Unbound returns incorrect results
Юрий Иванов
format_hub at outlook.com
Fri Apr 17 13:13:01 UTC 2020
Thanks for reply.
I see but this how looks query to mysite.net:
:~$ dig @1.204.196.130 mysite.net
; <<>> DiG 9.11.5-P4-5.1ubuntu2.1-Ubuntu <<>> @1.204.196.130 mysite.net
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4437
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 4
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;mysite.net. IN A
;; ANSWER SECTION:
mysite.net. 10800 IN A 1.2.25.159
;; AUTHORITY SECTION:
mysite.net. 10800 IN NS ns2.mysite.net.
mysite.net. 10800 IN NS ns4.mysite.net.
mysite.net. 10800 IN NS ns1.mysite.net.
;; ADDITIONAL SECTION:
ns1.mysite.net. 10800 IN A 1.204.196.130
ns2.mysite.net. 10800 IN A 1.2.25.199
ns4.mysite.net. 10800 IN A 1.204.196.200
;; Query time: 0 msec
;; SERVER: 1.204.196.130#53(1.204.196.130)
;; WHEN: Птн апр 17 15:59:26 EEST 2020
;; MSG SIZE rcvd: 160
cache returns
:~$ dig @1.204.196.202 mysite.net
; <<>> DiG 9.11.5-P4-5.1ubuntu2.1-Ubuntu <<>> @1.204.196.202 mysite.net
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2039
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;mysite.net. IN A
;; ANSWER SECTION:
mysite.net. 2298 IN A 1.204.196.203
;; Query time: 0 msec
;; SERVER: 1.204.196.202#53(1.204.196.202)
;; WHEN: Птн апр 17 16:11:35 EEST 2020
;; MSG SIZE rcvd: 58
My zone doesnt have this IP binded to 203
[root at ns1 named]# grep 203 mysite.net
forum IN A 1.204.196.203
lang IN A 1.204.196.203
Thanks in advance.
________________________________
От: Unbound-users <unbound-users-bounces at lists.nlnetlabs.nl> от имени Wouter Wijngaards via Unbound-users <unbound-users at lists.nlnetlabs.nl>
Отправлено: 17 апреля 2020 г. 15:46
Кому: unbound-users at lists.nlnetlabs.nl <unbound-users at lists.nlnetlabs.nl>
Тема: Re: Unbound returns incorrect results
Hi,
On 17/04/2020 14:34, Юрий Иванов via Unbound-users wrote:
> Hi
> My unbound returns incorrect results
>
> Unboud returns .203 IP
Unbound looks up the target of the CNAME by itself, this is necessary
for security reasons for caching the correct data for that name. The
lookup for that returned the .203 IP. So that is the correct answer.
The original server was not returning the correct information. It must
return the same IP address for 'mysite.net' as when the DNS is queried
directly for the name. For security reasons, unbound queries for all
CNAME answers for the target name, to look it up directly, to make sure
it gets the correct information in cache.
In the print out you are missing a direct dig query for the 'mysite.net'
record, that would (apparantly because unbound finds it) return the .203
IP address. If I query for the names over here I get different results.
Since you say it was half a year ago .203, perhaps the .203 is still
there and returned for direct lookups for 'mysite.net' and this causes
it. If so, fix it so that the authoritative servers for 'mysite.net'
return the .203 answer for the name mysite.net.
Best regards, Wouter
> suser at gong:~$ dig @1.204.196.202 www.mysite.net<http://www.mysite.net>
>
> ; <<>> DiG 9.11.5-P4-5.1ubuntu2.1-Ubuntu <<>> @1.204.196.202 www.mysite.net<http://www.mysite.net>
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2722
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ;; QUESTION SECTION:
> ;www.mysite.net. IN A
>
> ;; ANSWER SECTION:
> www.mysite.net<http://www.mysite.net>. 4275 IN CNAME mysite.net.
> mysite.net. 5048 IN A 1.204.196.203
>
>
> But my authoritative DNS server returns:
>
> suser at gong:~$ dig @1.204.196.130 www.mysite.net<http://www.mysite.net>
>
> ; <<>> DiG 9.11.5-P4-5.1ubuntu2.1-Ubuntu <<>> @1.204.196.130 www.mysite.net<http://www.mysite.net>
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58582
> ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 3, ADDITIONAL: 4
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ;; QUESTION SECTION:
> ;www.mysite.net. IN A
>
> ;; ANSWER SECTION:
> www.mysite.net<http://www.mysite.net>. 10800 IN CNAME mysite.net.
> mysite.net. 10800 IN A 1.2.25.159
>
> ;; AUTHORITY SECTION:
> mysite.net. 10800 IN NS ns4.mysite.net.
> mysite.net. 10800 IN NS ns1.mysite.net.
> mysite.net. 10800 IN NS ns2.mysite.net.
>
> ;; ADDITIONAL SECTION:
> ns1.mysite.net. 10800 IN A 1.204.196.130
> ns2.mysite.net. 10800 IN A 1.2.25.199
> ns4.mysite.net. 10800 IN A 1.204.196.200
>
> ;; Query time: 0 msec
> ;; SERVER: 1.204.196.130#53(1.204.196.130)
> ;; WHEN: Птн апр 17 15:30:39 EEST 2020
> ;; MSG SIZE rcvd: 178
>
> and google returns correct records:
>
> suser at gong:~$ dig @8.8.8.8 www.mysite.net<http://www.mysite.net>
>
> ; <<>> DiG 9.11.5-P4-5.1ubuntu2.1-Ubuntu <<>> @8.8.8.8 www.mysite.net<http://www.mysite.net>
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6220
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 512
> ;; QUESTION SECTION:
> ;www.mysite.net. IN A
>
> ;; ANSWER SECTION:
> www.mysite.net<http://www.mysite.net>. 1842 IN CNAME mysite.net.
> mysite.net. 1842 IN A 1.2.25.159
>
> ;; Query time: 46 msec
> ;; SERVER: 8.8.8.8#53(8.8.8.8)
> ;; WHEN: Птн апр 17 15:30:05 EEST 2020
> ;; MSG SIZE rcvd: 76
>
>
> This 1.204.196.203 was valid IP about half a year ago.
> Can't find where it comes from.
> This is new clean unbound setup installed two days ago.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.nlnetlabs.nl/pipermail/unbound-users/attachments/20200417/55d4e428/attachment-0001.htm>
More information about the Unbound-users
mailing list