[nsd-users] rcode: REFUSED with NSD behind Unbound

Wouter Wijngaards wouter at nlnetlabs.nl
Wed Jul 25 12:31:20 UTC 2018


Hi Tristan,

In your nsd.conf you have a mistake in the zone name:

name: "doe.com-internal"

But that makes a zone "doe.com-internal" and not "doe.com".  Unbound queries for doe.com, and that zone is not hosted by the NSD instances, and thus it returned REFUSED.

Best regards, Wouter

On 25/07/18 14:19, Tristan Pilat wrote:
> Hi guys!
>
> I'm facing a problem with NSD behind Unbound. What I want to
> achieve is to have Unbound acting as a resolver for my LAN but
> with some stub-zones for my local zones.
>
> My setup is the following:
>
> * OpenBSD 6.3 - dns1.doe.com (master)
> Unbound listening on 10.10.11.13 at 53
> NSD listening on 10.10.11.13 at 5353
>
> * OpenBSD 6.3 - dns2.doe.com (slave)
> Unbound listening on 10.10.11.14 at 53
> NSD listening on 10.10.11.14 at 5353
>
> ## Unbound
>
> Here is my Unbound configuration:
>
> server:
>         interface: 10.10.11.13
>         interface: 127.0.0.1
>         interface: ::1
>
>         verbosity: 5
>         do-not-query-localhost: no
>
>         access-control: 0.0.0.0/0 refuse
>         access-control: 127.0.0.0/8 allow_snoop
>         access-control: 10.10.11.0/24 allow_snoop
>         access-control: ::0/0 refuse
>         access-control: ::1 allow_snoop
>
>         hide-identity: yes
>         hide-version: yes
>
>         auto-trust-anchor-file: "/var/unbound/db/root.key"
>
> local-zone: "11.10.10.in-addr.arpa" typetransparent
>
> stub-zone:
>         name: "11.10.10.in-addr.arpa"
>         stub-addr: 10.10.11.13@5353
>
> stub-zone:
>         name: "doe.com"
>         stub-addr: 10.10.11.13@5353
>
> ## NSD
>
> Here is the NSD configuration:
>
> server:
>         hide-version: yes
>         verbosity: 3
>         database: "" # disable database
>         logfile: "/var/log/nsd.log"
>
> ## bind to a specific address/port
>         ip-address: 10.10.11.13@5353
>         ip-address: 127.0.0.1@5353
>
> remote-control:
>         control-enable: yes
>         control-port: 8953
>
> ## tsig key example
> key:
>         name: "dns01.doe.com"
>         secret: "XXXXXXXXXXXXXXXXXXXXXXXXX"
>
> pattern:
>         name: "talktoslave"
>         notify: 10.10.11.14 dns01.doe.com
>         provide-xfr: 10.10.11.14 dns01.doe.com
>         outgoing-interface: 10.10.11.13
>
> zone:
>         name: "11.10.10.in-addr.arpa"
>         zonefile: "%s"
>         include-pattern: "talktoslave"
>
> zone:
>         name: "doe.com-internal"
>         zonefile: "%s"
>         include-pattern: "talktoslave"
>
> Now when I try to resolve john.doe.com:
>
> $ dig @10.10.11.13 john.doe.com
>
> ; <<>> DiG 9.4.2-P2 <<>> @10.10.11.13 john.doe.com
> ; (1 server found)
> ;; global options:  printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 16717
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0,
> ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;john.doe.com.                 IN      A
>
> ;; Query time: 11 msec
> ;; SERVER: 10.10.11.13#53(10.10.11.13)
> ;; WHEN: Wed Jul 25 07:52:41 2018
> ;; MSG SIZE  rcvd: 31
>
> And if I look into the logs I'm getting:
>
> Jul 25 06:17:56 dns01 unbound: [39653:0] info: validator operate: query john.doe.com. A IN
> Jul 25 06:17:56 dns01 unbound: [39653:0] info: resolving john.doe.com. A IN
> Jul 25 06:17:56 dns01 unbound: [39653:0] info: use stub doe.com. NS IN
> Jul 25 06:17:56 dns01 unbound: [39653:0] info: DelegationPoint<doe.com.>: 0 names (0 missing), 1 addrs (0 result, 1 avail) parentNS
> Jul 25 06:17:56 dns01 unbound: [39653:0] info: resolving (init part 2):  john.doe.com. A IN
> Jul 25 06:17:56 dns01 unbound: [39653:0] info: use stub doe.com. NS IN
> Jul 25 06:17:56 dns01 unbound: [39653:0] info: resolving (init part 3):  john.doe.com. A IN
> Jul 25 06:17:56 dns01 unbound: [39653:0] info: processQueryTargets: john.doe.com. A IN
> Jul 25 06:17:56 dns01 unbound: [39653:0] info: DelegationPoint<doe.com.>: 0 names (0 missing), 1 addrs (0 result, 1 avail) parentNS
> Jul 25 06:17:56 dns01 unbound: [39653:0] info: sending query: john.doe.com. A IN
> Jul 25 06:17:56 dns01 unbound: [39653:0] info: mesh_run: end 1 recursion states (1 with reply, 0 detached), 1 waiting replies, 1 recursion replies sent, 0 replies dropped, 0 states jostled out
> Jul 25 06:17:56 dns01 unbound: [39653:0] info: average recursion processing time 0.006881 sec
> Jul 25 06:17:56 dns01 unbound: [39653:0] info: histogram of recursion processing times
> Jul 25 06:17:56 dns01 unbound: [39653:0] info: [25%]=0 median[50%]=0 [75%]=0
> Jul 25 06:17:56 dns01 unbound: [39653:0] info: lower(secs) upper(secs) recursions
> Jul 25 06:17:56 dns01 unbound: [39653:0] info:    0.004096    0.008192 1
> Jul 25 06:17:56 dns01 unbound: [39653:0] info: 0RDd mod1 rep john.doe.com. A IN
> Jul 25 06:17:56 dns01 unbound: [39653:0] info: iterator operate: query john.doe.com. A IN
> Jul 25 06:17:56 dns01 unbound: [39653:0] info: scrub for doe.com. NS IN
> Jul 25 06:17:56 dns01 unbound: [39653:0] info: response for john.doe.com. A IN
> Jul 25 06:17:56 dns01 unbound: [39653:0] info: reply from <doe.com.> 10.10.11.13#5353
> Jul 25 06:17:56 dns01 unbound: [39653:0] info: incoming scrubbed packet: ;; ->>HEADER<<- opcode: QUERY, rcode: REFUSED, id: 0 ;; flags: qr ; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0  ;; QUESTION SECTION: john.doe.com.      IN      A  ;; ANSWER SECTION:  ;; AUTHORITY SECTION:  ;; ADDITIONAL SECTION: ;; MSG SIZE  rcvd: 31
> Jul 25 06:17:56 dns01 unbound: [39653:0] info: query response was THROWAWAY
> Jul 25 06:17:56 dns01 unbound: [39653:0] info: processQueryTargets: john.doe.com. A IN
>
> Do you guys know why I get a "rcode: REFUSED" here?
>
> Thanks,

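The mismatch Wouter points out is easy to catch before deploying: every Unbound stub-zone should be a zone (or a subdomain of a zone) that the NSD side actually serves. The script below is an added example, not code from the thread or from NSD/Unbound; it parses constructed excerpts modelled on the two configs above and reports stub-zones no NSD zone covers. It compares names label-wise, since a naive substring test would wrongly accept "doe.com" against "doe.com-internal".

```python
import re

# Constructed excerpts mirroring the thread's two configs (not the full files).
UNBOUND_CONF = """\
stub-zone:
        name: "11.10.10.in-addr.arpa"
        stub-addr: 10.10.11.13@5353

stub-zone:
        name: "doe.com"
        stub-addr: 10.10.11.13@5353
"""

NSD_CONF = """\
zone:
        name: "11.10.10.in-addr.arpa"
        zonefile: "%s"

zone:
        name: "doe.com-internal"
        zonefile: "%s"
"""


def zone_names(conf, block):
    """Return the lowercase, dot-terminated 'name:' values of every `block:` clause."""
    names = []
    current = None
    for line in conf.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if not line[0].isspace():  # column-0 line opens a clause (or is an attribute)
            current = stripped[:-1] if stripped.endswith(":") else None
            continue
        m = re.match(r'name:\s*"?([^"\s]+)"?', stripped)
        if m and current == block:
            names.append(m.group(1).lower().rstrip(".") + ".")
    return names


def in_zone(qname, zone):
    """True when qname is zone itself or lies below it (label-wise, not substring)."""
    return qname == zone or qname.endswith("." + zone)


def unhosted_stubs(unbound_conf, nsd_conf):
    """Stub-zones in unbound_conf that no zone in nsd_conf serves; [] means consistent."""
    hosted = zone_names(nsd_conf, "zone")
    return [s for s in zone_names(unbound_conf, "stub-zone")
            if not any(in_zone(s, z) for z in hosted)]
```

Run on the thread's configs it reports `doe.com.`; renaming the NSD zone to "doe.com" makes the list empty.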