Unbound/DES Resolver not returning result
Hi, I have a pfSense box setup in a data centre that is successfully going out on the WAN to resolve a nslookup request. The DNSResolver log is showing the request being made and the response being sent back to the interface 192.168.2.100.
Packet monitoring shows the full response coming in from the WAN. However the response sent back to the doesn't include the ANWSER. So I get "No answer" on the client but I can see the answer coming in from the WAN.
pfSense is running in a vmWare environment. I spotted a bad chk sum and turned off hardware check sum this removed the chk sum issue but made no difference to the result.
What am I missing ?
And what is the answer back in your packet capture. If for a rfc1918 answer then no out of the box unbound would not hand that back to the client.. You would have to setup that domain as a private domain or turn off that protection all together.
That would be rebinding protection.
Hi, thanks for responding. On the packet capture you can see below, on the WAN side, I see the response being sent to 184.108.40.206. Then on the LAN side I don't see the data. The timestamps are out as I ran the two captures sequentially.
15:24:54.891480 00:50:56:01:e8:ea > 00:50:56:84:15:8f, ethertype IPv4 (0x0800), length 99: (tos 0x0, ttl 64, id 38945, offset 0, flags [none], proto UDP (17), length 85)
192.168.16.100.7333 > 220.127.116.11.53: [udp sum ok] 36903+ [1au] A? nww.fqdn.com.uk. ar: . OPT UDPsize=4096 OK (57)
15:24:54.903587 00:50:56:84:15:8f > 00:50:56:01:e8:ea, ethertype IPv4 (0x0800), length 115: (tos 0x0, ttl 246, id 9179, offset 0, flags [DF], proto UDP (17), length 101)
18.104.22.168.53 > 192.168.16.100.7333: [udp sum ok] 36903 q: A? nww.fqdn.com.uk. 1/0/1 nww.fqdn.com.uk. A 10.149.131.179 ar: . OPT UDPsize=4096 OK (73)
15:25:35.820201 00:50:56:01:e7:f8 > 00:50:56:01:e8:ec, ethertype IPv4 (0x0800), length 88: (tos 0x0, ttl 62, id 46095, offset 0, flags [none], proto UDP (17), length 74)
192.168.1.100.55310 > 192.168.2.100.53: [udp sum ok] 16307+ A? nww.fqdn.com.uk. (46)
15:25:35.833230 00:50:56:01:e8:ec > 00:50:56:01:e7:f8, ethertype IPv4 (0x0800), length 88: (tos 0x0, ttl 64, id 54630, offset 0, flags [none], proto UDP (17), length 74)
192.168.2.100.53 > 192.168.1.100.55310: [udp sum ok] 16307 q: A? nww.fqdn.com.uk. 0/0/0 (46)
And that is rfc1918.. Out of the box unbound will not send that on to the client that asked for it.. Since it could be a rebinding attack.. you to ether make fqdn.com.uk a private domain or you need to turn off rebinding protection.
So your just asking an upstream dns? A public domain should never return rfc1918 address - that is borked config!!! And screams of rebinding attack.
Thank you. I will check that out.
It's a DNS server on a private network that we don't control :(
Thank you that worked. I will also pass on your analysis to the DNS owner.
So if you are going to have lots of domains that you ask of an upstream nameserver, you could consider just turning off rebinding protection. Or your going to have to put in all the domains in unbound as private if you want it to return rfc1918 address to the clients asking unbound for this upstream domain.
This is a good reason to use non public valid tld for your internal domains. So for example yourdomain.lan - with a tld of lan you know for sure any domain in that is not public. And can set anything.lan to be private so unbound would return the rfc1918 address.
So is this domain publicly resolvable? And does it return rfc1918 to the public?? Or is this domain only resolve to local resources?
Hi, its a private domain within a large public sector organisation. We are linking into their MPLS network and then hooking up to their DNS servers.
but does the domain you are using - does it resolve on the public internet. Ie if I ask google dns for example would it resolve to this rfc1918 address?
If so that is borked… If can not resolve these rfc1918 if on the public then fine you can use whatever domain you want for your internal - but your resolvers/forwarders that will resolving need to make sure they are not doing rebind protection for the domains in question.
No,. it resolves to a private address on the MPLS network. Yes thanks have now turned off the rebind protection.