# local-unbound cannot query LAN resolver



## nulloranje (Aug 26, 2020)

I'm running a new installation of 12.1-RELEASE and enabled local-unbound.  The service works well, except I cannot query machines through the local-unbound to the resolver running elsewhere on my network.  Those queries return SERVFAIL.

I'm running the configuration as it comes from the installer.  My unbound.conf, forward.conf, and lan-zones seem correct:

```
> cat unbound.conf
# This file was generated by local-unbound-setup.
# Modifications will be overwritten.
server:
    username: unbound
    directory: /var/unbound
    chroot: /var/unbound
    pidfile: /var/run/local_unbound.pid
    auto-trust-anchor-file: /var/unbound/root.key
    # Setup logging
    verbosity: 3
    logfile: /var/unbound/unbound.log
    log-queries: yes

include: /var/unbound/forward.conf
include: /var/unbound/lan-zones.conf
include: /var/unbound/control.conf
include: /var/unbound/conf.d/*.conf


> cat lan-zones.conf
# This file was generated by local-unbound-setup.
# Modifications will be overwritten.
server:
    # Unblock reverse lookups for LAN addresses
    unblock-lan-zones: yes
    insecure-lan-zones: yes


> cat forward.conf
# Generated by resolvconf

forward-zone:
    name: "lan"
    forward-addr: 10.0.32.1

forward-zone:
    name: "."
    forward-addr: 10.0.32.1
    forward-addr: fd46:520f:9320::1
```

And I can query the resolver directly:

```
> host artemis.lan 10.0.32.1
Using domain server:
Name: 10.0.32.1
Address: 10.0.32.1#53
Aliases:

artemis.lan has address 10.0.32.187
```

But something is getting lost along the way:

```
[1598424534] local-unbound[64844:0] info: 127.0.0.1 artemis.lan. A IN
[1598424534] local-unbound[64844:0] debug: validator[module 0] operate: extstate:module_state_initial event:module_event_new
[1598424534] local-unbound[64844:0] info: validator operate: query artemis.lan. A IN
[1598424534] local-unbound[64844:0] debug: iterator[module 1] operate: extstate:module_state_initial event:module_event_pass
[1598424534] local-unbound[64844:0] info: resolving artemis.lan. A IN
[1598424534] local-unbound[64844:0] info: processQueryTargets: artemis.lan. A IN
[1598424534] local-unbound[64844:0] info: sending query: artemis.lan. A IN
[1598424534] local-unbound[64844:0] debug: sending to target: <lan.> 10.0.32.1#53
[1598424534] local-unbound[64844:0] debug: cache memory msg=69864 rrset=75014 infra=8559 val=71327
[1598424534] local-unbound[64844:0] debug: iterator[module 1] operate: extstate:module_wait_reply event:module_event_reply
[1598424534] local-unbound[64844:0] info: iterator operate: query artemis.lan. A IN
[1598424534] local-unbound[64844:0] info: response for artemis.lan. A IN
[1598424534] local-unbound[64844:0] info: reply from <lan.> 10.0.32.1#53
[1598424534] local-unbound[64844:0] info: query response was ANSWER
[1598424534] local-unbound[64844:0] info: finishing processing for artemis.lan. A IN
[1598424534] local-unbound[64844:0] debug: validator[module 0] operate: extstate:module_wait_module event:module_event_moddone
[1598424534] local-unbound[64844:0] info: validator operate: query artemis.lan. A IN
[1598424534] local-unbound[64844:0] debug: cache memory msg=69864 rrset=75014 infra=8559 val=71327
[1598424534] local-unbound[64844:0] info: 127.0.0.1 artemis.lan.lan. A IN
```

I do occassionally see a message saying `[1598422075] local-unbound[64844:0] info: Could not establish a chain of trust to keys for lan. DNSKEY IN`.  My understanding is that setting `unblock-lan-zones` and `insecure-lan-zones` to `yes` would avoid DNSSEC issues on the local network.

Any ideas what's going wrong?


----------



## ekvz (Aug 26, 2020)

No, not really, sorry. I have unbound running on my router but all I remember about it is that it annoyed me when I was setting it up. What I am doing here is stick dnsmasq in front of unbound (this might or might not be a silly configuration). If that is an option for you and unbound works locally chances are dnsmasq would allow it to be reached from your network.


----------



## nulloranje (Aug 26, 2020)

That's a bit disappointing.  So am I not understanding the `insecure-lan-zones` directive correctly?


----------



## ekvz (Aug 26, 2020)

nulloranje said:


> That's a bit disappointing.  So am I not understanding the `insecure-lan-zones` directive correctly?



Don't get me wrong, it's not like i even tried making unbound reachable from outside. It's not a workaround in that sense. It's just what works for me.


----------

