EFA Unbound and reverse DNS.

Questions and answers about how to do stuff
henk
Posts: 517
Joined: 14 Dec 2015 22:16
Location: Netherlands

EFA Unbound and reverse DNS.

Post by henk »

The current EFA setup enables the Unbound DNS server. DNS queries are forwarded to our own DNS server(s). Works fine.
However, when I want to query local addresses or reverse DNS it doesn't work on the EFA server.

Test dns forwarding on the EFA server

dig test.uribl.com.multi.uribl.com txt +short
"permanent testpoint"

or

dig 2.0.0.127.zen.spamhaus.org +short
127.0.0.4
127.0.0.2
127.0.0.10
But dig with any FQDN in my internal zone(s) fails. Same for reverse DNS:

dig sambaad.example.com +short

or the reverse lookup of sambaad.example.com (172.16.1.117):

dig -x 172.16.1.117 +short
Since every situation is different, it's quite difficult to give an example that will fit all. I sure would like some info from those who have knowledge of Unbound and how they configured it. Please let me know.


The working setup (no need to mention that the network/zones must match your configuration!):

In my network I have 3 DNS servers.

1. The primary DNS: SAMBA4 AD server running BIND 9. Authoritative for example.com and forwarding to the pfSense server.
2. The secondary DNS and gateway: pfSense, also running Unbound for DNS and forwarding to my provider's DNS servers.
3. The EFA server, forwarding everything to the first two DNS servers depending on the zone.

All servers have multiple interfaces in different zones, but I will remove the other interfaces and zones from this example.
The IP addresses are not the actual IPs, but chosen just to make sense in this example.

SAMBA4 AD requires being the primary DNS server to function properly, since AD and DNS are very closely related.
It took me some time to get DNS working to resolve internal zones.

On all my internal networks IPv6 is disabled.
On the primary SAMBA4 AD server running BIND 9:

acl internals {
    127/8;
    172.16.0.0/16;   // LAN network
};
On the EFA server:


cat /etc/resolv.conf
search example.com.
nameserver 127.0.0.1
nameserver 172.16.1.117 # SAMBA4 AD
nameserver 172.16.1.61 # PFSENSE

Forward all queries to the pfSense box:

cat /etc/unbound/conf.d/forwarders.conf
forward-zone:
    name: "."
    forward-addr: 172.16.1.61   # pfSense
    forward-first: yes

Modifications in /etc/unbound/unbound.conf:

server:
    # restrict DNS EFA
    interface: 127.0.0.1
    outgoing-interface: 172.16.1.115   # LAN interface EFA
    # Enable IPv4, "yes" or "no".
    do-ip4: yes
    # Enable IPv6, "yes" or "no".
    do-ip6: no
    # Unbound ships a default (static) local-zone for 16.172.in-addr.arpa. that
    # answers NXDOMAIN; switch it off so the stub-zone below is consulted.
    local-zone: "16.172.in-addr.arpa." nodefault

remote-control:
    control-interface: 127.0.0.1

# Forward zones
forward-zone:
    name: "example.com"
    forward-addr: 172.16.1.117   # SAMBA4 AD
    forward-first: yes

stub-zone:
    name: "16.172.in-addr.arpa."
    stub-addr: 172.16.1.117   # SAMBA4 AD

Restart Unbound and try:

for i in $(seq 1 5); do dig +noall +answer +stats A sambaad.example.com | sed -n '1,2p'; done

dig sambaad.example.com

or the reverse lookup of sambaad.example.com (172.16.1.117):

dig -x 172.16.1.117
“We are stuck with technology when what we really want is just stuff that works.” -Douglas Adams
pdwalker
Posts: 1553
Joined: 18 Mar 2015 09:16

Re: EFA Unbound and reverse DNS.

Post by pdwalker »

Thank you. I was just thinking about setting this up a couple of minutes ago, but you've already done all the hard work of figuring it out.

Much appreciated!
henk
Posts: 517
Joined: 14 Dec 2015 22:16
Location: Netherlands

Re: EFA Unbound and reverse DNS. authoritative or not

Post by henk »

Useful note: There is a difference between forward zones and stub zones. Stub zones will only work when connected to an authoritative DNS server directly. This would work for lookups from a BIND DNS server if it is providing authoritative DNS, but if you are referring queries to an Unbound server in which internal lookups are forwarded on to another DNS server, then defining the referral as a stub zone on the machine here will not work. In that case it is necessary to define a forward zone as above, since forward zones can daisy-chain lookups onward to other DNS servers, i.e. forward zones can refer queries to recursive DNS servers. This distinction is important, as you do not get any error messages indicating what the problem is if you use a stub zone inappropriately.

The link: https://wiki.archlinux.org/index.php/un ... ng_queries

Change from stub to forward zones:

forward-zone:
    name: "example.com"
    forward-addr: 172.16.1.117   # SAMBA4 AD with BIND 9 as DNS
    forward-first: yes

forward-zone:
    name: "16.172.in-addr.arpa."
    forward-addr: 172.16.1.117   # SAMBA4 AD

server:
    local-zone: "16.172.in-addr.arpa." transparent
Restart Unbound:

service unbound restart

Check DNS:

unbound-host -C /etc/unbound/unbound.conf -v sambaad.example.com
Aug 12 21:43:12 libunbound[11839:0] notice: init module 0: iterator
sambaad.example.com has address 172.16.1.117 (insecure)
sambaad.example.com has no IPv6 address (insecure)
sambaad.example.com has no mail handler record (insecure)
 
shawniverson
Posts: 3644
Joined: 13 Jan 2014 23:30
Location: Indianapolis, Indiana USA

Re: EFA Unbound and reverse DNS.

Post by shawniverson »

henk
Posts: 517
Joined: 14 Dec 2015 22:16
Location: Netherlands

Re: EFA Unbound and reverse DNS.

Post by henk »

The blessing of conf.d: no need to touch the original unbound.conf provided by EFA.

/etc/resolv.conf

search example.com.
nameserver 127.0.0.1

/etc/unbound/conf.d/forwarders.conf

forward-zone:
  name: "."
  forward-addr: 172.16.1.61      # pfSense
  forward-first: yes

/etc/unbound/conf.d/unbound.conf

# The server clause sets the main parameters.
server:
        interface: 127.0.0.1
        outgoing-interface: 172.16.1.115
        do-ip4: yes
        cache-min-ttl: 900
        hide-identity: yes
        hide-version: yes
        private-domain: "example.com"
        private-address: 172.16.0.0/16

        # control which clients are allowed to make (recursive) queries
        access-control: 127.0.0.0/8 allow

        local-zone: "16.172.in-addr.arpa." transparent

remote-control:
        control-interface: 127.0.0.1

# Forward zones
forward-zone:
      name: "example.com"
      forward-host: sambaad.example.com        # SAMBA AD 
      forward-first: yes

forward-zone:
      name: "16.172.in-addr.arpa."
      forward-host: sambaad.example.com        # SAMBA AD
      forward-first: yes
For those who want to add some, or a lot of, Unbound statistics to munin: https://www.unbound.net/documentation/h ... stics.html

Check stats:

unbound-control stats_noreset
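The config above is written by hand for one /16 and one zone. The following is an added example (my code, not EFA's, Unbound's or henk's) that derives the in-addr.arpa zone name from the RFC1918 prefix and renders the same split-horizon forwarding fragment: forward-zone blocks for the internal zones and their reverse zones pointing at the internal server by address, a root forward-zone to the upstream resolver, and the server: options that private reverse lookups need. The zone, prefix and addresses in the usage line mirror the thread and are assumptions; the function names are mine.

```python
"""Render an Unbound split-horizon forwarding fragment (added example, not Unbound/EFA code).

Mirrors the thread's setup: internal zones and their reverse zones go to the
SAMBA4 AD server, everything else goes to the upstream resolver.
Values in __main__ are constructed to match the thread, not real infrastructure.
"""
import ipaddress


def reverse_zone(cidr: str) -> str:
    """Return the in-addr.arpa. zone covering an octet-aligned IPv4 prefix.

    172.16.0.0/16 -> 16.172.in-addr.arpa.   10.0.0.0/8 -> 10.in-addr.arpa.
    Non octet-aligned prefixes (e.g. /12) span several zones and are rejected.
    """
    net = ipaddress.ip_network(cidr, strict=True)
    if net.version != 4 or net.prefixlen not in (8, 16, 24):
        raise ValueError(f"{cidr}: only /8, /16 and /24 map onto a single in-addr.arpa zone")
    octets = str(net.network_address).split(".")[: net.prefixlen // 8]
    return ".".join(reversed(octets)) + ".in-addr.arpa."


def render_forwarders(internal_zones, internal_cidrs, internal_ns, upstream) -> str:
    """Render an unbound.conf fragment.

    internal_zones: forward zones served by the internal (AD) server, e.g. ["example.com."]
    internal_cidrs: RFC1918 prefixes whose PTR records live on that server
    internal_ns:    IP address of the internal server.  An address on purpose: a
                    forward-host name inside the forwarded zone can only be
                    resolved through that very forwarder (see the bug-fix post).
    upstream:       IP address of the resolver for everything else
    """
    for ip in (internal_ns, upstream):
        ipaddress.ip_address(ip)  # raises ValueError if a hostname is passed
    rev_zones = [reverse_zone(c) for c in internal_cidrs]

    out = ["server:"]
    # Unbound's built-in local-zone for RFC1918 reverse space is "static" and
    # answers NXDOMAIN; "transparent" overrides it (also for a subzone) so the
    # query reaches the forward-zone below.
    for rz in rev_zones:
        out.append(f'    local-zone: "{rz}" transparent')
    # private-address turns on DNS-rebinding protection for these prefixes;
    # private-domain whitelists the internal zones that may return them.
    for c in internal_cidrs:
        out.append(f"    private-address: {c}")
    for z in internal_zones:
        out.append(f'    private-domain: "{z}"')
    out.append("")
    # No forward-first on internal zones: with it, an outage of the internal
    # server makes Unbound recurse to the public root for example.com and the
    # private reverse space, leaking internal names upstream.
    for z in internal_zones + rev_zones:
        out += ["forward-zone:", f'    name: "{z}"', f"    forward-addr: {internal_ns}", ""]
    out += ["forward-zone:", '    name: "."', f"    forward-addr: {upstream}", "    forward-first: yes"]
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    # Constructed values mirroring the thread.
    print(render_forwarders(["example.com."], ["172.16.0.0/16"], "172.16.1.117", "172.16.1.61"))
```

Write the output to a file under /etc/unbound/conf.d/ and run `unbound-checkconf` before restarting; the fragment deliberately leaves `forward-first` off the internal zones, which differs from the posted config, so that a dead AD server produces SERVFAIL instead of a query for your internal names to the public root servers.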
henk
Posts: 517
Joined: 14 Dec 2015 22:16
Location: Netherlands

bug-fix EFA Unbound and reverse DNS.

Post by henk »

Had some strange issues resolving some local DNS names on EFA. The check: viewtopic.php?t=3032
As EFA uses 127.0.0.1 as nameserver, and Unbound uses conditional forwarding to the pfSense box or the SAMBA4 box, it's strange that it works in this last example (there is no entry for SAMBA4 in /etc/hosts).
Unbound should not be able to resolve the example.com DNS names without the resolved IP of sambaad.example.com in the first place.

A restart of Unbound will fix it, but it makes no sense. After some time, Unbound cannot resolve sambaad.example.com (that makes sense).

This is a complete mystery to me. I'd sure like to know if someone can explain this.

To fix this I changed the forwarder hostname to the forwarder IP address, bypassing the resolution of sambaad.example.com.

forward-addr: 172.16.1.117            # SAMBA AD

To check the DNS sequence and caching, use tcpdump on the outgoing interface, and dig some local hosts and some outside your network.

tcpdump -i eth1 port 53 -X

dig sambaad.example.com

It sure improves resolving hostnames and eliminates the DNS ping-pong.
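The failure mode in this post (a `forward-host` that resolves only until the cached answer expires) is worth catching before deployment. unbound.conf(5) documents that a `forward-host`/`stub-host` name "is itself resolved before it is used"; when that name lies inside a zone that is only reachable through the same forwarder, Unbound has no independent path to the address once its cache entry times out. Below is an added example (my code, not Unbound's, EFA's or henk's) that parses the `forward-zone:`/`stub-zone:` blocks out of an Unbound config and flags any host-by-name forwarder that sits inside a forwarded or stub zone. The parser covers only the `section:` / `key: value` subset of the format needed for this check; the sample configs are constructed to mirror the thread's broken and fixed versions.

```python
"""Flag Unbound forward-host/stub-host entries that cannot be bootstrapped.

Added example, not Unbound or EFA code.  Sample configs below are constructed
to mirror the thread (forward-host: sambaad.example.com inside the example.com
forward-zone) and its fix (forward-addr with the server's IP).
"""


def parse_zones(text):
    """Return a list of {kind, name, hosts, addrs} for each forward-zone:/stub-zone: block.

    Only the flat "section:" / "key: value" layout is handled; comments (#) and
    indentation are ignored, as are server:/remote-control: options.
    """
    zones, current = [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(":")       # first colon only, so IPv6 values survive
        key, value = key.strip(), value.strip().strip('"')
        if not value:                              # a bare "section:" line
            current = None
            if key in ("forward-zone", "stub-zone"):
                current = {"kind": key, "name": None, "hosts": [], "addrs": []}
                zones.append(current)
            continue
        if current is None:
            continue
        if key == "name":
            current["name"] = value
        elif key in ("forward-host", "stub-host"):
            current["hosts"].append(value)
        elif key in ("forward-addr", "stub-addr"):
            current["addrs"].append(value)
    return zones


def _norm(name):
    return name.lower().rstrip(".") + "."


def in_zone(name, zone):
    """True if name equals zone or is below it (case-insensitive, trailing dot optional)."""
    if _norm(zone) == ".":
        return True
    name, zone = _norm(name), _norm(zone)
    return name == zone or name.endswith("." + zone)


def unresolvable_forwarders(text):
    """Warnings for host-by-name forwarders that live inside a forwarded/stub zone."""
    zones = parse_zones(text)
    warnings = []
    for z in zones:
        for host in z["hosts"]:
            for other in zones:
                # Root forwarding is skipped: every name is under "." and the
                # thread does not cover forward-host on the root zone.
                if other["name"] in (None, "."):
                    continue
                if in_zone(host, other["name"]):
                    warnings.append(
                        f'{z["kind"]} "{z["name"]}": {host} lies inside {other["kind"]} '
                        f'"{other["name"]}" and can only be resolved through that forwarder; '
                        f"use {z['kind'].split('-')[0]}-addr with its IP instead")
    return warnings


# Constructed sample mirroring the thread's conf.d files (broken variant).
BROKEN_CONF = """\
forward-zone:
  name: "."
  forward-addr: 172.16.1.61      # pfSense
  forward-first: yes

server:
        interface: 127.0.0.1
        local-zone: "16.172.in-addr.arpa." transparent

remote-control:
        control-interface: 127.0.0.1

forward-zone:
      name: "example.com"
      forward-host: sambaad.example.com        # SAMBA AD
      forward-first: yes

forward-zone:
      name: "16.172.in-addr.arpa."
      forward-host: sambaad.example.com        # SAMBA AD
      forward-first: yes
"""
# The thread's fix: forward by address instead of by name.
FIXED_CONF = BROKEN_CONF.replace("forward-host: sambaad.example.com", "forward-addr: 172.16.1.117")

if __name__ == "__main__":
    for label, conf in (("broken", BROKEN_CONF), ("fixed", FIXED_CONF)):
        print(label, unresolvable_forwarders(conf) or "ok")
```

Run it against the concatenation of /etc/unbound/unbound.conf and the files in /etc/unbound/conf.d/ (`cat /etc/unbound/unbound.conf /etc/unbound/conf.d/*.conf | python3 check.py` after switching `__main__` to read stdin); `unbound-checkconf` will not report this case, because the configuration is syntactically valid.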