NLnetLabs / unbound

Unbound is a validating, recursive, and caching DNS resolver.
https://nlnetlabs.nl/unbound
BSD 3-Clause "New" or "Revised" License

unbound stops redirecting queries to forward-zone dns server. #783

Open blackd opened 2 years ago

blackd commented 2 years ago

unbound stops redirecting queries to forward-zone dns server.

I'm using unbound as the main DNS server for my home network (.lan) and I have a Windows domain controller (home.lan). I have:

forward-zone:
  name: "home.lan"
  forward-addr: 10.22.1.25

The problem is that unbound will redirect queries for the zone immediately after start for a random interval of time, usually less than 30 minutes, and then stops.

Here are logs from a successful query and an unsuccessful one.

To reproduce: Reproducing my exact situation will be quite hard. But my guess is that having a local zone .xyz and a forward zone that is anything.xyz will yield the same results.

Expected behavior: unbound to always redirect queries for the forward-zone to the configured server.

System:

Configure line: --with-libexpat=/usr/local --with-ssl=/usr/local --enable-dnscrypt --disable-dnstap --with-libnghttp2 --enable-ecdsa --disable-event-api --enable-gost --with-libevent --with-pythonmodule=yes --with-pyunbound=yes ac_cv_path_SWIG=/usr/local/bin/swig LDFLAGS=-L/usr/local/lib --disable-subnet --disable-tfo-client --disable-tfo-server --with-pthreads --prefix=/usr/local --localstatedir=/var --mandir=/usr/local/man --infodir=/usr/local/share/info/ --build=amd64-portbld-freebsd13.1

Linked libs: libevent 2.1.12-stable (it uses kqueue), OpenSSL 1.1.1s 1 Nov 2022

Linked modules: dns64 python respip validator iterator

DNSCrypt feature available

I hope you understand why I'm reluctant to publish my full configuration :)

rmatte commented 1 year ago

I can confirm that we are seeing this same behavior with version 1.15 of unbound. The forwarding works for a bit after startup and then just completely stops working (but will intermittently start working again for a few seconds here or there).

rmatte commented 1 year ago

We ended up having to switch it from a forward-zone to a stub-zone and then this random failure stopped happening, and as far as we can tell unbound is still acting as a DNS cache in front of Consul as we expect it to, though we plan to conduct more testing to confirm.

There is definitely something fishy going on with unbound's handling of forward-zone forwarding. These random failures are abnormal, you'd expect it to just always fail or always work, not the random results that we're currently seeing. Seems like some kind of bug in the code.

blackd commented 1 year ago

stub-zone seems to work for me too.

unfortunately I have to retract the above. Long term it stops working again.

ShipeiXu commented 1 year ago

It looks like the forwarding is failing because the request is being sent with the DNSSEC flag.
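The two configurations discussed in this thread side by side, as an added example (not from the unbound project and not any commenter's actual config): the zone name and forward address are the reporter's, and the domain-insecure line is an assumption prompted by the DNSSEC remark above, not a fix confirmed here.

```conf
# Added example; not taken from the unbound repository or from this issue.
# Zone "home.lan" and server 10.22.1.25 are the values the reporter posted.
server:
    # Assumption, not a confirmed fix for this issue: when validation is on
    # (the "validator" module is linked in the reporter's build) and the
    # internal zone is not DNSSEC-signed, the validator cannot build a chain
    # of trust for answers under it. domain-insecure tells unbound not to
    # require validation for that subtree, which is one thing to check when
    # an unsigned internal zone is forwarded and answers fail intermittently.
    domain-insecure: "home.lan"

# Variant 1 (the reporter's setup): forward-zone.
# unbound sends RECURSIVE queries to 10.22.1.25 and expects it to act as a
# full resolver for names under home.lan.
forward-zone:
    name: "home.lan"
    forward-addr: 10.22.1.25

# Variant 2 (what rmatte and blackd switched to): stub-zone.
# unbound sends NON-recursive queries and treats 10.22.1.25 as the
# authoritative server for home.lan, so the target must actually hold the
# zone (a domain controller does). Use only one of the two variants.
# stub-zone:
#     name: "home.lan"
#     stub-addr: 10.22.1.25
```

`unbound-checkconf` validates the file before a reload, and `unbound-control list_forwards` / `unbound-control list_stubs` show what the running daemon currently holds, which is useful when forwarding silently stops.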