unbound fails to do reverse look ups
Måns Nilsson
mansaxel at besserwisser.org
Sat Oct 18 18:17:16 UTC 2025
Subject: Re: unbound fails to do reverse look ups
Date: Sat, Oct 18, 2025 at 05:23:14PM +0200
Quoting Carlo Wood via Unbound-users (unbound-users at lists.nlnetlabs.nl):
> Any ideas?
The DNS firewall blocks DNS traffic via TCP but not UDP. If I had a
Eurocent every time a stupid firewall admin does that, I could devote
all my time to answering questions on mailing lists pro bono! :-)
Since the refusing reply arrives fast, it probably is in the form of an
ICMP unreachable.
Looking at traffic on the machine while asking the question, using a
tool like tcpdump and writing to file, to filter in Wireshark later,
probably is the best way to check this hypothesis.
What you are looking for is a TCP RST or ICMP unreach packet, and it
just might, if it is an ICMP one, contain the IP address of the offender.
My speculation here is that you normally don't end up with large answers
that trigger re-query over TCP (when the reply is large enough to
trigger the Truncated bit being set, most resolver servers re-query
via TCP) except when you look up reverses which are
signed. And the /8 delegations to RIR infrastructure typically are signed.
--
Måns Nilsson primary/secondary/besserwisser/machina
MN-1334-RIPE SA0XLR +46 705 989668
Yow! And then we could sit on the hoods of cars at stop lights!