Description
Describe the bug
Since I upgraded my DNS servers to OpenBSD 7.1 with unbound 1.15.0, I have a lot of issues with DNS resolution (without changing anything in the config). I randomly get SERVFAIL for a lot of names, or something even stranger, like getting some addresses and SERVFAIL for others (see the dashlane example). The exact same config was working just fine with unbound 1.13.0 on OpenBSD 7.0. Note that it does not happen every time; it's quite sporadic.
Examples:
host dashlane.com
dashlane.com has address 65.9.82.43
dashlane.com has address 65.9.82.13
dashlane.com has address 65.9.82.36
dashlane.com has address 65.9.82.97
Host dashlane.com not found: 2(SERVFAIL)
Host dashlane.com not found: 2(SERVFAIL)
host forum.opnsense.org
Host forum.opnsense.org not found: 2(SERVFAIL)
To reproduce
Here is my partial config
server:
    log-replies: yes
    interface: 0.0.0.0@853
    tls-port: 853
    tls-service-pem: *********
    tls-service-key: *********
    outgoing-range: 8192
    outgoing-num-tcp: 256
    incoming-num-tcp: 256
    serve-expired: yes
    outbound-msg-retry: 5
    cache-max-negative-ttl: 1
    msg-cache-size: 64m
    msg-cache-slabs: 4
    num-queries-per-thread: 32
    rrset-cache-size: 128m
    rrset-cache-slabs: 4
    infra-cache-slabs: 4
    key-cache-slabs: 4
    access-control: 0.0.0.0/0 allow
    access-control: ::0/0 allow
    hide-identity: yes
    hide-version: yes
    harden-short-bufsize: yes
    harden-large-queries: yes
    harden-glue: yes
    harden-dnssec-stripped: yes
    harden-below-nxdomain: yes
    harden-referral-path: yes
    use-caps-for-id: yes
    qname-minimisation: yes
    aggressive-nsec: yes
    edns-tcp-keepalive: yes
    so-reuseport: no
    deny-any: yes
    prefetch: yes
    prefetch-key: yes
    rrset-roundrobin: yes
    minimal-responses: yes
Expected behavior
Names should resolve properly
System:
- Unbound version: 1.15.0
- OS: OpenBSD 7.1
unbound -V
output: Version 1.15.0
Configure line: --enable-allsymbols --with-ssl=/usr --with-libevent=/usr --with-libexpat=/usr --without-pythonmodule --with-chroot-dir=/var/unbound --with-pidfile= --with-rootkey-file=/var/unbound/db/root.key --with-conf-file=/var/unbound/etc/unbound.conf --with-username=_unbound --disable-shared --disable-explicit-port-randomisation --without-pthreads
Linked libs: pluggable-libevent 1.4.15-stable (it uses kqueue), LibreSSL 3.5.2
Linked modules: dns64 respip validator iterator
Additional information
I tried removing every "hardening" parameter one by one to get nearer to the stock config. And it seems that disabling use-caps-for-id solves the issue.
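The setting the reporter narrowed it down to, `use-caps-for-id`, is unbound's implementation of DNS 0x20 case randomisation: the resolver flips the case of letters in the query name at random and expects the authoritative reply to echo that exact case, which gives an off-path spoofer extra bits to guess. The flip side is that an authoritative server that normalises the case of the name in its reply fails that match. The script below is an added example written for this page, not code from the bug report or from unbound's source; it is a simplified model of the check (it does not reproduce unbound's retry or fallback logic), and the two authoritative-server behaviours in it are constructed stand-ins. It shows how much entropy 0x20 adds for the two names in the report and why a case-normalising server passes with the option off but fails with it on.

```python
"""Toy model of unbound's use-caps-for-id (DNS 0x20 case randomisation).

Added example; a simplified model, not unbound's actual code. It only models
the match check itself: with 0x20 on, the resolver compares the reply's
question name case-sensitively against the randomised name it sent.
"""
import random


def caps_for_id(qname: str, rng: random.Random) -> str:
    """Flip the case of each letter in qname at random (the 0x20 bit).

    rng only needs a getrandbits(k) method, so a stub can make the result
    deterministic for testing.
    """
    return "".join(
        (ch.upper() if rng.getrandbits(1) else ch.lower()) if ch.isalpha() else ch
        for ch in qname
    )


def extra_entropy_bits(qname: str) -> int:
    """Each letter in the name is one extra bit an off-path spoofer must guess."""
    return sum(1 for ch in qname if ch.isalpha())


def reply_matches_query(sent_qname: str, reply_qname: str,
                        caps_for_id_enabled: bool) -> bool:
    """Resolver-side match check: exact case when 0x20 is on, else case-insensitive."""
    if caps_for_id_enabled:
        return sent_qname == reply_qname
    return sent_qname.lower() == reply_qname.lower()


# Two constructed authoritative-server behaviours (hypothetical, for the model).
def auth_preserves_case(question: str) -> str:
    """Echoes the question name byte-for-byte, as 0x20 relies on."""
    return question


def auth_normalises_case(question: str) -> str:
    """Rewrites the question name to lowercase in the reply; breaks 0x20 matching."""
    return question.lower()


def simulate_lookup(qname: str, auth_reply, caps_for_id_enabled: bool,
                    rng: random.Random) -> bool:
    """One query/reply round trip; True if the resolver accepts the reply."""
    sent = caps_for_id(qname, rng) if caps_for_id_enabled else qname.lower()
    reply = auth_reply(sent)
    return reply_matches_query(sent, reply, caps_for_id_enabled)


if __name__ == "__main__":
    rng = random.Random()
    # The two names from the bug report, used here as sample input.
    for name in ("dashlane.com", "forum.opnsense.org"):
        print(f"{name}: 0x20 adds {extra_entropy_bits(name)} bits of entropy; "
              f"sent as {caps_for_id(name, rng)!r}")
        for auth in (auth_preserves_case, auth_normalises_case):
            for enabled in (True, False):
                ok = simulate_lookup(name, auth, enabled, rng)
                print(f"  {auth.__name__:<22} use-caps-for-id={'yes' if enabled else 'no':<3} "
                      f"-> {'accepted' if ok else 'MISMATCH'}")
```

The `MISMATCH` rows are the condition to look for when a name that resolves fine elsewhere starts failing only on a resolver with `use-caps-for-id: yes`: the authoritative side is reachable and answering, but its replies are rejected by the case check.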