Not resolving some top level domain

Hi,

Unbound is not resolving some domains, but it works on BIND.
I have updated root.hints with this: wget ftp://FTP.INTERNIC.NET/domain/named.cache -O /var/unbound/etc/root.hints
Here is the example:

UNBOUND SERVER:

    [root@ns1smg ~]# dig @localhost +trace polri.go.id

    ; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.47.rc1.el6_8.4 <<>> @localhost +trace polri.go.id
    ; (2 servers found)
    ;; global options: +cmd
    ;; Received 12 bytes from ::1#53(::1) in 1 ms

BIND SERVER:

    [root@ns2smg ~]# dig @localhost +trace polri.go.id

    ; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.47.rc1.el6_8.4 <<>> @localhost +trace polri.go.id
    ; (2 servers found)
    ;; global options: +cmd
    . 501653 IN NS e.root-servers.net.
    . 501653 IN NS a.root-servers.net.
    . 501653 IN NS l.root-servers.net.
    . 501653 IN NS b.root-servers.net.
    . 501653 IN NS i.root-servers.net.
    . 501653 IN NS c.root-servers.net.
    . 501653 IN NS d.root-servers.net.
    . 501653 IN NS f.root-servers.net.
    . 501653 IN NS h.root-servers.net.
    . 501653 IN NS m.root-servers.net.
    . 501653 IN NS k.root-servers.net.
    . 501653 IN NS j.root-servers.net.
    . 501653 IN NS g.root-servers.net.
    ;; Received 508 bytes from ::1#53(::1) in 10 ms

    id. 172800 IN NS a.dns.id.
    id. 172800 IN NS b.dns.id.
    id. 172800 IN NS c.dns.id.
    id. 172800 IN NS e.dns.id.
    id. 172800 IN NS sec3.apnic.net.
    ;; Received 289 bytes from 2001:503:c27::2:30#53(2001:503:c27::2:30) in 310 ms

    go.id. 43200 IN NS b.dns.id.
    go.id. 43200 IN NS c.dns.id.
    go.id. 43200 IN NS d.dns.id.
    go.id. 43200 IN NS e.dns.id.
    ;; Received 189 bytes from 202.155.30.227#53(202.155.30.227) in 28 ms

    polri.go.id. 43200 IN NS ns2.polri.go.id.
    polri.go.id. 43200 IN NS ns4.polri.go.id.
    polri.go.id. 43200 IN NS ns3.polri.go.id.
    polri.go.id. 43200 IN NS ns1.polri.go.id.
    ;; Received 165 bytes from 103.19.177.177#53(103.19.177.177) in 192 ms

    polri.go.id. 38400 IN A 120.29.225.249
    ;; Received 45 bytes from 120.29.231.231#53(120.29.231.231) in 13 ms

Any idea what the issue is? These 2 servers are in the same subnet.
I've double checked that there is no routing issue.
Thank you in advance.

Regards,
Franky

Hello Franky,

dig +trace requires a local DNS server that allows cache snooping, which
Unbound does not allow (a security feature).

See
<https://docs.menandmice.com/pages/viewpage.action?pageId=6361009>
for a discussion on this issue.

Best regards

Carsten

Hi Carsten,

Thank you for your information.
But the real issue is Unbound being unable to resolve an .id domain.
Any other solutions?

Regards,
Franky

Hello Franky,

This does not seem to be a general Unbound issue; my Unbound resolves the .id
domain without issues.

$ dig polri.go.id

; <<>> DiG 9.10.4-P6-RedHat-9.10.4-4.P6.fc25 <<>> polri.go.id
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10130
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;polri.go.id. IN A

;; ANSWER SECTION:
polri.go.id. 38400 IN A 120.29.225.249

;; Query time: 2812 msec
;; SERVER: 2a01:198:2b6::22#53(2a01:198:2b6::22)
;; WHEN: Mo Feb 27 12:49:18 CET 2017
;; MSG SIZE rcvd: 56

However the domain "polri.go.id" has several errors, see

<https://zonemaster.net/test/774bd160515887e1>
and
<http://dnsviz.net/d/polri.go.id/dnssec/>

If you have issues resolving this domain, it is a problem of this
domain, not of the Unbound DNS resolver.

Best regards

Carsten

It so happens that just yesterday I reported problems with IPv4 DNS
to the owners of polri.go.id:

    $ dig +noall +ans +nocl +nottl -t mx polri.go.id
    polri.go.id. MX 0 mailprotection1.polri.go.id.
    polri.go.id. MX 10 mailprotection2.polri.go.id.
    polri.go.id. MX 20 mailprotection3.polri.go.id.

has DNSSEC-related problems as shown at:

    http://dnsviz.net/d/_25._tcp.mailprotection1.polri.go.id/dnssec/

The same can be verified with command-line DNS lookup utilities such
as "dig":

    $ dig +noall +ans +nocl +nottl -t ns polri.go.id
    polri.go.id. NS ns1.polri.go.id.
    polri.go.id. NS ns2.polri.go.id.
    polri.go.id. NS ns3.polri.go.id.
    polri.go.id. NS ns4.polri.go.id.

Queries to these nameservers for TLSA records fail:

    @ns1.polri.go.id.[120.29.230.230]
    ; <<>> DiG 9.11.0-P3 <<>> +dnssec +noall +cmd +comment +qu +ans +auth +nocl +nottl +nosplit +norecur -t tlsa _25._tcp.mailprotection1.polri.go.id @120.29.230.230
    ;; connection timed out; no servers could be reached

    ...

and yet queries for the same name with the record type changed to
"A" correctly return an answer showing that no such name exists:

    @ns1.polri.go.id.[120.29.230.230]
    ; <<>> DiG 9.11.0-P3 <<>> +dnssec +noall +cmd +comment +qu +ans +auth +nocl +nottl +nosplit -4 +norecur -t a _25._tcp.mailprotection1.polri.go.id @120.29.230.230
    ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 10894
    ;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1
    ;_25._tcp.mailprotection1.polri.go.id. IN A
    polri.go.id. SOA ns1.polri.go.id. lifin.polri.go.id. 3592 10800 600 2419200 900
    mailprotection1.polri.go.id. NSEC mailprotection2.polri.go.id. A RRSIG NSEC

    ...

This looks like a misconfigured Arbor Networks firewall, that blocks
various DNS lookups over IPv4 (but not IPv6). This is bad, since
many resolvers don't yet have IPv6 connectivity. In addition to
potential impact on email delivery see also:

    https://tools.ietf.org/html/draft-ietf-dnsop-no-response-issue-06

for why filtering of RRtypes is generally wrong. Please address
this problem to ensure that email to uspta.org arrives reliably in
a timely manner.
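Both diagnostic points raised in this thread can be reproduced without dig: Carsten's, that `+trace` depends on a resolver that answers non-recursive (cache-snooping) queries, and Viktor's, that an authoritative server answering an `A` query but silently dropping a `TLSA` query for the same name indicates RRtype filtering somewhere in the path. The script below is an added example written for this page; it is not code from Unbound, from dig, or from anyone in the thread. It uses only the Python standard library, builds raw DNS queries so the RD bit can be set explicitly, and treats a UDP timeout as a verdict distinct from NXDOMAIN or REFUSED. The verdict labels (TIMEOUT, EMPTY, ANSWER) and all function names are this example's own, and it does not assert exactly which reply Unbound returns to a refused non-recursive query, only that such a reply is not an answer.

```python
"""Stdlib-only DNS probe helpers for the two checks discussed in the thread:
(1) does a resolver answer non-recursive queries (what dig +trace needs)?
(2) does an authoritative server answer A but time out on TLSA (RRtype filtering)?
Added example; not Unbound's or dig's code."""
import socket
import struct

# RR type codes from RFC 1035 and RFC 6698 (TLSA)
QTYPE = {"A": 1, "NS": 2, "SOA": 6, "MX": 15, "AAAA": 28, "TLSA": 52}
RCODE = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
         4: "NOTIMP", 5: "REFUSED"}


def encode_name(name):
    """Wire-format encoding of a domain name (RFC 1035 section 3.1)."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype, rd=True, txid=0x1234):
    """One-question DNS query. rd=False is the non-recursive form that
    dig +trace sends to the local resolver to read its cached referrals."""
    flags = 0x0100 if rd else 0x0000          # RD is bit 0x0100 of the flags word
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPE[qtype], 1)


def parse_header(msg):
    """Decode the 12-byte DNS header into flags and section counts."""
    if len(msg) < 12:
        raise ValueError("truncated DNS message")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": txid,
        "qr": bool(flags & 0x8000),
        "aa": bool(flags & 0x0400),
        "rd": bool(flags & 0x0100),
        "ra": bool(flags & 0x0080),
        "rcode": RCODE.get(flags & 0x000F, "RCODE%d" % (flags & 0x000F)),
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def classify(reply):
    """Map a raw reply (None for a UDP timeout) to a one-word verdict."""
    if reply is None:
        return "TIMEOUT"                      # silent drop: the symptom Viktor reports
    h = parse_header(reply)
    if h["rcode"] != "NOERROR":
        return h["rcode"]                     # NXDOMAIN, REFUSED, SERVFAIL, ...
    if h["ancount"] == 0 and h["nscount"] == 0:
        return "EMPTY"                        # header-only style reply carrying no data
    return "ANSWER"


def probe(server, name, qtype, rd=True, timeout=3.0):
    """Send one UDP query to server:53 and return the raw reply, or None on timeout."""
    family = socket.AF_INET6 if ":" in server else socket.AF_INET
    q = build_query(name, qtype, rd=rd)
    with socket.socket(family, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        try:
            reply, _ = s.recvfrom(4096)
        except socket.timeout:
            return None
    return reply if reply[:2] == q[:2] else None   # drop replies with a wrong txid


def suspect_rrtype_filtering(verdicts):
    """True when the server answers A (data or a proper NXDOMAIN) but the
    TLSA query for the same name simply times out."""
    return (verdicts.get("A") in ("ANSWER", "NXDOMAIN")
            and verdicts.get("TLSA") == "TIMEOUT")


def compare_rrtypes(server, name, qtypes=("A", "TLSA")):
    """Query each RRtype non-recursively at an authoritative server."""
    return {t: classify(probe(server, name, t, rd=False)) for t in qtypes}


def snooping_allowed(resolver, name=".", qtype="NS"):
    """Does the resolver hand out cached data for a non-recursive query?
    This is what +trace relies on; Unbound refuses it by default."""
    return classify(probe(resolver, name, qtype, rd=False)) == "ANSWER"


if __name__ == "__main__":
    # Live checks. AUTH_SERVER and NAME are placeholders to fill in.
    print("local resolver allows cache snooping:", snooping_allowed("127.0.0.1"))
    AUTH_SERVER, NAME = "192.0.2.1", "_25._tcp.mail.example.net"   # placeholders (RFC 5737 / RFC 2606)
    v = compare_rrtypes(AUTH_SERVER, NAME)
    print(v, "RRtype filtering suspected:", suspect_rrtype_filtering(v))
```

Run with `python3 probe.py` on a host that can reach port 53. A `False` from `snooping_allowed` against a default Unbound is expected and is not a resolution problem; it only explains why `+trace` stops after the first hop. The pairing that matters for the thread's second finding is an `A` verdict of ANSWER or NXDOMAIN next to a `TLSA` verdict of TIMEOUT from the same server over IPv4, which is the signature of a middlebox dropping queries by RRtype rather than the name being absent.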