Unbound can't resolve certain domains
Robert Senger
robert.senger at lists.microscopium.de
Thu Oct 17 19:06:48 UTC 2019
The reason I was asking about DNSSEC is that DNSSEC queries more
often use TCP rather than UDP, just because of query size. So, if your
Unbound is unable to send TCP queries (for whatever reason), it may
fail for some domains (those that require TCP queries for resolving),
and succeed for others. This _may_ be the reason for the network error.
R.
On Thursday, 17.10.2019, 20:35 +0330, Javad Kouhi wrote:
> Thank you for the hint.
>
> internetsociety.org works fine. But I just noticed many of the
> DNSSEC-enabled
> domains don't work. Also, some domains that don't use DNSSEC don't
> work.
> lucidsolutions.co.nz is an example.
>
> On Thu, Oct 17, 2019 at 4:06 PM Robert Senger
> <robert.senger at lists.microscopium.de> wrote:
> >
> > Hint: freebsd.org is dnssec enabled, google.com is not.
> >
> > Can you resolve other dnssec enabled domains, e.g.
> > internetsociety.org?
> >
> > R.
> >
> > On Thursday, 17.10.2019, 15:29 +0330, Javad Kouhi via
> > Unbound-users wrote:
> > > Hello, unbound-users.
> > >
> > > I'm using Unbound 1.8.1 on FreeBSD 12.0-RELEASE. It works fine
> > > with
> > > the majority of domains, but it can't resolve one particular
> > > domain,
> > > FreeBSD.org. Everything else works perfectly. I'm able to resolve
> > > the
> > > FreeBSD.org domain when using another nameserver (8.8.8.8 for
> > > example).
> > >
> > > ~ # cat /etc/resolv.conf
> > > nameserver 127.0.0.1
> > > ========================
> > > ~ # drill google.com
> > > ;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 26913
> > > ;; flags: qr rd ra ; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
> > > ;; QUESTION SECTION:
> > > ;; google.com. IN A
> > >
> > > ;; ANSWER SECTION:
> > > google.com. 126 IN A 216.58.206.206
> > >
> > > ;; AUTHORITY SECTION:
> > >
> > > ;; ADDITIONAL SECTION:
> > >
> > > ;; Query time: 1 msec
> > > ;; SERVER: 127.0.0.1
> > > ;; WHEN: Thu Oct 17 13:58:11 2019
> > > ;; MSG SIZE rcvd: 44
> > > ==========================
> > > ~ # drill freebsd.org
> > > Error: error sending query: Could not send or receive, because of network error
> > > ==========================
> > > ~ # echo "nameserver 8.8.8.8" > /etc/resolv.conf
> > >
> > > ~ # drill freebsd.org
> > > ;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 41634
> > > ;; flags: qr rd ra ; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
> > > ;; QUESTION SECTION:
> > > ;; freebsd.org. IN A
> > >
> > > ;; ANSWER SECTION:
> > > freebsd.org. 3454 IN A 96.47.72.84
> > >
> > > ;; AUTHORITY SECTION:
> > >
> > > ;; ADDITIONAL SECTION:
> > >
> > > ;; Query time: 45 msec
> > > ;; SERVER: 8.8.8.8
> > > ;; WHEN: Thu Oct 17 14:00:02 2019
> > > ;; MSG SIZE rcvd: 45
> > >
> > > It works when I change the nameserver to 8.8.8.8. It's strange
> > > because
> > > other domains work fine with local unbound, it's just the
> > > FreeBSD.org.
> > >
> > > This is my config (generated by local-unbound-setup):
> > > ~ # cat /etc/unbound/unbound.conf /etc/unbound/lan-zones.conf /etc/unbound/control.conf
> > > # This file was generated by local-unbound-setup.
> > > # Modifications will be overwritten.
> > > server:
> > > username: unbound
> > > directory: /var/unbound
> > > chroot: /var/unbound
> > > pidfile: /var/run/local_unbound.pid
> > > auto-trust-anchor-file: /var/unbound/root.key
> > > interface: 0.0.0.0
> > > access-control: 10.8.0.0/16 allow
> > >
> > > include: /var/unbound/lan-zones.conf
> > > include: /var/unbound/control.conf
> > > # This file was generated by local-unbound-setup.
> > > # Modifications will be overwritten.
> > > server:
> > > # Unblock reverse lookups for LAN addresses
> > > unblock-lan-zones: yes
> > > insecure-lan-zones: yes
> > > # This file was generated by local-unbound-setup.
> > > # Modifications will be overwritten.
> > > remote-control:
> > > control-enable: yes
> > > control-interface: /var/run/local_unbound.ctl
> > > control-use-cert: no
> >
> > --
> > Robert Senger
> >
> >
--
Robert Senger
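
One way to test the TCP hypothesis from the reply above, as an added example that is not part of the original thread: send the same DNSSEC-enabled (DO bit) query over UDP and over TCP and see whether a truncated UDP reply can be followed up on TCP. The function names, the 1232-byte buffer size and the sample bytes are assumptions made for this sketch; `probe()` is meant to be run on the resolver host against an authoritative server of a failing domain.

```python
import socket
import struct

def build_query(name, qtype=1, do=True, bufsize=1232, qid=0x1234):
    """Query with an EDNS0 OPT record; the DO bit requests DNSSEC records."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1)  # RD, 1 question, 1 OPT
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    # OPT RR: root name, type 41, class = UDP buffer size, DO flag in the TTL field
    opt = b"\x00" + struct.pack("!HHIH", 41, bufsize, 0x8000 if do else 0, 0)
    return header + qname + struct.pack("!HH", qtype, 1) + opt

def truncated(msg):
    """True if the TC bit is set, i.e. the answer did not fit and TCP is needed."""
    if len(msg) < 12:
        raise ValueError("short DNS message")
    return bool(struct.unpack("!H", msg[2:4])[0] & 0x0200)

def classify(udp_reply, tcp_reply):
    """Each argument is the raw reply, or None if that transport got no answer."""
    if udp_reply is not None and not truncated(udp_reply):
        return "udp-ok"
    if tcp_reply is not None:
        return "tcp-ok"
    return "tcp-blocked" if udp_reply is not None else "unreachable"

def probe(server, name, timeout=3.0):
    """Live check: send the same query over UDP and TCP to `server`."""
    query, udp, tcp = build_query(name), None, None
    try:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(query, (server, 53))
            udp = s.recvfrom(4096)[0]
    except OSError:
        pass
    try:
        with socket.create_connection((server, 53), timeout=timeout) as s:
            s.sendall(struct.pack("!H", len(query)) + query)  # 2-byte length prefix
            f = s.makefile("rb")
            tcp = f.read(struct.unpack("!H", f.read(2))[0])
    except (OSError, struct.error):
        pass
    return classify(udp, tcp)

# Constructed sample: header of a truncated reply (QR, TC, RD, RA set)
SAMPLE_TC = struct.pack("!HHHHHH", 0x1234, 0x8380, 1, 0, 0, 1)
```

A result of `tcp-blocked` (truncated UDP reply, nothing back on TCP port 53) is the situation the reply describes; `udp-ok` for a name means that name never needed TCP.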