[Unbound-users] Unexpected results - Unbound results don't match external DNS

pcl-associates
Sun Jul 27 22:21:56 CEST 2014


Hello Carsten,

Chris and you nailed the problem.  I had unbound forwarding set up.  As soon as I turned that off, I got the following results (see below) - same as yours.

I've attached my unbound.conf - it is based on the calomel.org unbound.conf but with modifications and improvements.  :-)  It probably could use further improvement.  To be clear, I'm only using unbound for internal purposes - it does not serve the internet.

As I understand it, unbound becomes "authoritative" (only for your own network) when you define the machines on your local network within unbound as it will then return the private addresses of your local machines.

Thank you for your help!

Patrick
# dig  158.24.39.46.zen.spamhaus.org. @a.ns.spamhaus.org.

; <<>> DiG 9.9.4-rpz2.13269.14-P2 <<>> 158.24.39.46.zen.spamhaus.org. @a.ns.spamhaus.org.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46513
;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;158.24.39.46.zen.spamhaus.org.	IN	A

;; ANSWER SECTION:
158.24.39.46.zen.spamhaus.org. 900 IN	A	127.0.0.11
158.24.39.46.zen.spamhaus.org. 900 IN	A	127.0.0.4

;; Query time: 25 msec
;; SERVER: 217.149.192.170#53(217.149.192.170)
;; WHEN: Sun Jul 27 20:22:08 CEST 2014
;; MSG SIZE  rcvd: 79


# dig 158.24.39.46.zen.spamhaus.org

; <<>> DiG 9.9.4-rpz2.13269.14-P2 <<>> 158.24.39.46.zen.spamhaus.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1310
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;158.24.39.46.zen.spamhaus.org.	IN	A

;; ANSWER SECTION:
158.24.39.46.zen.spamhaus.org. 3408 IN	A	127.0.0.11
158.24.39.46.zen.spamhaus.org. 3408 IN	A	127.0.0.4

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sun Jul 27 20:22:19 CEST 2014
;; MSG SIZE  rcvd: 90
On Jul 27, 2014, at 10:36 AM, Carsten Strotmann <unbound at strotmann.de> wrote:

> 
> Hello Patrick,
> 
> pcl-associates writes:
> 
>> Hi Carsten,
>> 
>> Unfortunately, the issue is not limited to nslookup.  Here's what I
>> get when I run the same dig command you did below.
> 
> Yes, you do not get what you've expected, but the dig output gives much
> better information (see below).
> 
>> Evidently
>> something isn't right because my results should match yours. 
> 
>> In a
>> separate email, Chris asked if I was using this as a forwarder or
>> resolver.  I am using it as an authoritative, validating, recursive
>> caching DNS server as described here:
>> https://calomel.org/unbound_dns.html.
>> 
> 
> That page is a little outdated (covers Unbound 1.4.9, current is
> 1.4.22). Also, you are probably running Unbound as a validating,
> recursive caching DNS server, as Unbound is not designed to be an
> authoritative server (that would be an NSD or BIND 9 or PowerDNS
> ...). The calomel.org website just defines these DNS terms.
> 
> Could you share your "unbound.conf" with this list?
> 
> You have a forwarding server if you have configuration lines with
> "forward-zone:" in your configuration. Usually it is recommended *NOT*
> to use forwarding (instead, let your Unbound talk directly to the
> authoritative DNS servers in the Internet), unless you have a good
> reason to do so (network topology or firewall-policy).
> 
>> # dig 158.24.39.46.zen.spamhaus.org.
>> 
>> ; <<>> DiG 9.9.4-rpz2.13269.14-P2 <<>> 158.24.39.46.zen.spamhaus.org.
>> ;; global options: +cmd
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 22741
>> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
>> 
>> ;; OPT PSEUDOSECTION:
>> ; EDNS: version: 0, flags:; udp: 4096
>> ;; QUESTION SECTION:
>> ;158.24.39.46.zen.spamhaus.org.	IN	A
>> 
>> ;; AUTHORITY SECTION:
>> zen.spamhaus.org.	3546	IN	SOA	need.to.know.only. hostmaster.spamhaus.org. 1407271350 3600 600 432000 150
>> 
>> ;; Query time: 39 msec
>> ;; SERVER: 127.0.0.1#53(127.0.0.1)
>> ;; WHEN: Sun Jul 27 15:52:37 CEST 2014
>> ;; MSG SIZE  rcvd: 122
>> 
> 
> Unlike with your nslookup response, which gave an IPv4 address record
> back, this response is actually a response saying that the requested
> domain name does not exist (NXDOMAIN). A very different response.
> 
> Let's try to ask the authoritative DNS servers for
> "zen.spamhaus.org". I see:
> 
> % dig  158.24.39.46.zen.spamhaus.org. @a.ns.spamhaus.org. 
> 
> ; <<>> DiG 9.10.0-P1 <<>>
>  158.24.39.46.zen.spamhaus.org. @a.ns.spamhaus.org.
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22021
> ;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
> ;; WARNING: recursion requested but not available
> 
> ;; QUESTION SECTION:
> ;158.24.39.46.zen.spamhaus.org. IN      A
> 
> ;; ANSWER SECTION:
> 158.24.39.46.zen.spamhaus.org. 900 IN   A       127.0.0.11
> 158.24.39.46.zen.spamhaus.org. 900 IN   A       127.0.0.4
> 
> ;; Query time: 26 msec
> ;; SERVER: 2001:7b8:3:1f:0:2:53:1#53(2001:7b8:3:1f:0:2:53:1)
> ;; WHEN: Sun Jul 27 19:33:46 CEST 2014
> ;; MSG SIZE  rcvd: 79
> 
> 
> -- 
> Carsten Strotmann
> Email: cas at strotmann.de
> Blog: strotmann.de
> 
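An offline check for the kind of mismatch discussed in this thread, added here as an example (it is not from the original mails or from Unbound): it parses two captured dig outputs, one from the zone's authoritative server and one from the local resolver, and reports where the answers diverge. The two sample outputs are constructed from the responses quoted above.

```python
import re

# Constructed samples modelled on the outputs quoted in this thread:
# the authoritative server lists the address, the forwarding resolver says NXDOMAIN.
AUTH_DIG = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46513
;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
;; ANSWER SECTION:
158.24.39.46.zen.spamhaus.org. 900 IN\tA\t127.0.0.11
158.24.39.46.zen.spamhaus.org. 900 IN\tA\t127.0.0.4
"""
RESOLVER_DIG = """\
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 22741
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; AUTHORITY SECTION:
zen.spamhaus.org.\t3546\tIN\tSOA\tneed.to.know.only. hostmaster.spamhaus.org. 1407271350 3600 600 432000 150
"""

def parse_dig(text):
    """Return (status, header flags, set of A-record addresses in the ANSWER section)."""
    status = re.search(r"status: (\w+)", text).group(1)
    flags = set(re.search(r"flags: ([\w ]*);", text).group(1).split())
    answers, in_answer = set(), False
    for line in text.splitlines():
        if line.startswith(";; ANSWER SECTION:"):
            in_answer = True
        elif not line.strip() or line.startswith(";"):
            in_answer = False          # blank line or another section header
        elif in_answer:
            m = re.match(r"\S+\s+\d+\s+IN\s+A\s+(\S+)$", line)
            if m:
                answers.add(m.group(1))
    return status, flags, answers

def compare(auth_text, resolver_text):
    """List the ways the resolver's answer diverges from the authoritative one."""
    a_status, a_flags, a_recs = parse_dig(auth_text)
    r_status, _, r_recs = parse_dig(resolver_text)
    findings = []
    if "aa" not in a_flags:
        findings.append("reference answer lacks the aa flag; query the zone's own server")
    if a_status != r_status:
        findings.append(f"status differs: authoritative={a_status} resolver={r_status}")
    if a_recs != r_recs:
        findings.append(f"A records differ: authoritative={sorted(a_recs)} resolver={sorted(r_recs)}")
    if a_status == "NOERROR" and r_status == "NXDOMAIN":
        findings.append("resolver denies a name the zone serves: check for forward-zone: in unbound.conf")
    return findings

if __name__ == "__main__":
    for finding in compare(AUTH_DIG, RESOLVER_DIG):
        print("MISMATCH:", finding)
```

Feed it the full text of two real `dig` runs (authoritative server versus `127.0.0.1`) to repeat the comparison Carsten did by hand; an empty findings list means the resolver agrees with the zone.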

-------------- next part --------------
A non-text attachment was scrubbed...
Name: unbound.conf.rtf
Type: text/rtf
Size: 12634 bytes
Desc: not available
URL: <https://unbound.nlnetlabs.nl/pipermail/unbound-users/attachments/20140727/32377348/attachment-0001.bin>