Unbound not giving ANSWER SECTION for some hosts

Hi all,

I have the problem with Unbound Version 1.7.3, compiled on FreeBSD 11.2,
that it won't give the ANSWER SECTION for some hosts, like github.com.

For most hosts it will resolve properly and give this for example:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56138
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

But for github.com it will give this:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57234
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 8, ADDITIONAL: 9

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;github.com. IN A

;; AUTHORITY SECTION:
github.com. 169039 IN NS ns-1707.awsdns-21.co.uk.
github.com. 169039 IN NS ns-1283.awsdns-32.org.
github.com. 169039 IN NS ns4.p16.dynect.net.
github.com. 169039 IN NS ns2.p16.dynect.net.
github.com. 169039 IN NS ns-421.awsdns-52.com.
github.com. 169039 IN NS ns1.p16.dynect.net.
github.com. 169039 IN NS ns3.p16.dynect.net.
github.com. 169039 IN NS ns-520.awsdns-01.net.

;; ADDITIONAL SECTION:
ns1.p16.dynect.net. 43283 IN A 208.78.70.16
ns2.p16.dynect.net. 80767 IN A 204.13.250.16
ns3.p16.dynect.net. 80767 IN A 208.78.71.16
ns4.p16.dynect.net. 80767 IN A 204.13.251.16
ns-421.awsdns-52.com. 80479 IN A 205.251.193.165
ns-520.awsdns-01.net. 80479 IN A 205.251.194.8
ns-1707.awsdns-21.co.uk. 80479 IN A 205.251.198.171
ns-1707.awsdns-21.co.uk. 166614 IN AAAA 2600:9000:5306:ab00::1

;; Query time: 179 msec
;; SERVER: 192.168.20.38#53(192.168.20.38)
;; WHEN: Thu Jul 19 12:43:36 CEST 2018
;; MSG SIZE rcvd: 399

The unbound.conf is simple enough:
server:
  interface: 0.0.0.0
  access-control: 192.168.20.0/8 allow
  access-control: 192.168.179.0/8 allow
  private-address: 192.168.20.0/8
  private-address: 192.168.179.0/8
  verbosity: 1

forward-zone:
  name: "."
  forward-addr: 85.214.20.141 # Digitalcourage
  forward-addr: 46.182.19.48 # Digitalcourage
  forward-addr: 194.150.168.168 # AS250.net Foundation

This looks like a bug, for this unbound.conf works properly with
Unbound Version 1.5.10 on the same machine.

Hints to solve that are appreciated. Thanks!

Best regards
Oliver

Hi Oliver,

I see that this is a referral. The upstream service does not resolve
github properly and this is what they return for that query? Unbound
will then accept it and store it (I can imagine that this changed
between the older version and today), but it looks like this is
something that the forward-zone addresses are returning wrongly.

Best regards, Wouter

Hi (for the list),

After digging through logs, I didn't read the config that Oliver posted
carefully either. There is /8 in the access-control and
private-address, causing unbound to allow too many hosts and also
removing too many IP addresses from answers. Turns out github's IP
address starts with 192 and so does 192.168.20.0/24; that is why the
github address gets removed when a /8 is used instead of a /24.

Best regards, Wouter
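As an added illustration of Wouter's diagnosis (this is not code from the thread or from the Unbound project): a prefix such as 192.168.20.0/8 has non-zero host bits, so the network it actually names is 192.0.0.0/8, and any answer whose address starts with 192 is then stripped by private-address, which is exactly the NOERROR / ANSWER: 0 reply seen above. The script below parses the posted unbound.conf lines, flags entries whose written address is not the base of the network their prefix defines, and runs a simplified model of private-address filtering over a constructed answer set. The /24 variant, the documentation addresses 192.0.2.10 and 198.51.100.7, and the record names are assumptions made for the example; real Unbound also applies private-address to AAAA and CNAME-chased answers, which this model leaves out.

```python
import ipaddress

# Constructed from the config posted in the thread (the /8 typo is the point).
BROKEN_CONF = """\
server:
  interface: 0.0.0.0
  access-control: 192.168.20.0/8 allow
  access-control: 192.168.179.0/8 allow
  private-address: 192.168.20.0/8
  private-address: 192.168.179.0/8
"""

# Assumption: the LANs are really /24, which is what Wouter's reply implies.
FIXED_CONF = BROKEN_CONF.replace("/8", "/24")

# Constructed answer records. 192.0.2.10 is documentation space and stands in
# for "github's IP address starts with 192"; 198.51.100.7 does not start with 192.
SAMPLE_ANSWERS = [
    ("github.example.", "192.0.2.10"),
    ("other.example.", "198.51.100.7"),
]


def _config_values(conf_text, key):
    """Yield the first token after 'key:' for every matching config line."""
    for line in conf_text.splitlines():
        line = line.strip()
        if line.startswith(key):
            yield line[len(key):].strip().split()[0]


def parse_private_addresses(conf_text):
    """Return the private-address networks as unbound applies them: host bits
    beyond the prefix length are ignored, so 192.168.20.0/8 means 192.0.0.0/8."""
    return [ipaddress.ip_network(v, strict=False)
            for v in _config_values(conf_text, "private-address:")]


def sloppy_prefixes(conf_text):
    """Flag access-control and private-address entries whose written address is
    not the base of the network their prefix defines. That mismatch is the
    telltale sign of a prefix-length typo such as /8 where /24 was meant.
    Returns (written value, effective network) pairs."""
    findings = []
    for key in ("access-control:", "private-address:"):
        for value in _config_values(conf_text, key):
            net = ipaddress.ip_network(value, strict=False)
            written = ipaddress.ip_interface(value).ip
            if written != net.network_address:
                findings.append((value, str(net)))
    return findings


def filter_answers(answers, private_nets):
    """Simplified model of private-address stripping: drop A records whose
    address falls inside any configured private network."""
    kept = []
    for name, ip in answers:
        addr = ipaddress.ip_address(ip)
        if not any(addr in net for net in private_nets):
            kept.append((name, ip))
    return kept


if __name__ == "__main__":
    for label, conf in (("broken /8", BROKEN_CONF), ("fixed /24", FIXED_CONF)):
        nets = parse_private_addresses(conf)
        print(label, "-> effective private nets:", [str(n) for n in nets])
        print("  suspicious prefixes:", sloppy_prefixes(conf))
        print("  surviving answers:", filter_answers(SAMPLE_ANSWERS, nets))
```

Running it prints, for the broken config, two private networks of 192.0.0.0/8, four flagged entries, and only the 198.51.100.7 record surviving; with /24 nothing is flagged and both records survive. The same non-zero-host-bits check is a cheap lint to run over access-control lines, since 192.168.20.0/8 allow opens the resolver to all of 192.0.0.0/8 rather than one LAN.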