Help Needed with Unbound

Hi Team,

I am new to Unbound and need some help.

I need to forward all requests to a local dnsmasq running on 127.0.0.1@5353.

Once I do that, I see all lookups are suffixed with the search string present in /etc/resolv.conf and return server fail. Even if I resolve by explicitly putting "." (dot) at the end, I still get server fail.

Version: 1.6.6

Config:

server:
    verbosity: 1
    username: root
    interface: 127.0.0.1
    port: 53
    chroot: ""
    do-ip4: yes
    do-udp: yes
    do-tcp: yes
    hide-identity: yes
    hide-version: yes
    msg-cache-size: 50m
    msg-cache-slabs: 4
    rrset-cache-size: 100m
    rrset-cache-slabs: 4
    cache-min-ttl: 300
    cache-max-negative-ttl: 300
    access-control: 0.0.0.0/0 allow
    logfile: "/var/log/unbound/unbound.log"
    log-identity: root
    log-queries: yes
    log-replies: yes
    pidfile: "/var/log/unbound/unbound.pid"
    prefetch: yes

forward-zone:
    name: "."
    forward-addr: 127.0.0.1@5353

2nd Question:

Considering the forward-zone configuration below, will all name lookups be forwarded to the OpenDNS servers (208.67.222.222/208.67.220.220), or will it send only those names which are not part of example.com and example.org?

forward-zone:
    name: "."
    forward-addr: 208.67.222.222
    forward-addr: 208.67.220.220

forward-zone:
    name: "example.com"
    forward-addr: 8.8.8.8

forward-zone:
    name: "example.org"
    forward-addr: 8.8.4.4

Thanks for help.

Hi,

Any suggestions?

I am able to test the 2nd scenario and all resolution will be done by the dns server as mentioned in name: "." (dot). Can someone please guide how we can route a few zones to a specific dns server and all the rest to google dns?

However, first one is still a problem, when I am using

forward-zone:
    name: "."
    forward-addr: 127.0.0.1@5353

it appends search string from resolv.conf.

E.g.: if the search string is internal.localhost then all example.com names are changing to example.com.internal.localhost.

If I put example.com. (dot at the end) then it returns server fail.

Hi Yogesh,

I am able to test the 2nd scenario and all resolution will be done by the dns
server as mentioned in name: "." (dot). Can someone please guide how we can
route a few zones to a specific dns server and all the rest to google dns?

The most specific match will be used. So in your example all queries
except example.com, example.org and their subdomains will go to the "."
forward-zone.

However, first one is still a problem, when I am using

forward-zone:
    name: "."
    forward-addr: 127.0.0.1@5353

it appends search string from resolv.conf.

E.g.: if the search string is internal.localhost then all example.com
names are changing to example.com.internal.localhost.

This is done by the client querying Unbound. Unbound itself does not use
your resolv.conf.

If I put example.com. (dot at the end) then it
returns server fail.

Check your Unbound logs to see why it is a SERVFAIL. My first guess is
that this is because your zone does not DNSSEC validate. In that case
you might want to have a look at the domain-insecure configuration option.

-- Ralph

Hi,

You will need:

server:
    do-not-query-localhost: no

to forward queries to dnsmasq listening on 127.0.0.1.

I don't know why Unbound's default config prohibits querying localhost.
Is it some security protection?

Regards,
Daisuke Higashi
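To make the two rules in the replies above concrete (Ralph's "most specific match wins" and Daisuke's do-not-query-localhost requirement), here is a small added Python example. It is not Unbound's code and not from anyone in this thread: it parses the forward-zone fragments posted earlier with a minimal parser, picks the forward-zone Unbound would use by longest matching suffix, and flags a forward-addr on 127.0.0.1 while do-not-query-localhost is still at its default of yes. The parser, the function names and the constructed config text are assumptions made for this example; the behaviour it models is the one the replies describe.

```python
"""Which forward-zone would a query hit, and is localhost forwarding allowed?

Added example, not Unbound source. The config text below is constructed
from the forward-zone fragments posted in this thread.
"""

# Constructed from the second question's config, plus Daisuke's server option.
CONSTRUCTED_CONF = """
server:
    do-not-query-localhost: no

forward-zone:
    name: "."
    forward-addr: 208.67.222.222
    forward-addr: 208.67.220.220

forward-zone:
    name: "example.com"
    forward-addr: 8.8.8.8

forward-zone:
    name: "example.org"
    forward-addr: 8.8.4.4
"""

# Constructed from the first question's config: forwards to dnsmasq on
# 127.0.0.1@5353 but leaves do-not-query-localhost at its default (yes).
CONSTRUCTED_CONF_LOCAL = """
server:
    interface: 127.0.0.1

forward-zone:
    name: "."
    forward-addr: 127.0.0.1@5353
"""


def parse_conf(text):
    """Minimal reader for the clause/attribute layout of unbound.conf.

    Returns (server_options, forward_zones) where forward_zones is a list of
    {'name': str, 'addrs': [str]}. Only 'server:' and 'forward-zone:' clauses
    are understood; '#' comments are dropped. IPv6 values with no '@' suffix
    would confuse the simple key/value split, so this stays IPv4-only.
    """
    server = {}
    zones = []
    current = None  # 'server' or the dict of the forward-zone being filled
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line == "server:":
            current = "server"
            continue
        if line == "forward-zone:":
            current = {"name": None, "addrs": []}
            zones.append(current)
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip().strip('"')
        if current == "server":
            server[key] = value
        elif isinstance(current, dict):
            if key == "name":
                current["name"] = value
            elif key == "forward-addr":
                current["addrs"].append(value)
    return server, zones


def labels(name):
    """'www.Example.com.' -> ['www', 'example', 'com']; '.' -> []."""
    name = name.rstrip(".").lower()
    return name.split(".") if name else []


def select_forward_zone(qname, zones):
    """Return the forward-zone whose name is the longest suffix of qname.

    The root zone '.' (zero labels) matches everything, so it is the
    fallback; a zone with more labels wins when its labels are a suffix.
    """
    q = labels(qname)
    best, best_len = None, -1
    for zone in zones:
        zl = labels(zone["name"])
        if len(zl) > len(q) or len(zl) <= best_len:
            continue
        if q[len(q) - len(zl):] == zl:
            best, best_len = zone, len(zl)
    return best


def localhost_forward_issues(server, zones):
    """Names of forward-zones that point at 127.0.0.0/8 while the default
    do-not-query-localhost: yes is still in effect (they would never be asked)."""
    if server.get("do-not-query-localhost", "yes").lower() == "no":
        return []
    flagged = []
    for zone in zones:
        hosts = (addr.split("@", 1)[0] for addr in zone["addrs"])
        if any(h.startswith("127.") for h in hosts):
            flagged.append(zone["name"])
    return flagged


if __name__ == "__main__":
    srv, fz = parse_conf(CONSTRUCTED_CONF)
    for name in ("www.example.com", "mail.example.org.", "example.net",
                 "example.com.internal.localhost"):
        print(name, "->", select_forward_zone(name, fz)["addrs"])
    print("localhost issues:", localhost_forward_issues(*parse_conf(CONSTRUCTED_CONF_LOCAL)))
```

The last query in the demo, example.com.internal.localhost, is the search-suffixed form of example.com that the first poster saw in the logs: once the client appends the resolv.conf search domain, the name no longer ends in example.com, so it falls through to the "." zone rather than the example.com forwarder.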

Thank you Ralph. I will check and get back to you.

I will set this property and try.