Getting Refused from stub-zone authoritative query record

George (Yorgos) Thessalonikefs george at nlnetlabs.nl
Fri Dec 9 15:40:32 UTC 2022 

Hi,

I don't see this as an Unbound issue; NSD just returns REFUSED to such 
queries.
There seems to be something off with your NSD configuration. Maybe an 
'allow-query:' option or the zone you are requesting is not loaded in NSD.
I would first try to solve that issue with just 'dig' from the same 
Unbound machine. When you manage to get an answer with dig, try then 
with Unbound.

But as I see this may only be related to NSD, asking in that mailing 
list may get you further 
(https://lists.nlnetlabs.nl/mailman/listinfo/nsd-users).

Best regards,
-- Yorgos


On 08/12/2022 14:08, info--- via Unbound-users wrote:
> 2 Unbound
> [dns1 with separate VPS||VM port 53 ]
> and
> [dns2 with separate VPS||VM port 53]
> 
> Both dns1 & dns2 have global IPs with a local alias on the same 
> interface igb0 and local IP subnet is on same as the 2 NSD.
> 
> access-control: allow_snoop = I changed it from allow for testing 
> neither works and access-control I added local IP.
> 
> 2 NSD
> [ns1 with separate VPS||VM port 53]
> and
> [ns2 with separate VPS||VM port 53]
> 
> ns1 (Master) sockstat -l
> USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
> nsd      nsd        40026 5  udp4   192.168.200.200:53    *:*
> nsd      nsd        40026 6  tcp4   192.168.200.200:53    *:*
> nsd      nsd        40026 7  udp4   192.168.2.136:53      *:*
> nsd      nsd        40026 8  tcp4   192.168.2.136:53      *:*
> nsd      nsd        40026 10 tcp4   127.0.0.1:8952        *:*
> nsd      nsd        10706 10 tcp4   127.0.0.1:8952        *:*
> 
> ns2 (Slave) sockstat -l
> USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
> nsd      nsd        33332 5  udp4   192.168.200.220:53    *:*
> nsd      nsd        33332 6  tcp4   192.168.200.220:53    *:*
> nsd      nsd        33332 7  udp4   192.168.2.147:53      *:*
> nsd      nsd        33332 8  tcp4   192.168.2.147:53      *:*
> nsd      nsd        33332 10 tcp4   127.0.0.1:8952        *:*
> nsd      nsd        24639 10 tcp4   127.0.0.1:8952        *:*
> 
> 
> I am using stub-zone on the unbounds (dns1 & dns2) to connect to the ns1 
> (master) and while all the zone-file (ns1/ns2) seems to be working/no 
> error via nsd-checkzone I can't get a reply of the records. Below are 
> the logs from unbound.log.
> 
> Dec 07 23:29:49 unbound[495:0] debug: Incoming reply addr = ip4 
> 192.168.200.200 port 53 (len 16)
> Dec 07 23:29:49 unbound[495:0] debug: lookup size is 1 entries
> Dec 07 23:29:49 unbound[495:0] debug: received udp reply.
> Dec 07 23:29:49 unbound[495:0] debug: udp message[53:0] 
> 46F380050001000000000001036E73310A6A6541686F6C64496E6703634F4D000006000100002904D0000080000006000F00020014 
> 
> Dec 07 23:29:49 unbound[495:0] debug: outnet handle udp reply
> Dec 07 23:29:49 unbound[495:0] debug: measured roundtrip at 2 msec
> Dec 07 23:29:49 unbound[495:0] debug: svcd callbacks start
> Dec 07 23:29:49 unbound[495:0] debug: good 0x20-ID in reply qname
> Dec 07 23:29:49 unbound[495:0] debug: worker svcd callback for qstate 
> 0x804ae7150
> Dec 07 23:29:49 unbound[495:0] debug: mesh_run: start
> Dec 07 23:29:49 unbound[495:0] debug: iterator[module 1] operate: 
> extstate:module_wait_reply event:module_event_reply
> Dec 07 23:29:49 unbound[495:0] info: iterator operate: query 
> example.com. SOA IN
> Dec 07 23:29:49 unbound[495:0] debug: process_response: new external 
> response event
> Dec 07 23:29:49 unbound[495:0] info: scrub for example.com. NS IN
> Dec 07 23:29:49 unbound[495:0] info: response for example.com. SOA IN
> Dec 07 23:29:49 unbound[495:0] info: reply from <example.com.> 
> 192.168.200.200#53
> Dec 07 23:29:49 unbound[495:0] info: incoming scrubbed packet: ;; 
> ->>HEADER<<- opcode: QUERY, rcode: REFUSED, id: 0
> ;; flags: qr ; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
> ;; QUESTION SECTION:
> example.com.     IN      SOA
> 
> ;; ANSWER SECTION:
> 
> ;; AUTHORITY SECTION:
> 
> ;; ADDITIONAL SECTION:
> ;; MSG SIZE  rcvd: 36
> 
> Dec 07 23:29:49 unbound[495:0] debug: iter_handle processing q with 
> state QUERY RESPONSE STATE
> Dec 07 23:29:49 unbound[495:0] info: query response was THROWAWAY
> Dec 07 23:29:49 unbound[495:0] debug: iter_handle processing q with 
> state QUERY TARGETS STATE
> Dec 07 23:29:49 unbound[495:0] info: processQueryTargets: example.com. 
> SOA IN
> Dec 07 23:29:49 unbound[495:0] debug: processQueryTargets: targetqueries 
> 0, currentqueries 0 sentcount 5
> Dec 07 23:29:49 unbound[495:0] info: DelegationPoint<example.com.>: 0 
> names (0 missing), 1 addrs (0 result, 0 avail) parentNS
> Dec 07 23:29:49 unbound[495:0] debug:    ip4 192.168.200.200 port 53 
> (len 16)
> Dec 07 23:29:49 unbound[495:0] debug: rpz: iterator module callback: 
> have_rpz=0
> Dec 07 23:29:49 unbound[495:0] debug: No more query targets, attempting 
> last resort
> Dec 07 23:29:49 unbound[495:0] debug: configured stub or forward servers 
> failed -- returning SERVFAIL
> Dec 07 23:29:49 unbound[495:0] debug: store error response in message cache
> Dec 07 23:29:49 unbound[495:0] debug: return error response SERVFAIL
> Dec 07 23:29:49 unbound[495:0] debug: mesh_run: iterator module exit 
> state is module_finished
> Dec 07 23:29:49 unbound[495:0] debug: validator[module 0] operate: 
> extstate:module_wait_module event:module_event_moddone
> Dec 07 23:29:49 unbound[495:0] info: validator operate: query 
> example.com. SOA IN
> Dec 07 23:29:49 unbound[495:0] debug: validator: nextmodule returned
> Dec 07 23:29:49 unbound[495:0] debug: cannot validate non-answer, rcode 
> SERVFAIL
> Dec 07 23:29:49 unbound[495:0] debug: mesh_run: validator module exit 
> state is module_finished
> Dec 07 23:29:49 unbound[495:0] error: SERVFAIL <example.com. SOA IN>: 
> all the configured stub or forward servers failed, at zone example.com. 
> from 192.168.200.200 got REFUSED
> Dec 07 23:29:49 unbound[495:0] debug: comm point stop listening 27
> Dec 07 23:29:49 unbound[495:0] debug: comm point start listening 27 
> (30000 msec)
> Dec 07 23:29:49 unbound[495:0] debug: startlistening 27 mode w
> Dec 07 23:29:49 unbound[495:0] debug: query took 1.336436 sec
> Dec 07 23:29:49 unbound[495:0] reply: 192.168.200.162 example.com. SOA 
> IN SERVFAIL 1.336436 0 36
> Dec 07 23:29:49 unbound[495:0] info: mesh_run: end 0 recursion states (0 
> with reply, 0 detached), 0 waiting replies, 1 recursion replies sent, 0 
> replies dropped, 0 states jostled out
> 
> I am also using dnstop to get some statistics in NSD (ns1 =master), 
> query seems to me like is coming into the stub-zones / ns1 (master)... 
> yet the reply getting refused in unbound. The unbound works for zones 
> outside of my stub-zones for example drill -A google.com works fine with 
> DNSSEC via forward-addr.
> 
> I can't get the stub-zones authoritative to work.
> 
> Any help will be greatly appreciated, I am using OS FreeBSD.

More information about the Unbound-users mailing list