Unbound does not resolve an us.to domain

Started by cobrax2, July 13, 2024, 09:37:58 AM

Hi
So I have a DDNS domain, let's call it xxx.us.to. It gets updated fine to my IP with the built-in DDNS client with the afraid.org site.
The problem is that if I try to access it from my network, it does not resolve. From other networks it works fine. From what I can see in the logs, when I try to ping it, unbound searches it as xxx.us.to.home.arpa. Why would it think to add my local, nonexistent domain to it? I never told the system that this is my domain. Also, I have another DDNS domain that gets updated via the same built-in DDNS client, xxx.nsupdate.info. This one gets resolved just fine...
Anything I can do?
Thanks
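As an added illustration (not from any poster), here is a small Python script that scans unbound query-log lines for exactly the symptom described above: a multi-label public name that arrives at unbound with the local search domain appended. The stub resolver on the client appends the search suffix after the plain name fails, so these lines identify the querying client and the base name whose direct lookup is failing. The log format and the log lines themselves are assumed and constructed for the example.

```python
import re
from collections import defaultdict

# Assumed unbound query-log line shape (log-queries: yes):
#   [ts] unbound[pid:tid] info: <client> <qname>. <qtype> <qclass>
LOG_RE = re.compile(
    r"info: (?P<client>\S+) (?P<qname>\S+?)\.? (?P<qtype>\S+) (?P<qclass>\S+)$"
)

# Constructed sample log, modelled on the thread's scenario.
SAMPLE_LOG = """\
[1720860000] unbound[12345:0] info: 10.0.0.5 xxx.us.to.home.arpa. A IN
[1720860001] unbound[12345:0] info: 10.0.0.5 xxx.us.to.home.arpa. AAAA IN
[1720860002] unbound[12345:0] info: 10.0.0.5 xxx.nsupdate.info. A IN
[1720860003] unbound[12345:0] info: 10.0.0.7 printer.home.arpa. A IN
[1720860004] unbound[12345:0] info: 10.0.0.5 usac.us.to.home.arpa. A IN
"""


def parse_queries(text):
    """Return a list of dicts (client, qname, qtype, qclass) for parsable lines."""
    out = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            out.append(m.groupdict())
    return out


def suffixed_public_names(queries, local_domain):
    """Map base_name -> {client: count} for queries where a name that is
    itself dotted (e.g. xxx.us.to) was queried with local_domain appended.
    Single-label hosts such as printer.home.arpa are legitimate and skipped."""
    suffix = "." + local_domain.strip(".")
    hits = defaultdict(lambda: defaultdict(int))
    for q in queries:
        name = q["qname"]
        if not name.endswith(suffix):
            continue
        base = name[: -len(suffix)]
        if "." in base:  # base already looks like a public FQDN
            hits[base][q["client"]] += 1
    return {b: dict(c) for b, c in hits.items()}


if __name__ == "__main__":
    for base, clients in suffixed_public_names(parse_queries(SAMPLE_LOG), "home.arpa").items():
        print(f"{base}: direct lookup likely failing; search suffix added by {clients}")
```

Run it against `/var/log/resolver/latest.log` (or wherever your unbound query log lands) with the domain from System -> Settings -> General to see which names and clients are affected.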

Potentially, you have a local machine that has this name and takes its LAN IP via DHCP. Probably, you have set Unbound to use DHCP leases as names, such that locally, the IP gets resolved to the LAN IP?

Or you have a local override?
Intel N100, 4 x I226-V, 16 GByte, 256 GByte NVME, ZTE F6005

1100 down / 440 up, Bufferbloat A+

July 13, 2024, 10:08:37 AM #2 Last Edit: July 13, 2024, 10:10:17 AM by cobrax2
The router itself is called 'xxx', but not us.to. And it started doing this only after I changed the LAN addresses from 192.x to 10.x. Yes, I have it set to register DHCP leases, but it had no problem until now.
Edit: disabled leases, still the same

I've seen such unbound requests for local hosts with .home.arpa added in the logs and never really understood what was going on in unbound.

What is set in System -> Settings -> General as the Domain?
kind regards
chemlud
____
"The price of reliability is the pursuit of the utmost simplicity."
C.A.R. Hoare

felix eichhorns premium katzenfutter mit der extraportion energie

A router is not a switch - A router is not a switch - A router is not a switch - A rou....

Well, now I set it to home.arpa. Before, it was something random, like xxdomain. And unbound added that to my us.to. So, whatever I put there gets added. Lol, just had an idea, I'll try to put nothing.
Edit: it won't let me, I have to put something lol

The Domain was NOT .home.arpa but unbound added it to the search anyway? Correct?

Quote from: cobrax2 on July 13, 2024, 10:08:37 AM
Edit: disabled leases, still the same

That alone will not help. The DNS entry still exists after that in /var/unbound/dhcpleases.conf, you have to delete the entry manually and restart unbound.

Quote from: chemlud on July 13, 2024, 11:19:55 AM
The Domain was NOT .home.arpa but unbound added it to the search anyway? Correct?
No. Whatever domain I set gets added by unbound. If I set domain 'xxxxx', it gets added.

July 13, 2024, 11:55:24 AM #8 Last Edit: July 13, 2024, 11:57:17 AM by cobrax2
Quote from: meyergru on July 13, 2024, 11:33:47 AM
Quote from: cobrax2 on July 13, 2024, 10:08:37 AM
Edit: disabled leases, still the same

That alone will not help. The DNS entry still exists after that in /var/unbound/dhcpleases.conf, you have to delete the entry manually and restart unbound.
I have checked the 'flush DNS on restart'. That is not enough either?
Also, I would not disable these DHCP names unless I can't find another solution, as this would make it impossible to find a PC in the LAN with only its name, right?

July 13, 2024, 12:31:59 PM #9 Last Edit: July 13, 2024, 12:37:55 PM by meyergru
I would not say that - the machines in my network simply do not have names within official domains. Actually, they only have the name without any domain suffix. How I make them available from the outside is a completely different story.

Conceptually, these are different, too: Say, for instance, you have a docker VM in your network. All of its services reside on its DMZ IP, which gets referred to by, say, "docker". In order to make the services available, you either use port-forwarding or a reverse proxy, which is externally available via a full domain name like "www.xyz.com".

The mechanism for DHCP leases just creates a DNS entry for unbound upon lease. It stays around until that lease expires. Alas, even if you edit the lease to be a permanent reservation, the old DNS entry does not get deleted and still points to the initial IP. You can file a bug on GitHub, if you like, but as I understand it, OPNsense moved to Kea now from ISC DHCP and AFAIK that bug exists there too.


I did not have this issue for a year now. I had to change the LAN addresses from 192.x to 10.x and only then this issue appeared. So it must have a cause related to that, I think. Also, why did unbound choose this DDNS domain to be added? I have 2 of them, the other one resolves fine. And us.to is not even the first of the two in the DDNS client updater.

Just had an idea. It looks like unbound can't resolve ANY us.to domains! For example usac.us.to
What gives?

Blocklists activated in unbound?

Yes, but I tried adding an exception, also disabling it completely, same.

Suricata at work?