Netgate Discussion Forum
    Unbound resolver and domain redirect not working - "FORMERR" on remote resolver

    Category: DHCP and DNS
      Criggie
      I have a pfSense 2.2.6 box which has been running dnsmasq / forwarder fine.

      I've tried setting up unbound / resolver to do the same thing, and it fails on domain overrides.

      Short: Domain Override fails on unbound but works on dnsmasq

      The remote network domain is t.local, so I can see that in the dnsmasq parameters and this works correctly.
      --server=/t.local/192.168.128.100

      When I use resolver / unbound, I see inside /var/unbound/unbound.conf

      private-domain: "t.local"
      domain-insecure: "t.local"

      and inside /var/unbound/domainoverrides.conf I see

      stub-zone:
              name: "t.local"
              stub-addr: 192.168.128.100
              stub-prime: no


      So the configuration looks fine.  But in practice it doesn't work.

      Here's a tcpdump of the lookup succeeding from dnsmasq.  This is done on the remote resolver at 192.168.128.100.

      17:31:IP 10.30.40.13.40784 > 192.168.128.100.53: 8933+ [1au] A? p3.t.local. (55)
      17:31:IP 192.168.128.100.53 > 10.30.40.13.40784: 8933 1/0/0 A 10.129.10.133 (60)

      Here's the same query via unbound

      17:29:IP 10.30.40.13.46129 > 192.168.128.100.53: 56287% [1au] A? p3.t.local. (55)
      17:29:IP 192.168.128.100.53 > 10.30.40.13.46129: 56287 FormErr 1/0/0 A 10.129.10.133 (60)
      17:29:IP 10.30.40.13.64324 > 192.168.128.100.53: 37062 A? p3.t.local. (44)
      17:29:IP 192.168.128.100.53 > 10.30.40.13.64324: 37062 FormErr 1/0/0 A 10.129.10.133 (60)
      17:29:IP 10.30.40.13.11900 > 192.168.128.100.53: 14199% [1au] A? p3.t.local. (55)
      17:29:IP 192.168.128.100.53 > 10.30.40.13.11900: 14199 FormErr 1/0/0 A 10.129.10.133 (60)
      17:29:IP 10.30.40.13.25182 > 192.168.128.100.53: 60535 A? p3.t.local. (44)
      ... this repeats ~10 times

      Now both DNS servers are looking at the same upstream resolver, which hasn't changed. The path hasn't changed. Why is unbound's request resulting in a FormErr? And the correct IP address is listed right there in the same line.

      Searching suggests that FORMERR means RCODE:1, which is DNS Query Format Error.
      I remain unenlightened.

      What is wrong with unbound to make its queries unacceptable to the remote DNS server?

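The two ways unbound can hand a domain to another server, written out as an added illustration in unbound.conf syntax (this is not from the post and not the file pfSense generates; the name t.local and the address 192.168.128.100 are taken from the post). The difference matters for the symptom above: a stub-zone tells unbound the target is an authoritative server, so it sends iterative queries with the RD bit clear; a forward-zone tells unbound the target is a recursive resolver, so it sends queries with RD set, which is what dnsmasq's --server= line does. Whether the pfSense 2.2.6 GUI exposes a choice between them is not something this thread says, so treat the fragment as plain unbound configuration.

```conf
# Added example, not from the thread or from pfSense: two alternative ways
# to hand t.local to 192.168.128.100 in unbound.conf. Use one or the other
# for a given name, not both.

# stub-zone: 192.168.128.100 is treated as AUTHORITATIVE for t.local.
# unbound sends iterative queries (RD=0). Right for an authoritative
# server, wrong for a recursive resolver that expects RD=1.
stub-zone:
        name: "t.local"
        stub-addr: 192.168.128.100
        stub-prime: no

# forward-zone: 192.168.128.100 is treated as a RECURSIVE RESOLVER.
# unbound sends recursive queries (RD=1), the equivalent of dnsmasq's
# --server=/t.local/192.168.128.100.
forward-zone:
        name: "t.local"
        forward-addr: 192.168.128.100

# Either way, an internal zone under a private TLD also needs these so
# that DNSSEC validation and private-address filtering do not reject it.
server:
        private-domain: "t.local"
        domain-insecure: "t.local"
```

With a forward-zone, unbound's queries on the wire look like the dnsmasq capture in the post (RD set, shown by tcpdump as the "+" after the query id); with a stub-zone they look like the unbound capture (no "+", and "%" when EDNS is also present).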
        Criggie

        Problem found - turns out that unbound is not requesting recursion when talking to the remote resolver, but it is using EDNS to allow for larger replies.

        That should be okay, except the remote resolver was an older version of PowerDNS that was unhappy with this combination.

        I proved it using dig from a client talking to the remote resolver directly: adding +recurse returned the bad "formerr" reply.

        Turns out there's a project to upgrade the PowerDNS servers, to get things like an SQL backend instead of text file support, so this is a work in progress. We'll have to stay with dnsmasq / forwarder until the infrastructure is ready.

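The diagnosis above is that the remote server rejects the combination of a non-recursive query (RD bit clear) with an EDNS0 OPT record. The following added example (my own code, not from the post or from unbound/PowerDNS) builds raw DNS queries in all four RD/EDNS combinations, decodes the reply header and answer section, and includes a probe that sends the four variants to a live server so the bad combination can be isolated without guessing. The reply it decodes offline is constructed to match the captured line "56287 FormErr 1/0/0 A 10.129.10.133": RCODE 1 yet one A record in the answer section. Only standard-library modules are used; the name p3.t.local and the addresses are taken from the post.

```python
# Added example (not from the forum post): raw DNS query builder and reply
# decoder to isolate a FORMERR caused by RD=0 combined with EDNS0.
import socket
import struct

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
          4: "NOTIMP", 5: "REFUSED"}


def encode_name(qname):
    """Wire-format a dotted name as length-prefixed labels (no compression)."""
    out = b""
    for label in qname.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(qname, qid, rd=True, edns=False, udp_size=4096):
    """A/IN query. rd=False mimics unbound's stub-zone (iterative) query;
    edns=True appends the OPT pseudo-RR that tcpdump shows as [1au]."""
    flags = 0x0100 if rd else 0x0000
    msg = struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 1 if edns else 0)
    msg += encode_name(qname) + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN
    if edns:
        # OPT RR: root owner, TYPE 41, CLASS = UDP payload size,
        # TTL = extended RCODE/version/flags (0), RDLENGTH 0 -> 11 bytes
        msg += b"\x00" + struct.pack("!HHIH", 41, udp_size, 0, 0)
    return msg


def decode_name(data, off):
    """Decode a possibly compressed name; returns (name, offset after it)."""
    labels, jumped, end = [], False, None
    while True:
        length = data[off]
        if length & 0xC0 == 0xC0:  # compression pointer
            if not jumped:
                end = off + 2
            jumped = True
            off = struct.unpack("!H", data[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(data[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (end if jumped else off)


def parse_response(data):
    """Header flags, RCODE and any A records from the answer section."""
    qid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    off = 12
    for _ in range(qd):
        _, off = decode_name(data, off)
        off += 4
    answers = []
    for _ in range(an):
        name, off = decode_name(data, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            answers.append((name, socket.inet_ntoa(data[off:off + 4])))
        off += rdlen
    return {"id": qid, "rd": bool(flags & 0x0100), "ra": bool(flags & 0x0080),
            "rcode": RCODES.get(flags & 0xF, str(flags & 0xF)),
            "ancount": an, "answers": answers}


def build_response(query, rcode, a_addr, ttl=300):
    """CONSTRUCTED reply shaped like the capture in the post: echoes the
    question, sets the given RCODE, and still carries one A record (1/0/0)."""
    qid, qflags, _qd, _an, _ns, _ar = struct.unpack("!HHHHHH", query[:12])
    _, q_end = decode_name(query, 12)
    question = query[12:q_end + 4]
    flags = 0x8000 | (qflags & 0x0100) | (rcode & 0xF)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + socket.inet_aton(a_addr)
    return struct.pack("!HHHHHH", qid, flags, 1, 1, 0, 0) + question + answer


def probe(server, qname, port=53, timeout=2.0):
    """Send the four RD/EDNS combinations to a live server (needs network).
    Returns {(rd, edns): rcode} so the rejected combination stands out."""
    results = {}
    for rd in (True, False):
        for edns in (False, True):
            qid = 0x1000 + (2 if rd else 0) + (1 if edns else 0)
            with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
                sock.settimeout(timeout)
                try:
                    sock.sendto(build_query(qname, qid, rd=rd, edns=edns), (server, port))
                    results[(rd, edns)] = parse_response(sock.recv(4096))["rcode"]
                except socket.timeout:
                    results[(rd, edns)] = "TIMEOUT"
    return results


if __name__ == "__main__":
    # Offline demonstration against the constructed FORMERR-with-answer reply.
    q = build_query("p3.t.local", 56287, rd=False, edns=True)
    print(parse_response(build_response(q, 1, "10.129.10.133")))
```

Run `probe("192.168.128.100", "p3.t.local")` from a client that can reach the remote server; a server with the behaviour described above returns NOERROR for (rd=True, *) and FORMERR only for the (rd=False, edns=True) cell, which is exactly the query a stub-zone produces. The equivalent manual check with dig is `dig +norecurse +edns=0 @192.168.128.100 p3.t.local` versus `dig +norecurse +noedns @192.168.128.100 p3.t.local`.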
        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.