Problems with global DNS over TLS?

G

Godless2021-06-02 15:22:25

Domain Name System

Godless, 2021-06-02 15:22:25

Good day!
Colleagues, there is some nonsense with DNS the last couple of days. In the desk, on the gateway, there is an unbound border DNS
with the following config of Upstream servers:

unbound forward zone

forward-zone:
        name: "."
#       forward-first: yes
        forward-ssl-upstream: yes

        #encrypted DNS over TLS servers

        #CloudFlare
        forward-addr: [email protected]
        forward-addr: [email protected]

        #Google
        forward-addr: [email protected]
        forward-addr: [email protected]

        #Quad9 (have TLS, but filter some malware domains)
        forward-addr: [email protected]
        forward-addr: [email protected]

        #Quadrant Information Security (no filter)
        forward-addr: [email protected]

        #https://cleanbrowsing.org/guides/dnsovertls
        forward-addr: [email protected]
        forward-addr: [email protected]

Duc here a couple of days falls off tyrnet due to lack of response from the CSN!
From all of us! How can this be?
There's a ton of this in the logs:

...... unbound: [28133:0] info: response for example.com. A IN
...... unbound: [28133:0] info: reply from <.> 12.159.2.159#853
...... unbound: [28133:0] info: query response was THROWAWAY

I read that THROWAWAY is not quite an error, it's a message that the server did not return a response and you need to try another one.
I tried to add servers without TLS, but there is no effect...
Unbound reload helps for a few minutes. Here the person also has some strange problems ...

UPD. The provider unsubscribed in the expected key - we have all the rules.
Disabled all @853 addresses, enabled only @53 - half a day the flight is normal.
What broke unbound out of the blue is a mystery. He worked in this configuration for 1.5 years "without a single break" ...