Outsourced Clue

Providing big company technology recommendations to the masses

Archive for the ‘unbound’ tag

Supporting “dig +trace” using an Unbound recursive/caching DNS server


dig +trace example.com is an extremely useful DNS debugging tool. It walks the delegation path from the root down, showing the referral or answer that each authoritative server along the way handed out, which helps you track down obscure delegation errors. For example, here is a dig +trace for "outsourcedclue.com":


; <<>> DiG 9.6.0-P1 <<>> +trace outsourcedclue.com
;; global options: +cmd
.			518073	IN	NS	F.ROOT-SERVERS.NET.
.			518073	IN	NS	M.ROOT-SERVERS.NET.
.			518073	IN	NS	B.ROOT-SERVERS.NET.
.			518073	IN	NS	D.ROOT-SERVERS.NET.
.			518073	IN	NS	K.ROOT-SERVERS.NET.
.			518073	IN	NS	A.ROOT-SERVERS.NET.
.			518073	IN	NS	H.ROOT-SERVERS.NET.
.			518073	IN	NS	J.ROOT-SERVERS.NET.
.			518073	IN	NS	E.ROOT-SERVERS.NET.
.			518073	IN	NS	L.ROOT-SERVERS.NET.
.			518073	IN	NS	C.ROOT-SERVERS.NET.
.			518073	IN	NS	G.ROOT-SERVERS.NET.
.			518073	IN	NS	I.ROOT-SERVERS.NET.
;; Received 512 bytes from 10.1.11.1#53(10.1.11.1) in 1 ms

com.			172800	IN	NS	I.GTLD-SERVERS.NET.
com.			172800	IN	NS	H.GTLD-SERVERS.NET.
com.			172800	IN	NS	J.GTLD-SERVERS.NET.
com.			172800	IN	NS	G.GTLD-SERVERS.NET.
com.			172800	IN	NS	F.GTLD-SERVERS.NET.
com.			172800	IN	NS	B.GTLD-SERVERS.NET.
com.			172800	IN	NS	A.GTLD-SERVERS.NET.
com.			172800	IN	NS	D.GTLD-SERVERS.NET.
com.			172800	IN	NS	L.GTLD-SERVERS.NET.
com.			172800	IN	NS	E.GTLD-SERVERS.NET.
com.			172800	IN	NS	M.GTLD-SERVERS.NET.
com.			172800	IN	NS	C.GTLD-SERVERS.NET.
com.			172800	IN	NS	K.GTLD-SERVERS.NET.
;; Received 496 bytes from 202.12.27.33#53(M.ROOT-SERVERS.NET) in 147 ms

outsourcedclue.com.	172800	IN	NS	ns1.softlayer.com.
outsourcedclue.com.	172800	IN	NS	ns2.softlayer.com.
;; Received 170 bytes from 192.35.51.30#53(F.GTLD-SERVERS.NET) in 45 ms

outsourcedclue.com.	86400	IN	A	208.43.45.4
outsourcedclue.com.	86400	IN	NS	ns2.softlayer.com.
outsourcedclue.com.	86400	IN	NS	ns1.softlayer.com.
;; Received 98 bytes from 67.228.255.5#53(ns2.softlayer.com) in 42 ms

I use Unbound as my recursive/caching DNS server of choice, and one day I noticed it didn't support "dig +trace". Distraught, I dug into why. Talking to a buddy, he suggested that perhaps Unbound wasn't allowing the non-recursive queries that +trace relies on. Digging into the documentation, I discovered the allow_snoop option of the access-control directive: the plain allow action answers only recursive queries and refuses non-recursive ones, while allow_snoop answers both. So for example, if your config file looks like this:

server:
    access-control: 0.0.0.0/0 refuse
    access-control: 127.0.0.0/8 allow
    access-control: 10.1.11.0/24 allow

change the access-control entry for the networks that need "dig +trace" from allow to allow_snoop (Unbound keeps the first entry it sees for a netblock and ignores a duplicate, so simply adding a second line for the same network would not take effect):

  access-control: 10.1.11.0/24 allow_snoop

Now you can dig +trace to your heart's content!

Written by sleach

April 13th, 2009 at 4:59 pm

Posted in DNS, Troubleshooting


Setting up Unbound Recursive/Caching DNS Server on CentOS/Redhat


UPDATE: Modified for some changes and the latest version of Unbound (this includes 1.3.0)

NOTE: If you are upgrading from a previous version, delete your *.pem files (the unbound-control certificates and keys), regenerate them with unbound-control-setup, and make sure to chown them to the unbound user/group.

There is a lot of noise out lately about the recently published DNS caching-server vulnerability (and with good reason). A lot of patching of BIND and other vulnerable resolvers has commenced. Unbound, an open source recursive/caching resolver from the NLnet Labs guys, doesn't have the problem and is a good all-around caching server. In this tutorial I will show you how to set up a reliable and secure caching server.

Unbound 1.2.1 is the latest version as of this writing (see the update note above for 1.3.0; substitute the version you download wherever 1.2.1 appears below). As with everything on Redhat/CentOS, I install packages via RPM. The Unbound tarball comes with a spec file, so let's use that (this is sort of a mini-tutorial on how to build RPMs as well). I am using yum here; substitute up2date --nox if you are using Redhat 4.

1. Install rpm-build: yum install -y rpm-build

2. Create the directory tree needed for building RPMs (I use $HOME/rpm):
mkdir -p ~/rpm/RPMS ~/rpm/SRPMS ~/rpm/SPECS ~/rpm/SOURCES ~/rpm/BUILD

3. Tell rpmbuild where to find its top-level directory:
echo "%_topdir $HOME/rpm" > $HOME/.rpmmacros

4. Download unbound into the $HOME/rpm/SOURCES directory:
cd $HOME/rpm/SOURCES && wget http://unbound.net/downloads/unbound-latest.tar.gz

5. Now we want to extract the spec file and edit it:
tar zxf unbound-latest.tar.gz && cp unbound-1.2.1/contrib/unbound.spec $HOME/rpm/SPECS && rm -rf unbound-1.2.1
Then edit the spec file and set the Version directive to 1.2.1 (the version you just extracted).

6. Let's build the RPM now; it requires flex and openssl-devel (plus the usual gcc/make toolchain) to be installed:
cd $HOME/rpm/SPECS && rpmbuild -bb unbound.spec

7. After lots of output, you should have a shiny new RPM in $HOME/rpm/RPMS/$arch, where $arch is either i386 or x86_64.

8. Now let's install it; this will also create the "unbound" user and group:
rpm -ivh unbound-1.2.1-1.i386.rpm (or unbound-1.2.1-1.x86_64.rpm)

OK, installation is done. It created a few directories and files:

  1. /var/unbound – this is the main directory for all of the files. The configuration we are going to setup is for a chroot’d instance running in this directory
  2. /etc/init.d/unbound – The startup script
  3. /etc/unbound.conf – a symlink to the main config file in /var/unbound/unbound.conf
  4. The binary files, docs etc.

Let's configure it now. There are a TON of configuration items, all documented in the unbound.conf(5) man page, but we don't need to worry about all of those now (feel free to review them later). Here is the config I am using on most of my machines:

server:
    verbosity: 1
    interface:
    interface: 127.0.0.1
    do-ip6: no
    access-control: 0.0.0.0/0 refuse
    access-control: 127.0.0.0/8 allow_snoop
    access-control: 1.2.3.0/24 allow_snoop
    chroot: /var/unbound

remote-control:
    control-enable: yes

The key items are interface and access-control. A secure recursive server is NOT open to the world, only to your internal/controlled networks: an open resolver will be found and abused, for example as a reflector for amplification attacks against third parties. So, with the access-control items, we refuse all queries by default (you can use a firewall for this too, but I chose the config items in this case). Then we allow queries from localhost (access-control: 127.0.0.0/8 allow_snoop) and from our local network (access-control: 1.2.3.0/24 allow_snoop). Nobody else can query this new recursive server. The interface option tells Unbound which IP address(es) to listen on; for example, if you run an authoritative server on this same machine, both want port 53, so each one has to be bound to its own address.

Also, allow_snoop (rather than plain allow) permits non-recursive queries, which is what dig +trace needs. The flip side is that a client covered by allow_snoop can query the cache without recursion and learn which names the resolver has already looked up, so only grant it to networks you trust; plain allow is enough for ordinary clients.
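Both posts come down to the same two questions about an access-control entry: does the resolver answer us at all, and does it answer non-recursive (RD=0) queries, which is what +trace sends? The script below is an added example, not code from these posts or from the Unbound project. It sends one query with the RD bit set and one with it clear and maps the two replies onto the actions as the unbound.conf man page documents them: refuse returns REFUSED to everything, deny silently drops the packet, allow answers recursive queries but refuses non-recursive ones, and allow_snoop answers both. The server address, the probe name and the reply bytes used in testing are assumptions; run it from a host inside the allowed netblock to confirm allow_snoop is in effect for +trace, and from a host outside it to confirm the resolver is not open.

```python
"""Probe an Unbound resolver's access-control action with raw DNS packets.

Added example, not from the original posts or the Unbound project. The
classification follows the actions documented in unbound.conf(5):
  refuse      -> REFUSED to every query
  deny        -> packet silently dropped (no reply)
  allow       -> recursive queries answered, non-recursive ones REFUSED
  allow_snoop -> both answered (what `dig +trace` needs)
"""
import socket
import struct

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def encode_name(name):
    """Wire-format a dotted name: length-prefixed labels plus a zero terminator."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name, qtype=1, rd=True, txid=0x1234):
    """One question, class IN. Bit 8 of the flags word is RD (recursion desired);
    dig +trace sends RD=0, which only allow_snoop clients may do."""
    flags = 0x0100 if rd else 0x0000
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def decode_name(data, offset):
    """Read a (possibly compressed) name; return (name, offset just after it)."""
    labels, end, hops = [], None, 0
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:                      # compression pointer
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            if end is None:
                end = offset + 2
            offset = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            break
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels) + ".", (end if end is not None else offset)


def parse_response(data):
    """Return the rcode, the interesting header flags and the answer section."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    info = {"id": txid,
            "rcode": RCODES.get(flags & 0xF, str(flags & 0xF)),
            "ra": bool(flags & 0x0080),                # recursion available
            "aa": bool(flags & 0x0400),                # authoritative answer
            "answers": []}
    offset = 12
    for _ in range(qd):                                # skip the echoed question
        _, offset = decode_name(data, offset)
        offset += 4
    for _ in range(an):
        name, offset = decode_name(data, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        rdata = data[offset:offset + rdlen]
        if rtype == 1 and rdlen == 4:                  # A record
            rdata = ".".join(str(b) for b in rdata)
        elif rtype in (2, 5):                          # NS / CNAME: a name
            rdata, _ = decode_name(data, offset)
        offset += rdlen
        info["answers"].append((name, rtype, ttl, rdata))
    return info


def classify(recursive_reply, nonrecursive_reply):
    """Map the two parsed replies (None = no reply) onto the Unbound action implied."""
    if recursive_reply is None:
        return "deny"
    if recursive_reply["rcode"] == "REFUSED":
        return "refuse"
    if nonrecursive_reply is None or nonrecursive_reply["rcode"] == "REFUSED":
        return "allow"
    return "allow_snoop"


def send_query(server, packet, timeout=3.0):
    """UDP round trip; None on timeout or ICMP unreachable (how `deny` looks from outside)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(packet, (server, 53))
        try:
            return s.recv(4096)
        except OSError:
            return None


def probe_resolver(server, name="example.com"):
    """Send an RD=1 and an RD=0 query; report the action the resolver applies to us."""
    rec = send_query(server, build_query(name, rd=True))
    nonrec = send_query(server, build_query(name, rd=False))
    rec = parse_response(rec) if rec else None
    nonrec = parse_response(nonrec) if nonrec else None
    return classify(rec, nonrec), rec, nonrec


if __name__ == "__main__":
    import sys
    server = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"   # assumption: local resolver
    action, rec, nonrec = probe_resolver(server)
    print(f"{server}: behaves like access-control <our address> {action}")
    print("  recursive reply:    ", rec)
    print("  non-recursive reply:", nonrec)
```

A non-Unbound resolver may signal the same policy differently (BIND, for instance, can answer RD=0 queries from cache even for clients that are not allowed recursion), so treat the action names as Unbound's; the raw rcode and flags are printed alongside for that reason.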

Let's fire this bad boy up (first verify the config file; run all of these as root), generate the unbound-control certificates, and set it to run at boot:
root# cd /var/unbound && unbound-checkconf unbound.conf
unbound-checkconf: no errors in unbound.conf
root# unbound-control-setup
root# chkconfig unbound on
root# /etc/init.d/unbound start

We should be all good to go now, let’s test it:
dig google.com @localhost

You should get the records for google.com back. If it didn't work, check /var/log/messages; it shows whether unbound started properly or not. Good luck!

Written by sleach

July 19th, 2008 at 1:13 pm

Posted in DNS, Security
