Irregular DNS lookup failures

Michael Schwager mschwage at gmail.com
Wed Oct 27 15:17:50 UTC 2021


Hello,
We install unbound as a local caching DNS server on all our hosts. By doing
this, we prevent our AD DNS servers from getting pounded by requests. It's
been working well for the most part. But on one host, sometimes unbound
will not resolve a cname for a host which exists in another domain. Often
DNS lookups work, but infrequently they don't, just on this particular
CNAME. I'm wondering why; can you give me any clues? I've added what I
know, below. Let me know if I've missed anything. Thanks.

We have two domains. Let's call them ouroffice.com and ouroffice.hk. The
problem is on an Asian host. Here's their /etc/resolv.conf; note that
10.20.80.12 and .13 are local DNS/AD servers:

domain ouroffice.hk
search ouroffice.hk ouroffice.com
nameserver 127.0.0.1
nameserver 10.20.80.12
nameserver 10.20.80.13
# failover control
options timeout:2 attempts:2

I have logging turned up on unbound and here is what a successful query
looks like:

2021-10-20T03:30:50.341449+08:00 host1shortname unbound: [43588:0] info:
resolving Some-file_transfer_server.ouroffice.hk. A IN
2021-10-20T03:30:50.341466+08:00 host1shortname unbound: [43588:0] info:
use stub ouroffice.hk. NS IN
2021-10-20T03:30:50.341470+08:00 host1shortname unbound: [43588:0] info:
use stub ouroffice.hk. NS IN
2021-10-20T03:30:50.341765+08:00 host1shortname unbound: [43588:0] info:
response for Some-file_transfer_server.ouroffice.hk. A IN
2021-10-20T03:30:50.341773+08:00 host1shortname unbound: [43588:0] info:
reply from <ouroffice.hk.> 10.20.80.13#53
2021-10-20T03:30:50.341777+08:00 host1shortname unbound: [43588:0] info:
query response was CNAME
2021-10-20T03:30:50.341789+08:00 host1shortname unbound: [43588:0] info:
resolving Some-file_transfer_server.ouroffice.hk. A IN
2021-10-20T03:30:50.341951+08:00 host1shortname unbound: [43588:0] info:
response for Some-file_transfer_server.ouroffice.hk. A IN
2021-10-20T03:30:50.341956+08:00 host1shortname unbound: [43588:0] info:
reply from <.> 10.20.80.13#53
2021-10-20T03:30:50.341959+08:00 host1shortname unbound: [43588:0] info:
query response was NXDOMAIN ANSWER
2021-10-20T03:30:50.342138+08:00 host1shortname unbound: [43588:0] info:
resolving Some-file_transfer_server.ouroffice.com. A IN
2021-10-20T03:30:50.342268+08:00 host1shortname unbound: [43588:0] info:
response for Some-file_transfer_server.ouroffice.com. A IN
2021-10-20T03:30:50.342273+08:00 host1shortname unbound: [43588:0] info:
reply from <.> 10.20.80.13#53
2021-10-20T03:30:50.342276+08:00 host1shortname unbound: [43588:0] info:
query response was CNAME
2021-10-20T03:30:50.342281+08:00 host1shortname unbound: [43588:0] info:
resolving Some-file_transfer_server.ouroffice.com. A IN
2021-10-20T03:30:50.342421+08:00 host1shortname unbound: [43588:0] info:
response for Some-file_transfer_server.ouroffice.com. A IN
2021-10-20T03:30:50.342428+08:00 host1shortname unbound: [43588:0] info:
reply from <.> 10.20.80.12#53
2021-10-20T03:30:50.342432+08:00 host1shortname unbound: [43588:0] info:
query response was ANSWER
2021-10-20T03:30:50.342646+08:00 host1shortname unbound: [43588:0] info:
resolving ahost2.ouroffice.com. AAAA IN
2021-10-20T03:30:50.342768+08:00 host1shortname unbound: [43588:0] info:
response for ahost2.ouroffice.com. AAAA IN
2021-10-20T03:30:50.342774+08:00 host1shortname unbound: [43588:0] info:
reply from <.> 10.20.80.12#53
2021-10-20T03:30:50.342777+08:00 host1shortname unbound: [43588:0] info:
query response was nodata ANSWER
2021-10-20T03:30:50.342852+08:00 host1shortname unbound: [43588:0] info:
resolving ahost2.ouroffice.com. MX IN
2021-10-20T03:30:50.342940+08:00 host1shortname unbound: [43588:0] info:
response for ahost2.ouroffice.com. MX IN
2021-10-20T03:30:50.342945+08:00 host1shortname unbound: [43588:0] info:
reply from <.> 10.20.80.12#53
2021-10-20T03:30:50.342947+08:00 host1shortname unbound: [43588:0] info:
query response was nodata ANSWER

Here is a failed lookup:

2021-10-20T21:23:06.724658+08:00 host1shortname unbound: [43588:0] info:
resolving Some-file_transfer_server.ouroffice.hk. A IN
2021-10-20T21:23:06.724669+08:00 host1shortname unbound: [43588:0] info:
use stub ouroffice.hk. NS IN
2021-10-20T21:23:06.724673+08:00 host1shortname unbound: [43588:0] info:
use stub ouroffice.hk. NS IN
2021-10-20T21:23:06.724994+08:00 host1shortname unbound: [43588:0] info:
response for Some-file_transfer_server.ouroffice.hk. A IN
2021-10-20T21:23:06.725002+08:00 host1shortname unbound: [43588:0] info:
reply from <ouroffice.hk.> 10.20.80.13#53
2021-10-20T21:23:06.725005+08:00 host1shortname unbound: [43588:0] info:
query response was CNAME
2021-10-20T21:23:06.725012+08:00 host1shortname unbound: [43588:0] info:
resolving Some-file_transfer_server.ouroffice.hk. A IN
2021-10-20T21:23:06.725174+08:00 host1shortname unbound: [43588:0] info:
response for Some-file_transfer_server.ouroffice.hk. A IN
2021-10-20T21:23:06.725185+08:00 host1shortname unbound: [43588:0] info:
reply from <.> 10.20.80.12#53
2021-10-20T21:23:06.725188+08:00 host1shortname unbound: [43588:0] info:
query response was NXDOMAIN ANSWER

Here is our unbound.conf:

#============================================================================
server:
        verbosity: 0
        statistics-interval: 600
        statistics-cumulative: no
        extended-statistics: yes
        num-threads: 4
        interface: 127.0.0.1
        interface-automatic: no
        cache-min-ttl: 60
        cache-max-ttl: 1800
        cache-max-negative-ttl: 1800
        do-ip6: no
        do-udp: yes
        do-tcp: yes
        access-control: 127.0.0.0/8 allow_snoop
        access-control: 10.0.0.0/8 deny
        chroot: ""
        username: "unbound"
        directory: "/etc/unbound"
        use-syslog: yes
        log-time-ascii: yes
        pidfile: "/var/run/unbound/unbound.pid"
        harden-glue: no
        harden-dnssec-stripped: no
        harden-below-nxdomain: no
        harden-referral-path: no
        unwanted-reply-threshold: 10000000
        prefetch: yes
        prefetch-key: yes
        rrset-roundrobin: yes
        minimal-responses: yes
        module-config: "validator iterator"
        trusted-keys-file: /etc/unbound/keys.d/*.key
        auto-trust-anchor-file: "/var/lib/unbound/root.key"
        # Ignore chain of trust. Domain is treated as insecure.
        domain-insecure: "ouroffice.com"
        domain-insecure: "ouroffice.hk"
        val-override-date: "0"
        val-clean-additional: yes
        val-permissive-mode: no
        val-log-level: 1
        include: /etc/unbound/local.d/*.conf
python:
remote-control:
        control-enable: yes
        server-key-file: "/etc/unbound/unbound_server.key"
        server-cert-file: "/etc/unbound/unbound_server.pem"
        control-key-file: "/etc/unbound/unbound_control.key"
        control-cert-file: "/etc/unbound/unbound_control.pem"
# Stub and Forward zones
include: /etc/unbound/conf.d/*.conf

# Stub zones.

stub-zone:
        name: "ouroffice.hk"
        stub-addr: 10.20.80.12
        stub-addr: 10.20.80.13
        stub-prime: no
        stub-first: no
#1.6    stub-ssl-upstream: no

# Forward zones
forward-zone:
        name: "."
        forward-addr: 10.20.80.12
        forward-addr: 10.20.80.13
#1.6    forward-first: yes
#1.6    forward-ssl-upstream: no
#============================================================================

Here is an included local.conf file from /etc/unbound/local.d/*.conf:

local-zone: "10.in-addr.arpa." nodefault
domain-insecure: "10.in-addr.arpa."
local-zone: "16.172.in-addr.arpa." nodefault
domain-insecure: "16.172.in-addr.arpa."
local-zone: "17.172.in-addr.arpa." nodefault
domain-insecure: "17.172.in-addr.arpa."
local-zone: "18.172.in-addr.arpa." nodefault
domain-insecure: "18.172.in-addr.arpa."
local-zone: "19.172.in-addr.arpa." nodefault
domain-insecure: "19.172.in-addr.arpa."
local-zone: "20.172.in-addr.arpa." nodefault
domain-insecure: "20.172.in-addr.arpa."
local-zone: "21.172.in-addr.arpa." nodefault
domain-insecure: "21.172.in-addr.arpa."
local-zone: "22.172.in-addr.arpa." nodefault
domain-insecure: "22.172.in-addr.arpa."
local-zone: "23.172.in-addr.arpa." nodefault
domain-insecure: "23.172.in-addr.arpa."
local-zone: "24.172.in-addr.arpa." nodefault
domain-insecure: "24.172.in-addr.arpa."
local-zone: "25.172.in-addr.arpa." nodefault
domain-insecure: "25.172.in-addr.arpa."
local-zone: "26.172.in-addr.arpa." nodefault
domain-insecure: "26.172.in-addr.arpa."
local-zone: "27.172.in-addr.arpa." nodefault
domain-insecure: "27.172.in-addr.arpa."
local-zone: "28.172.in-addr.arpa." nodefault
domain-insecure: "28.172.in-addr.arpa."
local-zone: "29.172.in-addr.arpa." nodefault
domain-insecure: "29.172.in-addr.arpa."
local-zone: "30.172.in-addr.arpa." nodefault
domain-insecure: "30.172.in-addr.arpa."
local-zone: "31.172.in-addr.arpa." nodefault
domain-insecure: "31.172.in-addr.arpa."
local-zone: "168.192.in-addr.arpa." nodefault
domain-insecure: "168.192.in-addr.arpa."
-- 
-Mike Schwager
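To compare the two traces above step by step, here is an added example (not from the post, and not unbound's own tooling) that parses the archive-wrapped unbound log records, extracts for each "resolving" step which zone and upstream answered and with what response class, and flags the pattern seen in the failed lookup: a CNAME answered by the stub zone whose target then gets NXDOMAIN through the "." forwarder. The sample lines are a constructed excerpt in the post's log format; the function and field names are the example's own.

```python
import re

# Constructed excerpt in the post's unbound log format. The list archive wraps
# each record after "info:", so untimestamped continuation lines are re-joined.
SAMPLE_LOG = """\
2021-10-20T21:23:06.724658+08:00 host1shortname unbound: [43588:0] info:
resolving Some-file_transfer_server.ouroffice.hk. A IN
2021-10-20T21:23:06.725002+08:00 host1shortname unbound: [43588:0] info:
reply from <ouroffice.hk.> 10.20.80.13#53
2021-10-20T21:23:06.725005+08:00 host1shortname unbound: [43588:0] info:
query response was CNAME
2021-10-20T21:23:06.725012+08:00 host1shortname unbound: [43588:0] info:
resolving Some-file_transfer_server.ouroffice.hk. A IN
2021-10-20T21:23:06.725185+08:00 host1shortname unbound: [43588:0] info:
reply from <.> 10.20.80.12#53
2021-10-20T21:23:06.725188+08:00 host1shortname unbound: [43588:0] info:
query response was NXDOMAIN ANSWER
"""

TS = re.compile(r"^\d{4}-\d{2}-\d{2}T")
REPLY = re.compile(r"reply from <(.*)> (\S+)#\d+")

def join_records(text):
    """Re-join records that the archive wrapped onto two physical lines."""
    records = []
    for line in text.splitlines():
        if TS.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line.strip()
    return records

def parse_steps(text):
    """One dict per 'resolving' step: name, answering zone, server, response class."""
    steps = []
    for rec in join_records(text):
        msg = rec.split("info: ", 1)[1] if "info: " in rec else ""
        if msg.startswith("resolving "):
            steps.append({"name": msg.split()[1], "zone": None, "server": None, "result": None})
        elif msg.startswith("reply from ") and steps:
            steps[-1]["zone"], steps[-1]["server"] = REPLY.match(msg).groups()
        elif msg.startswith("query response was ") and steps:
            steps[-1]["result"] = msg.split()[3]  # "NXDOMAIN ANSWER" -> "NXDOMAIN"
    return steps

def stub_cname_then_forwarder_nxdomain(steps):
    """Flag a CNAME answered by a stub zone whose target then gets NXDOMAIN via '.'."""
    return [(p["name"], p["server"], c["server"]) for p, c in zip(steps, steps[1:])
            if p["result"] == "CNAME" and p["zone"] != "."
            and c["result"] == "NXDOMAIN" and c["zone"] == "."]
```

Run over a longer log, the flagged tuples show which forwarder answered the NXDOMAIN each time, which is the first thing to check here since the "." step in the post's successful trace was answered by 10.20.80.13 and in the failed one by 10.20.80.12.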