Hi,

I tried configuring dnss to use unbound on localhost as the `fallback_upstream`, but I'm getting SERVFAIL some of the time. Not always, just some of the time. From the logs, I think dnss might be trying to use the system resolver (systemd-resolved) instead of unbound to look up `fallback_domains`.
I'm on Debian stable, using dnss `0.0~git20180721.0.2de63ab0-1+b11`, so apologies if this is something that's been fixed already. I looked at the git history and didn't see anything that looked relevant though.
dnss command, from `ps`:

```
/usr/bin/dnss --dns_listen_addr=systemd --enable_cache=false --enable_dns_to_https --fallback_domains=dns.google. --fallback_upstream=[::1]:14653 --force_mode=DoH --https_upstream=https://dns.google/dns-query
```
Relevant ports, from `ss`:

```
udp UNCONN 0 0 [::1]:25953 [::]:* users:(("dnss",pid=384,fd=5),("systemd",pid=1,fd=57))
tcp LISTEN 0 128 [::1]:25953 [::]:* users:(("dnss",pid=384,fd=3),("systemd",pid=1,fd=58))
udp UNCONN 0 0 [::1]:14653 [::]:* users:(("unbound",pid=440,fd=3))
tcp LISTEN 0 128 [::1]:14653 [::]:* users:(("unbound",pid=440,fd=4))
```
unbound is correctly resolving `dns.google.`:

```
# dig dns.google @::1 -p 14653

; <<>> DiG 9.11.5-P4-5.1+deb10u3-Debian <<>> dns.google @::1 -p 14653
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1118
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;dns.google.			IN	A

;; ANSWER SECTION:
dns.google.		744	IN	A	8.8.8.8
dns.google.		744	IN	A	8.8.4.4

;; Query time: 0 msec
;; SERVER: ::1#14653(::1)
;; WHEN: Mon Mar 01 23:31:20 EST 2021
;; MSG SIZE  rcvd: 71
```
But dnss is returning SERVFAIL:

```
# dig google.com @::1 -p 25953

; <<>> DiG 9.11.5-P4-5.1+deb10u3-Debian <<>> google.com @::1 -p 25953
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4451
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;google.com.			IN	A

;; Query time: 4001 msec
;; SERVER: ::1#25953(::1)
;; WHEN: Mon Mar 01 23:31:35 EST 2021
;; MSG SIZE  rcvd: 28
```
System logs, starting when I queried dnss for google.com:

```
Mar 01 23:33:51 sakaar dnss[786]: _ server.go:134 resolver query error: POST failed: Post https://dns.google/dns-query: net/http: request canceled while waiting for connection (Client.Timeout exceeded while awaiting headers)
Mar 01 23:33:51 sakaar dnss[786]: _ server.go:134 resolver query error: POST failed: Post https://dns.google/dns-query: net/http: request canceled while waiting for connection (Client.Timeout exceeded while awaiting headers)
Mar 01 23:33:51 sakaar systemd-resolved[843]: DNSSEC validation failed for question . IN SOA: no-signature
Mar 01 23:33:51 sakaar systemd-resolved[843]: DNSSEC validation failed for question google IN DS: no-signature
Mar 01 23:33:51 sakaar systemd-resolved[843]: DNSSEC validation failed for question google IN SOA: no-signature
Mar 01 23:33:51 sakaar systemd-resolved[843]: DNSSEC validation failed for question google IN DNSKEY: no-signature
Mar 01 23:33:51 sakaar systemd-resolved[843]: DNSSEC validation failed for question dns.google IN DS: no-signature
Mar 01 23:33:51 sakaar systemd-resolved[843]: DNSSEC validation failed for question dns.google IN DNSKEY: no-signature
Mar 01 23:33:51 sakaar systemd-resolved[843]: DNSSEC validation failed for question dns.google IN AAAA: no-signature
Mar 01 23:33:51 sakaar systemd-resolved[843]: DNSSEC validation failed for question dns.google IN A: no-signature
Mar 01 23:33:54 sakaar dnss[786]: _ server.go:134 resolver query error: POST failed: Post https://dns.google/dns-query: net/http: request canceled while waiting for connection (Client.Timeout exceeded while awaiting headers)
Mar 01 23:33:55 sakaar dnss[786]: _ server.go:134 resolver query error: POST failed: Post https://dns.google/dns-query: net/http: request canceled while waiting for connection (Client.Timeout exceeded while awaiting headers)
Mar 01 23:33:55 sakaar dnss[786]: _ server.go:134 resolver query error: POST failed: Post https://dns.google/dns-query: net/http: request canceled while waiting for connection (Client.Timeout exceeded while awaiting headers)
Mar 01 23:33:56 sakaar dnss[786]: _ server.go:134 resolver query error: POST failed: Post https://dns.google/dns-query: dial tcp: lookup dns.google: Temporary failure in name resolution
Mar 01 23:33:56 sakaar dnss[786]: _ server.go:134 resolver query error: POST failed: Post https://dns.google/dns-query: dial tcp: lookup dns.google: Temporary failure in name resolution
Mar 01 23:34:00 sakaar dnss[786]: _ server.go:134 resolver query error: POST failed: Post https://dns.google/dns-query: net/http: request canceled while waiting for connection (Client.Timeout exceeded while awaiting headers)
Mar 01 23:34:00 sakaar dnss[786]: _ server.go:134 resolver query error: POST failed: Post https://dns.google/dns-query: net/http: request canceled while waiting for connection (Client.Timeout exceeded while awaiting headers)
Mar 01 23:34:04 sakaar dnss[786]: _ server.go:134 resolver query error: POST failed: Post https://dns.google/dns-query: net/http: request canceled while waiting for connection (Client.Timeout exceeded while awaiting headers)
Mar 01 23:34:04 sakaar dnss[786]: _ server.go:134 resolver query error: POST failed: Post https://dns.google/dns-query: net/http: request canceled while waiting for connection (Client.Timeout exceeded while awaiting headers)
Mar 01 23:34:05 sakaar dnss[786]: _ server.go:134 resolver query error: POST failed: Post https://dns.google/dns-query: net/http: request canceled while waiting for connection (Client.Timeout exceeded while awaiting headers)
Mar 01 23:34:06 sakaar dnss[786]: _ server.go:134 resolver query error: POST failed: Post https://dns.google/dns-query: dial tcp: lookup dns.google: Temporary failure in name resolution
Mar 01 23:34:06 sakaar dnss[786]: _ server.go:134 resolver query error: POST failed: Post https://dns.google/dns-query: dial tcp: lookup dns.google: Temporary failure in name resolution
```
The fact that systemd-resolved appears to be trying to look up `dns.google` makes me think that somehow dnss is using the local resolver via `getaddrinfo()` or similar, instead of querying the `fallback_upstream`, but I'm just guessing. Any ideas how this could happen?