Forwarding to another resolver

Petr Menšík pemensik at redhat.com
Mon Jun 3 14:33:38 UTC 2024


Hi Ray!

It seems you have defined a local zone ratmouse.ts.net in your unbound. 
That also means it is authoritative for it, and authoritative answers 
override those which might be obtained by forwarding.

Because local-data does not specify ds1.ratmouse.ts.net, it seems 
correct to respond with NXDOMAIN. Your unbound does not specify any 
subzone delegation. That means that whatever unbound does not know does 
not exist in this zone. Defining both an authoritative zone and a 
forwarding zone for the same name is a configuration error, because the 
forwarding is then ignored.

If you need it this way, try the local-zone type transparent or 
typetransparent. That should allow resolution of non-existent names 
inside this zone. Of course, an unbound that supports it is required.

I would recommend using forward-zone or stub-zone for the ratmouse 
domain and placing the server address outside of this zone, for example 
at ratmouse-ns.ts.net, defined in a separate zone. That would make it 
clearer which server is authoritative for which zone and data.

Cheers,
Petr

On 24. 05. 24 17:01, RayG via Unbound-users wrote:
> I am trying to use TailScale and I wanted Unbound to resolve TailScale DNS
> names.
>
> TailScale has its own mini DNS server which when queried directly works just
> fine:
>
> dig ds1.ratmouse.ts.net. @100.100.100.100
>
> ; <<>> DiG 9.17.14 <<>> ds1.ratmouse.ts.net. @100.100.100.100
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57681
> ;; flags: qr aa rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;ds1.ratmouse.ts.net.          IN      A
>
> ;; ANSWER SECTION:
> ds1.ratmouse.ts.net.   600     IN      A       100.102.208.83
>
> ;; Query time: 4 msec
> ;; SERVER: 100.100.100.100#53(100.100.100.100) (UDP)
> ;; WHEN: Wed May 22 14:13:34 GMT Summer Time 2024
> ;; MSG SIZE  rcvd: 74
>
> When I try to do that via Unbound I get NXDOMAIN
>
> 22/05/2024 14:15:07 C:\Program Files\Unbound\unbound.exe[5756:0] query: 127.0.0.1 ds1.ratmouse.ts.net. A IN
> 22/05/2024 14:15:07 C:\Program Files\Unbound\unbound.exe[5756:0] reply: 127.0.0.1 ds1.ratmouse.ts.net. A IN NXDOMAIN 0.000000 1 109
>
> dig ds1.ratmouse.ts.net.
>
> ; <<>> DiG 9.17.14 <<>> ds1.ratmouse.ts.net.
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 55170
> ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 1232
> ;; QUESTION SECTION:
> ;ds1.ratmouse.ts.net.          IN      A
>
> ;; AUTHORITY SECTION:
> ratmouse.ts.net.       3600    IN      SOA     localhost. nobody1.invalid. 1 3600 1200 604800 10800
>
> ;; Query time: 4 msec
> ;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
> ;; WHEN: Wed May 22 14:15:07 GMT Summer Time 2024
> ;; MSG SIZE  rcvd: 109
>
> This is the configuration for the forwarding, is there anything I am doing
> wrong or have forgotten to include?
>
> server:
>       private-domain: "ratmouse.ts.net."
>       domain-insecure: "ratmouse.ts.net."
>
>       local-zone: "ratmouse.ts.net." static
>       local-data: "ratmouse.ts.net. IN NS localhost."
>       local-data: "ratmouse.ts.net. IN SOA localhost. nobody1.invalid. 1 3600 1200 604800 10800"
>       local-data: "ratmouse.ts.net. IN A 100.100.100.100"
>
> forward-zone:
>       name: "ratmouse.ts.net."
>       forward-addr: 100.100.100.100@53
>       forward-first: yes
>       forward-tls-upstream: no
>       forward-tcp-upstream: no
>
> Thanks
>
-- 
Petr Menšík
Software Engineer, RHEL
Red Hat, http://www.redhat.com/
PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB
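The behaviour described in the reply, as an added example that is not part of the thread and not Unbound's own code: a small model that parses the posted unbound.conf fragment and answers queries the way unbound.conf(5) documents the local-zone types static, transparent and typetransparent, so the NXDOMAIN from the thread can be reproduced offline and compared with the two fixes the reply suggests. FORWARDER is a constructed stand-in for the Tailscale resolver at 100.100.100.100, and FIXED_CONFIG uses the reply's example name ratmouse-ns.ts.net for the separate local zone; find_conflicts is an added check for the shadowing misconfiguration.

```python
"""Model of Unbound local-zone types versus a forward-zone for the same name.

Added illustration, not Unbound's code: it re-implements the local-zone
answer rules from unbound.conf(5) for 'static', 'transparent' and
'typetransparent' on top of a minimal config parser.
"""
import re
from collections import defaultdict

# Constructed: what the upstream at 100.100.100.100 answered in the thread.
FORWARDER = {("ds1.ratmouse.ts.net.", "A"): ["100.102.208.83"]}

# The configuration as posted (SOA record joined back onto one line).
POSTED_CONFIG = """
server:
    local-zone: "ratmouse.ts.net." static
    local-data: "ratmouse.ts.net. IN NS localhost."
    local-data: "ratmouse.ts.net. IN SOA localhost. nobody1.invalid. 1 3600 1200 604800 10800"
    local-data: "ratmouse.ts.net. IN A 100.100.100.100"
forward-zone:
    name: "ratmouse.ts.net."
    forward-addr: 100.100.100.100@53
"""

# Fix 1 from the reply: keep the local zone but make it transparent.
TRANSPARENT_CONFIG = POSTED_CONFIG.replace('ratmouse.ts.net." static',
                                           'ratmouse.ts.net." transparent')

# Fix 2 from the reply: forward ratmouse.ts.net and keep the resolver's own
# name in a separate local zone (ratmouse-ns.ts.net is the reply's example).
FIXED_CONFIG = """
server:
    local-zone: "ratmouse-ns.ts.net." static
    local-data: "ratmouse-ns.ts.net. IN A 100.100.100.100"
forward-zone:
    name: "ratmouse.ts.net."
    forward-addr: 100.100.100.100@53
"""


def parse_config(text):
    """Return (local_zones, local_data, forward_zone_names) from unbound.conf text."""
    zones, data, forwards, section = {}, defaultdict(list), set(), None
    for raw in text.splitlines():
        line = raw.strip()
        if re.fullmatch(r"[a-z-]+:", line):            # "server:", "forward-zone:", ...
            section = line[:-1]
        elif m := re.match(r'local-zone:\s*"?([^"\s]+)"?\s+(\w+)', line):
            zones[m.group(1).lower()] = m.group(2)
        elif m := re.match(r'local-data:\s*"([^"]+)"', line):
            fields = m.group(1).split()                 # name [ttl] [IN] type rdata...
            name, rest = fields[0].lower(), fields[1:]
            if rest and rest[0].isdigit():
                rest = rest[1:]
            if rest and rest[0].upper() == "IN":
                rest = rest[1:]
            data[(name, rest[0].upper())].append(" ".join(rest[1:]))
        elif section == "forward-zone" and (m := re.match(r'name:\s*"?([^"\s]+)"?', line)):
            forwards.add(m.group(1).lower())
    return zones, data, forwards


def enclosing_zone(name, zone_names):
    """Most specific configured zone that contains name, or None."""
    labels = name.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in zone_names:
            return candidate
    return None


def resolve(name, qtype, config, forwarder=FORWARDER):
    """Answer (rcode, rdata) the way unbound.conf(5) describes each local-zone type."""
    zones, data, forwards = config
    name, qtype = name.lower(), qtype.upper()
    zone = enclosing_zone(name, zones)
    if zone is not None:
        if (name, qtype) in data:                    # every type: a local-data match wins
            return "NOERROR", data[(name, qtype)]
        name_exists = any(n == name for n, _ in data)
        if zones[zone] == "static":
            # static: local data is the whole zone, so a missing name is NXDOMAIN
            # (NODATA if only the type is missing) and forwarding is never consulted.
            return ("NODATA" if name_exists else "NXDOMAIN"), []
        if zones[zone] == "transparent" and name_exists:
            return "NODATA", []                      # transparent: name known, type not
        # transparent (other names) and typetransparent fall through to normal resolution
    if enclosing_zone(name, forwards) is not None:
        rdata = forwarder.get((name, qtype))
        return ("NOERROR", rdata) if rdata else ("NXDOMAIN", [])
    return "SERVFAIL", []                            # outside anything this model knows


def find_conflicts(config):
    """Forward-zone names that a non-transparent local-zone of the same name shadows."""
    zones, _, forwards = config
    return sorted(z for z in forwards
                  if zones.get(z) not in (None, "transparent", "typetransparent"))


if __name__ == "__main__":
    for label, text in (("posted", POSTED_CONFIG), ("transparent", TRANSPARENT_CONFIG),
                        ("fixed", FIXED_CONFIG)):
        cfg = parse_config(text)
        print(label, find_conflicts(cfg), resolve("ds1.ratmouse.ts.net.", "A", cfg))
```

Run as a script, the posted configuration reports the conflict and answers NXDOMAIN for ds1.ratmouse.ts.net, while both fixes reach the constructed forwarder and return 100.102.208.83; find_conflicts is the check to run over a real unbound.conf before trusting that a forward-zone is actually consulted.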
