Installed https://github.com/Angristan/Local-DNS-resolver/blob/master/ubuntu-unbound.sh on Ubuntu 16.04; also tried https://github.com/Angristan/Local-DNS-resolver/blob/master/centos-unbound.sh on CentOS 7.
Install succeeded. The service starts OK and is responsive:
root@dns2:~# unbound-control reload
ok
root@dns2:~# unbound-control status
version: 1.5.8
verbosity: 3
threads: 2
modules: 2 [ validator iterator ]
uptime: 415851 seconds
options: control(ssl)
unbound (pid 1469) is running...
As far as I can tell, I can usually resolve unsigned domains:
root@dns2:~# dig espncricinfo.com +dnssec +multi
; <<>> DiG 9.10.3-P4-Ubuntu <<>> espncricinfo.com +dnssec +multi
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, **status: NOERROR**, id: 61648
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;espncricinfo.com. IN A
;; ANSWER SECTION:
espncricinfo.com. 573 IN **A 52.19.167.6**
Most DNSSEC signed domains resolve OK, too:
root@dns2:~# dig dnssectest.sidn.nl +dnssec +multi
; <<>> DiG 9.10.3-P4-Ubuntu <<>> dnssectest.sidn.nl +dnssec +multi
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54219
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 5, ADDITIONAL: 17
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;dnssectest.sidn.nl. IN A
_[truncated irrelevant output]_
Stuff that should fail also tends to fail:
root@dns2:~# dig www.dnssec-failed.org
; <<>> DiG 9.10.3-P4-Ubuntu <<>> www.dnssec-failed.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, **status: SERVFAIL**, id: 61846
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.dnssec-failed.org. IN A
However, some lookups fail and I have no idea why. It does not seem to matter if the domain is signed or not.
I first noticed that I can't visit http://ipleak.net anymore. Then half the apps on my Roku claimed they have no connectivity because lookups failed.
root@dns2:~# dig -t A ipleak.net @127.0.0.1
; <<>> DiG 9.10.3-P4-Ubuntu <<>> -t A ipleak.net @127.0.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, **status: NOERROR**, id: 3183
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;ipleak.net. IN A
;; Query time: 190 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri Oct 27 00:54:28 SGT 2017
;; MSG SIZE rcvd: 39
It returns NOERROR but then doesn't provide an answer. Compare with:
root@dns2:~# dig -t A ipleak.net @208.67.222.222
; <<>> DiG 9.10.3-P4-Ubuntu <<>> -t A ipleak.net @208.67.222.222
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, **status: NOERROR**, id: 775
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;ipleak.net. IN A
;; ANSWER SECTION:
ipleak.net. 376 IN **A 95.85.16.212**
;; Query time: 177 msec
;; SERVER: 208.67.222.222#53(208.67.222.222)
;; WHEN: Fri Oct 27 00:55:11 SGT 2017
;; MSG SIZE rcvd: 55
First I thought it may just be an Ubuntu thing. But it happens on CentOS, too. Then I thought it may be some root servers refuse queries from some of my hosts (Vultr netblock). But I ended up setting up on a bunch of other hosts on Softlayer, DO, etc. in various regions and the issue persists in all cases.
What's the best way to troubleshoot this?
Some people with similar issues blamed UDP fragmentation as the culprit. I tried
edns-buffer-size: 1280
in unbound.conf, but it did not help.
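The three outcomes in the question (NOERROR with an answer, NOERROR with an empty ANSWER section, and SERVFAIL) mean different things, and telling them apart is the first step in troubleshooting a validating resolver. As an added example that is not part of the original post, the script below parses dig headers (the same lines shown above, embedded as sample input, including the `**` bold markers the post carries) and classifies each reply: NOERROR with ANSWER: 0 is a NODATA reply (RFC 2308), not a failure of the resolver to respond; SERVFAIL from a validating resolver is usually a validation failure; the `ad` flag marks an authenticated answer. It then compares the local resolver's reply with the upstream one for the same name. Function names and the classification labels are my own.

```python
"""Classify dig replies and compare a local resolver against an upstream reference.

Added example, not code from the original post. Sample inputs below are the
dig header lines from the question (constructed/trimmed to the header only).
"""
import re
from dataclasses import dataclass

# Matches "status: NOERROR" even when wrapped in markdown bold (**status: NOERROR**).
STATUS_RE = re.compile(r"status:\s*\**([A-Z]+)\**")
# Header flags plus the ANSWER and AUTHORITY counts on the ";; flags:" line.
FLAGS_RE = re.compile(
    r"^;; flags:\s*([a-z ]*?);.*?ANSWER:\s*(\d+),\s*AUTHORITY:\s*(\d+)", re.M
)
# EDNS pseudosection: "flags: do;" means the DNSSEC OK bit was set in the reply.
EDNS_RE = re.compile(r"^; EDNS: .*?flags:\s*([^;]*);", re.M)


@dataclass(frozen=True)
class DigSummary:
    status: str            # rcode: NOERROR, SERVFAIL, NXDOMAIN, ...
    flags: frozenset       # header flags such as qr, rd, ra, ad
    answer_count: int      # ANSWER: n
    authority_count: int   # AUTHORITY: n
    edns_do: bool          # DO bit present in the EDNS pseudosection


def parse_dig(output: str) -> DigSummary:
    """Extract the fields that matter for classification from dig output."""
    status_m = STATUS_RE.search(output)
    flags_m = FLAGS_RE.search(output)
    if not status_m or not flags_m:
        raise ValueError("input does not look like a dig header")
    edns_m = EDNS_RE.search(output)
    edns_flags = edns_m.group(1).split() if edns_m else []
    return DigSummary(
        status=status_m.group(1),
        flags=frozenset(flags_m.group(1).split()),
        answer_count=int(flags_m.group(2)),
        authority_count=int(flags_m.group(3)),
        edns_do="do" in edns_flags,
    )


def classify(s: DigSummary) -> str:
    """Map a reply to one of: SERVFAIL, NXDOMAIN, NODATA, ANSWER, ANSWER_AD."""
    if s.status == "SERVFAIL":
        return "SERVFAIL"          # on a validating resolver: usually validation failed
    if s.status == "NXDOMAIN":
        return "NXDOMAIN"          # the name does not exist
    if s.status == "NOERROR" and s.answer_count == 0:
        return "NODATA"            # name exists, no records of this type (RFC 2308)
    if s.status == "NOERROR":
        return "ANSWER_AD" if "ad" in s.flags else "ANSWER"
    return s.status


def compare(local_output: str, upstream_output: str) -> str:
    """Compare the local resolver's reply with an upstream reply for the same query."""
    local, upstream = parse_dig(local_output), parse_dig(upstream_output)
    lc, uc = classify(local), classify(upstream)
    if lc == uc:
        return f"agree: {lc}"
    if lc == "NODATA" and uc.startswith("ANSWER"):
        note = " (no SOA in AUTHORITY either)" if local.authority_count == 0 else ""
        return f"local NODATA vs upstream answer: resolver-side problem{note}"
    if lc == "SERVFAIL" and uc.startswith("ANSWER"):
        return "local SERVFAIL vs upstream answer: check DNSSEC validation (retry with dig +cd)"
    return f"differ: local {lc}, upstream {uc}"


# Sample inputs: header lines taken from the question's dig output.
LOCAL_IPLEAK = """;; ->>HEADER<<- opcode: QUERY, **status: NOERROR**, id: 3183
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
; EDNS: version: 0, flags:; udp: 4096
"""
UPSTREAM_IPLEAK = """;; ->>HEADER<<- opcode: QUERY, **status: NOERROR**, id: 775
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
; EDNS: version: 0, flags:; udp: 4096
"""
SIDN_SIGNED = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54219
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 5, ADDITIONAL: 17
; EDNS: version: 0, flags: do; udp: 4096
"""
DNSSEC_FAILED = """;; ->>HEADER<<- opcode: QUERY, **status: SERVFAIL**, id: 61846
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
; EDNS: version: 0, flags:; udp: 4096
"""

if __name__ == "__main__":
    for name, out in [("ipleak local", LOCAL_IPLEAK), ("ipleak upstream", UPSTREAM_IPLEAK),
                      ("sidn", SIDN_SIGNED), ("dnssec-failed", DNSSEC_FAILED)]:
        print(f"{name:16} -> {classify(parse_dig(out))}")
    print(compare(LOCAL_IPLEAK, UPSTREAM_IPLEAK))
```

The interesting outcome is the NODATA case: a negative reply from an authoritative server normally carries the zone's SOA in the AUTHORITY section (RFC 2308), so NOERROR with both ANSWER: 0 and AUTHORITY: 0, as in the local ipleak.net reply above, points at something the resolver produced rather than forwarded. With Unbound, `unbound-control flush ipleak.net` followed by a repeat query, and `dig +cd` (checking disabled) to see whether the empty reply survives without validation, separate a stale or poisoned negative cache entry from a validation or iteration problem; raising `verbosity` while reproducing the query then shows which of the two it is.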