Unbound-1.4.7 fails to resolve on simple configuration

Hello,

I'm trying to set up a simple caching resolver using unbound-1.4.7, but
it fails to work and seems to fall into an infinite loop. This is my
config:

server:
    interface: 0.0.0.0
    access-control: 127.0.0.1/32 allow
    verbosity: 5
    do-ip6: no

Then I run unbound-host kernel.org -C /etc/unbound/unbound.conf >
unbound.log 2>&1 to test. You can see what happens in the attached
file unbound.log. The program was terminated using ^C eventually. Running
the unbound daemon gives the same result.

Unbound-1.4.7 is compiled on Gentoo with expat-2.0.1-r3,
libevent-1.4.14b-r1, openssl-1.0.0c, ldns-1.6.7 (with ssl support).
It was compiled without python and threads support (the target system has
a single-core CPU without HT, thus no need for threads). However, I
tried to rebuild it with threads support and it still fails in the
same way.

Via tcpdump I can see all these packets being sent (see unbound.log), but
no replies. BIND on the same host works without any problems. I tried
stopping BIND during testing with unbound-host to exclude any
interference, but this does not help.

I tried to fetch the latest root hints from
ftp://FTP.INTERNIC.NET/domain/named.cache and add the path to the config
file:
    root-hints: "/etc/unbound/named.cache"
but this doesn't help a bit.

Of course, my final setup will be more complicated. It's a sore fact,
but more complicated things work while the simple resolver fails. When
I use the nsd daemon for the local zone, it works well (for local zone
queries):

server:
    interface: 0.0.0.0
    access-control: 127.0.0.1/32 allow
    verbosity: 5
    do-ip6: no
    private-domain: "campus.local"
    do-not-query-localhost: no

stub-zone:
    name: "10.in-addr.arpa"
    name: "16.172.in-addr.arpa"
    name: "17.172.in-addr.arpa"
    name: "18.172.in-addr.arpa"
    name: "19.172.in-addr.arpa"
    name: "31.172.in-addr.arpa"
    name: "81.168.192.in-addr.arpa"
    name: "campus.local"
    stub-addr: 127.0.0.1@10053

And another note: without the "do-not-query-localhost: no" option, nsd
running on 127.0.0.1:10053 will not be queried. This is not so
obvious, and it would be great to point it out somewhere in the
documentation.

With my provider's DNS or Google's open DNS used as a forwarder for the "." zone,
unbound works as well:

server:
    interface: 0.0.0.0
    access-control: 127.0.0.1/32 allow
    verbosity: 5
    do-ip6: no

forward-zone:
    name: "."
    forward-addr: 8.8.8.8

Output of unbound-host kernel.org -C /etc/unbound/unbound.conf >
unbound-forward.log 2>&1 is in the file unbound-forward.log.

But I want to use unbound's own resolver, and I have absolutely no
idea what to do now: either I hit some grave bug or I deeply
misunderstand how unbound should work. Any help will be appreciated.

Best regards,
Andrew Savchenko

(attachments)

unbound.log.bz2 (6.13 KB)
unbound-forward.log.bz2 (2.49 KB)

Hi Andrew,

> I'm trying to set up a simple caching resolver using unbound-1.4.7, but
> it fails to work and seems to fall into an infinite loop. This is my
> config:

Not an infinite loop: waiting for data, and getting timeouts.

> server:
>     interface: 0.0.0.0
>     access-control: 127.0.0.1/32 allow
>     verbosity: 5
>     do-ip6: no

This config should resolve names.

> Then I run unbound-host kernel.org -C /etc/unbound/unbound.conf >
> unbound.log 2>&1 to test. You can see what happens in the attached
> file unbound.log. The program was terminated using ^C eventually. Running
> the unbound daemon gives the same result.
>
> Via tcpdump I can see all these packets being sent (see unbound.log), but
> no replies. BIND on the same host works without any problems. I tried
> stopping BIND during testing with unbound-host to exclude any
> interference, but this does not help.

So, unbound tries to send queries to root servers. But it never
receives replies. There is thus some sort of over-active firewall, that
blocks queries towards the DNS root servers. (it does not block queries
to google DNS, apparently, so the firewall does not make sense).

> I tried to fetch the latest root hints from
> ftp://FTP.INTERNIC.NET/domain/named.cache and add the path to the config
> file:
>     root-hints: "/etc/unbound/named.cache"
> but this doesn't help a bit.
>
> Of course, my final setup will be more complicated. It's a sore fact,
> but more complicated things work while the simple resolver fails. When
> I use the nsd daemon for the local zone, it works well (for local zone
> queries):

Yes because then queries to campus.local do not require the root DNS
servers. Those root servers are still unreachable.

> And another note: without the "do-not-query-localhost: no" option, nsd
> running on 127.0.0.1:10053 will not be queried. This is not so
> obvious, and it would be great to point it out somewhere in the
> documentation.

Thanks for that.

> But I want to use unbound's own resolver, and I have absolutely no
> idea what to do now: either I hit some grave bug or I deeply
> misunderstand how unbound should work. Any help will be appreciated.

Your network has strange firewalls. If you dig @<address of root
+dnssec +cdflag then you send the exact packet that unbound is
also sending out.

Best regards,
   Wouter
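The reply above suggests checking the firewall hypothesis by sending the root servers the same kind of packet unbound sends (DNSSEC requested, CD bit set) with dig and seeing whether anything comes back. The script below is an added example, not code from this thread or from the Unbound or NSD projects: it extracts every IPv4 root server from a root hints file in the InterNIC named.cache format, probes each one with dig, and reports per server whether it answered or timed out. It assumes BIND's dig is installed when a real probe is run; the function names, the "timeout"/"answered"/"unexpected" labels and the sample hints embedded at the bottom are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original thread or the Unbound project):
# reproduce unbound's root-server query with dig for every IPv4 root server
# in a root hints file, so a firewall that drops packets to the roots shows
# up as a row of timeouts. Assumes dig is installed when a file is given.

# Print the IPv4 address of every A record in a root hints file read on stdin.
# Handles both "NAME TTL A ADDR" and "NAME TTL IN A ADDR"; ';' starts a comment.
root_hints_v4() {
    awk '/^;/ { next } ($3 == "A" || $4 == "A") { print $NF }'
}

# Classify dig output read on stdin. A silently dropping firewall produces
# "connection timed out"; a reachable root answers with status: NOERROR.
classify_dig() {
    out=$(cat)
    case "$out" in
        *"connection timed out"*) echo timeout ;;
        *"status: NOERROR"*)      echo answered ;;
        *)                        echo unexpected ;;
    esac
}

# Query one root server for the root NS set, with +dnssec and +cdflag as the
# reply above says unbound does; one try, three-second budget per server.
probe_root() {
    dig @"$1" . NS +dnssec +cdflag +time=3 +tries=1 2>&1 | classify_dig
}

# Constructed sample hints (addresses are real, the file is not). The B line
# uses the explicit IN class so both record forms are exercised.
SAMPLE_HINTS='; constructed sample root hints for this example
.                        3600000      NS    A.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET.      3600000      A     198.41.0.4
A.ROOT-SERVERS.NET.      3600000      AAAA  2001:503:ba3e::2:30
.                        3600000      NS    B.ROOT-SERVERS.NET.
B.ROOT-SERVERS.NET.      3600000      IN    A     192.228.79.201'

# Usage: sh probe-roots.sh /etc/unbound/named.cache
# With no argument only the parser runs on the sample, so the script works offline.
if [ "$#" -ge 1 ]; then
    if ! command -v dig >/dev/null 2>&1; then
        echo "dig not found; install BIND's dnsutils" >&2
        exit 1
    fi
    root_hints_v4 < "$1" | while read -r ip; do
        printf '%-16s %s\n' "$ip" "$(probe_root "$ip")"
    done
else
    printf '%s\n' "$SAMPLE_HINTS" | root_hints_v4
fi
```

If every root address reports "timeout" while a forwarder such as 8.8.8.8 answers the same dig, the problem is on the path to the roots (a firewall or upstream filter), not in unbound; if the roots answer here but unbound still gets nothing, compare the query flags in the tcpdump capture with dig's.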