Unbound issues

Started by abulafia, September 11, 2021, 08:56:20 PM

September 11, 2021, 08:56:20 PM Last Edit: September 11, 2021, 10:32:23 PM by abulafia
While running Unbound as a local resolver, I have come across three issues:

1. Unbound fails to resolve certain domains. I have no DNSBL in Unbound. Unbound only delivers the CNAME, but no A record. When using Unbound as a DoT forwarder, it resolves the hostname normally.

2. Even though I have unchecked "Flush DNS cache during reload", the statistics and cache are cleared with every Unbound reload. This should not happen.

3. Unbound failing to start, see https://github.com/opnsense/core/issues/5150 - I don't experience this anymore, though.

Has anyone experienced similar issues or could suggest possible (configuration) errors?

1. Can you give an example, please?
2. How did you check this (log? cache dump?)? And this option has nothing to do with statistics, afaik.

September 14, 2021, 11:08:37 PM #2 Last Edit: September 15, 2021, 12:01:11 AM by abulafia
Thanks -

1. I was afraid of this question - it was a website for Germany's far-right party (I don't like them, I did not vote for them, but I had to look up their site nonetheless). Need to reset Unbound to resolver mode to check.

I have also had these issues, I think, with Apple and Microsoft sites (though no DNSBL enabled).

I have Adguard Home as primary DNS on :53 which then forwards to unbound at 127.0.0.1:5553.

Response seen in Adguard Home e.g. for www.bing.com:

Quote:
Response details
  Status: Allowed
  DNS server: 127.0.0.1:5553
  Elapsed: 115 ms
  Response code: NXDOMAIN
  Rule(s):
    www.bing.com
    hl2guide
  Response:
    CNAME: a-0001.a-afdentry.net.trafficmanager.net. (ttl=21600)

Later Adguard shows proper resolution:

Quote:
Response details
  Status: Allowed
  Elapsed: 0.06 ms
  Response code: NOERROR
  Rule(s):
    www.bing.com
    hl2guide
  Response:
    CNAME: a-0001.a-afdentry.net.trafficmanager.net. (ttl=60)
    CNAME: www-bing-com.dual-a-0001.a-msedge.net. (ttl=60)
    CNAME: dual-a-0001.a-msedge.net. (ttl=60)
    A: 13.107.21.200 (ttl=60)
    A: 204.79.197.200 (ttl=60)

2. Statistics got reset to zero and resolve times shot up again. So: No thorough checking.

Hi

Just my 2 cents here. I had some sites not resolving and it turned out to be Strict QNAME minimisation checked. Once I unchecked it all is good.

September 15, 2021, 07:38:09 PM #4 Last Edit: September 15, 2021, 07:40:30 PM by Fright
@abulafia
+1 to what @andrema2 said.
Based on https://github.com/opnsense/core/issues/5150#issuecomment-894844062
you have qnameminstrict enabled. Can you try without it?
(In short: with qnameminstrict enabled, Unbound stops trying to resolve a name when a "broken" DNS server returns a "wrong" response code on an empty non-terminal record query.)
https://datatracker.ietf.org/doc/html/rfc7816
Quote: 2. Statistics got reset to zero and resolve times shot up again. So: No thorough checking.
IMHO the stats will be cleared in any case, and there is no way to save them on reload (and the "Flush DNS cache during reload" option is not related to this).
Cache loading after reload can be checked with the
unbound-control -c /var/unbound/unbound.conf dump_cache
command, or by enabling debug logging and looking at where Unbound gets the results from (for the purity of the experiment, it is better to disable the "Prefetch Support" option at SERVICES: UNBOUND DNS: ADVANCED).
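The empty-non-terminal failure mode that andrema2 and Fright describe, as an added example that is not part of the thread and not Unbound's code: a simplified minimising resolver in the spirit of RFC 7816 walks a query name one label at a time against two toy authoritative servers, one that answers an empty non-terminal correctly (NOERROR with no records) and one that wrongly answers NXDOMAIN. With strict mode the broken server's NXDOMAIN is trusted and resolution stops; in relaxed mode the resolver falls back to the full name and still gets an answer. The CNAME target name is taken from the thread; the toy zone contents, server names and the 203.0.113.10 address are constructed. Real resolvers track zone cuts and use other query types, which this simulation leaves out.

```python
"""Simulated QNAME minimisation (RFC 7816) against a toy authoritative server
that mishandles empty non-terminals (ENTs). Added example; zone contents,
server names and addresses are constructed, not taken from the thread."""

# Constructed toy zone data. "net.trafficmanager.net." and
# "a-afdentry.net.trafficmanager.net." hold no records themselves but exist
# because a name below them does: they are empty non-terminals.
ZONE = {
    "net.": {"NS": ["ns.tld.example."]},
    "trafficmanager.net.": {"NS": ["ns.zone.example."]},
    "a-0001.a-afdentry.net.trafficmanager.net.": {"A": ["203.0.113.10"]},
}


def is_empty_non_terminal(qname):
    """True if some name in the zone lies below qname, so qname exists."""
    return any(owner.endswith("." + qname) for owner in ZONE)


def correct_authoritative(qname, qtype):
    """RFC-conformant answer: NOERROR with an empty answer (NODATA) for an ENT."""
    rrs = ZONE.get(qname)
    if rrs is not None:
        return "NOERROR", rrs.get(qtype, [])
    if is_empty_non_terminal(qname):
        return "NOERROR", []
    return "NXDOMAIN", []


def broken_authoritative(qname, qtype):
    """Misbehaving server: answers NXDOMAIN for an ENT, which is what trips a
    minimising resolver running in strict mode."""
    rrs = ZONE.get(qname)
    if rrs is not None:
        return "NOERROR", rrs.get(qtype, [])
    return "NXDOMAIN", []


def resolve_minimised(qname, qtype, server, strict):
    """Simplified minimising resolver: query NS for each suffix of qname,
    from the TLD down, then send the full name with the real type.
    Returns (rcode, answers, list of (name, type, rcode) queries sent)."""
    labels = qname.rstrip(".").split(".")
    queries = []
    for i in range(len(labels) - 1, 0, -1):
        suffix = ".".join(labels[i:]) + "."
        rcode, _ = server(suffix, "NS")
        queries.append((suffix, "NS", rcode))
        if rcode == "NXDOMAIN":
            if strict:
                # qname-minimisation-strict: trust the NXDOMAIN and give up
                return "NXDOMAIN", [], queries
            # Relaxed mode: fall back to sending the full query name
            rcode, answers = server(qname, qtype)
            queries.append((qname, qtype, rcode))
            return rcode, answers, queries
    rcode, answers = server(qname, qtype)
    queries.append((qname, qtype, rcode))
    return rcode, answers, queries


if __name__ == "__main__":
    name = "a-0001.a-afdentry.net.trafficmanager.net."
    for label, server in (("correct", correct_authoritative),
                          ("broken", broken_authoritative)):
        for strict in (True, False):
            rcode, answers, queries = resolve_minimised(name, "A", server, strict)
            print(f"{label} server, strict={strict}: {rcode} {answers} "
                  f"after {len(queries)} queries (last: {queries[-1]})")
```

Running it shows the broken server combined with strict mode ending in NXDOMAIN after the third query, which matches the symptom in the thread of a CNAME target that never resolves to an A record, while the same server in relaxed mode and the correct server in either mode return the address.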

Thank you both! Indeed I have strict QNAME minimisation enabled.

Going on holiday this weekend so will only be able to follow up later, but thank you very much for the pointers!
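One way to carry out the cache check Fright suggests with unbound-control dump_cache, as an added example that is not part of the thread and not an OPNsense or Unbound tool: take a dump before the reload, reload Unbound, take a second dump, and compare which RRsets and message-cache entries survived. The parser follows the dump layout as I understand it (an RRset section with ";rrset" header lines followed by records in presentation format, and a message section with "msg" lines); the two sample dumps embedded below are constructed. Entries can also vanish simply because their TTL expired between the dumps, so take the two dumps close together, and disable Prefetch Support as Fright notes so that refreshed entries do not muddy the comparison.

```python
"""Compare two `unbound-control dump_cache` outputs taken before and after an
Unbound reload, to see whether cached RRsets and messages survived. Added
example; the sample dumps are constructed, not captured from a real resolver."""
import subprocess
import sys

UNBOUND_CONF = "/var/unbound/unbound.conf"  # path used in the thread

# Constructed sample dumps in the layout unbound-control prints: an RRset
# section (";rrset" header line, then RR lines) and a message section.
DUMP_BEFORE = """START_RRSET_CACHE
;rrset 3599 1 0 3 3
www.example.com.\t3599\tIN\tA\t192.0.2.10
;rrset 21599 1 0 3 3
example.net.\t21599\tIN\tNS\tns.example.net.
END_RRSET_CACHE
START_MSG_CACHE
msg www.example.com. IN A 33152 1 3599 0 1 0 0
END_MSG_CACHE
EOF
"""

DUMP_AFTER = """START_RRSET_CACHE
;rrset 21500 1 0 3 3
example.net.\t21500\tIN\tNS\tns.example.net.
END_RRSET_CACHE
START_MSG_CACHE
END_MSG_CACHE
EOF
"""


def parse_dump(text):
    """Return the set of (owner, type) RRsets and (qname, qtype) messages in a dump."""
    rrsets, msgs = set(), set()
    section = None
    for line in text.splitlines():
        if line == "START_RRSET_CACHE":
            section = "rrset"
        elif line == "START_MSG_CACHE":
            section = "msg"
        elif line.startswith("END_") or line == "EOF":
            section = None
        elif section == "rrset" and line and not line.startswith(";"):
            parts = line.split()          # owner  ttl  class  type  rdata
            if len(parts) >= 5:
                rrsets.add((parts[0], parts[3]))
        elif section == "msg" and line.startswith("msg "):
            parts = line.split()          # msg  qname  class  type  flags ...
            if len(parts) >= 4:
                msgs.add((parts[1], parts[3]))
    return rrsets, msgs


def compare_dumps(before, after):
    """Summarise what survived between the two dumps."""
    rr_b, msg_b = parse_dump(before)
    rr_a, msg_a = parse_dump(after)
    return {
        "rrsets_before": len(rr_b),
        "rrsets_after": len(rr_a),
        "rrsets_lost": sorted(rr_b - rr_a),
        "msgs_before": len(msg_b),
        "msgs_after": len(msg_a),
        "msgs_lost": sorted(msg_b - msg_a),
    }


def dump_cache_live():
    """Run the command from the thread and return its output (needs the
    rights to talk to the unbound-control socket)."""
    result = subprocess.run(
        ["unbound-control", "-c", UNBOUND_CONF, "dump_cache"],
        capture_output=True, text=True, check=True,
    )
    return result.stdout


if __name__ == "__main__":
    if len(sys.argv) == 3:
        # Save a dump before the reload, reload Unbound, save another, then:
        #   python3 compare_dump.py before.txt after.txt
        with open(sys.argv[1]) as f1, open(sys.argv[2]) as f2:
            summary = compare_dumps(f1.read(), f2.read())
    else:
        summary = compare_dumps(DUMP_BEFORE, DUMP_AFTER)
    for key, value in summary.items():
        print(f"{key}: {value}")
```

With the constructed samples the summary reports one of two RRsets and the only message entry lost, which is what a flushed cache looks like; a cache that survived the reload shows an empty rrsets_lost list apart from entries whose TTL ran out.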