Comments (9)
Can you write the issue in English? If this is about resolution of a particular name, the logs when verbosity: 5 is enabled could be useful to look at to see what is going on.
from unbound.
This is the log.
unbound.txt
This is useful:
error: SERVFAIL <itp.hncsmtr.com. HTTPS IN>: all servers for this domain failed, at zone itp.hncsmtr.com. upstream server timeout
So all the servers for the zone give no response. This makes the lookup fail. In addition, all of the IPv6 addresses fail with network unreachable errors; it is probably a good idea to set do-ip6: no because that would then not bother with the effort. But the lookup failure for the query is caused by the servers for the zone, on ip4, having timeouts.
Another interesting bit is this one, when sending to
sending to target: <itp.hncsmtr.com.> 218.76.13.58#53
it receives the error
error: recvfrom 82 failed: Connection refused
So the upstream server has connection refused. Perhaps the upstream server is not running or the firewall disallows access from the outside.
And then this error,
error: SERVFAIL <itp.hncsmtr.com. AAAA IN>: all servers for this domain failed, at zone itp.hncsmtr.com. from 111.22.160.50 could not parse upstream response
and also for other types. The upstream server includes an EDNS record that says it contains 11 bytes of rdata, but those bytes are not in the packet. The packet length is too short. Possibly that is the reply for the edns client subnet rdata element. The upstream server's malformed response is then not picked up by unbound, and unbound continues to attempt other servers, which time out.
Since the upstream servers respond with malformed EDNS record contents, it is probably best to not send them edns client subnet queries. It is possible to configure which upstream hosts get subnet info, with the send-client-subnet and client-subnet-zone options, and then not include this zone and its servers in that list.
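The "could not parse upstream response" case in the comment above, as an added example that is not part of this thread and not unbound's code: a small wire-format checker that builds a constructed DNS reply carrying an EDNS Client Subnet option, then a copy whose OPT RDLENGTH still promises 11 bytes of RDATA that the packet no longer carries, and shows how a resolver's length checks reject the second one. The domain example.com, the addresses and every function name are assumptions made for the example. One detail worth noting: an ECS option for an IPv4 /24 is exactly 11 bytes (4-byte option header, 2-byte family, 1-byte source prefix, 1-byte scope prefix, 3 address octets), which is consistent with the guess above that the missing rdata is the client-subnet element.

```python
"""Added example (not from this thread or from unbound): a resolver-side checker
that detects an EDNS OPT record whose RDLENGTH exceeds the packet.
All packets are constructed here; example.com and the function names are illustrative."""
import struct

OPT_TYPE = 41          # RFC 6891 OPT pseudo-RR type
ECS_OPTION_CODE = 8    # RFC 7871 EDNS Client Subnet option code


def encode_name(name: str) -> bytes:
    """Uncompressed wire-format owner name."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_ecs_option(address: str, source_prefix: int, scope_prefix: int) -> bytes:
    """ECS option: CODE(2) LEN(2) FAMILY(2) SOURCE(1) SCOPE(1) ADDRESS(ceil(source/8) bytes)."""
    octets = bytes(int(o) for o in address.split("."))
    payload = struct.pack("!HBB", 1, source_prefix, scope_prefix)
    payload += octets[:(source_prefix + 7) // 8]
    return struct.pack("!HH", ECS_OPTION_CODE, len(payload)) + payload


def build_response(qname: str, opt_rdata: bytes) -> bytes:
    """Constructed NOERROR reply: question, one A record, OPT RR in the additional section."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 1)
    question = encode_name(qname) + struct.pack("!HH", 1, 1)  # A IN
    answer = encode_name(qname) + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 10])
    # OPT RR: root owner, TYPE 41, CLASS = UDP payload size, TTL = ext-RCODE/flags, RDLENGTH, RDATA
    opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, 1232, 0, len(opt_rdata)) + opt_rdata
    return header + question + answer + opt


def skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past an owner name (handles compression pointers)."""
    while True:
        if off >= len(msg):
            raise ValueError("name runs past end of packet")
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length


def decode_ecs(rdata: bytes) -> dict:
    """Walk the OPT option list and return the ECS fields (empty dict if no ECS option)."""
    off = 0
    while off < len(rdata):
        if off + 4 > len(rdata):
            raise ValueError("truncated option header")
        code, olen = struct.unpack("!HH", rdata[off:off + 4])
        off += 4
        if off + olen > len(rdata):
            raise ValueError("option length exceeds OPT RDATA")
        body = rdata[off:off + olen]
        off += olen
        if code == ECS_OPTION_CODE:
            if olen < 4:
                raise ValueError("ECS option too short")
            family, source, scope = struct.unpack("!HBB", body[:4])
            if len(body) - 4 != (source + 7) // 8:
                raise ValueError("ECS address length does not match source prefix")
            return {"family": family, "source_prefix": source,
                    "scope_prefix": scope, "address": body[4:]}
    return {}


def parse_opt(msg: bytes) -> dict:
    """Parse the message, checking every RDLENGTH against the packet, and decode the OPT RR."""
    if len(msg) < 12:
        raise ValueError("truncated header")
    qd, an, ns, ar = struct.unpack("!HHHH", msg[4:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        if off + 10 > len(msg):
            raise ValueError("truncated RR fixed fields")
        rrtype, _, _, rdlength = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if off + rdlength > len(msg):
            # The defect discussed in the thread: RDATA promised but not present in the packet.
            raise ValueError(f"RDLENGTH {rdlength} exceeds packet, {len(msg) - off} bytes remain")
        if rrtype == OPT_TYPE:
            return decode_ecs(msg[off:off + rdlength])
        off += rdlength
    return {}


def classify_upstream_response(msg: bytes) -> str:
    """A resolver's verdict: 'ok', or the reason it would log the reply as unparseable."""
    try:
        parse_opt(msg)
        return "ok"
    except ValueError as err:
        return f"could not parse upstream response ({err})"


# Constructed samples: an ECS option for an IPv4 /24 is exactly 11 bytes of OPT RDATA.
ECS = build_ecs_option("198.51.100.0", 24, 24)
GOOD = build_response("example.com.", ECS)
BAD = GOOD[:-len(ECS)]  # RDLENGTH still says 11, but those 11 bytes were never sent

if __name__ == "__main__":
    print(len(ECS), parse_opt(GOOD))
    print(classify_upstream_response(BAD))
```

Running the file prints the decoded ECS fields for the well-formed reply and the rejection reason for the truncated one. A resolver that performs the RDLENGTH check this way drops the reply instead of trusting whatever bytes follow, which is the behaviour the log line above reflects before unbound moves on to the next server.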
So, how should these domain names be configured to be excluded from the edns client subnet? If this also happens on the root domain name and all subdomains of that domain name, how can that be configured and excluded?
I think something like client-subnet-always-forward: no, and then client-subnet-zone: "example.com" to send to example.com and other zones for which subnet is desired. But then hncsmtr.com is not configured in that way and also its nameservers are not configured. With send-client-subnet: 192.0.2.1 specific nameservers can be configured to send subnet to.
But I need every request to go through the edns client subnet, except hncsmtr.com and the subdomains of that domain name.
The edns subnet configuration is set up to have an allowlist, and it does not have rejectlist configuration.
Can it be developed? Because this kind of unresolvable domain name is only a small number of domain names; most domain names are resolved.
We do not want to support this. This is caused by edns-client-subnet. The feature is not meant to be deployed at large. It should be deployed only to a whitelisted range. The reasons for that are privacy reasons, and the standards issues that arise from probing complexity and DNS architecture decisions wanting to have the query name as determinant of outcome. The other server is buggy, in that it sends a bad reply. Unbound should not deploy fixups for it; this has been a topic of discussion, e.g. DNS flag day 2019. Unbound does not implement the probing strategy from RFC 7871 section 12.1, but uses the whitelist approach from section 12.2.