Ken.Hendrickson at L3Harris.com
2020-Jul-10 00:34 UTC
[nsd-users] Unbound Problems (Reverse Direction)
The unbound-users at lists.nlnetlabs.nl mailing list is completely blocking me,
and preventing me from asking for help. So I am posting my question again here,
even though it is really about unbound, and not about nsd.

NSD is working in both directions.
Unbound is only working in the forward direction.

Here is proof that both Unbound and NSD are working in the forward direction:
------------------------------------------------------------------------
7 Soekris2# nslookup nas2
Server: 127.0.0.1
Address: 127.0.0.1#53

Non-authoritative answer:
Name: nas2.Foo.Bar
Address: 172.24.10.2
------------------------------------------------------------------------

Here is proof that NSD is working in the reverse direction:
------------------------------------------------------------------------
8 Soekris2# nslookup
> server 127.0.0.1
Default server: 127.0.0.1
Address: 127.0.0.1#53
> set port=53053
> 172.24.10.2
Server: 127.0.0.1
Address: 127.0.0.1#53053

2.10.24.172.in-addr.arpa name = nas2.foo.bar.
------------------------------------------------------------------------

But somehow, Unbound is not working in the reverse direction:
------------------------------------------------------------------------
6 Soekris2# nslookup 172.24.10.2
Server: 127.0.0.1
Address: 127.0.0.1#53

** server can't find 2.10.24.172.in-addr.arpa: NXDOMAIN
------------------------------------------------------------------------

Here is the relevant part of my unbound.conf:
------------------------------------------------------------------------
# Use nsd to resolve local names.
# Do not send these queries to the root servers.
stub-zone:
    name: Foo.Bar.
    stub-addr: 127.0.0.1@53053
stub-zone:
    name: 10.24.172.in-addr.arpa.
    stub-addr: 127.0.0.1@53053
stub-zone:
    name: 20.24.172.in-addr.arpa.
    stub-addr: 127.0.0.1@53053
stub-zone:
    name: 30.24.172.in-addr.arpa.
    stub-addr: 127.0.0.1@53053
stub-zone:
    name: 2.168.192.in-arpa.arpa.
    stub-addr: 127.0.0.1@53053
stub-zone:
    name: 224.in-addr.arpa.
    stub-addr: 127.0.0.1@53053
stub-zone:
    name: 255.in-addr.arpa.
    stub-addr: 127.0.0.1@53053
------------------------------------------------------------------------

Any ideas? What am I still doing wrong??

NSD is listening on port 53053, and works (as proved above) for resolving in the reverse direction.

Why doesn't unbound work?

CONFIDENTIALITY NOTICE: This email and any attachments are for the sole use of the intended recipient and may contain material that is proprietary, confidential, privileged or otherwise legally protected or restricted under applicable government laws. Any review, disclosure, distributing or other use without expressed permission of the sender is strictly prohibited. If you are not the intended recipient, please contact the sender and delete all copies without reading, printing, or saving.

Hi Ken,

On 10/07/2020 02:34, Ken.Hendrickson--- via nsd-users wrote:
> The unbound-users at lists.nlnetlabs.nl mailing list is completely blocking me,
> and preventing me from asking for help. So I am posting my question again here,
> even though it is really about unbound, and not about nsd.

The unbound list got spam subscriptions and requires moderator approval
before a new subscriber can send email. This takes time, and has already
been resolved for you, i.e. that should be working now. But let me reply
to your issue, because maybe that helps straight away.

>
> NSD is working in both directions.
> Unbound is only working in the forward direction.

Nice to see that NSD is working! I think you may need the unbound option

unblock-lan-zones: yes

and perhaps also

insecure-lan-zones: yes

Unbound blocks the lan zones by default. It is to protect internet
servers from getting hit by traffic that is not really meant there.

Best regards, Wouter

>
> Here is proof that both Unbound and NSD are working in the forward direction:
> ------------------------------------------------------------------------
> 7 Soekris2# nslookup nas2
> Server: 127.0.0.1
> Address: 127.0.0.1#53
>
> Non-authoritative answer:
> Name: nas2.Foo.Bar
> Address: 172.24.10.2
> ------------------------------------------------------------------------
>
> Here is proof that NSD is working in the reverse direction:
> ------------------------------------------------------------------------
> 8 Soekris2# nslookup
>> server 127.0.0.1
> Default server: 127.0.0.1
> Address: 127.0.0.1#53
>> set port=53053
>> 172.24.10.2
> Server: 127.0.0.1
> Address: 127.0.0.1#53053
>
> 2.10.24.172.in-addr.arpa name = nas2.foo.bar.
> ------------------------------------------------------------------------
>
> But somehow, Unbound is not working in the reverse direction:
> ------------------------------------------------------------------------
> 6 Soekris2# nslookup 172.24.10.2
> Server: 127.0.0.1
> Address: 127.0.0.1#53
>
> ** server can't find 2.10.24.172.in-addr.arpa: NXDOMAIN
> ------------------------------------------------------------------------
>
> Here is the relevant part of my unbound.conf:
> ------------------------------------------------------------------------
> # Use nsd to resolve local names.
> # Do not send these queries to the root servers.
> stub-zone:
>     name: Foo.Bar.
>     stub-addr: 127.0.0.1@53053
> stub-zone:
>     name: 10.24.172.in-addr.arpa.
>     stub-addr: 127.0.0.1@53053
> stub-zone:
>     name: 20.24.172.in-addr.arpa.
>     stub-addr: 127.0.0.1@53053
> stub-zone:
>     name: 30.24.172.in-addr.arpa.
>     stub-addr: 127.0.0.1@53053
> stub-zone:
>     name: 2.168.192.in-arpa.arpa.
>     stub-addr: 127.0.0.1@53053
> stub-zone:
>     name: 224.in-addr.arpa.
>     stub-addr: 127.0.0.1@53053
> stub-zone:
>     name: 255.in-addr.arpa.
>     stub-addr: 127.0.0.1@53053
> ------------------------------------------------------------------------
>
> Any ideas? What am I still doing wrong??
>
> NSD is listening on port 53053, and works (as proved above) for resolving in the reverse direction.
>
> Why doesn't unbound work?
>
> CONFIDENTIALITY NOTICE: This email and any attachments are for the sole use of the intended recipient and may contain material that is proprietary, confidential, privileged or otherwise legally protected or restricted under applicable government laws. Any review, disclosure, distributing or other use without expressed permission of the sender is strictly prohibited. If you are not the intended recipient, please contact the sender and delete all copies without reading, printing, or saving.
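An added example, not part of the original thread and not Unbound's own code: a small checker for the situation described in the reply above. It lists stub-zone names that sit inside RFC 1918 reverse zones, which Unbound answers locally by default, unless `unblock-lan-zones: yes` or a `local-zone ... nodefault` entry for the covering zone is present. The function names, the sample configuration and the restriction to RFC 1918 zones are assumptions made for the example.

```python
# RFC 1918 reverse zones: a subset of the zones Unbound answers locally by
# default (assumption: the rest of its default list is not modelled here).
BLOCKED = ["10.in-addr.arpa", "168.192.in-addr.arpa"] + [
    f"{n}.172.in-addr.arpa" for n in range(16, 32)]

def norm(name):
    return name.strip().strip('"').rstrip(".").lower()

def covering_zone(name):
    """Return the default-blocked zone containing name, or None."""
    return next((z for z in BLOCKED if name == z or name.endswith("." + z)), None)

def shadowed_stub_zones(conf_text):
    """Return (stub name, blocking zone) pairs answered locally, not by the stub."""
    clause, unblock, nodefault, stubs = None, False, set(), []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        key, _, value = (part.strip() for part in line.partition(":"))
        if not key:
            continue
        if not value:                            # clause header such as "stub-zone:"
            clause = key
        elif clause == "server" and key == "unblock-lan-zones":
            unblock = value.lower() == "yes"
        elif clause == "server" and key == "local-zone":
            parts = value.split()
            if len(parts) == 2 and parts[1] == "nodefault":
                nodefault.add(norm(parts[0]))
        elif clause == "stub-zone" and key == "name":
            stubs.append(norm(value))
    if unblock:                                  # default LAN zones are switched off
        return []
    hits = ((s, covering_zone(s)) for s in stubs)
    return [(s, z) for s, z in hits if z and z not in nodefault]

# Constructed sample using three of the stub-zone names from the post.
SAMPLE = """
server:
stub-zone:
    name: Foo.Bar.
    stub-addr: 127.0.0.1@53053
stub-zone:
    name: 10.24.172.in-addr.arpa.
    stub-addr: 127.0.0.1@53053
stub-zone:
    name: 224.in-addr.arpa.
    stub-addr: 127.0.0.1@53053
"""
```

Calling `shadowed_stub_zones(SAMPLE)` reports the 172.24.10.x reverse zone as covered by the default `24.172.in-addr.arpa` zone; other `local-zone` types that could also override the default are not modelled.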