Maintained by: NLnet Labs

[Unbound-users] SERVFAIL on available servers

Leen Besselink
Mon Mar 31 20:47:58 CEST 2014


On Mon, Mar 31, 2014 at 11:24:47AM -0700, Dave Warren wrote:
> I have a permanent VPN between a couple sites which is not entirely
> reliable, and unbound is configured with a stub zone pointing to
> name servers within 192.168/16 space.
> 
> The zone is defined in my unbound.conf as: example.com. IN stub
> noprime: 192.168.182.1
> 
> After the VPN has been interrupted, I see SERVFAIL from unbound for
> all queries, despite the fact that the VPN is now available and I
> can query the DNS servers across the VPN directly. If I wait, it
> will resolve itself eventually. Restarting unbound resolves the
> problem immediately, so I think it's a case of unbound caching that
> the NS are unresponsive and not trying again.
> 
> How do I confirm the problem and/or what can I do to encourage
> unbound to try again? Or is there a way to tell unbound to always
> consider the NS responsible for this zone to be available?
> 

Hi Dave,

So there are a few things and possible solutions I can tell you about:

- Yes, Unbound is probably caching that it couldn't connect to the nameserver
  and thus when you ask it again shortly after your VPN is down, it will just
  respond with: this domain is no good

- Unbound has a commandline tool called: unbound-control which allows you to
  ask Unbound for all kinds of information or ask it to do something.

- For example you can ask Unbound what it thinks about your domain:
  unbound-control lookup example.com

- Or ask Unbound to show you what it remembered about certain servers:
  unbound-control dump_infra

- Or ask Unbound to forgot what it knows about a certain domain:
  unbound-control flush_zone example.com

- Now if your VPN software supports it, you might be able to configure that software
  to automatically flush the information about your example.com zone when it is connected.

- For example OpenVPN has an 'up' script option when it is connected again, which can call
  a script with this line: unbound-control flush_zone example.com

Hope this is helpful to you.

Have a good day,
 Leen.

> -- 
> Dave Warren
> http://www.hireahit.com/
> http://ca.linkedin.com/in/davejwarren
> 
> 
> _______________________________________________
> Unbound-users mailing list
> Unbound-users at unbound.net
> http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users