Maintained by: NLnet Labs

[Unbound-users] Disabling EDNS0?

Michael Tokarev
Sat Oct 25 08:24:07 CEST 2014


On 10/15/2014 01:36 PM, Michael Tokarev wrote:
> On 15.10.2014 10:48, Jelte Jansen wrote:
>> On 10/14/2014 09:13 PM, Michael Tokarev wrote:
>>> Hello.
>>>
>>> It looks like there's a common problem in various networks -- some
>>> resolvers do not understand the EDNS0 OPT record at the end of the DNS
>>> query packet and return either an NXDOMAIN or NODATA response to *any*
>>> such query, no matter if the domain in question exists or not.
>>
>> I guess you mean authoritative servers, not resolvers?
> 
> No, I mean resolvers.  The 'dns server' setting which is being sent over
> DHCP -- some distributions use this information and make it available
> to unbound as `unbound-control forward <ip.add.re.ss>'.
> 
> At least one network I came across here redirects outgoing port 53 to
> the local resolver, so it isn't really possible to get it to work
> even after disabling explicit forwarding.
> 
> So the talk is about broken recursive resolvers (mostly in various
> SOHO routers), not about certain domains.
> 
> (The talk is about Dusseldorf, DE -- I'm at LinuxCon right now, and
> the wifi network in the DCC is of this kind, with a broken DNS resolver.
> I found many other wifi networks around the city share the same
> brokenness -- so it looks like some local telecom issue.)
> 
> []
>> But I'd rather see we try to get those broken domains fixed. Note that
>> they do not need to support EDNS0, they just need to follow the RFCs
>> instead of giving false answers.
> 
> As a user I just had to disable unbound (which I used for local DNS
> caching), because I really needed the thing to work; I don't have
> any time to fight with this prob at the conference.

So I ended up throwing away unbound which gave me so many headaches
and installing dnsmasq.  It is not as nice and all, but it has a
huge advantage over unbound: it actually works, while unbound, with
all its bells and whistles, does not.

Thanks,

/mjt

>> Note that any reasonably modern resolver would be adding EDNS0 by
>> default, so if they are responding badly to it they should have a lot
>> more problems.
> 
> Apparently, with so many people around me, I was the only one in here
> who had this prob ;)