Unbound won't return firewall's own ip



  • Unbound seems to be working in that I can ping the various machines, including themselves, even though their /etc/host files are empty.  So they are apparently querying the firewall for nameservice, which is what I want.

    But I can't ping the firewall itself, though I put in a host-override entry for it.  Since ping is asking 192.168.0.98 for the address of "firewall", unbound should have to look it up the same as it looks up any other address.  But it's not returning its address to ping.

    Any ideas why not?


  • LAYER 8 Global Moderator

    Not from the info you have given no..  If you created a host override then that should be returned.. And is simple enough to verify… Just query pfsense via your fav dns tool, nslookup, dig, drill, host..

    So my pfsense is called pfsense.local.lan - when I query it.. The IP is returned..

    user@clean:~$ dig pfsense.local.lan

    ; <<>> DiG 9.9.5-3ubuntu0.7-Ubuntu <<>> pfsense.local.lan
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1541
    ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ;; QUESTION SECTION:
    ;pfsense.local.lan.            IN      A

    ;; ANSWER SECTION:
    pfsense.local.lan.      3600    IN      A      192.168.9.253

    ;; Query time: 3 msec
    ;; SERVER: 192.168.9.253#53(192.168.9.253)
    ;; WHEN: Wed Feb 10 16:39:07 CST 2016
    ;; MSG SIZE  rcvd: 62

    user@clean:~$

I would suggest you post up your host override you created, and then what you get returned from your query.  A common mistake I have seen is users putting the override into the forwarder when they are using the resolver, or vice versa.
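The check johnpoz describes (ask the pfSense box directly, not whatever the OS resolver list happens to pick) as a small added script; it is not code from the thread or from pfSense. It builds a raw A query, sends it to a server address you choose, and reports the rcode, the `aa` flag and the A records, so a host override that is really loaded shows up as `aa` + NOERROR, while asking a public server gives NXDOMAIN. The `sample_response` helper builds constructed reply bytes (not a capture) so the parser can be exercised offline; the host names and IPs in it are taken from the thread.

```python
import socket
import struct

def build_query(name, qid=0x1234):
    """Minimal DNS A query: header with RD set, one question, no EDNS."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels)
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def _skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:        # compression pointer: 2 bytes, ends the name
            return off + 2
        off += length + 1

def parse_response(msg):
    """Extract rcode, the authoritative-answer bit and any A records from a reply."""
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                   # skip question section
        off = _skip_name(msg, off) + 4
    addrs = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:     # A record
            addrs.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return {"rcode": flags & 0x0F, "aa": bool(flags & 0x0400), "answers": addrs}

def check_override(server, name, expected_ip, timeout=2.0):
    """Query `server` directly over UDP/53, bypassing the OS resolver list."""
    q = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        data, _ = s.recvfrom(4096)
    r = parse_response(data)
    return r["rcode"] == 0 and expected_ip in r["answers"], r

def sample_response(name, ip, qid=0x1234, aa=True, rcode=0):
    """Constructed reply for offline testing: QR|RD|RA set, one A RR via a pointer to the question."""
    flags = 0x8180 | (0x0400 if aa else 0) | rcode
    header = struct.pack("!HHHHHH", qid, flags, 1, 0 if rcode else 1, 0, 0)
    question = build_query(name, qid)[12:]
    if rcode:                             # negative answer: no answer section
        return header + question
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 3600, 4) + socket.inet_aton(ip)
    return header + question + rr
```

Run `check_override("192.168.0.98", "firewall.example.org", "192.168.0.98")` from a LAN host: `True` means unbound on the firewall is serving the override; a `False` with rcode 3 means the name is not loaded in the resolver you just asked.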



  • Thanks for responding!  I goofed up something for sure, but I've absolutely no clue what and the docs aren't helpful.

    I didn't put the overrides into forward, thank goodness, but XP's nslookup goes out to the second nameserver rather than the firewall, and of course can't find anything.

    My domain override is

    example.org  192.168.0.98  make the firewall the local nameserver

    and the host overrides are

    bigcat  example.org  192.168.0.31  Opteron

    firewall  example.org  192.168.0.98  firewall

    fserver  example.org  192.168.0.96  fileserver

    lapcat  example.org  192.168.0.21  Lapcat

    m401  example.org  192.168.0.97  M401 printer

    modem  example.org  192.168.0.99  modem

    momcat  example.org  192.168.0.11  Momcat

    server  example.org  192.168.0.1  webserver

    slowcat  example.org  192.168.0.7  Slowcat


  • LAYER 8 Global Moderator

    "but XP's nslookup goes out to the second nameserver"

    And how is that anything to do with pfsense or unbound??  Why would you hand out a 2nd name server to your clients that can not resolve your local stuff, and then complain when you can not resolve your local stuff??

    Simple solution - just point your clients to 1 dns server pfsense..  Then you do not worry if your client uses a different one because they can not..



  • @johnpoz:

    "but XP's nslookup goes out to the second nameserver"

    And how is that anything to do with pfsense or unbound??  Why would you hand out a 2nd name server to your clients that can not resolve your local stuff, and then complain when you can not resolve your local stuff??

    Simple solution - just point your clients to 1 dns server pfsense..  Then you do not worry if your client uses a different one because they can not..

    I had two listed when I was using /etc/host tables for local addresses, so that if one nameserver was down there was a fallback.  They're meant to be queried in the order listed.  I just now removed the second one from the list, but that didn't improve anything.

    Lookup requests still ignore the domain override, so I can't imagine what's going on.

    [slowcat:root]~> nslookup firewall
    Server: 4.2.2.1
    Address: 4.2.2.1#53

    Non-authoritative answer:
    Name: firewall
    Address: 104.239.213.7
    Name: firewall
    Address: 198.105.254.11

    [slowcat:root]~> host firewall
    firewall has address 104.239.213.7
    firewall has address 198.105.254.11
    Host firewall not found: 3(NXDOMAIN)

    [slowcat:root]~> nslookup 192.168.0.6
    Server: 4.2.2.1
    Address: 4.2.2.1#53

    ** server can't find 6.0.168.192.in-addr.arpa: NXDOMAIN

    9:29 Thu, 11 Feb
    [slowcat:root]~> host slowcat.example.org

    Host slowcat.example.org not found: 3(NXDOMAIN)



  • I've fiddled with every setting that even seems plausible, but the boxes on the lan might as well not exist as far as unbound is concerned.

    Is anyone getting nameservice for their lan boxes from their pfsense box?


  • LAYER 8 Global Moderator

    "They're meant to be queried in the order listed."

    That is not exactly what happens, nor was it ever stated by MS that is what happens… That is what some users assume..  But has never ever been the case..

    I would suggest you read over
    https://technet.microsoft.com/en-us/library/dd197552(v=ws.10).aspx

    And what you will find is windows like to ask the server that answers faster, and will also NOT ask a server that didn't answer a previous query or sent back NX, etc..  So you can really never be sure what dns server it is sending queries to, etc..  It is BAD practice to point to more than 1 dns server that can not provide you the same information.. If you have multiple local servers, great.. As long as they can all resolve your local domains for you..  If you don't have any local domains and you want to point to level 3, 4.2.2.2 is my fav, or google 8.8.8.8 or opendns that is fine - they all can resolve the same public domain.. So it doesn't really matter who you ask for www.pfsense.org for example.

    Dude really... How is this a test of unbound????

    nslookup firewall
    Server:      4.2.2.1
    Address:  4.2.2.1#53

    You clearly are asking 4.2.2.1 which is a Level3 name server open to the public… How in the heck is it going to resolve firewall???

    what part do you not understand about doing queries to pfsense, to resolve stuff pfsense knows about!

    I have lots of hosts that pfsense resolves..

    Why don't you actually query pfsense IP that unbound is listening on...  If you want to get an answer from it..

    [slowcat:root]~> nslookup 192.168.0.6
    Server:      4.2.2.1
    Address:  4.2.2.1#53

    ** server can't find 6.0.168.192.in-addr.arpa: NXDOMAIN

    no shit 4.2.2.1 isn't going to have a clue how to do a PTR for a rfc1918 address.

    See attached list of my overrides in pfsense.. And then doing queries – notice the server that nslookup is asking is 192.168.9.253, my pfsense server running unbound listening on my lan interface.

    Notice if I ask 4.2.2.1 about my pfsense on local.lan he doesn't have a freaking clue either ;)

    Last login: Fri Feb 12 06:00:23 2016 from i5-w7.local.lan
    user@clean:~$ dig @4.2.2.1 pfsense.local.lan

    ; <<>> DiG 9.9.5-3ubuntu0.7-Ubuntu <<>> @4.2.2.1 pfsense.local.lan
    ; (1 server found)
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 46956
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 8192
    ;; QUESTION SECTION:
    ;pfsense.local.lan.            IN      A

    ;; AUTHORITY SECTION:
    .                      77056  IN      SOA    a.root-servers.net. nstld.verisign-grs.com. 2016021201 1800 900 604800 86400

    ;; Query time: 16 msec
    ;; SERVER: 4.2.2.1#53(4.2.2.1)
    ;; WHEN: Fri Feb 12 14:49:45 CST 2016
    ;; MSG SIZE  rcvd: 121

    user@clean:~$


  • @johnpoz:

    "They're meant to be queried in the order listed."

    That is not exactly what happens, nor was it ever stated by MS that is what happens… That is what some users assume..  But has never ever been the case..

    I would suggest you read over
    https://technet.microsoft.com/en-us/library/dd197552(v=ws.10).aspx

    I actually have read that, and it says

    The DNS Client service queries the DNS servers in the following order:

    The DNS Client service sends the name query to the first DNS server on the preferred adapter’s list of DNS servers [emphases added] and waits one second for a response. [then tries 3 times more, with greater spread and wait  before finally timing out]

    Both XP and 7 call the first DNS server the "preferred" server, and under TCP/IP Advanced say "DNS server addresses, in order of use".  So I really wasn't inventing it  ;)

    More importantly, in this case, unless I have an outside server listed I don't get anything back because unbound isn't forwarding anything no matter what combination of interfaces I choose.  Without a pointer to an outside nameserver, I can get nothing but LAN addresses.  And I can't get the firewall's own address even though it's in the override list.  I'm at a loss to know what else to try, because the setup I have should work.


  • LAYER 8 Global Moderator

    Why would it forward??  Its default mode is resolve…  Did you put it into forwarding mode??  That is a different problem than answering your queries for local stuff..

    Here is the part you need to understand about the query method of windows
    3. "the DNS Client service sends the query to all DNS servers on all adapters that are still under consideration and waits another two seconds for a response."

    "if it has not received a response from any DNS server on a specified adapter, then for the next 30 seconds, the DNS Client service responds to all queries destined for servers on that adapter with a timeout and does not query those servers"

    "If at any point the DNS Client service receives a negative response from a server, it removes every server on that adapter from consideration during this search."

    Also you need to read this which gives better examples of where a query might go
    http://blogs.technet.com/b/stdqry/archive/2011/12/15/dns-clients-and-timeouts-part-2.aspx

    The client tries to resolve a name and DNS1 times-out but DNS2 answers. The next query that this client tries to resolve is going to go DNS2 first before being retried in DNS1, because DNS2 would have a higher priority than DNS1.

    Configure the clients to point to more than one DNS server for fault-tolerance. Do not list more than one server to overcome disjoint DNS namespaces, and if you are going to do so, understand the risks and consequences.

    Why don't you watch what it queries via a sniff!!  You can not be sure that it's actually doing a query to the one listed first… You just can not...  And using 2 different servers, 1 local that resolves local stuff and one that does not resolve local stuff is going to cause you pain..  That is disjointed namespace..

    As to unbound not resolving public stuff or local, what does that have to do with you doing queries to 4.2.2.1????  How does that show anyone that unbound is not working???

    Out of the box, and even from your screenshot unbound is not in forwarder mode, it's a resolver.. So it's going to work its way down from roots to find the authoritative server for what you're looking for so it can query it directly for the record you're looking for.. If you have outbound 53 blocked to the internet other than to specific nameservers or address space, then the resolver is not going to work.. If your isp forces you to use their dns then resolver mode is not going to work..

    Why don't you sniff on your wan where unbound will do its queries when you ask it for something so you can see what is happening..

