<div dir="ltr"><div>Hello,</div><div>We install unbound as a local caching DNS server on all our hosts. By doing this, we prevent our AD DNS servers from getting pounded by requests. It's been working well for the most part. But on one host, sometimes unbound will not resolve a CNAME for a host which exists in another domain. Often DNS lookups work, but infrequently they don't, just on this particular CNAME. I'm wondering why. Can you give me any clues? I've added what I know below. Let me know if I've missed anything. Thanks.<br></div><br>We have two domains. Let's call them <a href="http://ouroffice.com">ouroffice.com</a> and <a href="http://ouroffice.hk">ouroffice.hk</a>. The problem is on an Asian host. Here's their /etc/resolv.conf; note that 10.20.80.12 and .13 are local DNS/AD servers:<br><div><pre>domain ouroffice.hk
search ouroffice.hk ouroffice.com
nameserver 127.0.0.1
nameserver 10.20.80.12
nameserver 10.20.80.13
# failover control
options timeout:2 attempts:2</pre></div>


I have logging turned up on unbound and here is what a successful query looks like:<br><div><pre>2021-10-20T03:30:50.341449+08:00 host1shortname unbound: [43588:0] info: resolving Some-file_transfer_server.ouroffice.hk. A IN
2021-10-20T03:30:50.341466+08:00 host1shortname unbound: [43588:0] info: use stub ouroffice.hk. NS IN
2021-10-20T03:30:50.341470+08:00 host1shortname unbound: [43588:0] info: use stub ouroffice.hk. NS IN
2021-10-20T03:30:50.341765+08:00 host1shortname unbound: [43588:0] info: response for Some-file_transfer_server.ouroffice.hk. A IN
2021-10-20T03:30:50.341773+08:00 host1shortname unbound: [43588:0] info: reply from &lt;ouroffice.hk.&gt; 10.20.80.13#53
2021-10-20T03:30:50.341777+08:00 host1shortname unbound: [43588:0] info: query response was CNAME
2021-10-20T03:30:50.341789+08:00 host1shortname unbound: [43588:0] info: resolving Some-file_transfer_server.ouroffice.hk. A IN
2021-10-20T03:30:50.341951+08:00 host1shortname unbound: [43588:0] info: response for Some-file_transfer_server.ouroffice.hk. A IN
2021-10-20T03:30:50.341956+08:00 host1shortname unbound: [43588:0] info: reply from &lt;.&gt; 10.20.80.13#53
2021-10-20T03:30:50.341959+08:00 host1shortname unbound: [43588:0] info: query response was NXDOMAIN ANSWER
2021-10-20T03:30:50.342138+08:00 host1shortname unbound: [43588:0] info: resolving Some-file_transfer_server.ouroffice.com. A IN
2021-10-20T03:30:50.342268+08:00 host1shortname unbound: [43588:0] info: response for Some-file_transfer_server.ouroffice.com. A IN
2021-10-20T03:30:50.342273+08:00 host1shortname unbound: [43588:0] info: reply from &lt;.&gt; 10.20.80.13#53
2021-10-20T03:30:50.342276+08:00 host1shortname unbound: [43588:0] info: query response was CNAME
2021-10-20T03:30:50.342281+08:00 host1shortname unbound: [43588:0] info: resolving Some-file_transfer_server.ouroffice.com. A IN
2021-10-20T03:30:50.342421+08:00 host1shortname unbound: [43588:0] info: response for Some-file_transfer_server.ouroffice.com. A IN
2021-10-20T03:30:50.342428+08:00 host1shortname unbound: [43588:0] info: reply from &lt;.&gt; 10.20.80.12#53
2021-10-20T03:30:50.342432+08:00 host1shortname unbound: [43588:0] info: query response was ANSWER
2021-10-20T03:30:50.342646+08:00 host1shortname unbound: [43588:0] info: resolving ahost2.ouroffice.com. AAAA IN
2021-10-20T03:30:50.342768+08:00 host1shortname unbound: [43588:0] info: response for ahost2.ouroffice.com. AAAA IN
2021-10-20T03:30:50.342774+08:00 host1shortname unbound: [43588:0] info: reply from &lt;.&gt; 10.20.80.12#53
2021-10-20T03:30:50.342777+08:00 host1shortname unbound: [43588:0] info: query response was nodata ANSWER
2021-10-20T03:30:50.342852+08:00 host1shortname unbound: [43588:0] info: resolving ahost2.ouroffice.com. MX IN
2021-10-20T03:30:50.342940+08:00 host1shortname unbound: [43588:0] info: response for ahost2.ouroffice.com. MX IN
2021-10-20T03:30:50.342945+08:00 host1shortname unbound: [43588:0] info: reply from &lt;.&gt; 10.20.80.12#53
2021-10-20T03:30:50.342947+08:00 host1shortname unbound: [43588:0] info: query response was nodata ANSWER</pre></div>
Here is a failed lookup:<br><div><pre>2021-10-20T21:23:06.724658+08:00 host1shortname unbound: [43588:0] info: resolving Some-file_transfer_server.ouroffice.hk. A IN
2021-10-20T21:23:06.724669+08:00 host1shortname unbound: [43588:0] info: use stub ouroffice.hk. NS IN
2021-10-20T21:23:06.724673+08:00 host1shortname unbound: [43588:0] info: use stub ouroffice.hk. NS IN
2021-10-20T21:23:06.724994+08:00 host1shortname unbound: [43588:0] info: response for Some-file_transfer_server.ouroffice.hk. A IN
2021-10-20T21:23:06.725002+08:00 host1shortname unbound: [43588:0] info: reply from &lt;ouroffice.hk.&gt; 10.20.80.13#53
2021-10-20T21:23:06.725005+08:00 host1shortname unbound: [43588:0] info: query response was CNAME
2021-10-20T21:23:06.725012+08:00 host1shortname unbound: [43588:0] info: resolving Some-file_transfer_server.ouroffice.hk. A IN
2021-10-20T21:23:06.725174+08:00 host1shortname unbound: [43588:0] info: response for Some-file_transfer_server.ouroffice.hk. A IN
2021-10-20T21:23:06.725185+08:00 host1shortname unbound: [43588:0] info: reply from &lt;.&gt; 10.20.80.12#53
2021-10-20T21:23:06.725188+08:00 host1shortname unbound: [43588:0] info: query response was NXDOMAIN ANSWER</pre></div>
Here is our unbound.conf:<br><div><pre>#============================================================================
server:
        verbosity: 0
        statistics-interval: 600
        statistics-cumulative: no
        extended-statistics: yes
        num-threads: 4
        interface: 127.0.0.1
        interface-automatic: no
        cache-min-ttl: 60
        cache-max-ttl: 1800
        cache-max-negative-ttl: 1800
        do-ip6: no
        do-udp: yes
        do-tcp: yes
        access-control: 127.0.0.0/8 allow_snoop
        access-control: 10.0.0.0/8 deny
        chroot: ""
        username: "unbound"
        directory: "/etc/unbound"
        use-syslog: yes
        log-time-ascii: yes
        pidfile: "/var/run/unbound/unbound.pid"
        harden-glue: no
        harden-dnssec-stripped: no
        harden-below-nxdomain: no
        harden-referral-path: no
        unwanted-reply-threshold: 10000000
        prefetch: yes
        prefetch-key: yes
        rrset-roundrobin: yes
        minimal-responses: yes
        module-config: "validator iterator"
        trusted-keys-file: /etc/unbound/keys.d/*.key
        auto-trust-anchor-file: "/var/lib/unbound/root.key"
        # Ignore chain of trust. Domain is treated as insecure.
        domain-insecure: "ouroffice.com"
        domain-insecure: "ouroffice.hk"
        val-override-date: "0"
        val-clean-additional: yes
        val-permissive-mode: no
        val-log-level: 1
        include: /etc/unbound/local.d/*.conf
python:
remote-control:
        control-enable: yes
        server-key-file: "/etc/unbound/unbound_server.key"
        server-cert-file: "/etc/unbound/unbound_server.pem"
        control-key-file: "/etc/unbound/unbound_control.key"
        control-cert-file: "/etc/unbound/unbound_control.pem"
# Stub and Forward zones
include: /etc/unbound/conf.d/*.conf

# Stub zones.

stub-zone:
        name: "ouroffice.hk"
        stub-addr: 10.20.80.12
        stub-addr: 10.20.80.13
        stub-prime: no
        stub-first: no
#1.6    stub-ssl-upstream: no

# Forward zones
forward-zone:
        name: "."
        forward-addr: 10.20.80.12
        forward-addr: 10.20.80.13
#1.6    forward-first: yes
#1.6    forward-ssl-upstream: no
#============================================================================</pre></div>
Here is an included local.conf file from /etc/unbound/local.d/*.conf:<br><div><pre>local-zone: "10.in-addr.arpa." nodefault
domain-insecure: "10.in-addr.arpa."
local-zone: "16.172.in-addr.arpa." nodefault
domain-insecure: "16.172.in-addr.arpa."
local-zone: "17.172.in-addr.arpa." nodefault
domain-insecure: "17.172.in-addr.arpa."
local-zone: "18.172.in-addr.arpa." nodefault
domain-insecure: "18.172.in-addr.arpa."
local-zone: "19.172.in-addr.arpa." nodefault
domain-insecure: "19.172.in-addr.arpa."
local-zone: "20.172.in-addr.arpa." nodefault
domain-insecure: "20.172.in-addr.arpa."
local-zone: "21.172.in-addr.arpa." nodefault
domain-insecure: "21.172.in-addr.arpa."
local-zone: "22.172.in-addr.arpa." nodefault
domain-insecure: "22.172.in-addr.arpa."
local-zone: "23.172.in-addr.arpa." nodefault
domain-insecure: "23.172.in-addr.arpa."
local-zone: "24.172.in-addr.arpa." nodefault
domain-insecure: "24.172.in-addr.arpa."
local-zone: "25.172.in-addr.arpa." nodefault
domain-insecure: "25.172.in-addr.arpa."
local-zone: "26.172.in-addr.arpa." nodefault
domain-insecure: "26.172.in-addr.arpa."
local-zone: "27.172.in-addr.arpa." nodefault
domain-insecure: "27.172.in-addr.arpa."
local-zone: "28.172.in-addr.arpa." nodefault
domain-insecure: "28.172.in-addr.arpa."
local-zone: "29.172.in-addr.arpa." nodefault
domain-insecure: "29.172.in-addr.arpa."
local-zone: "30.172.in-addr.arpa." nodefault
domain-insecure: "30.172.in-addr.arpa."
local-zone: "31.172.in-addr.arpa." nodefault
domain-insecure: "31.172.in-addr.arpa."
local-zone: "168.192.in-addr.arpa." nodefault
domain-insecure: "168.192.in-addr.arpa."</pre></div>
-- <br><div dir="ltr" class="gmail_signature" data-smartmail="gmail_signature">-Mike Schwager</div></div>
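The two log excerpts in the post are the key evidence, and the useful comparison is the chain of steps unbound took for each lookup rather than the raw lines. The Python below is an added example, not part of the post and not an unbound tool: it parses unbound's info-level log lines into one record per "resolving" line, noting which upstream replied, which zone unbound attributed the reply to ("." is the forward-zone, "ouroffice.hk." the stub-zone), and the response kind, then flags the pattern where a CNAME answer is immediately followed by an NXDOMAIN for the same logged name. The embedded log lines are copied from the post (the trailing AAAA/MX lookups of the successful run are omitted); the function names and the check are this example's own.

```python
"""Reconstruct unbound's per-lookup resolution chain from its info-level log.
Added example (not from the post, not an unbound utility)."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# syslog form: "<ts> <host> unbound: [<pid>:<thread>] <level>: <msg>"
LINE_RE = re.compile(r"^\S+ \S+ unbound: \[\d+:\d+\] (?P<level>\w+): (?P<msg>.*)$")
RESOLVING_RE = re.compile(r"^resolving (?P<name>\S+) (?P<qtype>\S+) IN$")
REPLY_RE = re.compile(r"^reply from <(?P<zone>[^>]*)> (?P<addr>[^#]+)#\d+$")
RESPONSE_RE = re.compile(r"^query response was (?P<kind>.+)$")


@dataclass
class Step:
    name: str                     # qname exactly as logged
    qtype: str                    # A, AAAA, MX, ...
    server: Optional[str] = None  # upstream address that answered
    zone: Optional[str] = None    # "." = forward-zone, anything else = a stub-zone
    kind: Optional[str] = None    # CNAME, ANSWER, NXDOMAIN ANSWER, nodata ANSWER


def parse_steps(lines: List[str]) -> List[Step]:
    """One Step per 'resolving' line, filled in by the reply/response lines after it."""
    steps: List[Step] = []
    cur: Optional[Step] = None
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m["level"] != "info":
            continue
        msg = m["msg"]
        if (r := RESOLVING_RE.match(msg)):
            cur = Step(r["name"], r["qtype"])
            steps.append(cur)
        elif cur is not None and (r := REPLY_RE.match(msg)):
            cur.server, cur.zone = r["addr"], r["zone"]
        elif cur is not None and (r := RESPONSE_RE.match(msg)):
            cur.kind = r["kind"]
        # "use stub" and "response for" lines add nothing here and are skipped
    return steps


def cname_then_nxdomain(steps: List[Step]) -> List[Tuple[Step, Step]]:
    """Consecutive steps where a CNAME answer is followed by NXDOMAIN for the same logged name."""
    return [(a, b) for a, b in zip(steps, steps[1:])
            if a.kind == "CNAME" and b.name == a.name and (b.kind or "").startswith("NXDOMAIN")]


def names_queried(steps: List[Step]) -> List[str]:
    return sorted({s.name for s in steps})


# Log excerpts copied from the post (AAAA/MX tail of the successful run omitted).
SUCCESS_LOG = """\
2021-10-20T03:30:50.341449+08:00 host1shortname unbound: [43588:0] info: resolving Some-file_transfer_server.ouroffice.hk. A IN
2021-10-20T03:30:50.341466+08:00 host1shortname unbound: [43588:0] info: use stub ouroffice.hk. NS IN
2021-10-20T03:30:50.341470+08:00 host1shortname unbound: [43588:0] info: use stub ouroffice.hk. NS IN
2021-10-20T03:30:50.341765+08:00 host1shortname unbound: [43588:0] info: response for Some-file_transfer_server.ouroffice.hk. A IN
2021-10-20T03:30:50.341773+08:00 host1shortname unbound: [43588:0] info: reply from <ouroffice.hk.> 10.20.80.13#53
2021-10-20T03:30:50.341777+08:00 host1shortname unbound: [43588:0] info: query response was CNAME
2021-10-20T03:30:50.341789+08:00 host1shortname unbound: [43588:0] info: resolving Some-file_transfer_server.ouroffice.hk. A IN
2021-10-20T03:30:50.341951+08:00 host1shortname unbound: [43588:0] info: response for Some-file_transfer_server.ouroffice.hk. A IN
2021-10-20T03:30:50.341956+08:00 host1shortname unbound: [43588:0] info: reply from <.> 10.20.80.13#53
2021-10-20T03:30:50.341959+08:00 host1shortname unbound: [43588:0] info: query response was NXDOMAIN ANSWER
2021-10-20T03:30:50.342138+08:00 host1shortname unbound: [43588:0] info: resolving Some-file_transfer_server.ouroffice.com. A IN
2021-10-20T03:30:50.342268+08:00 host1shortname unbound: [43588:0] info: response for Some-file_transfer_server.ouroffice.com. A IN
2021-10-20T03:30:50.342273+08:00 host1shortname unbound: [43588:0] info: reply from <.> 10.20.80.13#53
2021-10-20T03:30:50.342276+08:00 host1shortname unbound: [43588:0] info: query response was CNAME
2021-10-20T03:30:50.342281+08:00 host1shortname unbound: [43588:0] info: resolving Some-file_transfer_server.ouroffice.com. A IN
2021-10-20T03:30:50.342421+08:00 host1shortname unbound: [43588:0] info: response for Some-file_transfer_server.ouroffice.com. A IN
2021-10-20T03:30:50.342428+08:00 host1shortname unbound: [43588:0] info: reply from <.> 10.20.80.12#53
2021-10-20T03:30:50.342432+08:00 host1shortname unbound: [43588:0] info: query response was ANSWER
""".splitlines()

FAILURE_LOG = """\
2021-10-20T21:23:06.724658+08:00 host1shortname unbound: [43588:0] info: resolving Some-file_transfer_server.ouroffice.hk. A IN
2021-10-20T21:23:06.724669+08:00 host1shortname unbound: [43588:0] info: use stub ouroffice.hk. NS IN
2021-10-20T21:23:06.724673+08:00 host1shortname unbound: [43588:0] info: use stub ouroffice.hk. NS IN
2021-10-20T21:23:06.724994+08:00 host1shortname unbound: [43588:0] info: response for Some-file_transfer_server.ouroffice.hk. A IN
2021-10-20T21:23:06.725002+08:00 host1shortname unbound: [43588:0] info: reply from <ouroffice.hk.> 10.20.80.13#53
2021-10-20T21:23:06.725005+08:00 host1shortname unbound: [43588:0] info: query response was CNAME
2021-10-20T21:23:06.725012+08:00 host1shortname unbound: [43588:0] info: resolving Some-file_transfer_server.ouroffice.hk. A IN
2021-10-20T21:23:06.725174+08:00 host1shortname unbound: [43588:0] info: response for Some-file_transfer_server.ouroffice.hk. A IN
2021-10-20T21:23:06.725185+08:00 host1shortname unbound: [43588:0] info: reply from <.> 10.20.80.12#53
2021-10-20T21:23:06.725188+08:00 host1shortname unbound: [43588:0] info: query response was NXDOMAIN ANSWER
""".splitlines()

if __name__ == "__main__":
    for label, log in (("successful", SUCCESS_LOG), ("failed", FAILURE_LOG)):
        steps = parse_steps(log)
        print(f"{label} lookup: {len(steps)} steps, names {names_queried(steps)}")
        for s in steps:
            print(f"  {s.qtype:<4} {s.name:<45} via zone {s.zone!r} {s.server}: {s.kind}")
        for a, b in cname_then_nxdomain(steps):
            print(f"  ! CNAME from {a.server} then NXDOMAIN from {b.server} for {a.name}")
```

Run on the two excerpts, the parser shows that both begin with the same two steps: a CNAME from 10.20.80.13 through the ouroffice.hk stub-zone, then an NXDOMAIN through the "." forward-zone (from .13 in the successful run, .12 in the failed one). The successful run then continues with a lookup of the ouroffice.com name and gets an ANSWER from 10.20.80.12; the failed run stops after the NXDOMAIN. Separating what unbound did per step from what the client asked for next (the resolv.conf search line lists both domains) is the first thing to establish before looking at the stub-zone/forward-zone configuration.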