Maintained by: NLnet Labs

[Unbound-users] SERVFAIL on available servers

Paul Wouters
Mon Mar 31 20:34:53 CEST 2014

On Mon, 31 Mar 2014, Dave Warren wrote:

> After the VPN has been interrupted, I see SERVFAIL from unbound for all 
> queries, despite the fact that the VPN is now available and I can query the 
> DNS servers across the VPN directly. If I wait, it will resolve itself 
> eventually. Restarting unbound resolves the problem immediately, so I think 
> it's a case of unbound caching that the NS are unresponsive and not trying 
> again.
> How do I confirm the problem and/or what can I do to encourage unbound to try 
> again? Or is there a way to tell unbound to always consider the NS 
> responsible for this zone to be available?

What libreswan/openswan does is when the VPN connection goes up or down,
it will signal unbound to flush the cache for that domain. That also
helps for domains that look different internally than externally.

So the easy fix for you is on VPN up/down to run:

	unbound-control flush_zone <zone>      (flush_zone requires the zone name, e.g. the VPN's internal domain)
	unbound-control flush_requestlist
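As an added example (not code from this thread, nor from libreswan/openswan or the unbound project), here is a VPN up/down hook that issues the flushes described above. It assumes a hypothetical invocation as "vpn-dns-hook.sh up|down", an assumed internal zone name corp.example (override with VPN_ZONES), and a working remote-control setup (control-enable: yes) so that unbound-control can reach the daemon. It goes one step beyond the reply by also clearing the infra cache with flush_infra, the unbound-control subcommand that drops the per-server timeout/RTT state which is exactly what makes unbound keep treating the internal nameservers as unresponsive after the tunnel came back:

```shell
#!/bin/sh
# Added example: VPN up/down hook that flushes unbound's state for a VPN-internal
# zone. Not part of the mailing-list thread or of libreswan/openswan/unbound.
# Assumptions (hypothetical): called as "vpn-dns-hook.sh up|down"; the internal
# zone is corp.example; unbound-control is configured and reachable.

# Zone(s) whose answers differ, or only exist, inside the VPN. Assumed value.
VPN_ZONES="${VPN_ZONES:-corp.example}"
# Command used to talk to unbound; overridable for dry runs and tests.
UNBOUND_CONTROL="${UNBOUND_CONTROL:-unbound-control}"

# Print the unbound-control subcommands to run for one VPN state change.
# $1 is the "up" or "down" verb; the same flushes apply in both directions.
#   flush_zone <name>   drops cached answers below the zone (needs the name)
#   flush_requestlist   drops queries already waiting on the old servers
#   flush_infra all     drops the cached "server timed out / RTT" state
plan_flush() {
    for z in $VPN_ZONES; do
        printf 'flush_zone %s\n' "$z"
    done
    printf 'flush_requestlist\n'
    printf 'flush_infra all\n'
}

# Execute the planned subcommands, one unbound-control call each.
# Returns non-zero as soon as one call fails (e.g. control socket unreachable).
run_flush() {
    plan_flush "$1" | while read -r cmd args; do
        # $args is intentionally unquoted: it is empty for argument-less commands
        # shellcheck disable=SC2086
        "$UNBOUND_CONTROL" "$cmd" $args || exit 1
    done
}

# Only act when invoked directly by the VPN with an up/down verb.
case "${1:-}" in
    up|down) run_flush "$1" ;;
esac
```

Hook it into whatever notifies you of tunnel state (the libreswan/openswan updown script, or a NetworkManager dispatcher), and it is harmless to run on both transitions: on "down" it throws away answers that are about to go stale, on "up" it throws away the negative and unresponsive-server state collected while the tunnel was gone.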