I'm getting no results for server1.ipa.lhpmail.us over DoT

Hello community,

I have delegated a subzone (ipa.lhpmail.us) to my locally running nameserver, and so far everything seems to be working. Google, Quad9 and even 1.1.1.1 are answering queries fine. Except when using unbound to query 1.1.1.1@853, Cloudflare is returning nodata?

2021-02-13T09:15:46	unbound[92811]	[92811:2] info: query response was nodata ANSWER	 
2021-02-13T09:15:46	unbound[92811]	[92811:2] info: reply from <.> 1.1.1.1#853	 
2021-02-13T09:15:46	unbound[92811]	[92811:2] info: response for server1.ipa.lhpmail.us. A IN	 
2021-02-13T09:15:46	unbound[92811]	[92811:2] info: resolving server1.ipa.lhpmail.us. A IN	 
2021-02-13T09:15:46	unbound[92811]	[92811:2] info: 10.0.1.47 server1.ipa.lhpmail.us. A IN	 
2021-02-13T09:15:45	unbound[92811]	[92811:2] info: 10.0.1.47 server1.ipa.lhpmail.us. A IN	 
2021-02-13T09:15:44	unbound[92811]	[92811:2] info: 10.0.1.47 server1.ipa.lhpmail.us. A IN	 
2021-02-13T09:15:43	unbound[92811]	[92811:2] info: 10.0.1.47 server1.ipa.lhpmail.us. A IN	 
2021-02-13T09:15:42	unbound[92811]	[92811:2] info: 10.0.1.47 server1.ipa.lhpmail.us. A IN	 
2021-02-13T09:15:41	unbound[92811]	[92811:3] info: 10.0.1.47 server1.ipa.lhpmail.us. A IN
dig server1.ipa.lhpmail.us @ns.ipa.lhpmail.us

; <<>> DiG 9.16.10 <<>> server1.ipa.lhpmail.us @ns.ipa.lhpmail.us
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1245
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 881c498a198d6b15dab065f36027e441184e08092e04d74f (good)
;; QUESTION SECTION:
;server1.ipa.lhpmail.us.                IN      A

;; ANSWER SECTION:
server1.ipa.lhpmail.us. 1200    IN      A       10.0.6.35

;; AUTHORITY SECTION:
ipa.lhpmail.us.         86400   IN      NS      server1.ipa.lhpmail.us.

;; Query time: 163 msec
;; SERVER: 45.88.183.146#53(45.88.183.146)
;; WHEN: Sat Feb 13 09:37:53 EST 2021
;; MSG SIZE  rcvd: 109

dig server1.ipa.lhpmail.us @1.1.1.1

; <<>> DiG 9.16.10 <<>> server1.ipa.lhpmail.us @1.1.1.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58047
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;server1.ipa.lhpmail.us.                IN      A

;; ANSWER SECTION:
server1.ipa.lhpmail.us. 1128    IN      A       10.0.6.35

;; Query time: 7 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; WHEN: Sat Feb 13 09:38:24 EST 2021
;; MSG SIZE  rcvd: 67

dig server1.ipa.lhpmail.us @10.0.0.1

; <<>> DiG 9.16.10 <<>> server1.ipa.lhpmail.us @10.0.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10773
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;server1.ipa.lhpmail.us.                IN      A

;; Query time: 23 msec
;; SERVER: 10.0.0.1#53(10.0.0.1)
;; WHEN: Sat Feb 13 09:38:59 EST 2021
;; MSG SIZE  rcvd: 51

A temporary workaround would be for me to tell unbound that any queries bound to ipa.lhpmail.us should go to 10.0.6.35? Better yet, is there any way to manually query DoT to rule out unbound?

EDIT

kdig -d @1.1.1.1 +tls-ca +tls-host=1.1.1.1 server1.ipa.lhpmail.us
;; DEBUG: Querying for owner(server1.ipa.lhpmail.us.), class(1), type(1), server(1.1.1.1), port(853), protocol(TCP)
;; DEBUG: TLS, imported 560 system certificates
;; DEBUG: TLS, received certificate hierarchy:
;; DEBUG:  #1, C=US,ST=California,L=San Francisco,O=Cloudflare\, Inc.,CN=cloudflare-dns.com
;; DEBUG:      SHA-256 PIN: od9obscoXQND56/DikypZrJkXGvbQV5Y61QGfcNitHo=
;; DEBUG:  #2, C=US,O=DigiCert Inc,CN=DigiCert TLS Hybrid ECC SHA384 2020 CA1
;; DEBUG:      SHA-256 PIN: e0IRz5Tio3GA1Xs4fUVWmH1xHDiH2dMbVtCBSkOIdqM=
;; DEBUG: TLS, skipping certificate PIN check
;; DEBUG: TLS, The certificate is trusted. 
;; TLS session (TLS1.3)-(ECDHE-X25519)-(ECDSA-SECP256R1-SHA256)-(AES-256-GCM)
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 47527
;; Flags: qr rd ra; QUERY: 1; ANSWER: 1; AUTHORITY: 0; ADDITIONAL: 1

;; EDNS PSEUDOSECTION:
;; Version: 0; flags: ; UDP size: 1232 B; ext-rcode: NOERROR
;; PADDING: 397 B

;; QUESTION SECTION:
;; server1.ipa.lhpmail.us.              IN      A

;; ANSWER SECTION:
server1.ipa.lhpmail.us. 74      IN      A       10.0.6.35

;; Received 468 B
;; Time 2021-02-13 09:56:06 EST
;; From 1.1.1.1@853(TCP) in 11.6 ms

Looks like unbound is to blame for this, I’ll look into this further.

EDIT

It’s unbound’s DNS rebinding protection that filters out private addresses.

I’ve hit this one before, it’s a weird one. I recall solving it with private-address and then also private-domain to whitelist certain domains from the filtering.

I use the opnsense firewall here, I just had to enable the option in System -> Settings -> Administration -> Disable DNS Rebinding Checks. I’m not sure if this is the default for upstream unbound, but if someone wants to know what setting is set in unbound.conf, just tag me.

Unbound does default to this:

No private addresses are enabled by default. We consider to enable this for the RFC1918 private IP address space by default in later releases. That would enable private addresses for 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 169.254.0.0/16 fd00::/8 and fe80::/10, since the RFC standards say these addresses should not be visible on the public internet. Turning on 127.0.0.0/8 would hinder many spam-blocklists as they use that.
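To make the mechanism described in the thread concrete, here is an added unbound.conf example (not the poster's configuration and not OPNsense's generated file). It forwards everything to Cloudflare over DoT, turns on the private-address filtering that produced the nodata answers, and then whitelists the delegated subzone with private-domain so the 10.0.6.35 answer survives. The zone name, the 10.0.0.1 listening address and the RFC1918 list are taken from the posts; the access-control range, the CA bundle path and the commented stub-zone alternative are illustrative assumptions.

```conf
# Added example, not from the original post. Demonstrates why unbound
# returned nodata for server1.ipa.lhpmail.us over DoT and how to fix it.
server:
    interface: 10.0.0.1                 # from "dig ... @10.0.0.1" in the post
    access-control: 10.0.0.0/8 allow    # assumption: LAN clients only

    # DNS rebinding protection. Any A/AAAA record inside these ranges is
    # removed from upstream answers, turning a valid answer into nodata.
    # Stock unbound ships with NO private-address entries; OPNsense adds
    # these unless "Disable DNS Rebinding Checks" is set.
    private-address: 10.0.0.0/8
    private-address: 172.16.0.0/12
    private-address: 192.168.0.0/16
    private-address: 169.254.0.0/16
    private-address: fd00::/8
    private-address: fe80::/10

    # The targeted fix: names at or below this domain may legitimately
    # resolve to private addresses, so the filter is skipped for them.
    # This covers server1.ipa.lhpmail.us without disabling the check
    # for every other name.
    private-domain: "ipa.lhpmail.us"

    # Required for certificate validation of the DoT upstream below.
    # Path is an assumption (Debian/Ubuntu layout); adjust to your OS.
    tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt

# Forward all queries to Cloudflare on port 853 and verify the server
# certificate against the name cloudflare-dns.com (the CN seen in the
# kdig output above).
forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-addr: 1.1.1.1@853#cloudflare-dns.com
    forward-addr: 1.0.0.1@853#cloudflare-dns.com

# Alternative the post considers: send the subzone directly to the local
# authoritative server instead of via Cloudflare. Note this alone does
# NOT help: the answer is still 10.0.6.35, so the private-domain line
# above is still needed. (Commented out; illustrative assumption.)
# stub-zone:
#     name: "ipa.lhpmail.us"
#     stub-addr: 10.0.6.35
```

Run `unbound-checkconf` after editing, then repeat the two queries from the post: `dig server1.ipa.lhpmail.us @10.0.0.1` should now return the A record, and removing the private-domain line should bring the nodata response back, which confirms the filter rather than the upstream is responsible.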
