Unbound DNS stops resolving certain domains

Started by mickelson, August 18, 2025, 08:11:24 PM

I'm running OPNsense 25.7.1. Sometimes Unbound stops resolving certain domains, seemingly at random (the domains that can't be resolved in one situation work just fine when the issue reappears with respect to other domains). The issue seems to go away if I just wait for a few minutes or - instantly - if I reboot the Unbound service. Just now I had a problem with "linkedin.com". When I tried to open it the domain couldn't be resolved and I encountered the following in the logs:

[99803:1] error: SERVFAIL <linkedin.com.com.pl. AAAA IN>: all servers for this domain failed, at zone com.com.pl. from 5.39.99.217 got REFUSED
[99803:0] error: SERVFAIL <linkedin.com.com.pl. A IN>: all servers for this domain failed, at zone com.com.pl. from 5.39.99.217 got REFUSED

I have absolutely no idea where the additional ".com.pl" came from. After a couple of minutes it started to work fine without me rebooting the service. The issues only started after I upgraded to 25.7, it worked flawlessly before (though I can see that other people had similar issues even with previous versions: https://www.reddit.com/r/opnsense/comments/1fp77p3/unbound_dns_woes_it_just_stops_working/). Is there a way to fix it?

A recursive nameserver aka resolver never adds domains to the end of a query. The resolver library on the client does that.

So one of your clients has a domain of, or a domain search path containing, com.pl. Then the client asks for linkedin.com, for some reason does not get an answer, and retries with its search domain appended.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)
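To make the search-list behaviour described above concrete, here is an added example (not code from this thread, from OPNsense or from Unbound): it models glibc-style resolv.conf search-list expansion (ndots=1 assumed) and scans Unbound SERVFAIL lines like the ones quoted for queries that carry an appended client search suffix, so the offending client configuration can be found; the sample log is constructed.

```python
import re

# Constructed sample, modelled on the Unbound log lines quoted in the thread.
# The last line is a plain SERVFAIL with no search suffix, for contrast.
SAMPLE_LOG = """\
[99803:1] error: SERVFAIL <linkedin.com.com.pl. AAAA IN>: all servers for this domain failed, at zone com.com.pl. from 5.39.99.217 got REFUSED
[99803:0] error: SERVFAIL <linkedin.com.com.pl. A IN>: all servers for this domain failed, at zone com.com.pl. from 5.39.99.217 got REFUSED
[99803:0] error: SERVFAIL <google.com.com.pl. AAAA IN>: all servers for this domain failed, at zone com.com.pl. from 178.32.3.81 got REFUSED
[99803:2] error: SERVFAIL <example.org. A IN>: all servers for this domain failed, at zone example.org. from 192.0.2.1 got REFUSED
"""

SERVFAIL_RE = re.compile(r"SERVFAIL <(?P<qname>\S+) (?P<qtype>\S+) IN>.*? at zone (?P<zone>\S+)")

def search_list_candidates(name, search_list, ndots=1):
    """Names a stub resolver tries for `name` with the given search list
    (glibc semantics, assumed): with at least `ndots` dots the name is tried
    as-is first and the suffixes only after a failure; with fewer dots the
    suffixes come first. A trailing dot marks the name as fully qualified
    and disables the search list entirely."""
    if name.endswith("."):
        return [name]
    expanded = [f"{name}.{sfx.strip('.')}." for sfx in search_list]
    absolute = name + "."
    if name.count(".") >= ndots:
        return [absolute] + expanded
    return expanded + [absolute]

def servfail_with_suffix(log_text, suffixes):
    """Parse Unbound SERVFAIL lines and return (qname, qtype, original_name, suffix)
    for every query whose name ends with one of the client search suffixes."""
    hits = []
    for line in log_text.splitlines():
        m = SERVFAIL_RE.search(line)
        if not m:
            continue
        qname = m.group("qname").rstrip(".")
        for sfx in suffixes:
            sfx = sfx.strip(".")
            if qname.endswith("." + sfx):
                hits.append((m.group("qname"), m.group("qtype"), qname[: -len(sfx) - 1], sfx))
    return hits

if __name__ == "__main__":
    # A client with "search com.pl" retries linkedin.com as linkedin.com.com.pl.
    print("client would try:", search_list_candidates("linkedin.com", ["com.pl"]))
    for qname, qtype, original, sfx in servfail_with_suffix(SAMPLE_LOG, ["com.pl"]):
        print(f"{qname} ({qtype}) = client lookup for {original} with suffix {sfx} appended")
```

Queries flagged by `servfail_with_suffix` are the client's own retries, not Unbound adding labels; the SERVFAIL on them is expected because the resulting name does not exist, and it says nothing about why the plain lookup failed first.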

Thanks for the answer. I've verified it and indeed adding "com.pl" to the end of a query seems to be an issue with the client, independent of my main problem. Right now everything works fine, but when I do nslookup google.com (I'm using Windows 11) I get the following non-authoritative answer:
Name:    google.com
Addresses:  2a00:1450:401b:80d::200e
          142.250.186.206

However, Unbound logs still show me this:
[99803:0] error: SERVFAIL <google.com.com.pl. AAAA IN>: all servers for this domain failed, at zone com.com.pl. from 178.32.3.81 got REFUSED
[99803:1] error: SERVFAIL <google.com.com.pl. A IN>: all servers for this domain failed, at zone com.com.pl. from 178.32.3.81 got REFUSED

I have no idea why nslookup would try the "com.pl" suffix, especially when it gets the answer for google.com. Nonetheless, now that I know it occurs even when domains are successfully resolved, I think that my main problem - i.e. Unbound ceasing to resolve some domains for a few minutes - is not connected to that issue. Do you know how I could fix the Unbound problem, or at least what I could do to better diagnose what's going on?