Unexpected results - Unbound results don't match external DNS

Hi,
I don’t know if I’m expecting too much from unbound but for certain lookups I get a different result from unbound than I get from an external DNS server. For example:

Using Unbound:

# nslookup 158.24.39.46.zen.spamhaus.org.
Server: 127.0.0.1
Address: 127.0.0.1#53

Non-authoritative answer:
Name: 158.24.39.46.zen.spamhaus.org
Address: 92.242.144.50

Using External DNS:

# nslookup 158.24.39.46.zen.spamhaus.org [external DNS]
Server: [external DNS]
Address: [external DNS]#53

Non-authoritative answer:
Name: 158.24.39.46.zen.spamhaus.org
Address: 127.0.0.4
Name: 158.24.39.46.zen.spamhaus.org
Address: 127.0.0.11

I actually need unbound to provide the results as given by the external DNS - same format, same answer. The server uses the answer from the external server perfectly. It fails when it uses unbound. I don’t see any settings in unbound.conf that might resolve this issue. Did I miss anything? Or is Unbound not able to provide the same results due to the 127.0.0.x answer?

Thanks!

Patrick

Unbound (as resolver) returns proper results here. I did notice that
querying Google's public DNS does not return expected results.

Are you using Unbound as a resolver or forwarder?

Also I think dig or drill would be much better tools than nslookup.

Chris

Hello Patrick,

pcl-associates writes:

Hi,

I don't know if I'm expecting too much from unbound but for certain
lookups I get a different result from unbound than I get from an
external DNS server. For example:

Unbound is all good here, you're expecting too much from
"nslookup". Unbound returns the correct answers, but "nslookup" fails to
ask the wanted questions to Unbound (and does not show the DNS
queries).

Please try to use the tools "dig" or "drill" to send the query to
Unbound, the output will either give you a clue or, if posted here, will
give the participants of this mailing list an idea what might be wrong.

Example (using my local Unbound instance):

% dig 158.24.39.46.zen.spamhaus.org.

; <<>> DiG 9.10.0-P1 <<>> 158.24.39.46.zen.spamhaus.org.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42320
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;158.24.39.46.zen.spamhaus.org. IN A

;; ANSWER SECTION:
158.24.39.46.zen.spamhaus.org. 900 IN A 127.0.0.11
158.24.39.46.zen.spamhaus.org. 900 IN A 127.0.0.4

;; Query time: 205 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sun Jul 27 15:43:37 CEST 2014
;; MSG SIZE rcvd: 90

Hi Carsten,

Unfortunately, the issue is not limited to nslookup. Here’s what I get when I run the same dig command you did below. Evidently something isn’t right because my results should match yours. In a separate email, Chris asked if I was using this as a forwarder or resolver. I am using it as an authoritative, validating, recursive caching dns server as described here: https://calomel.org/unbound_dns.html.

# dig 158.24.39.46.zen.spamhaus.org.

; <<>> DiG 9.9.4-rpz2.13269.14-P2 <<>> 158.24.39.46.zen.spamhaus.org.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 22741
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;158.24.39.46.zen.spamhaus.org. IN A

;; AUTHORITY SECTION:
zen.spamhaus.org. 3546 IN SOA need.to.know.only. hostmaster.spamhaus.org. 1407271350 3600 600 432000 150

;; Query time: 39 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sun Jul 27 15:52:37 CEST 2014
;; MSG SIZE rcvd: 122

I use my personal setup that way (including DNSSEC), and although I
typically use drill from my Linux box, dig and nslookup also return
the proper results for your query from Unbound. Suggest you simplify
your unbound.conf and use the man page as a guide vs a third party
site.

Chris

Indeed - I bet this is your problem.

Looking at the Calomel site they list these private address ranges:

At least one problem if you've indeed followed that page, maybe not
your actual issue.

Chris,

Yes. Point well taken. I thought I had carefully reviewed the unbound.conf prior to installation but evidently I missed this one. In any case, I’ve fixed it in unbound.conf but after shutting down unbound and starting it again, I still get the same results:

# dig 158.24.39.46.zen.spamhaus.org.

; <<>> DiG 9.9.4-rpz2.13269.14-P2 <<>> 158.24.39.46.zen.spamhaus.org.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 533
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;158.24.39.46.zen.spamhaus.org. IN A

;; AUTHORITY SECTION:
zen.spamhaus.org. 3600 IN SOA need.to.know.only. hostmaster.spamhaus.org. 1407271455 3600 600 432000 150

;; Query time: 855 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sun Jul 27 17:00:59 CEST 2014
;; MSG SIZE rcvd: 122

# nslookup 158.24.39.46.zen.spamhaus.org.
Server: 127.0.0.1
Address: 127.0.0.1#53

** server can’t find 158.24.39.46.zen.spamhaus.org.: NXDOMAIN

Patrick

Again, works here and with several other Unbound servers I administer.
Maybe you have a firewall blocking access to a needed server. Or maybe
your ISP is hijacking your DNS requests. Or some other config issue.

Maybe setting Unbound up as forwarder to some other (not Google's in
this particular case) public DNS servers as a test case will help in
troubleshooting.

Hello Patrick,

pcl-associates writes:

Hi Carsten,

Unfortunately, the issue is not limited to nslookup. Here's what I
get when I run the same dig command you did below.

Yes, you do not get what you expected, but the dig output gives much
better information (see below).

Evidently
something isn't right because my results should match yours.

In a
separate email, Chris asked if I was using this as a forwarder or
resolver. I am using it as an authoritative, validating, recursive
caching dns server as described here:
https://calomel.org/unbound_dns.html.

That page is a little outdated (covers Unbound 1.4.9, current is
1.4.22). Also, you are probably running Unbound as a validating,
recursive caching DNS server, as Unbound is not designed to be an
authoritative server (that would be NSD or BIND 9 or PowerDNS
...). The calomel.org website just defines these DNS terms.

Could you share your "unbound.conf" with this list?

You have a forwarding server if you have configuration lines with
"forward-zone:" in your configuration. Usually it is recommended *NOT*
to use forwarding (instead, let your Unbound talk directly to the
authoritative DNS servers in the Internet), unless you have a good
reason to do so (network topology or firewall-policy).

# dig 158.24.39.46.zen.spamhaus.org.

; <<>> DiG 9.9.4-rpz2.13269.14-P2 <<>> 158.24.39.46.zen.spamhaus.org.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 22741
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;158.24.39.46.zen.spamhaus.org. IN A

;; AUTHORITY SECTION:
zen.spamhaus.org. 3546 IN SOA need.to.know.only. hostmaster.spamhaus.org. 1407271350 3600 600 432000 150

;; Query time: 39 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sun Jul 27 15:52:37 CEST 2014
;; MSG SIZE rcvd: 122

Unlike with your nslookup response, which gave an IPv4 address record
back, this response is actually a response saying that the requested
domain name does not exist (NXDOMAIN). A very different response.

Let's try to ask the authoritative DNS servers for
"zen.spamhaus.org". I see:

% dig 158.24.39.46.zen.spamhaus.org. @a.ns.spamhaus.org.

; <<>> DiG 9.10.0-P1 <<>> 158.24.39.46.zen.spamhaus.org. @a.ns.spamhaus.org.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22021
;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;158.24.39.46.zen.spamhaus.org. IN A

;; ANSWER SECTION:
158.24.39.46.zen.spamhaus.org. 900 IN A 127.0.0.11
158.24.39.46.zen.spamhaus.org. 900 IN A 127.0.0.4

;; Query time: 26 msec
;; SERVER: 2001:7b8:3:1f:0:2:53:1#53(2001:7b8:3:1f:0:2:53:1)
;; WHEN: Sun Jul 27 19:33:46 CEST 2014
;; MSG SIZE rcvd: 79
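The comparison made by hand above (dig at 127.0.0.1 versus dig @a.ns.spamhaus.org) and the distinction between an NXDOMAIN and an A answer are exactly what a DNSBL client has to get right; the fix the thread arrives at on the Unbound side is removing the "forward-zone:" stanza so Unbound recurses to the authoritative servers itself. What follows is an added example, not code from this thread, from Unbound or from Spamhaus: a small Python DNSBL checker with a pluggable resolver, run offline against stub answers copied from the outputs in this thread (the forwarding Unbound's NXDOMAIN, the authoritative server's 127.0.0.4 and 127.0.0.11, and the 92.242.144.50 returned by the first nslookup). The return-code meanings in ZEN_CODES and the 127.255.255.0/24 error range are taken from Spamhaus' published documentation rather than from the thread and are assumptions here; all function and variable names are mine.

```python
"""DNSBL client logic mirroring the checks made by hand in this thread.

Added example, not code from the thread, Unbound or Spamhaus.  The resolver
is a callable supplied by the caller, so the module runs offline against
stub answers copied from the dig/nslookup output above; for real use wrap
dnspython's resolver.resolve(name, "A") (raising NXDomain on rcode 3)
behind the same one-argument interface.
"""
import ipaddress
from typing import Callable, Dict, List

LOOPBACK = ipaddress.ip_network("127.0.0.0/8")
# Assumption: Spamhaus signals query errors with codes in this range.
ZEN_ERROR_RANGE = ipaddress.ip_network("127.255.255.0/24")

# Assumption: meanings taken from Spamhaus' published ZEN return codes,
# not from the thread (which only shows 127.0.0.4 and 127.0.0.11).
ZEN_CODES: Dict[str, str] = {
    "127.0.0.2": "SBL",
    "127.0.0.3": "SBL CSS",
    "127.0.0.4": "XBL (exploited host)",
    "127.0.0.9": "SBL DROP/EDROP",
    "127.0.0.10": "PBL (ISP maintained)",
    "127.0.0.11": "PBL (Spamhaus maintained)",
    "127.255.255.252": "error: malformed query name",
    "127.255.255.254": "error: query came via a public/open resolver",
    "127.255.255.255": "error: query volume exceeded",
}

Resolver = Callable[[str], List[str]]  # returns A records, raises NXDomain


class NXDomain(Exception):
    """The resolver answered NXDOMAIN (rcode 3)."""


def dnsbl_name(ip: str, zone: str = "zen.spamhaus.org") -> str:
    """46.39.24.158 -> '158.24.39.46.zen.spamhaus.org.' (octets reversed, FQDN)."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("this helper handles the IPv4 octet form only")
    return ".".join(reversed(addr.exploded.split("."))) + f".{zone}."


def check(ip: str, resolve: Resolver, zone: str = "zen.spamhaus.org") -> dict:
    """Classify the DNSBL answer for ip as not-listed / listed / error / untrusted."""
    name = dnsbl_name(ip, zone)
    try:
        answers = resolve(name)
    except NXDomain:
        # NXDOMAIN is the normal "clean" answer from a DNSBL, not an error.
        return {"name": name, "status": "not-listed", "listed": False, "codes": []}
    codes = sorted(set(answers), key=ipaddress.ip_address)
    # An address outside 127/8 is not a DNSBL code at all: some upstream is
    # rewriting answers (typically an NXDOMAIN-to-search-page hijack).
    # Treating it as a listing would reject every client, so fail safe.
    if any(ipaddress.ip_address(c) not in LOOPBACK for c in codes):
        return {"name": name, "status": "untrusted", "listed": False, "codes": codes}
    if any(ipaddress.ip_address(c) in ZEN_ERROR_RANGE for c in codes):
        return {"name": name, "status": "error", "listed": False, "codes": codes,
                "reasons": [ZEN_CODES.get(c, "unknown code") for c in codes]}
    return {"name": name, "status": "listed", "listed": True, "codes": codes,
            "reasons": [ZEN_CODES.get(c, "unknown code") for c in codes]}


def stub_resolver(table: Dict[str, List[str]]) -> Resolver:
    """Offline resolver: names absent from the table get NXDOMAIN."""
    def resolve(name: str) -> List[str]:
        if name not in table:
            raise NXDomain(name)
        return list(table[name])
    return resolve


QNAME = "158.24.39.46.zen.spamhaus.org."
# Constructed stubs holding the answers shown in this thread:
FORWARDING_UNBOUND = stub_resolver({})                               # NXDOMAIN via forwarder
AUTHORITATIVE = stub_resolver({QNAME: ["127.0.0.11", "127.0.0.4"]})  # a.ns.spamhaus.org
HIJACKED = stub_resolver({QNAME: ["92.242.144.50"]})                 # first nslookup on the page


def compare(ip: str, local: Resolver, authoritative: Resolver) -> bool:
    """The thread's diagnostic: does the local resolver agree with the authority?"""
    return check(ip, local)["codes"] == check(ip, authoritative)["codes"]


if __name__ == "__main__":
    for label, r in [("forwarding unbound", FORWARDING_UNBOUND),
                     ("authoritative", AUTHORITATIVE),
                     ("hijacked", HIJACKED)]:
        print(label, check("46.39.24.158", r))
    print("local agrees with authority:",
          compare("46.39.24.158", FORWARDING_UNBOUND, AUTHORITATIVE))
```

Two caveats a practitioner would want here. NXDOMAIN is the DNSBL's normal "not listed" answer, so a client must not fail closed on it; conversely, any A record outside 127.0.0.0/8 is evidence that an upstream rewrote the answer and must not be read as a listing. And on the Unbound side, addresses given under "private-address" are stripped from answers as DNS rebinding protection (per the unbound.conf man page), so a resolver that serves DNSBL lookups must not list 127.0.0.0/8 there; the thread does not show which range was at fault in Patrick's configuration.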

Hello Carsten,

Chris and you nailed the problem. I had unbound forwarding set up. As soon as I turned that off, I got the following results (see below) - same as yours.

I’ve attached my unbound.conf - it is based on the calomel.org unbound.conf but with modifications and improvements. :) It probably could use further improvement. To be clear, I’m only using unbound for internal purposes - it does not serve the internet.

As I understand it, unbound becomes “authoritative” (only for your own network) when you define the machines on your local network within unbound as it will then return the private addresses of your local machines.

Thank you for your help!

Patrick

(attachments)

unbound.conf.rtf (12.3 KB)