Maintained by: NLnet Labs

[Unbound-users] BINDs views in unbound

W.C.A. Wijngaards
Fri Mar 27 11:04:16 CET 2009


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Artis,

Neat trick!

Artis Caune wrote:
> 2009/3/26 Artis Caune <artis.caune at gmail.com>:
>> I can achieve bind views functionality in unbound with two unbound daemons:
>>
>> - first unbound daemon is listening on all interfaces and has no
>> local-zone/local-data entries.
>>
>> - second unbound is listening on localhost and different port:
>>    server:
>>        port: 54
>>        interface: 127.0.0.1
>>        local-zone: myzone.lv transparent
>>        include: /usr/local/etc/unbound/zone-myzone.lv
>>
>> - redirect internal hosts to localhost (FreeBSD pf):
>>    table <int-dns> const { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, ... }
>>    rdr pass proto udp from <int-dns> to port 53 -> 127.0.0.1 port 54
>>    rdr pass proto tcp from <int-dns> to port 53 -> 127.0.0.1 port 54
>>
>> Is this kind of setup okay? Maybe it can be done with one unbound daemon?
> 
> Actually this doesn't work; are the sockets conflicting?:
> Mar 27 11:21:02 cache unbound: [10703:3] notice: sendmsg failed: Can't
> assign requested address
> Mar 27 11:21:02 cache unbound: [10703:3] notice: remote address is
> 192.168.195.39 port 43962
> 
> There are a lot of such entries for different IPs, and unbound sometimes
> does not answer queries.

This is because you bound the second unbound only to 127.0.0.1, and from
there it cannot sendmsg back to the client.
Use interface: 0.0.0.0
or interface-automatic: yes

Don't forget to pf so only internal network can reach port 54 directly,
and give your second unbound access-control for your internal network.

> What do these entries mean?
> Mar 27 11:30:24 cache unbound: [10784:3] notice: sendto failed: Invalid argument
> Mar 27 11:30:24 cache unbound: [10784:3] notice: remote address is
> ::ffff:209.66.91.13 port 53

Unbound tries to disable IPv4-to-IPv6 mapping, but this still happened.
It tries to send back, but the OS doesn't like it.  This should not
happen with the default config; is this for your first unbound? What is
its config?
For this also, interface-automatic: yes may solve it (it actually
enables the mapping and uses it...).  Or some config changes.  Or
disable ipv4-to-ipv6-mapping-by-default with some FreeBSD sysctl; unbound
tries to set a socket option but the kernel does not seem to honor it.

Best regards,
   Wouter
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAknMpKAACgkQkDLqNwOhpPi0vwCfYNzjNILZCdQjTGQbumrUtmB+
U40AoJ4cVzNjdjDjQ1bcymJ4jhFz3jRE
=B+47
-----END PGP SIGNATURE-----
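The two-daemon layout from this thread, written out as an added example (it is not part of the original mail and not configuration shipped by NLnet Labs): the second unbound's config after Wouter's fix (bind to all interfaces instead of 127.0.0.1 only, and restrict clients with access-control), followed by the pf rules that redirect internal clients and keep port 54 unreachable from outside. The `$ext_if` macro name and the `unbound-views.conf` file name are assumptions; the port, zone, include path and internal ranges come from the thread.

```conf
# /usr/local/etc/unbound/unbound-views.conf  (assumed file name)
# Second unbound daemon: serves the "internal view" of myzone.lv.
server:
    port: 54
    # Binding only 127.0.0.1 produced "sendmsg failed: Can't assign
    # requested address", because replies to 192.168.x.x clients cannot
    # leave a loopback-only socket.  Bind all interfaces instead:
    interface: 0.0.0.0
    # Alternative suggested in the thread: reply from whatever address
    # the query arrived on.
    # interface-automatic: yes

    # Only the internal ranges may use this view; everything else is refused.
    access-control: 10.0.0.0/8 allow
    access-control: 172.16.0.0/12 allow
    access-control: 192.168.0.0/16 allow
    access-control: 127.0.0.0/8 allow
    access-control: 0.0.0.0/0 refuse

    local-zone: myzone.lv transparent
    include: /usr/local/etc/unbound/zone-myzone.lv

# /etc/pf.conf fragment
# Internal clients asking port 53 are redirected to the view daemon on 54;
# direct access to port 54 from the external interface is dropped so the
# access-control above is not the only line of defence.
ext_if = "em0"    # assumed interface name
table <int-dns> const { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }

block in quick on $ext_if proto { tcp, udp } from any to port 54
rdr pass proto udp from <int-dns> to port 53 -> 127.0.0.1 port 54
rdr pass proto tcp from <int-dns> to port 53 -> 127.0.0.1 port 54
```

Check the unbound part with `unbound-checkconf /usr/local/etc/unbound/unbound-views.conf` and the pf part with `pfctl -nf /etc/pf.conf` before loading either; the first daemon keeps its default config with no local-zone or local-data entries, as described in the thread.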