This looks good, and I'm able to successfully forward standard dns to my router with sudo ./hnsd -p 4 -r 127.0.0.1:53 --upstream 192.168.1.1 and I know that's working since I'm able to resolve local dhcp hostnames through it, though I don't seem to be able to resolve hns domains when --upstream is in use. This part looks related: redirecting lookup to fallback for: www.welcome.nb.:

dig A @127.0.0.1 www.welcome.nb

; <<>> DiG 9.16.12 <<>> A @127.0.0.1 www.welcome.nb
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 3922
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.welcome.nb.			IN	A

;; AUTHORITY SECTION:
.			1797	IN	SOA	a.root-servers.net. nstld.verisign-grs.com. 2021031703 1800 900 604800 86400

;; Query time: 416 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Mar 17 23:34:12 EDT 2021
;; MSG SIZE  rcvd: 118

hnsd output:

rs: query
rs:   id=3922
rs:   labels=3
rs:   name=www.welcome.nb.
rs:   type=1
rs:   class=1
rs:   edns=1
rs:   dnssec=0
rs:   tld=nb
rs:   addr=127.0.0.1:58873
rs_worker: request 15: www.welcome.nb.
ns: query
ns:   id=44869
ns:   labels=1
ns:   name=nb.
ns:   type=1
ns:   class=1
ns:   edns=1
ns:   dnssec=1
ns:   tld=nb
ns:   addr=127.0.0.1:22606
pool: sending proof request for: nb.
chain (59467): using safe height of 59467 for resolution
peer 1 (173.255.209.126:44806): sending proof request for: nb.
ns: query
ns:   id=14919
ns:   labels=1
ns:   name=nb.
ns:   type=1
ns:   class=1
ns:   edns=1
ns:   dnssec=1
ns:   tld=nb
ns:   addr=127.0.0.1:38525
pool: sending proof request for: nb.
chain (59467): using safe height of 59467 for resolution
peer 1 (173.255.209.126:44806): already requesting proof for: nb.
ns: query
ns:   id=40762
ns:   labels=1
ns:   name=nb.
ns:   type=1
ns:   class=1
ns:   edns=1
ns:   dnssec=1
ns:   tld=nb
ns:   addr=127.0.0.1:60755
pool: sending proof request for: nb.
chain (59467): using safe height of 59467 for resolution
peer 1 (173.255.209.126:44806): already requesting proof for: nb.
peer 1 (173.255.209.126:44806): received proof: b92ad996982b44fbea27d833c52e3fb0d6192d63835a13c61dfeb0126e2ee2ef
peer 1 (173.255.209.126:44806): received proof for: nb
ns: sending msg (40762)
ns: sending msg (14919)
ns: sending msg (44869)
ns: query
ns:   id=53376
ns:   labels=2
ns:   name=ns1.nb.
ns:   type=28
ns:   class=1
ns:   edns=1
ns:   dnssec=1
ns:   tld=nb
ns:   addr=127.0.0.1:18811
pool: sending proof request for: nb.
chain (59467): using safe height of 59467 for resolution
peer 1 (173.255.209.126:44806): sending proof request for: nb.
ns: query
ns:   id=34138
ns:   labels=2
ns:   name=ns1.nb.
ns:   type=28
ns:   class=1
ns:   edns=1
ns:   dnssec=1
ns:   tld=nb
ns:   addr=127.0.0.1:13838
pool: sending proof request for: nb.
chain (59467): using safe height of 59467 for resolution
peer 0 (139.162.183.168:44806): sending proof request for: nb.
ns: query
ns:   id=49908
ns:   labels=2
ns:   name=ns1.nb.
ns:   type=28
ns:   class=1
ns:   edns=1
ns:   dnssec=1
ns:   tld=nb
ns:   addr=127.0.0.1:5698
pool: sending proof request for: nb.
chain (59467): using safe height of 59467 for resolution
peer 1 (173.255.209.126:44806): already requesting proof for: nb.
peer 1 (173.255.209.126:44806): received proof: b92ad996982b44fbea27d833c52e3fb0d6192d63835a13c61dfeb0126e2ee2ef
peer 1 (173.255.209.126:44806): received proof for: nb
ns: sending msg (49908)
ns: sending msg (53376)
ns: query
ns:   id=2273
ns:   labels=1
ns:   name=nb.
ns:   type=1
ns:   class=1
ns:   edns=1
ns:   dnssec=1
ns:   tld=nb
ns:   addr=127.0.0.1:26623
cache: cache hit for: nb.
ns: sending cached msg (2273): 174
ns: query
ns:   id=31046
ns:   labels=1
ns:   name=nb.
ns:   type=1
ns:   class=1
ns:   edns=1
ns:   dnssec=1
ns:   tld=nb
ns:   addr=127.0.0.1:18842
cache: cache hit for: nb.
ns: sending cached msg (31046): 174
rs: received answer for: www.welcome.nb.
rs: redirecting lookup to fallback for: www.welcome.nb.
rs_worker: request 15: www.welcome.nb.
rs: received answer for: www.welcome.nb.
rs:   rcode: 3
rs:   havedata: 0
rs:   nxdomain: 1
rs:   secure: 0
rs:   bogus: 0
peer 0 (139.162.183.168:44806): received proof: b92ad996982b44fbea27d833c52e3fb0d6192d63835a13c61dfeb0126e2ee2ef
peer 0 (139.162.183.168:44806): received proof for: nb
ns: sending msg (34138)
peer 0 (139.162.183.168:44806): unknown command: 6
peer 1 (173.255.209.126:44806): unknown command: 6

Edit: This may be unrelated to this patch, and I think this is the same problem from before that I never figured out. I can reproduce it on home internet as well as mobile tethering (though the output looks different) so maybe I should open a separate issue for this.

;; QUESTION SECTION:
;www.welcome.nb.			IN	A

;; AUTHORITY SECTION:
nb.			3600	IN	SOA	a.misconfigured.powerdns.server. hostmaster.nb. 2021030901 10800 3600 604800 3600

cache: cache hit for: nb.
ns: sending cached msg (61351): 174
rs: received answer for: www.welcome.nb.
rs:   rcode: 3
rs:   havedata: 0
rs:   nxdomain: 1
rs:   secure: 0
rs:   bogus: 1
rs:   why_bogus: validation failure <www.welcome.nb. A IN>: no DNSSEC records from 44.231.6.183 for DS nb. while building chain of trust
peer 2 (74.207.247.120:44806): unknown command: 6

I was able to resolve welcome.nb with this patch (without the www. which doesn't exist) but it highlights a big problem in this design, names are getting redirected wrong. In particular I'm noticing that names that delegate to ICANN names via NS are failing.

For example, the HNS name 3b has NS ns1.buffrr.dev which is an ICANN domain. For some reason when unbound tries to lookup .dev in the recursive process, the name that gets forwarded to the upstream server is 3b (not dev) -- so this will take some fine tuning.

HNS names that resolve directly without delegating to ICANN are working on this branch though, you can try proofofconcept for one.

Great welcome.nb works when tethered to my phone so on normal networks it works as intended.

I think I figured out definitively that my router's port 53 outbound redirect is messing up hnsd, anytime that rule is active on my router, hns resolution seems to be broken. I'll put the details in a new issue since I have it reproducible now.

does your router allow any recursive dns traffic? Because even if the root resolution is done internally, the recursive resolver will still need to make requests to port 53 on all the authoritative nameservers for each zone it needs to query

Ah I didn't realize that, the rule that everyone typically uses for redirecting chromecast to pihole involves redirecting all outbound udp traffic on port 53 to the pihole. Wouldn't this mean that hns resolution itself would not work on a hostile network that tampers with traffic on port 53? Is there any way to make the recursive resolver use the upstream setting for authoritative queries? I'm not sure how that works so maybe that doesn't make sense.

Wouldn't this mean that hns resolution itself would not work on a hostile network that tampers with traffic on port 53?

Correct, in my hotel last week I experienced this and had to use a VPN to get any kind of local-recursive DNS resolution to work. I still think this is a useful option to add to hnsd since the hard-coded root zone may be out of date. And I think pi-hole should still work in this configuration, but I'm not entirely sure how pihole works.

Yeah definitely useful regardless. I can set my --upstream to my pihole and that works as well, doubleclick.net resolves to 0.0.0.0. The only issue is my catchall rule, which I admit is a bit niche. But on the other hand, handling not having access to recursive resolving abilities, including a case where the clearnet is completely inaccessible, would solve the use case of using hns on an isolated intranet or mesh network where clearnet access isn't available at all, I think I mentioned before we have mesh nodes that may have spotty clearnet access, but could potentially connect to other hns peers who do have clearnet access over the mesh. So being able to resolve hns domains when only the hns network is accessible would be a nice to have.

Regardless, this is a good step towards enabling hnsd on a wider variety of configurations.

So, unfortunately I think I need cut bait on this one for now and come back to it later, it may require a much bigger refactor or actually patching up libunbound to bend to our will. Here's what I learned:

• The upstream fallback recursive resolver must be called by the root server. Why? Because of the situation where an HNS name may have an ICANN name delegated as its NS:

request: google.com
-> root server rejects
-> query forwarded upstream to 1.1.1.1
-> no problem, resolved

request: proofofconcept
-> root server gets NS+glue from HNS root zone
-> no problem, resolved

request: rough
-> root server gets NS a.dns.park.io from HNS root zone
-> recursive asks root again for io
-> root server rejects
-> query for io forwarded upstream to 1.1.1.1
-> question has not been answered 😢

So, in 535a2bf I tried moving the fallback resolver to root server in place of the hard-coded ICANN lookup, but this didn't really work either. It might, but it's going to need a lot more hacky code, because what we want to do is convert an authoritative request into a recursive request, and the data types are all different (hns resource serialization vs unbound result struct).

The ideal fix for this is a wild configuration for the unbound recursive resolver itself that says "if the stubbed root zone returns NXDOMAIN, give up and forward an entirely new request to this upstream recursive..."

Gotcha, thanks for your work so far on this!