Not resolving some top level domain
Carsten Strotmann
unbound at strotmann.de
Mon Feb 27 10:38:34 UTC 2017
Hello Franky,
On 27.02.2017 11:22, battossai via Unbound-users wrote:
> Hi,
>
>
> Unbound is not resolving some domains, but it works on bind.
> I have updated the root.hint with this wget
> ftp://FTP.INTERNIC.NET/domain/named.cache -O /var/unbound/etc/root.hints
> Here is the example :
>
> *UNBOUND SERVER :*
>
> [root@ns1smg ~]# dig @localhost +trace polri.go.id
>
> ; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.47.rc1.el6_8.4 <<>> @localhost +trace polri.go.id
> ; (2 servers found)
> ;; global options: +cmd
> ;; Received 12 bytes from ::1#53(::1) in 1 ms
>
>
>
> *BIND SERVER :*
>
> [root@ns2smg ~]# dig @localhost +trace polri.go.id
>
> ; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.47.rc1.el6_8.4 <<>> @localhost +trace polri.go.id
> ; (2 servers found)
> ;; global options: +cmd
> .               501653  IN  NS  e.root-servers.net.
> .               501653  IN  NS  a.root-servers.net.
> .               501653  IN  NS  l.root-servers.net.
> .               501653  IN  NS  b.root-servers.net.
> .               501653  IN  NS  i.root-servers.net.
> .               501653  IN  NS  c.root-servers.net.
> .               501653  IN  NS  d.root-servers.net.
> .               501653  IN  NS  f.root-servers.net.
> .               501653  IN  NS  h.root-servers.net.
> .               501653  IN  NS  m.root-servers.net.
> .               501653  IN  NS  k.root-servers.net.
> .               501653  IN  NS  j.root-servers.net.
> .               501653  IN  NS  g.root-servers.net.
> ;; Received 508 bytes from ::1#53(::1) in 10 ms
>
> id.             172800  IN  NS  a.dns.id.
> id.             172800  IN  NS  b.dns.id.
> id.             172800  IN  NS  c.dns.id.
> id.             172800  IN  NS  e.dns.id.
> id.             172800  IN  NS  sec3.apnic.net.
> ;; Received 289 bytes from 2001:503:c27::2:30#53(2001:503:c27::2:30) in 310 ms
>
> go.id.          43200   IN  NS  b.dns.id.
> go.id.          43200   IN  NS  c.dns.id.
> go.id.          43200   IN  NS  d.dns.id.
> go.id.          43200   IN  NS  e.dns.id.
> ;; Received 189 bytes from 202.155.30.227#53(202.155.30.227) in 28 ms
>
> polri.go.id.    43200   IN  NS  ns2.polri.go.id.
> polri.go.id.    43200   IN  NS  ns4.polri.go.id.
> polri.go.id.    43200   IN  NS  ns3.polri.go.id.
> polri.go.id.    43200   IN  NS  ns1.polri.go.id.
> ;; Received 165 bytes from 103.19.177.177#53(103.19.177.177) in 192 ms
>
> polri.go.id.    38400   IN  A   120.29.225.249
> ;; Received 45 bytes from 120.29.231.231#53(120.29.231.231) in 13 ms
>
>
> Any idea what the issue is? These 2 servers are in the same subnet.
> I've double-checked that there is no routing issue.
> Thank you in advance.
>
> Regards,
> Franky
>
dig +trace requires a local DNS server that allows cache snooping, which
Unbound does not allow (a security feature).
See
<https://docs.menandmice.com/pages/viewpage.action?pageId=6361009>
for a discussion on this issue.
Best regards
Carsten
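
An added example, not part of the original post or of Unbound: it builds the non-recursive (RD=0) root NS query that dig +trace is assumed to send to the local server first, and classifies replies from their 12-byte header. The sample replies are constructed; the REFUSED rcode in the 12-byte one is an assumption, since the post shows only its size.

```python
import struct

RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def build_query(qname, qtype, rd, txid=0x1234):
    """Encode a one-question class-IN query; rd is the Recursion Desired bit."""
    header = struct.pack("!HHHHHH", txid, 0x0100 if rd else 0, 1, 0, 0, 0)
    labels = [l for l in qname.rstrip(".").split(".") if l]
    name = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + name + struct.pack("!HH", qtype, 1)

def parse_header(msg):
    """Decode the fixed 12-byte DNS header."""
    if len(msg) < 12:
        raise ValueError("shorter than a DNS header")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & 0x8000), "rd": bool(flags & 0x0100),
            "rcode": RCODES.get(flags & 0x000F, str(flags & 0x000F)),
            "ancount": an, "nscount": ns, "header_only": len(msg) == 12}

def diagnose(query, reply):
    """Tell a refused non-recursive (snooping) query from a normal answer."""
    q, r = parse_header(query), parse_header(reply)
    if not r["qr"] or r["id"] != q["id"]:
        return "not a reply to this query"
    if not q["rd"] and r["rcode"] == "REFUSED":
        return "non-recursive query refused (cache snooping blocked)"
    if r["rcode"] == "NOERROR" and r["ancount"] > 0:
        return "answered"
    return "unexpected: " + r["rcode"]

# Constructed samples (not captured traffic); names and the A record are from the post.
TRACE_QUERY = build_query(".", 2, rd=False)            # NS for the root, RD=0
REFUSED_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8005, 0, 0, 0, 0)  # header only
PLAIN_QUERY = build_query("polri.go.id", 1, rd=True)   # A record, RD=1
PLAIN_REPLY = (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
               + PLAIN_QUERY[12:]                      # echoed question
               + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 38400, 4)
               + bytes([120, 29, 225, 249]))

if __name__ == "__main__":
    print(len(REFUSED_REPLY), diagnose(TRACE_QUERY, REFUSED_REPLY))
    print(len(PLAIN_REPLY), diagnose(PLAIN_QUERY, PLAIN_REPLY))
```

To test whether Unbound actually resolves the name, query it with recursion enabled (plain `dig @localhost polri.go.id`) rather than with +trace.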