stable/10: unbound refuses to forward some DNS queries
Konstantin Belousov
kostikbel at gmail.com
Sun Jun 29 14:59:12 UTC 2014
On Sun, Jun 29, 2014 at 03:28:26PM +0400, Dmitry Morozovsky wrote:
> Dear colleagues,
>
> after upgrading my home file server to stable/10 I found that after turning on
> local unbound reverse DNS queries for my RFC1918 zone stop working:
>
> root at hamster:/# host 192.168.33.1
> 1.33.168.192.in-addr.arpa domain name pointer jennie.wpub.woozle.net.
> root at hamster:/# host 192.168.33.1 127.1
> Using domain server:
> Name: 127.1
> Address: 127.0.0.1#53
> Aliases:
>
> Host 1.33.168.192.in-addr.arpa not found: 3(NXDOMAIN)
>
> Moreover, turning on unbound verbosity, I do not actually see right queries in
> outgoing interface:
>
> root at hamster:/# tcpdump -nvvilo0 port 53
> tcpdump: listening on lo0, link-type NULL (BSD loopback), capture size 65535 bytes
> 15:18:39.304353 IP (tos 0x0, ttl 64, id 4862, offset 0, flags [none], proto UDP (17), length 71, bad cksum 0 (->69a6)!)
> 127.0.0.1.13508 > 127.0.0.1.53: [bad udp cksum 0xfe46 -> 0xaf70!] 52525+ PTR? 1.33.168.192.in-addr.arpa. (43)
> 15:18:39.304400 IP (tos 0x0, ttl 64, id 4863, offset 0, flags [none], proto UDP (17), length 130, bad cksum 0 (->696a)!)
> 127.0.0.1.53 > 127.0.0.1.13508: [bad udp cksum 0xfe81 -> 0x0ce5!] 52525 NXDomain* q: PTR? 1.33.168.192.in-addr.arpa. 0/1/0 ns: 168.192.in-addr.arpa. SOA localhost. nobody.invalid. 1 3600 1200 604800 10800 (102)
>
> and no query to forward server.
>
> configs are standard, generated by unbound setup script:
>
> ==> /var/unbound/forward.conf <==
> # Generated by local-unbound-setup
> forward-zone:
> name: .
> forward-addr: 192.168.33.2
>
> ==> /var/unbound/unbound.conf <==
> # Generated by local-unbound-setup
> server:
> username: unbound
> directory: /var/unbound
> chroot: /var/unbound
> pidfile: /var/run/local_unbound.pid
> auto-trust-anchor-file: /var/unbound/root.key
>
> include: /var/unbound/forward.conf
>
> Any hints? Or did I missed something trivial?
I think, yes, you are supposed to spend a hour reading the unbound.conf
man page, without skipping of a single config option. Otherwise,
making unbound(8) work as local caching resolver for the private
network is impossible. The 'log-queries' and 'verbosity' would
allow to see what is going on.
For the fake home. TLD and 192.168/16 network, I have to tell
unbound that the zones are not signed, and it is fine to forward
RFC1918 addresses to the upstream.
I use the following magic (for upstream forwarder 192.168.102.80).
No idea if this could be simplified.
domain-insecure: "home."
domain-insecure: "168.192.in-addr.arpa."
private-domain: "home."
local-zone: "168.192.in-addr.arpa." transparent
stub-zone:
name: "168.192.in-addr.arpa."
stub-addr: 192.168.102.80
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 819 bytes
Desc: not available
URL: <http://lists.freebsd.org/pipermail/freebsd-stable/attachments/20140629/701e6ac1/attachment.sig>
More information about the freebsd-stable
mailing list