Unbound DNS not serving reverse lookup for internal addresses

Written by Claudio Kuenzler - 2 comments

Published on March 20th 2017 - Listed in Linux DNS

If you've read some recent posts (Get Unbound DNS lookups working in Ubuntu 16.04 Xenial, understand SERVFAIL and Unbound DNS server behind a VIP - solving reply from unexpected source) you know that I've set up a high available Unbound DNS resolver/cacher for internal networks.

But just a few days before rolling out definitively for all internal servers a problem came across: The reverse DNS lookups didn't work.

With the Unbound DNS resolver defined as nameserver in /etc/resolv.conf:

$ host 192.168.253.153
Host 153.253.168.192.in-addr.arpa. not found: 3(NXDOMAIN)

$ host 10.161.206.153
Host 153.206.161.10.in-addr.arpa. not found: 3(NXDOMAIN)

The same command and the reverse lookup worked fine in a server still using the old standalone DNS servers. But why?

It's because of this, as found in the official documentation of unbound.conf:

The default zones are localhost, reverse 127.0.0.1 and ::1,  the  onion and  the AS112 zones. The AS112 zones are reverse DNS zones for private use and reserved IP addresses for which the  servers  on  the  internet cannot  provide correct answers. They are configured by default to give nxdomain (no reverse information) answers. The defaults can  be  turned off by specifying your own local-zone of that name, or using the 'nodefault' type.

So here we got the explanation. Unbound is by default configured to serve NXDOMAIN instead of serving the reserve dns information.

In order to change that behaviour, the internal IP addresses (see RFC1918), need to be defined in unbound.conf as local-zones in the server: section:

server:
        interface: 0.0.0.0
        interface-automatic: yes
        access-control: 10.0.0.0/16 allow
        access-control: 127.0.0.0/8 allow
        access-control: 172.16.0.0/12 allow
        access-control: 192.168.0.0/16 allow
        verbosity: 1
        domain-insecure: *
        root-hints: /var/lib/unbound/root.hints
        local-zone: "10.in-addr.arpa." nodefault
        local-zone: "16.172.in-addr.arpa." nodefault
        local-zone: "17.172.in-addr.arpa." nodefault
        local-zone: "18.172.in-addr.arpa." nodefault
        local-zone: "19.172.in-addr.arpa." nodefault
        local-zone: "20.172.in-addr.arpa." nodefault
        local-zone: "21.172.in-addr.arpa." nodefault
        local-zone: "22.172.in-addr.arpa." nodefault
        local-zone: "23.172.in-addr.arpa." nodefault
        local-zone: "24.172.in-addr.arpa." nodefault
        local-zone: "25.172.in-addr.arpa." nodefault
        local-zone: "26.172.in-addr.arpa." nodefault
        local-zone: "27.172.in-addr.arpa." nodefault
        local-zone: "28.172.in-addr.arpa." nodefault
        local-zone: "29.172.in-addr.arpa." nodefault
        local-zone: "30.172.in-addr.arpa." nodefault
        local-zone: "31.172.in-addr.arpa." nodefault
        local-zone: "168.192.in-addr.arpa." nodefault

forward-zone:
      name: "."
      forward-addr: domaincontroller1.example.com
      forward-addr: domaincontroller2.example.com
      forward-addr: domaincontroller3.example.com
      #forward-addr: 8.8.4.4        # Google
      #forward-addr: 8.8.8.8        # Google

Now that the RFC1918 networks are defined as local zones (and Unbound was restarted) I checked the reverse DNS lookup again on the same host using Unbound as DNS resolver:

$ host 192.168.253.153
153.253.168.192.in-addr.arpa domain name pointer olymp.localdomain.local.

$ host 10.161.206.153
153.253.168.192.in-addr.arpa domain name pointer domaincontroller1.example.com.

Add a comment

Comments (newest first)

nothanks from wrote on Jun 22nd, 2023:

So many moons later, but today we came across this exact issue and your post helped us fix these reverse lookups in unbound. Thank you for sharing!

gctwnl from wrote on Aug 11th, 2019:

Thank you! I have been puzzling over unbound and nsd all day and this was the final piece of the puzzle. I already had created a stub-zone for 2.168.192.in-addr.arpa but the local-zone item was the missing piece.