Netgate Discussion Forum
    DNS Resolver and Domain Overrides

      Soloam

      My country is blocking piratebay via DNS. When I request thepiratebay.se the DNS kicks me to another IP. I could use other DNS, but these are a lot faster resolving for national IPs than, for example, Google. So I set the DNS Override so that the request stops on the DNS Resolver. But from what I can tell it seems that the DNS Resolver is ignoring my DNS Override.

        phil.davis

        A Domain Override makes the DNS Resolver send requests for resolution of names in that domain to the specified IP. So it does not "stop at the DNS Resolver". When a client asks for "www.thepiratebay.se" then DNS Resolver is going to send the name resolution request to 199.27.135.8 for resolution. If 199.27.135.8 IP address is blocked somewhere then it will not be able to answer the resolver query.
        If that is the problem, then I do not see how it worked with DNS Forwarder.

        Host Overrides stop at the DNS Resolver and give a local answer straight away. But you have to put an entry for every name you want to use.

        As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
        If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/

          Soloam

          The IP 199.27.135.8 is not blocked. The only thing that is blocked is when I ask my internet provider's DNS for the IP of the DNS name thepiratebay.se: it returns me another IP that points to a page that displays a message informing that the website is blocked.

          So I set thepiratebay.se in the DNS Override with the correct IP but the override is not working. It keeps bypassing the Override and sending the requests to the "General Setup" DNS. This was working with no problems in the "DNS Forwarder"; it stopped working when I made the switch to "DNS Resolver". It works locally when I set the DNS in the hosts file of Windows.

          I tried turning off "DNSSEC Support" but with no success.

            BBcan177 Moderator

            With "Unbound", you should not use "Forwarding Mode". The whole purpose of using Unbound is so that it resolves using the Root DNS servers and not use the DNS servers of your ISP or Google DNS for example.

            You could also skip DNS resolution and type the IP address in the browser.

            "Experience is something you don't get until just after you need it."

            Website: http://pfBlockerNG.com
            Twitter: @BBcan177  #pfBlockerNG
            Reddit: https://www.reddit.com/r/pfBlockerNG/new/

              Soloam

              Typing the IP in the browser bar would work, but not for this specific website. thepiratebay is hosted on Cloudflare, which uses the same IP for several websites. It needs the correct host name to know which site we are requesting.

              So from what you say, it's back to DNS Forwarder. What I want in the end is: use local DNS and, if it fails, send the request. That was the result of "DNS Forwarder".

                phil.davis

                The Domain Overrides should end up in /var/unbound/domainoverrides.conf
                Have a look in there and check that it has reasonable content.
                After that, in DNS Resolver, Advanced Settings, you can set the "Log level verbosity". Then do "nslookup" from a client and see what comes in the DNS Resolver log. It might give some hints about why the resolver request is not being sent to where you expect.
                So far I have only used Domain Overrides for internal domains, pointing to internal authoritative DNS servers, so I can't confirm if there is an issue with domain overrides to public DNS servers.

                  gjaltemba

                  @soloam:

                  Domain Overrides:

                  • Domain: thepiratebay.se
                  • IP: 199.27.135.8

                  I believe the entry should be in Host Override. 199.27.135.8 is your target IP. Domain overrides specify the IP for a DNS server.

                    Soloam

                    /var/unbound/domainoverrides.conf

                    stub-zone:
                    	name: "thepiratebay.se"
                    	stub-addr: 199.27.135.8
                    	stub-prime: no
                    
                    
                      phil.davis

                      Yes, here are some nslookup results:

                      Non-authoritative answer:
                      Name:    thepiratebay.se
                      Addresses:  2400:cb00:2048:1::c71b:8708
                                2400:cb00:2048:1::c71b:8608
                                199.27.134.8
                                199.27.135.8
                      
                      Non-authoritative answer:
                      Name:    www.thepiratebay.se
                      Addresses:  2400:cb00:2048:1::c71b:8608
                                2400:cb00:2048:1::c71b:8708
                                199.27.134.8
                                199.27.135.8
                      

                      But maybe the DNS server for thepiratebay.se is at 199.27.135.8 as well as the web site itself.

                        gjaltemba

                        If it is then it is down at the moment

                        nslookup

                        server  199.27.134.8
                        Default server: 199.27.134.8
                        Address: 199.27.134.8#53
                        thepiratebay.se
                        ;; connection timed out; no servers could be reached

                          cmb

                          @soloam:

                          /var/unbound/domainoverrides.conf

                          stub-zone:
                          	name: "thepiratebay.se"
                          	stub-addr: 199.27.135.8
                          	stub-prime: no
                          
                          

                          That's correct if 199.27.135.8 actually answered DNS queries. It doesn't. If it ever responded with that config, it was at a time when that IP actually resolved DNS, and it doesn't now. Nothing to do with DNS Resolver or Forwarder, that's just not a valid config.

                            Soloam

                            Hello all, the problem is solved, I changed the rule from Domain Overrides to Host Overrides and all started working again. I don't know what is wrong with Domain Overrides but now it's working

                            Thank You for all your help
                            Best Regards

                              GruensFroeschli

                              With a Domain Override you override the default DNS server with a specific one for a specific domain.

                              With Host Overrides you change the way you resolve domains locally.

                              We do what we must, because we can.

                              Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

                                Soloam

                                From what you say, it looks like what I would want is the Domain Override, but I had to change it. In the DNS Forwarder I had it working with the Domain Override. I'll try to find the problem so that I can get it back working with the Domain Override.

                                Thank You

                                  cmb

                                  With the domain override, you're telling it "to lookup queries for *.thepiratebay.se, use DNS server at 199.27.135.8". Since 199.27.135.8 doesn't reply to DNS, that doesn't work.

                                  When you add a host override for thepiratebay.se with 199.27.135.8, that tells the system "resolve thepiratebay.se as 199.27.135.8". That overrides it locally without needing any other server for resolution.

                                  The first, as 199.27.135.8 is currently configured, would never have worked because it doesn't reply to DNS.
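
Added example, not part of the original posts and not pfSense or Unbound code: a check for the failure the thread ends on, a stub-zone (Domain Override) whose stub-addr does not speak DNS. It parses stub-zone clauses and sends each stub-addr one SOA query over UDP; the function names are hypothetical and the sample config is the one quoted in the thread.

```python
import re
import socket
import struct

# Constructed sample: the domainoverrides.conf content quoted in the thread.
SAMPLE_CONF = 'stub-zone:\n\tname: "thepiratebay.se"\n\tstub-addr: 199.27.135.8\n\tstub-prime: no\n'

def parse_stub_zones(text):
    """Return [(zone, [stub_addr, ...]), ...] for each stub-zone clause."""
    zones, in_stub = [], False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if re.fullmatch(r"[\w-]+:", line):  # clause header, e.g. "stub-zone:"
            in_stub = line == "stub-zone:"
            if in_stub:
                zones.append([None, []])
        elif in_stub and (m := re.fullmatch(r'name:\s*"?([^"\s]+)"?', line)):
            zones[-1][0] = m.group(1)
        elif in_stub and (m := re.fullmatch(r"stub-addr:\s*(\S+)", line)):
            zones[-1][1].append(m.group(1))
    return [(name, addrs) for name, addrs in zones if name]

def build_query(zone, txid=0x1234):
    """Encode a non-recursive SOA query for the zone (RD bit clear)."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in zone.strip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 6, 1)  # QTYPE=SOA, QCLASS=IN

def answers_dns(stub_addr, zone, timeout=2.0):
    """True if stub_addr (Unbound 'ip' or 'ip@port') sends back a DNS response."""
    host, _, port = stub_addr.partition("@")
    query = build_query(zone)
    family = socket.AF_INET6 if ":" in host else socket.AF_INET
    with socket.socket(family, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, int(port or 53)))
            s.send(query)
            reply = s.recv(4096)
        except OSError:  # timeout, refused or unreachable: not a DNS server
            return False
    # A response carries our transaction ID and has the QR bit set.
    return len(reply) >= 12 and reply[:2] == query[:2] and bool(reply[2] & 0x80)

if __name__ == "__main__":
    for zone, addrs in parse_stub_zones(SAMPLE_CONF):
        for addr in addrs:
            print(zone, addr, "answers DNS" if answers_dns(addr, zone) else "no DNS reply")
```

A stub-addr that reports "no DNS reply" is a web or other host rather than a name server, which is the case where a Host Override is the right entry.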