On 4/27/22 10:25, Stuart Henderson wrote:
> On 2022-04-27, Renaud Allard <renaud@allard.it> wrote:
>> On 4/26/22 16:25, Renaud Allard wrote:
>>>
>>> Hello,
>>>
>>> Since I upgraded my DNS servers to 7.1 with unbound 1.15.0, I have a lot
>>> of issues with DNS resolution (without changing anything in the config).
>>> I randomly get SERVFAIL (or sometimes NXDOMAIN) for a lot of names, or
>>> something even stranger like some addresses and SERVFAIL for others (see
>>> dashlane example).
>>>
>>> Examples:
>>> host dashlane.com
>>> dashlane.com has address 65.9.82.43
>>> dashlane.com has address 65.9.82.13
>>> dashlane.com has address 65.9.82.36
>>> dashlane.com has address 65.9.82.97
>>> Host dashlane.com not found: 2(SERVFAIL)
>>> Host dashlane.com not found: 2(SERVFAIL)
>>>
>>>
>>> host forum.opnsense.org
>>> Host forum.opnsense.org not found: 2(SERVFAIL)
>>>
>>
>>> use-caps-for-id: yes
>>
>> After removing the use-caps-for-id, it seems the resolver works fine. I
>> opened the following bug report
>> https://github.com/NLnetLabs/unbound/issues/670
>
> I'm not aware of intentional changes in use-caps-for-id between the
> versions of Unbound in 7.0 and 7.1, it might be worth trying the old
> version again to rule out a coincidental change on the authoritative
> servers for those domains, it can happen.
Indeed, I searched all the git history until 1.13.0 and couldn't find
any intentional change for that specific parameter. And, it would seem
strange that multiple unrelated domains would be affected by the same
issue, although the issue was way more present for cloudflare hosted
domains.
>
> (there is some fallback in unbound for hosts which don't handle this,
> but I think it might not cope if there's differing behaviour between
> multiple hosts load-balanced behind a single backend IP).
>
> Maybe consider packet captures to the auth servers for some domains
> you've seen problems? You aren't on an ISP which might be intercepting
> some DNS requests are you?
I had the issue on 7 machines, located at different places with
different providers, in Belgium, Switzerland, Italy and France. So, I
guess interception is not the cause.
Given that the issue is sporadic, it's really very hard to trace as once
you have it in the cache, you need to clear it to test and once cleared,
you might not see the issue right after.
What I am more concerned about is that the issue could be OpenBSD 7.1
related, but I don't see any reason why either. Hence I opened the bug
report at unbound.
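A small diagnostic, added here as an example and not part of the thread or of unbound, for the behaviour Stuart describes: it sends 0x20 case-randomised queries (what use-caps-for-id does) straight to an authoritative server and reports, per try, whether the echoed question kept the sent case and which rcode came back, so answers that differ between tries point at load-balanced backends behaving differently. The server address, the function names and the sample name are assumptions of mine.

```python
# Added example: minimal 0x20 (use-caps-for-id) probe against an authoritative server.
import random
import socket
import struct

def randomize_case(name):
    # 0x20 encoding: each letter's case is chosen at random, as use-caps-for-id does
    return "".join(c.upper() if random.getrandbits(1) else c.lower() for c in name)

def encode_name(name):
    # Wire-format name: length-prefixed labels terminated by a zero byte
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_query(qname, txid):
    # Standard query, RD=0 (we talk to an authoritative server), one question, A/IN
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", 1, 1)

def question_name(msg):
    # Decode the question name exactly as it appears on the wire (case kept)
    pos, labels = 12, []
    while msg[pos] != 0:
        n = msg[pos]
        labels.append(msg[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    return ".".join(labels) + "."

def rcode(msg):
    return struct.unpack("!H", msg[2:4])[0] & 0x0F

def check_0x20(sent_query, response):
    """Return (case_preserved, rcode), or None if the transaction ID does not match.
    A reply whose question case differs is what a 0x20-validating resolver discards."""
    if sent_query[:2] != response[:2]:
        return None
    return question_name(sent_query) == question_name(response), rcode(response)

def probe(server_ip, name, tries=5, timeout=2.0):
    """Send `tries` randomised queries to server_ip; per-try results expose backends
    that answer differently behind one IP. None marks a timeout."""
    results = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        for _ in range(tries):
            q = build_query(randomize_case(name), random.getrandbits(16))
            s.sendto(q, (server_ip, 53))
            try:
                resp, _ = s.recvfrom(4096)
                results.append(check_0x20(q, resp))
            except socket.timeout:
                results.append(None)
    return results
```

Run `probe("<auth-server-ip>", "dashlane.com.")` against each nameserver of an affected zone; a mix of `(True, 0)` and `(False, ...)` across tries is the load-balanced case the thread suspects.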