Unbound returns incorrect results

Wouter Wijngaards wouter at nlnetlabs.nl
Fri Apr 17 13:19:14 UTC 2020 

Hi,

So your server has the correct .159 answer for mysite.net.  But unbound
must have had this lookup value from somewhere.  That returned .203 and
is also a name server for mysite.net.

You can check the other nameservers for mysite.net for their response.
Or have unbound with verbosity 4 (or more) and that prints the
individual answers as unbound receives it.  Start unbound again to make
it perform a new lookup and get the logs, then search for the .203
address and see where unbound got it from.  (which is then one of the
nameservers for mysite.net).

Best regards, Wouter

On 17/04/2020 15:13, Юрий Иванов wrote:
> Thanks for reply.
> I see but this how looks query to mysite.net:
> 
> :~$ dig @1.204.196.130 mysite.net    
> 
> ; <<>> DiG 9.11.5-P4-5.1ubuntu2.1-Ubuntu <<>> @1.204.196.130 mysite.net
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4437
> ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 4
> 
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ;; QUESTION SECTION:
> ;mysite.net.                 IN      A
> 
> ;; ANSWER SECTION:
> mysite.net.          10800   IN      A       1.2.25.159
> 
> ;; AUTHORITY SECTION:
> mysite.net.          10800   IN      NS      ns2.mysite.net.
> mysite.net.          10800   IN      NS      ns4.mysite.net.
> mysite.net.          10800   IN      NS      ns1.mysite.net.
> 
> ;; ADDITIONAL SECTION:
> ns1.mysite.net.      10800   IN      A       1.204.196.130
> ns2.mysite.net.      10800   IN      A       1.2.25.199
> ns4.mysite.net.      10800   IN      A       1.204.196.200
> 
> ;; Query time: 0 msec
> ;; SERVER: 1.204.196.130#53(1.204.196.130)
> ;; WHEN: Птн апр 17 15:59:26 EEST 2020
> ;; MSG SIZE  rcvd: 160
> 
> cache returns
> :~$ dig @1.204.196.202 mysite.net              
> 
> ; <<>> DiG 9.11.5-P4-5.1ubuntu2.1-Ubuntu <<>> @1.204.196.202 mysite.net
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2039
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
> 
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ;; QUESTION SECTION:
> ;mysite.net.                 IN      A
> 
> ;; ANSWER SECTION:
> mysite.net.          2298    IN      A       1.204.196.203
> 
> ;; Query time: 0 msec
> ;; SERVER: 1.204.196.202#53(1.204.196.202)
> ;; WHEN: Птн апр 17 16:11:35 EEST 2020
> ;; MSG SIZE  rcvd: 58
> 
> My zone doesnt have this IP binded to 203
> 
> [root at ns1 named]# grep 203 mysite.net  
> forum                   IN      A      1.204.196.203
> lang                    IN      A      1.204.196.203
> 
> Thanks in advance.
> ------------------------------------------------------------------------
> *От:* Unbound-users <unbound-users-bounces at lists.nlnetlabs.nl> от имени
> Wouter Wijngaards via Unbound-users <unbound-users at lists.nlnetlabs.nl>
> *Отправлено:* 17 апреля 2020 г. 15:46
> *Кому:* unbound-users at lists.nlnetlabs.nl <unbound-users at lists.nlnetlabs.nl>
> *Тема:* Re: Unbound returns incorrect results
>  
> Hi,
> 
> On 17/04/2020 14:34, Юрий Иванов via Unbound-users wrote:
>> Hi
>> My unbound returns incorrect results
>> 
>> Unboud returns .203 IP
> 
> Unbound looks up the target of the CNAME by itself, this is necessary
> for security reasons for caching the correct data for that name.  The
> lookup for that returned the .203 IP.  So that is the correct answer.
> 
> The original server was not returning the correct information.  It must
> return the same IP address for 'mysite.net' as when the DNS is queried
> directly for the name.  For security reasons, unbound queries for all
> CNAME answers for the target name, to look it up directly, to make sure
> it gets the correct information in cache.
> 
> In the print out you are missing a direct dig query for the 'mysite.net'
> record, that would (apparantly because unbound finds it) return the .203
> IP address.  If I query for the names over here I get different results.
>  Since you say it was half a year ago .203, perhaps the .203 is still
> there and returned for direct lookups for 'mysite.net' and this causes
> it.  If so, fix it so that the authoritative servers for 'mysite.net'
> return the .203 answer for the name mysite.net.
> 
> Best regards, Wouter
> 
>> suser at gong:~$ dig @1.204.196.202 www.mysite.net <http://www.mysite.net>
>> 
>> ; <<>> DiG 9.11.5-P4-5.1ubuntu2.1-Ubuntu <<>> @1.204.196.202 www.mysite.net <http://www.mysite.net>
>> ; (1 server found)
>> ;; global options: +cmd
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2722
>> ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
>> 
>> ;; OPT PSEUDOSECTION:
>> ; EDNS: version: 0, flags:; udp: 4096
>> ;; QUESTION SECTION:
>> ;www.mysite.net.             IN      A
>> 
>> ;; ANSWER SECTION:
>> www.mysite.net <http://www.mysite.net>.      4275    IN      CNAME  
> mysite.net.
>> mysite.net.          5048    IN      A       1.204.196.203
>> 
>> 
>> But my authoritative DNS server returns:
>> 
>> suser at gong:~$ dig @1.204.196.130 www.mysite.net <http://www.mysite.net>      
>> 
>> ; <<>> DiG 9.11.5-P4-5.1ubuntu2.1-Ubuntu <<>> @1.204.196.130 www.mysite.net <http://www.mysite.net>
>> ; (1 server found)
>> ;; global options: +cmd
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58582
>> ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 3, ADDITIONAL: 4
>> 
>> ;; OPT PSEUDOSECTION:
>> ; EDNS: version: 0, flags:; udp: 4096
>> ;; QUESTION SECTION:
>> ;www.mysite.net.             IN      A
>> 
>> ;; ANSWER SECTION:
>> www.mysite.net <http://www.mysite.net>.      10800   IN      CNAME  
> mysite.net.
>> mysite.net.          10800   IN      A       1.2.25.159
>> 
>> ;; AUTHORITY SECTION:
>> mysite.net.          10800   IN      NS      ns4.mysite.net.
>> mysite.net.          10800   IN      NS      ns1.mysite.net.
>> mysite.net.          10800   IN      NS      ns2.mysite.net.
>> 
>> ;; ADDITIONAL SECTION:
>> ns1.mysite.net.      10800   IN      A       1.204.196.130
>> ns2.mysite.net.      10800   IN      A       1.2.25.199
>> ns4.mysite.net.      10800   IN      A       1.204.196.200
>> 
>> ;; Query time: 0 msec
>> ;; SERVER: 1.204.196.130#53(1.204.196.130)
>> ;; WHEN: Птн апр 17 15:30:39 EEST 2020
>> ;; MSG SIZE  rcvd: 178
>> 
>> and google returns correct records:
>> 
>> suser at gong:~$ dig @8.8.8.8 www.mysite.net <http://www.mysite.net>      
>> 
>> ; <<>> DiG 9.11.5-P4-5.1ubuntu2.1-Ubuntu <<>> @8.8.8.8 www.mysite.net <http://www.mysite.net>
>> ; (1 server found)
>> ;; global options: +cmd
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6220
>> ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
>> 
>> ;; OPT PSEUDOSECTION:
>> ; EDNS: version: 0, flags:; udp: 512
>> ;; QUESTION SECTION:
>> ;www.mysite.net.             IN      A
>> 
>> ;; ANSWER SECTION:
>> www.mysite.net <http://www.mysite.net>.      1842    IN      CNAME  
> mysite.net.
>> mysite.net.          1842    IN      A       1.2.25.159
>> 
>> ;; Query time: 46 msec
>> ;; SERVER: 8.8.8.8#53(8.8.8.8)
>> ;; WHEN: Птн апр 17 15:30:05 EEST 2020
>> ;; MSG SIZE  rcvd: 76
>> 
>> 
>> This 1.204.196.203 was valid IP about half a year ago.
>> Can't find where it comes from.
>> This is new clean unbound setup installed two days ago.

More information about the Unbound-users mailing list