Help forwarding PTR queries from Unbound to Knot DNS

Hi all,

I’m setting up Unbound in my home lab and am having trouble forwarding PTR queries to my Knot DNS server. My A queries for [econger.net](http://econger.net) work fine, but reverse lookups for the 10.0.0.0/24 range appear to follow the normal recursion path to the root servers, as indicated by my query logs.

Here is my test configuration:

remote-control:
  control-enable: yes
  control-interface: /run/unbound.ctl

server:
  verbosity: 3
  log-servfail: yes
  auto-trust-anchor-file: "/var/lib/unbound/root.key"
  qname-minimisation: yes
  interface: 10.0.0.11
  access-control: 10.0.0.0/16 allow
  private-address: 10.0.0.0/24
  private-domain: econger.net.
  private-domain: 0.0.10.in-addr.arpa.

stub-zone:
  name: "econger.net."
  stub-addr: 10.0.0.14

stub-zone:
  name: "0.0.10.in-addr.arpa."
  stub-addr: 10.0.0.14

While the econger.net stub works fine, the 0.0.10.in-addr.arpa stub does not. I also tried configuring these as forward-zone entries using forward-addr, but I got the same result.

Here’s the error I see during reverse lookups:

root@raspy1:/etc/unbound# nslookup 10.0.0.1 10.0.0.11
** server can't find 1.0.0.10.in-addr.arpa: NXDOMAIN

However, querying the same address directly from my Knot DNS server works fine:

root@raspy1:/etc/unbound# nslookup 10.0.0.1 10.0.0.14
1.0.0.10.in-addr.arpa name = fw1.econger.net.

I’m using Unbound version 1.19.2-1ubuntu3.2 on Ubuntu 24.04.1 on a Raspberry Pi 3 B+, and Knot DNS version 3.3.4-1.1build2 on the same hardware/OS combo.

Any advice on what might be wrong or how to resolve the issue would be greatly appreciated!

Thanks,
April

stub-zone:
  name: "0.0.10.in-addr.arpa."
  stub-addr: 10.0.0.14

Did you try widening your zone to /24 and changing it to forward?

An example:

forward-zone:
  name: "10.in-addr.arpa."
  forward-addr: 10.0.0.14

HTH

I think you are hitting the built-in empty zones for private AS112 address ranges. You can query the local zone with:

dig @localhost +norec 10.in-addr.arpa soa

If it contains localhost, then Unbound is serving its own empty zone. You need to override the 10.in-addr.arpa zone with your content. Local zone data is preferred over remote data. The easiest solution would be expanding it to the whole 10.0.0.0/8, as has already been recommended.

You would have to create a built-in NS entry pointing to 10.0.0.14.

10.in-addr.arpa. 600 IN NS your-ns-name.example.net.

Where your-ns-name.example.net. would be whatever 10.0.0.14 has as its name.

stub-zone:
  name: "10.in-addr.arpa."
  stub-addr: 10.0.0.14

You would also need to unblock the reverse zone with something like

  local-zone: 10.in-addr.arpa. transparent

if you want to use a subzone.
You can read about it at https://unbound.docs.nlnetlabs.nl/en/latest/manpages/unbound.conf.html#unbound-conf-local-zone-type-nodefault

Best regards,
-- Yorgos
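
Added example, not written by any poster in this thread: a small offline check that reads an unbound.conf and lists stub or forward zones that sit at or below a built-in empty reverse zone without a covering local-zone override, which is the failure discussed above. It assumes, as the replies describe, that a local-zone statement of type nodefault (on the default zone's own name) or transparent is what unblocks the zone; the function names are hypothetical and only the RFC 1918 reverse zones are listed.

```python
import re

# Subset of Unbound's built-in empty zones: RFC 1918 reverse ranges only.
DEFAULT_BLOCKED = ["10.in-addr.arpa.", "168.192.in-addr.arpa."] + [
    f"{n}.172.in-addr.arpa." for n in range(16, 32)]

def norm(name):
    """Strip quotes (straight or typographic), lower-case, add trailing dot."""
    name = name.strip().strip('"\u201c\u201d').lower()
    return name if name.endswith(".") else name + "."

def under(name, zone):
    return name == zone or name.endswith("." + zone)

def parse(conf):
    """Return (stub/forward zone names, {local-zone name: type})."""
    zones, local, clause = [], {}, None
    for raw in conf.splitlines():
        m = re.match(r"([a-z-]+):\s*(.*)", raw.split("#", 1)[0].strip())
        if not m:
            continue
        key, val = m.groups()
        if not val:  # clause header such as "server:" or "stub-zone:"
            clause = key
        elif key == "name" and clause in ("stub-zone", "forward-zone"):
            zones.append(norm(val))
        elif key == "local-zone" and len(val.split()) >= 2:
            zname, ztype = val.split()[:2]
            local[norm(zname)] = ztype.lower()
    return zones, local

def shadowed(conf):
    """Stub/forward zones that a built-in empty zone would still answer."""
    zones, local = parse(conf)
    hits = []
    for z in zones:
        for default in (d for d in DEFAULT_BLOCKED if under(z, d)):
            # Longest local-zone match wins; nodefault only counts on the default name.
            cover = [n for n in local if under(z, n) and under(n, default)
                     and (local[n] != "nodefault" or n == default)]
            closest = max(cover, key=len, default=None)
            if closest is None or local[closest] not in ("nodefault", "transparent"):
                hits.append((z, default))
    return hits

# Constructed sample mirroring the thread's stub-zone, and the same with an override.
SAMPLE = 'stub-zone:\n  name: "0.0.10.in-addr.arpa."\n  stub-addr: 10.0.0.14\n'
FIXED = 'server:\n  local-zone: "10.in-addr.arpa." transparent\n' + SAMPLE
if __name__ == "__main__":
    print(shadowed(SAMPLE), shadowed(FIXED))
```

A transparent override on the narrower name (0.0.10.in-addr.arpa.) also passes the check and leaves the rest of 10.in-addr.arpa answered by the built-in empty zone, so lookups for other 10.x addresses are not sent out to the public internet.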