Unbound does not response a forwarded query
W.C.A. Wijngaards
wouter at nlnetlabs.nl
Tue Feb 28 11:52:37 UTC 2017
Hi Adrian,
Looks like it could be SERVFAIL because of DNSSEC. Is intra not signed,
but you don't have domain-insecure: "intra" ? Or is there some other
DNSSEC failure? dig +cdflag, or get validation error from unbound logs.
Best regards, Wouter
On 28/02/17 10:46, Adrian Zhang via Unbound-users wrote:
> Hey Wouter,
>
> Thanks a lot for the solution. I created "." forwarding settings in
> unbound.conf and restarted the Unbound service; unfortunately the client
> still cannot receive the response from Unbound.
>
> on client:
>
> $ dig file.mine.intra @IP_OF_Unbound
> [2270](s021){return: 0}
>
> ; <<>> DiG 9.8.3-P1 <<>> file.mine.intra @IP_OF_Unbound
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 20813
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;file.mine.intra.        IN      A
>
> ;; Query time: 9 msec
> ;; SERVER: 10.3.3.6#53(10.3.3.6)
> ;; WHEN: Tue Feb 28 17:05:50 2017
> ;; MSG SIZE rcvd: 34
>
>
> on Unbound server (after receive one query from client):
> unbound-control dump_cache|grep unicc.intra
> mine.intra.       86200  IN  SOA  dc2.mine.intra. hostmaster.mine.intra. 65 900 600 86400 3600
> file.mine.intra.  86095  IN  A    10.3.3.50
>
> Best,
>
> Adrian
>
> ------------------ Original ------------------
> *From: * "W.C.A. Wijngaards via Unbound-users"<unbound-users at unbound.net>;
> *Date: * Tue, Feb 28, 2017 04:50 PM
> *To: * "unbound-users"<unbound-users at unbound.net>;
> *Subject: * Re: Unbound does not response a forwarded query
>
> Hi Adrian,
>
> Unbound waits until the root has done. But you do not allow these
> queries to be done.
>
> You can stop unbound from querying the root NS by setting a forward zone
> for the root (".") to somewhere.
>
> Best regards, Wouter
>
> On 28/02/17 06:16, Adrian Zhang via Unbound-users wrote:
>> When I check Unbound cache, it shows
>>
>> unbound-control dump_cache|grep mine.intra
>> file.mine.intra.  86387  IN  A  10.3.3.50
>> msg file.mine.intra. IN A 33152 1 47 1 1 0 0
>> file.mine.intra. IN A 0
>>
>> 3 records about file.mine.intra are generated by one client query.
>>
>> Adrian
>>
>> ------------------ Original ------------------
>> *From: * "Adrian Zhang via Unbound-users"<unbound-users at unbound.net>;
>> *Date: * Tue, Feb 28, 2017 10:59 AM
>> *To: * "unbound-users"<unbound-users at unbound.net>;
>> *Subject: * Unbound does not response a forwarded query
>>
>> Hi there,
>>
>> I am using unbound to forward mine.intra, which is a private domain of
>> Microsoft Windows Active Directory, because the DNS server on the Windows
>> server has the record.
>>
>> First of all, there is a record file.mine.intra created on the DNS server
>> on Windows, and it works for clients running "dig file.mine.intra
>> @IP-OF-WINDOWS".
>> Second, I created a forward configuration in unbound.conf and restarted
>> Unbound; details are listed below. But Unbound is not able to respond
>> to a client which runs "dig file.mine.intra @IP-OF-UNBOUND".
>> forward-zone:
>>     name: "mine.intra."
>>     forward-addr: 10.3.3.21
>>     forward-addr: 10.3.3.22
>>     forward-first: no
>> (10.3.3.21 is dc1 of mine.intra, 10.3.3.22 is dc2 of mine.intra.)
>> Finally, I used tcpdump -w to capture packets and save them to a file to
>> see what happens. Then, using Wireshark to open the capture file, I got
>> the result below.
>> Time      Source        Dest.          Protocol  Length  Info
>> 7.841795  client_ip     Unbound_ip     DNS       76      Standard query 0xb80a A file.mine.intra
>> 7.842781  Unbound_ip    Windows_ip     DNS       87      Standard query 0xdece A file.mine.intra OPT
>> 7.843769  ReltekU_e9:.. Broadcast      ARP       60      Who has IP_OF_Unbound? Tell IP_OF_Windows
>> 7.843788  ReltekU_64..  ReltekU_e9:..  ARP       42      IP_OF_Unbound is at 52:54:00:64:37:c7
>> 7.844291  Windows_ip    Unbound_ip     DNS       103     Standard query response 0xdece A file.mine.intra A 10.3.3.50 OPT
>> 7.844761  Unbound_ip    192.8.128.30   DNS       70      Standard query 0x8762 NS <ROOT> OPT
>>
>> Clearly Windows responds to the query but Unbound does not receive it and
>> forward the response to the client; however, it continually queries the
>> ROOT DNS. BTW, there are also standard private domain forwarding settings
>> (same format as above) in the same unbound.conf that work well, such as
>> my-private-domain.com forwarded to a BIND server.
>>
>> Why does this happen, and how can I make Unbound respond to the client
>> when it queries a host in xxx.intra?
>>
>> Thanks in advance.
>>
>> Adrian
>
>
>
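
The check suggested at the top of this message (compare a normal lookup with a `dig +cdflag` lookup), written out as an added example that is not part of the thread or of Unbound. The function names and the +cdflag sample header are constructed for illustration; the SERVFAIL header is the one shown in the thread.

```shell
#!/bin/sh
# Added example: decide whether a SERVFAIL comes from DNSSEC validation by
# comparing the RCODE of a normal query with one that sets the CD bit.

# Read dig output on stdin and print the RCODE name from the header line.
dig_status() {
    sed -n 's/.*->>HEADER<<-.*status: \([A-Z]*\),.*/\1/p' | head -n 1
}

# classify NORMAL_RCODE CD_RCODE
classify() {
    case "$1:$2" in
        SERVFAIL:SERVFAIL) echo "not-validation" ;;     # fails even unvalidated
        SERVFAIL:)         echo "no-cd-answer" ;;       # CD query got no reply
        SERVFAIL:*)        echo "validation-failure" ;; # data exists, validator rejects it
        *)                 echo "no-servfail" ;;
    esac
}

sample_normal() {   # header lines as shown in the thread
    printf '%s\n' ';; Got answer:' \
      ';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 20813' \
      ';; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0'
}

sample_cd() {       # constructed: what a +cdflag retry could return
    printf '%s\n' ';; Got answer:' \
      ';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242' \
      ';; flags: qr rd ra cd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0'
}

diagnose_samples() {
    classify "$(sample_normal | dig_status)" "$(sample_cd | dig_status)"
}

# check_live NAME RESOLVER_IP : run the same comparison against a resolver.
check_live() {
    n=$(dig "$1" "@$2" | dig_status)
    c=$(dig +cdflag "$1" "@$2" | dig_status)
    echo "$1 via $2: normal=$n cd=$c -> $(classify "$n" "$c")"
}

# Only query the network when called as: script NAME RESOLVER_IP
if [ "$#" -eq 2 ]; then check_live "$1" "$2"; fi
```

A `validation-failure` result for a name under an unsigned private zone points at the `domain-insecure: "intra"` setting asked about in the reply; the Unbound log carries the actual validation error.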