stable/10: unbound refuses to forward some DNS queries

Konstantin Belousov kostikbel at gmail.com
Sun Jun 29 14:59:12 UTC 2014


On Sun, Jun 29, 2014 at 03:28:26PM +0400, Dmitry Morozovsky wrote:
> Dear colleagues,
> 
> after upgrading my home file server to stable/10 I found that after turning on 
> local unbound reverse DNS queries for my RFC1918 zone stop working:
> 
> root at hamster:/# host 192.168.33.1
> 1.33.168.192.in-addr.arpa domain name pointer jennie.wpub.woozle.net.
> root at hamster:/# host 192.168.33.1 127.1
> Using domain server:
> Name: 127.1
> Address: 127.0.0.1#53
> Aliases:
> 
> Host 1.33.168.192.in-addr.arpa not found: 3(NXDOMAIN)
> 
> Moreover, turning on unbound verbosity, I do not actually see right queries in 
> outgoing interface:
> 
> root at hamster:/# tcpdump -nvvilo0 port 53
> tcpdump: listening on lo0, link-type NULL (BSD loopback), capture size 65535 bytes
> 15:18:39.304353 IP (tos 0x0, ttl 64, id 4862, offset 0, flags [none], proto UDP (17), length 71, bad cksum 0 (->69a6)!)
>     127.0.0.1.13508 > 127.0.0.1.53: [bad udp cksum 0xfe46 -> 0xaf70!] 52525+ PTR? 1.33.168.192.in-addr.arpa. (43)
> 15:18:39.304400 IP (tos 0x0, ttl 64, id 4863, offset 0, flags [none], proto UDP (17), length 130, bad cksum 0 (->696a)!)
>     127.0.0.1.53 > 127.0.0.1.13508: [bad udp cksum 0xfe81 -> 0x0ce5!] 52525 NXDomain* q: PTR? 1.33.168.192.in-addr.arpa. 0/1/0 ns: 168.192.in-addr.arpa. SOA localhost. nobody.invalid. 1 3600 1200 604800 10800 (102)
> 
> and no query to forward server.
> 
> configs are standard, generated by unbound setup script:
> 
> ==> /var/unbound/forward.conf <==
> # Generated by local-unbound-setup
> forward-zone:
>         name: .
>         forward-addr: 192.168.33.2
> 
> ==> /var/unbound/unbound.conf <==
> # Generated by local-unbound-setup
> server:
>         username: unbound
>         directory: /var/unbound
>         chroot: /var/unbound
>         pidfile: /var/run/local_unbound.pid
>         auto-trust-anchor-file: /var/unbound/root.key
> 
> include: /var/unbound/forward.conf
> 
> Any hints? Or did I miss something trivial?

I think, yes, you are supposed to spend an hour reading the unbound.conf
man page, without skipping a single config option.  Otherwise,
making unbound(8) work as a local caching resolver for the private
network is impossible.  The 'log-queries' and 'verbosity' options would
allow you to see what is going on.

For the fake home. TLD and the 192.168/16 network, I have to tell
unbound that the zones are not signed, and that it is fine to forward
RFC1918 addresses to the upstream.

I use the following magic (for upstream forwarder 192.168.102.80).
No idea if this could be simplified.

	domain-insecure: "home."
	domain-insecure: "168.192.in-addr.arpa."
	private-domain: "home."
	local-zone: "168.192.in-addr.arpa." transparent
	stub-zone:
		name:	"168.192.in-addr.arpa."
		stub-addr:	192.168.102.80

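An added example, not from the thread or from unbound itself: a small Python checker that parses unbound.conf syntax and reports, for the RFC1918 reverse zones, the two conditions the snippet above addresses: no local-zone overriding the built-in default (the local NXDOMAIN with the localhost./nobody.invalid. SOA seen in the tcpdump), and DNSSEC validation enabled without domain-insecure. The parser and the sample config are my own constructions (the sample is the generated config from the report with forward.conf merged in), and the list of local-zone types treated as blocking is my assumption.

```python
RFC1918_REVERSE = ("10.in-addr.arpa.", "168.192.in-addr.arpa.",
                   *(f"{i}.172.in-addr.arpa." for i in range(16, 32)))
# local-zone types that answer locally and never consult a forwarder (assumed list)
BLOCKING = {"static", "refuse", "deny", "always_nxdomain", "always_refuse"}
VALIDATION_KEYS = {"auto-trust-anchor-file", "trust-anchor-file", "trust-anchor"}

def parse_unbound_conf(text):
    """unbound.conf text -> [(clause, [(key, value), ...])]; an unindented 'name:'
    opens a clause, an unindented 'key: value' (such as include:) stands alone."""
    clauses, current = [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        key, _, value = (s.strip() for s in line.strip().partition(":"))
        if not raw[0].isspace():
            current = (key, [(key, value)] if value else [])
            clauses.append(current)
        elif current is not None:
            current[1].append((key, value))
    return clauses

def zone_name(value):
    """First token of an option value, unquoted, lowercased, with a trailing dot."""
    return value.split()[0].strip('"').lower().rstrip(".") + "."

def check_private_reverse(text, zones=RFC1918_REVERSE):
    """Return {zone: [problem, ...]} for reverse zones that unbound would answer
    itself or fail to validate instead of passing to the forwarder."""
    server = [kv for c, kvs in parse_unbound_conf(text) if c == "server" for kv in kvs]
    permissive = {zone_name(v) for k, v in server
                  if k == "local-zone" and v and v.split()[-1].lower() not in BLOCKING}
    insecure = {zone_name(v) for k, v in server if k == "domain-insecure" and v}
    validating = any(k in VALIDATION_KEYS for k, _ in server)
    problems = {}
    for zone in zones:
        found = []
        if zone not in permissive:  # built-in static zone: the NXDOMAIN/SOA seen in tcpdump
            found.append("no transparent/nodefault local-zone; default answers NXDOMAIN")
        if validating and zone not in insecure:
            found.append("DNSSEC validation is on but the zone is not domain-insecure")
        if found:
            problems[zone] = found
    return problems

# Constructed sample: the local-unbound-setup config from the report, forward.conf merged in.
REPORTED_CONF = ("server:\n    auto-trust-anchor-file: /var/unbound/root.key\n"
                 "forward-zone:\n    name: .\n    forward-addr: 192.168.33.2\n")
if __name__ == "__main__":
    print(check_private_reverse(REPORTED_CONF, ["168.192.in-addr.arpa."]))
```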

