Unbound resolver and domain redirect not working - "FORMERR" on remote resolver



  • I have a pfsense 2.2.6 box which has been running dnsmasq / forwarder fine.

    I've tried setting up unbound / resolver to do the same thing, and it fails on domain overrides.

    Short: Domain Override fails on unbound but works on dnsmasq

    The remote network domain is t.local, so  I can see that in the dnsmasq parameters and this works correctly.
    –server=/t.local/192.168.128.100

    When I use resolver / unbound,  I see inside  /var/unbound/unbound.conf

    private-domain: "t.local"
    domain-insecure: "t.local"

    and inside  /var/unbound/domainoverrides.conf I see

    stub-zone:
            name: "t.local"
            stub-addr: 192.168.128.100
            stub-prime: no


    So the configuration looks fine.  But in practice it doesn't work.

    Here's a tcpdump of the lookup succeeding from dnsmasq.  This is done on the remote resolver at 192.168.128.100.

    17:31:IP 10.30.40.13.40784 > 192.168.128.100.53: 8933+ [1au] A? p3.t.local. (55)
    17:31:IP 192.168.128.100.53 > 10.30.40.13.40784: 8933 1/0/0 A 10.129.10.133 (60)

    Here's the same query via unbound

    17:29:IP 10.30.40.13.46129 > 192.168.128.100.53: 56287% [1au] A? p3.t.local. (55)
    17:29:IP 192.168.128.100.53 > 10.30.40.13.46129: 56287 FormErr 1/0/0 A 10.129.10.133 (60)
    17:29:IP 10.30.40.13.64324 > 192.168.128.100.53: 37062 A? p3.t.local. (44)
    17:29:IP 192.168.128.100.53 > 10.30.40.13.64324: 37062 FormErr 1/0/0 A 10.129.10.133 (60)
    17:29:IP 10.30.40.13.11900 > 192.168.128.100.53: 14199% [1au] A? p3.t.local. (55)
    17:29:IP 192.168.128.100.53 > 10.30.40.13.11900: 14199 FormErr 1/0/0 A 10.129.10.133 (60)
    17:29:IP 10.30.40.13.25182 > 192.168.128.100.53: 60535 A? p3.t.local. (44)
    ….this repeats ~10 times

    Now both DNS servers are looking at the same upstream resolver, which hasn't changed.  The path hasn't changed.  Why is unbound's request resulting in a FormErr ?  And the correct IP address is listed right there in the same line.

    Searching suggests that FORMERR means RCODE:1 which is    DNS Query Format Error.
    I remain unenlightened.

    What is wrong with unbound to make its queries unacceptable to the remote DNS server?



  • Problem found - turns out that unbound is not requesting recursion when talking to the remote resolver, but it is using EDNS to allow for larger replies.

    That should be okay, except the remote resolver was an older version of PowerDNS that was unhappy with this combination.

    I proved it using dig from a client talking to the remote resolver directly, by adding    +recurse    returned the bad "formerr" reply.

    Turns out theres a project to upgrade the powerDNS servers, to get things like SQL backend instead of text file support, so this is a work in progress.  We'll have to stay with dnsmasq / forwarder until the infrastructure is ready.