unbound and nsd on the same machine - what am I missing?

I’m running nsd and unbound on my OpenBSD server.

nsd is listening on 127.0.0.1:53 and is master for two internal zones:
example.com
10.10.10.in-addr.arpa

unbound is listening on 10.10.10.1:53

-----unbound.conf-----
server:
    interface: 10.10.10.1
    interface: ::1
    access-control: 0.0.0.0/0 refuse
    access-control: 10.10.10.0/24 allow
    access-control: ::0/0 refuse
    access-control: ::1 allow

    hide-identity: yes
    hide-version: yes

    do-not-query-localhost: no # I was really surprised this was needed
    local-zone: "10.10.10.in-addr.arpa" nodefault # is this needed?

stub-zone:
    name: "example.com"
    stub-addr: 127.0.0.1

stub-zone:
    name: "10.10.10.in-addr.arpa."
    stub-addr: 127.0.0.1

I'm running nsd and unbound on my OpenBSD server.

...

    local-zone: "10.10.10.in-addr.arpa" nodefault # is this needed?

^^^ I think this line is the issue.

Recently setting up unbound myself, did same thing iirc, and this
overrides stub zones, making it into a "local" zone.

Which I think is also why you get this mismatching behavior between
10.10.10.in-addr.arpa and example.com stub zones (which one of them is
not).

stub-zone:
    name: "example.com"
    stub-addr: 127.0.0.1

stub-zone:
    name: "10.10.10.in-addr.arpa."
    stub-addr: 127.0.0.1

...

What am I missing to get results for the reverse lookup?

Small footnote - I'm not an expert by any means, just pretty sure had
the same confusion with initial config.

Tried it with and without

    local-zone: "10.10.10.in-addr.arpa" nodefault # is this needed?

Still can’t do reverse lookup of the 10.10.10.* IP addresses.

Thanks.

Oh well, and guess "nodefault" might be a bit different from "static"
I've used in these lines.

10.in-addr.arpa. stub-zone works in my config without that local-zone
line, so pretty sure it's not needed anyway.

Do have "private-address: 10.0.0.0/8" line though, wonder if maybe you
also need something similar, though iirc it's documented as being
relevant for filtering results in A/AAAA queries.

Also can suggest confirming that nsd does not get queried via
tcpdump, its logs or e.g. in `strace -p $(pgrep -x unbound)`,
as well as temporarily enabling verbose logging (i.e. debug lines,
which can tell why unbound does something).

I took out local-zone: 10.10.10.in-addr.arpa and no changes.

I added private-address: 10.10.10.0/24 and no changes.
I changed private-address to 10.0.0.0/8 and I can’t look up hosts on my internal network any more (both reverse and forward lookups failed).

This is driving me nuts… :(
Does anyone have a simple working config that they are willing to share, with unbound and bind or unbound and nsd on the same server? In a private address space.

Thank you so much.

Hi,

If you are using a stub-zone for any of the AS112 zones (incl. RFC 1918 zones), you must do one of three things.

Oops, in B.2 it should be “local-zone: <AS112 .arpa zone> nodefault”.

Sorry,

Jan.
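
An added example, not written by anyone in this thread: a small Python check for the condition the B.2 line above names, that a stub-zone under an RFC 1918 reverse zone comes with a `local-zone: <AS112 .arpa zone> nodefault`. It assumes the nodefault line has to name the AS112 zone itself (`10.in-addr.arpa.` for this network) and covers only the RFC 1918 reverse zones; `SAMPLE` is a constructed config and the function names are hypothetical.

```python
import re
# RFC 1918 reverse zones (the subset of AS112 zones this check covers).
RFC1918_REVERSE = (["10.in-addr.arpa."]
                   + [f"{n}.172.in-addr.arpa." for n in range(16, 32)]
                   + ["168.192.in-addr.arpa."])

# Constructed sample, modelled on the config posted in this thread.
SAMPLE = """
server:
    local-zone: "10.10.10.in-addr.arpa" nodefault
stub-zone:
    name: "example.com"
    stub-addr: 127.0.0.1
stub-zone:
    name: "10.10.10.in-addr.arpa."
    stub-addr: 127.0.0.1
"""

def fqdn(name):
    """Lower-case a zone name, drop quotes, end it with exactly one dot."""
    return name.strip().strip('"').lower().rstrip(".") + "."

def enclosing_as112(zone):
    """Return the RFC 1918 reverse zone containing `zone`, or None."""
    return next((p for p in RFC1918_REVERSE
                 if zone == p or zone.endswith("." + p)), None)

def check_stub_zones(conf_text):
    """Return [(stub zone, AS112 zone)] for stubs with no nodefault on that AS112 zone."""
    stubs, nodefault, clause = [], set(), None
    for raw in conf_text.splitlines():
        m = re.match(r"([a-z0-9-]+):\s*(.*)$", raw.split("#", 1)[0].strip())
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip()
        if not value:                       # "server:", "stub-zone:" open a clause
            clause = key
        elif clause == "stub-zone" and key == "name":
            stubs.append(fqdn(value))
        elif clause == "server" and key == "local-zone":
            parts = value.split()
            if len(parts) == 2 and parts[1] == "nodefault":
                nodefault.add(fqdn(parts[0]))
    pairs = [(s, enclosing_as112(s)) for s in stubs]
    return [(s, p) for s, p in pairs if p and p not in nodefault]

if __name__ == "__main__":
    for stub, parent in check_stub_zones(SAMPLE):
        print(f"stub-zone {stub}: no 'local-zone: {parent} nodefault' in server:")
```

The check reports only the missing nodefault line; it does not cover the other options in the list referred to above.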

B1 worked!

Thank you very much.