Tuesday, April 26, 2022

OpenBSD 7.1 and unbound 1.15.0

Hello,

Since I upgraded my DNS servers to 7.1 with unbound 1.15.0, I have had a lot
of issues with DNS resolution (without changing anything in the config).
I randomly get SERVFAIL (or sometimes NXDOMAIN) for a lot of names, or
something even stranger, like some addresses and SERVFAIL for others (see
the dashlane example).

Examples:
host dashlane.com
dashlane.com has address 65.9.82.43
dashlane.com has address 65.9.82.13
dashlane.com has address 65.9.82.36
dashlane.com has address 65.9.82.97
Host dashlane.com not found: 2(SERVFAIL)
Host dashlane.com not found: 2(SERVFAIL)


host forum.opnsense.org
Host forum.opnsense.org not found: 2(SERVFAIL)

host www.takewaway.com
Host www.takewaway.com not found: 3(NXDOMAIN)

My unbound config is like this:
server:
    log-replies: yes
    interface: 0.0.0.0@853
    tls-port: 853
    tls-service-pem: *********
    tls-service-key: *********
    outgoing-range: 8192
    outgoing-num-tcp: 256
    incoming-num-tcp: 256
    serve-expired: yes
    outbound-msg-retry: 5
    cache-max-negative-ttl: 1
    msg-cache-size: 64m
    msg-cache-slabs: 4
    num-queries-per-thread: 32
    rrset-cache-size: 128m
    rrset-cache-slabs: 4
    infra-cache-slabs: 4
    key-cache-slabs: 4
    access-control: 0.0.0.0/0 allow
    access-control: ::0/0 allow
    hide-identity: yes
    hide-version: yes
    harden-short-bufsize: yes
    harden-large-queries: yes
    harden-glue: yes
    harden-dnssec-stripped: yes
    harden-below-nxdomain: yes
    harden-referral-path: yes
    use-caps-for-id: yes
    qname-minimisation: yes
    aggressive-nsec: yes
    edns-tcp-keepalive: yes
    so-reuseport: no
    deny-any: yes
    prefetch: yes
    prefetch-key: yes
    rrset-roundrobin: yes
    minimal-responses: yes


I added these afterwards as it seems to help, but there is still an issue.
    serve-expired: yes
    outbound-msg-retry: 5
    cache-max-negative-ttl: 1

Is there anyone noticing this too?

Thanks
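The host(1) output above mixes addresses with "2(SERVFAIL)" lines because host looks up A, AAAA and MX records for a name and prints each lookup's outcome, so the dashlane case is one record type answered and the others failing. The following script is an added example, not part of the post or of unbound, for putting numbers on that pattern: it builds DNS queries with the standard library only, decodes the response header (RCODE 2 is SERVFAIL, 3 is NXDOMAIN, matching the host output), and classifies a name as ok, partial, servfail or nxdomain. The resolver address 127.0.0.1:53 and the use of plain UDP are assumptions; the config in the post only shows a TLS listener on port 853, so point `probe()` at a plain-DNS listener of your own.

```python
"""Added example (not from the original post): build a DNS query, decode the
response header and classify per-name results the way host(1) output reads,
so intermittent SERVFAILs can be counted rather than eyeballed.
Stdlib only; the resolver address and names are placeholders."""
import random
import socket
import struct

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
          4: "NOTIMP", 5: "REFUSED"}
QTYPES = {"A": 1, "MX": 15, "AAAA": 28}


def build_query(name, qtype="A", txid=None):
    """Return a wire-format query with RD set (recursion desired)."""
    txid = random.randrange(65536) if txid is None else txid
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", QTYPES[qtype], 1)


def parse_header(data):
    """Decode the 12-byte header: transaction id, RCODE and section counts."""
    if len(data) < 12:
        raise ValueError("truncated DNS message")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    rcode = flags & 0x000F
    return {"id": txid, "rcode": rcode,
            "status": RCODES.get(rcode, "RCODE%d" % rcode),
            "answers": an, "authority": ns, "additional": ar}


def classify(results):
    """results maps qtype -> status for one name.
    'partial' is the mixed pattern from the post: some answers, some SERVFAIL."""
    statuses = set(results.values())
    if statuses == {"NOERROR"}:
        return "ok"
    if "SERVFAIL" in statuses and "NOERROR" in statuses:
        return "partial"
    if "SERVFAIL" in statuses:
        return "servfail"
    if "NXDOMAIN" in statuses:
        return "nxdomain"
    return "other"


def probe(resolver, name, qtypes=("A", "AAAA", "MX"), timeout=3.0):
    """Query resolver (ip, port) over UDP for each type; needs network access."""
    results = {}
    for qtype in qtypes:
        txid = random.randrange(65536)
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(build_query(name, qtype, txid), resolver)
            try:
                data, _ = s.recvfrom(4096)
            except socket.timeout:
                results[qtype] = "TIMEOUT"
                continue
        hdr = parse_header(data)
        # A reply whose id does not match ours is discarded, not trusted.
        results[qtype] = hdr["status"] if hdr["id"] == txid else "BADID"
    return results


if __name__ == "__main__":
    # Placeholder resolver (assumption); replace with the unbound instance under test.
    print(classify(probe(("127.0.0.1", 53), "example.com")))
```

Run it in a loop over the names that misbehave and keep the classify() result per run; a resolver that alternates between "ok" and "partial" for the same name is failing on specific record types, which narrows where to look in the unbound log (log-replies is already on in the config above).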
