nsd users - Jul 2018 - rcode: REFUSED with NSD behind Unbound

Hi guys!

I'm facing a problem with NSD behind Unbound. What I want to
achieve is to have Unbound acting as a resolver for my LAN but
with some stub-zones for my local zones.

My setup is the following:

* OpenBSD 6.3 - dns1.doe.com (master)
Unbound listening on 10.10.11.13 at 53
NSD listening on 10.10.11.13 at 5353

* OpenBSD 6.3 - dns2.doe.com (slave)
Unbound listening on 10.10.11.14 at 53
NSD listening on 10.10.11.14 at 5353

## Unbound

Here is my Unbound configuration :

server:
        interface: 10.10.11.13
        interface: 127.0.0.1
        interface: ::1

        verbosity: 5
        do-not-query-localhost: no

        access-control: 0.0.0.0/0 refuse
        access-control: 127.0.0.0/8 allow_snoop
        access-control: 10.10.11.0/24 allow_snoop
        access-control: ::0/0 refuse
        access-control: ::1 allow_snoop

        hide-identity: yes
        hide-version: yes

        auto-trust-anchor-file: "/var/unbound/db/root.key"

local-zone: "11.10.10.in-addr.arpa" typetransparent

stub-zone:
        name: "11.10.10.in-addr.arpa"
        stub-addr: 10.10.11.13 at 5353

stub-zone:
        name: "doe.com"
        stub-addr: 10.10.11.13 at 5353

## NSD

Here is the NSD configuration :

server:
        hide-version: yes
        verbosity: 3
        database: "" # disable database
        logfile: "/var/log/nsd.log"

## bind to a specific address/port
        ip-address: 10.10.11.13 at 5353
        ip-address: 127.0.0.1 at 5353

remote-control:
        control-enable: yes
        control-port: 8953

## tsig key example
key:
        name: "dns01.doe.com"
        secret: "XXXXXXXXXXXXXXXXXXXXXXXXX"

pattern:
        name: "talktoslave"
        notify: 10.10.11.14 dns01.doe.com
        provide-xfr: 10.10.11.14 dns01.doe.com
        outgoing-interface: 10.10.11.13

zone:
        name: "11.10.10.in-addr.arpa"
        zonefile: "%s"
        include-pattern: "talktoslave"

zone:
        name: "doe.com-internal"
        zonefile: "%s"
        include-pattern: "talktoslave"

Now when I try to resolve john.doe.com :

$ dig @10.10.11.13 john.doe.com

; <<>> DiG 9.4.2-P2 <<>> @10.10.11.13 john.doe.com
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 16717
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0,
ADDITIONAL: 0

;; QUESTION SECTION:
;john.doe.com.                 IN      A

;; Query time: 11 msec
;; SERVER: 10.10.11.13#53(10.10.11.13)
;; WHEN: Wed Jul 25 07:52:41 2018
;; MSG SIZE  rcvd: 31

And if I look into the logs I'm getting :

Jul 25 06:17:56 dns01 unbound: [39653:0] info: validator operate: query
john.doe.com. A IN
Jul 25 06:17:56 dns01 unbound: [39653:0] info: resolving john.doe.com. A IN
Jul 25 06:17:56 dns01 unbound: [39653:0] info: use stub doe.com. NS IN
Jul 25 06:17:56 dns01 unbound: [39653:0] info: DelegationPoint<doe.com.>:
0 names (0 missing), 1 addrs (0 result, 1 avail) parentNS
Jul 25 06:17:56 dns01 unbound: [39653:0] info: resolving (init part 2): 
john.doe.com. A IN
Jul 25 06:17:56 dns01 unbound: [39653:0] info: use stub doe.com. NS IN
Jul 25 06:17:56 dns01 unbound: [39653:0] info: resolving (init part 3): 
john.doe.com. A IN
Jul 25 06:17:56 dns01 unbound: [39653:0] info: processQueryTargets:
john.doe.com. A IN
Jul 25 06:17:56 dns01 unbound: [39653:0] info: DelegationPoint<doe.com.>:
0 names (0 missing), 1 addrs (0 result, 1 avail) parentNS
Jul 25 06:17:56 dns01 unbound: [39653:0] info: sending query: john.doe.com. A IN
Jul 25 06:17:56 dns01 unbound: [39653:0] info: mesh_run: end 1 recursion states
(1 with reply, 0 detached), 1 waiting replies, 1 recursion replies sent, 0
replies dropped, 0 states jostled out
Jul 25 06:17:56 dns01 unbound: [39653:0] info: average recursion processing time
0.006881 sec
Jul 25 06:17:56 dns01 unbound: [39653:0] info: histogram of recursion processing
times
Jul 25 06:17:56 dns01 unbound: [39653:0] info: [25%]=0 median[50%]=0 [75%]=0
Jul 25 06:17:56 dns01 unbound: [39653:0] info: lower(secs) upper(secs)
recursions
Jul 25 06:17:56 dns01 unbound: [39653:0] info:    0.004096    0.008192 1
Jul 25 06:17:56 dns01 unbound: [39653:0] info: 0RDd mod1 rep john.doe.com. A IN
Jul 25 06:17:56 dns01 unbound: [39653:0] info: iterator operate: query
john.doe.com. A IN
Jul 25 06:17:56 dns01 unbound: [39653:0] info: scrub for doe.com. NS IN
Jul 25 06:17:56 dns01 unbound: [39653:0] info: response for john.doe.com. A IN
Jul 25 06:17:56 dns01 unbound: [39653:0] info: reply from <doe.com.>
10.10.11.13#5353
Jul 25 06:17:56 dns01 unbound: [39653:0] info: incoming scrubbed packet: ;;
->>HEADER<<- opcode: QUERY, rcode: REFUSED, id: 0 ;; flags: qr ;
QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0  ;; QUESTION SECTION:
john.doe.com.      IN      A  ;; ANSWER SECTION:  ;; AUTHORITY SECTION:  ;;
ADDITIONAL SECTION: ;; MSG SIZE  rcvd: 31
Jul 25 06:17:56 dns01 unbound: [39653:0] info: query response was THROWAWAY
Jul 25 06:17:56 dns01 unbound: [39653:0] info: processQueryTargets:
john.doe.com. A IN

Do you guys know why I get a "rcode: REFUSED" here?

Thanks,
-- 
Tristan

Hi Tristan,

In your nsd.conf you have a mistake in the zone name:

name: "doe.com-internal"

But that makes a zone "doe.com-internal" and not "doe.com". 
Unbound queries for doe.com and that zone is not hosted by the NSD instances and
thus this returned REFUSED.

Best regards, Wouter

On 25/07/18 14:19, Tristan Pilat wrote:
> Hi guys!
>
> I'm facing a problem with NSD behind Unbound. What I want to
> achieve is to have Unbound acting as a resolver for my LAN but
> with some stub-zones for my local zones.
>
> My setup is the following:
>
> * OpenBSD 6.3 - dns1.doe.com (master)
> Unbound listening on 10.10.11.13 at 53
> NSD listening on 10.10.11.13 at 5353
>
> * OpenBSD 6.3 - dns2.doe.com (slave)
> Unbound listening on 10.10.11.14 at 53
> NSD listening on 10.10.11.14 at 5353
>
> ## Unbound
>
> Here is my Unbound configuration :
>
> server:
>         interface: 10.10.11.13
>         interface: 127.0.0.1
>         interface: ::1
>
>         verbosity: 5
>         do-not-query-localhost: no
>
>         access-control: 0.0.0.0/0 refuse
>         access-control: 127.0.0.0/8 allow_snoop
>         access-control: 10.10.11.0/24 allow_snoop
>         access-control: ::0/0 refuse
>         access-control: ::1 allow_snoop
>
>         hide-identity: yes
>         hide-version: yes
>
>         auto-trust-anchor-file: "/var/unbound/db/root.key"
>
> local-zone: "11.10.10.in-addr.arpa" typetransparent
>
> stub-zone:
>         name: "11.10.10.in-addr.arpa"
>         stub-addr: 10.10.11.13 at 5353
>
> stub-zone:
>         name: "doe.com"
>         stub-addr: 10.10.11.13 at 5353
>
> ## NSD
>
> Here is the NSD configuration :
>
> server:
>         hide-version: yes
>         verbosity: 3
>         database: "" # disable database
>         logfile: "/var/log/nsd.log"
>
> ## bind to a specific address/port
>         ip-address: 10.10.11.13 at 5353
>         ip-address: 127.0.0.1 at 5353
>
> remote-control:
>         control-enable: yes
>         control-port: 8953
>
> ## tsig key example
> key:
>         name: "dns01.doe.com"
>         secret: "XXXXXXXXXXXXXXXXXXXXXXXXX"
>
> pattern:
>         name: "talktoslave"
>         notify: 10.10.11.14 dns01.doe.com
>         provide-xfr: 10.10.11.14 dns01.doe.com
>         outgoing-interface: 10.10.11.13
>
> zone:
>         name: "11.10.10.in-addr.arpa"
>         zonefile: "%s"
>         include-pattern: "talktoslave"
>
> zone:
>         name: "doe.com-internal"
>         zonefile: "%s"
>         include-pattern: "talktoslave"
>
> Now when I try to resolve john.doe.com :
>
> $ dig @10.10.11.13 john.doe.com
>
> ; <<>> DiG 9.4.2-P2 <<>> @10.10.11.13 john.doe.com
> ; (1 server found)
> ;; global options:  printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 16717
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0,
> ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;john.doe.com.                 IN      A
>
> ;; Query time: 11 msec
> ;; SERVER: 10.10.11.13#53(10.10.11.13)
> ;; WHEN: Wed Jul 25 07:52:41 2018
> ;; MSG SIZE  rcvd: 31
>
> And if I look into the logs I'm getting :
>
> Jul 25 06:17:56 dns01 unbound: [39653:0] info: validator operate: query
john.doe.com. A IN
> Jul 25 06:17:56 dns01 unbound: [39653:0] info: resolving john.doe.com. A IN
> Jul 25 06:17:56 dns01 unbound: [39653:0] info: use stub doe.com. NS IN
> Jul 25 06:17:56 dns01 unbound: [39653:0] info:
DelegationPoint<doe.com.>: 0 names (0 missing), 1 addrs (0 result, 1
avail) parentNS
> Jul 25 06:17:56 dns01 unbound: [39653:0] info: resolving (init part 2): 
john.doe.com. A IN
> Jul 25 06:17:56 dns01 unbound: [39653:0] info: use stub doe.com. NS IN
> Jul 25 06:17:56 dns01 unbound: [39653:0] info: resolving (init part 3): 
john.doe.com. A IN
> Jul 25 06:17:56 dns01 unbound: [39653:0] info: processQueryTargets:
john.doe.com. A IN
> Jul 25 06:17:56 dns01 unbound: [39653:0] info:
DelegationPoint<doe.com.>: 0 names (0 missing), 1 addrs (0 result, 1
avail) parentNS
> Jul 25 06:17:56 dns01 unbound: [39653:0] info: sending query: john.doe.com.
A IN
> Jul 25 06:17:56 dns01 unbound: [39653:0] info: mesh_run: end 1 recursion
states (1 with reply, 0 detached), 1 waiting replies, 1 recursion replies sent,
0 replies dropped, 0 states jostled out
> Jul 25 06:17:56 dns01 unbound: [39653:0] info: average recursion processing
time 0.006881 sec
> Jul 25 06:17:56 dns01 unbound: [39653:0] info: histogram of recursion
processing times
> Jul 25 06:17:56 dns01 unbound: [39653:0] info: [25%]=0 median[50%]=0
[75%]=0
> Jul 25 06:17:56 dns01 unbound: [39653:0] info: lower(secs) upper(secs)
recursions
> Jul 25 06:17:56 dns01 unbound: [39653:0] info:    0.004096    0.008192 1
> Jul 25 06:17:56 dns01 unbound: [39653:0] info: 0RDd mod1 rep john.doe.com.
A IN
> Jul 25 06:17:56 dns01 unbound: [39653:0] info: iterator operate: query
john.doe.com. A IN
> Jul 25 06:17:56 dns01 unbound: [39653:0] info: scrub for doe.com. NS IN
> Jul 25 06:17:56 dns01 unbound: [39653:0] info: response for john.doe.com. A
IN
> Jul 25 06:17:56 dns01 unbound: [39653:0] info: reply from <doe.com.>
10.10.11.13#5353
> Jul 25 06:17:56 dns01 unbound: [39653:0] info: incoming scrubbed packet: ;;
->>HEADER<<- opcode: QUERY, rcode: REFUSED, id: 0 ;; flags: qr ;
QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0  ;; QUESTION SECTION:
john.doe.com.      IN      A  ;; ANSWER SECTION:  ;; AUTHORITY SECTION:  ;;
ADDITIONAL SECTION: ;; MSG SIZE  rcvd: 31
> Jul 25 06:17:56 dns01 unbound: [39653:0] info: query response was THROWAWAY
> Jul 25 06:17:56 dns01 unbound: [39653:0] info: processQueryTargets:
john.doe.com. A IN
>
> Do you guys know why I get a "rcode: REFUSED" here?
>
> Thanks,

On 25/07/2018 14:19, Tristan Pilat wrote:

Hi Tristan,
> zone:
>         name: "doe.com-internal"
>         zonefile: "%s"
>         include-pattern: "talktoslave"
In your NSD config, you've defined a zone called
"doe.com-internal". So
when NSD receives a query for "doe.com", it doesn't know this
zone, and
returns a REFUSED response. Change that "name" parameter to
"doe.com".

Regards,
Anand