Maintained by: NLnet Labs

[Unbound-users] Unbound and Bind Views

Hayward, Bruce
Wed Oct 27 22:39:39 CEST 2010


#        interface: 192.0.2.154@5003
        # interface: 2001:DB8::5

        interface: 142.161.130.152@49152
        interface: 142.161.130.131@49152
#       interface: 142.161.2.131
        interface: 127.0.0.1@53
        interface: 127.0.0.1@49152

        # enable this feature to copy the source address of queries to reply.
        # Socket options are not supported on all platforms. experimental.
        interface-automatic: yes

        # port to answer queries from
#       port: 53

 

[root@wnpgmb02hbv-ns09 etc]# netstat -na |grep 49152
[root@wnpgmb02hbv-ns09 etc]#

 

 

Bruce

Bruce Hayward, MTS Allstream Inc., (p) 204-958-1983 (e) bruce.hayward at mtsallstream.com

________________________________

From: Arni Birgisson [mailto:arnib at menandmice.com] 
Sent: October 27, 2010 3:16 PM
To: Hayward, Bruce
Cc: unbound-users at unbound.net
Subject: Re: [Unbound-users] Unbound and Bind Views

 

Hi Bruce,

 

I have configured a test server at Men & Mice with:

interface: 10.99.99.1@9000

 

and output of netstat -na | grep 9000 

tcp        0      0 10.99.99.1:9000             0.0.0.0:*                   LISTEN

udp        0      0 10.99.99.1:9000             0.0.0.0:*

 

Notice that UDP sockets never display the "LISTEN" state the way TCP sockets do.

 

	and sees it listening (netstat -na|grep -I listen or netstat -tnlp | grep unbound or netstat -anlp | grep unbound)

 

I can't quite see from your command below, but is your grep command using a -i switch (lower case i, for case-insensitive)?

 

Hope this helps!

 

Best regards

Arni.

 

 

Arni Birgisson

Professional Services
Men & Mice
Address: Noatun 17, IS-105, Reykjavik, Iceland
Phone: +354-412-1500
Email: arnib at menandmice.com

www.menandmice.com <http://www.menandmice.com/> 

Men & Mice
We bring control and flexibility to network management

Disclaimer: www.menandmice.com/disclaimer

 

 

 

On Oct 27, 2010, at 7:56 PM, Hayward, Bruce wrote:





Before I spend more time on this (I even have iptables firewall logs running as well as the usual assortment):

Is there someone out there that has configured an interface in the unbound.conf to a port other than 53? (something in the private/dynamic range)

Per the unbound.conf  man:
interface: <ip address[@port]>

and sees it listening (netstat -na|grep -I listen or netstat -tnlp | grep unbound or netstat -anlp | grep unbound)

?

Thanks

Bruce

Bruce Hayward, MTS Allstream Inc., (p) 204-958-1983 (e) bruce.hayward at mtsallstream.com 


-----Original Message-----
From: Ondřej Surý [mailto:ondrej at sury.org] 
Sent: October 27, 2010 12:46 PM
To: Hayward, Bruce
Cc: unbound-users at unbound.net
Subject: Re: [Unbound-users] Unbound and Bind Views

Hi,

On Wed, Oct 27, 2010 at 19:32, Hayward, Bruce
<Bruce.Hayward at mtsallstream.com> wrote:



Hi

	 

	Would then:

	 

	iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 53 -j REDIRECT --to-port 49152


I think so, but it's a long time since I had to use iptables.




regardless of IP address direct any ip hitting port 53 to redirect to port 49152?

	 

	Also do not see the port showing up with the netstat regardless of options - does unbound not open that port when configured?


Try: netstat -tnlp and -unlp and if the port doesn't show up then
check the logs. (Well check the log file anyway as a first thing when
something doesn't work as expected...)

root@ookami:~# netstat -tnlp | grep unbound
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN      1715/unbound
tcp        0      0 127.0.0.1:953           0.0.0.0:*               LISTEN      1715/unbound
tcp6       0      0 ::1:53                  :::*                    LISTEN      1715/unbound
tcp6       0      0 ::1:953                 :::*                    LISTEN      1715/unbound
root@ookami:~# netstat -anlp | grep unbound
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN      1715/unbound
tcp        0      0 127.0.0.1:953           0.0.0.0:*               LISTEN      1715/unbound
tcp6       0      0 ::1:53                  :::*                    LISTEN      1715/unbound
tcp6       0      0 ::1:953                 :::*                    LISTEN      1715/unbound
udp        0      0 127.0.0.1:53            0.0.0.0:*                           1715/unbound
udp6       0      0 ::1:53                  :::*                                1715/unbound
unix  3      [ ]         STREAM     CONNECTED     9599     1715/unbound
unix  3      [ ]         STREAM     CONNECTED     9598     1715/unbound
unix  2      [ ]         DGRAM                    9586     1715/unbound





-----Original Message-----

	From: Ondřej Surý [mailto:ondrej at sury.org]

	Sent: October 27, 2010 12:22 PM

	To: Hayward, Bruce

	Cc: unbound-users at unbound.net

	Subject: Re: [Unbound-users] Unbound and Bind Views

	 

	On Wed, Oct 27, 2010 at 19:14, Hayward, Bruce

	<Bruce.Hayward at mtsallstream.com> wrote:

		Hi

		 

		I have been hammering my way through this.

		 

		The tool that I have on the RHEL servers is iptables (not something that we normally use)

		 

		I have figured out enough to know that I cannot use port forwarding as this is to localhost, but must use the port redirect option, e.g.

		iptables -t nat -A PREROUTING -p tcp -d 142.161.130.xxx --dport 53 -j REDIRECT --to-ports 49152

		iptables -t nat -A PREROUTING -p udp -d 142.161.130.xxx --dport 53 -j REDIRECT --to-ports 49152

		 

		Meaning if 142.161.130.xxx connects to port 53 of this server, then it will actually be connected to 49152.

	 

	I think you need -s 142... and not -d 142... here.  -s is source

	address, -d is destination address.

	 

		And in the unbound.conf file I have setup

		       interface: 142.161.130.xxy@49152
		       interface: 142.161.130.xxx@49152
		       interface: 127.0.0.1@53
		       interface: 127.0.0.1@49152

		 

		When I do a netstat -na|grep -i listen - I do not see the port 49152 listening.

	 

		What am I missing?

	 

	-l switch to netstat.

	 

		Bruce

		 

		Bruce Hayward, MTS Allstream Inc., (p) 204-958-1983 (e) bruce.hayward at mtsallstream.com

		 

		 

		-----Original Message-----

		From: Ondřej Surý [mailto:ondrej at sury.org]

		Sent: October 25, 2010 8:33 AM

		To: Hayward, Bruce

		Cc: unbound-users at unbound.net

		Subject: Re: [Unbound-users] Unbound and Bind Views

		 

		Hi Bruce,

		 

		it should be fairly easy to accomplish both options using DNAT on Linux (or using other translation mechanisms, either on the router or on the end box).

		 

		e.g. on Linux you can use:

		 

		- 10.10.10.1 is the normal address

		- 10.10.10.2 is extra address you use to serve internal clients (can

		be localhost if NATed on the box)

		- 192.168.1.1/32 is the specific CIDR

		 

		iptables -t nat -A PREROUTING -s 192.168.1.1/32 -d 10.10.10.1 -j DNAT --to-destination 10.10.10.2

		 

		If you do the NAT on the router before, it has the added benefit of splitting the load (so you can provide a less loaded service to your customers... etc.)

		 

		Ondrej

		 

		On Mon, Oct 25, 2010 at 15:18, Hayward, Bruce

		<Bruce.Hayward at mtsallstream.com> wrote:

			Hey

			 

			On specific resolvers we use bind views to direct those who come from an IP in a specific CIDR to use a specific zone.  We have two cases of these views.

			 

			We also use views to isolate those that should only use internal zones versus those that should not use internal zones (external customers)

			 

			Those that do not come from an IP in a specific CIDR use a global zone.

			 

			"Views" were introduced in Bind 9.

			 

			http://oreilly.com/pub/a/oreilly/networking/news/views_0501.html

			 

			Bruce

			 

			Bruce Hayward, MTS Allstream Inc., (p) 204-958-1983 (e) bruce.hayward at mtsallstream.com

			 

			 

			-----Original Message-----

			From: unbound-users-bounces at NLnetLabs.nl [mailto:unbound-users-bounces at NLnetLabs.nl] On Behalf Of Ondrej Surý

			Sent: October 21, 2010 9:52 AM

			To: unbound-users at unbound.net

			Subject: Re: [Unbound-users] Unbound and Bind Views

			 

			Hey Bruce,

			 

			I think that it's pretty well documented in the mail you sent a link to... you set up two unbound instances and mangle the traffic from a set of IP addresses using the standard firewall/NAT features your operating system has.

			Anyway, maybe if you can explain what you are trying to accomplish, then we can propose an alternative without views.

			 

			Ondrej

			 

			On Thu, Oct 21, 2010 at 15:32, Hayward, Bruce

			<Bruce.Hayward at mtsallstream.com> wrote:

				 

				One area of Bind that we use is views to direct traffic.

				 

				Before we can switch to Unbound, we would need a means of emulating

				views.

				 

				In researching this (on Google) I came across a thread discussing this:

				http://www.mail-archive.com/unbound-users@unbound.net/msg00337.html

				 

				Has anyone documented steps to accomplish this?

				 

				Thanks

				 

				Bruce

				 

				Bruce Hayward, MTS Allstream Inc., (p) 204-958-1983 (e)

				bruce.hayward at mtsallstream.com

				 

				 

				 

				 


				 

				_______________________________________________

				Unbound-users mailing list

				Unbound-users at unbound.net

				http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users

			 

			 

			 

			--

			Ondřej Surý <ondrej at sury.org>

			 


			 

		 

		 

		 

		--

		Ondřej Surý <ondrej at sury.org>

		 

	 

	 

	 

	--

	Ondřej Surý <ondrej at sury.org>

	 




-- 
Ondřej Surý <ondrej at sury.org>

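Added example, not code from this thread, from NLnet Labs or from Men & Mice. It puts together the two things the thread keeps coming back to: Ondřej's suggestion of a second Unbound instance reached through iptables NAT so that one client CIDR gets a different "view", and the netstat confusion in Bruce's messages, where `grep -i listen` cannot show a UDP socket because UDP rows have no LISTEN state. The rules are only printed (a dry run), so the script runs without root or Unbound installed. Every address (10.10.10.1, 192.168.1.0/24), the port 49152, the zone `internal.example.`, the pidfile path and the netstat sample are assumptions made for the illustration; the netstat text is constructed, not captured from a host.

```shell
#!/bin/sh
# Added example: not code from this thread, from NLnet Labs or from Men & Mice.
# It puts together the two things the thread keeps coming back to:
#  1. emulating a BIND "view" with iptables REDIRECT plus a second Unbound
#     instance on a high port, and
#  2. checking from netstat output that the high port is really bound for
#     both TCP and UDP, without relying on "LISTEN", which UDP never shows.
# Every address, port, zone name and path below is an assumption.

PUBLIC_IP=10.10.10.1            # address all clients point their resolver at
INTERNAL_CIDR=192.168.1.0/24    # clients that should see the internal view
INTERNAL_PORT=49152             # where the internal Unbound instance listens

# unbound.conf for the internal instance. The high port is reachable by
# anyone who finds it, so the CIDR is enforced again with access-control.
# REDIRECT leaves the client's source address untouched, so that check works.
internal_unbound_conf() {
    cat <<EOF
server:
    interface: ${PUBLIC_IP}@${INTERNAL_PORT}
    interface: 127.0.0.1@${INTERNAL_PORT}
    access-control: ${INTERNAL_CIDR} allow
    access-control: 127.0.0.0/8 allow
    access-control: 0.0.0.0/0 refuse
    pidfile: "/var/run/unbound-internal.pid"
    local-zone: "internal.example." static
    local-data: "intranet.internal.example. IN A 10.10.20.5"
EOF
}

# iptables rules that move port-53 queries from INTERNAL_CIDR to the internal
# instance. Printed rather than applied; run "view_rules | sh" as root to
# apply. Both protocols are needed, since DNS uses UDP and falls back to TCP.
# PREROUTING only sees packets that arrive on an interface; queries from the
# box itself would need the same REDIRECT in the nat OUTPUT chain.
view_rules() {
    for proto in tcp udp; do
        echo "iptables -t nat -A PREROUTING -p $proto -s $INTERNAL_CIDR -d $PUBLIC_IP --dport 53 -j REDIRECT --to-ports $INTERNAL_PORT"
    done
}

# Read "netstat -an" style output on stdin and report whether PORT is bound
# for TCP and for UDP. A TCP listener carries LISTEN in the state column;
# a UDP socket has no state column, so "grep -i listen" never finds it.
port_bound() {
    awk -v p="$1" '
        $1 ~ /^tcp/ && $4 ~ (":" p "$") && $6 == "LISTEN" { tcp = 1 }
        $1 ~ /^udp/ && $4 ~ (":" p "$")                   { udp = 1 }
        END { printf "tcp=%d udp=%d\n", tcp, udp }'
}

# Constructed "netstat -anp" output for the demo, not captured from a host:
# both instances up, the internal one bound on TCP and UDP 49152, and the
# remote-control port 953 (TCP only) on the public instance.
SAMPLE_NETSTAT='tcp        0      0 10.10.10.1:49152        0.0.0.0:*               LISTEN      1715/unbound
udp        0      0 10.10.10.1:49152        0.0.0.0:*                           1715/unbound
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN      1702/unbound
udp        0      0 127.0.0.1:53            0.0.0.0:*                           1702/unbound
tcp        0      0 127.0.0.1:953           0.0.0.0:*               LISTEN      1702/unbound'

sample_status()     { printf '%s\n' "$SAMPLE_NETSTAT" | port_bound "$1"; }
listen_grep_count() { printf '%s\n' "$SAMPLE_NETSTAT" | grep -ic listen; }

internal_unbound_conf
echo
view_rules
echo
for port in 53 953 "$INTERNAL_PORT"; do
    echo "port $port: $(sample_status "$port")"
done
echo "rows matched by 'grep -i listen': $(listen_grep_count) (the two UDP rows are missed)"
```

Running the script prints the generated internal-view unbound.conf, the two REDIRECT rules, and `tcp=1 udp=1` for ports 53 and 49152 against the constructed sample, while port 953 reports `udp=0`. The `access-control` lines are the part that makes this a real view rather than a cosmetic one: without them any host that can reach 49152 directly gets the internal answers regardless of the iptables rule.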

 

 
