From: Konstantin Belousov
To: Dmitry Morozovsky
Cc: freebsd-stable@FreeBSD.org
Subject: Re: stable/10: unbound refuses to forward some DNS queries
Date: Sun, 29 Jun 2014 17:59:05 +0300
Message-ID: <20140629145905.GG93733@kib.kiev.ua>
User-Agent: Mutt/1.5.23 (2014-03-12)
On Sun, Jun 29, 2014 at 03:28:26PM +0400, Dmitry Morozovsky wrote:
> Dear colleagues,
> 
> after upgrading my home file server to stable/10 I found that, after turning on
> local unbound, reverse DNS queries for my RFC1918 zone stop working:
> 
> root@hamster:/# host 192.168.33.1
> 1.33.168.192.in-addr.arpa domain name pointer jennie.wpub.woozle.net.
> root@hamster:/# host 192.168.33.1 127.1
> Using domain server:
> Name: 127.1
> Address: 127.0.0.1#53
> Aliases:
> 
> Host 1.33.168.192.in-addr.arpa not found: 3(NXDOMAIN)
> 
> Moreover, turning on unbound verbosity, I do not actually see the right queries on the
> outgoing interface:
> 
> root@hamster:/# tcpdump -nvvilo0 port 53
> tcpdump: listening on lo0, link-type NULL (BSD loopback), capture size 65535 bytes
> 15:18:39.304353 IP (tos 0x0, ttl 64, id 4862, offset 0, flags [none], proto UDP (17), length 71, bad cksum 0 (->69a6)!)
>     127.0.0.1.13508 > 127.0.0.1.53: [bad udp cksum 0xfe46 -> 0xaf70!] 52525+ PTR? 1.33.168.192.in-addr.arpa. (43)
> 15:18:39.304400 IP (tos 0x0, ttl 64, id 4863, offset 0, flags [none], proto UDP (17), length 130, bad cksum 0 (->696a)!)
>     127.0.0.1.53 > 127.0.0.1.13508: [bad udp cksum 0xfe81 -> 0x0ce5!] 52525 NXDomain* q: PTR? 1.33.168.192.in-addr.arpa. 0/1/0 ns: 168.192.in-addr.arpa. SOA localhost. nobody.invalid. 1 3600 1200 604800 10800 (102)
> 
> and no query to the forward server.
> 
> configs are standard, generated by the unbound setup script:
> 
> ==> /var/unbound/forward.conf <==
> # Generated by local-unbound-setup
> forward-zone:
>         name: .
>         forward-addr: 192.168.33.2
> 
> ==> /var/unbound/unbound.conf <==
> # Generated by local-unbound-setup
> server:
>         username: unbound
>         directory: /var/unbound
>         chroot: /var/unbound
>         pidfile: /var/run/local_unbound.pid
>         auto-trust-anchor-file: /var/unbound/root.key
> 
> include: /var/unbound/forward.conf
> 
> Any hints? Or did I miss something trivial?

I think, yes, you are supposed to spend an hour reading the unbound.conf
man page, without skipping a single config option. Otherwise,
making unbound(8) work as a local caching resolver for the private network
is impossible. The 'log-queries' and 'verbosity' options would allow you to see
what is going on.

For the fake home. TLD and 192.168/16 network, I have to tell unbound that
the zones are not signed, and that it is fine to forward RFC1918 addresses to
the upstream. I use the following magic (for upstream forwarder
192.168.102.80). No idea if this could be simplified.

domain-insecure: "home."
domain-insecure: "168.192.in-addr.arpa."
private-domain: "home."
local-zone: "168.192.in-addr.arpa." transparent

stub-zone:
        name: "168.192.in-addr.arpa."
        stub-addr: 192.168.102.80
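The NXDOMAIN in the tcpdump above comes from unbound's built-in default local-zones: unbound.conf(5) ships the RFC 1918 reverse zones (10.in-addr.arpa., 16.172.in-addr.arpa. through 31.172.in-addr.arpa., 168.192.in-addr.arpa.) as "static" zones answered locally with the synthetic "localhost. nobody.invalid." SOA, and with auto-trust-anchor-file turned on the forwarded answer would additionally fail DNSSEC validation. The script below is an added example, not code from the thread or from the unbound project: it maps a PTR name or an IPv4 prefix onto the default zone(s) that swallow it and renders the per-zone stanza the reply uses (domain-insecure, local-zone ... transparent, stub-zone). It generalizes the reply's single 192.168/16 case to the 172.16/12 range, which is sixteen separate /16 zones in unbound, not one. The prefix 192.168.33.0/24, the LAN server 192.168.33.2 and the "home" TLD are taken from the thread; everything else is an assumption for illustration. Newer unbound releases also offer `unblock-lan-zones: yes` and `insecure-lan-zones: yes`, which lift all of the built-in RFC 1918 reverse zones at once; the explicit per-zone form shown here matches the reply.

```python
"""Added example (not from the thread): work out which of unbound's default
RFC 1918 reverse zones answer a PTR query locally, and emit the unbound.conf
stanza that lets such queries reach a LAN authoritative server instead."""
import ipaddress
from typing import Dict, List, Optional

# Default local-zones from unbound.conf(5) for RFC 1918 space. They are served
# as "static" with SOA "localhost. nobody.invalid.", i.e. the NXDOMAIN seen in
# the tcpdump. Note that 172.16/12 is covered by sixteen /16 zones.
DEFAULT_RFC1918_ZONES: Dict[str, ipaddress.IPv4Network] = {
    "10.in-addr.arpa.": ipaddress.ip_network("10.0.0.0/8"),
    **{f"{i}.172.in-addr.arpa.": ipaddress.ip_network(f"172.{i}.0.0/16")
       for i in range(16, 32)},
    "168.192.in-addr.arpa.": ipaddress.ip_network("192.168.0.0/16"),
}


def blocking_zone(ptr_name: str) -> Optional[str]:
    """Default zone that answers NXDOMAIN for ptr_name, or None if it would
    be resolved normally. '1.33.168.192.in-addr.arpa.' -> '168.192.in-addr.arpa.'"""
    name = ptr_name.lower().rstrip(".") + "."
    for zone in DEFAULT_RFC1918_ZONES:
        if name == zone or name.endswith("." + zone):
            return zone
    return None


def zones_for_prefix(cidr: str) -> List[str]:
    """All default zones overlapping an IPv4 prefix (a /12 spans 16 of them)."""
    net = ipaddress.ip_network(cidr, strict=False)
    if net.version != 4:
        return []
    return [z for z, blk in DEFAULT_RFC1918_ZONES.items() if net.overlaps(blk)]


def unbound_stanza(cidr: str, stub_addr: str, lan_domain: Optional[str] = None) -> str:
    """Render server: options plus one stub-zone: per affected reverse zone.

    domain-insecure        the LAN zone is unsigned; skip DNSSEC validation for it
                           (validation is on because of auto-trust-anchor-file)
    local-zone transparent override the built-in static zone so the query is
                           resolved instead of answered locally with NXDOMAIN
    stub-zone              send queries for the zone to the LAN name server
    private-domain         permit RFC 1918 addresses in answers for the LAN TLD
    """
    zones = zones_for_prefix(cidr)
    if not zones:
        raise ValueError(f"{cidr} is not RFC 1918 space; unbound does not block it")
    out = ["server:"]
    if lan_domain:
        d = lan_domain.rstrip(".") + "."
        out += [f'    domain-insecure: "{d}"', f'    private-domain: "{d}"']
    for z in zones:
        out += [f'    domain-insecure: "{z}"', f'    local-zone: "{z}" transparent']
    for z in zones:
        out += ["", "stub-zone:", f'    name: "{z}"', f"    stub-addr: {stub_addr}"]
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    # Constructed input mirroring the thread: 192.168.33.0/24, LAN server at .2
    print("query answered locally by:", blocking_zone("1.33.168.192.in-addr.arpa."))
    print(unbound_stanza("192.168.33.0/24", "192.168.33.2", lan_domain="home"))
```

After dropping the rendered stanza into /var/unbound/unbound.conf, `unbound-checkconf` confirms the syntax and `drill -x 192.168.33.1 @127.0.0.1` (or the `host` invocation from the original post) should now return the PTR record from the LAN server rather than the synthetic NXDOMAIN.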