madnuttah / unbound-docker

🛡️ This distroless Unbound Docker image is based on Alpine Linux with focus on security, privacy, performance and a small image size. And with Pi-hole in mind.
https://hub.docker.com/r/madnuttah/unbound
MIT License
237 stars 21 forks

SERVFAIL on certain domains #68

Closed bunkerman closed 4 months ago

bunkerman commented 4 months ago

Hi, me again :) I have one domain which can't be resolved and I can't debug it. On pihole I saw that the domain geizhals.at gives a SERVFAIL and the dig command gives me:

dig geizhals.at @xxx -p 5335

; <<>> DiG 9.18.19-1~deb12u1-Debian <<>> geizhals.at @xxx -p 5335
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 53922
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;geizhals.at.            IN      A

;; Query time: 0 msec
;; SERVER: xxx#5335(xxx) (UDP)
;; WHEN: Sun May 26 13:53:20 CEST 2024
;; MSG SIZE  rcvd: 40

Do you know what happens here? I also tried other unbound docker images with their standard conf and that domain works.

bunkerman commented 4 months ago

I saw that issue https://github.com/madnuttah/unbound-docker/issues/63 and did try it without redis. geizhals.at gets resolved.

madnuttah commented 4 months ago

Hey there, I was about to point you to that very issue. So, I think you made sure that the time is consistent on all containers involved?

Please up the verbosity (edit: to 5) and check if there's something strange happening (don't forget to put it back, it's really verbose). If you want me to tackle this issue with you, I'd need all your redis related config(s) of Unbound and a more verbose log.

bunkerman commented 4 months ago

I checked and the time is right and in sync. I increased the verbosity and gathered the unbound/redis logs. There's no SERVFAIL in the logs. That's strange, isn't it? Can I share the logs and conf package via email or discord or similar?

bunkerman commented 4 months ago

I think I got it fixed. I changed the module config sequence according to the unbound manual https://unbound.docs.nlnetlabs.nl/en/release-1.20.0/manpages/unbound.conf.html#cache-db-module-options and placed cachedb second (before iterator) and the SERVFAIL is gone.
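The module ordering the comment above refers to, as an added unbound.conf example that is not the thread's own or the image's shipped config: the Unbound manual requires the cachedb module to sit between validator and iterator, so `module-config` must read "validator cachedb iterator". The "before" line below, with cachedb placed after iterator, is an assumption about what the broken config looked like (the thread only says cachedb was not second); the Redis host, port and `secret-seed` value are constructed placeholders.

```conf
# Added example, not the project's own configuration.
# Requires an Unbound build with --enable-cachedb (this image ships one).

server:
    # Assumed broken order from the thread: iterator runs before cachedb,
    # which is not the chain the manual documents and led to SERVFAIL here.
    # module-config: "validator iterator cachedb"

    # Corrected order per the unbound.conf manual: cachedb second,
    # after validator and before iterator.
    module-config: "validator cachedb iterator"

    # Temporarily raise to 5 while debugging (as suggested in the thread);
    # put it back afterwards, level 5 logs every query in detail.
    verbosity: 1

cachedb:
    backend: "redis"
    # Keys in the shared cache are hashed with this seed; every Unbound
    # instance sharing the same Redis backend must use the same value,
    # and changing it invalidates all existing cached entries.
    secret-seed: "CHANGE-ME-constructed-placeholder"
    # Constructed values: point these at your own Redis container.
    redis-server-host: 127.0.0.1
    redis-server-port: 6379
    # Milliseconds to wait for Redis before treating the lookup as a miss.
    redis-timeout: 100
```

Because cachedb stores records with absolute expiry times, the clocks of the Unbound and Redis containers also need to agree, which is why the time-sync question earlier in the thread matters; after changing `module-config`, restart Unbound and re-run the `dig ... -p 5335` check from the first comment to confirm the status is NOERROR instead of SERVFAIL.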

madnuttah commented 4 months ago

Thank you. Do you want to fix that part in the doc in a PR @bunkerman?

bunkerman commented 4 months ago

I did a commit, have a look into it!

bunkerman commented 4 months ago

I did a DNS benchmark with this Tool https://www.grc.com/dns/benchmark.htm and the changed sequence also makes it slightly slower. I don't know if this is a valid benchmark...

madnuttah commented 4 months ago

I did a commit, have a look into it!

Hi, did you want me to have a look at something?

bunkerman commented 4 months ago

Somehow the pull request was not created. I tried it again. Did it work?

madnuttah commented 4 months ago

Yes and approved already. Thanks again!