NLnetLabs / unbound

Unbound is a validating, recursive, and caching DNS resolver.
https://nlnetlabs.nl/unbound
BSD 3-Clause "New" or "Revised" License

SERVFAIL while running unbound 1.18 on FreeBSD with setfib and set private-address #957

Open hshh opened 1 year ago

hshh commented 1 year ago

**Describe the bug**
While running unbound 1.18 on FreeBSD with setfib and set private-address, it returned SERVFAIL. The error log is "exceeded the maximum number of sends". Unbound 1.18 run without setfib works correctly. Unbound 1.17.1 with the same configuration file works correctly.

**To reproduce**
Steps to reproduce the behavior:

  1. set unbound.conf with private-address: ::/0
  2. run unbound with setfib 1 /usr/local/sbin/unbound -c unbound.conf

**System**

Configure line: --with-libexpat=/usr/local --with-ssl=/usr --disable-dnscrypt --disable-dnstap --with-libnghttp2 --with-dynlibmodule --enable-ecdsa --disable-event-api --enable-gost --with-libevent --disable-subnet --disable-tfo-client --disable-tfo-server --with-pthreads --prefix=/usr/local --localstatedir=/var --mandir=/usr/local/man --infodir=/usr/local/share/info/ --build=amd64-portbld-freebsd13.2
Linked libs: libevent 2.1.12-stable (it uses kqueue), OpenSSL 1.1.1t-freebsd 7 Feb 2023
Linked modules: dns64 dynlib respip validator iterator

wcawijngaards commented 1 year ago

I believe this issue could be caused by https://github.com/NLnetLabs/unbound/commit/b865aca03a5c653356334c789b54e70c0bd0e08d . Applying that fix may solve it. If the commit fixes it, then what happens could be that the fib change set it to use a particular upstream connectivity. The private address is an unusual setting here, that removes all IPv6 AAAA records from the answers. They could then all turn into nodata answers, or look like that, and then the fix could perhaps stop the issue by accepting the nodata answer eventually.

Another possibility is that the fib does not work and unbound cannot actually send, and what is exceeded is the number of send attempts. If that is the case, try something like verbosity 4 or 5 and then see if the logs print issues around sending packets on that configured fib.
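To make the mechanism in the comment above concrete, here is an added example (not Unbound's own code) that models how `private-address` strips address records that fall inside the configured prefixes, and why `::/0` turns every AAAA answer into a nodata answer while a prefix such as 10.0.0.0/8 only removes the rebinding-prone addresses. The record representation and function names are assumptions for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Simplified model of Unbound's private-address handling (constructed for
# illustration): any A/AAAA record whose address lies inside a configured
# prefix is removed from the answer before it is returned to the client.

@dataclass
class RR:
    name: str
    rtype: str   # "A", "AAAA" or any other type (left untouched)
    rdata: str   # textual address for A/AAAA

def parse_private_addresses(prefixes):
    """Turn private-address config values into network objects."""
    return [ipaddress.ip_network(p, strict=False) for p in prefixes]

def filter_answer(rrs, private_nets):
    """Return (kept_records, stripped_count) after applying private-address."""
    kept, stripped = [], 0
    for rr in rrs:
        if rr.rtype in ("A", "AAAA"):
            addr = ipaddress.ip_address(rr.rdata)
            if any(addr in net for net in private_nets
                   if net.version == addr.version):
                stripped += 1
                continue
        kept.append(rr)
    return kept, stripped

def classify(qtype, kept):
    """'DATA' if records of the queried type survive, else 'NODATA'."""
    return "DATA" if any(rr.rtype == qtype for rr in kept) else "NODATA"

def answer_status(qtype, rrs, prefixes):
    """Convenience wrapper: status of an answer under a private-address list."""
    kept, _ = filter_answer(rrs, parse_private_addresses(prefixes))
    return classify(qtype, kept)
```

With `::/0` every AAAA record matches, so an AAAA query that really has addresses upstream ends up looking like a nodata answer, which is the situation the comment above describes.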

mmiller7 commented 12 months ago

> The private address is an unusual setting here, that removes all IPv6 AAAA records from the answers.

I'm surprised it's unusual; is there some other way to prevent IPv6 AAAA records being returned?

The reason I ended up doing that is I found an increasing number of things seemed to be attempting to use the IPv6 addresses when DNS returns them which results in a painful user experience as it tries to connect to an address that can never be reached because my ISP doesn't support IPv6, and then I have to wait an extra 5-ish seconds for everything that wants to use IPv6 because it got an IPv6 address.

It seems silly to return an address to a client when you know the network can't route anywhere.

This can't be that uncommon... I know my ISP seems to be smaller, but heck, even with Verizon FiOS at my parents' there's no IPv6 support yet; it's all IPv4. Maybe most people are just living with the extra delay and thinking they need to buy faster ISP plans?

hshh commented 12 months ago

It is fixed in unbound 1.19.