unbound appending internal domain to all DNS requests

Gavin McCullagh gmccullagh at gmail.com
Wed Oct 31 15:50:01 UTC 2018


Reading

http://man7.org/linux/man-pages/man5/resolv.conf.5.html

I am pretty sure the search list, if you don't set it, contains the
domain.  And the domain, if you don't set it, is set from the suffix of the
hostname.  So it seems quite awkward to avoid some search list.

Ndots (which defines how many dots in a name will cause an absolute query
to happen *first*) defaults to 1, so this name should cause an absolute
query first but if the response is negative, the stub resolver will move on
to the search list.

Gavin


On Wed, Oct 31, 2018, 7:15 AM Petr Špaček via Unbound-users <unbound-users at nlnetlabs.nl> wrote:

> Hello,
>
> On 30. 10. 18 20:14, Andrew Meyer via Unbound-users wrote:
> > Hello,
> > I am running unbound on CentOS 7 (latest) using Unbound 1.6.6.  While
> > doing a tcpdump to my destination DNS server I can see that unbound is
> > appending my internal zone to everything.
>
> I bet this is caused by client so I would recommend you to verify what
> queries Unbound receives from client side. Typically this is caused by
> messy `search` directive in resolv.conf or similar config.
>
> Take away: Never ever use `search` directive.
>
> Petr Špaček  @  CZ.NIC
>
>
> >
> > Here is my config:
> > ]# cat /etc/unbound/unbound.conf|grep -v '#'
> > server:
> > verbosity: 3
> > statistics-interval: 0
> > statistics-cumulative: no
> > extended-statistics: yes
> > num-threads: 4
> > interface: x.x.x.x
> > interface-automatic: no
> > so-rcvbuf: 4m
> > so-sndbuf: 4m
> > cache-max-negative-ttl: 10
> > do-ip4: yes
> > do-ip6: no
> > do-udp: yes
> > do-tcp: yes
> > do-daemonize: yes
> > access-control: 0.0.0.0/0 refuse
> > access-control: x.x.x.x/16 allow
> > chroot: ""
> > username: "unbound"
> > directory: "/etc/unbound"
> > logfile: "/var/log/unbound.log"
> > log-time-ascii: yes
> > pidfile: "/var/run/unbound/unbound.pid"
> > harden-glue: yes
> > harden-dnssec-stripped: yes
> > harden-below-nxdomain: yes
> > harden-referral-path: yes
> > use-caps-for-id: no
> > unwanted-reply-threshold: 10000000
> > do-not-query-localhost: yes
> > prefetch: yes
> > prefetch-key: yes
> > rrset-roundrobin: yes
> > minimal-responses: yes
> > module-config: "iterator"
> > trusted-keys-file: /etc/unbound/keys.d/*.key
> > auto-trust-anchor-file: "/var/lib/unbound/root.key"
> > val-clean-additional: yes
> > val-permissive-mode: no
> > val-log-level: 1
> > include: /etc/unbound/local.d/*.conf
> > include: /etc/unbound/conf.d/*.conf
> >
> > 19:12:51.822564 IP 10.1.6.247.49589 > 10.10.0.31.domain: 18798+% [1au] A? grafana.example.com.example.net. (70)
> > 19:12:51.822735 IP 10.10.0.31.domain > 10.1.6.247.49589: 18798 NXDomain* 0/1/1 (132)
> > 19:12:51.823203 IP 10.1.6.247.8795 > 10.10.0.31.domain: 14439+% [1au] AAAA? grafana.example.com.example.net. (70)
> > 19:12:51.823280 IP 10.10.0.31.domain > 10.1.6.247.8795: 14439 NXDomain* 0/1/1 (132)
> > 19:12:54.020532 IP 10.1.6.247.59429 > 10.10.0.31.domain: 3647+ A? unbound01.stl1.example.net. (49)
> > 19:12:54.020640 IP 10.10.0.31.domain > 10.1.6.247.59429: 3647* 1/6/6 A 10.1.6.247 (315)
> > 19:12:54.056951 IP 10.1.6.247.45906 > 10.10.0.31.domain: 52440+ A? unbound01.stl1.example.net. (49)
>
>