Dmitry Morozovsky
2014-Jun-29 11:28 UTC
stable/10: unbound refuses to forward some DNS queries
Dear colleagues,
after upgrading my home file server to stable/10 I found that after turning on
local unbound reverse DNS queries for my RFC1918 zone stop working:
root at hamster:/# host 192.168.33.1
1.33.168.192.in-addr.arpa domain name pointer jennie.wpub.woozle.net.
root at hamster:/# host 192.168.33.1 127.1
Using domain server:
Name: 127.1
Address: 127.0.0.1#53
Aliases:
Host 1.33.168.192.in-addr.arpa not found: 3(NXDOMAIN)
Moreover, turning on unbound verbosity, I do not actually see right queries in
outgoing interface:
root at hamster:/# tcpdump -nvvilo0 port 53
tcpdump: listening on lo0, link-type NULL (BSD loopback), capture size 65535
bytes
15:18:39.304353 IP (tos 0x0, ttl 64, id 4862, offset 0, flags [none], proto UDP
(17), length 71, bad cksum 0 (->69a6)!)
127.0.0.1.13508 > 127.0.0.1.53: [bad udp cksum 0xfe46 -> 0xaf70!]
52525+ PTR? 1.33.168.192.in-addr.arpa. (43)
15:18:39.304400 IP (tos 0x0, ttl 64, id 4863, offset 0, flags [none], proto UDP
(17), length 130, bad cksum 0 (->696a)!)
127.0.0.1.53 > 127.0.0.1.13508: [bad udp cksum 0xfe81 -> 0x0ce5!]
52525 NXDomain* q: PTR? 1.33.168.192.in-addr.arpa. 0/1/0 ns:
168.192.in-addr.arpa. SOA localhost. nobody.invalid. 1 3600 1200 604800 10800
(102)
and no query to forward server.
configs are standard, generated by unbound setup script:
==> /var/unbound/forward.conf <=# Generated by local-unbound-setup
forward-zone:
name: .
forward-addr: 192.168.33.2
==> /var/unbound/unbound.conf <=# Generated by local-unbound-setup
server:
username: unbound
directory: /var/unbound
chroot: /var/unbound
pidfile: /var/run/local_unbound.pid
auto-trust-anchor-file: /var/unbound/root.key
include: /var/unbound/forward.conf
Any hints? Or did I missed something trivial?
--
Sincerely,
D.Marck [DM5020, MCK-RIPE, DM3-RIPN]
[ FreeBSD committer: marck at FreeBSD.org ]
------------------------------------------------------------------------
*** Dmitry Morozovsky --- D.Marck --- Wild Woozle --- marck at rinet.ru ***
------------------------------------------------------------------------
Konstantin Belousov
2014-Jun-29 14:59 UTC
stable/10: unbound refuses to forward some DNS queries
On Sun, Jun 29, 2014 at 03:28:26PM +0400, Dmitry Morozovsky wrote:> Dear colleagues, > > after upgrading my home file server to stable/10 I found that after turning on > local unbound reverse DNS queries for my RFC1918 zone stop working: > > root at hamster:/# host 192.168.33.1 > 1.33.168.192.in-addr.arpa domain name pointer jennie.wpub.woozle.net. > root at hamster:/# host 192.168.33.1 127.1 > Using domain server: > Name: 127.1 > Address: 127.0.0.1#53 > Aliases: > > Host 1.33.168.192.in-addr.arpa not found: 3(NXDOMAIN) > > Moreover, turning on unbound verbosity, I do not actually see right queries in > outgoing interface: > > root at hamster:/# tcpdump -nvvilo0 port 53 > tcpdump: listening on lo0, link-type NULL (BSD loopback), capture size 65535 bytes > 15:18:39.304353 IP (tos 0x0, ttl 64, id 4862, offset 0, flags [none], proto UDP (17), length 71, bad cksum 0 (->69a6)!) > 127.0.0.1.13508 > 127.0.0.1.53: [bad udp cksum 0xfe46 -> 0xaf70!] 52525+ PTR? 1.33.168.192.in-addr.arpa. (43) > 15:18:39.304400 IP (tos 0x0, ttl 64, id 4863, offset 0, flags [none], proto UDP (17), length 130, bad cksum 0 (->696a)!) > 127.0.0.1.53 > 127.0.0.1.13508: [bad udp cksum 0xfe81 -> 0x0ce5!] 52525 NXDomain* q: PTR? 1.33.168.192.in-addr.arpa. 0/1/0 ns: 168.192.in-addr.arpa. SOA localhost. nobody.invalid. 1 3600 1200 604800 10800 (102) > > and no query to forward server. > > configs are standard, generated by unbound setup script: > > ==> /var/unbound/forward.conf <=> # Generated by local-unbound-setup > forward-zone: > name: . > forward-addr: 192.168.33.2 > > ==> /var/unbound/unbound.conf <=> # Generated by local-unbound-setup > server: > username: unbound > directory: /var/unbound > chroot: /var/unbound > pidfile: /var/run/local_unbound.pid > auto-trust-anchor-file: /var/unbound/root.key > > include: /var/unbound/forward.conf > > Any hints? Or did I missed something trivial?I think, yes, you are supposed to spend a hour reading the unbound.conf man page, without skipping of a single config option. Otherwise, making unbound(8) work as local caching resolver for the private network is impossible. The 'log-queries' and 'verbosity' would allow to see what is going on. For the fake home. TLD and 192.168/16 network, I have to tell unbound that the zones are not signed, and it is fine to forward RFC1918 addresses to the upstream. I use the following magic (for upstream forwarder 192.168.102.80). No idea if this could be simplified. domain-insecure: "home." domain-insecure: "168.192.in-addr.arpa." private-domain: "home." local-zone: "168.192.in-addr.arpa." transparent stub-zone: name: "168.192.in-addr.arpa." stub-addr: 192.168.102.80 -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 819 bytes Desc: not available URL: <http://lists.freebsd.org/pipermail/freebsd-stable/attachments/20140629/701e6ac1/attachment.sig>