Maintained by: NLnet Labs

[Unbound-users] Cannot reverse-resolve RFC1918 addresses

lst_hoe02 at
Tue Feb 14 10:19:46 CET 2012

Zitat von John Stäck <stack at>:

> Hi!
> I am having some issues getting unbound to do reverse-resolution of
> RFC1918 names, in this case (
> We got unbound set up as basically a local resolver cache, the config
> looks like this:
> server:
>   prefetch: yes
>   num-threads: 1
>   incoming-num-tcp: 256
>   outgoing-num-tcp: 256
>   statistics-interval: 60
> forward-zone:
>   name: "."
>   forward-addr:
>   forward-addr:
> The two forward-addr IP:s are our upstream recursive resolvers (which
> are set up to properly answer the RFC1918 stuff we need). When I ask
> them, I get a perfectly normal answer:
> $ dig @ -x +short
> But when I ask the unbound server, I get NXDOMAIN and a strange SOA:
> $ dig @ -x
> ; <<>> DiG 9.7.3 <<>> @ -x
> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 1244
> ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
> ;	IN	PTR
>	10800	IN	SOA	localhost. nobody.invalid. 1 3600 1200
> 604800 10800
> (removed some useless extra info for brevity)
> Unbound is not doing any forwarded upstream requests for the failed
> query (according to packet traces), and one rather odd thing is that I
> get nothing whatsoever in the log for it (no matter what verbosity). I
> get the exact same answer for any RFC1918 address, while all other
> queries (regular or reverse) resolve normally and show up in the log.
> A-record lookups that return 10.X addresses work just fine, it is only
> PTR records that do not.
> I have been messing around with some other settings, such as various
> combinations of private-address / private-domain, and setting
> as a separate forward or stub zone. In no case do I
> see anything for those queries in the logs.
> None of it works. The only way I get any answer back (except NXDOMAIN)
> is if I specify data with local-data or local-data-ptr, but those
> queries are not logged either.
> Tested on unbound 1.4.16 on Ubuntu 11.10, as well as 1.4.14-2~bpo60+1
> on debian squeeze with the same result.
> Have I set things up incorrectly (especially with the
> private-address/-domain)? From what I understand, not having these
> statements should mean they are treated normally and not filtered out,
> but it doesn't seem to make any difference to this issue. What should
> I do to get this going? Thankful for any pointers in the right
> direction.


the default is to not do queries for AS112 zones (reverse RFC1918):

	# a number of locally served zones can be configured.
	# 	local-zone: <zone> <type>
	# 	local-data: "<resource record string>"
	# o deny serves local data (if any), else, drops queries.
	# o refuse serves local data (if any), else, replies with error.
	# o static serves local data, else, nxdomain or nodata answer.
	# o transparent gives local data, but resolves normally for other names
	# o redirect serves the zone data for any subdomain in the zone.
	# o nodefault can be used to normally resolve AS112 zones.
	# defaults are localhost address, reverse for and ::1
	# and nxdomain for AS112 zones. If you configure one of these zones
	# the default content is omitted, or you can omit it with 'nodefault'.

So if you need reverse lookup for RF1918 address space you have to  
configure something like

local-zone: "" nodefault

and if you use DNSSEC maybe also

domain-insecure: ""
domain-insecure: "your.internal.domain"