I have moved to a new location with a new provider. I plugged in Turris and everything works fine except Unbound, which started returning SERVFAIL, and I can’t discern why.
I’ll happily provide any necessary information, but I am at a loss as to why it does that. When I change DNS manually in resolv.conf, resolving works as it should. Trying to set up DoT is not helpful.
Here is the output of resolver-debug:
/etc/resolver/resolver-debug.sh start
Start debug
== enable verbose logging (reboot to disable it) ==
/usr/sbin/unbound-control
0
ok
resolver.common=resolver
resolver.common.interface='0.0.0.0' '::0'
resolver.common.port='53'
resolver.common.keyfile='/etc/root.keys'
resolver.common.verbose='0'
resolver.common.msg_buffer_size='4096'
resolver.common.msg_cache_size='20M'
resolver.common.net_ipv6='1'
resolver.common.net_ipv4='1'
resolver.common.prefered_resolver='unbound'
resolver.common.ignore_root_key='0'
resolver.common.static_domains='1'
resolver.common.dynamic_domains='1'
resolver.common.forward_custom='99_cloudflare'
resolver.common.forward_upstream='0'
resolver.kresd=resolver
resolver.kresd.rundir='/tmp/kresd'
resolver.kresd.log_stderr='0'
resolver.kresd.log_stdout='0'
resolver.kresd.forks='1'
resolver.unbound=resolver
resolver.unbound.outgoing_range='60'
resolver.unbound.outgoing_num_tcp='1'
resolver.unbound.incoming_num_tcp='1'
resolver.unbound.msg_cache_slabs='1'
resolver.unbound.num_queries_per_thread='30'
resolver.unbound.rrset_cache_size='100K'
resolver.unbound.rrset_cache_slabs='1'
resolver.unbound.infra_cache_slabs='1'
resolver.unbound.infra_cache_numhosts='200'
resolver.unbound.access_control='0.0.0.0/0 allow' '::0/0 allow'
resolver.unbound.pidfile='/var/run/unbound.pid'
resolver.unbound.root_hints='/etc/unbound/named.cache'
resolver.unbound.target_fetch_policy='2 1 0 0 0'
resolver.unbound.harden_short_bufsize='yes'
resolver.unbound.harden_large_queries='yes'
resolver.unbound.qname_minimisation='yes'
resolver.unbound.harden_below_nxdomain='yes'
resolver.unbound.key_cache_size='100k'
resolver.unbound.key_cache_slabs='1'
resolver.unbound.neg_cache_size='10k'
resolver.unbound.prefetch='yes'
resolver.unbound.prefetch_key='yes'
resolver.unbound_remote_control=resolver
resolver.unbound_remote_control.control_enable='yes'
resolver.unbound_remote_control.control_use_cert='no'
resolver.unbound_remote_control.control_interface='127.0.0.1'
== resolv.conf* ==
/etc/resolv.conf:search lan
/etc/resolv.conf:nameserver 127.0.0.1
/tmp/resolv.conf:search lan
/tmp/resolv.conf:nameserver 127.0.0.1
/tmp/resolv.conf.auto:# Interface wan
== DNSSEC root key file ==
cb02e46d912d6e4ab17dbc8289f4d14b /etc/root.keys
/etc/root.keys:. IN DS 20326 8 2 e06d44b80b8f1d39a95c0b0d7c65d08458e880409bbc683457104237c7f8ec8d
. IN DS 20326 8 2 e06d44b80b8f1d39a95c0b0d7c65d08458e880409bbc683457104237c7f8ec8d
== resolver process ==
TBD
== resolution attempts ==
; <<>> DiG 9.16.31 <<>> @127.0.0.1 +dnssec repo.turris.cz
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 47575
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
;; QUESTION SECTION:
;repo.turris.cz. IN A
;; Query time: 876 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sun Aug 28 21:39:40 CEST 2022
;; MSG SIZE rcvd: 43
; <<>> DiG 9.16.31 <<>> @127.0.0.1 +dnssec www.google.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 37374
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
;; QUESTION SECTION:
;www.google.com. IN A
;; Query time: 1672 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sun Aug 28 21:39:42 CEST 2022
;; MSG SIZE rcvd: 43
; <<>> DiG 9.16.31 <<>> @127.0.0.1 +dnssec www.facebook.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 58906
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
;; QUESTION SECTION:
;www.facebook.com. IN A
;; Query time: 1712 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sun Aug 28 21:39:43 CEST 2022
;; MSG SIZE rcvd: 45
; <<>> DiG 9.16.31 <<>> @127.0.0.1 +dnssec www.youtube.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 40408
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
;; QUESTION SECTION:
;www.youtube.com. IN A
;; Query time: 1656 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sun Aug 28 21:39:45 CEST 2022
;; MSG SIZE rcvd: 44
; <<>> DiG 9.16.31 <<>> @127.0.0.1 +dnssec www.rhybar.cz
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 7406
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
;; QUESTION SECTION:
;www.rhybar.cz. IN A
;; Query time: 880 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sun Aug 28 21:39:46 CEST 2022
;; MSG SIZE rcvd: 42
; <<>> DiG 9.16.31 <<>> @127.0.0.1 +dnssec *.wilda.rhybar.0skar.cz
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 43486
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
;; QUESTION SECTION:
;*.wilda.rhybar.0skar.cz. IN A
;; Query time: 879 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sun Aug 28 21:39:47 CEST 2022
;; MSG SIZE rcvd: 52
; <<>> DiG 9.16.31 <<>> @127.0.0.1 +dnssec *.wilda.nsec.0skar.cz
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 19662
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
;; QUESTION SECTION:
;*.wilda.nsec.0skar.cz. IN A
;; Query time: 875 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sun Aug 28 21:39:48 CEST 2022
;; MSG SIZE rcvd: 50
; <<>> DiG 9.16.31 <<>> @127.0.0.1 +dnssec *.wild.nsec.0skar.cz
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 38153
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
;; QUESTION SECTION:
;*.wild.nsec.0skar.cz. IN A
;; Query time: 879 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sun Aug 28 21:39:49 CEST 2022
;; MSG SIZE rcvd: 49
; <<>> DiG 9.16.31 <<>> @127.0.0.1 +dnssec *.wilda.0skar.cz
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 56770
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
;; QUESTION SECTION:
;*.wilda.0skar.cz. IN A
;; Query time: 839 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sun Aug 28 21:39:50 CEST 2022
;; MSG SIZE rcvd: 45
; <<>> DiG 9.16.31 <<>> @127.0.0.1 +dnssec *.wild.0skar.cz
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 15840
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
;; QUESTION SECTION:
;*.wild.0skar.cz. IN A
;; Query time: 875 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sun Aug 28 21:39:51 CEST 2022
;; MSG SIZE rcvd: 44
; <<>> DiG 9.16.31 <<>> @127.0.0.1 +dnssec www.wilda.nsec.0skar.cz
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 64065
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
;; QUESTION SECTION:
;www.wilda.nsec.0skar.cz. IN A
;; Query time: 871 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sun Aug 28 21:39:52 CEST 2022
;; MSG SIZE rcvd: 52
; <<>> DiG 9.16.31 <<>> @127.0.0.1 +dnssec www.wilda.0skar.cz
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 32431
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
;; QUESTION SECTION:
;www.wilda.0skar.cz. IN A
;; Query time: 871 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sun Aug 28 21:39:53 CEST 2022
;; MSG SIZE rcvd: 47
; <<>> DiG 9.16.31 <<>> @127.0.0.1 +dnssec *.wilda.rhybar.ecdsa.0skar.cz
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 26170
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
;; QUESTION SECTION:
;*.wilda.rhybar.ecdsa.0skar.cz. IN A
;; Query time: 879 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sun Aug 28 21:39:54 CEST 2022
;; MSG SIZE rcvd: 58