Bug 196138

Summary: Unbound fails with 2(SERVFAIL) when behind NAT
Product: Base System Reporter: rsimmons0
Component: binAssignee: Dag-Erling Smørgrav <des>
Status: Closed Works As Intended    
Severity: Affects Only Me CC: christop, des
Priority: ---    
Version: 10.1-RELEASE   
Hardware: amd64   
OS: Any   
See Also: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=198383

Description rsimmons0 2014-12-19 17:47:39 UTC 
I have tried this two different ways, one with my home router's DNS (192.168.1.1), local_unbound fails. I also tried to set the default DNS server to 8.8.8.8 which I know I can connect to, but local_unbound fails there as well. Here is the output for setup that I followed. This is a fresh 10.1 install with freebsd-update already run.

# host google.com
google.com has address 64.233.171.139
google.com has address 64.233.171.113
google.com has address 64.233.171.138
google.com has address 64.233.171.100
google.com has address 64.233.171.101
google.com has address 64.233.171.102
google.com has IPv6 address 2607:f8b0:400d:c04::71
google.com mail is handled by 50 alt4.aspmx.l.google.com.
google.com mail is handled by 20 alt1.aspmx.l.google.com.
google.com mail is handled by 10 aspmx.l.google.com.
google.com mail is handled by 30 alt2.aspmx.l.google.com.
google.com mail is handled by 40 alt3.aspmx.l.google.com.
# cat /etc/resolv.conf
# Generated by resolvconf
search home
nameserver 8.8.8.8
# service local_unbound status
local_unbound is running as pid 389.
# service local_unbound setup
Performing initial setup.
Extracting forwarders from /etc/resolv.conf.
original /var/unbound/forward.conf saved as /var/unbound/forward.conf.20141219.174215
/var/unbound/lan-zones.conf not modified
/var/unbound/unbound.conf not modified
/etc/resolvconf.conf not modified
original /etc/resolv.conf saved as /etc/resolv.conf.20141219.174215
# cat /etc/resolv.conf
# Generated by resolvconf
search home
# nameserver 8.8.8.8
nameserver 127.0.0.1
options edns0
# host google.com
Host google.com not found: 2(SERVFAIL)
# ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8): 56 data bytes
64 bytes from 8.8.8.8: icmp_seq=0 ttl=247 time=17.438 ms
64 bytes from 8.8.8.8: icmp_seq=1 ttl=247 time=28.465 ms
^C
--- 8.8.8.8 ping statistics ---
2 packets transmitted, 2 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 17.438/22.951/28.465/5.513 ms
Comment 1 christop 2015-02-19 17:20:40 UTC 
I am using the local_unbound behind a NAT either and it works for me, when I disable DNSSEC in the local unbound.

At least Google does not support DNSSEC:
drill -D -S google.com @8.8.8.8
;; Number of trusted keys: 1
;; Chasing: google.com. A


DNSSEC Trust tree:
<no data>
No trusted keys found in tree: first error was: No DNSSEC public key(s)
;; Chase failed.

To disable DNSSEC for the local unbound you should add
val-permissive-mode: yes
to your local unbound.conf.

Does this fix your issue?
Comment 2 Glen Barber freebsd_committer freebsd_triage 2015-07-08 13:27:25 UTC 
Can you please test 10.2-PRERELEASE to confirm if this is still an issue?

Unbound has (recently) been updated to version 1.3.5 in 10.x.
Comment 3 christop 2015-07-25 14:11:33 UTC 
Yes and no.
No, because the default installation fails.
I booted FreeBSD-10.2-PRERELEASE-amd64-20150704-r285132-bootonly.iso and made an network install. Unbound is of version 1.4.22.

I do not think this a problem with the unbound software, but with the unbound configuration or DNSSEC in general.
In the default configuration with dnssec unbound tries to get the DNSSEC public keys from the upstream nameserver, but the upstram nameserver does not deliver.
Without public keys unbound cannot do validate the domain and fails.
This behaviour is correct, because otherwise any attacker could disable DNSSEC.

Yes, when I edit my /etc/resolv.conf

root@freebsd:~ # cat /etc/resolv.conf
search home
nameserver 8.8.8.8
options edns

and run

root@freebsd:~ # /etc/rc.d/local_unbound setup
Performing initial setup.
Extracting forwarders from /etc/resolv.conf.
original /var/unbound/forward.conf saved as /var/unbound/forward.conf.20150725.174438
/var/unbound/lan-zones.conf not modified
/var/unbound/unbound.conf not modified
/etc/resolvconf.conf not modified
original /etc/resolv.conf saved as /etc/resolv.conf.20150725.174438

and then unbound config looks like

root@freebsd:~ # cat /etc/unbound/forward.conf
# Generated by local-unbound-setup
# Do not edit this file.
forward-zone:
        name: .
        forward-addr: 8.8.8.8

After an restart of unbound 
root@freebsd:~ # /etc/rc.d/local_unbound restart

unbound resolves hosts:

root@freebsd:~ # host google.com
google.com has address 216.58.213.46
google.com has IPv6 address 2a00:1450:4008:800::1007
google.com mail is handled by 10 aspmx.l.google.com.
google.com mail is handled by 40 alt3.aspmx.l.google.com.
google.com mail is handled by 20 alt1.aspmx.l.google.com.
google.com mail is handled by 30 alt2.aspmx.l.google.com.
google.com mail is handled by 50 alt4.aspmx.l.google.com.

When you are using DHCP, it will overwrite /etc/resolv.conf and unbound will be back to use the DHCP provided DNS Server.

In short:
Correctly configured Unbound works for me. Default configuration does not work.
DNSSEC by design does not work with forward nameserver, which does not answer for public DNSSEC keys. This should be mentioned somewhere explicitly, because in my opinion the most SOHO devices do not run a DNSSEC aware DNS Server.
Comment 4 Dag-Erling Smørgrav freebsd_committer freebsd_triage 2015-10-14 18:16:21 UTC 
Add

local_unbound_forwarders="8.8.8.8"

to /etc/rc.conf and re-run 'service local_unbound setup' to prevent DHCP from switching back.