If you've read some recent posts (Get Unbound DNS lookups working in Ubuntu 16.04 Xenial, understand SERVFAIL and Unbound DNS server behind a VIP - solving reply from unexpected source) you know that I've set up a high available Unbound DNS resolver/cacher for internal networks.
But just a few days before rolling out definitively for all internal servers a problem came across: The reverse DNS lookups didn't work.
With the Unbound DNS resolver defined as nameserver in /etc/resolv.conf:
$ host 192.168.253.153
Host 153.253.168.192.in-addr.arpa. not found: 3(NXDOMAIN)
$ host 10.161.206.153
Host 153.206.161.10.in-addr.arpa. not found: 3(NXDOMAIN)
The same command and the reverse lookup worked fine in a server still using the old standalone DNS servers. But why?
It's because of this, as found in the official documentation of unbound.conf:
The default zones are localhost, reverse 127.0.0.1 and ::1, the onion and the AS112 zones. The AS112 zones are reverse DNS zones for private use and reserved IP addresses for which the servers on the internet cannot provide correct answers. They are configured by default to give nxdomain (no reverse information) answers. The defaults can be turned off by specifying your own local-zone of that name, or using the 'nodefault' type.
So here we got the explanation. Unbound is by default configured to serve NXDOMAIN instead of serving the reserve dns information.
In order to change that behaviour, the internal IP addresses (see RFC1918), need to be defined in unbound.conf as local-zones in the server: section:
server:
interface: 0.0.0.0
interface-automatic: yes
access-control: 10.0.0.0/16 allow
access-control: 127.0.0.0/8 allow
access-control: 172.16.0.0/12 allow
access-control: 192.168.0.0/16 allow
verbosity: 1
domain-insecure: *
root-hints: /var/lib/unbound/root.hints
local-zone: "10.in-addr.arpa." nodefault
local-zone: "16.172.in-addr.arpa." nodefault
local-zone: "17.172.in-addr.arpa." nodefault
local-zone: "18.172.in-addr.arpa." nodefault
local-zone: "19.172.in-addr.arpa." nodefault
local-zone: "20.172.in-addr.arpa." nodefault
local-zone: "21.172.in-addr.arpa." nodefault
local-zone: "22.172.in-addr.arpa." nodefault
local-zone: "23.172.in-addr.arpa." nodefault
local-zone: "24.172.in-addr.arpa." nodefault
local-zone: "25.172.in-addr.arpa." nodefault
local-zone: "26.172.in-addr.arpa." nodefault
local-zone: "27.172.in-addr.arpa." nodefault
local-zone: "28.172.in-addr.arpa." nodefault
local-zone: "29.172.in-addr.arpa." nodefault
local-zone: "30.172.in-addr.arpa." nodefault
local-zone: "31.172.in-addr.arpa." nodefault
local-zone: "168.192.in-addr.arpa." nodefault
forward-zone:
name: "."
forward-addr: domaincontroller1.example.com
forward-addr: domaincontroller2.example.com
forward-addr: domaincontroller3.example.com
#forward-addr: 8.8.4.4 # Google
#forward-addr: 8.8.8.8 # Google
Now that the RFC1918 networks are defined as local zones (and Unbound was restarted) I checked the reverse DNS lookup again on the same host using Unbound as DNS resolver:
$ host 192.168.253.153
153.253.168.192.in-addr.arpa domain name pointer olymp.localdomain.local.
$ host 10.161.206.153
153.253.168.192.in-addr.arpa domain name pointer domaincontroller1.example.com.
nothanks from wrote on Jun 22nd, 2023:
So many moons later, but today we came across this exact issue and your post helped us fix these reverse lookups in unbound. Thank you for sharing!
gctwnl from wrote on Aug 11th, 2019:
Thank you! I have been puzzling over unbound and nsd all day and this was the final piece of the puzzle. I already had created a stub-zone for 2.168.192.in-addr.arpa but the local-zone item was the missing piece.
AWS Android Ansible Apache Apple Atlassian BSD Backup Bash Bluecoat CMS Chef Cloud Coding Consul Containers CouchDB DB DNS Database Databases Docker ELK Elasticsearch Filebeat FreeBSD Galera Git GlusterFS Grafana Graphics HAProxy HTML Hacks Hardware Icinga Influx Internet Java KVM Kibana Kodi Kubernetes LVM LXC Linux Logstash Mac Macintosh Mail MariaDB Minio MongoDB Monitoring Multimedia MySQL NFS Nagios Network Nginx OSSEC OTRS Office OpenSearch PGSQL PHP Perl Personal PostgreSQL Postgres PowerDNS Proxmox Proxy Python Rancher Rant Redis Roundcube SSL Samba Seafile Security Shell SmartOS Solaris Surveillance Systemd TLS Tomcat Ubuntu Unix VMWare VMware Varnish Virtualization Windows Wireless Wordpress Wyse ZFS Zoneminder