Unbound, Apple, Reverse DNS lookup and NXDOMAIN (oh my!)

Skywise

Occasional Visitor
I've got a couple of HomePod minis, some iDevices and an Apple TV, and they're all making reverse DNS lookup requests, apparently because of Apple's Bonjour service (which is either HomeKit or iCloud related; I can't find a solid answer on that while Googling).

But in my unbound stats I'm seeing a lot of NXDOMAIN responses to those reverse lookups (I've confirmed these addresses ARE Apple device related):


lb._dns-sd._udp.0.0.168.192.in-addr.arpa   127.0.0.1   NXDOMAIN   470
b._dns-sd._udp.0.0.168.192.in-addr.arpa    127.0.0.1   NXDOMAIN   380
db._dns-sd._udp.0.0.168.192.in-addr.arpa   127.0.0.1   NXDOMAIN   380

Now as far as I can tell I don't THINK I'm having issues with the apple devices finding each other (though I have the occasional homekit weirdness which I'm not sure is related to this or typical Apple homekit weirdness!)

I THINK I want to have unbound relay these to the local dnsmasq/DHCP on the ASUS router to provide the proper lookup? I've tried making a few stabs at that but I'm still seeing the NXDOMAIN responses:
like -
services:
local-zone: "in-addr.arpa" redirect
local-data: "in-addr.arpa A 192.168.0.1"

But I'm still seeing NXDOMAIN for the return.
I've also seen one response via google where I should configure unbound to have these transparent?

Does anyone know how to have unbound on ASUS call down to the router's DHCP table?
Or, alternatively, do I actually need to do anything here, and is this the correct behavior?

 
Is unbound listening on port 53? If not, then all you are doing is creating one big DNS loop with your arpa declaration. You would only do such a redirection if dnsmasq was providing DHCP but not providing a DNS service to clients; instead it would be handing out unbound's listen address, which must reside on port 53 for such a configuration to make sense.
 
Two possible scenarios.
#1
dnsmasq is forwarding requests to your unbound instance --- In this case the reverse lookup issue resides with dnsmasq and not your unbound instance.
#2
dnsmasq is serving the listening address of unbound to clients through DHCP, but unbound is unable to resolve local client lookups ---- The issue lies with unbound, with no arpa configuration pointing back to dnsmasq.

In instance #2 unbound will be listening on port 53

In instance #1 unbound will be listening on some arbitrary port other than 53.
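The two scenarios above can be told apart mechanically from unbound.conf. The script below is an added example, not code from the thread or from any router package: it reads an unbound.conf on stdin, takes the reply's premise that a listen port other than 53 means dnsmasq is forwarding to unbound, and reports whether an in-addr.arpa redirect back to the router would loop. The sample configs are constructed; the first mirrors the redirect from the original post.

```shell
#!/bin/sh
# Added example (not from the thread). Classify an unbound.conf read on stdin:
#   forwarded  - unbound is not on port 53, so dnsmasq forwards to it (scenario #1)
#   direct     - unbound is on port 53 and clients reach it (scenario #2)
# and whether a "local-zone: ... in-addr.arpa redirect" would send reverse
# lookups back through dnsmasq and around again (arpa-loop).
classify_unbound() {
    awk '
        BEGIN { redirects = 0 }
        { sub(/#.*/, ""); gsub(/^[ \t]+|[ \t]+$/, "") }   # drop comments, trim
        $1 == "port:" { port = $2 }
        $1 == "local-zone:" && $2 ~ /in-addr\.arpa"?$/ && $3 == "redirect" { redirects++ }
        END {
            if (port == "") port = 53                      # unbound default
            mode = (port == 53) ? "direct" : "forwarded"
            if (redirects == 0)        verdict = "ok"
            else if (mode == "direct") verdict = "arpa-redirect"
            else                       verdict = "arpa-loop"
            print mode ":" verdict
        }'
}

# Constructed samples, not real router output. 53535 is an assumed non-53 port.
SAMPLE_LOOP='server:
    port: 53535
    local-zone: "in-addr.arpa" redirect
    local-data: "in-addr.arpa A 192.168.0.1"'
SAMPLE_FORWARDED_OK='server:
    port: 53535
    interface: 127.0.0.1'
SAMPLE_DIRECT_REDIRECT='server:
    interface: 0.0.0.0
    local-zone: "168.192.in-addr.arpa" redirect
    local-data: "168.192.in-addr.arpa A 192.168.0.1"'

for s in "$SAMPLE_LOOP" "$SAMPLE_FORWARDED_OK" "$SAMPLE_DIRECT_REDIRECT"; do
    printf '%s\n' "$s" | classify_unbound
done
```

On the router you would run it as `classify_unbound < /opt/var/lib/unbound/unbound.conf` (path assumed; use wherever your unbound.conf actually lives). A `forwarded:arpa-loop` verdict is the configuration the reply warns about.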
 
In that case, you have issue #1. You need to resolve your local lookup crisis with your dnsmasq, not your unbound instance. Trying to do so with unbound may break all your DNS resolution.
Interesting - I've got DNSFilter set to route everything through the router - is this a UI setting for dnsmasq or something I need to resolve through the shell?
 
no - 953 and 53535
solution ~ remove all local arpa request information from your unbound.conf

add something like local=/168.192.in-addr.arpa/ to /jffs/configs/dnsmasq.conf.add, so dnsmasq knows not to try to forward those local requests upstream to the unbound instance, since dnsmasq is the sole proprietor of both DHCP and DNS requests.
 
In this case, you would want something like

####domain=lan (or home)
local=/lan/
###these two lines are just examples of what your domain could be.
local=/168.192.in-addr.arpa/


All of these can be cleverly added to your /jffs/configs/dnsmasq.conf.add; however, the top two lines can also be configured in the WebUI.
 
Thanks - can I get by with something like local=/.in-addr.arpa/ ? I've seen a few requests to something like 1.0.0.10.in-addr.arpa (even though that's not my netspace, I think that's Apple looking for it).
 
You can cover all your locals then.

do this,

local=/168.192.in-addr.arpa/
local=/10.in-addr.arpa/


but never

local=/.in-addr.arpa/ because that is too broad, since it treats non-local requests as local as well.
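To produce the right local= lines for any private range without drifting into the too-broad /.in-addr.arpa/ form, here is an added example (not from the thread, and not dnsmasq's own tooling). It derives the in-addr.arpa zones from a CIDR, cutting at octet boundaries so that 192.168.0.0/16 and 10.0.0.0/8 give the two lines above and 172.16.0.0/12 gives its sixteen /16 zones, and it lints an existing dnsmasq.conf.add for the overly broad pattern. The sample config is constructed from the lines posted in this thread plus the bad line.

```shell
#!/bin/sh
# Added example, not from the thread. Generates dnsmasq "local=" reverse zones
# from a CIDR and lints a dnsmasq.conf.add for the too-broad /.in-addr.arpa/.

# Print one local=/...in-addr.arpa/ line per reverse zone covering CIDR.
# Zones are cut at /8, /16 or /24, so a /12 yields sixteen /16 zones and any
# prefix longer than /24 is covered by (and slightly over-matched by) its /24.
rev_zone_lines() {
    cidr=$1
    ip=${cidr%/*}
    plen=${cidr#*/}
    [ "$ip" != "$cidr" ] || { echo "bad cidr: $cidr" >&2; return 1; }
    case $plen in ''|*[!0-9]*) echo "bad cidr: $cidr" >&2; return 1 ;; esac
    case $ip in ''|*[!0-9.]*) echo "bad cidr: $cidr" >&2; return 1 ;; esac
    if [ "$plen" -lt 8 ] || [ "$plen" -gt 32 ]; then
        # Shorter than /8 is effectively the /.in-addr.arpa/ case: non-local
        # space answered as local. Refuse rather than generate it.
        echo "refusing $cidr: shorter than /8 treats non-local space as local" >&2
        return 1
    fi
    o1=${ip%%.*}; rest=${ip#*.}
    o2=${rest%%.*}; rest=${rest#*.}
    o3=${rest%%.*}
    # octet boundary at which the zones are cut
    if [ "$plen" -le 8 ]; then g=8; elif [ "$plen" -le 16 ]; then g=16; else g=24; fi
    # number of zones at that boundary, and which octet varies across them
    if [ "$plen" -ge "$g" ]; then count=1; else count=$(( 1 << (g - plen) )); fi
    case $g in
        8)  var=$o1; suffix="" ;;
        16) var=$o2; suffix=".$o1" ;;
        24) var=$o3; suffix=".$o2.$o1" ;;
    esac
    base=$(( var & ~(count - 1) & 255 ))   # network value of the varying octet
    i=0
    while [ "$i" -lt "$count" ]; do
        echo "local=/$(( base + i ))${suffix}.in-addr.arpa/"
        i=$(( i + 1 ))
    done
}

# Lint local= lines from a dnsmasq config on stdin; exit non-zero if any is
# too broad (the warning above: /.in-addr.arpa/ makes every reverse lookup local).
check_local_lines() {
    rc=0
    while IFS= read -r line; do
        case $line in
            local=/.in-addr.arpa/|local=/in-addr.arpa/|local=/arpa/|local=//)
                echo "TOO BROAD: $line"; rc=1 ;;
            local=/*.in-addr.arpa/) echo "ok: $line" ;;
            local=/*/)              echo "ok (forward zone): $line" ;;
        esac
    done
    return $rc
}

# Constructed sample: the dnsmasq.conf.add posted in this thread plus the bad line.
SAMPLE_CONF='dhcp-option=lan,42,192.168.0.1 # ntpMerlin
local=/168.192.in-addr.arpa/
local=/10.in-addr.arpa/
local=/.in-addr.arpa/'

for net in 192.168.0.0/16 10.0.0.0/8 172.16.0.0/12; do rev_zone_lines "$net"; done
printf '%s\n' "$SAMPLE_CONF" | check_local_lines || echo "fix dnsmasq.conf.add before service restart_dnsmasq"
```

Only list the ranges you actually use; each local= line tells dnsmasq to answer that reverse zone itself instead of forwarding it to unbound, so a line for 10.in-addr.arpa on a network that has no 10.x hosts simply turns those lookups into local NXDOMAINs.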
 
I don't think that's working (or my config is wrong)
arpa NXDOMAIN count is still going up
lb._dns-sd._udp.0.0.168.192.in-addr.arpa   127.0.0.1   NXDOMAIN   501
dnsmasq.conf.add is

dhcp-option=lan,42,192.168.0.1 # ntpMerlin
local=/168.192.in-addr.arpa/
local=/10.in-addr.arpa/
 
Did you remove the entries from unbound and issue

service restart_dnsmasq (also restart unbound)
 
I had (rebooted the router actually) - I think it was just some latent reporting on the statistics page as I'm not seeing any recent reports of failure on those domains at all this morning!
 