Unbound SERVFAIL Exceeded maximum number of sends

[Azokul]

Hi,
I have had a problem where sometimes (usually in the peak moments of the day) DNS request gets a SERVFAIL for exceeded number of sends. (It's usually 3-4 times a days)

Before upgrading to OPNsense 24.1.3_1-amd64 i didn't have this kind of problem.
I tried double checking my setup just to be sure, but nothing there seemed out of place.

IPv6 Is disabled overall, I'm using 8.8.8.8 or 1.1.1.1 as default DNS on Opnsense, with no override on LANs.

In unbound I don't have DNSSEC and I don't have query forwarding ON.

Every now and then I get SERVFAIL for exceeded maximum requests, I have up to 8000 contemporary requests at specific times of the day.
If i switch to dnsqmasq I have no problems.

Code: [Select]

2024-03-13T15:30:01 Error unbound [87768:2] error: SERVFAIL <mi-speedtest.optimaitalia.com. A IN>: exceeded the maximum number of sends
2024-03-13T15:06:43 Error unbound [87768:2] error: SERVFAIL <cdn.id5-sync.com. A IN>: exceeded the maximum number of sends
2024-03-13T13:42:53 Error unbound [87768:1] error: SERVFAIL <ecs.office.com. A IN>: exceeded the maximum number of sends
2024-03-13T13:37:06 Error unbound [87768:1] error: SERVFAIL <www.msftncsi.com. AAAA IN>: exceeded the maximum number of sends

An example of an extended log:

Code: [Select]

2024-03-13T18:33:03 Informational unbound [8352:2] info: query response was REFERRAL
2024-03-13T18:33:03 Informational unbound [8352:2] info: reply from <com.> 192.35.51.30#53
2024-03-13T18:33:03 Informational unbound [8352:2] info: response for _https._tcp.developer.download.nvidia.com. SRV IN
2024-03-13T18:33:03 Informational unbound [8352:2] info: resolving _https._tcp.developer.download.nvidia.com. SRV IN
2024-03-13T18:33:03 Error unbound [8352:0] error: SERVFAIL <_https._tcp.developer.download.nvidia.com. SRV IN>: exceeded the maximum number of sends
2024-03-13T18:33:03 Informational unbound [8352:1] info: resolving ns3.canonical.com. AAAA IN
2024-03-13T18:33:03 Informational unbound [8352:0] info: resolving _https._tcp.developer.download.nvidia.com. SRV IN
2024-03-13T18:33:03 Informational unbound [8352:1] info: resolving _http._tcp.archive.ubuntu.com. SRV IN
Thanks in advance
EDIT. Dum dum here. I double checked ACL and I had allow as default action, while unbound was servicing WAN. I removed WAN, set ACL to Deny and everything is running smoothly.

[gspannu]

EDIT. Dum dum here. I double checked ACL and I had allow as default action, while unbound was servicing WAN. I removed WAN, set ACL to Deny and everything is running smoothly.

Can you please explain how your removed WAN, and set set ACL to Deny - in order to fix the problem.

Apologies, but I could not understand your fix from the screenshots.

Thanks.

[Azokul]

Hi,
I had Unbound DNS: Access Lists on Allow as default action as i was doing tests, and servicing WAN while doing so was a bad idea.
I re-set everything to Deny, on the General tab on  Network Interfaces i simply left LAN and my VLAN and removed WAN