
I am trying to configure NSD and Unbound to handle Internal DNS.

I have everything working for forward lookups, but reverse lookups are failing.

I am not sure what to do next, but looking at the reverse dig response, it seems to be related to how I have specified the reverse zone:

"10.in-addr.arpa" vs "57.142.10.in-addr.arpa"

Please see the dig output and configuration files below.

Dig forward (working):

dig pc01.example.com.au

; <<>> DiG 9.8.3-P1 <<>> pc01.example.com.au
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2821
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;pc01.example.com.au.         IN      A

;; ANSWER SECTION:
pc01.example.com.au. 79883    IN      A       10.142.57.50

;; AUTHORITY SECTION:
example.com.au.       79755   IN      NS      ns1.example.com.au.

;; ADDITIONAL SECTION:
ns1.example.com.au.   79755   IN      A       10.142.57.1

;; Query time: 0 msec
;; SERVER: 10.142.57.1#53(10.142.57.1)
;; WHEN: Tue Nov  1 12:36:38 2016
;; MSG SIZE  rcvd: 91

Dig reverse (not working):

dig -x 10.142.57.50

; <<>> DiG 9.8.3-P1 <<>> -x 10.142.57.50
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 24368
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;50.57.142.10.in-addr.arpa.     IN      PTR

;; AUTHORITY SECTION:
10.in-addr.arpa.        10800   IN      SOA     localhost. nobody.invalid. 1 3600 1200 604800 10800

;; Query time: 1 msec
;; SERVER: 10.142.57.1#53(10.142.57.1)
;; WHEN: Tue Nov  1 12:38:25 2016
;; MSG SIZE  rcvd: 102

unbound.conf:

# Unbound: recursive, validating resolver for the 10.142.57.0/24 LAN.
server:
        # Listen on the LAN address (the one the ns1 A record points at) and on loopback.
        interface: 10.142.57.1
        interface: 127.0.0.1

        # Default-deny, then allow only clients from the local /24 and loopback.
        access-control: 0.0.0.0/0 refuse
        access-control: 10.142.57.0/24 allow
        access-control: 127.0.0.0/8 allow

        # Needed because the stub-zones below are reached via 127.0.0.1@8053.
        do-not-query-localhost: no
        # Do not reveal server identity / version to clients.
        hide-identity: yes
        hide-version: yes
        do-ip6: no

        # DNSSEC validation with an automatically maintained root trust anchor.
        # NOTE(review): the stub-zones below hold private names under public
        # parents that may be DNSSEC-signed; unbound.conf(5) recommends
        # domain-insecure for such zones so validation does not reject them -
        # confirm whether that is needed here.
        auto-trust-anchor-file: "/var/unbound/etc/root.key"
        root-hints: "/var/unbound/etc/named.cache"

        # NOTE(review): Unbound's built-in "nothing here" local-zone is
        # 10.in-addr.arpa., not this /24, so this line does not switch it off;
        # the authoritative NXDOMAIN seen in "dig -x" comes from that default.
        local-zone: "57.142.10.in-addr.arpa." nodefault

        verbosity: 1

remote-control:
        # unbound-control is reachable over loopback only.
        control-enable: yes
        control-interface: 127.0.0.1

# Hand queries for the internal forward zone to NSD on loopback port 8053.
stub-zone:
        name: "example.com.au"
        stub-addr: 127.0.0.1@8053

# Same for the matching reverse zone.
stub-zone:
        name: "57.142.10.in-addr.arpa."
        stub-addr: 127.0.0.1@8053

nsd.conf:

# NSD: authoritative server for the internal zones, hidden behind Unbound.
server:

    server-count: 1 # use this number of cpu cores
    database: "/var/nsd/db/nsd.db"
    zonelistfile: "/var/nsd/db/zone.list"
    # Unprivileged account NSD runs as after startup.
    username: _nsd
    logfile: "/var/log/nsd.log"
    pidfile: "/var/nsd/run/nsd.pid"
    xfrdfile: "/var/nsd/run/xfrd.state"
    # Listen on loopback only, on the port Unbound's stub-addr points at,
    # so LAN clients never talk to NSD directly.
    ip-address: 127.0.0.1
    port: 8053

remote-control:
    control-enable: yes
    # NOTE(review): no control-interface is given here; confirm nsd-control
    # is restricted to localhost in the same way as unbound-control.

# Forward zone. The zonefile path is relative; presumably resolved against
# NSD's zonesdir - confirm.
zone:
    name: example.com.au
    zonefile: example.com.au.forward

# Reverse zone for 10.142.57.0/24 (PTR records).
zone:
    name: 57.142.10.in-addr.arpa
    zonefile: example.com.au.reverse

example.com.au.forward:

; Forward zone for example.com.au, loaded by NSD from example.com.au.forward.
$ORIGIN example.com.au.
$TTL 86400
;
; NOTE(review): the SOA RNAME is "example.com.au." (i.e. mailbox example@com.au);
; the reverse zone uses admin.example.com.au. - confirm which one is intended.
@ IN SOA ns1.example.com.au. example.com.au. (
           2016110102  ; serial number
           28800       ; Refresh
           7200        ; Retry
           864000      ; Expire
           86400       ; Min TTL
           )
           IN     NS   ns1.example.com.au.  ; owner omitted: inherits "@"
;
; Host records. ns1 is the address Unbound listens on for the LAN.
ns1      IN     A    10.142.57.1
pc01     IN     A    10.142.57.50
pc02     IN     A    10.142.57.51
server01 IN     A    10.142.57.254

example.com.au.reverse:

; Reverse zone for 10.142.57.0/24, loaded by NSD from example.com.au.reverse.
; NOTE(review): Unbound only hands these queries to NSD once its built-in
; "nothing here" default for 10.in-addr.arpa. is disabled (local-zone nodefault).
$ORIGIN 57.142.10.in-addr.arpa.
$TTL 86400
;
@ IN SOA ns1.example.com.au. admin.example.com.au. (
           2016110102  ; serial number
           28800       ; Refresh
           7200        ; Retry
           864000      ; Expire
           86400       ; Min TTL
           )
    IN NS ns1.example.com.au.  ; owner omitted: inherits "@"
;
; PTR records: owner is the last octet, relative to $ORIGIN; class omitted (inherited).
1   PTR ns1.example.com.au.
50  PTR pc01.example.com.au.
51  PTR pc02.example.com.au.
254 PTR server01.example.com.au.
Adz

1 Answer


Unbound by default serves built-in "nothing here" (NXDOMAIN) replies for the following zones:

localhost.
127.in-addr.arpa.
1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa.
onion.
test.
invalid.
10.in-addr.arpa.
16.172.in-addr.arpa.
17.172.in-addr.arpa.
18.172.in-addr.arpa.
19.172.in-addr.arpa.
20.172.in-addr.arpa.
21.172.in-addr.arpa.
22.172.in-addr.arpa.
23.172.in-addr.arpa.
24.172.in-addr.arpa.
25.172.in-addr.arpa.
26.172.in-addr.arpa.
27.172.in-addr.arpa.
28.172.in-addr.arpa.
29.172.in-addr.arpa.
30.172.in-addr.arpa.
31.172.in-addr.arpa.
168.192.in-addr.arpa.
0.in-addr.arpa.
254.169.in-addr.arpa.
2.0.192.in-addr.arpa.
100.51.198.in-addr.arpa.
113.0.203.in-addr.arpa.
255.255.255.255.in-addr.arpa.
0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa.
d.f.ip6.arpa.
8.e.f.ip6.arpa.
9.e.f.ip6.arpa.
a.e.f.ip6.arpa.
b.e.f.ip6.arpa.
8.b.d.0.1.0.0.2.ip6.arpa.
64.100.in-addr.arpa. to 127.100.in-addr.arpa.

This leads to the

10.in-addr.arpa.  10800  IN  SOA  localhost. nobody.invalid. 1 3600 1200 604800 10800

reply you are experiencing (note the `aa` flag in the reverse dig output: Unbound answered authoritatively from its own local data instead of consulting the stub zone).

If you turn off this behaviour with the statement

local-zone: "10.in-addr.arpa." nodefault

the query will reach your stub zone and the content of your reverse zone should be served. (Your existing `local-zone: "57.142.10.in-addr.arpa." nodefault` line has no effect, because Unbound has no built-in default for that name, only for its parent 10.in-addr.arpa.)

aventurin