Hi guys!

I'm facing a problem with NSD behind Unbound. What I want to achieve is to have Unbound acting as a resolver for my LAN but with some stub-zones for my local zones.

My setup is the following:

* OpenBSD 6.3 - dns1.doe.com (master)
  Unbound listening on 10.10.11.13 at 53
  NSD listening on 10.10.11.13 at 5353

* OpenBSD 6.3 - dns2.doe.com (slave)
  Unbound listening on 10.10.11.14 at 53
  NSD listening on 10.10.11.14 at 5353

## Unbound

Here is my Unbound configuration:

    server:
        interface: 10.10.11.13
        interface: 127.0.0.1
        interface: ::1

        verbosity: 5
        do-not-query-localhost: no

        access-control: 0.0.0.0/0 refuse
        access-control: 127.0.0.0/8 allow_snoop
        access-control: 10.10.11.0/24 allow_snoop
        access-control: ::0/0 refuse
        access-control: ::1 allow_snoop

        hide-identity: yes
        hide-version: yes

        auto-trust-anchor-file: "/var/unbound/db/root.key"

        local-zone: "11.10.10.in-addr.arpa" typetransparent

    stub-zone:
        name: "11.10.10.in-addr.arpa"
        stub-addr: 10.10.11.13@5353

    stub-zone:
        name: "doe.com"
        stub-addr: 10.10.11.13@5353

## NSD

Here is the NSD configuration:

    server:
        hide-version: yes
        verbosity: 3
        database: ""   # disable database
        logfile: "/var/log/nsd.log"

        ## bind to a specific address/port
        ip-address: 10.10.11.13@5353
        ip-address: 127.0.0.1@5353

    remote-control:
        control-enable: yes
        control-port: 8953

    ## tsig key example
    key:
        name: "dns01.doe.com"
        secret: "XXXXXXXXXXXXXXXXXXXXXXXXX"

    pattern:
        name: "talktoslave"
        notify: 10.10.11.14 dns01.doe.com
        provide-xfr: 10.10.11.14 dns01.doe.com
        outgoing-interface: 10.10.11.13

    zone:
        name: "11.10.10.in-addr.arpa"
        zonefile: "%s"
        include-pattern: "talktoslave"

    zone:
        name: "doe.com-internal"
        zonefile: "%s"
        include-pattern: "talktoslave"

Now when I try to resolve john.doe.com:

    $ dig @10.10.11.13 john.doe.com

    ; <<>> DiG 9.4.2-P2 <<>> @10.10.11.13 john.doe.com
    ; (1 server found)
    ;; global options:  printcmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 16717
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

    ;; QUESTION SECTION:
    ;john.doe.com.                  IN      A

    ;; Query time: 11 msec
    ;; SERVER: 10.10.11.13#53(10.10.11.13)
    ;; WHEN: Wed Jul 25 07:52:41 2018
    ;; MSG SIZE  rcvd: 31

And if I look into the logs I'm getting:

    Jul 25 06:17:56 dns01 unbound: [39653:0] info: validator operate: query john.doe.com. A IN
    Jul 25 06:17:56 dns01 unbound: [39653:0] info: resolving john.doe.com. A IN
    Jul 25 06:17:56 dns01 unbound: [39653:0] info: use stub doe.com. NS IN
    Jul 25 06:17:56 dns01 unbound: [39653:0] info: DelegationPoint<doe.com.>: 0 names (0 missing), 1 addrs (0 result, 1 avail) parentNS
    Jul 25 06:17:56 dns01 unbound: [39653:0] info: resolving (init part 2): john.doe.com. A IN
    Jul 25 06:17:56 dns01 unbound: [39653:0] info: use stub doe.com. NS IN
    Jul 25 06:17:56 dns01 unbound: [39653:0] info: resolving (init part 3): john.doe.com. A IN
    Jul 25 06:17:56 dns01 unbound: [39653:0] info: processQueryTargets: john.doe.com. A IN
    Jul 25 06:17:56 dns01 unbound: [39653:0] info: DelegationPoint<doe.com.>: 0 names (0 missing), 1 addrs (0 result, 1 avail) parentNS
    Jul 25 06:17:56 dns01 unbound: [39653:0] info: sending query: john.doe.com. A IN
    Jul 25 06:17:56 dns01 unbound: [39653:0] info: mesh_run: end 1 recursion states (1 with reply, 0 detached), 1 waiting replies, 1 recursion replies sent, 0 replies dropped, 0 states jostled out
    Jul 25 06:17:56 dns01 unbound: [39653:0] info: average recursion processing time 0.006881 sec
    Jul 25 06:17:56 dns01 unbound: [39653:0] info: histogram of recursion processing times
    Jul 25 06:17:56 dns01 unbound: [39653:0] info: [25%]=0 median[50%]=0 [75%]=0
    Jul 25 06:17:56 dns01 unbound: [39653:0] info: lower(secs) upper(secs) recursions
    Jul 25 06:17:56 dns01 unbound: [39653:0] info:    0.004096    0.008192 1
    Jul 25 06:17:56 dns01 unbound: [39653:0] info: 0RDd mod1 rep john.doe.com. A IN
    Jul 25 06:17:56 dns01 unbound: [39653:0] info: iterator operate: query john.doe.com. A IN
    Jul 25 06:17:56 dns01 unbound: [39653:0] info: scrub for doe.com. NS IN
    Jul 25 06:17:56 dns01 unbound: [39653:0] info: response for john.doe.com. A IN
    Jul 25 06:17:56 dns01 unbound: [39653:0] info: reply from <doe.com.> 10.10.11.13#5353
    Jul 25 06:17:56 dns01 unbound: [39653:0] info: incoming scrubbed packet: ;; ->>HEADER<<- opcode: QUERY, rcode: REFUSED, id: 0
    ;; flags: qr ; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
    ;; QUESTION SECTION:
    john.doe.com.   IN      A

    ;; ANSWER SECTION:

    ;; AUTHORITY SECTION:

    ;; ADDITIONAL SECTION:
    ;; MSG SIZE  rcvd: 31

    Jul 25 06:17:56 dns01 unbound: [39653:0] info: query response was THROWAWAY
    Jul 25 06:17:56 dns01 unbound: [39653:0] info: processQueryTargets: john.doe.com. A IN

Do you guys know why I get a "rcode: REFUSED" here?

Thanks,

--
Tristan
Wouter Wijngaards
2018-Jul-25 12:31 UTC
[nsd-users] rcode: REFUSED with NSD behind Unbound
Hi Tristan,

In your nsd.conf you have a mistake in the zone name:

    name: "doe.com-internal"

But that makes a zone "doe.com-internal" and not "doe.com". Unbound queries for doe.com and that zone is not hosted by the NSD instances and thus this returned REFUSED.

Best regards,
Wouter

On 25/07/18 14:19, Tristan Pilat wrote:
> zone:
>     name: "11.10.10.in-addr.arpa"
>     zonefile: "%s"
>     include-pattern: "talktoslave"
>
> zone:
>     name: "doe.com-internal"
>     zonefile: "%s"
>     include-pattern: "talktoslave"
On 25/07/2018 14:19, Tristan Pilat wrote:

Hi Tristan,

> zone:
>     name: "doe.com-internal"
>     zonefile: "%s"
>     include-pattern: "talktoslave"

In your NSD config, you've defined a zone called "doe.com-internal". So when NSD receives a query for "doe.com", it doesn't know this zone, and returns a REFUSED response. Change that "name" parameter to "doe.com".

Regards,
Anand
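Both replies come down to the same rule: the name in an Unbound stub-zone must be exactly the name NSD serves, because NSD answers REFUSED for any zone it does not host, and Unbound discards a REFUSED from a stub (the "THROWAWAY" in the log) and hands the client SERVFAIL. The script below is an added example written for this page, not code from the thread or from NLnet Labs. It assumes both config files use the one-key-per-indented-line layout shown above (a `#` inside a quoted value is not handled), works on constructed excerpts of the two configs rather than the poster's files, and its `ask()` helper, which queries the authoritative port directly, is an assumption about the network and is not run offline. The first check catches the "doe.com-internal" versus "doe.com" mismatch from the configs alone; the second decodes the rcode of a raw reply so a REFUSED can be seen at the NSD port without turning Unbound's verbosity up to 5.

```python
"""Cross-check Unbound stub-zones against the zones NSD serves, and read the
rcode out of a raw DNS reply so a REFUSED from the authoritative port is
recognised before it surfaces as SERVFAIL at the resolver."""
import socket
import struct

# Constructed excerpts (not the poster's files verbatim): NSD names its zone
# "doe.com-internal" while Unbound stubs "doe.com".
UNBOUND_CONF = """\
server:
    interface: 10.10.11.13
stub-zone:
    name: "11.10.10.in-addr.arpa"
    stub-addr: 10.10.11.13@5353
stub-zone:
    name: "doe.com"
    stub-addr: 10.10.11.13@5353
"""

NSD_CONF = """\
server:
    ip-address: 10.10.11.13@5353
zone:
    name: "11.10.10.in-addr.arpa"
    zonefile: "%s"
zone:
    name: "doe.com-internal"
    zonefile: "%s"
"""

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
          4: "NOTIMP", 5: "REFUSED"}


def _norm(name):
    """Drop quotes, the trailing dot and case so zone names compare equal."""
    return name.strip().strip('"').rstrip(".").lower()


def _blocks(conf, kind):
    """Yield the key/value pairs of every top-level `kind:` block.
    Assumes keys are indented under their block header (see lead-in)."""
    cur = None
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():            # unindented: a new block header
            if cur is not None:
                yield cur
            cur = {} if line.strip() == kind + ":" else None
            continue
        if cur is not None:
            key, _, val = line.strip().partition(":")
            cur[key.strip()] = val.strip()
    if cur is not None:
        yield cur


def nsd_zones(conf):
    """Set of zone names an nsd.conf actually hosts."""
    return {_norm(b["name"]) for b in _blocks(conf, "zone") if "name" in b}


def unbound_stubs(conf):
    """Map stub-zone name -> stub-addr from an unbound.conf."""
    return {_norm(b["name"]): b.get("stub-addr", "")
            for b in _blocks(conf, "stub-zone") if "name" in b}


def unserved_stubs(unbound_conf, nsd_conf):
    """Stub-zone names Unbound will send to NSD that NSD does not host;
    NSD answers REFUSED for these, which Unbound throws away -> SERVFAIL."""
    served = nsd_zones(nsd_conf)
    return sorted(n for n in unbound_stubs(unbound_conf) if n not in served)


def build_query(qname, qtype=1, qid=0x1234):
    """Minimal DNS query: 12-byte header, one question, no EDNS, RD clear
    (an authoritative server is asked non-recursively)."""
    labels = b"".join(bytes([len(lab)]) + lab.encode("ascii")
                      for lab in qname.rstrip(".").split("."))
    return (struct.pack("!HHHHHH", qid, 0, 1, 0, 0, 0)
            + labels + b"\x00" + struct.pack("!HH", qtype, 1))


def response_rcode(wire):
    """Name of the rcode carried in the low 4 bits of a reply's flags word."""
    if len(wire) < 12:
        raise ValueError("short DNS message")
    _, flags = struct.unpack("!HH", wire[:4])
    if not flags & 0x8000:                   # QR bit clear: not a response
        raise ValueError("not a response")
    return RCODES.get(flags & 0x000F, str(flags & 0x000F))


def ask(server, port, qname, timeout=2.0):
    """Send build_query() over UDP and return the reply's rcode name.
    Network helper (assumed reachable NSD); not exercised offline."""
    q = build_query(qname)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, port))
        data, _ = s.recvfrom(4096)
    if data[:2] != q[:2]:
        raise ValueError("mismatched query id")
    return response_rcode(data)


# Constructed reply modelled on the scrubbed packet in the log: QR set,
# rcode 5 (REFUSED), question echoed, no records in any other section.
REFUSED_REPLY = (struct.pack("!HHHHHH", 0x1234, 0x8005, 1, 0, 0, 0)
                 + build_query("john.doe.com")[12:])

if __name__ == "__main__":
    print("stub zones NSD does not serve:", unserved_stubs(UNBOUND_CONF, NSD_CONF))
    print("rcode of constructed reply:", response_rcode(REFUSED_REPLY))
    # Live check against the NSD port (uncomment on a host that can reach it):
    # print(ask("10.10.11.13", 5353, "john.doe.com"))
```

Run it as part of a config deploy or from a cron job on the resolver: a non-empty list from `unserved_stubs()` is the bug in this thread before any client sees a SERVFAIL, and `ask()` against port 5353 tells REFUSED (zone not hosted) apart from NXDOMAIN (zone hosted, name absent) in one round trip.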