-
-
Notifications
You must be signed in to change notification settings - Fork 348
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
unbound cannot resolve a hostname from a dedicated location #694
Comments
with the help of an IRC user U could narrow it down to
at 65.21.94.49, whereas the same query works fine at 77.0.163.53 :
|
Yes the domain shows a number of warnings. I can resolve it here just fine, but I also see that it returns NXDOMAIN for intermediate labels, which it should not do. But unbound retries with the full query name, and thus recovers from the failure, and continue with query-minimisation to resolve. The server for jcloud-cdn.com. with name ns7.jdgslb.com. and ip 114.67.121.112 shows failures. I mean it has a number of timeouts, maybe one in ten queries. Also that does not stop a resolve, because of retries. The link you have shows that another error exists, qiniudns.com has records next to a CNAME. That is likely to confuse the resolver. If the CNAME is fetched into cache, a next query will use that CNAME to continue from there, and miss these records next to the name. This all does not actually explain what happened when the lookup failed for you. For that perhaps enable log-servfail: yes and see what the log error line is about the failure. What is also useful is to enable verbosity at level 4 and get the long log trace that is produced, it details what happened. It could be that the timeouts are more frequent from that location, eg. it uses a different route or destination for that IP, and it has timeouts. Unbound keeps trying for longer than dig tries, you may find it continue in logs. |
I attached the output with verbosity:4 and val-log-level:2 and log-servfail: yes here. |
It looks like the jcloud-cdn.com. domain has nameservers that all return timeouts. No packets are returned. Also for jdgslb.com. At the end of the trace, unbound has performed retries for all 8 for the one and all 10 for the other domain. Sent queries to the nameservers and a timeout resulted. Unbound is not yet done, it can do more probing, this can take a lot longer, with exponential backoff going to 2 minutes, until at some point it gives up. Then the log-serverfail log item would be logged with an explanation, that all the nameservers are not reachable. So it looks like the issue is that for those two domains the nameservers do not respond, at that location. That is And jdgslb.com. with ns4.jdgslb.com. and ns3.jdgslb.com. with Those servers do not respond. You can find it in the log file, search for 'timeout udp' or 'DelegationPoint' printouts where the 'rtt=' values become large because of the exponential backoff. |
From a dedicated server (hosted by Hetzner in FI) I cannot resolve wdl1.pcfg.cache.wpscdn.com with unbound whereas it works fine here from Hamburg (DE) - from my desktop.
I tested at both systems with unbound version 1.13.2. and at the server with 1.15.0 too but w/o success.
The OS at both systems is a hardened stable Gentoo.
https://dnsviz.net/d/wdl1.pcfg.cache.wpscdn.com/dnssec/ shows a lot of warnings - but I do still wonder about the different behaviour.
Using 8.8.8.8 as a resolver works fine so far.
The text was updated successfully, but these errors were encountered: