Bug 3436 - Incorrect unbound answer for domain A-record
Status: ASSIGNED
Product: unbound
Classification: Unclassified
Component: server
Version: 1.6.8
Hardware: x86_64 Linux
Importance: P3 major
Assigned To: unbound team
Reported: 2018-01-26 09:36 CET by Alexander Miroshnichenko
Modified: 2018-01-26 14:13 CET (History)
Attachments
Unbound logs (410.32 KB, text/x-log)
2018-01-26 09:36 CET, Alexander Miroshnichenko
Description Alexander Miroshnichenko 2018-01-26 09:36:30 CET
Created attachment 490
Unbound logs

I have found an incorrect unbound answer for the onlineprogrammingbooks.com domain.

What Google DNS returns:

$ host -t A onlineprogrammingbooks.com. 8.8.8.8
Using domain server:
Name: 8.8.8.8
Address: 8.8.8.8#53
Aliases:

onlineprogrammingbooks.com has address 192.254.225.151

What the authoritative DNS returns:
$ host -t ns onlineprogrammingbooks.com
onlineprogrammingbooks.com name server ns152.hostgator.com.
onlineprogrammingbooks.com name server ns151.hostgator.com.

$ host -t A onlineprogrammingbooks.com. ns151.hostgator.com.
Using domain server:
Name: ns151.hostgator.com.
Address: 50.87.144.153#53
Aliases:

onlineprogrammingbooks.com has address 192.254.225.151

What unbound returns:
$ host -t A onlineprogrammingbooks.com. 127.0.0.1
Using domain server:
Name: 127.0.0.1
Address: 127.0.0.1#53
Aliases:

onlineprogrammingbooks.com has no A record

I have attached logs with verbosity=4 and modules="validator iterator".
Same answer if the validator is disabled.
Comment 1 Alexander Miroshnichenko 2018-01-26 09:45:12 CET
Same behavior with unbound 1.5.10
Comment 2 Wouter Wijngaards 2018-01-26 14:07:36 CET
Hi Alexander,

For me it works fine.  This piece of your logs is the pertinent piece.

It says that 50.87.144.153 (the nameserver for onlineprogrammingbooks.com, that ns..hostgator server), replies with an answer that does not contain an A record.

When I query that server directly, it does reply with an A record.  And when I run unbound-host it also works.  But in your logs we can see that, sometimes, it doesn't reply with an A record in the answer.

Because there is no A record, unbound concludes that there is none.

The problem seems to be that your answers are somehow different.  Is there a firewall or something that is removing the A record?

Jan 26 11:23:18 [unbound] [6434:2] info: iterator operate: query onlineprogrammingbooks.com. A IN
Jan 26 11:23:18 [unbound] [6434:2] info: scrub for onlineprogrammingbooks.com. NS IN
Jan 26 11:23:18 [unbound] [6434:2] info: sanitize: removing potential poison RRset: ns151.hostgator.com. A IN
Jan 26 11:23:18 [unbound] [6434:2] info: response for onlineprogrammingbooks.com. A IN
Jan 26 11:23:18 [unbound] [6434:2] info: reply from <onlineprogrammingbooks.com.> 50.87.144.153#53
Jan 26 11:23:18 [unbound] [6434:2] info: incoming scrubbed packet: ;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 0
;; flags: qr aa ; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 0
;; QUESTION SECTION:
onlineprogrammingbooks.com.	IN	A

;; ANSWER SECTION:

;; AUTHORITY SECTION:
onlineprogrammingbooks.com.	86400	IN	NS	ns151.hostgator.com.
onlineprogrammingbooks.com.	86400	IN	NS	ns152.hostgator.com.

;; ADDITIONAL SECTION:
;; MSG SIZE  rcvd: 94
Jan 26 11:23:18 [unbound] [6434:2] info: query response was nodata ANSWER

Best regards, Wouter
Comment 3 Wouter Wijngaards 2018-01-26 14:13:49 CET
Hi Alexander,

One way in which that A record could be removed is if this unbound is set to send all its queries with a forward to another unbound.  And that unbound has a private-address option that removes the subnetblock 192.254.0.0/16.  Similar to how blocks like 192.168 and so on could be suppressed.  This option is not on by default or anything like that, but people use it for lan IPs and so on.  From your logs it does not look like your unbound is configured to remove that netblock.

Best regards, Wouter
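As an added diagnostic example (not part of the bug report and not unbound's own code), the following Python reads a dig-style packet dump like the scrubbed packet quoted in comment 2 and classifies it the way a resolver does (NOERROR with an empty ANSWER section from an authoritative server is NODATA), then checks whether a returned address would fall inside a hypothetical `private-address:` netblock of the kind described in comment 3. The packet text, the "good" variant and the netblocks are constructed from the values in this report.

```python
import ipaddress
import re

# Constructed sample: the scrubbed packet quoted in comment 2, with the '_'
# separators from the log export restored to line breaks.
SCRUBBED_PACKET = """;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 0
;; flags: qr aa ; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 0
;; QUESTION SECTION:
onlineprogrammingbooks.com.  IN  A

;; ANSWER SECTION:

;; AUTHORITY SECTION:
onlineprogrammingbooks.com.  86400  IN  NS  ns151.hostgator.com.
onlineprogrammingbooks.com.  86400  IN  NS  ns152.hostgator.com.

;; ADDITIONAL SECTION:
;; MSG SIZE  rcvd: 94
"""

# Constructed: the same query when the A record from the report survives.
GOOD_PACKET = SCRUBBED_PACKET.replace("ANSWER: 0", "ANSWER: 1").replace(
    ";; ANSWER SECTION:\n",
    ";; ANSWER SECTION:\nonlineprogrammingbooks.com.  14400  IN  A  192.254.225.151\n")

RCODE_RE = re.compile(r"rcode: (\w+)")
FLAGS_RE = re.compile(r"flags: ([a-z ]*);.*ANSWER: (\d+)")


def classify_response(packet: str) -> str:
    """Read a dig-style packet dump the way a resolver does and return
    'NXDOMAIN', 'ANSWER', 'NODATA' or 'REFERRAL'."""
    rcode = RCODE_RE.search(packet).group(1)
    flags, ancount = FLAGS_RE.search(packet).groups()
    if rcode == "NXDOMAIN":
        return "NXDOMAIN"
    if int(ancount) > 0:
        return "ANSWER"
    # NOERROR with an empty ANSWER section: with 'aa' set the server asserts
    # the name exists but has no such record (NODATA, what the log reports);
    # without 'aa' the NS set in AUTHORITY is a referral to follow instead.
    return "NODATA" if "aa" in flags.split() else "REFERRAL"


def dropped_by_private_address(addr: str, private_blocks: list[str]) -> bool:
    """True if an upstream resolver configured with these private-address:
    netblocks (hypothetical values) would strip an A record for addr."""
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(block) for block in private_blocks)
```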