kresd always returning SERVFAIL
Hi, I have recently been experiencing a complete breakage of my instance of the knot resolver daemon after it has worked perfectly for a long time.
It is unclear to me if the issues are related to the latest update to the 5.5.3 release or to some other change in my networking environment.
I have the knot resolver daemon working on an ARM64 system with the armbian OS. The knot resolver binary is from http://download.opensuse.org/repositories/home:/CZ-NIC:/knot-resolver-latest/Debian_11/
In recent days, kresd cannot start properly, so that when I query systemctl for the status of kresd@0, I get
Sep 25 19:54:12 xxx kresd[1850]: [taupd ] active refresh failed for . with rcode: 2
Sep 25 19:54:12 xxx kresd[1850]: [timesk] cannot resolve '.' NS
If I enable debugging, I get flooded with messages. For the most part they look like repetitions of sequences similar to
Sep 25 20:09:11 xxx kresd[2256]: [select][65538.02] => id: '58484' choosing from addresses: 13 v4 + 13 v6; names to resolve: 0 v4 + 0 v6; force_resolve: 0; NO6: IPv6 is OK
Sep 25 20:09:11 xxx kresd[2256]: [select][65538.02] => id: '58484' choosing: 'K.ROOT-SERVERS.NET.'@'193.0.14.129#00053' with timeout 25 ms zone cut: '.'
Sep 25 20:09:11 xxx kresd[2256]: [select][65538.02] => id: '59806' noting selection error: 'D.ROOT-SERVERS.NET.'@'199.7.91.13#00053' zone cut: '.' error: 6 SERVFAIL
Sep 25 20:09:11 xxx kresd[2256]: [iterat][65538.02] <= rcode: SERVFAIL
...until I get to
Sep 25 20:09:11 xxx kresd[2256]: [resolv][65538.00] => too many failures in a row, bail out (mitigation for NXNSAttack CVE-2020-12667)
Changes that I have recently experienced in my setup include:
- Update to the knot resolver release 5.5.3. It is not easy to test a downgrade, as I cannot find previous releases on http://download.opensuse.org/repositories/home:/CZ-NIC:/knot-resolver-latest/Debian_11/
- Update of the ARM machine to kernel 5.19.10-rockchip64
- Update of my ISP from Wind 3 (Italy) to Vodafone (Italy), both on fiber.
It looks like there are no major networking problems. The machine running kresd can ping outside and resolve via kdig using public nameservers such as Quad9 or Google. For sure the new Vodafone ISP is nasty. It does not let you set the DNS on its router, nor publish a different NS via the DHCP server on its router, nor select an SSID without the word "vodafone" in it, but it would appear strange to me if it ended up mangling traffic to the point of blocking a private caching nameserver from operating.
Any clue?
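The log lines above show the root servers answering SERVFAIL as seen through kresd. As an added diagnostic (not from the original post or the Knot Resolver project), this Python script sends a bare `. NS` query with RD=0 straight to K.ROOT-SERVERS.NET (193.0.14.129, the address in the log) and decodes the reply header, so you can see whether the answer is what a real root server gives (NOERROR with AA set and NS records) or something else that points at the network path rather than kresd's configuration. The function names and the 3-second timeout are my own assumptions.

```python
import random
import socket
import struct

# Address of K.ROOT-SERVERS.NET as it appears in the kresd log above.
ROOT_K = "193.0.14.129"
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def build_root_ns_query(txid: int) -> bytes:
    """Minimal wire-format query for '. NS IN' with RD=0 (no recursion wanted)."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    question = b"\x00" + struct.pack("!HH", 2, 1)  # root name, type NS, class IN
    return header + question

def parse_reply_header(reply: bytes, txid: int) -> dict:
    """Decode the 12-byte DNS header: ID match, QR/AA/TC flags, rcode, counts."""
    if len(reply) < 12:
        raise ValueError("reply shorter than a DNS header")
    rid, flags, _qd, an, ns, _ar = struct.unpack("!HHHHHH", reply[:12])
    return {
        "id_ok": rid == txid,
        "qr": bool(flags & 0x8000),
        "aa": bool(flags & 0x0400),
        "tc": bool(flags & 0x0200),
        "rcode": RCODES.get(flags & 0x000F, str(flags & 0x000F)),
        "answers": an,
        "authority": ns,
    }

def looks_like_root_answer(h: dict) -> bool:
    """A genuine root server answers '. NS' itself: NOERROR, AA set, NS records
    in the answer section (13 of them today). A SERVFAIL, or a NOERROR without
    AA, coming from a root IP suggests something on the path answered instead."""
    return h["id_ok"] and h["qr"] and h["aa"] and h["rcode"] == "NOERROR" and h["answers"] > 0

def probe(server: str = ROOT_K, timeout: float = 3.0) -> dict:
    """Send the query over UDP/53 and return the decoded header (needs network)."""
    txid = random.randrange(65536)  # unpredictable ID, as a real resolver would use
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_root_ns_query(txid), (server, 53))
        data, (src, _port) = s.recvfrom(4096)
    h = parse_reply_header(data, txid)
    h["from_expected_ip"] = src == server  # False here also points at interception
    h["genuine"] = looks_like_root_answer(h)
    return h

if __name__ == "__main__":
    print(probe())
```

Running it from the kresd host and again from a machine on a different network (a phone hotspot, for instance) and comparing the two dictionaries separates an ISP-side problem from a local one.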