Maintained by: NLnet Labs

[Unbound-users] unbound-1.4.7 fails to resolve on simple configuration

W.C.A. Wijngaards
Wed Dec 8 08:12:56 CET 2010


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Andrew,

On 12/08/2010 01:35 AM, Andrew Savchenko wrote:
> I'm trying to set up a simple caching resolver using unbound-1.4.7, but
> it fails to work and seems to fall into an infinite loop. This is my
> config:

Not an infinite loop: waiting for data, and getting timeouts.

> server:
>     interface: 0.0.0.0
>     access-control: 127.0.0.1/32 allow
>     verbosity: 5
>     do-ip6: no

This config should resolve names.

> Then I run unbound-host kernel.org -C /etc/unbound/unbound.conf >
> unbound.log 2>&1 to test. You can see what happens in the attached
> file unbound.log. Program was terminated using ^C eventually. Running
> unbound daemon gives the same result.
> 
> Via tcpdump I can see all these packets sent (see unbound.log), but
> no replies. Bind on the same host works without any problems. I tried
> to stop bind during testing using unbound-host to exclude any
> interference, but this does not help.

So, unbound tries to send queries to root servers.  But it never
receives replies.  There is thus some sort of over-active firewall that
blocks queries towards the DNS root servers.  (It does not block queries
to Google DNS, apparently, so the firewall does not make sense.)

> I tried to fetch the latest root hints from
> ftp://FTP.INTERNIC.NET/domain/named.cache and add a path to config
> file:
>     root-hints: "/etc/unbound/named.cache"
> but this doesn't help a bit.
> 
> Of course, my final setup will be more complicated. It's a sore fact,
> but more complicated things work, while simple resolver fails. When
> I use nsd daemon for local zone it works well (for local zone
> queries):

Yes, because then queries to campus.local do not require the root DNS
servers.  Those root servers are still unreachable.

> And another note: without "do-not-query-localhost: no" option nsd
> running on 127.0.0.1:10053 will not be queried, this is not so
> obvious and it will be great to point it out somewhere in the
> documentation.

Thanks for that.

> But I want to use unbound's own resolver, and I have absolutely no
> idea what to do now: either I hit some grave bug or I deeply
> misunderstand how unbound should work. Any help will be appreciated.

Your network has strange firewalls.  If you dig @<address of root
server> +dnssec +cdflag, then you send the exact packet that unbound is
also sending out.

Best regards,
   Wouter
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAkz/L/cACgkQkDLqNwOhpPiY/wCfQCh+XAAkGNCT7udwD4ZS6XxI
vhUAoI2B18Iq8jBw3lbTlyjVgRdl6GQb
=xz9X
-----END PGP SIGNATURE-----
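The two practical points in the reply above, reproducing unbound's root-server query with dig and the do-not-query-localhost requirement for a localhost nsd, as an added shell script. This is example code written for this page, not part of the thread, unbound or NLnet Labs' code. It assumes dig (from BIND's tools) is installed and a root hints file in the InterNIC named.cache format; the hints excerpt embedded for the self-test is constructed here, so fetch the real file before relying on the addresses. The query sent is a `. NS` priming query with the DO bit (+dnssec) and CD flag (+cdflag) set, and with recursion desired cleared (+norecurse), since unbound's own queries to authoritative servers are iterative.

```shell
#!/bin/sh
# unbound-rootcheck.sh: check whether the root servers in a named.cache
# answer the kind of query unbound sends, and emit the stub-zone config
# for an nsd running on localhost.  Example for this thread, not unbound code.
#
# Usage: sh unbound-rootcheck.sh /etc/unbound/named.cache
#        sh -c '. ./unbound-rootcheck.sh; stub_zone_conf campus.local 127.0.0.1 10053'

# Print "name address" for every IPv4 glue record in a named.cache file.
# named.cache lines look like:  A.ROOT-SERVERS.NET.  3600000  A  198.41.0.4
# Comment lines start with ';'; NS and AAAA lines are skipped.
root_ipv4_from_hints() {
    grep -v '^;' "$1" | awk '$3 == "A" { print $1, $4 }'
}

# Send one root server the query unbound sends at priming time:
# ". NS" with DO and CD set, RD clear.  One try, two-second timeout.
# dig exits non-zero when no reply arrives, which is the firewall symptom.
probe_root() {
    ip=$1
    if dig @"$ip" . NS +dnssec +cdflag +norecurse +time=2 +tries=1 >/dev/null 2>&1; then
        echo "ok      $ip"
    else
        echo "timeout $ip"
    fi
}

# Probe every IPv4 root server listed in the hints file.
probe_roots() {
    root_ipv4_from_hints "$1" | while read -r name ip; do
        probe_root "$ip"
    done
}

# unbound.conf fragment for an authoritative server on localhost.
# Without "do-not-query-localhost: no" unbound never sends to 127.0.0.1,
# so the stub-zone is silently never consulted.
stub_zone_conf() {
    zone=$1; addr=$2; port=$3
    cat <<EOF
server:
    do-not-query-localhost: no
stub-zone:
    name: "$zone"
    stub-addr: $addr@$port
EOF
}

# Constructed excerpt in named.cache format for the self-test (not the
# real file; only A and K root and their addresses at the time of writing).
sample_hints() {
    cat <<'EOF'
; constructed excerpt in named.cache format
.                        3600000      NS    A.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET.      3600000      A     198.41.0.4
A.ROOT-SERVERS.NET.      3600000      AAAA  2001:503:ba3e::2:30
.                        3600000      NS    K.ROOT-SERVERS.NET.
K.ROOT-SERVERS.NET.      3600000      A     193.0.14.129
EOF
}

# Only probe the network when a hints file is given on the command line.
if [ "$#" -gt 0 ]; then
    probe_roots "$1"
fi
```

If every root server comes back as `timeout` while `dig @8.8.8.8 kernel.org` answers, the path to the roots is being filtered, which is what the reply above diagnoses; a per-server mix of `ok` and `timeout` points at the hints file or routing instead. Pipe the output of `stub_zone_conf` into a file named in an `include:` line and run `unbound-checkconf` on the result before restarting.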