drill -p 53530 rt1.home.arpa
# cat /var/unbound/etc/dot.conf server: do-not-query-localhost: no# Forward zonesforward-zone: name: "." forward-addr: 10.0.254.2@53forward-zone: name: "home.arpa" forward-addr: 127.0.0.1@53530
IP address of the authoritative DNS server for this domain, e.g. '192.168.100.100'. To use a nondefault port for communication, append an '@' with the port number.
tcpdump the packets ...
length 67: (tos 0x0, ttl 64, id 29113, offset 0, flags [none], proto UDP (17), length 63, bad cksum 0 (->af3)!) 127.0.0.1.39558 > 127.0.0.1.53530: [bad udp cksum 0xfe3e -> 0x2095!] UDP, length 35length 83: (tos 0x0, ttl 64, id 64085, offset 0, flags [none], proto UDP (17), length 79, bad cksum 0 (->8246)!)
rt1.home.arpa. 86400 IN A 192.168.31.1
drill -p 53530 doest-exist.rt1.home.arpa
rt1.home.arpa. 3600 IN SOA ns1.rt1.home.arpa. admin.srv1.home.arpa. 2304110436 21600 3600 3542400 3600
length 74: (tos 0x0, ttl 64, id 21684, offset 0, flags [none], proto UDP (17), length 70, bad cksum 0 (->27f1)!) 127.0.0.1.22926 > 127.0.0.1.53: [bad udp cksum 0xfe45 -> 0xbd2d!] 48201+ A? arch.srv1.home.arpa. (42)length 90: (tos 0x0, ttl 64, id 26192, offset 0, flags [none], proto UDP (17), length 86, bad cksum 0 (->1645)!) 127.0.0.1.53 > 127.0.0.1.22926: [bad udp cksum 0xfe55 -> 0x76c3!] 48201* q: A? arch.srv1.home.arpa. 1/0/0 arch.srv1.home.arpa. A 192.168.50.253 (58)
length 77: (tos 0x0, ttl 64, id 27142, offset 0, flags [none], proto UDP (17), length 73, bad cksum 0 (->129c)!) 127.0.0.1.50527 > 127.0.0.1.53: [bad udp cksum 0xfe48 -> 0x9789!] 26298+ A? doesnt-exist.srv2.home.arpa. (45)length 136: (tos 0x0, ttl 64, id 23218, offset 0, flags [none], proto UDP (17), length 132, bad cksum 0 (->21b5)!) 127.0.0.1.53 > 127.0.0.1.50527: [bad udp cksum 0xfe83 -> 0xe7fd!] 26298 NXDomain* q: A? doesnt-exist.srv2.home.arpa. 0/1/0 ns: home.arpa. SOA localhost. nobody.invalid. 1 3600 1200 604800 10800 (104)
length 63: (tos 0x0, ttl 64, id 19475, offset 0, flags [none], proto UDP (17), length 59, bad cksum 0 (->309d)!) 127.0.0.1.41417 > 127.0.0.1.53: [bad udp cksum 0xfe3a -> 0x25ed!] 5216+ A? rt1.home.arpa. (31)length 122: (tos 0x0, ttl 64, id 11664, offset 0, flags [none], proto UDP (17), length 118, bad cksum 0 (->4ee5)!) 127.0.0.1.53 > 127.0.0.1.41417: [bad udp cksum 0xfe75 -> 0x8461!] 5216 NXDomain* q: A? rt1.home.arpa. 0/1/0 ns: home.arpa. SOA localhost. nobody.invalid. 1 3600 1200 604800 10800 (90)
Could you try a domain override instead? I don't use Unbound much, so I'm guessing.
Domain overrides has been superseded by Query Forwarding. Query forwarding also allows you to forward every single request.
Loopback 2023-04-16T15:23:42 127.0.0.1:53 127.0.0.1:21181 udp let out anything from firewall host itselfLoopback 2023-04-16T15:23:42 127.0.0.1:21181 127.0.0.1:53 udp let out anything from firewall host itself
Loopback 2023-04-16T15:52:42 127.0.0.1:53530 127.0.0.1:7476 udp let out anything from firewall host itselfLoopback 2023-04-16T15:52:42 127.0.0.1:7476 127.0.0.1:53530 udp let out anything from firewall host itself
home.arpa. 10800 IN SOA localhost. nobody.invalid. 1 3600 1200 604800 10800
drill -p 5353 @::1 google.com
Does Unbound have any IPv6 listen address active? Could you switch to 127.0.0.1 instead?
Edit: thnking about that idea - do you have unbound configured for specific interfaces only? Could you change that back to "Any (recommended)"?
Remove all the network interfaces to let it switch back to "any" or "all" however that is phrased - just for a test, please.
# dig +short version.bind chaos txt"unbound 1.17.1"# drill rt1.home.arpa;; ->>HEADER<<- opcode: QUERY, rcode: NXDOMAIN, id: 43511;; flags: qr aa rd ra ; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0 ;; QUESTION SECTION:;; rt1.home.arpa. IN A;; ANSWER SECTION:;; AUTHORITY SECTION:home.arpa. 10800 IN SOA localhost. nobody.invalid. 1 3600 1200 604800 10800;; ADDITIONAL SECTION:;; Query time: 0 msec;; SERVER: 127.0.0.1;; WHEN: Mon Apr 17 00:10:31 2023;; MSG SIZE rcvd: 90
# dig +short version.bind chaos txt -p 53530"9.16.36"# drill -p 53530 rt1.home.arpa;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 34820;; flags: qr aa rd ra ; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0 ;; QUESTION SECTION:;; rt1.home.arpa. IN A;; ANSWER SECTION:rt1.home.arpa. 86400 IN A 192.168.31.1;; AUTHORITY SECTION:;; ADDITIONAL SECTION:;; Query time: 0 msec;; SERVER: 127.0.0.1;; WHEN: Mon Apr 17 00:10:53 2023;; MSG SIZE rcvd: 47
Unbound DNS cluster with BIND or NSD master serverUnbound is the perfect front line soldier for DNS queries from LAN clients. It is fast, reliable, stable and very secure. BIND (named) or NSD (Name Server Daemon) can be kept on the back end network to be an authoritative DNS to the Unbound cluster. This way you keep your primary DNS data segregated and unencumbered on the BIND or NSD server while the Unbound cluster servers do the resolving, caching and validation of zones for clients.The idea is to have a few Unbound validating, recursive and caching DNS servers which LAN clients can query. Then use BIND (named) as an authoritative server which can resolve internal LAN names only. LAN clients will NEVER access the BIND DNS server and BIND will never go out to the Internet. BIND's only job is to serve internal names to the Unbound DNS server cluster. The Unbound cluster will serve all LAN clients. If Unbound needs to resolve a private ip it will ask the BIND server for ips and then cache the response. If the client needs an external ip, lets say from google.com or cnn.com, Unbound will recursively query the Internet root DNS servers and cache the response.
Lets say our private NSD or BIND server is authoritative for this internal LAN domain:home.lanWe need to tell the Unbound cluster servers that if they are looking for the private home.lan domain to ask the authoritative DNS server, otherwise go check with the root DNS servers. The NSD server's ip is 10.0.0.111 as in the ASCII diagram.Pay special attention to the stub-zone directive we are using. Stub-zone is only used to point queries to an authoritative server like a NSD dns server. The forward-zone directive can only be used to point queries to a resolving dns server like OpenDNS.com or you local ISP's caching server. The two are not interchangeable.
## Add this to the bottom of example #2's unbound.conf configuration## Check out our NSD Tutorial at https://calomel.org/nsd_dns.html # This local-zone line will tell unbound that private addresses like # 10.0.0.0/8 can send queries to a stub zone authoritative server like NSD. local-zone: "10.in-addr.arpa." nodefault # This is the FORWARD lookup stub zone pointing to the NSD authoritative # server. When a client queries for firewall.home.lan the question is sent # to the NSD server located at 10.0.0.111 and NSD returns the answer # "10.0.0.1". stub-zone: name: "home.lan" stub-addr: 10.0.0.111 # This is the REVERSE (rDNS) dns lookup for the home.lan zone. When a client # asks for the hostname belonging to the ip address 10.0.0.1 the NSD # authoritative server at 10.0.0.111 will send back the answer # "firewall.home.lan". stub-zone: name: "10.in-addr.arpa." stub-addr: 10.0.0.111
That's about it. A client asking for an internal dns hostname like, laptop.home.lan.lan will make Unbound query the NSD server (10.0.0.111); the answer will be cached by Unbound for later queries. Any other queries for external hostnames (calomel.org for example) from LAN clients will have Unbound go to Internet servers for the answer. Clients can now query the Unbound cluster for any hostnames they want and we do not have to worry about our primary NSD dns servers being abused or overloaded. This setup is mainly designed to segregate the authoritative server off by itself and keep the primary DNS configuration safe.