Netgate Discussion Forum

Unbound not using glue records

General pfSense Questions
dns unbound bind
    ryansun
    last edited by Jul 22, 2024, 10:06 PM

    My pfSense (pfsense.int.mydomain.com) runs both BIND (port 54) and Unbound (port 53). I've set up BIND to serve the zone mydomain.com as follows:

    $TTL 60s
    ;
    $ORIGIN mydomain.com.
    
    mydomain.com.    IN  SOA  ns1.mydomain.com.  zonemaster.mydomain.com. (
                3   ; serial
                1d  ; refresh
                2h  ; retry
                4w  ; expire
                1h  ; minimum (negative caching TTL, RFC 2308)
                )
    
    ;
    ; Zone Records
    ;
    @        IN NS     ns1.mydomain.com.
    ; int is delegated; node-2 runs another authoritative BIND server.
    ; The AAAA records for node-2/node-3 below are the glue for that delegation.
    int      IN NS     node-2.int.mydomain.com.
    int      IN NS     node-3.int.mydomain.com.
    node-2.int.mydomain.com.    IN AAAA    [IPv6 ULA]
    node-3.int.mydomain.com.    IN AAAA    [IPv6 ULA]
    ns1      IN AAAA   [pfsense IPv6 ULA]
    mysvc    IN CNAME  node-1.int.mydomain.com.
    

    Unbound is configured with a domain override for mydomain.com pointing to BIND on port 54.

    When I query for the AAAA record of node-1.int.mydomain.com from the pfSense shell:

    ; <<>> DiG 9.18.20 <<>> AAAA node-1.int.mydomain.com.
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61557
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 3
    
    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 1432
    ;; QUESTION SECTION:
    ;node-1.int.mydomain.com.              IN      AAAA
    
    ;; AUTHORITY SECTION:
    int.mydomain.com.         51      IN      NS      node-2.int.mydomain.com.
    int.mydomain.com.         51      IN      NS      node-3.int.mydomain.com.
    
    ;; ADDITIONAL SECTION:
    node-2.int.mydomain.com. 51      IN      AAAA    ULA Redacted
    node-3.int.mydomain.com. 51      IN      AAAA    ULA Redacted
    
    ;; Query time: 0 msec
    ;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
    ;; WHEN: Mon Jul 22 14:59:13 PDT 2024
    ;; MSG SIZE  rcvd: 143
    

    When I specify the DNS server in dig, as in dig @node-2.int.mydomain.com AAAA node-1.int.mydomain.com, I get: dig: couldn't get address for 'node-2.int.mydomain.com': failure

    Why isn't Unbound using the glue records from BIND?

      johnpoz LAYER 8 Global Moderator @ryansun
      Jul 22, 2024, 11:40 PM (last edited by johnpoz Jul 22, 2024, 11:41 PM)

      @ryansun why would you redact a ULA address?

      snip from unbound.conf in /var/unbound/

      # DNS Rebinding
      # For DNS Rebinding prevention
      private-address: 127.0.0.0/8
      private-address: 10.0.0.0/8
      private-address: ::ffff:a00:0/104
      private-address: 172.16.0.0/12
      private-address: ::ffff:ac10:0/108
      private-address: 169.254.0.0/16
      private-address: ::ffff:a9fe:0/112
      private-address: 192.168.0.0/16
      private-address: ::ffff:c0a8:0/112
      private-address: fd00::/8
      private-address: fe80::/10
      

      When you forward, which is what a domain override is, rebind protection would prevent an RFC 1918 address or an IPv6 ULA from being returned. Notice the fd00::/8.

      You would have to set this domain as private. See the rebind protection info in the docs:

      https://docs.netgate.com/pfsense/en/latest/services/dns/rebinding.html#dns-rebinding-protections

      An intelligent man is sometimes forced to be drunk to spend time with his fools
      If you get confused: Listen to the Music Play
      Please don't Chat/PM me for help, unless mod related
      SG-4860 24.11 | Lab VMs 2.7.2, 24.11

        ryansun @johnpoz
        last edited by Jul 22, 2024, 11:55 PM

        @johnpoz Thanks for the reply. I added both mydomain.com and int.mydomain.com, but the error is the same. Regarding why I would redact a ULA address: although they are not routable, they are identifiable. If I post in multiple places and use the same ULA (assuming the ULA was randomly chosen), then people can link the two identities together.

          ryansun @ryansun
          last edited by Jul 25, 2024, 6:41 AM

          I figured it out: I should not put my authoritative server under the domain override section, because Unbound puts it in a forward zone and expects a DNS resolver. Instead, I switched to a stub zone under custom configuration, which requires an authoritative DNS server, and Unbound will perform the recursive lookup itself.

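The two wirings discussed in this thread side by side, as an added example: this is not pfSense's generated configuration and not anything the posters wrote. The names mydomain.com / int.mydomain.com and the 127.0.0.1 port 54 target follow the thread; the private-address list is the moderator's snip trimmed to the relevant lines, and the DNSSEC comment is a general Unbound caveat that the thread does not report.

```conf
# Added example for the thread above, not pfSense-generated config.
# Names and the 127.0.0.1@54 target come from the thread; everything
# else is an assumption for illustration.

server:
    # pfSense ships these private-address lines for DNS rebinding protection
    # (the moderator's snip). Unbound scrubs A/AAAA records inside these
    # ranges from upstream replies, glue in the additional section included,
    # unless the owner name is under a private-domain.
    private-address: 10.0.0.0/8
    private-address: 172.16.0.0/12
    private-address: 192.168.0.0/16
    private-address: fd00::/8
    private-address: fe80::/10

    # Needed with either wiring below: the NS glue for int.mydomain.com is
    # ULA (fd00::/8), so without this exception the glue is scrubbed before
    # Unbound can use it. private-domain covers the name and all of its
    # subdomains, so int.mydomain.com is included.
    private-domain: "mydomain.com"

    # Assumption, not from the thread: if DNSSEC validation is enabled and the
    # public mydomain.com is signed, the unsigned internal zone would validate
    # as bogus. domain-insecure disables validation below that name.
    # domain-insecure: "mydomain.com"

# What a pfSense Domain Override for mydomain.com -> 127.0.0.1 port 54
# produces. A forward-zone sends RD=1 queries and expects the target to be a
# recursive resolver that returns a final answer; it does not chase the
# referral BIND returns for int.mydomain.com, which is the NOERROR /
# ANSWER: 0 reply with only NS and glue in the first post.
# Commented out so that only one wiring is active for this name.
#
# forward-zone:
#     name: "mydomain.com"
#     forward-addr: 127.0.0.1@54

# What the original poster switched to. A stub-zone treats the target as an
# authoritative server: Unbound sends RD=0 queries, follows the NS records
# and glue in the referral to node-2/node-3.int.mydomain.com, and resolves
# node-1.int.mydomain.com itself.
stub-zone:
    name: "mydomain.com"
    stub-addr: 127.0.0.1@54
```

On pfSense the stub-zone and private-domain lines go in the DNS Resolver custom options, and the Domain Override for mydomain.com is removed so that the generated forward-zone and the stub-zone do not both exist for the same name. private-domain widens the rebind-protection exception to the whole domain and its subdomains, so list only zones you control.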
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.