Unbound, Apple, Reverse DNS lookup and NXDOMAIN (oh my!)

Skywise

Occasional Visitor
I've got a couple of homepod minis, some iDevices and an AppleTV and they're all making reverse dns lookup requests, apparently because of Apple's Bonjour service (which is either homekit or icloud related - I can't find a solid answer on that while googling)

But in my unbound stats I'm seeing a lot of nxdomain responses to those reverse lookups: (I've confirmed these addresses ARE apple device related)


lb._dns-sd._udp.0.0.168.192.in-addr.arpa    127.0.0.1    NXDOMAIN    470
b._dns-sd._udp.0.0.168.192.in-addr.arpa     127.0.0.1    NXDOMAIN    380
db._dns-sd._udp.0.0.168.192.in-addr.arpa    127.0.0.1    NXDOMAIN    380

Now as far as I can tell I don't THINK I'm having issues with the apple devices finding each other (though I have the occasional homekit weirdness which I'm not sure is related to this or typical Apple homekit weirdness!)

I THINK I want to have unbound relay these to the local dnsmasq/DHCP on the ASUS router to provide the proper lookup? I've tried making a few stabs at that but I'm still seeing the NXDOMAIN responses:
like -
services:
local-zone: "in-addr.arpa" redirect
local-data: "in-addr.arpa A 192.168.0.1"

But I'm still seeing NXDOMAIN for the return.
I've also seen one response via google where I should configure unbound to have these transparent?

Does anyone know how to have unbound on ASUS call down to the router's DHCP table?
Or, alternatively, do I actually need to do anything here and this is the correct behavior?



 

Jumpstarter

Senior Member
I've got a couple of homepod minis, some iDevices and an AppleTV and they're all making reverse dns lookup requests, apparently because of Apple's Bonjour service (which is either homekit or icloud related - I can't find a solid answer on that while googling)

But in my unbound stats I'm seeing a lot of nxdomain responses to those reverse lookups: (I've confirmed these addresses ARE apple device related)


lb._dns-sd._udp.0.0.168.192.in-addr.arpa    127.0.0.1    NXDOMAIN    470
b._dns-sd._udp.0.0.168.192.in-addr.arpa     127.0.0.1    NXDOMAIN    380
db._dns-sd._udp.0.0.168.192.in-addr.arpa    127.0.0.1    NXDOMAIN    380


Now as far as I can tell I don't THINK I'm having issues with the apple devices finding each other (though I have the occasional homekit weirdness which I'm not sure is related to this or typical Apple homekit weirdness!)

I THINK I want to have unbound relay these to the local dnsmasq/DHCP on the ASUS router to provide the proper lookup? I've tried making a few stabs at that but I'm still seeing the NXDOMAIN responses:
like -
services:
local-zone: "in-addr.arpa" redirect
local-data: "in-addr.arpa A 192.168.0.1"

But I'm still seeing NXDOMAIN for the return.
I've also seen one response via google where I should configure unbound to have these transparent?

Does anyone know how to have unbound on ASUS call down to the router's DHCP table?
Or, alternatively, do I actually need to do anything here and this is the correct behavior?



Is unbound listening on port 53? If not, then all you are doing is creating one big DNS loop with your arpa declaration. You would only do such a redirection if dnsmasq was providing DHCP but not providing a DNS service to clients; instead it would be handing out unbound's listen address, which must reside on port 53 for such a configuration to make sense.
 

Jumpstarter

Senior Member
Two possible scenarios.
#1
dnsmasq is forwarding requests to your unbound instance --- In this case the reverse lookup issue resides with dnsmasq and not your unbound instance.
#2
dnsmasq is serving the listening address of unbound to clients through DHCP, but unbound is unable to resolve local client lookups. --- Issue lies with unbound and no arpa configuration pointing back to dnsmasq.

In instance #2 unbound will be listening on port 53.

In instance #1 unbound will be listening on some arbitrary port other than 53.
 

Skywise

Occasional Visitor
In that case, you have issue #1. You need to resolve your local lookup crisis with your dnsmasq, not your unbound instance. Trying to do such with unbound may break all your DNS resolution.
Interesting - I've got DNSFilter set to route everything through the router - is this a UI setting for dnsmasq or something I need to resolve through the shell?
 

Jumpstarter

Senior Member
no - 953 and 53535
solution ~ remove all local arpa request information from your unbound.conf

add something like local=/168.192.in-addr.arpa/ to /jffs/configs/dnsmasq.conf.add, so dnsmasq knows not to try to forward those local requests upstream to the unbound instance, since dnsmasq is the self-proprietor of both DHCP and DNS requests.
 

Jumpstarter

Senior Member
In this case, you would want something like

####domain=lan (or home)
local=/lan/
###these two lines are just examples of what your domain could be.
local=/168.192.in-addr.arpa/


all of these can be cleverly added to your /jffs/configs/dnsmasq.conf.add; however, the top two lines can also be configured in the WebUI.
 

Skywise

Occasional Visitor
solution ~ remove all local arpa request information from your unbound.conf

add something like local=/168.192.in-addr.arpa/ to /jffs/configs/dnsmasq.conf.add, so dnsmasq knows not to try to forward those local requests upstream to the unbound instance, since dnsmasq is the self-proprietor of both DHCP and DNS requests.
Thanks - can I get by with something like local=/.in-addr.arpa/ ? I've seen a few requests to something like 1.0.0.10.in-addr.arpa (even though that's not my netspace, I think that's Apple looking for it).
 

Jumpstarter

Senior Member
Thanks - can I get by with something like local=/.in-addr.arpa/ ? I've seen a few requests to something like 1.0.0.10.in-addr.arpa (even though that's not my netspace, I think that's Apple looking for it).
you can cover all your locals then

do this,

local=/168.192.in-addr.arpa/
local=/10.in-addr.arpa/


but never

local=/.in-addr.arpa/ because that is too broad, since it treats non-local requests as local as well.
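
An added example (not from either poster) that ties together the stats rows from the first post and the local= discussion above: it decodes the reverse-lookup names back to addresses, generates the local= zones a LAN prefix needs, and models which queries a given dnsmasq.conf.add would answer itself instead of forwarding to unbound. Assumptions: the stats rows are "name, client, rcode, count" run together or space-separated; the lb/b/db._dns-sd._udp prefixes are Bonjour browse-domain queries (RFC 6763 section 11) put in front of the subnet's reverse name; and dnsmasq's local=/zone/ is modelled as a plain suffix match, which is enough to show why /.in-addr.arpa/ catches public addresses too. The sample rows for 10.0.0.1 and 8.8.8.8 are constructed.

```python
"""Reverse-lookup triage for the unbound/dnsmasq split (added example, not the thread's code)."""
import ipaddress
import re

# Constructed sample rows in the shape of the stats quoted in the thread:
# <query name><client><rcode><count>, with or without whitespace between fields.
SAMPLE_STATS = [
    "lb._dns-sd._udp.0.0.168.192.in-addr.arpa127.0.0.1NXDOMAIN470",
    "b._dns-sd._udp.0.0.168.192.in-addr.arpa 127.0.0.1 NXDOMAIN 380",
    "db._dns-sd._udp.0.0.168.192.in-addr.arpa127.0.0.1NXDOMAIN380",
    "1.0.0.10.in-addr.arpa127.0.0.1NXDOMAIN12",   # constructed, RFC 1918 address
    "8.8.8.8.in-addr.arpa127.0.0.1NOERROR3",       # constructed, public address
]

# The dnsmasq.conf.add lines quoted in the thread, and the entry the reply warns against.
LAN_CONF = [
    "dhcp-option=lan,42,192.168.0.1 # ntpMerlin",
    "local=/168.192.in-addr.arpa/",
    "local=/10.in-addr.arpa/",
]
TOO_BROAD_CONF = ["local=/.in-addr.arpa/"]

STATS_RE = re.compile(
    r"^(?P<name>\S+?\.arpa)\s*(?P<client>\d+(?:\.\d+){3})\s*"
    r"(?P<rcode>[A-Z]+)\s*(?P<count>\d+)$"
)


def reverse_name_to_ip(name):
    """Turn d.c.b.a.in-addr.arpa into IPv4Address(a.b.c.d).

    Bonjour's browse-domain queries (b, db and lb._dns-sd._udp) prepend labels
    to the reverse name of the subnet; those non-numeric labels are skipped.
    Returns None when fewer than four octets are present or the name is not
    under in-addr.arpa."""
    labels = name.lower().rstrip(".").split(".")
    if labels[-2:] != ["in-addr", "arpa"]:
        return None
    octets = []
    for label in reversed(labels[:-2]):          # walk outward from in-addr.arpa
        if label.isdigit() and int(label) <= 255:
            octets.append(label)
        else:
            break
    if len(octets) != 4:
        return None
    return ipaddress.IPv4Address(".".join(octets))


def reverse_zones_for(cidr):
    """in-addr.arpa zone names that cover a prefix, for use in local=/<zone>/.

    Octet-aligned prefixes map to one zone (10.0.0.0/8 -> 10.in-addr.arpa,
    192.168.0.0/16 -> 168.192.in-addr.arpa); others split up to the next
    octet boundary (172.16.0.0/12 -> sixteen /16 zones). Prefixes longer
    than /24 are widened to their /24, the finest unit in-addr.arpa has."""
    net = ipaddress.ip_network(cidr, strict=False)
    if net.prefixlen == 0:
        raise ValueError("a default route is not a LAN prefix")
    if net.prefixlen > 24:
        net = net.supernet(new_prefix=24)
    boundary = -(-net.prefixlen // 8) * 8            # round up to whole octets
    subs = [net] if boundary == net.prefixlen else net.subnets(new_prefix=boundary)
    zones = []
    for sub in subs:
        octets = str(sub.network_address).split(".")[: boundary // 8]
        zones.append(".".join(reversed(octets)) + ".in-addr.arpa")
    return zones


def dnsmasq_local_zones(conf_lines):
    """Collect the zones declared by local=/<zone>/ lines; other options and
    trailing comments are ignored. A leading dot (local=/.in-addr.arpa/) is
    read as the bare zone, which is exactly what makes that entry so broad."""
    zones = []
    for line in conf_lines:
        line = line.split("#", 1)[0].strip()
        m = re.fullmatch(r"local=/([^/]+)/", line)
        if m:
            zones.append(m.group(1).lower().strip("."))
    return zones


def answered_locally(name, zones):
    """Suffix model of dnsmasq's rule: a query equal to or below a local=
    zone is answered by dnsmasq and never forwarded upstream."""
    n = name.lower().rstrip(".")
    return any(n == z or n.endswith("." + z) for z in zones)


def triage(stats_lines, conf_lines):
    """For each stats row: decoded address, whether it is private, and
    whether the given config keeps the lookup on the LAN resolver."""
    zones = dnsmasq_local_zones(conf_lines)
    rows = []
    for line in stats_lines:
        m = STATS_RE.match(line.strip())
        if not m:
            continue                                 # not a reverse-lookup row
        ip = reverse_name_to_ip(m["name"])
        rows.append({
            "name": m["name"], "rcode": m["rcode"], "count": int(m["count"]),
            "ip": str(ip) if ip else None,
            "private": bool(ip is not None and ip.is_private),
            "local": answered_locally(m["name"], zones),
        })
    return rows


def leaking_private_lookups(stats_lines, conf_lines):
    """Private-address reverse lookups the config would still forward to
    unbound: the ones that need a local= entry."""
    return [r["name"] for r in triage(stats_lines, conf_lines)
            if r["private"] and not r["local"]]


if __name__ == "__main__":
    for row in triage(SAMPLE_STATS, LAN_CONF):
        print(row)
    print("still forwarded with LAN_CONF:", leaking_private_lookups(SAMPLE_STATS, LAN_CONF))
    print("forwarded with no local= lines:", leaking_private_lookups(SAMPLE_STATS, []))
    print("172.16.0.0/12 needs:", reverse_zones_for("172.16.0.0/12"))
    print("8.8.8.8 swallowed by /.in-addr.arpa/:",
          answered_locally("8.8.8.8.in-addr.arpa", dnsmasq_local_zones(TOO_BROAD_CONF)))
```

Running it against the two quoted local= lines reports nothing left to forward for the 192.168.0.0/16 and 10.0.0.0/8 rows, while the same rows with no local= lines all show up as forwarded; the broad /.in-addr.arpa/ entry makes even the 8.8.8.8 row "local", which is the problem the reply points out.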
 

Skywise

Occasional Visitor
I don't think that's working (or my config is wrong)
arpa NXDOMAIN count is still going up
lb._dns-sd._udp.0.0.168.192.in-addr.arpa    127.0.0.1    NXDOMAIN    501
dnsmasq.conf.add is

dhcp-option=lan,42,192.168.0.1 # ntpMerlin
local=/168.192.in-addr.arpa/
local=/10.in-addr.arpa/
 

Jumpstarter

Senior Member
I don't think that's working (or my config is wrong)
arpa NXDOMAIN count is still going up
lb._dns-sd._udp.0.0.168.192.in-addr.arpa    127.0.0.1    NXDOMAIN    501

dnsmasq.conf.add is

dhcp-option=lan,42,192.168.0.1 # ntpMerlin
local=/168.192.in-addr.arpa/
local=/10.in-addr.arpa/
did you remove entries from unbound and issue

service restart_dnsmasq (also restart unbound)
 

Skywise

Occasional Visitor
did you remove entries from unbound and issue

service restart_dnsmasq (also restart unbound)
I had (rebooted the router actually) - I think it was just some latent reporting on the statistics page as I'm not seeing any recent reports of failure on those domains at all this morning!
 
