Maintained by: NLnet Labs

Unbound does not response a forwarded query

Adrian Zhang
Tue Feb 28 15:57:25 CET 2017


Hey Wouter,


Thanks for the further suggestion, which really helps. intra is for sure not signed and there is no domain-insecure setting.
Running dig +cdflag on the client gets the correct answer.


Once I create a domain-insecure setting in unbound.conf, it works!


Replaying the full picture:


Windows Server version: Windows Server 2012 R2 Standard Edition, pure clean initial installation with AD and DNS. Two DCs.
Unbound is used for DNS routing, forwarding the domain which was created on Windows AD and DNS.


In the first stage, I created Windows AD with DNS and the domain was set in the standard model, like intra.my-domain.com.; at this stage, Unbound forwarding works from the client's point of view.
In the second stage, I reinstalled Windows AD with DNS and the domain was set in the private model, like mine.intra.; at this stage, from the client's point of view, Unbound forwarding failed until setting domain-insecure: "mine.intra" in unbound.conf.


This case tells me that Windows AD sets a private domain into the not-signed or insecure model but sets a standard domain into the secure model by default, which is the root cause.


Thank you again for your efficient and quick help, Wouter.


Cheers,


Adrian
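The fix that resolved this thread is a config-consistency rule: a forward-zone for an unsigned private suffix needs a matching domain-insecure entry, or Unbound's validator answers SERVFAIL. The following script is an added example, not part of the thread and not NLnet Labs code; it parses the forward-zone and domain-insecure statements of an unbound.conf and reports forward zones the validator will still try to validate. The sample configuration is constructed, modelled on the one posted in the thread (the corp.example. zone and the addresses 10.3.4.21 and 10.3.5.53 are invented). It is a complement to unbound-checkconf, which checks syntax but not this policy.

```python
"""Audit an unbound.conf for forward zones that lack a domain-insecure entry.

Constructed example, not part of the original mailing-list thread.  Unbound
validates forwarded answers like any other answer, so a forward-zone for a
private, unsigned suffix such as mine.intra. yields SERVFAIL for clients
unless that name is listed under domain-insecure: in the server: clause.
"""

# Constructed sample, modelled on the thread's configuration.
SAMPLE_CONF = """\
server:
    interface: 0.0.0.0
    access-control: 10.0.0.0/8 allow
    # private AD domain, unsigned: the validator must be told to trust it
    domain-insecure: "mine.intra"

forward-zone:
    name: "mine.intra."
    forward-addr: 10.3.3.21
    forward-addr: 10.3.3.22
    forward-first: no

forward-zone:
    name: "corp.example."
    forward-addr: 10.3.4.21

forward-zone:
    name: "."
    forward-addr: 10.3.5.53
"""


def canon(name):
    """Lower-case, strip surrounding quotes, and ensure one trailing dot."""
    name = name.strip().strip('"').strip("'").lower().rstrip(".")
    return name + "."


def parse_unbound_conf(text):
    """Return (forward_zones, insecure): a dict of zone name -> forward-addr
    list, and the set of canonical names given as domain-insecure."""
    forward_zones = {}
    insecure = set()
    section = None
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()     # drop comments and blanks
        if not line:
            continue
        if line.endswith(":") and " " not in line:  # clause header, e.g. "server:"
            section = line[:-1]
            current = {"name": None, "addrs": []} if section == "forward-zone" else None
            continue
        key, _, value = line.partition(":")    # IPv4 forward-addr only in this sample
        key, value = key.strip(), value.strip()
        if section == "server" and key == "domain-insecure":
            insecure.add(canon(value))
        elif section == "forward-zone" and current is not None:
            if key == "name":
                current["name"] = canon(value)
                forward_zones[current["name"]] = current["addrs"]
            elif key == "forward-addr":
                current["addrs"].append(value)
    return forward_zones, insecure


def covered_by_insecure(zone, insecure):
    """A domain-insecure entry covers the name itself and everything below it."""
    return any(zone == ins or zone.endswith("." + ins) for ins in insecure)


def forward_zones_without_insecure(text):
    """Forward zones (other than the root) that the validator will still try
    to validate; if they are unsigned private names, clients get SERVFAIL."""
    zones, insecure = parse_unbound_conf(text)
    return sorted(z for z in zones if z != "." and not covered_by_insecure(z, insecure))


if __name__ == "__main__":
    for zone in forward_zones_without_insecure(SAMPLE_CONF):
        print(f"forward-zone {zone} has no matching domain-insecure entry")
```

The root zone is excluded on purpose: forwarding "." (Wouter's earlier suggestion) is about where queries go, not about validation. Keep domain-insecure scoped to the private suffix only; listing a broader name switches off DNSSEC validation for everything beneath it.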




------------------ Original ------------------
From:  "W.C.A. Wijngaards via Unbound-users"<unbound-users at unbound.net>;
Date:  Tue, Feb 28, 2017 07:52 PM
To:  "unbound-users"<unbound-users at unbound.net>; 

Subject:  Re: Unbound does not response a forwarded query

 
Hi Adrian,

Looks like it could be SERVFAIL because of DNSSEC.  Is intra not signed,
but you don't have domain-insecure: "intra" ?  Or is there some other
DNSSEC failure?  dig +cdflag, or get validation error from unbound logs.

Best regards, Wouter

On 28/02/17 10:46, Adrian Zhang via Unbound-users wrote:
> Hey Wouter,
> 
> Thanks a lot for solution. I create "." forwarding settings in
> unbound.conf and restart the Unbound service, unfortunately client still
> can not receive the response from Unbound.
> 
> on client:
> 
> $ dig file.mine.intra @IP_OF_Unbound                                    
>                                     [2270](s021){return: 0}
> 
> ; <<>> DiG 9.8.3-P1 <<>> file.mine.intra @IP_OF_Unbound
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 20813
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
> 
> ;; QUESTION SECTION:
> ;file.mine.intra.              IN      A
> 
> ;; Query time: 9 msec
> ;; SERVER: 10.3.3.6#53(10.3.3.6)
> ;; WHEN: Tue Feb 28 17:05:50 2017
> ;; MSG SIZE  rcvd: 34
> 
> 
> on Unbound server (after receive one query from client):
> unbound-control dump_cache|grep unicc.intra
> mine.intra.        86200   IN   SOA   dc2.mine.intra. hostmaster.mine.intra. 65 900 600
> 86400 3600
> file.mine.intra.   86095   IN   A     10.3.3.50
> 
> Best,
> 
> Adrian
>  
> ------------------ Original ------------------
> *From: * "W.C.A. Wijngaards via Unbound-users"<unbound-users at unbound.net>;
> *Date: * Tue, Feb 28, 2017 04:50 PM
> *To: * "unbound-users"<unbound-users at unbound.net>;
> *Subject: * Re: Unbound does not response a forwarded query
>  
> Hi Adrian,
> 
> Unbound waits until the root has done.  But you do not allow these
> queries to be done.
> 
> You can stop unbound from querying the root NS by setting a forward zone
> for the root (".") to somewhere.
> 
> Best regards, Wouter
> 
> On 28/02/17 06:16, Adrian Zhang via Unbound-users wrote:
>> When I check Unbound cache, it shows
>>
>> unbound-control dump_cache|grep mine.intra
>> file.mine.intra.   86387   IN   A   10.3.3.50
>> msg file.mine.intra. IN A 33152 1 47 1 1 0 0
>> file.mine.intra. IN A 0
>>
>> 3 records about file.mine.intra are generated by one client query.
>>
>> Adrian
>>
>> ------------------ Original ------------------
>> *From: * "Adrian Zhang via Unbound-users"<unbound-users at unbound.net>;
>> *Date: * Tue, Feb 28, 2017 10:59 AM
>> *To: * "unbound-users"<unbound-users at unbound.net>;
>> *Subject: * Unbound does not response a forwarded query
>> 
>> Hi there,
>>
>> I am using unbound to forward mine.intra, which is a private domain of
>> Microsoft Windows Active Directory, because the DNS server on the
>> Windows server has the record.
>>
>> First of all, there is a record file.mine.intra created on the DNS server
>> on Windows, and it works for clients running "dig file.mine.intra
>> @IP-OF-WINDOWS".
>> Second, I create the forward configuration in unbound.conf and restart
>> Unbound; details are listed below. But Unbound is not able to respond
>> to the client which runs "dig file.mine.intra @IP-OF-UNBOUND":
>> forward-zone:
>>         name: "mine.intra."
>>         forward-addr: 10.3.3.21
>>         forward-addr: 10.3.3.22
>>         forward-first: no
>> (10.3.3.21 is dc1 of mine.intra, 10.3.3.22 is dc2 of mine.intra.)
>> Finally, I use tcpdump -w to capture packets and save them to a file to
>> see what happens. Then, opening the capture file in Wireshark, I get the
>> result below.
>>
>> Time       Source         Dest.          Protocol  Length  Info
>> 7.841795   client_ip      Unbound_ip     DNS       76      Standard query 0xb80a A file.mine.intra
>> 7.842781   Unbound_ip     Windows_ip     DNS       87      Standard query 0xdece A file.mine.intra OPT
>> 7.843769   ReltekU_e9:..  Broadcast      ARP       60      Who has IP_OF_Unbound? Tell IP_OF_Windows
>> 7.843788   ReltekU_64..   ReltekU_e9:..  ARP       42      IP_OF_Unbound is at 52:54:00:64:37:c7
>> 7.844291   Windows_ip     Unbound_ip     DNS       103     Standard query response 0xdece A file.mine.intra A 10.3.3.50 OPT
>> 7.844761   Unbound_ip     192.8.128.30   DNS       70      Standard query 0x8762 NS <ROOT> OPT
>>
>> Clearly Windows responds to the query, but Unbound does not receive it
>> and forward the response to the client; instead it continually queries
>> the ROOT DNS. BTW, there are also standard private domain forwarding
>> settings (same format as above) in the same unbound.conf, and they work
>> well, such as my-private-domain.com forwarded to a BIND server.
>>
>> Why does this happen, and how can I make Unbound respond to the client
>> when it queries a host in xxx.intra?
>>
>> Thanks in advance.
>>
>> Adrian
> 
> 
>