[nsd-users] Getting Refused from stub-zone authoritative query record
info at mail.jeaholding.com
info at mail.jeaholding.com
Sat Dec 10 19:01:44 UTC 2022
2 Unbound
[dns1 with separate VPS||VM port 53 ]
and
[dns2 with separate VPS||VM port 53]
Both dns1 & dns2 have global IPs with a local alias on the same
interface igb0 and local IP subnet is on same as the 2 NSD.
unbound access-control: allow_snoop = I changed it from allow for
testing neither works and access-control I added local IP. (DID not
help)
2 NSD
[ns1 with separate VPS||VM port 53]
and
[ns2 with separate VPS||VM port 53]
ns1 (Master) sockstat -l
USER COMMAND PID FD PROTO LOCAL ADDRESS FOREIGN ADDRESS
nsd nsd 40026 5 udp4 192.168.200.200:53 *:*
nsd nsd 40026 6 tcp4 192.168.200.200:53 *:*
nsd nsd 40026 7 udp4 192.168.2.136:53 *:*
nsd nsd 40026 8 tcp4 192.168.2.136:53 *:*
nsd nsd 40026 10 tcp4 127.0.0.1:8952 *:*
nsd nsd 10706 10 tcp4 127.0.0.1:8952 *:*
ns2 (Slave) sockstat -l
USER COMMAND PID FD PROTO LOCAL ADDRESS FOREIGN ADDRESS
nsd nsd 33332 5 udp4 192.168.200.220:53 *:*
nsd nsd 33332 6 tcp4 192.168.200.220:53 *:*
nsd nsd 33332 7 udp4 192.168.2.147:53 *:*
nsd nsd 33332 8 tcp4 192.168.2.147:53 *:*
nsd nsd 33332 10 tcp4 127.0.0.1:8952 *:*
nsd nsd 24639 10 tcp4 127.0.0.1:8952 *:*
I am using stub-zone on the unbounds (dns1 & dns2) to connect to the
ns1 (master) and while all the zone-file (ns1/ns2) seems to be
working/no error via nsd-checkzone I can't get a reply of the records.
Below are the logs from unbound.log.
Dec 07 23:29:49 unbound[495:0] debug: Incoming reply addr = ip4
192.168.200.200 port 53 (len 16)
Dec 07 23:29:49 unbound[495:0] debug: lookup size is 1 entries
Dec 07 23:29:49 unbound[495:0] debug: received udp reply.
Dec 07 23:29:49 unbound[495:0] debug: udp message[53:0]
46F380050001000000000001036E73310A6A6541686F6C64496E6703634F4D000006000100002904D0000080000006000F00020014
Dec 07 23:29:49 unbound[495:0] debug: outnet handle udp reply
Dec 07 23:29:49 unbound[495:0] debug: measured roundtrip at 2 msec
Dec 07 23:29:49 unbound[495:0] debug: svcd callbacks start
Dec 07 23:29:49 unbound[495:0] debug: good 0x20-ID in reply qname
Dec 07 23:29:49 unbound[495:0] debug: worker svcd callback for qstate
0x804ae7150
Dec 07 23:29:49 unbound[495:0] debug: mesh_run: start
Dec 07 23:29:49 unbound[495:0] debug: iterator[module 1] operate:
extstate:module_wait_reply event:module_event_reply
Dec 07 23:29:49 unbound[495:0] info: iterator operate: query
example.com. SOA IN
Dec 07 23:29:49 unbound[495:0] debug: process_response: new external
response event
Dec 07 23:29:49 unbound[495:0] info: scrub for example.com. NS IN
Dec 07 23:29:49 unbound[495:0] info: response for example.com. SOA IN
Dec 07 23:29:49 unbound[495:0] info: reply from <example.com.>
192.168.200.200#53
Dec 07 23:29:49 unbound[495:0] info: incoming scrubbed packet: ;;
->>HEADER<<- opcode: QUERY, rcode: REFUSED, id: 0
;; flags: qr ; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
example.com. IN SOA
;; ANSWER SECTION:
;; AUTHORITY SECTION:
;; ADDITIONAL SECTION:
;; MSG SIZE rcvd: 36
Dec 07 23:29:49 unbound[495:0] debug: iter_handle processing q with
state QUERY RESPONSE STATE
Dec 07 23:29:49 unbound[495:0] info: query response was THROWAWAY
Dec 07 23:29:49 unbound[495:0] debug: iter_handle processing q with
state QUERY TARGETS STATE
Dec 07 23:29:49 unbound[495:0] info: processQueryTargets: example.com.
SOA IN
Dec 07 23:29:49 unbound[495:0] debug: processQueryTargets:
targetqueries 0, currentqueries 0 sentcount 5
Dec 07 23:29:49 unbound[495:0] info: DelegationPoint<example.com.>: 0
names (0 missing), 1 addrs (0 result, 0 avail) parentNS
Dec 07 23:29:49 unbound[495:0] debug: ip4 192.168.200.200 port 53
(len 16)
Dec 07 23:29:49 unbound[495:0] debug: rpz: iterator module callback:
have_rpz=0
Dec 07 23:29:49 unbound[495:0] debug: No more query targets, attempting
last resort
Dec 07 23:29:49 unbound[495:0] debug: configured stub or forward
servers failed -- returning SERVFAIL
Dec 07 23:29:49 unbound[495:0] debug: store error response in message
cache
Dec 07 23:29:49 unbound[495:0] debug: return error response SERVFAIL
Dec 07 23:29:49 unbound[495:0] debug: mesh_run: iterator module exit
state is module_finished
Dec 07 23:29:49 unbound[495:0] debug: validator[module 0] operate:
extstate:module_wait_module event:module_event_moddone
Dec 07 23:29:49 unbound[495:0] info: validator operate: query
example.com. SOA IN
Dec 07 23:29:49 unbound[495:0] debug: validator: nextmodule returned
Dec 07 23:29:49 unbound[495:0] debug: cannot validate non-answer, rcode
SERVFAIL
Dec 07 23:29:49 unbound[495:0] debug: mesh_run: validator module exit
state is module_finished
Dec 07 23:29:49 unbound[495:0] error: SERVFAIL <example.com. SOA IN>:
all the configured stub or forward servers failed, at zone example.com.
from 192.168.200.200 got REFUSED
Dec 07 23:29:49 unbound[495:0] debug: comm point stop listening 27
Dec 07 23:29:49 unbound[495:0] debug: comm point start listening 27
(30000 msec)
Dec 07 23:29:49 unbound[495:0] debug: startlistening 27 mode w
Dec 07 23:29:49 unbound[495:0] debug: query took 1.336436 sec
Dec 07 23:29:49 unbound[495:0] reply: 192.168.200.162 example.com. SOA
IN SERVFAIL 1.336436 0 36
Dec 07 23:29:49 unbound[495:0] info: mesh_run: end 0 recursion states
(0 with reply, 0 detached), 0 waiting replies, 1 recursion replies sent,
0 replies dropped, 0 states jostled out
I am also using dnstop to get some statistics in NSD (ns1 =master),
query seems to me like is coming into the stub-zones / ns1 (master)...
The unbound works for zones outside of my stub-zones for example drill
-A google.com works fine with DNSSEC via forward-addr.
Someone in the unbound user group suggested I ask in the NSD user
mailing list and implied that it could be an issue with allow-query
option in the NSD.conf.
After reading the sample nsd.conf pattern section a statement in it
standout...
# If no master and slave access control elements are provided,
# this zone will not be served to/from other servers.
Does this mean that if I don't properly configure a pattern /
allow-query (aka access control) in nsd.conf I won't be able to query
zones outside of the ns1 & ns2 in my case?
Can someone provide some sample of how a properly configured pattern in
nsd.conf server could be done in my particular case with 2 unbound
VM/VPS and 2 NSD VM/VPS (I'll continue to play with this section in the
meantime just want to double check with an existing/working pattern).
Any help will be greatly appreciated.
More information about the nsd-users
mailing list