NLnetLabs / unbound

Unbound is a validating, recursive, and caching DNS resolver.
https://nlnetlabs.nl/unbound
BSD 3-Clause "New" or "Revised" License

Unbound local-zone or local-data doesn't work if the domain starts with number #966

Open presci opened 11 months ago

presci commented 11 months ago

**Unbound local-zone & local-data doesn't work if the domain starts with number**

While I was in the process of setting up a blocklist on Unbound, I encountered an error. It seems that Unbound disregards the configuration once it encounters a local-zone starting with two numbers. Here is an example:

**To reproduce**
Steps to reproduce the behavior:

  1. Add the following lines to the Unbound conf:

    local-zone: "adserver1.example.com" always_nxdomain   # works
    local-zone: "adserver2.example.com" always_nxdomain  # works
    local-zone: "adserver3.example.com" always_nxdomain  # works
    local-zone: "1-23a.com" always_nxdomain  # works
    local-zone: "1-23b.com" always_nxdomain  # works
    local-zone: "1f23b.com" always_nxdomain  # works
    local-zone: "1g23.com" always_nxdomain  # works
    local-zone: "1234.com" always_nxdomain  # doesn't work
    local-zone: "123a.com" always_nxdomain  # doesn't work
    local-zone: "12322.com" always_nxdomain  # doesn't work
    local-zone: "12g3.com" always_nxdomain  # doesn't work

  2. drill gets the IP address for 12345.com 123a.com 12322.com & 12g3.com
  3. If there is any other domain that starts with a letter, i.e. `local-zone: "yahoo.com" always_nxdomain`, after the non-working domain list, it would be ignored.
  4. drill result on the above:

    $> drill g041353e6dd.com
    ;; ->>HEADER<<- opcode: QUERY, rcode: NXDOMAIN, id: 27937
    ;; flags: qr rd ra ; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
    ;; QUESTION SECTION:
    ;; g041353e6dd.com.    IN    A

    ;; ANSWER SECTION:

    ;; AUTHORITY SECTION:
    com. 900 IN SOA a.gtld-servers.net. nstld.verisign-grs.com. 1700198534 1800 900 604800 86400

    $> drill 041f1df40782e9ab9f0488a1d503a7a2.nitospax.pl
    ;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 5108
    ;; flags: qr rd ra ; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
    ;; QUESTION SECTION:
    ;; 041f1df40782e9ab9f0488a1d503a7a2.nitospax.pl. IN A

    ;; ANSWER SECTION:
    041f1df40782e9ab9f0488a1d503a7a2.nitospax.pl. 300 IN A 104.21.8.115
    041f1df40782e9ab9f0488a1d503a7a2.nitospax.pl. 300 IN A 172.67.188.115

**Expected behavior**
Should return NXDOMAIN for all the domains that the user wishes to block that start with a number.

**System:**
 - Unbound version: Version 1.18.0
 - OS: FreeBSD
 - `unbound -V` output:

    Version 1.18.0

    Configure line: --with-libexpat=/usr/local --with-ssl=/usr --enable-dnscrypt --disable-dnstap --with-libnghttp2 --with-dynlibmodule --enable-ecdsa --disable-event-api --enable-gost --with-libevent --disable-subnet --disable-tfo-client --disable-tfo-server --with-pthreads --prefix=/usr/local --localstatedir=/var --mandir=/usr/local/man --infodir=/usr/local/share/info/ --build=aarch64-portbld-freebsd13.2
    Linked libs: libevent 2.1.12-stable (it uses kqueue), OpenSSL 1.1.1t-freebsd 7 Feb 2023
    Linked modules: dns64 dynlib respip validator iterator
    DNSCrypt feature available

    BSD licensed, see LICENSE in source package for details.
    Report bugs to unbound-bugs@nlnetlabs.nl or https://github.com/NLnetLabs/unbound/issues


**Additional information**
I have tried adding the local-zone and local-data to an external conf and tried to import it; same result.

gthess commented 11 months ago

I could not reproduce this. I don't see a reason for that behavior in the code either. Are you sure that you are editing a configuration file that is read by the running Unbound? If so, maybe you have conflicting configuration later on in the file?

presci commented 11 months ago

Here is my unbound.conf:

```
server:
    interface: 0.0.0.0

    access-control: 192.168.0.0/24 allow
    access-control: 127.0.0.1 allow
    access-control: ::1 allow
    access-control: 0.0.0.0/0 deny
    access-control: ::/0 deny

    pidfile: "/var/run/unbound.pid"
    use-syslog: yes
    verbosity: 1
    log-queries: yes
    log-replies: yes

    local-zone: "adserver.example.com" always_nxdomain
    local-zone: "adserver1.example.com" always_nxdomain
    local-zone: "adserver2.example.com" always_nxdomain
    local-zone: "adserver3.example.com" always_nxdomain
    local-zone: "1-23a.com" always_nxdomain
    local-zone: "1-23b.com" always_nxdomain
    local-zone: "1f23b.com" always_nxdomain
    local-zone: "12g3.com" always_nxdomain
    local-zone: "1g23.com" always_nxdomain
    local-zone: "1234.com" always_nxdomain
    local-zone: "123a.com" always_nxdomain
    local-zone: "12322.com" always_nxdomain
```

@gthess

gthess commented 11 months ago

I still can't reproduce it. I get NXDOMAIN on all those local zones. Could you try `unbound-control list_local_zones` on a running Unbound instance and see if you get all your zones (and some more from the default configuration) back? You would need:

    remote-control:
        control-enable: yes

in your configuration. If you get an error that remote control is not set up, you could run `unbound-control-setup` to generate the appropriate default keys.
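To make the check suggested above mechanical, here is an added example (not code from the thread or from the Unbound project): it extracts the `local-zone` names from an unbound.conf, parses the `name. type` lines that `unbound-control list_local_zones` prints (that line format is assumed here), normalises both to lower-case with a trailing dot, and reports every configured zone the running instance does not list with the same type. Both inputs below are constructed samples, with the digit-leading names from the report among them.

```python
import re

# Constructed sample config (not from a real host); the 1234.com and
# 123a.com lines mirror the names the report says get ignored.
SAMPLE_CONF = """\
server:
    local-zone: "adserver1.example.com" always_nxdomain   # works
    local-zone: "1-23a.com" always_nxdomain
    local-zone: "1234.com" always_nxdomain
    local-zone: "123a.com" always_nxdomain
    local-zone: 'Yahoo.COM.' always_nxdomain
"""

# Constructed stand-in for `unbound-control list_local_zones` output
# (assumed "name. type" per line, including a default zone Unbound adds).
SAMPLE_LIST = """\
localhost. redirect
adserver1.example.com. always_nxdomain
1-23a.com. always_nxdomain
yahoo.com. always_nxdomain
"""

LOCAL_ZONE_RE = re.compile(r'^\s*local-zone:\s*(["\']?)([^"\'\s]+)\1\s+(\S+)')

def canonical(name):
    """Lower-case and add the trailing dot so both sources compare equal."""
    name = name.strip().lower()
    return name if name.endswith(".") else name + "."

def parse_conf_zones(conf):
    """{zone: type} for every local-zone line; trailing comments ignored."""
    zones = {}
    for line in conf.splitlines():
        m = LOCAL_ZONE_RE.match(line.split("#", 1)[0])
        if m:
            zones[canonical(m.group(2))] = m.group(3)
    return zones

def parse_list_local_zones(output):
    """{zone: type} from the 'name. type' lines list_local_zones prints."""
    zones = {}
    for parts in (line.split() for line in output.splitlines()):
        if len(parts) == 2:
            zones[canonical(parts[0])] = parts[1]
    return zones

def missing_zones(conf, listing):
    """Configured zones the running instance lacks or has with another type."""
    wanted, loaded = parse_conf_zones(conf), parse_list_local_zones(listing)
    return sorted(z for z, t in wanted.items() if loaded.get(z) != t)

for zone in missing_zones(SAMPLE_CONF, SAMPLE_LIST):
    print("configured but not loaded:", zone)
```

On a real host, feed it the actual config file and the captured `unbound-control list_local_zones` output in place of the two sample strings; an empty result means the file being edited is the one the running daemon loaded.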