DNS Resolver/Unbound not working for some DNS query



  • I recently set up the pfSense DNS Resolver for a VMware home lab. The Host Override works fine. However, the VMware Data Protector software doesn't recognize the DNS query result from the DNS Resolver. It took me hours to figure out, and then I disabled the DNS Resolver, enabled the DNS Forwarder, and it worked.

    It seems that the VM VDP works with BIND or DNS Forwarder, or even Windows DNS, except unbound! There are some articles on the internet to approve that, so it’s not just me. Such as:

    http://www.binbert.com/blog/2015/11/vmware-data-protection-vdp-ipdns-could-not-be-resolved/

    https://communities.vmware.com/thread/564895

    And one person in the thread above mentioned in his post:

    “As per my understanding UNBOUND server is a single purpose DNS server. There is no code to support Dynamic DNS updates, or zone transfers, etc. As it is not able to respond to “ANY” query,…”

    So, my question is:
    Why doesn’t unbound support the “ANY” DNS query, while others do? I hope there is an option in unbound to support this, so I don’t have to switch to other DNS solutions.



  • No idea about your question but if unbound isn't doing what you want, you could always install the bind package and use that.



  • @KOM said in DNS Resolver/Unbound not working for some DNS query:

    No idea about your question but if unbound isn't doing what you want, you could always install the bind package and use that.

    The DNS Forwarder works fine for VMware VDP, and it comes with pfSense, so I didn't bother to install BIND. I am just confused about why VDP is not compatible with unbound, but others are fine.
    Isn't DNS a simple, straightforward translation between a domain and an IP? Shouldn't unbound support any DNS queries/protocols?



  • @shawn8888 said in DNS Resolver/Unbound not working for some DNS query:

    So, my question is:
    Why doesn’t unbound support the “ANY” DNS query, while others do? I hope there is an option in unbound to support this, so I don’t have to switch to other DNS solutions.

    Check out what unbound actually does - and doesn't.

    On the comparison page you will find :

    Some DNS features are relevant only to recursive servers, or to authoritative servers.

    Unbound belongs to the first category, and bind to the latter.

    pfSense is a firewall, so the default unbound resolver is just fine. pfSense isn't designed to be a "DNS 'zone' server"; that needs bind.

    @shawn8888 said in DNS Resolver/Unbound not working for some DNS query:

    There is no code to support Dynamic DNS updates, or zone transfers

    In that case the "DNS" needs to work with zones. It would be a full fledged DNS name server.

    Btw: I'm using unbound in Resolver mode, and from one of my PCs hooked up to the LAN I can:

    C:\Users>nslookup -q=ANY google.com
    Server:   pfsense.brit-hotel-fumel.net
    Address:  2001:470:1f13:5c0:2::1
    
    Non-authoritative answer:
    google.com      internet address = 216.58.198.206
    google.com      AAAA IPv6 address = 2a00:1450:4007:809::200e
    google.com      MX preference = 10, mail exchanger = aspmx.l.google.com
    google.com      MX preference = 50, mail exchanger = alt4.aspmx.l.google.com
    google.com      MX preference = 40, mail exchanger = alt3.aspmx.l.google.com
    google.com      MX preference = 20, mail exchanger = alt1.aspmx.l.google.com
    google.com      MX preference = 30, mail exchanger = alt2.aspmx.l.google.com
    google.com      nameserver = ns2.google.com
    google.com      nameserver = ns4.google.com
    google.com      nameserver = ns1.google.com
    google.com      nameserver = ns3.google.com
    

    Running the same request from pfSense > console :

    [2.4.4-RELEASE][admin@pfsense.brit-hotel-fumel.net]/root: dig @127.0.0.1 google.com ANY +short
    10 aspmx.l.google.com.
    50 alt4.aspmx.l.google.com.
    40 alt3.aspmx.l.google.com.
    20 alt1.aspmx.l.google.com.
    30 alt2.aspmx.l.google.com.
    ns2.google.com.
    ns4.google.com.
    ns1.google.com.
    ns3.google.com.
    

    So, no issues for me.
    (I'm not using VMware ...)
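
    The nslookup and dig runs above only show what one resolver returned for one name. As an added example (not part of this thread, and not Netgate or unbound code), the script below is the check a practitioner would want: it encodes an ANY query without EDNS, parses the answer section of the reply, and reports whether the resolver returned a full set of cached records, an RFC 8482 minimal answer (a single HINFO record, which some authoritative servers and resolvers send instead of the real data), or nothing at all. The two sample replies for example.com are constructed inline so the parser runs offline; the `query_any` helper does the same over UDP against a real server such as the pfSense box.

```python
import socket
import struct

# RR type codes used below (IANA DNS parameters registry).
TYPE_A, TYPE_HINFO, TYPE_MX, TYPE_ANY = 1, 13, 15, 255


def build_query(name, qtype, txid=0x1234):
    """Encode a plain (no EDNS) DNS query for name/qtype with RD set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def read_name(msg, off, max_jumps=16):
    """Decode a (possibly compressed) name at msg[off]; return (name, end_offset)."""
    labels, end, jumps = [], None, 0
    while True:
        length = msg[off]
        if (length & 0xC0) == 0xC0:            # compression pointer (RFC 1035 4.1.4)
            jumps += 1
            if jumps > max_jumps:
                raise ValueError("compression pointer loop")
            pointer = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if end is None:
                end = off + 2                   # caller resumes right after the first pointer
            off = pointer
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (end if end is not None else off)


def parse_answers(msg):
    """Return (flags, [(owner, rtype, rdata), ...]) for the answer section only."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                         # skip the question section
        _, off = read_name(msg, off)
        off += 4
    answers = []
    for _ in range(an):
        owner, off = read_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        answers.append((owner, rtype, msg[off:off + rdlen]))
        off += rdlen
    return flags, answers


def classify_any_response(msg):
    """'full', 'minimal' (only an RFC 8482 HINFO), 'empty', or 'rcode=N' on an error reply."""
    flags, answers = parse_answers(msg)
    rcode = flags & 0x000F
    if rcode != 0:
        return "rcode=%d" % rcode
    types = {rtype for _owner, rtype, _rdata in answers}
    if not types:
        return "empty"
    if types == {TYPE_HINFO}:
        return "minimal"
    return "full"


def query_any(server, name, timeout=3.0):
    """Send name/ANY over UDP to server:53 and return the raw reply (needs network)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, TYPE_ANY), (server, 53))
        reply, _addr = sock.recvfrom(4096)
    return reply


# Constructed sample replies (not captured from any real resolver) for example.com/ANY.
_QNAME = b"\x07example\x03com\x00"


def _sample_reply(answers, txid=0x1234):
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(answers), 0, 0)   # QR, RD, RA
    question = _QNAME + struct.pack("!HH", TYPE_ANY, 1)
    body = b""
    for rtype, rdata in answers:               # 0xC00C points back at the question name
        body += b"\xc0\x0c" + struct.pack("!HHIH", rtype, 1, 300, len(rdata)) + rdata
    return header + question + body


FULL_ANY = _sample_reply([
    (TYPE_A, bytes([93, 184, 216, 34])),
    (TYPE_MX, struct.pack("!H", 10) + b"\x04mail\xc0\x0c"),   # 10 mail.example.com.
])
MINIMAL_ANY = _sample_reply([(TYPE_HINFO, b"\x07RFC8482\x00")])  # HINFO "RFC8482" ""

if __name__ == "__main__":
    import sys
    print("constructed full reply    ->", classify_any_response(FULL_ANY))
    print("constructed minimal reply ->", classify_any_response(MINIMAL_ANY))
    if len(sys.argv) > 2:                       # e.g. python3 any_check.py 127.0.0.1 google.com
        print(sys.argv[1], "->", classify_any_response(query_any(sys.argv[1], sys.argv[2])))
```

    Because the query carries no EDNS, a large ANY answer may come back with the TC bit set (`flags & 0x0200`); the answer section is then a partial list, and the real check is to repeat the query over TCP (or with dig's `+tcp`). The script classifies whatever the resolver actually put on the wire, which is what a client such as VDP sees.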



  • @Gertjan said in DNS Resolver/Unbound not working for some DNS query:

    On the comparison page you will find :

    Some DNS features are relevant only to recursive servers, or to authoritative servers.

    Thank you for the informative reply!
    I am not a DNS expert, but from the wiki DNS page feature matrix I can tell that BIND seems to have the most features, and it's FREE! I don't know why pfSense ditched it and went to unbound.

    The VMWare VDP doesn't give me a lot of information about why unbound doesn't work with it. Here is the error it pops:

    [image: VDP-DNS-Error.jpg]

    Anyway, what's important is that the error can be solved by switching to a different DNS program like Dnsmasq.



  • @shawn8888 said in DNS Resolver/Unbound not working for some DNS query:

    I don't know why pfsense ditched it and going to unbound.

    The choice was made upstream: FreeBSD includes unbound, just a program, by default.
    Netgate/pfSense could have changed that, but they didn't.
    For a server OS, or desktop OS, or a firewall/router, unbound is more than enough. A secured (TLS or DNSSEC) resolver with a rather small footprint. Just perfect. "Settings" are rather limited; there is not much to do to get a setup that works well, and securely.
    Remember: before unbound, it was dnsmasq, the default resolv.... euh: forwarder. But a forwarder can't deliver what unbound delivers: DNSSEC.

    bind (named) targets a whole other market: when you have a dedicated server running on the Internet, hosted in a data center, with a whole lot of domain names, and you want to be your own zone master for all these domains (so you have close to no relation with your domain registrar anymore), then you need bind. Now you control your presence on the net from A to Z.
    bind, like postfix, is huge when it comes to setup.
    Encapsulating the settings in a GUI is a no-go.

    But it exists as a package, and can replace unbound.
    It's up to you (reserve some spare time, you'll be needing it. The day you manage bind well, you can say that you know what "DNS" is.).

