
By default, the Unbound DNS server works by the "classic" scheme: it queries the root servers for the zone's NS records, then queries the NSes for A/AAAA/...

Sometimes (rarely) connectivity between my DNS server and the target NSes fails, but the target NSes are still reachable from various looking glasses and from the Google/Level3 DNS servers, so "nslookup www.target.com 8.8.8.8" and "nslookup www.target.com 4.2.2.2" return the correct answer.

How do I set up Unbound to use public forwarders when (and only after) a direct query to the target NSes has failed? The following config works fine, but it routes all queries straight to the forwarders and ignores the target NSes entirely:

forward-zone:
    name: "."
    forward-first: no
    forward-addr: 8.8.8.8
    forward-addr: 4.2.2.2
  • A recursive resolver doesn't ask root servers for NS records. The recursive resolver asks the root server for the same domain and record type which the client was asking for. And the recursive resolver will set the recursion desired bit to 0 such that the root server knows that it isn't being asked to do recursion. The root server will then respond with an NS record such that the recursive resolver can continue resolution at the next server down the hierarchy. – kasperd Dec 18 '17 at 16:13
  • @kasperd this is true... until QNAME minimization was introduced, and it will thus become less and less true. Each nameserver will see in the request only the part relevant to it, not the full name queried. – Patrick Mevzek Dec 21 '17 at 05:43
  • @PatrickMevzek The current state of RFC 7816 is experimental. So far I haven't noticed any deployments of it. – kasperd Dec 21 '17 at 10:03
  • @kasperd it is already implemented in software (ex: PowerDNS, knot, unbound, planned for bind, etc.) and deployed, see Quad9 open resolvers – Patrick Mevzek Dec 21 '17 at 12:44
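The "direct first, forward only on failure" behaviour the question asks for, written as a stand-alone diagnostic that can be run from the resolver host to confirm the condition described (an added example in Python using only the standard library; it is not Unbound's code and not from the question or the comments). It sends an RD=0 query straight to the authoritative servers, as kasperd's comment describes, and only a timeout, a reply with a wrong transaction ID, or SERVFAIL moves it on to the forwarders with RD=1; 8.8.8.8 and 4.2.2.2 are the forwarders from the question, while the function names and the nameserver address 192.0.2.53 used for trying it out are assumptions.

```python
import secrets, socket, struct

def build_query(qname, rd=0):
    """Build a wire-format A/IN query; returns (transaction id, packet)."""
    txid = secrets.randbelow(0x10000)          # unpredictable ID: forged replies must guess it
    header = struct.pack("!HHHHHH", txid, (rd & 1) << 8, 1, 0, 0, 0)   # rd=0: no recursion asked
    labels = b"".join(bytes([len(p)]) + p.encode() for p in qname.rstrip(".").split("."))
    return txid, header + labels + b"\x00" + struct.pack("!HH", 1, 1)

def _skip_name(pkt, off):                      # advance past a possibly compressed name
    while True:
        ln = pkt[off]
        if ln == 0:
            return off + 1
        if ln & 0xC0 == 0xC0:                  # 2-byte compression pointer ends the name
            return off + 2
        off += ln + 1

def parse_response(pkt, txid):
    """Return (rcode, [IPv4 strings]); reject a reply whose ID does not match our query."""
    rid, flags, _, an, _, _ = struct.unpack("!HHHHHH", pkt[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch")
    off = _skip_name(pkt, 12) + 4              # past the echoed question (QNAME, QTYPE, QCLASS)
    addrs = []
    for _ in range(an):
        off = _skip_name(pkt, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        if rtype == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(pkt[off + 10:off + 14]))
        off += 10 + rdlen
    return flags & 0xF, addrs

def udp_exchange(server, packet, timeout=2.0):  # one UDP round trip; socket.timeout if unreachable
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(packet, (server, 53))
        return s.recv(4096)

def resolve_with_fallback(qname, authoritative, forwarders, exchange=udp_exchange):
    """Authoritative servers (RD=0) first, forwarders (RD=1) only on failure; None if all fail."""
    for path, rd, servers in (("direct", 0, authoritative), ("forwarded", 1, forwarders)):
        for server in servers:
            txid, pkt = build_query(qname, rd=rd)
            try:
                rcode, addrs = parse_response(exchange(server, pkt), txid)
            except (OSError, ValueError, struct.error, IndexError):   # timeout, forged or short reply
                continue
            if rcode != 2:                     # SERVFAIL is the only answer we retry past
                return path, server, rcode, addrs
```

A result on the "forwarded" path for a name whose authoritative servers are listed under `authoritative` reproduces exactly the situation in the question: the NSes answer 8.8.8.8 and 4.2.2.2 but not this host.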
