Unbound SERVFAIL Exceeded maximum number of sends

Started by Azokul, March 13, 2024, 06:35:48 PM

March 13, 2024, 06:35:48 PM Last Edit: March 15, 2024, 01:19:30 AM by Azokul
Hi,
I have had a problem where sometimes (usually at the peak moments of the day) DNS requests get a SERVFAIL for exceeded number of sends. (It's usually 3-4 times a day.)

Before upgrading to OPNsense 24.1.3_1-amd64 I didn't have this kind of problem.
I tried double checking my setup just to be sure, but nothing there seemed out of place.

IPv6 is disabled overall, I'm using 8.8.8.8 or 1.1.1.1 as default DNS on OPNsense, with no override on LANs.

In unbound I don't have DNSSEC and I don't have query forwarding ON.

Every now and then I get SERVFAIL for exceeded maximum requests; I have up to 8000 contemporary requests at specific times of the day.
If I switch to dnsmasq I have no problems.

2024-03-13T15:30:01 Error unbound [87768:2] error: SERVFAIL <mi-speedtest.optimaitalia.com. A IN>: exceeded the maximum number of sends
2024-03-13T15:06:43 Error unbound [87768:2] error: SERVFAIL <cdn.id5-sync.com. A IN>: exceeded the maximum number of sends
2024-03-13T13:42:53 Error unbound [87768:1] error: SERVFAIL <ecs.office.com. A IN>: exceeded the maximum number of sends
2024-03-13T13:37:06 Error unbound [87768:1] error: SERVFAIL <www.msftncsi.com. AAAA IN>: exceeded the maximum number of sends


An example of an extended log:

2024-03-13T18:33:03 Informational unbound [8352:2] info: query response was REFERRAL
2024-03-13T18:33:03 Informational unbound [8352:2] info: reply from <com.> 192.35.51.30#53
2024-03-13T18:33:03 Informational unbound [8352:2] info: response for _https._tcp.developer.download.nvidia.com. SRV IN
2024-03-13T18:33:03 Informational unbound [8352:2] info: resolving _https._tcp.developer.download.nvidia.com. SRV IN
2024-03-13T18:33:03 Error unbound [8352:0] error: SERVFAIL <_https._tcp.developer.download.nvidia.com. SRV IN>: exceeded the maximum number of sends
2024-03-13T18:33:03 Informational unbound [8352:1] info: resolving ns3.canonical.com. AAAA IN
2024-03-13T18:33:03 Informational unbound [8352:0] info: resolving _https._tcp.developer.download.nvidia.com. SRV IN
2024-03-13T18:33:03 Informational unbound [8352:1] info: resolving _http._tcp.archive.ubuntu.com. SRV IN


Thanks in advance :)
EDIT. Dum dum here. I double checked ACL and I had allow as default action, while unbound was servicing WAN. I removed WAN, set ACL to Deny and everything is running smoothly.

March 27, 2024, 11:52:45 AM #1 Last Edit: March 27, 2024, 09:24:45 PM by gspannu
Quote from: Azokul on March 13, 2024, 06:35:48 PM
EDIT. Dum dum here. I double checked ACL and I had allow as default action, while unbound was servicing WAN. I removed WAN, set ACL to Deny and everything is running smoothly.

Can you please explain how you removed WAN and set ACL to Deny - in order to fix the problem.

Apologies, but I could not understand your fix from the screenshots.

Thanks.

Hi,
I had Unbound DNS: Access Lists on Allow as default action as I was doing tests, and servicing WAN while doing so was a bad idea.
I reset everything to Deny; on the General tab, under Network Interfaces, I simply left LAN and my VLAN and removed WAN.
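For readers who, like gspannu, want the fix spelled out: the same two settings expressed as a raw unbound.conf fragment, added here as an example and not taken from the thread or from OPNsense's generated configuration (OPNsense writes this file from the GUI; the listen addresses and subnets are constructed placeholders for a LAN and a VLAN):

```conf
server:
    # Listen only on the internal gateway addresses (constructed sample
    # values). The WAN address is deliberately absent, which is the
    # "removed WAN" part of the fix: the resolver is simply not reachable
    # from the Internet.
    interface: 127.0.0.1
    interface: 192.168.1.1
    interface: 10.10.20.1

    # Default action: refuse anything not explicitly allowed. This is the
    # "ACL to Deny" part of the fix. The broken state in the thread was the
    # equivalent of
    #   access-control: 0.0.0.0/0 allow
    # together with a WAN listener, i.e. an open recursive resolver whose
    # outgoing send budget any Internet host could exhaust at peak times.
    access-control: 0.0.0.0/0 refuse
    access-control: ::/0 refuse

    # Only the internal networks may recurse (constructed subnets).
    access-control: 127.0.0.0/8 allow
    access-control: 192.168.1.0/24 allow
    access-control: 10.10.20.0/24 allow
```

After applying either form, `unbound-checkconf` validates the syntax, and a query sent to the firewall's WAN address from outside should now time out (no listener) rather than be answered.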