klutchell / unbound-docker

unofficial unbound multiarch docker image
BSD 3-Clause "New" or "Revised" License

Receiving SERVFAIL with no custom changes #500

Closed garlic-hub closed 1 month ago

garlic-hub commented 1 month ago

Hello. I was attempting to pair unbound with pihole and would only receive SERVFAIL so I decided to attempt a minimal config to see if it works.

Expected behavior: receive no error and a valid DNS A record for google.com

$ docker run --rm -d --name unbound klutchell/unbound

Using latest and did a pull to ensure it is up to date:

$ docker pull klutchell/unbound
Using default tag: latest
latest: Pulling from klutchell/unbound
Digest: sha256:41a37ebbfc522155cc68c21b783f7b30f041438ae1c3c1ab011cd2e73c1624c5
Status: Image is up to date for klutchell/unbound:latest
docker.io/klutchell/unbound:latest

The SERVFAIL:

$ docker exec unbound drill @127.0.0.1 google.com
;; ->>HEADER<<- opcode: QUERY, rcode: SERVFAIL, id: 864
;; flags: qr rd ra ; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0 
;; QUESTION SECTION:
;; google.com.  IN  A

;; ANSWER SECTION:

;; AUTHORITY SECTION:

;; ADDITIONAL SECTION:

;; Query time: 1 msec
;; SERVER: 127.0.0.1
;; WHEN: Sun Sep 22 06:19:21 2024
;; MSG SIZE  rcvd: 28

example.com and dnssec.works both SERVFAIL as well

Router firewall is not blocking port 53 for the device, because I can reach Cloudflare DNS without problems with this command:

$ dig google.com @1.1.1.1

System: Ubuntu 24.04, Docker version 27.2.0, build 3ab4256

Not sure what's going on, and I have no experience with these distroless containers.

klutchell commented 1 month ago

Can you share the logs from the container output?

garlic-hub commented 1 month ago

Ah, sorry about that.

[1727017398] unbound[1:0] notice: init module 0: subnetcache
[1727017398] unbound[1:0] warning: subnetcache: serve-expired is set but not working for data originating from the subnet module cache.
[1727017398] unbound[1:0] warning: subnetcache: prefetch is set but not working for data originating from the subnet module cache.
[1727017398] unbound[1:0] notice: init module 1: validator
[1727017398] unbound[1:0] notice: init module 2: iterator
[1727017398] unbound[1:0] info: start of service (unbound 1.21.0).

And after I terminate:

[1727017496] unbound[1:0] info: service stopped (unbound 1.21.0).
[1727017496] unbound[1:0] info: server stats for thread 0: 1 queries, 0 answers from cache, 1 recursions, 0 prefetch, 0 rejected by ip ratelimiting
[1727017496] unbound[1:0] info: server stats for thread 0: requestlist max 0 avg 0 exceeded 0 jostled 0
[1727017496] unbound[1:0] info: average recursion processing time 1.407212 sec
[1727017496] unbound[1:0] info: histogram of recursion processing times
[1727017496] unbound[1:0] info: [25%]=0 median[50%]=0 [75%]=0
[1727017496] unbound[1:0] info: lower(secs) upper(secs) recursions
[1727017496] unbound[1:0] info:    1.000000    2.000000 1

klutchell commented 1 month ago

I wasn't able to reproduce the issue, following the same steps using the latest image.

Can you try adding -v -v to the end of your docker run command to turn up the verbosity of the unbound container logs?

garlic-hub commented 1 month ago

After a lot of messing around I found the "Block Ads" setting in my Unifi router was causing the issue. Not sure why; I assume it's just a DNS block list itself. It must be hijacking DNS requests or working at the IP level and blocking something. Sorry for the trouble.
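The diagnosis above (a router ad-blocking feature interfering with DNS) is one of several things that produce "queries to 1.1.1.1 work, but the local recursor SERVFAILs", because a forwarded query and an intercepted query look identical from the client. The script below is an added diagnostic, not part of unbound-docker or the maintainer's advice; it assumes dig is installed on the host, uses a.root-servers.net (198.41.0.4) to test whether arbitrary port-53 destinations are reachable, and sends a canary query to 192.0.2.1 (RFC 5737 documentation space), which no legitimate resolver can answer, so any reply from it means something on the path is answering port 53 on behalf of every destination.

```shell
#!/bin/sh
# Added diagnostic, not part of unbound-docker. It separates the causes of
# "forwarding to 1.1.1.1 works but local recursion SERVFAILs":
#   intercepted - something on the path answers port 53 for ANY destination IP
#                 (what an ad-blocking router feature typically does)
#   blocked     - port 53 to arbitrary hosts (root servers) is dropped
#   offline     - not even the forwarder answers; fix connectivity first
#   ok          - recursion path looks clear; look at DNSSEC/config instead
# Assumes dig is installed on the host (dnsutils / bind-tools).

ROOT_SERVER=198.41.0.4     # a.root-servers.net
BOGUS_SERVER=192.0.2.1     # RFC 5737 TEST-NET-1: no real resolver lives here

# parse_rcode: read dig output on stdin, print the rcode ("status:" field),
# or NOREPLY when no DNS header came back (timeout, ICMP unreachable, no dig).
parse_rcode() {
    code=$(sed -n 's/.*->>HEADER<<-.*status: \([A-Z]*\),.*/\1/p' | head -n 1)
    if [ -n "$code" ]; then echo "$code"; else echo NOREPLY; fi
}

# rcode_of DIG-ARGS...: run one short query and reduce it to its rcode.
rcode_of() {
    { dig +time=2 +tries=1 "$@" 2>/dev/null || true; } | parse_rcode
}

# classify FWD ROOT BOGUS: pure decision logic over the three rcodes.
# A reply from the bogus server is the decisive signal: nothing legitimate
# can answer from 192.0.2.1, so any rcode at all means port 53 is hijacked.
classify() {
    fwd=$1; root=$2; bogus=$3
    if [ "$bogus" != NOREPLY ]; then
        echo intercepted
    elif [ "$root" = NOREPLY ]; then
        if [ "$fwd" = NOREPLY ]; then echo offline; else echo blocked; fi
    else
        echo ok
    fi
}

# run_checks [NAME]: gather the three observations and print the verdict.
run_checks() {
    name=${1:-google.com}
    fwd=$(rcode_of "$name" @1.1.1.1)                 # forwarder-style query
    root=$(rcode_of . NS "@$ROOT_SERVER" +norecurse) # what a recursor does first
    bogus=$(rcode_of "$name" "@$BOGUS_SERVER")       # interception canary
    echo "forwarder=$fwd root=$root bogus=$bogus verdict=$(classify "$fwd" "$root" "$bogus")"
}

if [ "${1:-}" = "--check" ]; then run_checks "${2:-}"; fi
```

Run it from the Docker host (not inside the distroless container) as `sh dnscheck.sh --check google.com`; a verdict of `intercepted` while the recursor SERVFAILs points at the router rather than at unbound's configuration.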