Re: FreeBSD Trust Chain

From: Tim Daneliuk <tundra_at_tundraware.com>
Date: Thu, 13 Jan 2022 14:06:01 UTC
On 1/13/22 3:42 AM, Tomasz CEDRO wrote:
<SNIP>
> Do you use local_unbound? Some people (including me) recently noticed
> resolve problems with local_unbound when using local LAN dns servers
> (i.e. 192.168.0.1) on a desktop machine, when using external dns only
> for local_unbound all seems to work fine, when using that local LAN
> resolver directly without local_unbound also all seems to work fine.
> Looks a bit similar issue somewhere out there maybe? :-)
> 

Nope, we're not using local_unbound.

The machine in question is a public facing DNS server behind a
static IP on the Comcast Business network.  It also acts as a NATing
firewall to one of our LANs.

The bind instance there properly resolves queries for our zone.  But when it
is asked to look up something outside our own domain, it intermittently fails
to do so with no predictable pattern.  Adding a forwarder - either
Cloudflare's or one of our other master DNS servers not on the same
network - makes everything resolve just fine.

This configuration has been in place and working for years so we surmise
that either something got broken by a recent bind update, or Comcast is
doing evil things with DNS queries.
-- 
----------------------------------------------------------------------------
Tim Daneliuk     tundra@tundraware.com
PGP Key:         http://www.tundraware.com/PGP/
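For readers following the workaround described in the message above (pointing BIND at a forwarder instead of letting it recurse on its own), the named.conf `options` fragment below is an added illustration, not configuration from the poster or the thread. The forwarder addresses are Cloudflare's public resolvers; the second entry is a placeholder standing in for the poster's "other master DNS server", whose address the thread does not give.

```conf
options {
        // Assumed paths; adjust to the local FreeBSD layout.
        directory "/usr/local/etc/namedb/working";

        // Keep answering for our own zones, but hand every query we are
        // not authoritative for to the listed forwarders rather than
        // walking the root servers ourselves (the behaviour that was
        // failing intermittently in the message above).
        forwarders {
                1.1.1.1;                // Cloudflare public resolver
                1.0.0.1;                // Cloudflare public resolver
                192.0.2.53;             // PLACEHOLDER: our off-network master DNS
        };

        // "forward only" means: if all forwarders are unreachable, fail.
        // "forward first" would instead fall back to full recursion, which
        // hides the forwarder outage but also reintroduces the original
        // intermittent-failure path, so pick deliberately.
        forward only;

        // Only answer recursive queries for our own LAN; a public-facing
        // server that recurses for the whole internet is an open resolver.
        allow-recursion { 127.0.0.1; 192.168.0.0/16; };   // adjust to local LANs
};
```

After editing, `named-checkconf` validates the syntax before a reload, and `rndc reload` applies it. When diagnosing rather than working around the problem, comparing `dig +trace example.com` (full recursion from the roots) against `dig @1.1.1.1 example.com` from the same host over time shows whether the failures are specific to the iterative path, which is what the poster observed.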