Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

forward-host not working #1165

Open
T3rm1 opened this issue Oct 26, 2024 · 16 comments
Open

forward-host not working #1165

T3rm1 opened this issue Oct 26, 2024 · 16 comments
Assignees

Comments

@T3rm1
Copy link

T3rm1 commented Oct 26, 2024

I think there might be a problem with forward-host. It never works and returns SERVFAIL.

Setup: I tried 1.20.0 and 1.22.0

forward-zone:
        name: "."
        forward-tls-upstream: yes
        # doesn't work
        forward-host: fbe4717c.d.adguard-dns.com@853
        # does work
        # forward-addr: 94.140.14.49@853#d.adguard-dns.com

Tested with dig @127.0.0.1 heise.de
Response:

; <<>> DiG 9.18.27 <<>> @127.0.0.1 heise.de
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 54607
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;heise.de.                      IN      A

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
;; WHEN: Sat Oct 26 23:20:54 UTC 2024
;; MSG SIZE  rcvd: 37

Here is the log:

[1729983740] unbound[196:0] info: start of service (unbound 1.20.0).
[1729983758] unbound[196:0] info: 127.0.0.1 heise.de. A IN
[1729983758] unbound[196:0] debug: udp request from ip4 127.0.0.1 port 59760 (len 16)
[1729983758] unbound[196:0] debug: mesh_run: start
[1729983758] unbound[196:0] debug: validator[module 0] operate: extstate:module_state_initial event:module_event_new
[1729983758] unbound[196:0] info: validator operate: query heise.de. A IN
[1729983758] unbound[196:0] debug: validator: pass to next module
[1729983758] unbound[196:0] debug: mesh_run: validator module exit state is module_wait_module
[1729983758] unbound[196:0] debug: iterator[module 1] operate: extstate:module_state_initial event:module_event_pass
[1729983758] unbound[196:0] debug: process_request: new external request event
[1729983758] unbound[196:0] debug: iter_handle processing q with state INIT REQUEST STATE
[1729983758] unbound[196:0] info: resolving heise.de. A IN
[1729983758] unbound[196:0] debug: request has dependency depth of 0
[1729983758] unbound[196:0] debug: forwarding request
[1729983758] unbound[196:0] debug: iter_handle processing q with state QUERY TARGETS STATE
[1729983758] unbound[196:0] info: processQueryTargets: heise.de. A IN
[1729983758] unbound[196:0] debug: processQueryTargets: targetqueries 0, currentqueries 0 sentcount 0
[1729983758] unbound[196:0] info: DelegationPoint<.>: 1 names (1 missing), 0 addrs (0 result, 0 avail) parentNS
[1729983758] unbound[196:0] info:   fbe4717c.d.adguard-dns.com.
[1729983758] unbound[196:0] debug: attempt to get extra 3 targets
[1729983758] unbound[196:0] info: new target fbe4717c.d.adguard-dns.com. AAAA IN
[1729983758] unbound[196:0] info: new target fbe4717c.d.adguard-dns.com. A IN
[1729983758] unbound[196:0] debug: rpz: iterator module callback: have_rpz=0
[1729983758] unbound[196:0] debug: no current targets
[1729983758] unbound[196:0] debug: waiting for 2 targets to resolve
[1729983758] unbound[196:0] debug: mesh_run: iterator module exit state is module_wait_subquery
[1729983758] unbound[196:0] debug: iterator[module 1] operate: extstate:module_state_initial event:module_event_pass
[1729983758] unbound[196:0] info: iterator operate: query fbe4717c.d.adguard-dns.com. AAAA IN
[1729983758] unbound[196:0] debug: iter_handle processing q with state INIT REQUEST STATE
[1729983758] unbound[196:0] info: resolving fbe4717c.d.adguard-dns.com. AAAA IN
[1729983758] unbound[196:0] debug: request has dependency depth of 1
[1729983758] unbound[196:0] debug: forwarding request
[1729983758] unbound[196:0] debug: iter_handle processing q with state QUERY TARGETS STATE
[1729983758] unbound[196:0] info: processQueryTargets: fbe4717c.d.adguard-dns.com. AAAA IN
[1729983758] unbound[196:0] debug: processQueryTargets: targetqueries 0, currentqueries 0 sentcount 0
[1729983758] unbound[196:0] info: DelegationPoint<.>: 1 names (1 missing), 0 addrs (0 result, 0 avail) parentNS
[1729983758] unbound[196:0] info:   fbe4717c.d.adguard-dns.com.
[1729983758] unbound[196:0] debug: attempt to get extra 2 targets
[1729983758] unbound[196:0] info: skipping target due to dependency cycle (harden-glue: no may fix some of the cycles) fbe4717c.d.adguard-dns.com. A IN
[1729983758] unbound[196:0] debug: rpz: iterator module callback: have_rpz=0
[1729983758] unbound[196:0] debug: No more query targets, attempting last resort
[1729983758] unbound[196:0] debug: configured stub or forward servers failed -- returning SERVFAIL
[1729983758] unbound[196:0] debug: store error response in message cache
[1729983758] unbound[196:0] debug: return error response SERVFAIL
[1729983758] unbound[196:0] debug: mesh_run: iterator module exit state is module_finished
[1729983758] unbound[196:0] debug: validator[module 0] operate: extstate:module_state_initial event:module_event_moddone
[1729983758] unbound[196:0] info: validator operate: query fbe4717c.d.adguard-dns.com. AAAA IN
[1729983758] unbound[196:0] debug: validator: nextmodule returned
[1729983758] unbound[196:0] debug: not validating response, is valrec(validation recursion lookup)
[1729983758] unbound[196:0] debug: mesh_run: validator module exit state is module_finished
[1729983758] unbound[196:0] debug: iterator[module 1] operate: extstate:module_state_initial event:module_event_pass
[1729983758] unbound[196:0] info: iterator operate: query fbe4717c.d.adguard-dns.com. A IN
[1729983758] unbound[196:0] debug: iter_handle processing q with state INIT REQUEST STATE
[1729983758] unbound[196:0] info: resolving fbe4717c.d.adguard-dns.com. A IN
[1729983758] unbound[196:0] debug: request has dependency depth of 1
[1729983758] unbound[196:0] debug: forwarding request
[1729983758] unbound[196:0] debug: iter_handle processing q with state QUERY TARGETS STATE
[1729983758] unbound[196:0] info: processQueryTargets: fbe4717c.d.adguard-dns.com. A IN
[1729983758] unbound[196:0] debug: processQueryTargets: targetqueries 0, currentqueries 0 sentcount 0
[1729983758] unbound[196:0] info: DelegationPoint<.>: 1 names (1 missing), 0 addrs (0 result, 0 avail) parentNS
[1729983758] unbound[196:0] info:   fbe4717c.d.adguard-dns.com.
[1729983758] unbound[196:0] debug: attempt to get extra 2 targets
[1729983758] unbound[196:0] info: skipping target due to dependency cycle (harden-glue: no may fix some of the cycles) fbe4717c.d.adguard-dns.com. A IN
[1729983758] unbound[196:0] debug: rpz: iterator module callback: have_rpz=0
[1729983758] unbound[196:0] debug: No more query targets, attempting last resort
[1729983758] unbound[196:0] debug: configured stub or forward servers failed -- returning SERVFAIL
[1729983758] unbound[196:0] debug: store error response in message cache
[1729983758] unbound[196:0] debug: return error response SERVFAIL
[1729983758] unbound[196:0] debug: mesh_run: iterator module exit state is module_finished
[1729983758] unbound[196:0] debug: validator[module 0] operate: extstate:module_state_initial event:module_event_moddone
[1729983758] unbound[196:0] info: validator operate: query fbe4717c.d.adguard-dns.com. A IN
[1729983758] unbound[196:0] debug: validator: nextmodule returned
[1729983758] unbound[196:0] debug: not validating response, is valrec(validation recursion lookup)
[1729983758] unbound[196:0] debug: mesh_run: validator module exit state is module_finished
[1729983758] unbound[196:0] debug: iterator[module 1] operate: extstate:module_wait_subquery event:module_event_pass
[1729983758] unbound[196:0] info: iterator operate: query heise.de. A IN
[1729983758] unbound[196:0] debug: iter_handle processing q with state QUERY TARGETS STATE
[1729983758] unbound[196:0] info: processQueryTargets: heise.de. A IN
[1729983758] unbound[196:0] debug: processQueryTargets: targetqueries 0, currentqueries 0 sentcount 0
[1729983758] unbound[196:0] info: DelegationPoint<.>: 1 names (0 missing), 0 addrs (0 result, 0 avail) parentNS
[1729983758] unbound[196:0] info:   fbe4717c.d.adguard-dns.com. * A AAAA
[1729983758] unbound[196:0] debug: rpz: iterator module callback: have_rpz=0
[1729983758] unbound[196:0] debug: No more query targets, attempting last resort
[1729983758] unbound[196:0] debug: configured stub or forward servers failed -- returning SERVFAIL
[1729983758] unbound[196:0] debug: store error response in message cache
[1729983758] unbound[196:0] debug: return error response SERVFAIL
[1729983758] unbound[196:0] debug: mesh_run: iterator module exit state is module_finished
[1729983758] unbound[196:0] debug: validator[module 0] operate: extstate:module_wait_module event:module_event_moddone
[1729983758] unbound[196:0] info: validator operate: query heise.de. A IN
[1729983758] unbound[196:0] debug: validator: nextmodule returned
[1729983758] unbound[196:0] debug: cannot validate non-answer, rcode SERVFAIL
[1729983758] unbound[196:0] debug: mesh_run: validator module exit state is module_finished
[1729983758] unbound[196:0] error: SERVFAIL <heise.de. A IN>: all the configured stub or forward servers failed, at zone . no server to query no addresses for nameservers
[1729983758] unbound[196:0] debug: query took 0.000000 sec
[1729983758] unbound[196:0] info: 127.0.0.1 heise.de. A IN SERVFAIL 0.000000 0 37
[1729983758] unbound[196:0] info: mesh_run: end 0 recursion states (0 with reply, 0 detached), 0 waiting replies, 1 recursion replies sent, 0 replies dropped, 0 states jostled out
[1729983758] unbound[196:0] info: average recursion processing time 0.000000 sec
[1729983758] unbound[196:0] info: histogram of recursion processing times
[1729983758] unbound[196:0] info: [25%]=0 median[50%]=0 [75%]=0
[1729983758] unbound[196:0] info: lower(secs) upper(secs) recursions
[1729983758] unbound[196:0] info:    0.000000    0.000001 1
[1729983758] unbound[196:0] debug: cache memory msg=66842 rrset=66104 infra=8224 val=66384

Note that it does work, if I comment the host and uncomment the addr.

@T3rm1 T3rm1 changed the title forward-host not working forward-host not working Oct 27, 2024
@Aura67
Copy link

Aura67 commented Oct 27, 2024

the forward-host is written exactly like the forward-addr with an upstream like Adguard dns and other upstream servers.
like this:

forward-zone:
name: "."
forward-tls-upstream: yes
forward-addr: 94.140.14.14@853#dns.adguard-dns.com
forward-addr: 94.140.15.15@853#dns.adguard-dns.com
forward-host: 94.140.14.14@853#dns.adguard-dns.com
forward-host: 94.140.15.15@853#dns.adguard-dns.com

Once you have added it to your unbound config, restart the unbound service with service unbound restart and then check with: service unbound status whether there are any errors.

@T3rm1
Copy link
Author

T3rm1 commented Oct 27, 2024

@Aura67
That makes no sense at all to me. The documentation states:

Name of server to forward to. Is itself resolved before it is used.

The name of the server is the domain, not the IP address. And as you can see in the log, it tries so resolve the address of the domain. So that does work as written.

If forward-addr and forward-host were configured the same way, what would be the difference between them.
Also, for the Adguard DNS to work properly it is required to use the domain address, not the IP address.

@Aura67
Copy link

Aura67 commented Oct 27, 2024

it makes sense in the unbound wiki it says that you can use # @ and enter the name of the upstream server like that and I use it like that myself and my unbound resolves exactly the name that I specified.

but here the part from the wiki:

Name of server to forward to. Is itself resolved before it is used.

To use a non-default port for DNS communication append '@' with the port number.

If TLS is enabled, then you can append a '#' and a name, then it’ll check the TLS authentication certificates with that name.

If you combine the '@' and '#', the '@' comes first. If only '#' is used the default port is

@T3rm1
Copy link
Author

T3rm1 commented Oct 27, 2024

@Aura67
Sorry, but I believe you are wrong here because what you write is illogical.

The whole purpose of forward-host is that you don't need to specify an IP address. If you specify a domain, then there is also no need to use # in the config because the name of the domain for certificate validation is already specified. I believe the documentation can be improved here to make that clearer.

Thanks for trying to help but I'll wait for a member to respond here.

@sunbearc22
Copy link

sunbearc22 commented Oct 30, 2024

See info on Ad-Guard public DNS.

image

I think you used the wrong IP-address? Also, I think you have a typo in the tls domain name used in your forward-addr: attribute? I think you just need to use forward-host and not forward-addr as the former allows TLS which is what you want.

@gthess gthess self-assigned this Oct 30, 2024
@T3rm1
Copy link
Author

T3rm1 commented Oct 30, 2024

@sunbearc22
No, I didn't use a wrong ip and I don't have a typo. Maybe you misunderstood something. Did you read through the log that I posted?
You are probably in another region than I am. Of course it will show another ip for you than for me. You will get an ip of a server that is closer to you.

I understand that everyone is just trying to help but please don't just type the first thing that comes to your head.

I think you just need to use forward-host and not forward-addr

Again, you seem to misunderstand the issue. The whole issue is about using forward-host. Just look at my config. I use it and it's not working.

Let's just wait for someone from the team to respond here, please.

@Zoey2936
Copy link

I had the same Issue.
If you set the forward zone to "." and only use forward hosts (no address), then it will try to resolve its own hostname with itself, which does not work. Instead, unbound should not try to forward the hostname to itself and instead resolve it by itself (without forwarding — so use the root server etc.) or there should be an option to set an IP of a DNS server which will only be used to look up the forward-host ip.

As a workaround I created a second forward host which only matches the hostname of the dns server I want to use and set there forward-addr

@gthess
Copy link
Member

gthess commented Oct 30, 2024

Indeed, as @Zoey2936 said using -host instead of -addr may introduce a cyclic dependency in case resolving of the hostname itself relies on reaching the configured server in the first place.
I think I remember a warning about that in the manpage, but I only see one for the authority zone configuration.

@T3rm1
Copy link
Author

T3rm1 commented Oct 30, 2024

@gthess Do you think this is something that should be solved in the code so this works without the mentioned workaround?

@gthess
Copy link
Member

gthess commented Oct 30, 2024

Not sure because it would need explicit permission to bypass the configuration, as in don't forward certain queries and instead resolve yourself. The issue is about forwarding "." which is a special case by itself but it shouldn't impact generic configuration. I'll bring it up with the team if that is something we would like to change. In general the current practice if you forward the root is to specify IP addresses to avoid the chicken-egg problem.

I also don't understand the workaround because I believe it is the same as using forward-addr in the first place, unless I misread something.

@Zoey2936
Copy link

Zoey2936 commented Oct 30, 2024

my workarround looks like this:

 forward-zone:
       name: "dns.example.org"
       forward-no-cache: no
       forward-tls-upstream: yes
       forward-addr: 1.1.1.1@853#1.1.1.1
       forward-addr: 192.168.168.1@853#dns.example.org
 forward-zone:
       name: "."
       forward-no-cache: yes
       forward-tls-upstream: yes
       forward-host: dns.example.org@853#dns.example.org

I use 1.1.1.1 in the first forward-zone if I'm outside of my LAN, but I need 192.168.168.1 inside my LAN, because I block port 53/853 outgoing on udp/tcp in my LAN.
It would be nice if I there would be a fallback option, like this:

forward-zone:
       name: "."
       forward-no-cache: yes
       forward-tls-upstream: yes
       forward-host: dns.example.org@853#dns.example.org
       fallback-addr: unbound
       fallback-addr: 192.168.168.1@853#dns.example.org

so it first tries to resolve the forward-host using "default" unbound resolving using root dns server and if it fails (which it would do in my LAN) it would use 192.168.168.1@853#dns.example.org which is the dns server in my LAN (which would fail outside my LAN). And every other request would then use forward-host because unbound now knows its ip.
Maybe fallback is the wrong word, because it should only be used to lookup dns.exmaple.org and not to resolve any other domain just because dns.exmaple.org timeouts. So fallback-addr should only be used to resolve dns.example.org and nothing else

@Zoey2936
Copy link

I hope you understand what I mean. I edited my last message a bit

@gthess
Copy link
Member

gthess commented Oct 30, 2024

I understand and thanks for sharing configuration, but I think the specific forward-zone for dns.example.org is brittle since Unbound stores nameserver connection infrormation in its infrastructure cache and progressively penalizes servers that are not responsive. But I suppose you are not changing networks back and forth faster than infra-host-ttl.

@Zoey2936
Copy link

sorry, but I think I don't understand exactly what you mean

@gthess
Copy link
Member

gthess commented Oct 30, 2024

@Zoey2936, in your home network the 1.1.1.1 address does not work and Unbound eventually will note that in its infrastructure cache. If you now change networks and Unbound knows that 192.168.168.1 is the only nameserver that works for the dns.example.org delegation it will run out of options since 192.168.168.1 should not be working outside of your network.

This is however theoretical and in reality it should not happen because it all relies on the TTL of the dns.example.org A/AAAA records, how often Unbound needs to resolve those, how often the 1.1.1.1 and 192.168.168.1 nameservers need to be contacted (for that specific delegation) so that Unbound can figure out they are unresponsive, and the infra-host-ttl value which is the TTL for Unbound's infrastructure cache.

But in a more practical note, issuing unbound-control flush_infra all when changing networks is the safest approach if the new network dramatically changes the way Unbound can connect to nameservers.

Another small thing to note about the "dns.example.org" forward zone; it is used to forward all queries for that zone and anything below it.

@Zoey2936
Copy link

Thanks for the explanation!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

5 participants