Local DNS issue.

[abhishekgirme]

We had setup unbound couple of months back and it was working.

https://pmg.proxmox.com/wiki/index.php/DNS_server_on_Proxmox_Mail_Gateway

Since yesterday, it stopped working. No changes were made to PMG which may have an impact. Service is running and active.

unbound.service - Unbound DNS server
Loaded: loaded (/lib/systemd/system/unbound.service; enabled; vendor preset: enabled)
Active: active (running) since Mon 2023-01-16 12:07:17 IST; 1 day 6h ago
Docs: man:unbound(8)


> server 127.0.0.1
Default server: 127.0.0.1
Address: 127.0.0.1#53
> mail.XXXXX.com
Server: 127.0.0.1
Address: 127.0.0.1#53

** server can't find mail.XXXXX.com: SERVFAIL

 

[Stoiko Ivanov]

* restart unbound
* check the journal for any messages from unbound
* can the system reach the public internet on port 53 (udp and tcp) ? - i.e. maybe there was a change in the firewall rules?

 

[abhishekgirme]

Did reboot entire system post update yesterday.

Jan 09 23:27:55 unbound[843]: [843:0] info: generate keytag query _ta-4f66. NULL IN

Yes, system can reach internet / DNS.

 

[Stoiko Ivanov]

* what's the output of `dig google.com @127.0.0.1`?

if this works as expected - maybe the issue is with the DNS-records of mail.XXXXX.com ...

 

[abhishekgirme]

I googled it and looks like it is using DNSSEC and failing..

https://forum.netgate.com/topic/161563/unbound-question-generate-keytag-query-_ta-4f66

Any solution for this behavior?

 

[Stoiko Ivanov]

Depends where the issue is acutally rooted - but as written in:
https://pmg.proxmox.com/wiki/index.php/DNS_server_on_Proxmox_Mail_Gateway

      # depending on your internal DNS-servers capabilities these options might be necessary
      # harden-dnssec-stripped: no 
      # module-config: "iterator"

you can try to disable dnssec completely with the parameters - for more details check the unbound documentation (e.g. `man unbound.conf`)

I hope this helps!