Unbound does not forward query to NSD
Tom Hendrikx
tom at whyscream.net
Thu Mar 25 09:25:20 UTC 2021
Hi,
In your example, dig will do the recursion by itself. To test your
unbound setup, you'll need to send a "dig mydomain.net" to your unbound
server, and then check the unbound logs for the route taken.
Kind regards,
Tom
On 24-03-2021 23:33, François RONVAUX via Unbound-users wrote:
> Hello,
>
>
> I have a server running both NSD and Unbound.
>
> The problem is that Unbound does not seem to redirect the queries for
> "mydomain.net" to NSD as it should.
>
>
> NSD listening interface : "ip_address_ns1" (this is the external
> interface facing Internet)
> NSD master authoritative zone : "mydomain.net"
> NSD master server of the zone : "ns1.mydomain.net"
>
>
>
> # Unbound config file.
> #=====================
> server:
>     do-ip6: no
>     do-ip4: yes
>     do-tcp: yes
>     do-udp: yes
>
>     interface: 127.0.0.1
>     port: 53
>
>     verbosity: 1
>     statistics-cumulative: yes
>     extended-statistics: yes
>
>     access-control: 0.0.0.0/0 refuse
>     access-control: 127.0.0.0/8 allow
>
>     hide-identity: yes
>     hide-version: yes
>
>     root-hints: "/var/unbound/db/root.hints"
>     auto-trust-anchor-file: "/var/unbound/db/root.key"
>     module-config: "validator iterator"
>
>     harden-glue: yes
>     harden-algo-downgrade: no
>     harden-dnssec-stripped: yes
>     harden-below-nxdomain: yes
>     harden-referral-path: yes
>     aggressive-nsec: yes
>     use-caps-for-id: yes
>     qname-minimisation: yes
>     val-clean-additional: yes
>
>     cache-min-ttl: 3600
>     cache-max-ttl: 86400
>     prefetch: yes
>     prefetch-key: yes
>
>     unwanted-reply-threshold: 10000
>
>     do-not-query-localhost: no
>
> forward-zone:
>     name: "mydomain.net."
>     forward-addr: ip_address_ns1 # ns1.mydomain.net
>     forward-addr: ip_address_ns2 # ns2.mydomain.net
>
> # End of File.
> #=============
>
>
>
> If I understand well the result of a "dig +trace mydomain.net",
> it seems that the query goes outside my server
> to the "." DNS servers and after ".net" DNS servers instead of going
> directly to "address_ip_ns1" or "address_ip_ns2" :
>
>
> root at ns1 [23:07:48]:~$ dig +trace mydomain.net
>
> ; <<>> dig 9.10.8-P1 <<>> +trace mydomain.net
> ;; global options: +cmd
> [...]
> . 518400 IN NS m.root-servers.net.
> ;; Received 1097 bytes from 198.41.0.4#53(198.41.0.4) in 12 ms
>
> [...]
> net. 172800 IN NS m.gtld-servers.net.
> ;; Received 1169 bytes from 199.7.83.42#53(l.root-servers.net) in 8 ms
>
> mydomain.net. 172800 IN NS ns1.mydomain.net.
> mydomain.net. 172800 IN NS ns2.mydomain.net.
> ;; Received 658 bytes from 192.31.80.30#53(d.gtld-servers.net) in 6 ms
>
> mydomain.net. 3600 IN A ip_address
> mydomain.net. 3600 IN NS ns1.mydomain.net.
> mydomain.net. 3600 IN NS ns2.mydomain.net.
> ;; Received 125 bytes from ip_address_ns1#53(ns1.mydomain.net) in 0 ms
>
>
> Do you have any suggestions ?
>
>
> Thanks in advance.
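The point of Tom's reply is that `dig +trace` never talks to the local resolver: it walks the delegation chain from the root by itself, so its output cannot show whether the forward-zone is honoured. The check that does show it is a recursive query (RD=1) sent to Unbound on 127.0.0.1, compared against a non-recursive query sent straight to the NSD instance. The script below is an added example, not code from the thread or from the Unbound project; it builds and parses raw DNS packets so the comparison is visible at the wire level. The name `mydomain.net`, the placeholder address `192.0.2.1` standing in for `ip_address_ns1`, and the `build_response` fixture used for offline testing are all assumptions.

```python
"""Added example: check that a resolver forwards a zone to an authoritative server.

Sends a recursive A query to the local Unbound (127.0.0.1) and a non-recursive
one to the authoritative server, then compares the A records in both answers.
The TTL is deliberately ignored, because Unbound's cache-min-ttl/cache-max-ttl
settings may change it on the forwarded answer."""
import socket
import struct
import sys


def encode_name(name: str) -> bytes:
    """DNS wire format for a dotted name: length-prefixed labels, zero terminator."""
    out = b""
    for label in name.strip(".").split("."):
        raw = label.encode("ascii")
        if not raw or len(raw) > 63:
            raise ValueError("bad label: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, qid: int = 0x1234, recursive: bool = True) -> bytes:
    """Standard query for the A record of `name`.
    RD=1 (flags 0x0100) asks a resolver to recurse; RD=0 is what you send to an
    authoritative server such as NSD, which will answer from its zone data."""
    flags = 0x0100 if recursive else 0x0000
    header = struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def read_name(wire: bytes, offset: int):
    """Decode a possibly compressed name; return (name, offset just past it)."""
    labels, end, jumped, hops = [], offset, False, 0
    while True:
        length = wire[offset]
        if length & 0xC0 == 0xC0:  # 2-byte compression pointer (RFC 1035 4.1.4)
            pointer = struct.unpack("!H", wire[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset, hops = True, pointer, hops + 1
            if hops > 64:
                raise ValueError("compression pointer loop")
            continue
        offset += 1
        if length == 0:
            if not jumped:
                end = offset
            return ".".join(labels) + ".", end
        labels.append(wire[offset:offset + length].decode("ascii"))
        offset += length


def parse_answers(wire: bytes):
    """Return (flags, [(owner, rtype, ttl, rdata_text), ...]) for the answer section."""
    _, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", wire[:12])
    offset = 12
    for _ in range(qdcount):          # skip the echoed question section
        _, offset = read_name(wire, offset)
        offset += 4
    answers = []
    for _ in range(ancount):
        owner, offset = read_name(wire, offset)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", wire[offset:offset + 10])
        offset += 10
        rdata = wire[offset:offset + rdlen]
        text = socket.inet_ntoa(rdata) if rtype == 1 and rdlen == 4 else rdata.hex()
        answers.append((owner, rtype, ttl, text))
        offset += rdlen
    return flags, answers


def same_a_records(resolver_wire: bytes, auth_wire: bytes) -> bool:
    """True when both answers carry the same non-empty set of A records (TTLs ignored)."""
    def a_set(wire):
        return {(o, t) for o, rtype, _, t in parse_answers(wire)[1] if rtype == 1}
    return bool(a_set(auth_wire)) and a_set(resolver_wire) == a_set(auth_wire)


def build_response(query_wire: bytes, addrs, ttl: int) -> bytes:
    """Constructed fixture for offline testing: wrap a query into a response
    with one A record per address, using a pointer (0xC00C) to the question name."""
    qid, flags, qd, _, _, _ = struct.unpack("!HHHHHH", query_wire[:12])
    header = struct.pack("!HHHHHH", qid, flags | 0x8080, qd, len(addrs), 0, 0)  # QR, RA
    body = query_wire[12:]
    for addr in addrs:
        body += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + socket.inet_aton(addr)
    return header + body


def query(server: str, name: str, recursive: bool, timeout: float = 3.0) -> bytes:
    """Send one UDP query and return the raw reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, recursive=recursive), (server, 53))
        return sock.recv(4096)


if __name__ == "__main__":
    name = sys.argv[1] if len(sys.argv) > 1 else "mydomain.net"      # assumed zone
    auth = sys.argv[2] if len(sys.argv) > 2 else "192.0.2.1"         # placeholder for ip_address_ns1
    from_resolver = query("127.0.0.1", name, recursive=True)
    from_auth = query(auth, name, recursive=False)
    print("resolver answer:", parse_answers(from_resolver)[1])
    print("authoritative answer:", parse_answers(from_auth)[1])
    print("forwarding OK" if same_a_records(from_resolver, from_auth) else "answers differ")
```

Run it on the box that hosts both daemons (`python3 check_forward.py mydomain.net ip_address_ns1`). A matching A set means Unbound answered from the forward-addr servers or from a cache entry it got there; a differing or empty set means the forward-zone is not being used for that name. To see the route Tom refers to, keep in mind that the posted `verbosity: 1` logs very little about individual queries; raising it temporarily shows which upstream Unbound chose, and `unbound-control lookup mydomain.net` prints the servers Unbound would use for that name without sending any query at all.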