Unbound not resolving some domains

nettester

I have this weird problem that had me pulling my hair out for a while now. I have this very simple (simple meaning it's config is nothing but a server section with a verbosity and an interface option - as far as i know that should mean no DNSSec) unbound setup i use and it's working quite well in general.

There is a couple of domains that simply fail to resolve though, even if google (aka 8.8.8.8) or cloudflare (aka 1.1.1.1) have no problem resolving them. Examples of such domains are www.dhl.de or whois.denic.de. Running dig with +trace works until it reaches the actual DNS servers responsible for said domains (*.akam.net for www.dhl.de or ns*.denic.net for whois.denic.de) which fail to resolve making it impossible to query them. So far so good (or rather bad) but sadly i don't really have a clue what that should tell me.

I've tried a couple (rather random) unbound options such as edns-buffer-size: 4096, module-config: "iterator" or do-ip6: no but none yielded any improvement, so i am pretty much out of ideas. Does maybe anyone have a clue what could be wrong or how to fix this situation?

(I am not sure if this should be under NetBSD as it seems to rather be related to unbound in general but if any moderator thinks otherwise feel free to move my post)

rvp

nettester Can you show your unbound.conf?

rvp

nettester Examples of such domains are www.dhl.de or whois.denic.de. Running dig with +trace works until it reaches the actual DNS servers responsible for said domains (*.akam.net for www.dhl.de or ns*.denic.net for whois.denic.de) which fail to resolve making it impossible to query them.

Can't reproduce this using the unbound on a recent-ish 9.3_STABLE. All of these resolved fine: www.dhl.de, dhl.de, www.denic.de, denic.de. (The config. file is a stripped down /usr/share/examples/unbound/unbound.conf)

Querying the A-records using host using this script also works:

query-ns.sh

#!/bin/sh

set -eu
me=${0##*/}

die() {
	echo >&2 "$me: $*"
	exit 1
}

test $# -eq 1 || die "no site-name given"

# Get nameserver list from the WHOIS service.
#
site=$1
ns=$(whois $site | sed 's/\r$//' | while read s1 s2 v junk
do	if   [ "$s1" = Nserver: ]
	then	echo $s2
	elif [ "$s1" = Name ] && [ "$s2" = Server: ]
	then	echo $v
	fi
done)
test -n "$ns" || die "no nameservers found"

# Lookup A-records for $site and www.$site on each of the NSes.
#
for a in $ns
do	host -t A $site $a
	echo "		---"
	host -t A www.$site $a
	echo "----------------------------------------"
done

What does the script print if you run:

./query-ns.sh dhl.de
./query-ns.sh denic.de

It should print the A-records for site and www.site.

nettester

rvp Of course:

server:
        verbosity: 1
        interface: 127.0.0.1

It's quite minimalistic.

nettester

rvp Sadly i can tell that this script won't work here without even trying as querying whois for dhl.de will fail if whois.denic.de can't be resolved. Actually that originally also was my intent when i noticed www.dhl.de failing to resolve.

I am getting a feeling this might be a MTU (i am using 1450 which should be correctly set for all interfaces involved though) problem or something similar as i am behind a VPN and tcpdump sees the A queries (for *.akam.net or ns*.denic.net) but seemingly there's no replies coming in. I've just run a test with tcp-upstream: yes in unbound.conf which obviously is somewhat slow but magically fixes the problem (interestingly unbound doesn't seem to fallback to TCP on it's own by default and do-tcp: yes combined with do-udp: no results in no observable network traffic at all). I guess further investigation would mean checking incoming traffic on the VPN exit to see if that's where the reply packets disappear.

rvp

nettester I am getting a feeling this might be a MTU (i am using 1450 which should be correctly set for all interfaces involved though) problem or something similar as i am behind a VPN

Yeah...that could be it. I vaguely recall named defaulting to 512 bytes for its UDP DNS packets. Try setting edns-buffer-size to 512. The unbound.conf(5) man-page says the default for that is 1232, but, that might be a tad too large for VPN UDP traffic.

kim

Using the default edns-buffer-size of 1232 should have worked just fine with the VPN MTU of 1450.

An EDNS buffer size of 1232 bytes will avoid fragmentation on nearly all current networks. This is based on an MTU of 1280, which is required by the IPv6 specification, minus 48 bytes for the IPv6 and UDP headers and the aforementioned research.
http://www.dnsflagday.net/2020/#message-size-considerations

Is there a firewall configured on the VPN, perhaps?