On Sun, Jun 29, 2014 at 03:28:26PM +0400, Dmitry Morozovsky wrote:
> Dear colleagues,
>
> after upgrading my home file server to stable/10 I found that, after turning on
> local unbound, reverse DNS queries for my RFC1918 zone stop working:
>
> root@hamster:/# host 192.168.33.1
> 1.33.168.192.in-addr.arpa domain name pointer jennie.wpub.woozle.net.
> root@hamster:/# host 192.168.33.1 127.1
> Using domain server:
> Name: 127.1
> Address: 127.0.0.1#53
> Aliases:
>
> Host 1.33.168.192.in-addr.arpa not found: 3(NXDOMAIN)
>
> Moreover, turning on unbound verbosity, I do not actually see the right queries in
> the outgoing interface:
>
> root@hamster:/# tcpdump -nvvilo0 port 53
> tcpdump: listening on lo0, link-type NULL (BSD loopback), capture size 65535 bytes
> 15:18:39.304353 IP (tos 0x0, ttl 64, id 4862, offset 0, flags [none], proto UDP (17), length 71, bad cksum 0 (->69a6)!)
> 127.0.0.1.13508 > 127.0.0.1.53: [bad udp cksum 0xfe46 -> 0xaf70!] 52525+ PTR? 1.33.168.192.in-addr.arpa. (43)
> 15:18:39.304400 IP (tos 0x0, ttl 64, id 4863, offset 0, flags [none], proto UDP (17), length 130, bad cksum 0 (->696a)!)
> 127.0.0.1.53 > 127.0.0.1.13508: [bad udp cksum 0xfe81 -> 0x0ce5!] 52525 NXDomain* q: PTR? 1.33.168.192.in-addr.arpa. 0/1/0 ns: 168.192.in-addr.arpa. SOA localhost. nobody.invalid. 1 3600 1200 604800 10800 (102)
>
> and no query to the forward server.
>
> Configs are standard, generated by the unbound setup script:
>
> ==> /var/unbound/forward.conf <==
> # Generated by local-unbound-setup
> forward-zone:
>     name: .
>     forward-addr: 192.168.33.2
>
> ==> /var/unbound/unbound.conf <==
> # Generated by local-unbound-setup
> server:
>     username: unbound
>     directory: /var/unbound
>     chroot: /var/unbound
>     pidfile: /var/run/local_unbound.pid
>     auto-trust-anchor-file: /var/unbound/root.key
>
> include: /var/unbound/forward.conf
>
> Any hints? Or did I miss something trivial?

I think, yes, you are supposed to spend an hour reading the unbound.conf
man page, without skipping a single config option. Otherwise,
making unbound(8) work as a local caching resolver for the private
network is impossible. The 'log-queries' and 'verbosity' options would
allow you to see what is going on.

For the fake home. TLD and the 192.168/16 network, I have to tell
unbound that the zones are not signed, and that it is fine to forward
RFC1918 addresses to the upstream.

I use the following magic (for upstream forwarder 192.168.102.80).
No idea if this could be simplified.

domain-insecure: "home."
domain-insecure: "168.192.in-addr.arpa."
private-domain: "home."
local-zone: "168.192.in-addr.arpa." transparent
stub-zone:
    name: "168.192.in-addr.arpa."
    stub-addr: 192.168.102.80