Greets all
I have a repeated unbound lookup on a domain that results in a SERVFAIL every 30 seconds.
It seems that the unbound lookup is being triggered by postfix-tlspol, but I’m not certain.
I don’t see any reference to this domain in any other part of mailcow: postfix, dovecot, rspamd.
There are no mails pending in queuemanager.
It’s a foreign domain, not local to my mailcow instance or anything within my sphere of operations.
I am at a loss as to finding the source of why or where this domain is trying to get resolved. The failures are logged every 30 seconds like clockwork.
tlspol warning:
postfix-tlspol-mailcow-1 | Mar 2 07:15:34.054 WARN DNS error during MX lookup for "FAILDOMAIN.com": SERVFAIL
unbound error:
unbound-mailcow-1 | [1772428533] unbound[19:0] error: SERVFAIL <FAILDOMAIN.com. MX IN>: all servers for this domain failed, at zone FAILDOMAIN.com. no server to query nameserver addresses not usable
unbound-mailcow-1 | [1772428533] unbound[19:0] error: SERVFAIL <_mta-sts.FAILDOMAIN.com. TXT IN>: all servers for this domain failed, at zone FAILDOMAIN.com. no server to query nameserver addresses not usable
It’s a quite specific domain name, with no tangible presence in internet search results, so I’ve anonymized the domain name in the logs in case this is an attempt at a targeted attack.
Does anyone have any ideas where I should look to find the source of this?
Thanks