Maintained by: NLnet Labs

[Unbound-users] Unbound periodically stops providing valid lookups

W.C.A. Wijngaards
Thu Sep 25 09:57:39 CEST 2014



Hi Derrick,

On 09/24/2014 07:17 PM, Derrick Shields wrote:
> Synopsis: having issues where unbound stops responding properly to 
> lookups (doesn't report error, just gives bad info) until I restart
> it.

Can you give your configuration, especially the stub and forward parts
that you may have?  And if you have multiple, especially for "." and
"org.".

> Background:
> 
> I recently upgraded pfsense to 2.1 and switched to Unbound for the
> DNS resolver because I needed to do resolving directly instead of
> forwarding due to mail RBL service query overloading.  Had no
> problem getting Unbound to work initially, but after a day I
> started getting a lot of malformed MX record lookups on my mail
> server and when I queried the records I was seeing a lot of null mx
> records, but doing a lookup on an external DNS service showed
> normal MX records.  I disabled DNSSEC thinking it was related to
> that and the problem *seemed* to go away. However today the same
> problem started happening again and restarting the Unbound service
> has resolved.  When the problem happens, Unbound reports bad info
> for the lookup... below is a lookup for navyfederal.org MX and
> notice it returns a null MX

The difference is the org NS records.  When it goes wrong the org NS
records are changed to the bug-this stuff.  Unbound queries the fake
.org servers run by this outfit and gets their (wildcarded) response
for every org domain.

The fix is that unbound should not pick up those NS records and
normally this happens with bailiwick filters and other scrub activity.
However, this has not happened now.

Please tell me your configuration in more detail, if you have private
servers involved (I mean not unbound but other servers on your
network), do they have weird configuration (e.g. host the .org or root
zone)?

Best regards,
   Wouter


> 
>>> dig @192.168.100.1 -t mx navyfederal.org.
> 
> ; <<>> DiG 9.9.5-3-Ubuntu <<>> @192.168.100.1 -t mx navyfederal.org.
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17827
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 1
> 
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ;; QUESTION SECTION:
> ;navyfederal.org.               IN      MX
> 
> ;; ANSWER SECTION:
> navyfederal.org.        261     IN      MX      0 .
> 
> ;; AUTHORITY SECTION:
> org.                    22284   IN      NS      ns.buydomains.com.
> org.                    22284   IN      NS      this-domain-for-sale.com.
> 
> ;; Query time: 0 msec
> ;; SERVER: 192.168.100.1#53(192.168.100.1)
> ;; WHEN: Wed Sep 24 12:29:47 EDT 2014
> ;; MSG SIZE  rcvd: 125
> 
> 
> 
> 
> Restarting Unbound and repeating now gives:
> 
> 
>>> dig @192.168.100.1 -t mx navyfederal.org.
> 
> ; <<>> DiG 9.9.5-3-Ubuntu <<>> @192.168.100.1 -t mx navyfederal.org.
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14040
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 2
> 
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ;; QUESTION SECTION:
> ;navyfederal.org.               IN      MX
> 
> ;; ANSWER SECTION:
> navyfederal.org.        300     IN      MX      10 navyfederal-org.mail.protection.outlook.com.
> 
> ;; AUTHORITY SECTION:
> navyfederal.org.        500     IN      NS      ns1.navyfedcu.org.
> navyfederal.org.        500     IN      NS      ns.navyfedcu.org.
> navyfederal.org.        500     IN      NS      ns1.navyfederal.org.
> 
> ;; ADDITIONAL SECTION:
> ns1.navyfederal.org.    500     IN      A       4.31.59.245
> 
> ;; Query time: 41 msec
> ;; SERVER: 192.168.100.1#53(192.168.100.1)
> ;; WHEN: Wed Sep 24 12:35:48 EDT 2014
> ;; MSG SIZE  rcvd: 182
> 
> 
> 
> I'm not seeing anything obvious in the Unbound logs, so any help on
> how to troubleshoot this is greatly appreciated.
> 
> 
> _______________________________________________ Unbound-users
> mailing list Unbound-users at unbound.net 
> http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users
> 

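The bailiwick filtering Wouter refers to, shown as a simplified model. This is an added example, not Unbound's scrubber and not code from this thread: it represents resource records as plain tuples rather than wire-format messages, and it assumes (the thread does not show this) that the org. NS records seen in the first dig output arrived in a reply from a server that was only delegated for navyfederal.org. Applying the rule "a server delegated for zone Z may only supply records at or below Z" drops those org. NS records before they can reach the cache, while the healthy second response passes untouched.

```python
from collections import namedtuple

# A resource record as (owner name, TTL, type, rdata); a response is a dict
# with "answer", "authority" and "additional" lists. This representation is
# constructed for the example; a resolver works on wire-format messages.
RR = namedtuple("RR", "owner ttl rrtype rdata")


def normalize(name):
    """Lower-case and fully qualify a domain name."""
    name = name.lower()
    return name if name.endswith(".") else name + "."


def in_bailiwick(owner, zone):
    """True if owner is at or below zone, the zone the queried server is
    authoritative for (learned from the delegation that led us there)."""
    owner, zone = normalize(owner), normalize(zone)
    if zone == ".":
        return True  # a root server may speak for any name
    return owner == zone or owner.endswith("." + zone)


def scrub(response, zone):
    """Return (scrubbed_response, dropped), where dropped holds one reason
    per record removed. Records whose owner lies outside the zone the
    server was delegated for are discarded, so a server delegated for
    navyfederal.org cannot install NS records for org. in the cache.
    (CNAME chains that leave the zone, which a real resolver follows with
    separate queries, are out of scope for this model.)"""
    clean = {}
    dropped = []
    for section in ("answer", "authority", "additional"):
        clean[section] = []
        for rr in response.get(section, []):
            if in_bailiwick(rr.owner, zone):
                clean[section].append(rr)
            else:
                dropped.append(
                    f"{section}: {rr.owner} {rr.rrtype} {rr.rdata} "
                    f"is outside bailiwick {normalize(zone)}")
    return clean, dropped


# Constructed responses modelled on the two dig outputs quoted above.
# POISONED assumes the org. NS records came from a server delegated only
# for navyfederal.org (an assumption; the thread shows only the cache).
POISONED = {
    "answer": [RR("navyfederal.org.", 261, "MX", "0 .")],
    "authority": [
        RR("org.", 22284, "NS", "ns.buydomains.com."),
        RR("org.", 22284, "NS", "this-domain-for-sale.com."),
    ],
    "additional": [],
}

GOOD = {
    "answer": [RR("navyfederal.org.", 300, "MX",
                  "10 navyfederal-org.mail.protection.outlook.com.")],
    "authority": [
        RR("navyfederal.org.", 500, "NS", "ns1.navyfedcu.org."),
        RR("navyfederal.org.", 500, "NS", "ns.navyfedcu.org."),
        RR("navyfederal.org.", 500, "NS", "ns1.navyfederal.org."),
    ],
    "additional": [RR("ns1.navyfederal.org.", 500, "A", "4.31.59.245")],
}

if __name__ == "__main__":
    for label, resp in (("poisoned", POISONED), ("good", GOOD)):
        clean, dropped = scrub(resp, "navyfederal.org.")
        kept = sum(len(v) for v in clean.values())
        print(f"{label}: kept {kept} records, dropped {len(dropped)}")
        for reason in dropped:
            print("  dropped", reason)
```

The drop reasons are what an operator would want logged: a delegated server repeatedly handing out NS records for a parent zone is exactly the symptom in this thread, and a log line per dropped record makes it visible without waiting for MX lookups to go bad.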