My unbound server responses with “recursion requested but not available”. What is causing it?
Also dig doesn’t work with the server’s DoH, though curl does. Though I’m guessing dig doesn’t support TLS 1.3.
WARNING: recursion requested but not available
$ dig @my.url.tld example.com
; <<>> DiG 9.18.17 <<>> @my.url.tld example.com
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 46736
;; flags: qr rd ad; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; EDE: 18 (Prohibited)
;; QUESTION SECTION:
;example.com. IN A
;; Query time: 4 msec
;; SERVER: 111.222.333.444#53(my.url.tld) (UDP)
;; WHEN: Tue Jul 25 16:42:37 UTC 2023
;; MSG SIZE rcvd: 46
$ dig @my.url.tld example.com +tls
; <<>> DiG 9.18.17 <<>> @my.url.tld example.com +tls
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 32538
;; flags: qr rd ad; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; EDE: 18 (Prohibited)
;; QUESTION SECTION:
;example.com. IN A
;; Query time: 136 msec
;; SERVER: 111.222.333.444#853(my.url.tld) (TLS)
;; WHEN: Tue Jul 25 16:45:08 UTC 2023
;; MSG SIZE rcvd: 46
TLS error when using DoH
$ dig @my.url.tld example.com +https
;; Connection to 111.222.333.444#443(111.222.333.444) for example.com failed: TLS error.
;; Connection to 111.222.333.444#443(111.222.333.444) for example.com failed: TLS error.
;; Connection to 111.222.333.444#443(111.222.333.444) for example.com failed: TLS error.
DoH works with curl
$ curl --doh-url https://my.url.tld/dns-query https://example.com
<!doctype html>
<html>
...
</html>
Here are the configs:
unbound config
server:
num-threads: 4
interface: 127.0.0.1@53
interface: ::1@53
interface: eth0@53
interface: eth0@853
cache-min-ttl: 3600
edns-tcp-keepalive: yes
do-daemonize: no
username: "unbound"
chroot: ""
directory: "/etc/unbound"
pidfile: "/var/run/unbound/unbound.pid"
prefetch: yes
prefetch-key: yes
ede: yes
ede-serve-expired: yes
auto-trust-anchor-file: "/var/lib/unbound/root.key"
tls-system-cert: yes
tls-service-key: "/etc/unbound/my.url.tld.key"
tls-service-pem: "/etc/unbound/my.url.tld.crt"
tls-session-ticket-keys: "/etc/unbound/session-ticket-key.dat"
# This is backend
https-port: 53
http-notls-downstream: yes
# Fedora/RHEL: use system-wide crypto policies
tls-ciphers: "PROFILE=SYSTEM"
# Only ephemeral ports are allowed by SElinux
outgoing-port-permit: 32768-60999
# Zone signers must produce zones that allow this feature to work, but sometimes they do not.
# harden-algo-downgrade: no
# Not RFC, but there is a new draft.
harden-referral-path: yes
# We consider to enable this by default in later releases.
private-address: 10.0.0.0/8
private-address: 172.16.0.0/12
private-address: 192.168.0.0/16
private-address: 169.254.0.0/16
private-address: fd00::/8
private-address: fe80::/10
private-address: ::ffff:0:0/96
Caddy config
{
renew_interval 1d
auto_https disable_redirects
email user@email.com
skip_install_trust
}
https://my.url.tld:443 {
root * /var/www/html/
file_server
file_server /files/* {
root /var/www/
browse
}
reverse_proxy /vaultwarden/* http://[::1]:8000
reverse_proxy /dns-query h2c://[::1]:53
handle_path /syncthing/* {
reverse_proxy http://[::1]:8384
}
tls {
protocols tls1.3
alpn h3 h2
}
header {
Strict-Transport-Security "max-age=31536000; includeSubDomains"
}
encode zstd gzip
}