Unbound not giving ANSWER SECTION for some hosts
Wouter Wijngaards
wouter at nlnetlabs.nl
Thu Jul 19 15:15:04 UTC 2018
Hi (for the list),
After digging through logs, I didn't read the config that Oliver posted
carefully either. There is a /8 in the access-control and
private-address. This causes unbound to allow too many hosts, and also
to remove too many IP addresses from answers. Turns out GitHub's IP
address starts with 192 and so does 192.168.20.0/24; that is why the
GitHub address gets removed when a /8 is used instead of a /24.
Best regards, Wouter
On 19/07/18 14:04, Wouter Wijngaards via Unbound-users wrote:
> Hi Oliver,
>
> I see that this is a referral. The upstream service does not resolve
> github properly and this is what they return for that query? Unbound
> will then accept it and store it (I can imagine that this changed
> between the older version and today), but it looks like this is
> something that the forward-zone addresses are returning wrongly.
>
> Best regards, Wouter
>
>
> On 19/07/18 13:38, Oliver Psotta via Unbound-users wrote:
>> Hi all,
>>
>> I have the problem with Unbound Version 1.7.3, compiled on FreeBSD 11.2,
>> that it won't give the ANSWER SECTION for some hosts, like github.com.
>>
>>
>> For most hosts it will resolve properly and give this for example:
>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56138
>> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
>>
>>
>> But for github.com it will give this:
>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57234
>> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 8, ADDITIONAL: 9
>>
>> ;; OPT PSEUDOSECTION:
>> ; EDNS: version: 0, flags:; udp: 4096
>> ;; QUESTION SECTION:
>> ;github.com. IN A
>>
>> ;; AUTHORITY SECTION:
>> github.com. 169039 IN NS ns-1707.awsdns-21.co.uk.
>> github.com. 169039 IN NS ns-1283.awsdns-32.org.
>> github.com. 169039 IN NS ns4.p16.dynect.net.
>> github.com. 169039 IN NS ns2.p16.dynect.net.
>> github.com. 169039 IN NS ns-421.awsdns-52.com.
>> github.com. 169039 IN NS ns1.p16.dynect.net.
>> github.com. 169039 IN NS ns3.p16.dynect.net.
>> github.com. 169039 IN NS ns-520.awsdns-01.net.
>>
>> ;; ADDITIONAL SECTION:
>> ns1.p16.dynect.net. 43283 IN A 208.78.70.16
>> ns2.p16.dynect.net. 80767 IN A 204.13.250.16
>> ns3.p16.dynect.net. 80767 IN A 208.78.71.16
>> ns4.p16.dynect.net. 80767 IN A 204.13.251.16
>> ns-421.awsdns-52.com. 80479 IN A 205.251.193.165
>> ns-520.awsdns-01.net. 80479 IN A 205.251.194.8
>> ns-1707.awsdns-21.co.uk. 80479 IN A 205.251.198.171
>> ns-1707.awsdns-21.co.uk. 166614 IN AAAA 2600:9000:5306:ab00::1
>>
>> ;; Query time: 179 msec
>> ;; SERVER: 192.168.20.38#53(192.168.20.38)
>> ;; WHEN: Thu Jul 19 12:43:36 CEST 2018
>> ;; MSG SIZE rcvd: 399
>>
>>
>> The unbound.conf is simple enough:
>> server:
>>     interface: 0.0.0.0
>>     access-control: 192.168.20.0/8 allow
>>     access-control: 192.168.179.0/8 allow
>>     private-address: 192.168.20.0/8
>>     private-address: 192.168.179.0/8
>>     verbosity: 1
>>
>> forward-zone:
>>     name: "."
>>     forward-addr: 85.214.20.141 # Digitalcourage
>>     forward-addr: 46.182.19.48 # Digitalcourage
>>     forward-addr: 194.150.168.168 # AS250.net Foundation
>>
>>
>> This looks like a bug, for this unbound.conf works properly with
>> Unbound Version 1.5.10 on the same machine.
>>
>> Hints to solve that are appreciated. Thanks!
>>
>> Best regards
>> Oliver
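Worked example of Wouter's diagnosis, added here and not part of the thread or of unbound's own code. It takes the prefixes from Oliver's unbound.conf, shows what network a prefix with host bits set really denotes (192.168.20.0/8 is 192.0.0.0/8), counts how many client addresses the access-control lines admit, and runs a simplified model of the private-address filter over a constructed answer section. The github.com address below is a constructed stand-in chosen only for its first octet, since the thread only says GitHub's address starts with 192; the glue record is copied from the dig output above. The filter is a model of the effect, not unbound's implementation.

```python
"""Why a /8 in private-address strips github.com's address, and why the
same /8 in access-control admits far more clients than the LAN.
Added example, not code from the thread or from unbound."""
import ipaddress

# Prefixes copied from the unbound.conf quoted in the thread, and the
# /24 forms that match the 192.168.20.0/24 and 192.168.179.0/24 LANs.
BROKEN_PRIVATE = ["192.168.20.0/8", "192.168.179.0/8"]
FIXED_PRIVATE = ["192.168.20.0/24", "192.168.179.0/24"]

# Constructed answer section (name, type, rdata). The github.com address
# is a stand-in chosen only for its first octet; any 192.x.x.x address
# behaves the same. The glue record is the one from the dig output.
ANSWER = [
    ("github.com.", "A", "192.30.252.153"),        # constructed stand-in
    ("ns1.p16.dynect.net.", "A", "208.78.70.16"),  # glue from the thread
]


def normalize(prefix):
    """Return the network a /N prefix really denotes. Host bits are masked
    off, so 192.168.20.0/8 is the same network as 192.0.0.0/8."""
    return ipaddress.ip_network(prefix, strict=False)


def allowed_clients(prefixes):
    """Number of distinct source addresses the access-control lines with
    these prefixes would admit (overlapping prefixes counted once)."""
    nets = ipaddress.collapse_addresses(normalize(p) for p in prefixes)
    return sum(n.num_addresses for n in nets)


def is_private(addr, prefixes):
    """True if addr falls inside any configured private-address prefix."""
    ip = ipaddress.ip_address(addr)
    return any(ip in normalize(p) for p in prefixes)


def filter_answer(rrset, prefixes):
    """Simplified model of private-address (not unbound's code): drop
    A/AAAA records whose address lies in a private prefix, keep the rest.
    Returns (kept_records, dropped_records)."""
    kept, dropped = [], []
    for name, rtype, rdata in rrset:
        if rtype in ("A", "AAAA") and is_private(rdata, prefixes):
            dropped.append((name, rtype, rdata))
        else:
            kept.append((name, rtype, rdata))
    return kept, dropped


def answer_names(rrset, prefixes):
    """Owner names that still have an A/AAAA record after filtering."""
    kept, _ = filter_answer(rrset, prefixes)
    return sorted({n for n, t, _r in kept if t in ("A", "AAAA")})


if __name__ == "__main__":
    for label, prefixes in (("broken /8", BROKEN_PRIVATE),
                            ("fixed /24", FIXED_PRIVATE)):
        print(f"{label}: {[str(normalize(p)) for p in prefixes]}")
        print(f"  clients admitted by access-control: "
              f"{allowed_clients(prefixes)}")
        kept, dropped = filter_answer(ANSWER, prefixes)
        print(f"  kept:    {kept}")
        print(f"  dropped: {dropped}")
```

With the /8 lines the two access-control entries collapse to a single 192.0.0.0/8, which admits about 16.7 million addresses to a resolver listening on 0.0.0.0, and github.com's A record is dropped while the 208.78.70.16 glue survives, matching the empty ANSWER section in the dig output. With /24 the resolver admits 512 addresses and only genuine LAN addresses such as 192.168.20.38 are filtered. Note that unbound-checkconf will not flag the original lines, since a prefix with host bits set is syntactically valid; the check has to be on the prefix length itself.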