Maintained by: NLnet Labs

[Unbound-users] It Works... RE: - RE: Unbound and Bind Views

Hayward, Bruce
Thu Oct 28 22:27:17 CEST 2010


This works, at least at the base level. Now we will need to figure out the tuning (e.g. how many threads, what port for unbound-control...) in each running instance.  Currently I have it set up for 8 threads: 3 in one instance, 3 in another, and two in another.

So now, based upon the from IP, it pays attention to the appropriate (one of three) config file. All three are listening at the same time.

Bruce

Bruce Hayward, MTS Allstream Inc., (p) 204-958-1983 (e) bruce.hayward at mtsallstream.com 


-----Original Message-----
From: unbound-users-bounces at NLnetLabs.nl [mailto:unbound-users-bounces at NLnetLabs.nl] On Behalf Of Hayward, Bruce
Sent: October 28, 2010 12:33 PM
To: unbound-users at unbound.net
Subject: Re: [Unbound-users] Solved - at least why other ports are not showing - RE: Unbound and Bind Views

Hi All

I have set up some virtual interfaces, using private (192.168..) IPs and using IPTables to forward the incoming traffic to them.

Likewise these private interfaces do not show when configured in the unbound.conf on the interface line (netstat -tnlp | grep unbound) if we turn on Interface-automatic: yes.

I rebuilt the 'Public' virtual IPs to dangle off of the physical interface (eth1), instead of the loopback.

Testing is going well with 'Interface-automatic: yes' turned off, with the new virtual interfaces running private IPs, and the Public Virtuals moved from the loopback to an ethx virtual.

The next phase will be creating another instance of unbound running at the same time (just will create another config directory, and use the same binary), and get it to discriminate between the two versions running, based upon the private IP listened to. 


If all of this works, then we have 'views'.


Bruce

Bruce Hayward, MTS Allstream Inc., (p) 204-958-1983 (e) bruce.hayward at mtsallstream.com 


-----Original Message-----
From: Hayward, Bruce 
Sent: October 28, 2010 7:45 AM
To: unbound-users at unbound.net
Subject: Solved - at least why other ports are not showing - RE: [Unbound-users] Unbound and Bind Views

Hi all

If you enable:
interface-automatic: yes
then any interface ports other than 53 disappear (when using interface: <ip address[@port]> as per the documentation).

We have interface-automatic: yes enabled as suggested as we run in an anycast model (same virtuals regardless of geo).

Thoughts on how to accomplish both (views and anycast) given the behaviour of ports on the <ip address[@port]> line teamed with interface-automatic.

Much Thanks

Bruce

Bruce Hayward, MTS Allstream Inc., (p) 204-958-1983 (e) bruce.hayward at mtsallstream.com 


-----Original Message-----
From: Ondřej Surý [mailto:ondrej at sury.org] 
Sent: October 27, 2010 4:50 PM
To: Hayward, Bruce
Cc: unbound-users at unbound.net
Subject: Re: [Unbound-users] Unbound and Bind Views

Just tried that for you...

# netstat -tnlp | grep unbound
tcp        0      0 127.0.0.1:953           0.0.0.0:*               LISTEN      3078/unbound
tcp        0      0 127.0.0.1:49152         0.0.0.0:*               LISTEN      3078/unbound
tcp6       0      0 ::1:953                 :::*                    LISTEN      3078/unbound


On Wed, Oct 27, 2010 at 19:32, Hayward, Bruce
<Bruce.Hayward at mtsallstream.com> wrote:
> Hi
>
> Would then:
>
> iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 53 -j REDIRECT --to-port 49152
>
> regardless of IP address direct any ip hitting port 53 to redirect to port 49152?
>
> Also do not see the port showing up with the netstat regardless of options - does unbound not open that port when configured?
>
> Thanks
>
> Bruce
>
> Bruce Hayward, MTS Allstream Inc., (p) 204-958-1983 (e) bruce.hayward at mtsallstream.com
>
>
> -----Original Message-----
> From: Ondřej Surý [mailto:ondrej at sury.org]
> Sent: October 27, 2010 12:22 PM
> To: Hayward, Bruce
> Cc: unbound-users at unbound.net
> Subject: Re: [Unbound-users] Unbound and Bind Views
>
> On Wed, Oct 27, 2010 at 19:14, Hayward, Bruce
> <Bruce.Hayward at mtsallstream.com> wrote:
>> Hi
>>
>> I have been hammering my way through this.
>>
>> The tool that I have on the RHEL servers is iptables (not something that we normally use)
>>
>> I have figured out enough to know that I cannot use port forwarding as this is to localhost, but must use the port redirect option, e.g.
>> iptables -t nat -A PREROUTING -p tcp -d 142.161.130.xxx --dport 53 -j REDIRECT --to-ports 49152
>> iptables -t nat -A PREROUTING -p udp -d 142.161.130.xxx --dport 53 -j REDIRECT --to-ports 49152
>>
>> Means if 142.161.130.xxx will connect at port 53 of this server then it will actually be connected to 49152
>
> I think you need -s 142... and not -d 142... here.  -s is source
> address, -d is destination address.
>
>> And in the unbound.conf file I have setup
>>        interface: 142.161.130.xxy@49152
>>        interface: 142.161.130.xxx@49152
>>        interface: 127.0.0.1@53
>>        interface: 127.0.0.1@49152
>>
>> When I do a netstat -na|grep -i listen - I do not see the port 49152 listening.
>
>> What am I missing?
>
> -l switch to netstat.
>
>> Bruce
>>
>> Bruce Hayward, MTS Allstream Inc., (p) 204-958-1983 (e) bruce.hayward at mtsallstream.com
>>
>>
>> -----Original Message-----
>> From: Ondřej Surý [mailto:ondrej at sury.org]
>> Sent: October 25, 2010 8:33 AM
>> To: Hayward, Bruce
>> Cc: unbound-users at unbound.net
>> Subject: Re: [Unbound-users] Unbound and Bind Views
>>
>> Hi Bruce,
>>
>> it should be fairly easy to accomplish both options using DNAT on linux
>> (or using other translation mechanisms either on the router or on the
>> end box).
>>
>> e.g. on Linux you can use:
>>
>> - 10.10.10.1 is the normal address
>> - 10.10.10.2 is an extra address you use to serve internal clients (can
>> be localhost if NATed on the box)
>> - 192.168.1.1/32 is the specific CIDR
>>
>> iptables -t nat -A PREROUTING -s 192.168.1.1/32 -d 10.10.10.1 -j DNAT --to-destination 10.10.10.2
>>
>> If you do the NAT on the router before, it has the added benefit of
>> splitting the load (so you can provide less loaded service to your
>> customers... etc.)
>>
>> Ondrej
>>
>> On Mon, Oct 25, 2010 at 15:18, Hayward, Bruce
>> <Bruce.Hayward at mtsallstream.com> wrote:
>>> Hey
>>>
>>> On specific resolvers we use bind views to direct those who come from an IP in a specific CIDR to use a specific zone.  We have two cases of these views.
>>>
>>> We also use views to isolate those that should only use internal zones versus those that should not use internal zones (external customers).
>>>
>>> Those that do not come from an IP in a specific CIDR use a global zone.
>>>
>>> "Views" were introduced in Bind 9.
>>>
>>> http://oreilly.com/pub/a/oreilly/networking/news/views_0501.html
>>>
>>> Bruce
>>>
>>> Bruce Hayward, MTS Allstream Inc., (p) 204-958-1983 (e) bruce.hayward at mtsallstream.com
>>>
>>>
>>> -----Original Message-----
>>> From: unbound-users-bounces at NLnetLabs.nl [mailto:unbound-users-bounces at NLnetLabs.nl] On Behalf Of Ondrej Surý
>>> Sent: October 21, 2010 9:52 AM
>>> To: unbound-users at unbound.net
>>> Subject: Re: [Unbound-users] Unbound and Bind Views
>>>
>>> Hey Bruce,
>>>
>>> I think that it's pretty well documented in the mail you sent a
>>> link to...  you set up two unbound instances and mangle the traffic from
>>> a set of IP addresses using the standard firewall/NAT features your
>>> operating system has.
>>>
>>> Anyway, maybe if you can explain what you are trying to accomplish, then
>>> we can propose an alternative without views.
>>>
>>> Ondrej
>>>
>>> On Thu, Oct 21, 2010 at 15:32, Hayward, Bruce
>>> <Bruce.Hayward at mtsallstream.com> wrote:
>>>>
>>>> One area of Bind that we use is views to direct traffic.
>>>>
>>>> Before we can switch to Unbound, we would need a means of emulating
>>>> views.
>>>>
>>>> In researching this (on Google) I came across a thread discussing this:
>>>> http://www.mail-archive.com/unbound-users@unbound.net/msg00337.html
>>>>
>>>> Has anyone documented steps to accomplish this?
>>>>
>>>> Thanks
>>>>
>>>> Bruce
>>>>
>>>> Bruce Hayward, MTS Allstream Inc., (p) 204-958-1983 (e)
>>>> bruce.hayward at mtsallstream.com
>>>>
>>>>
>>>>
>>>>
>>>> _______________________________________________
>>>> Unbound-users mailing list
>>>> Unbound-users at unbound.net
>>>> http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users
>>>
>>>
>>>
>>> --
>>> Ondřej Surý <ondrej at sury.org>
>>>
>>>
>>
>>
>>
>> --
>> Ondřej Surý <ondrej at sury.org>
>>
>
>
>
> --
> Ondřej Surý <ondrej at sury.org>
>



-- 
Ondřej Surý <ondrej at sury.org>

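As an added example (not from this thread, and not Unbound's or NLnet Labs' own code) modelling the setup the thread arrives at: one Unbound instance per view on its own private address and non-53 port, PREROUTING DNAT keyed on the source CIDR (-s, not -d), and interface-automatic left off. All addresses, view names and the access-control lines are assumptions.

```python
"""Emulating BIND views with one Unbound instance per view, steered by iptables.
Constructed example: one public anycast address, each instance on its own
private address and port, PREROUTING DNAT keyed on the *source* CIDR (-s, not -d)."""
import ipaddress
from dataclasses import dataclass

PUBLIC_IP = "203.0.113.53"  # constructed anycast service address

@dataclass(frozen=True)
class View:
    name: str
    cidrs: tuple   # source networks that select this view
    listen: str    # private address@port of this view's Unbound instance

# First match wins, like BIND's match-clients; the catch-all view goes last.
VIEWS = (
    View("internal", ("192.168.0.0/16", "10.0.0.0/8"), "192.168.250.1@5301"),
    View("partner", ("198.51.100.0/24",), "192.168.250.2@5302"),
    View("global", ("0.0.0.0/0",), "192.168.250.3@5303"),
)

def select_view(src_ip: str) -> View:
    """Return the view the DNAT rules steer this source address to."""
    addr = ipaddress.ip_address(src_ip)
    for v in VIEWS:
        if any(addr in ipaddress.ip_network(c) for c in v.cidrs):
            return v
    raise LookupError("no catch-all view configured")

def iptables_rules(protos=("udp", "tcp")) -> list:
    """PREROUTING DNAT rules, one per (view, cidr, proto), in match order."""
    rules = []
    for v in VIEWS:
        ip, port = v.listen.split("@")
        for c in v.cidrs:
            for proto in protos:
                rules.append(f"iptables -t nat -A PREROUTING -p {proto} -s {c} "
                             f"-d {PUBLIC_IP} --dport 53 -j DNAT "
                             f"--to-destination {ip}:{port}")
    return rules

def unbound_conf(v: View) -> str:
    """unbound.conf fragment for one instance: interface-automatic off (with it
    on, non-53 ports on interface: lines are not bound), and access-control
    repeating the view's CIDRs so the NAT rule is not the only gate."""
    acl = "\n".join(f"    access-control: {c} allow" for c in v.cidrs)
    return (f"server:\n    interface: {v.listen}\n"
            f"    interface-automatic: no\n{acl}\n")
```

DNAT rewrites only the destination, so each instance's access-control still sees the real client address; a query that lands on an instance it was not steered to is refused by Unbound's default rather than answered from the wrong view.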