Netgate Discussion Forum

Unbound resolver and domain redirect not working - "FORMERR" on remote resolver

DHCP and DNS
Criggie, posted Jan 27, 2016, 5:01 AM (last edited Jan 29, 2016, 11:34 PM)

    I have a pfSense 2.2.6 box which has been running dnsmasq / forwarder fine.

    I've tried setting up unbound / resolver to do the same thing, and it fails on domain overrides.

    Short: Domain Override fails on unbound but works on dnsmasq

    The remote network domain is t.local, so I can see that in the dnsmasq parameters and this works correctly.
    --server=/t.local/192.168.128.100

    When I use resolver / unbound, I see inside /var/unbound/unbound.conf

    private-domain: "t.local"
    domain-insecure: "t.local"

    and inside  /var/unbound/domainoverrides.conf I see

    stub-zone:
            name: "t.local"
            stub-addr: 192.168.128.100
            stub-prime: no


    So the configuration looks fine.  But in practice it doesn't work.

    Here's a tcpdump of the lookup succeeding from dnsmasq.  This is done on the remote resolver at 192.168.128.100.

    17:31:IP 10.30.40.13.40784 > 192.168.128.100.53: 8933+ [1au] A? p3.t.local. (55)
    17:31:IP 192.168.128.100.53 > 10.30.40.13.40784: 8933 1/0/0 A 10.129.10.133 (60)

    Here's the same query via unbound

    17:29:IP 10.30.40.13.46129 > 192.168.128.100.53: 56287% [1au] A? p3.t.local. (55)
    17:29:IP 192.168.128.100.53 > 10.30.40.13.46129: 56287 FormErr 1/0/0 A 10.129.10.133 (60)
    17:29:IP 10.30.40.13.64324 > 192.168.128.100.53: 37062 A? p3.t.local. (44)
    17:29:IP 192.168.128.100.53 > 10.30.40.13.64324: 37062 FormErr 1/0/0 A 10.129.10.133 (60)
    17:29:IP 10.30.40.13.11900 > 192.168.128.100.53: 14199% [1au] A? p3.t.local. (55)
    17:29:IP 192.168.128.100.53 > 10.30.40.13.11900: 14199 FormErr 1/0/0 A 10.129.10.133 (60)
    17:29:IP 10.30.40.13.25182 > 192.168.128.100.53: 60535 A? p3.t.local. (44)
    ...this repeats ~10 times

    Now both DNS servers are looking at the same upstream resolver, which hasn't changed. The path hasn't changed. Why is unbound's request resulting in a FormErr? And the correct IP address is listed right there in the same line.

    Searching suggests that FORMERR means RCODE:1 which is DNS Query Format Error.
    I remain unenlightened.

    What is wrong with unbound to make its queries unacceptable to the remote DNS server?

    Criggie, last edited Jan 29, 2016, 11:34 PM

      Problem found - turns out that unbound is not requesting recursion when talking to the remote resolver, but it is using EDNS to allow for larger replies.

      That should be okay, except the remote resolver was an older version of PowerDNS that was unhappy with this combination.

      I proved it using dig from a client talking to the remote resolver directly: adding +recurse returned the bad "formerr" reply.

      Turns out there's a project to upgrade the PowerDNS servers, to get things like SQL backend instead of text file support, so this is a work in progress. We'll have to stay with dnsmasq / forwarder until the infrastructure is ready.
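To make the difference between the two captures concrete, here is an added example (not code from the thread or from pfSense/unbound): a small Python script that builds the two queries with the header bits the captures show and renders a message in tcpdump's notation, where "+" is RD (recursion desired), "%" is CD (checking disabled), "$" is AD and "[1au]" marks one EDNS OPT record. The query name, transaction ids and the FORMERR reply are constructed stand-ins for what the capture shows; the real PowerDNS reply also carried an answer record, which is omitted here.

```python
import struct

# DNS header flag bits (RFC 1035, RFC 4035), RCODE names as tcpdump prints them, EDNS0 OPT type (RFC 6891)
FLAG_QR, FLAG_RD, FLAG_AD, FLAG_CD = 0x8000, 0x0100, 0x0020, 0x0010
RCODES = {0: "NoError", 1: "FormErr", 2: "ServFail", 3: "NXDomain", 5: "Refused"}
OPT = 41

def encode_name(name):  # wire-encode a domain name as length-prefixed labels
    return b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"

def build_query(qname, txid, rd=True, cd=False, edns=True, udp_size=4096):
    """Build a UDP A-record query; rd/cd set the RD/CD header bits, edns appends an OPT RR."""
    flags = (FLAG_RD if rd else 0) | (FLAG_CD if cd else 0)
    hdr = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 1 if edns else 0)
    question = encode_name(qname) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    # OPT RR = root name, type 41, "class" = advertised UDP size, ttl 0, no rdata: 11 bytes,
    # exactly the 55 - 44 byte difference between the EDNS and plain queries in the capture
    opt = b"\x00" + struct.pack("!HHIH", OPT, udp_size, 0, 0) if edns else b""
    return hdr + question + opt
def formerr_reply(query):  # constructed reply: the query echoed with QR set and RCODE=1 (FORMERR)
    txid, flags = struct.unpack("!HH", query[:4])
    return struct.pack("!HH", txid, flags | FLAG_QR | 1) + query[4:]

def skip_name(pkt, off):  # return the offset just past a (possibly compressed) domain name
    while pkt[off] != 0:
        if pkt[off] & 0xC0 == 0xC0:  # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + pkt[off]
    return off + 1

def summarize(pkt):
    """Describe a message in tcpdump's style: id, +(RD) %(CD) $(AD), rcode for replies, [1au] if EDNS."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", pkt[:12])
    out = str(txid) + ("+" if flags & FLAG_RD else "") + ("%" if flags & FLAG_CD else "") + ("$" if flags & FLAG_AD else "")
    off = 12
    for _ in range(qd):
        off = skip_name(pkt, off) + 4  # name + QTYPE + QCLASS
    edns = False
    for _ in range(an + ns + ar):  # walk the remaining RRs looking for an OPT pseudo-RR
        off = skip_name(pkt, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        edns |= rtype == OPT
        off += 10 + rdlen
    if flags & FLAG_QR:
        out += " " + RCODES.get(flags & 0xF, "rcode%d" % (flags & 0xF))
    return out + (" [1au]" if edns else "")

# Constructed stand-ins for the queries in the thread: dnsmasq sets RD; unbound clears RD, sets CD, then retries without EDNS
DNSMASQ_QUERY = build_query("p3.t.local", 8933, rd=True, cd=False, edns=True)
UNBOUND_QUERY = build_query("p3.t.local", 56287, rd=False, cd=True, edns=True)
UNBOUND_RETRY = build_query("p3.t.local", 37062, rd=False, cd=False, edns=False)
```

Running summarize() over the three constructed queries reproduces the "8933+ [1au]", "56287% [1au]" and "37062" prefixes from the captures, so the only header difference between the working and failing query is the RD bit.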
