Maintained by: NLnet Labs

[Unbound-users] Can't get Unbound caching/recursive server to answer on outside IP

unbound at fongaboo.com
Wed Nov 5 14:53:35 CET 2014


Thank you. I'm going to do some googling on access-control. In the 
meantime, here is my conf file:

## Authoritative, validating, recursive caching DNS
## unbound.conf -- https://calomel.org
#
server:
   # log verbosity
     verbosity: 2

   # specify the interfaces to answer queries from by ip-address.  The default
   # is to listen to localhost (127.0.0.1 and ::1).  specify 0.0.0.0 and ::0 to
   # bind to all available interfaces.  specify every interface[@port] on a new
   # 'interface:' labeled line.  The listen interfaces are not changed on
   # reload, only on restart.
     interface: 127.0.0.1
     interface: <2nd outside IP>

   # port to answer queries from
     port: 53

   # Enable IPv4, "yes" or "no".
     do-ip4: yes

   # Enable IPv6, "yes" or "no".
     do-ip6: no

   # Enable UDP, "yes" or "no".
     do-udp: yes

   # Enable TCP, "yes" or "no". If TCP is not needed, Unbound is actually
   # quicker to resolve as the functions related to TCP checks are not done.i
   # NOTE: you may need tcp enabled to get the DNSSEC results from *.edu domains
   # due to their size.
     do-tcp: yes

   # control which client ips are allowed to make (recursive) queries to this
   # server. Specify classless netblocks with /size and action.  By default
   # everything is refused, except for localhost.  Choose deny (drop message),
   # refuse (polite error reply), allow (recursive ok), allow_snoop (recursive
   # and nonrecursive ok)
     access-control: 127.0.0.0/8 allow
     access-control: 10.0.0.0/16 allow

   # Read  the  root  hints from this file. Default is nothing, using built in
   # hints for the IN class. The file has the format of  zone files,  with  root
   # nameserver  names  and  addresses  only. The default may become outdated,
   # when servers change,  therefore  it is good practice to use a root-hints
   # file.  get one from ftp://FTP.INTERNIC.NET/domain/named.cache
     root-hints: "/var/unbound/root.hints"

   # enable to not answer id.server and hostname.bind queries.
     hide-identity: yes

   # enable to not answer version.server and version.bind queries.
     hide-version: yes

   # Will trust glue only if it is within the servers authority.
   # Harden against out of zone rrsets, to avoid spoofing attempts.
   # Hardening queries multiple name servers for the same data to make
   # spoofing significantly harder and does not mandate dnssec.
     harden-glue: yes

   # Require DNSSEC data for trust-anchored zones, if such data is absent, the
   # zone becomes  bogus.  Harden against receiving dnssec-stripped data. If you
   # turn it off, failing to validate dnskey data for a trustanchor will trigger
   # insecure mode for that zone (like without a trustanchor).  Default on,
   # which insists on dnssec data for trust-anchored zones.
     harden-dnssec-stripped: yes

   # Use 0x20-encoded random bits in the query to foil spoof attempts.
   # http://tools.ietf.org/html/draft-vixie-dnsext-dns0x20-00
   # While upper and lower case letters are allowed in domain names, no significance
   # is attached to the case. That is, two names with the same spelling but
   # different case are to be treated as if identical. This means calomel.org is the
   # same as CaLoMeL.Org which is the same as CALOMEL.ORG.
     use-caps-for-id: yes

   # the time to live (TTL) value lower bound, in seconds. Default 0.
   # If more than an hour could easily give trouble due to stale data.
     cache-min-ttl: 3600

   # the time to live (TTL) value cap for RRsets and messages in the
   # cache. Items are not cached for longer. In seconds.
     cache-max-ttl: 86400

   # perform prefetching of close to expired message cache entries.  If a client
   # requests the dns lookup and the TTL of the cached hostname is going to
   # expire in less than 10% of its TTL, unbound will (1st) return the ip of the
   # host to the client and (2nd) pre-fetch the dns request from the remote dns
   # server. This method has been shown to increase the amount of cached hits by
   # local clients by 10% on average.
     prefetch: yes

   # number of threads to create. 1 disables threading. This should equal the number
   # of CPU cores in the machine. Our example machine has 4 CPU cores.
     num-threads: 4


   ## Unbound Optimization and Speed Tweaks ###

   # the number of slabs to use for cache and must be a power of 2 times the
   # number of num-threads set above. more slabs reduce lock contention, but
   # fragment memory usage.
     msg-cache-slabs: 8
     rrset-cache-slabs: 8
     infra-cache-slabs: 8
     key-cache-slabs: 8

   # Increase the memory size of the cache. Use roughly twice as much rrset cache
   # memory as you use msg cache memory. Due to malloc overhead, the total memory
   # usage is likely to rise to double (or 2.5x) the total cache memory. The test
   # box has 4gig of ram so 256meg for rrset allows a lot of room for cacheed objects.
     rrset-cache-size: 256m
     msg-cache-size: 128m

   # buffer size for UDP port 53 incoming (SO_RCVBUF socket option). This sets
   # the kernel buffer larger so that no messages are lost in spikes in the traffic.
     so-rcvbuf: 1m

   ## Unbound Optimization and Speed Tweaks ###


   # Enforce privacy of these addresses. Strips them away from answers.  It may
   # cause DNSSEC validation to additionally mark it as bogus.  Protects against
   # 'DNS Rebinding' (uses browser as network proxy).  Only 'private-domain' and
   # 'local-data' names are allowed to have these private addresses. No default.
   # private-address: 10.0.0.0/8
   # private-address: 172.16.0.0/12
   # private-address: 10.0.0.0/16

   # Allow the domain (and its subdomains) to contain private addresses.
   # local-data statements are allowed to contain private addresses too.
   # private-domain: "home.lan"

   # If nonzero, unwanted replies are not only reported in statistics, but also
   # a running total is kept per thread. If it reaches the threshold, a warning
   # is printed and a defensive action is taken, the cache is cleared to flush
   # potential poison out of it.  A suggested value is 10000000, the default is
   # 0 (turned off). We think 10K is a good value.
     unwanted-reply-threshold: 10000

   # IMPORTANT FOR TESTING: If you are testing and setup NSD or BIND  on
   # localhost you will want to allow the resolver to send queries to localhost.
   # Make sure to set do-not-query-localhost: yes . If yes, the above default
   # do-not-query-address entries are present.  if no, localhost can be queried
   # (for testing and debugging).
     do-not-query-localhost: no

   # File with trusted keys, kept up to date using RFC5011 probes, initial file
   # like trust-anchor-file, then it stores metadata.  Use several entries, one
   # per domain name, to track multiple zones. If you use forward-zone below to
   # query the Google DNS servers you MUST comment out this option or all DNS
   # queries will fail.
     auto-trust-anchor-file: "/var/unbound/root.key"

   # Should additional section of secure message also be kept clean of unsecure
   # data. Useful to shield the users of this validator from potential bogus
   # data in the additional section. All unsigned data in the additional section
   # is removed from secure messages.
     val-clean-additional: yes

   # Blocking Ad Server domains. Google's AdSense, DoubleClick and Yahoo
   # account for a 70 percent share of all advertising traffic. Block them.
   # local-zone: "doubleclick.net" redirect
   # local-data: "doubleclick.net A 127.0.0.1"
   # local-zone: "googlesyndication.com" redirect
   # local-data: "googlesyndication.com A 127.0.0.1"
   # local-zone: "googleadservices.com" redirect
   # local-data: "googleadservices.com A 127.0.0.1"
   # local-zone: "google-analytics.com" redirect
   # local-data: "google-analytics.com A 127.0.0.1"
   # local-zone: "ads.youtube.com" redirect
   # local-data: "ads.youtube.com A 127.0.0.1"
   # local-zone: "adserver.yahoo.com" redirect
   # local-data: "adserver.yahoo.com A 127.0.0.1"


   # Unbound will not load if you specify the same local-zone and local-data
   # servers in the main configuration as well as in this "include:" file. We
   # suggest commenting out any of the local-zone and local-data lines above if
   # you suspect they could be included in the unbound_ad_servers servers file.
   #include: "/usr/local/etc/unbound/unbound_ad_servers"

   # locally served zones can be configured for the machines on the LAN.

   # local-zone: "home.lan." static

   # local-data: "firewall.home.lan.  IN A 10.0.0.1"
   # local-data: "laptop.home.lan.    IN A 10.0.0.2"
   # local-data: "xboxone.home.lan.   IN A 10.0.0.3"
   # local-data: "ps4.home.lan.       IN A 10.0.0.4"
   # local-data: "dhcp5.home.lan.     IN A 10.0.0.5"
   # local-data: "dhcp6.home.lan.     IN A 10.0.0.6"
   # local-data: "dhcp7.home.lan.     IN A 10.0.0.7"

   # local-data-ptr: "10.0.0.1  firewall.home.lan"
   # local-data-ptr: "10.0.0.2  laptop.home.lan"
   # local-data-ptr: "10.0.0.3  xboxone.home.lan"
   # local-data-ptr: "10.0.0.4  ps4.home.lan"
   # local-data-ptr: "10.0.0.5  dhcp5.home.lan"
   # local-data-ptr: "10.0.0.6  dhcp6.home.lan"
   # local-data-ptr: "10.0.0.7  dhcp7.home.lan"

   # Unbound can query your NSD or BIND server for private domain queries too.
   # On our NSD page we have NSD configured to serve the private domain,
   # "home.lan". Here we can tell Unbound to connect to the NSD server when it
   # needs to resolve a *.home.lan hostname or IP.
   #
   # private-domain: "home.lan"
   # local-zone: "0.0.10.in-addr.arpa." nodefault
   # stub-zone:
   #      name: "home.lan"
   #      stub-addr: 10.0.0.111 at 53

   # If you have an internal or private DNS names the external DNS servers can
   # not resolve, then you can assign domain name strings to be redirected to a
   # seperate dns server. For example, our comapny has the domain
   # organization.com and the domain name internal.organization.com can not be
   # resolved by Google's public DNS, but can be resolved by our private DNS
   # server located at 1.1.1.1. The following tells Unbound that any
   # organization.com domain, i.e. *.organization.com be dns resolved by 1.1.1.1
   # instead of the public dns servers.
   #
   # forward-zone:
   #    name: "organization.com"
   #    forward-addr: 1.1.1.1        # Internal or private DNS

   # Use the following forward-zone to forward all queries to Google DNS,
   # OpenDNS.com or your local ISP's dns servers for example. To test resolution
   # speeds use "drill calomel.org @8.8.8.8" and look for the "Query time:" in
   # milliseconds.
   #
     forward-zone:
        name: "."
   #    forward-addr: 8.8.8.8        # Google Public DNS
   #    forward-addr: 74.82.42.42    # Hurricane Electric
   #    forward-addr: 4.2.2.4        # Level3 Verizon
        forward-addr: 208.67.222.222 # OpenDNS
        forward-addr: 208.67.220.220 # OpenDNS
#
#
## Authoritative, validating, recursive caching DNS
## unbound.conf -- https://calomel.org

remote-control:
         control-enable: yes
         control-interface: 127.0.0.1
         control-port: 8953
         server-key-file: "/var/unbound/unbound_server.key"
         server-cert-file: "/var/unbound/unbound_server.pem"
         control-key-file: "/var/unbound/unbound_control.key"
         control-key-file: "/var/unbound/unbound_control.key"




On Tue, 4 Nov 2014, staticsafe wrote:

> On 11/4/2014 13:07, unbound at fongaboo.com wrote:
>>
>> Have a FreeBSD 10 machine. Have two outside IPs bound to it. First IP
>> has NSD running as an authoritative server. This is specified
>> specifically in the interface entry of nsd.conf.
>>
>> Trying to run caching/recursive nameserver with unbound on the second
>> IP. I specified the following entries in unbound.conf:
>>
>>     interface: 127.0.0.1
>>     interface: <Second IP>
> ...
>> Any ideas why I can't get answers on the second IP?
>
> I suspect it might have to do with the default access-control options
> (which limit to localhost only and refuse everyone else).
>
> You can also see if unbound listens to the IP correctly:
> `netstat -tulpnW | grep unbound`
>
> Can you paste your entire unbound.conf please (including any included
> files)?
>
>
> -- 
> staticsafe
> https://staticsafe.ca
> _______________________________________________
> Unbound-users mailing list
> Unbound-users at unbound.net
> http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users
>