OPNsense Forum

Archive => 21.7 Legacy Series => Topic started by: tribeiro on December 08, 2021, 07:29:18 pm

Title: Unbound only resolving when +trace enabled
Post by: tribeiro on December 08, 2021, 07:29:18 pm
Hey everyone,

Been trying to figure out why unbound is not resolving local.app.garden domains as it should.
local.app.garden resolves to 127.0.0.1 as a convenience provided by the garden.io tool. It lets developers develop locally on Kubernetes without having to add anything to their hosts file.

For some reason our unbound server does not resolve correctly unless I add the +trace option:

Code:
root@OPNsense:~ # dig local.app.garden

; <<>> DiG 9.16.18 <<>> local.app.garden
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39432
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;local.app.garden. IN A

;; Query time: 48 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Dec 08 13:25:44 EST 2021
;; MSG SIZE  rcvd: 45

But now if I add +trace:
Code:
root@OPNsense:~ # dig +trace local.app.garden

; <<>> DiG 9.16.18 <<>> +trace local.app.garden
;; global options: +cmd
. 86212 IN NS f.root-servers.net.
. 86212 IN NS a.root-servers.net.
. 86212 IN NS g.root-servers.net.
. 86212 IN NS k.root-servers.net.
. 86212 IN NS j.root-servers.net.
. 86212 IN NS c.root-servers.net.
. 86212 IN NS i.root-servers.net.
. 86212 IN NS h.root-servers.net.
. 86212 IN NS m.root-servers.net.
. 86212 IN NS d.root-servers.net.
. 86212 IN NS b.root-servers.net.
. 86212 IN NS e.root-servers.net.
. 86212 IN NS l.root-servers.net.
. 86212 IN RRSIG NS 8 0 518400 20211221170000 20211208160000 14748 . STJFmMkv7xJN+HC4h4OkpfwBdBdF7ChqeSr7TNhxm7MpjwNAMd6I7z/+ PQwnHEx0GUSQBWGBgktxpVSRYXk2AiqAaEOqWbLxxE6TfNO1CCFZwYKU jY+8BSo5p1JCtwQunLdkFOFNWw6TbV+g3FKKdt+AhYYH7ptjAssPFOtb b52ze73wfrB8fjbVFoFhk5tKSY8WAq0+zCsU/KGe8I57oQGuHh+Gy1qG mh/+B0DBY5LDPtD0s1Mi2IzTy1k9TUqm3EoataW12k51Q2wPfaO4seO8 wfBVz/9q1ehxxNLsN2ylzfKwTx7FnTVxumZAD/pQNDD/EG9m2HIgusXS 7w0lag==
;; Received 525 bytes from 127.0.0.1#53(127.0.0.1) in 0 ms

garden. 172800 IN NS dnsc.nic.garden.
garden. 172800 IN NS dns2.nic.garden.
garden. 172800 IN NS dns3.nic.garden.
garden. 172800 IN NS dns4.nic.garden.
garden. 172800 IN NS dnsa.nic.garden.
garden. 172800 IN NS dnsb.nic.garden.
garden. 172800 IN NS dns1.nic.garden.
garden. 172800 IN NS dnsd.nic.garden.
garden. 86400 IN DS 10669 8 2 BEF307F6FDB4589359FD64104E7F67667D762D52E11D58CC15C9CAE7 5DCC4A7A
garden. 86400 IN DS 49411 8 2 794AD2DB36FD39DECE1C4E95687D864128F4B87C27DA93F525E34834 CDF8D132
garden. 86400 IN RRSIG DS 8 1 86400 20211221170000 20211208160000 14748 . Wk/zN3wIJF5EQ/2Xhu6OhNKybEX7EFNhZkq1UxoH0JvgJZGupT4RORQD PF06UJYZIkTo1pDmJ9Z6g9TAeCkOhLtRKIFn6TigEm1VvNCuhnOpbkfE x/UQ8YNjgPKj3WhbYSdi1ksZX02mRQ+IekiLdMQfPA88z7brFNfc5Q32 UIvyjPyF+OZq52fBqJDbgO4upWzmH9+B462ofRG0ts2pTJ0wqPAHlfsN NzeAN+gQxya1+PI1ioSJnhWVcgPI3ZioXVoJLqFXpF/VugRP16IG63lN FTljqBRYWquBHe9lz7Yk2ojIy5KSesdUGpWhZD41OcV+RE+0Zeuuj2sn tqRPzA==
;; Received 852 bytes from 192.203.230.10#53(e.root-servers.net) in 3 ms

app.garden. 172800 IN NS kia.ns.cloudflare.com.
app.garden. 172800 IN NS andy.ns.cloudflare.com.
plba31bu9df7tnph2kc75pb6159l9kdp.garden. 3600 IN NSEC3 1 1 10 497E730B PR1VNQABCJTEBM1PUCPS65BQDR3HOSD1 NS SOA RRSIG DNSKEY NSEC3PARAM
plba31bu9df7tnph2kc75pb6159l9kdp.garden. 3600 IN RRSIG NSEC3 8 2 3600 20220109215343 20211205212024 45570 garden. pL8sD+5UhCIqXxnhd7tY8cP1b9o1wylQmTyvUnMNDRXD3pgPEwAwPSS3 sJs0lK6G3qJT3EGdZ3dPeOFYcqUaRv8aNFPy+huRnyHG5MOMzBZNdTsh 84EoVxKe+EBY1wGCSX7jwt6Id2oZHAaLqwsqO1I9q4ZnkDjqdZk6B5v2 QaRYSLT/pZ4NoqjDAcBWLrL+dL4KcvMjmaz3BMAinT4ckXntG5TUFtvj PgdA+G817+JY6S+9gfgyuzUMrmhkoRNUegRrKjj5pQgJ9soMHfshmHAx COukbvkbbT9bnVRDWdOTnYiVI/JypK4riAGojY4Oyghqoyx6agns4TRC 8c8pYw==
p9khl1md1l0p9bf6ibh7nn04umobuosl.garden. 3600 IN NSEC3 1 1 10 497E730B PLBA31BU9DF7TNPH2KC75PB6159L9KDP NS DS RRSIG
p9khl1md1l0p9bf6ibh7nn04umobuosl.garden. 3600 IN RRSIG NSEC3 8 2 3600 20220107032833 20211203024318 45570 garden. e3dHMz4BYB2du5WxudukM0uiYmJ2SMRoPI6TZvU0X1hfhctDyTSZ3hBC rpioPLVinKVkVEMqsgZqoBI/5sXAa8Sevuoy480MPRLZePFA3ejWm12/ 1EB8FNmYvA/F0Yk98Y3Juc04GbRXfjLljSppthrztGr5Qp1KsKelO5sd YIt95lYlbcltz2pV57872YkMG25IEOMz7RbdXlrsovVHM3Pe+WTbiemL ALghTlKYiDp3pqeqTSWlpmtsVt6WS0FYRl2Lj/Dzk5k1peEPtndMblA/ ufzatMm4rJUYqF+xK3L9lBkIxGhdZNKYhPDLkd1GI3XoGOAeP3wBEL3r ffvCGQ==
;; Received 854 bytes from 213.248.217.24#53(dns1.nic.garden) in 7 ms

local.app.garden. 86400 IN A 127.0.0.1
;; Received 61 bytes from 173.245.59.101#53(andy.ns.cloudflare.com) in 11 ms

It also works if I query the Cloudflare DNS directly, obviously:
Code:
root@OPNsense:~ # dig local.app.garden @kia.ns.cloudflare.com

; <<>> DiG 9.16.18 <<>> local.app.garden @kia.ns.cloudflare.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 25125
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;local.app.garden. IN A

;; ANSWER SECTION:
local.app.garden. 86400 IN A 127.0.0.1

;; Query time: 5 msec
;; SERVER: 108.162.192.179#53(108.162.192.179)
;; WHEN: Wed Dec 08 13:27:55 EST 2021
;; MSG SIZE  rcvd: 61

Other than having DNSSEC enabled, everything else is default in my unbound config.

Any idea why this might be happening?
Title: Re: Unbound only resolving when +trace enabled
Post by: Fright on December 09, 2021, 08:55:10 am
Hi
With the "+trace" option enabled, 'dig' resolves the name by itself (starting from the root servers), as you can see.
(https://kb.isc.org/docs/aa-00208)

Unbound will sanitize the "127.0.0.1" result since "DNS Rebinding Checks" is enabled by default (System: Settings: Administration). I would keep it enabled. You can add host override(s) in the Unbound settings.
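To make the behaviour described above concrete, here is a small added simulation (not OPNsense or Unbound code) of what a rebinding check does to the answer in the first dig run: the upstream A record for local.app.garden pointing at 127.0.0.1 is dropped, so the client gets NOERROR with an empty answer section. It is modelled on Unbound's private-address / private-domain options and on OPNsense host overrides being answered as local data before any upstream lookup happens; the address list, record type and function names are assumptions made for the example, and the sample records are constructed.

```python
"""Added example: simulate DNS rebinding protection (private-address
sanitization) and the two ways a local name can be exempted from it.
Not OPNsense or Unbound code; names and ranges are assumptions."""
import ipaddress
from dataclasses import dataclass

# Ranges that must not appear in answers from the public Internet.
# Assumed for this example, not read from any Unbound configuration.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "::1/128", "fd00::/8", "fe80::/10",
)]


@dataclass(frozen=True)
class RR:
    name: str    # owner name, fully qualified with trailing dot
    ttl: int
    rtype: str   # "A", "AAAA", ...
    rdata: str


def is_private(addr: str) -> bool:
    """True if addr falls in one of the sanitized ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE_NETS)


def under_domain(name: str, domain: str) -> bool:
    """True if name equals domain or is a subdomain of it."""
    name = name.lower().rstrip(".") + "."
    domain = domain.lower().rstrip(".") + "."
    return name == domain or name.endswith("." + domain)


def sanitize(answer, allowed_domains=()):
    """Drop A/AAAA records in private space unless the owner name is
    under an allowed domain (the private-domain style exemption)."""
    kept = []
    for rr in answer:
        private_addr = rr.rtype in ("A", "AAAA") and is_private(rr.rdata)
        exempt = any(under_domain(rr.name, d) for d in allowed_domains)
        if private_addr and not exempt:
            continue   # this is what turns ANSWER: 1 into ANSWER: 0
        kept.append(rr)
    return kept


def resolve_with_overrides(name, rtype, upstream_answer,
                           host_overrides, allowed_domains=()):
    """Host overrides (local data) are served before any upstream query,
    so they are never subject to sanitization; everything else is."""
    key = (name.lower().rstrip(".") + ".", rtype)
    if key in host_overrides:
        return [RR(key[0], 3600, rtype, host_overrides[key])]
    return sanitize(upstream_answer, allowed_domains)


# Constructed sample data: the record seen in the +trace output, plus a
# public record (TEST-NET-3 address) that must pass through untouched.
UPSTREAM = [RR("local.app.garden.", 86400, "A", "127.0.0.1")]
PUBLIC = [RR("www.example.", 300, "A", "203.0.113.10")]

if __name__ == "__main__":
    # Default: record stripped, empty answer (what the first dig showed).
    print(resolve_with_overrides("local.app.garden", "A", UPSTREAM, {}))
    # Fix 1: a host override answers locally, bypassing the check.
    print(resolve_with_overrides("local.app.garden", "A", UPSTREAM,
                                 {("local.app.garden.", "A"): "127.0.0.1"}))
    # Fix 2: exempt the whole domain from sanitization.
    print(resolve_with_overrides("local.app.garden", "A", UPSTREAM, {},
                                 allowed_domains=["app.garden"]))
```

The host-override route keeps the rebinding check active for every other name, which is why it is the safer of the two fixes: a domain-wide exemption means any record under that domain may point clients at loopback or LAN addresses.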
Title: Re: Unbound only resolving when +trace enabled
Post by: tribeiro on December 09, 2021, 06:00:19 pm
Ah, that makes perfect sense (no pun intended)! :)

Thanks for keeping my sanity in check.