prevent unbound from attempting to contact root servers?

I'm attempting to configure unbound to act as a local caching
resolver. I just want unbound to blindly forward all queries to our
local recursive resolvers. That's it.

This has been somewhat challenging, because unbound's defaults are
clearly not optimized for this use case.

First, I turned off DNSSEC, and added the forward zone information:

    server:
            module-config: "iterator"

    forward-zone:
            name: "."
            forward-addr: <our nameserver1 IP>
            forward-addr: <our nameserver2 IP>
            forward-addr: <our nameserver3 IP>

But that wasn't enough, because unbound was killing queries for (or
containing) RFC1918 addresses, which we use. So I had to add:

    server:
            local-zone: "localhost." nodefault
            local-zone: "10.in-addr.arpa." nodefault
            local-zone: "127.in-addr.arpa." nodefault
            local-zone: "172.in-addr.arpa." nodefault
            local-zone: "192.in-addr.arpa." nodefault

So this seems to work.

BUT: when unbound starts, it attempts to discover the current root
nameservers. Unfortunately, it does this by attempting to send
queries directly to the root nameservers, instead of using the
forwarders. This fails, because only our recursive resolvers (the
ones I configured unbound to use as forwarders) are permitted to send
DNS queries to the Internet at large; all other outbound DNS traffic
is blocked. And unbound refuses to start (and refuses to answer
queries) until its attempts to reach the root nameservers time out,
which takes a good 20 seconds or so.

Moreover, after unbound is running and answering queries, it still
periodically attempts to contact the root nameservers directly.

I looked in the unbound.conf documentation to see if there was a way
to tell unbound to do one of the following:

    1. Use the configured forwarders to learn the current root
        nameservers, instead of attempting to contact them directly.

    2. Don't attempt to learn the current root nameservers at all,
        because unbound doesn't need to know them in this application.

But I could not find a way to accomplish either.

How can I prevent unbound from attempting to contact the root
nameservers directly?
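As an added check (not code from the thread or from the unbound project): a small Python linter that parses the unbound.conf fragments above and reports anything that would let the cache resolve on its own rather than through the forwarders. The resolver addresses in the sample are documentation placeholders, and the parser assumes one attribute per line under each bare `section:` header.

```python
# Constructed sample merging the two server:/forward-zone fragments from the thread.
SAMPLE_CONF = """\
server:
        module-config: "iterator"
        local-zone: "10.in-addr.arpa." nodefault
        local-zone: "172.in-addr.arpa." nodefault
        local-zone: "192.in-addr.arpa." nodefault
forward-zone:
        name: "."
        forward-addr: 192.0.2.53   # documentation address standing in for a site resolver
        forward-addr: 192.0.2.54
"""
# Reverse zones the thread marks nodefault so unbound forwards them instead of answering locally.
RFC1918_REVERSE = ("10.in-addr.arpa.", "172.in-addr.arpa.", "192.in-addr.arpa.")

def parse_unbound_conf(text):
    """Return [(section, [(key, value), ...])] in file order; keys may repeat.
    Assumes one attribute per line and a bare 'section:' line for each header."""
    sections = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.endswith(":") and ":" not in line[:-1]:
            sections.append((line[:-1], []))
        elif sections:
            key, _, value = line.partition(":")
            sections[-1][1].append((key.strip(), value.replace('"', "").strip()))
    return sections

def lint_forward_only(text):
    """Return findings that would let queries leave by any path other than the forwarders."""
    findings = []
    sections = parse_unbound_conf(text)
    server = [kv for name, kvs in sections if name == "server" for kv in kvs]
    root = [kvs for name, kvs in sections if name == "forward-zone" and ("name", ".") in kvs]
    if not root:
        findings.append('no forward-zone "." : unbound will iterate from the root hints itself')
    else:
        if not any(k in ("forward-addr", "forward-host") for k, _ in root[0]):
            findings.append('forward-zone "." has no forward-addr/forward-host')
        if ("forward-first", "yes") in root[0]:
            findings.append("forward-first: yes falls back to full recursion when forwarders fail")
    if "validator" in dict(server).get("module-config", "validator iterator"):
        findings.append('validator module loaded; the working configs in the thread use "iterator"')
    zones = dict(v.split(None, 1) for k, v in server if k == "local-zone" and " " in v)
    for zone in RFC1918_REVERSE:
        if zones.get(zone) not in ("nodefault", "transparent"):
            findings.append(f"{zone} keeps unbound's built-in local-zone and is not forwarded")
    return findings
```

Run `lint_forward_only(open("/etc/unbound/unbound.conf").read())` against a real file; an empty list means every check passed.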

https://tools.ietf.org/html/rfc7706#appendix-B.2

Thanks, but the examples in RFC7706 are addressing setting up a
completely self-contained nameserver that performs its own recursive
resolution. I have the exact opposite situation: I want unbound to
use nothing *except* our existing recursive resolvers.

(I tested the configuration in Appendix B.2, and unbound still
attempts to send queries directly to the root nameservers.)

Any other ideas?

Point the root-hints at a file containing your local server addresses?

That might also not work properly since once Unbound has used the hints to
get the current root server addresses, it'll probably try to refresh
directly from the real root servers instead of your fake hints.

Tony.

On the systems where I'm using just 'module-config: "iterator"' there
is no root.hints or named.cache file and no attempt is made by unbound
to contact the root servers.

Sonic via Unbound-users:

module-config: "iterator"

On the systems where I'm using just 'module-config: "iterator"' there
is no root.hints or named.cache file and no attempt is made by unbound
to contact the root servers.

I usually leave module-config at whatever unbound's default is; I don't mention it in unbound.conf.
On a stupid forwarder without DNSSEC validation I use something like this:

forward-zone:
   name: "."
   forward-addr: 192.0.53.53

server:
   local-zone: "10.in-addr.arpa." transparent
   ip-address: 127.0.0.1
   do-ip6: no
   chroot: /chroot/unbound
   do-daemonize: no
   logfile: ""
   pidfile: ""

remote-control:
   control-enable: yes
   control-interface: /run/unbound.control-interface
   control-use-cert: no

Andreas

I just want unbound to blindly forward all queries to our
local recursive resolvers. That's it.

I believe that Unbound is too intelligent to be a dumb DNS forwarder,
and concluded that we should use caching-forwarder-only software
(dnsmasq for example) if we want such a thing.

My favorite DNS caching forwarder is dnsdist configured as a
forwarder with a packet cache, like this:

-- dnsdist.conf
newServer({address="8.8.8.8", pool="dns"})
pc = newPacketCache(100000)
getPool("dns"):setCache(pc)
addAction(AllRule(), PoolAction("dns"))

Oops. For this use case, periodic health checking of the downstream server
(enabled by default) should be disabled:

-- dnsdist.conf
newServer({address="8.8.8.8", pool="dns"})
getServer(0):setUp() -- disable health check for 8.8.8.8
pc = newPacketCache(100000)
getPool("dns"):setCache(pc)
addAction(AllRule(), PoolAction("dns"))

Hi James

https://tools.ietf.org/html/rfc7706#appendix-B.2

Thanks, but the examples in RFC7706 are addressing setting up a
completely self-contained nameserver that performs its own recursive
resolution. I have the exact opposite situation: I want unbound to
use nothing *except* our existing recursive resolvers.

(I tested the configuration in Appendix B.2, and unbound still
attempts to send queries directly to the root nameservers.)

This is a bug that was fixed a long time ago. Update your version of
unbound to stop this behaviour. If you already have the latest version,
some sort of bug is hitting you but not other users?

Best regards, Wouter