Problem resolving private domains

Hello

We have Unbound 1.4.6 as a caching resolver for our internal network, which in turn forwards queries to Bind 9.7 at the border. It works fine except for our remote location (VPN), which uses 10.2.0.0/16 as its internal network.

We have set

  private-domain: "domain1.de"
  private-domain: "domain2.cz"

  local-zone: "10.in-addr.arpa" nodefault
  local-zone: "168.192.in-addr.arpa" nodefault

forward-zone:
    name: "."
    forward-addr: <IP-address-of-Bind97>

I have checked that Bind 9.7 can resolve both fine, but Unbound only resolves the "domain1.de" internal addresses correctly, which are located in 10.1.0.0/16, and not "domain2.cz", which are at 10.2.0.0/16. For domain2.cz we always get a timeout from Unbound, despite the fact that Unbound has asked Bind and has got the correct result?

Thanks for any help

Andreas

Hi Andreas,

What are the private-address: settings (esp. about 10.2/16)?
Is this about PTR queries or A queries?

Best regards,
   Wouter

a message of 36 lines which said:

We have set

You did not show the settings of private-address (private-domain's
result depends on private-address).

despite the fact the Unbound has asked Bind and have got the correct
result?

How did you check? tcpdump?

Quoting "W.C.A. Wijngaards" <wouter@NLnetLabs.nl>:

Hi Andreas,

What are the private-address: settings (esp. about 10.2/16)?
Is this about PTR queries or A queries?

Hello

The first problem is with A queries, e.g. "some.internal.domain1.de" works while "some.internal.domain2.cz" does not. But the PTR queries don't work either for 10.2.0.0/16.
As said, the upstream Bind resolves both fine (checked by tcpdump) because it has internal.domain1.de and internal.domain2.cz as slave zones from the Windows DNS servers.

Regards

Andreas

Two persons asked you about the value of your private-address
variables...

Quoting Stephane Bortzmeyer <bortzmeyer@nic.fr>:

a message of 36 lines which said:

We have set

You did not show the settings of private-address (private-domain's
result depends on private-address).

I was under the impression that setting private-domain was enough to allow RFC 1918 addresses as a result?

despite the fact the Unbound has asked Bind and have got the correct
result?

How did you check? tcpdump?

Yes, I can provide a dump with the result from "dig" and the question/answer originating from Unbound. Both succeed with no obvious differences.

Regards

Andreas

Quoting Stephane Bortzmeyer <bortzmeyer@nic.fr>:

Two persons asked you about the value of your private-address
variables...

It is not set at all, i.e. "default". So as far as I understand, Unbound should not strip RFC 1918 addresses in this case?

Regards

Andreas

Quoting "W.C.A. Wijngaards" <wouter@NLnetLabs.nl>:

Hi Andreas,

What are the private-address: settings (esp. about 10.2/16)?
Is this about PTR queries or A queries?

Sorry, I forgot the first question. "private-address:" is not set at all, so Unbound should not strip anything, I guess?

Regards

Andreas

Quoting lst_hoe02@kwsoft.de:

Quoting "W.C.A. Wijngaards" <wouter@NLnetLabs.nl>:

Hi Andreas,

What are the private-address: settings (esp. about 10.2/16)?
Is this about PTR queries or A queries?

Sorry, I forgot the first question. "private-address:" is not set at all, so Unbound should not strip anything, I guess?

Might it be related to the fact that the .cz TLD is DNSSEC signed and .de is not? Both subdomains don't use DNSSEC so far and have no trust chain, but that's the only difference I came up with...

Regards

Andreas

Hi Andreas,

Quoting "W.C.A. Wijngaards" <wouter@NLnetLabs.nl>:

Hi Andreas,

Quoting lst_hoe02@kwsoft.de:

Sorry, I forgot the first question. "private-address:" is not set at
all, so Unbound should not strip anything, I guess?

Might it be related to the fact that the .cz TLD is DNSSEC signed and
.de is not? Both subdomains don't use DNSSEC so far and have no trust
chain, but that's the only difference I came up with...

Yes if your own domain is not signed, then you must give:
  domain-insecure: "domain2.cz"

So that Unbound understands that there is no DS record published in .cz
for domain2.cz.

Okay, with "domain-insecure: domain2.cz" it works. But it strikes me as odd why internal.domain2.cz is different from Unbound's point of view than any other .cz domain? After all, Unbound forwards all queries to the upstream Bind anyway. I guess it is best to list all private domains also as insecure domains in case the TLDs get signed some day.

Many Thanks

Andreas
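As an added example (not configuration posted in this thread), the unbound.conf fragment below pulls together the settings the thread touches on: the catch-all forward-zone, the private-address/private-domain pairing Wouter and Stephane asked about, the nodefault reverse zones, and the domain-insecure entries Wouter recommended, applied to both internal domains as Andreas concluded. The domain names and networks are the thread's; the forwarder address, the file layout and the comments are assumptions.

```conf
# Added example unbound.conf fragment; not from the thread. Domain names and
# networks are the ones discussed above, the rest is assumed.
server:
    # private-address drops any answer whose A/AAAA data falls in the listed
    # ranges (rebinding protection). With no private-address entries at all,
    # nothing is filtered; once the RFC 1918 ranges are listed, every internal
    # zone that legitimately returns such addresses must be whitelisted with
    # private-domain, otherwise its answers are stripped and the lookup fails.
    private-address: 10.0.0.0/8
    private-address: 172.16.0.0/12
    private-address: 192.168.0.0/16

    private-domain: "domain1.de"
    private-domain: "domain2.cz"

    # Unbound answers the RFC 1918 reverse zones locally with NXDOMAIN by
    # default; nodefault lets the PTR queries go to the forwarder instead.
    local-zone: "10.in-addr.arpa." nodefault
    local-zone: "168.192.in-addr.arpa." nodefault

    # (trust anchor configuration, in whichever form you use, goes here)

    # Unsigned internal zones whose parent TLD is DNSSEC signed: tell the
    # validator not to expect a DS record for these names, so the chain of
    # trust from .cz (and from .de, once it is signed) stops above them.
    domain-insecure: "domain1.de"
    domain-insecure: "domain2.cz"

forward-zone:
    name: "."
    forward-addr: 192.0.2.53    # assumed placeholder for the border Bind 9.7
```

Check the file with `unbound-checkconf` before reloading, and after the reload flush the previously failing names (for example `unbound-control flush_zone domain2.cz`, which needs remote-control enabled) so that a cached failure does not make the old symptom persist. Comparing `dig +dnssec some.internal.domain2.cz @<unbound>` with the same query sent directly to the Bind forwarder shows whether the data itself is missing or whether Unbound is rejecting an answer Bind returned.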