Comments (7)
The Discourse topic discussion revealed that NickJLange runs two instances of unbound.
The unbound configuration as shared above looks faulty, which may have contributed to NickJLange's observation, particularly if only one of the unbound instances has been using that configuration:
root@cnamed2:~# cat /etc/unbound/unbound.conf.d/localzone-myhouse.privatedomain.com.conf
(...)
local-data: "cnamed.myhouse.privatedomain.com. IN A 192.168.1104"
local-data: "canmed.myhouse.privatedomain.com. TXT 'Cheese' "
local-data: "nodered.myhouse.privatedomain.com. CNAME cnamed.myhouse.privatedomain.com."
192.168.1104
is not a valid IP address, and canmed
seems like a twisted cnamed
.
from ftl.
I have reproduced your issue in my environment, which spurred me on to researching unbound's behaviour (see also my more detailed comment in the original Discourse issue from last week).
Your dig above requests the A record domain (cnamed
), not the CNAME domain (nodered
).
Both unbound as well as Pi-hole will answer that request with an IP.
However, unbound will answer the request for the CNAME domain (nodered
) with the CNAME record - it does not expand CNAMEs:
~ $ dig nodered.myhouse.lan @127.0.0.1 -p5335
; <<>> DiG 9.11.5-P4-5.1+deb10u8-Raspbian <<>> nodered.myhouse.lan @127.0.0.1 -p5335
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58722
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;nodered.myhouse.lan. IN A
;; ANSWER SECTION:
nodered.myhouse.lan. 3600 IN CNAME cnamed.myhouse.lan.
;; Query time: 0 msec
;; SERVER: 127.0.0.1#5335(127.0.0.1)
;; WHEN: Thu Sep 14 17:34:27 CEST 2023
;; MSG SIZE rcvd: 69
Consequently, this is the same answer that Pi-hole is giving you (of course):
~ $ dig nodered.myhouse.lan
; <<>> DiG 9.11.5-P4-5.1+deb10u8-Raspbian <<>> nodered.myhouse.lan
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57924
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;nodered.myhouse.lan. IN A
;; ANSWER SECTION:
nodered.myhouse.lan. 30 IN CNAME cnamed.myhouse.lan.
;; Query time: 1 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Sep 14 17:34:03 CEST 2023
;; MSG SIZE rcvd: 69
This is also in line with your shared log excerpts from the Discourse discussion, which prompted me to point out that
Your log output suggests that Pi-hole has received that reply from your unbound.
It is a deliberate decision of unbound maintainer's to not expand those CNAMEs (as a guard against potential malicious intents like DNS cache poisoning, if I understood those discussions correctly that I have linked above).
So overall, I don't think this can be considered to be a bug, neither in pihole-FTL nor in dnsmasq.
from ftl.
This issue has been mentioned on Pi-hole Userspace. There might be relevant details there:
from ftl.
Sorry for our first reply having taken so long. I had a quick look about two weeks ago but missed an important details: It is a dnsmasq
not a (at least not a "native") pihole-FTL
issue. Unfortunately, we won't be able to do much about it and I as much as I really hate to say "not my business", I still feel you should speak up at https://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss - especially since you already have lots of details available (esp. the unbound logs showing what is going on).
One thing you could do beforehand would be enabling the embedded pcap
packet dumping. I'll reply to you about this in the linked Discourse discussion as things can be formatted more nicely over there. I will furthermore mark this ticket as an external issue but we can still leave it open until we incorporated the fix from dnsmasq
upstream once ready.
from ftl.
It seems that -being a recursive resolver rather than an authoritative one- unbound does not expand CNAMEs from local definitions, which would prompt the behaviour you observe.
See e.g. https://lists.nlnetlabs.nl/pipermail/unbound-users/2009-March/000509.html and NLnetLabs/unbound#132
from ftl.
Thank you for your time and effort on pihole.
So that's sort of interesting - I'm using the container version of pihole. Just to make sure I'm not missing something - should FTL be logging under a different name? At any rate, I can raise an issue upstream.
I'll get a pcap over the weekend and update.
root@terraOmega-pihole:/var/log/pihole# grep -ri dnsmasq * | head -n 5
pihole.log:Sep 14 00:00:04 dnsmasq[240]: query[A] compute.googleapis.com from 192.168.100.110
pihole.log:Sep 14 00:00:04 dnsmasq[240]: forwarded compute.googleapis.com to 192.168.100.112#5335
pihole.log:Sep 14 00:00:04 dnsmasq[240]: query[AAAA] compute.googleapis.com from 192.168.100.110
pihole.log:Sep 14 00:00:04 dnsmasq[240]: forwarded compute.googleapis.com to 192.168.100.112#5335
pihole.log:Sep 14 00:00:04 dnsmasq[240]: reply compute.googleapis.com is 142.250.81.234
The Discourse topic discussion revealed that NickJLange runs two instances of unbound.
The unbound configuration as shared above looks faulty, which may have contributed to NickJLange's observation, particularly if only one of the unbound instances has been using that configuration:
root@cnamed2:~# cat /etc/unbound/unbound.conf.d/localzone-myhouse.privatedomain.com.conf
(...)
local-data: "cnamed.myhouse.privatedomain.com. IN A 192.168.1104"
local-data: "canmed.myhouse.privatedomain.com. TXT 'Cheese' "
local-data: "nodered.myhouse.privatedomain.com. CNAME cnamed.myhouse.privatedomain.com."
192.168.1104
is not a valid IP address, andcanmed
seems like a twistedcnamed
.
Alas, this was just a sanitization-typo (and a failed one at that!)
It seems that -being a recursive resolver rather than an authoritative one- unbound does not expand CNAMEs from
local definitions, which would prompt the behaviour you observe.
See e.g. https://lists.nlnetlabs.nl/pipermail/unbound-users/2009-March/000509.html and https://github.com/NLnetLabs/unbound/issues/132
This looks more promising although it doesn't explain that unbound is correctly resolving when asked directly.
from ftl.
Hi @Bucking-Horn -
Thanks for spending some time here to replicate the behaviour. I agree with the premise that this behaviour is what the unbound product chose as intended behaviour of the software. Let me close the GI issue and we can move back to Discourse.
Thank you!
from ftl.
Related Issues (20)
- Dynamic-Host on dnsmasq is broken HOT 14
- PARSE_ARP_CACHE=false should not disable network table HOT 4
- conditional forwarding with non-natural CIDR block HOT 9
- DNS over HTTPS stops working intermittently HOT 3
- pihole-FTL stops answering DNS for a while when using the "show all" option in the query log Web UI, returns broken data HOT 5
- DNS stop working randomaly HOT 2
- ABP style entries are not counted as "number" of domains HOT 7
- Exact blacklist blocks the IPv4 query, but not the IPv6 query HOT 4
- dynamic-host via tailscale resolving/returning interface IP not configured IP in conf. HOT 2
- Serverside Pagination not sending correct data for paging HOT 3
- api/info/sensors returns 404 when it shouldn't HOT 2
- DBimport false sql error HOT 21
- FTL Failing to Update HOT 12
- FTLv6 restarts on `-RTMIN` instead of only reloading the lists HOT 4
- Regression: input multiple domains in domain input field adds them as a single domain HOT 7
- pihole-FTL will not return SOA records if NXDOMAIN is cached for A records HOT 3
- FTL crashes: FATAL: verify_shmem_pid(): Failed to open shared memory object "FTL-settings": No such file or directory HOT 2
- Pi-hole forwarding requests for special-use domain home.arpa HOT 2
- v6 - Domain counts are shown, but no individual domains shown. HOT 3
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from ftl.