This is running 14.0-CURRENT as of ea6d1692666 but I am pretty sure I've seen this before.

For a long time, this road warrior/laptop install has been plagued with unstable DNS resolution. It is almost never possible to quickly change networks (from one WLAN to another one or to USB tethering) and not lose the ability to resolve DNS. Even when working on one network for a longer time, I get DNS resolution errors in Firefox regularly.

Switching to 8.8.8.8 or something given via DHCP usually rectifies the issue. I am pretty sure my tethering DNS server is not hijacking the requests.

I use "nameserver ::1" in my /etc/resolv.conf.

Today, when things are really bad, I have enabled some more debug:

    # more /etc/unbound/conf.d/logging.conf
    server:
        log-local-actions: no
        log-queries: yes
        log-replies: yes
        log-servfail: yes
        logfile: /log/unbound.log
        val-log-level: 2

    [1681416195] local-unbound[48019:0] error: SERVFAIL <push.services.mozilla.com. A IN>: exceeded the maximum number of sends

There are also AAAA queries:

    [1681416195] local-unbound[48019:0] error: SERVFAIL <push.services.mozilla.com. AAAA IN>: exceeded the maximum number of sends

I've tried to follow if this is related to https://github.com/NLnetLabs/unbound/issues/422 but I am not sure.

I made additional config changes (trying to turn off DNSSEC validation) but they do not seem to help (commenting out "auto-trust-anchor-file" and adding "module:config: "iterator""):

    $ more /etc/unbound/unbound.conf
    # This file was generated by local-unbound-setup.
    # Modifications will be overwritten.
    server:
        username: unbound
        directory: /var/unbound
        chroot: /var/unbound
        pidfile: /var/run/local_unbound.pid
    #   auto-trust-anchor-file: /var/unbound/root.key
        module-config: "iterator"

    # include: /var/unbound/forward.conf
    include: /var/unbound/lan-zones.conf
    include: /var/unbound/control.conf
    include: /var/unbound/conf.d/*.conf

    $ more /var/unbound/lan-zones.conf
    # This file was generated by local-unbound-setup.
    # Modifications will be overwritten.
    server:
        # Unblock reverse lookups for LAN addresses
        unblock-lan-zones: yes
        insecure-lan-zones: yes

Another log sample:

    [1681415385] local-unbound[48019:0] error: SERVFAIL <bugs.freebsd.org. A IN>: exceeded the maximum number of sends
    [1681415385] local-unbound[48019:0] info: ::1 bugs.freebsd.org. A IN SERVFAIL 4.015634 0 45
    [1681415385] local-unbound[48019:0] info: ::1 bugs.freebsd.org. A IN SERVFAIL 4.015634 0 45
    [1681415385] local-unbound[48019:0] info: ::1 bugs.freebsd.org. A IN SERVFAIL 9.017518 0 45
    [1681415385] local-unbound[48019:0] info: ::1 bugs.freebsd.org. A IN SERVFAIL 9.018429 0 45
    [1681415385] local-unbound[48019:0] info: ::1 bugs.freebsd.org. AAAA IN
    [1681415385] local-unbound[48019:0] info: ::1 bugs.freebsd.org. AAAA IN

DNSSEC is nice to have, but I really want to have a stable local resolver. How to achieve this? If I suffer from some packet loss on a weak 802.11 connection - is there any way to make unbound more patient?
Can you try to create /var/unbound/conf.d/pr270824.conf with the following contents:

    server:
        do-udp: no

This should improve matters if the problem is caused by packet loss.
Hi, did disabling UDP help?
Hard to tell; the day before you commented I left the problematic environment in question. Will try to reproduce the problem another way (with weak WiFi connectivity).
If you ever get the chance to test this, please note that instead of turning "do-udp" off, you should turn "tcp-upstream" on:

    server:
        tcp-upstream: yes
Thank you for responding.

So now I am on a somewhat unstable wifi (ICMP rtt to the router sometimes jumps to over 3000 ms but then it usually drops to the normal 1-3 ms), and sometimes it loses packets.

Even with "tcp-upstream: yes" I get lots of

    [1705549335] local-unbound[16470:0] error: SERVFAIL <0.freebsd.pool.ntp.org. AAAA IN>: exceeded the maximum number of sends
    [1705549335] local-unbound[16470:0] info: ::1 0.freebsd.pool.ntp.org. AAAA IN SERVFAIL 0.000000 0 51
    [1705549336] local-unbound[16470:0] info: ::1 2.freebsd.pool.ntp.org. A IN
    [1705549336] local-unbound[16470:0] error: SERVFAIL <2.freebsd.pool.ntp.org. A IN>: exceeded the maximum number of sends
    [1705549336] local-unbound[16470:0] info: ::1 2.freebsd.pool.ntp.org. A IN SERVFAIL 0.000000 0 51
    [1705549336] local-unbound[16470:0] info: ::1 2.freebsd.pool.ntp.org. A IN
    [1705549336] local-unbound[16470:0] error: SERVFAIL <2.freebsd.pool.ntp.org. A IN>: exceeded the maximum number of sends
    [1705549336] local-unbound[16470:0] info: ::1 2.freebsd.pool.ntp.org. A IN SERVFAIL 0.000000 0 51
    [1705549336] local-unbound[16470:0] info: ::1 2.freebsd.pool.ntp.org. AAAA IN
    [1705549336] local-unbound[16470:0] error: SERVFAIL <2.freebsd.pool.ntp.org. AAAA IN>: exceeded the maximum number of sends
    [1705549336] local-unbound[16470:0] info: ::1 2.freebsd.pool.ntp.org. AAAA IN SERVFAIL 0.000000 0 51
    [1705549336] local-unbound[16470:0] info: ::1 2.freebsd.pool.ntp.org. AAAA IN
    [1705549336] local-unbound[16470:0] error: SERVFAIL <2.freebsd.pool.ntp.org. AAAA IN>: exceeded the maximum number of sends
    [1705549336] local-unbound[16470:0] info: ::1 2.freebsd.pool.ntp.org. AAAA IN SERVFAIL 0.000000 0 51

(and other websites, like detectportal.firefox.com)

This happens after the connection is back to normal and the router is reachable with a reasonable ping time.

Restarting unbound helps immediately.

In the meantime I am running FreeBSD 15.0-CURRENT #10 main-n267042-488e8a7faca5
This is even worse now, with a stable wired Ethernet connection instead of a broken wifi:

    [1705570789] local-unbound[53087:0] error: SERVFAIL <www.duckduckgo.com. A IN>: exceeded the maximum number of sends
    [1705570789] local-unbound[53087:0] info: ::1 www.duckduckgo.com. A IN SERVFAIL 0.000000 0 47
    [1705570789] local-unbound[53087:0] info: ::1 www.duckduckgo.com. A IN
    [1705570789] local-unbound[53087:0] error: SERVFAIL <www.duckduckgo.com. A IN>: exceeded the maximum number of sends
    [1705570789] local-unbound[53087:0] info: ::1 www.duckduckgo.com. A IN SERVFAIL 0.000000 0 47
    [1705570789] local-unbound[53087:0] info: ::1 www.duckduckgo.com. AAAA IN
    [1705570789] local-unbound[53087:0] error: SERVFAIL <www.duckduckgo.com. AAAA IN>: exceeded the maximum number of sends
    [1705570789] local-unbound[53087:0] info: ::1 www.duckduckgo.com. AAAA IN SERVFAIL 0.000000 0 47
    [1705570789] local-unbound[53087:0] info: ::1 www.duckduckgo.com. AAAA IN
    [1705570789] local-unbound[53087:0] error: SERVFAIL <www.duckduckgo.com. AAAA IN>: exceeded the maximum number of sends
    [1705570789] local-unbound[53087:0] info: ::1 www.duckduckgo.com. AAAA IN SERVFAIL 0.000000 0 47

Some sites do resolve though (cached?)
Example of a failure followed by normal resolution:

    [1705570789] local-unbound[53087:0] info: ::1 www.duckduckgo.com. AAAA IN
    [1705570789] local-unbound[53087:0] error: SERVFAIL <www.duckduckgo.com. AAAA IN>: exceeded the maximum number of sends
    [1705570789] local-unbound[53087:0] info: ::1 www.duckduckgo.com. AAAA IN SERVFAIL 0.000000 0 47
    [1705570789] local-unbound[53087:0] info: ::1 www.duckduckgo.com. AAAA IN
    [1705570789] local-unbound[53087:0] error: SERVFAIL <www.duckduckgo.com. AAAA IN>: exceeded the maximum number of sends
    [1705570789] local-unbound[53087:0] info: ::1 www.duckduckgo.com. AAAA IN SERVFAIL 0.000000 0 47
    [1705570795] local-unbound[53087:0] info: ::1 normandy.cdn.mozilla.net. A IN
    [1705570795] local-unbound[53087:0] info: ::1 normandy.cdn.mozilla.net. A IN NOERROR 0.103757 0 116
    [1705570795] local-unbound[53087:0] info: ::1 normandy.cdn.mozilla.net. AAAA IN
    [1705570795] local-unbound[53087:0] info: ::1 normandy.cdn.mozilla.net. AAAA IN NOERROR 0.037772 0 178
    [1705570796] local-unbound[53087:0] info: ::1 r3.o.lencr.org. A IN
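
Added example, not part of the original thread and not FreeBSD or Unbound project code: a small parser for the log-queries / log-replies / log-servfail lines quoted above. It tallies return codes and SERVFAIL reasons and separates SERVFAIL replies that took seconds from those returned with a resolve time of 0.000000. The names `summarize` and `instant_threshold` and the sample (assembled from lines in this report) are assumptions of the example.

```python
import re
from collections import Counter, defaultdict

# Constructed sample, assembled from log lines quoted in this report.
SAMPLE_LOG = """\
[1681415385] local-unbound[48019:0] info: ::1 bugs.freebsd.org. A IN SERVFAIL 4.015634 0 45
[1705570789] local-unbound[53087:0] info: ::1 www.duckduckgo.com. AAAA IN
[1705570789] local-unbound[53087:0] error: SERVFAIL <www.duckduckgo.com. AAAA IN>: exceeded the maximum number of sends
[1705570789] local-unbound[53087:0] info: ::1 www.duckduckgo.com. AAAA IN SERVFAIL 0.000000 0 47
[1705570789] local-unbound[53087:0] info: ::1 www.duckduckgo.com. A IN SERVFAIL 0.000000 0 47
[1705570795] local-unbound[53087:0] info: ::1 normandy.cdn.mozilla.net. A IN
[1705570795] local-unbound[53087:0] info: ::1 normandy.cdn.mozilla.net. A IN NOERROR 0.103757 0 116
[1705570795] local-unbound[53087:0] info: ::1 normandy.cdn.mozilla.net. AAAA IN NOERROR 0.037772 0 178
"""

PREFIX = r"^\[(?P<ts>\d+)\] \S+\[\d+:\d+\] "
# log-replies: client, name, type, class, rcode, time to resolve, from cache, size
REPLY = re.compile(PREFIX + r"info: (?P<client>\S+) (?P<name>\S+) (?P<type>\S+) \S+ "
                   r"(?P<rcode>[A-Z]+) (?P<secs>\d+\.\d+) (?P<cached>\d+) (?P<size>\d+)$")
# log-servfail: the reason unbound gives for the failure
REASON = re.compile(PREFIX + r"error: SERVFAIL <\S+ \S+ \S+>: (?P<why>.+)$")

def summarize(log_text, instant_threshold=0.001):
    """Count rcodes and SERVFAIL reasons; split SERVFAILs by time to resolve."""
    rcodes, reasons = Counter(), Counter()
    failed = defaultdict(lambda: {"instant": 0, "slow": 0})
    for line in log_text.splitlines():
        line = line.strip()
        m = REASON.match(line)
        if m:
            reasons[m.group("why")] += 1
            continue
        m = REPLY.match(line)
        if not m:
            continue  # query lines carry no rcode; ignore them and anything else
        rcodes[m.group("rcode")] += 1
        if m.group("rcode") == "SERVFAIL":
            # "instant" = reply produced without measurable time spent resolving
            kind = "instant" if float(m.group("secs")) < instant_threshold else "slow"
            failed[(m.group("name"), m.group("type"))][kind] += 1
    return {"rcodes": dict(rcodes), "reasons": dict(reasons), "failed": dict(failed)}

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(key, value)
```

Run against the real log file by passing its contents to `summarize`; a shift from "slow" to "instant" SERVFAILs between captures matches the difference between the 2023 and 2024 log samples in this report.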