Open kmadac opened 1 year ago
I reproduced this problem. There is a domain name in China, www.cscec.com. When it sends a cscec-ipv6.cscec.com resolution request to its authoritative server, the server responds with ICMP host unreachable. Observing the unbound log, it is always resolving this domain (cscec-ipv6.cscec.com). Eventually SERVFAIL was responded. There is a problem with the authoritative server, but unbound is not robust enough.
I tried to modify the code. In the file iterator/iter_resptype.c, in the response_type_from_server function, why are the following checks done:
if( (msg->rep->flags&BIT_RA) && !(msg->rep->flags&BIT_AA) && !rdset) { return RESPONSE_TYPE_REC_LAME; }
I don't think it makes sense. When I comment out this code, unbound can resolve correctly. But there are still some problems. I need to continue analyzing the code.
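To make the quoted condition concrete, here is an added example (not code from the commenter or from unbound itself) that reads the flags word of a raw DNS header and applies exactly that rule: a response with RA set and AA clear, received for a query sent without RD, is classified as recursive-lame. The flag bit positions are the RFC 1035 header layout; the enum names, function names and the two 12-byte sample headers are constructed for this illustration and are assumptions, not unbound identifiers. The first sample models the situation in this issue: an upstream recursor answers with RA set and an A record present, while the resolver queried it without RD.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* DNS header flag bits (RFC 1035 section 4.1.1) within the 16-bit flags word. */
#define DNS_FLAG_AA 0x0400 /* Authoritative Answer */
#define DNS_FLAG_RD 0x0100 /* Recursion Desired */
#define DNS_FLAG_RA 0x0080 /* Recursion Available */

/* Hypothetical classification result; names are this example's own. */
enum resp_class { RESP_OK = 0, RESP_REC_LAME = 1, RESP_TOO_SHORT = 2 };

/* Extract the flags word (bytes 2-3, network byte order) from a raw DNS message.
   Returns -1 when the buffer is shorter than the 12-byte fixed header. */
static int dns_header_flags(const uint8_t *msg, size_t len, uint16_t *flags) {
    if (msg == NULL || len < 12) return -1;
    *flags = (uint16_t)(((uint16_t)msg[2] << 8) | msg[3]);
    return 0;
}

/* Mirror of the check quoted in the comment above: RA set, AA clear, and the
   query was sent without RD, so the answer looks like a recursor's answer rather
   than an authoritative one and is treated as recursive-lame. */
static enum resp_class classify_response(uint16_t flags, int rd_set_in_query) {
    if ((flags & DNS_FLAG_RA) && !(flags & DNS_FLAG_AA) && !rd_set_in_query)
        return RESP_REC_LAME;
    return RESP_OK;
}

static enum resp_class classify_raw(const uint8_t *msg, size_t len, int rd_set_in_query) {
    uint16_t flags;
    if (dns_header_flags(msg, len, &flags) != 0) return RESP_TOO_SHORT;
    return classify_response(flags, rd_set_in_query);
}

/* Constructed sample: ID 0x1234, flags 0x8080 = QR | RA (AA clear), QDCOUNT=1,
   ANCOUNT=1. This is the shape of the upstream recursor's reply in this issue. */
static const uint8_t SAMPLE_RECURSOR_RESPONSE[12] = {
    0x12, 0x34, 0x80, 0x80, 0x00, 0x01, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00 };

/* Constructed sample: same answer counts, flags 0x8400 = QR | AA (RA clear),
   i.e. what an authoritative server would send. */
static const uint8_t SAMPLE_AUTH_RESPONSE[12] = {
    0x12, 0x34, 0x84, 0x00, 0x00, 0x01, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00 };

static const char *class_name(enum resp_class c) {
    switch (c) {
    case RESP_OK:        return "OK";
    case RESP_REC_LAME:  return "REC_LAME";
    default:             return "TOO_SHORT";
    }
}

int main(void) {
    /* Query sent without RD (iterating to what is believed to be authoritative). */
    printf("recursor reply, RD not set in query: %s\n",
           class_name(classify_raw(SAMPLE_RECURSOR_RESPONSE, 12, 0)));
    /* Same reply, but the query had RD set (forwarding to a recursor). */
    printf("recursor reply, RD set in query:     %s\n",
           class_name(classify_raw(SAMPLE_RECURSOR_RESPONSE, 12, 1)));
    printf("authoritative reply, RD not set:     %s\n",
           class_name(classify_raw(SAMPLE_AUTH_RESPONSE, 12, 0)));
    return 0;
}
```

The second call shows the distinction the rule hinges on: the identical reply is acceptable when the query was sent with RD (a forwarder talking to a recursor), and only becomes suspect when the resolver believed it was talking to an authoritative server and got a recursor-style answer instead.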
Describe the bug: In our specific internal infrastructure scenario we have the following response from an internal upstream DNS recursor:
Unfortunately ns1.gov.sk and ns2.gov.sk are not reachable in our infrastructure (those NS records are incorrectly leaking in some special cases, but I'm not able to change it as it is not under our control) and unbound returns SERVFAIL to the client even though a correct A record is in the ANSWER SECTION.
Here are unbound logs:
To reproduce: Forbid access on the firewall to the NS server IP addresses that appear in a particular DNS server response, and try to resolve it via Unbound.
Expected behavior: Send a NOERROR response to the client with the A record without trying to contact the NS servers, as the A record is already in the response:
System:
unbound -V output:
Version 1.13.2
Configure line: --with-ssl=/usr/local --with-libexpat=/usr/local --disable-dnscrypt --disable-dnstap --with-libnghttp2 --enable-ecdsa --disable-event-api --enable-gost --with-libevent --with-pyunbound=yes --with-pythonmodule=yes LDFLAGS=-L/usr/local/lib ac_cv_path_SWIG=/usr/local/bin/swig --disable-subnet --disable-tfo-client --disable-tfo-server --with-pthreads --prefix=/usr/local --localstatedir=/var --mandir=/usr/local/man --infodir=/usr/local/share/info/ --build=amd64-portbld-freebsd12.1
Linked libs: libevent 2.1.12-stable (it uses kqueue), OpenSSL 1.1.1l 24 Aug 2021
Linked modules: dns64 python respip validator iterator
BSD licensed, see LICENSE in source package for details. Report bugs to unbound-bugs@nlnetlabs.nl or https://github.com/NLnetLabs/unbound/issues