when the num queries are full, and another query comes in, the not fitting query can be rejected with SERVFAIL. How that could happen, you have prefetch, you query for the name, this gives you an answer, and starts the prefetch. Somehow with 0x20 enabled this takes longer than without 0x20, because some names have 0x20 fallback and then unbound has to query a number of hosts, like 5 queries or so, and that is more work. This makes the entry exist for a little longer. Then your second query comes in, but the list of queries is full now, with the previous one. And the new query is rejected. That would only happen when the list is full, so there is a bunch of lookups. And perhaps also in combination with prefetch and a name for which 0x20 backoff has to be performed.
If this happens, that should be shown in the logs. Maybe at higher verbosity settings. That makes the logs show what happens and why servfail is happening. You could try to fix the num queries per thread setting, or capture the event with verbosity in logs, or if logs show output now. There is also log-servfail: yes that prints summary information about servfail replies to log, that you could enable to get more information about these servfails.
renaudallard
lohphat
Describe the bug Since I upgraded my DNS servers to OpenBSD 7.1 with unbound 1.15.0, I have a lot of issues with DNS resolution (without changing anything in the config). I randomly get SERVFAIL for a lot of names, or something even stranger like some addresses and SERVFAIL for others (see dashlane example). The exact same config was working just fine with unbound 1.13.0 on OpenBSD 7.0. Note that it does not happen every time, it's quite sporadic.
Examples: host dashlane.com dashlane.com has address 65.9.82.43 dashlane.com has address 65.9.82.13 dashlane.com has address 65.9.82.36 dashlane.com has address 65.9.82.97 Host dashlane.com not found: 2(SERVFAIL) Host dashlane.com not found: 2(SERVFAIL)
host forum.opnsense.org Host forum.opnsense.org not found: 2(SERVFAIL)
To reproduce Here is my partial config server: log-replies: yes interface: 0.0.0.0@853 tls-port: 853 tls-service-pem: tls-service-key: outgoing-range: 8192 outgoing-num-tcp: 256 incoming-num-tcp: 256 serve-expired: yes outbound-msg-retry: 5 cache-max-negative-ttl: 1 msg-cache-size: 64m msg-cache-slabs: 4 num-queries-per-thread: 32 rrset-cache-size: 128m rrset-cache-slabs: 4 infra-cache-slabs: 4 key-cache-slabs: 4 access-control: 0.0.0.0/0 allow access-control: ::0/0 allow hide-identity: yes hide-version: yes harden-short-bufsize: yes harden-large-queries: yes harden-glue: yes harden-dnssec-stripped: yes harden-below-nxdomain: yes harden-referral-path: yes use-caps-for-id: yes qname-minimisation: yes aggressive-nsec: yes edns-tcp-keepalive: yes so-reuseport: no deny-any: yes prefetch: yes prefetch-key: yes rrset-roundrobin: yes minimal-responses: yes
Expected behavior Names should resolve properly
System:
unbound -Voutput: Version 1.15.0 Configure line: --enable-allsymbols --with-ssl=/usr --with-libevent=/usr --with-libexpat=/usr --without-pythonmodule --with-chroot-dir=/var/unbound --with-pidfile= --with-rootkey-file=/var/unbound/db/root.key --with-conf-file=/var/unbound/etc/unbound.conf --with-username=_unbound --disable-shared --disable-explicit-port-randomisation --without-pthreads Linked libs: pluggable-libevent 1.4.15-stable (it uses kqueue), LibreSSL 3.5.2 Linked modules: dns64 respip validator iteratorAdditional information I tried removing every "hardening" parameter one by one to get nearer to the stock config. And it seems that disabling use-caps-for-id solves the issue.