Header RSS Feed
 
If you only want to see the articles of a certain category, please click on the desired category below:
ALL Android Backup BSD Database Hacks Hardware Internet Linux Mail MySQL Monitoring Network Personal PHP Proxy Shell Solaris Unix Virtualization VMware Windows Wyse

Unbound DNS not serving reverse lookup for internal addresses
Monday - Mar 20th 2017 - by - (0 comments)

If you've read some recent posts (Get Unbound DNS lookups working in Ubuntu 16.04 Xenial, understand SERVFAIL and Unbound DNS server behind a VIP - solving reply from unexpected source) you know that I've set up a high available Unbound DNS resolver/cacher for internal networks.

But just a few days before rolling out definitively for all internal servers a problem came across: The reverse DNS lookups didn't work.

With the Unbound DNS resolver defined as nameserver in /etc/resolv.conf:

$ host 192.168.253.153
Host 153.253.168.192.in-addr.arpa. not found: 3(NXDOMAIN)

$ host 10.161.206.153
Host 153.206.161.10.in-addr.arpa. not found: 3(NXDOMAIN)

The same command and the reverse lookup worked fine in a server still using the old standalone DNS servers. But why?

It's because of this, as found in the official documentation of unbound.conf:

The default zones are localhost, reverse 127.0.0.1 and ::1,  the  onion and  the AS112 zones. The AS112 zones are reverse DNS zones for private use and reserved IP addresses for which the  servers  on  the  internet cannot  provide correct answers. They are configured by default to give nxdomain (no reverse information) answers. The defaults can  be  turned off by specifying your own local-zone of that name, or using the 'nodefault' type.

So here we got the explanation. Unbound is by default configured to serve NXDOMAIN instead of serving the reserve dns information.

In order to change that behaviour, the internal IP addresses (see RFC1918), need to be defined in unbound.conf as local-zones in the server: section:

server:
        interface: 0.0.0.0
        interface-automatic: yes
        access-control: 10.0.0.0/16 allow
        access-control: 127.0.0.0/8 allow
        access-control: 172.16.0.0/12 allow
        access-control: 192.168.0.0/16 allow
        verbosity: 1
        domain-insecure: *
        root-hints: /var/lib/unbound/root.hints
        local-zone: "10.in-addr.arpa." nodefault
        local-zone: "16.172.in-addr.arpa." nodefault
        local-zone: "17.172.in-addr.arpa." nodefault
        local-zone: "18.172.in-addr.arpa." nodefault
        local-zone: "19.172.in-addr.arpa." nodefault
        local-zone: "20.172.in-addr.arpa." nodefault
        local-zone: "21.172.in-addr.arpa." nodefault
        local-zone: "22.172.in-addr.arpa." nodefault
        local-zone: "23.172.in-addr.arpa." nodefault
        local-zone: "24.172.in-addr.arpa." nodefault
        local-zone: "25.172.in-addr.arpa." nodefault
        local-zone: "26.172.in-addr.arpa." nodefault
        local-zone: "27.172.in-addr.arpa." nodefault
        local-zone: "28.172.in-addr.arpa." nodefault
        local-zone: "29.172.in-addr.arpa." nodefault
        local-zone: "30.172.in-addr.arpa." nodefault
        local-zone: "31.172.in-addr.arpa." nodefault
        local-zone: "168.192.in-addr.arpa." nodefault

forward-zone:
      name: "."
      forward-addr: domaincontroller1.example.com
      forward-addr: domaincontroller2.example.com
      forward-addr: domaincontroller3.example.com
      #forward-addr: 8.8.4.4        # Google
      #forward-addr: 8.8.8.8        # Google

Now that the RFC1918 networks are defined as local zones (and Unbound was restarted) I checked the reverse DNS lookup again on the same host using Unbound as DNS resolver:

$ host 192.168.253.153
153.253.168.192.in-addr.arpa domain name pointer olymp.localdomain.local.

$ host 10.161.206.153
153.253.168.192.in-addr.arpa domain name pointer domaincontroller1.example.com.


 

Add a comment

Show form to leave a comment

Comments (newest first):

No comments yet.

Go to Homepage home
Linux Howtos how to's
Monitoring Plugins monitoring plugins
Links links

Valid HTML 4.01 Transitional
Valid CSS!
[Valid RSS]

7485 Days
until Death of Computers
Why?