Maintained by: NLnet Labs

[Unbound-users] Can't get Unbound caching/recursive server to answer on outside IP

unbound at fongaboo.com
Wed Nov 5 15:19:37 CET 2014


Nevermind. You were right! I got it working...

Just added access-control allow x.x.x.x/x and life is good now.


Which makes sense because I could see it listening on sockstat, and I 
could even telnet into port 53 on the 2nd IP (since it is configured to 
answer TCP requests in addition to UDP) and get a handshake. So the 
daemon was running, bound on that IP and answering. It just was refusing 
to give any useful answers until I told it it was cool to talk to my 
originating IP.


On Wed, 5 Nov 2014, unbound at fongaboo.com wrote:

>
> Thank you. I'm going to do some googling on access-control. In the meantime, 
> here is my conf file:
>
> ## Authoritative, validating, recursive caching DNS
> ## unbound.conf -- https://calomel.org
> #
> server:
>  # log verbosity
>    verbosity: 2
>
>  # specify the interfaces to answer queries from by ip-address.  The default
>  # is to listen to localhost (127.0.0.1 and ::1).  specify 0.0.0.0 and ::0 to
>  # bind to all available interfaces.  specify every interface[@port] on a new
>  # 'interface:' labeled line.  The listen interfaces are not changed on
>  # reload, only on restart.
>    interface: 127.0.0.1
>    interface: <2nd outside IP>
>
>  # port to answer queries from
>    port: 53
>
>  # Enable IPv4, "yes" or "no".
>    do-ip4: yes
>
>  # Enable IPv6, "yes" or "no".
>    do-ip6: no
>
>  # Enable UDP, "yes" or "no".
>    do-udp: yes
>
>  # Enable TCP, "yes" or "no". If TCP is not needed, Unbound is actually
>  # quicker to resolve as the functions related to TCP checks are not done.
>  # NOTE: you may need tcp enabled to get the DNSSEC results from *.edu domains
>  # due to their size.
>    do-tcp: yes
>
>  # control which client ips are allowed to make (recursive) queries to this
>  # server. Specify classless netblocks with /size and action.  By default
>  # everything is refused, except for localhost.  Choose deny (drop message),
>  # refuse (polite error reply), allow (recursive ok), allow_snoop (recursive
>  # and nonrecursive ok)
>    access-control: 127.0.0.0/8 allow
>    access-control: 10.0.0.0/16 allow
>
>  # Read the root hints from this file. Default is nothing, using built in
>  # hints for the IN class. The file has the format of zone files, with root
>  # nameserver names and addresses only. The default may become outdated,
>  # when servers change, therefore it is good practice to use a root-hints
>  # file.  get one from ftp://FTP.INTERNIC.NET/domain/named.cache
>    root-hints: "/var/unbound/root.hints"
>
>  # enable to not answer id.server and hostname.bind queries.
>    hide-identity: yes
>
>  # enable to not answer version.server and version.bind queries.
>    hide-version: yes
>
>  # Will trust glue only if it is within the servers authority.
>  # Harden against out of zone rrsets, to avoid spoofing attempts.
>  # Hardening queries multiple name servers for the same data to make
>  # spoofing significantly harder and does not mandate dnssec.
>    harden-glue: yes
>
>  # Require DNSSEC data for trust-anchored zones, if such data is absent, the
>  # zone becomes bogus.  Harden against receiving dnssec-stripped data. If you
>  # turn it off, failing to validate dnskey data for a trustanchor will trigger
>  # insecure mode for that zone (like without a trustanchor).  Default on,
>  # which insists on dnssec data for trust-anchored zones.
>    harden-dnssec-stripped: yes
>
>  # Use 0x20-encoded random bits in the query to foil spoof attempts.
>  # http://tools.ietf.org/html/draft-vixie-dnsext-dns0x20-00
>  # While upper and lower case letters are allowed in domain names, no significance
>  # is attached to the case. That is, two names with the same spelling but
>  # different case are to be treated as if identical. This means calomel.org is the
>  # same as CaLoMeL.Org which is the same as CALOMEL.ORG.
>    use-caps-for-id: yes
>
>  # the time to live (TTL) value lower bound, in seconds. Default 0.
>  # If more than an hour could easily give trouble due to stale data.
>    cache-min-ttl: 3600
>
>  # the time to live (TTL) value cap for RRsets and messages in the
>  # cache. Items are not cached for longer. In seconds.
>    cache-max-ttl: 86400
>
>  # perform prefetching of close to expired message cache entries.  If a client
>  # requests the dns lookup and the TTL of the cached hostname is going to
>  # expire in less than 10% of its TTL, unbound will (1st) return the ip of the
>  # host to the client and (2nd) pre-fetch the dns request from the remote dns
>  # server. This method has been shown to increase the amount of cached hits by
>  # local clients by 10% on average.
>    prefetch: yes
>
>  # number of threads to create. 1 disables threading. This should equal the number
>  # of CPU cores in the machine. Our example machine has 4 CPU cores.
>    num-threads: 4
>
>
>  ## Unbound Optimization and Speed Tweaks ###
>
>  # the number of slabs to use for cache and must be a power of 2 times the
>  # number of num-threads set above. more slabs reduce lock contention, but
>  # fragment memory usage.
>    msg-cache-slabs: 8
>    rrset-cache-slabs: 8
>    infra-cache-slabs: 8
>    key-cache-slabs: 8
>
>  # Increase the memory size of the cache. Use roughly twice as much rrset cache
>  # memory as you use msg cache memory. Due to malloc overhead, the total memory
>  # usage is likely to rise to double (or 2.5x) the total cache memory. The test
>  # box has 4gig of ram so 256meg for rrset allows a lot of room for cached objects.
>    rrset-cache-size: 256m
>    msg-cache-size: 128m
>
>  # buffer size for UDP port 53 incoming (SO_RCVBUF socket option). This sets
>  # the kernel buffer larger so that no messages are lost in spikes in the traffic.
>    so-rcvbuf: 1m
>
>  ## Unbound Optimization and Speed Tweaks ###
>
>
>  # Enforce privacy of these addresses. Strips them away from answers.  It may
>  # cause DNSSEC validation to additionally mark it as bogus.  Protects against
>  # 'DNS Rebinding' (uses browser as network proxy).  Only 'private-domain' and
>  # 'local-data' names are allowed to have these private addresses. No default.
>  # private-address: 10.0.0.0/8
>  # private-address: 172.16.0.0/12
>  # private-address: 10.0.0.0/16
>
>  # Allow the domain (and its subdomains) to contain private addresses.
>  # local-data statements are allowed to contain private addresses too.
>  # private-domain: "home.lan"
>
>  # If nonzero, unwanted replies are not only reported in statistics, but also
>  # a running total is kept per thread. If it reaches the threshold, a warning
>  # is printed and a defensive action is taken, the cache is cleared to flush
>  # potential poison out of it.  A suggested value is 10000000, the default is
>  # 0 (turned off). We think 10K is a good value.
>    unwanted-reply-threshold: 10000
>
>  # IMPORTANT FOR TESTING: If you are testing and setup NSD or BIND on
>  # localhost you will want to allow the resolver to send queries to localhost.
>  # Make sure to set do-not-query-localhost: yes . If yes, the above default
>  # do-not-query-address entries are present.  if no, localhost can be queried
>  # (for testing and debugging).
>    do-not-query-localhost: no
>
>  # File with trusted keys, kept up to date using RFC5011 probes, initial file
>  # like trust-anchor-file, then it stores metadata.  Use several entries, one
>  # per domain name, to track multiple zones. If you use forward-zone below to
>  # query the Google DNS servers you MUST comment out this option or all DNS
>  # queries will fail.
>    auto-trust-anchor-file: "/var/unbound/root.key"
>
>  # Should additional section of secure message also be kept clean of unsecure
>  # data. Useful to shield the users of this validator from potential bogus
>  # data in the additional section. All unsigned data in the additional section
>  # is removed from secure messages.
>    val-clean-additional: yes
>
>  # Blocking Ad Server domains. Google's AdSense, DoubleClick and Yahoo
>  # account for a 70 percent share of all advertising traffic. Block them.
>  # local-zone: "doubleclick.net" redirect
>  # local-data: "doubleclick.net A 127.0.0.1"
>  # local-zone: "googlesyndication.com" redirect
>  # local-data: "googlesyndication.com A 127.0.0.1"
>  # local-zone: "googleadservices.com" redirect
>  # local-data: "googleadservices.com A 127.0.0.1"
>  # local-zone: "google-analytics.com" redirect
>  # local-data: "google-analytics.com A 127.0.0.1"
>  # local-zone: "ads.youtube.com" redirect
>  # local-data: "ads.youtube.com A 127.0.0.1"
>  # local-zone: "adserver.yahoo.com" redirect
>  # local-data: "adserver.yahoo.com A 127.0.0.1"
>
>
>  # Unbound will not load if you specify the same local-zone and local-data
>  # servers in the main configuration as well as in this "include:" file. We
>  # suggest commenting out any of the local-zone and local-data lines above if
>  # you suspect they could be included in the unbound_ad_servers servers file.
>  #include: "/usr/local/etc/unbound/unbound_ad_servers"
>
>  # locally served zones can be configured for the machines on the LAN.
>
>  # local-zone: "home.lan." static
>
>  # local-data: "firewall.home.lan.  IN A 10.0.0.1"
>  # local-data: "laptop.home.lan.    IN A 10.0.0.2"
>  # local-data: "xboxone.home.lan.   IN A 10.0.0.3"
>  # local-data: "ps4.home.lan.       IN A 10.0.0.4"
>  # local-data: "dhcp5.home.lan.     IN A 10.0.0.5"
>  # local-data: "dhcp6.home.lan.     IN A 10.0.0.6"
>  # local-data: "dhcp7.home.lan.     IN A 10.0.0.7"
>
>  # local-data-ptr: "10.0.0.1  firewall.home.lan"
>  # local-data-ptr: "10.0.0.2  laptop.home.lan"
>  # local-data-ptr: "10.0.0.3  xboxone.home.lan"
>  # local-data-ptr: "10.0.0.4  ps4.home.lan"
>  # local-data-ptr: "10.0.0.5  dhcp5.home.lan"
>  # local-data-ptr: "10.0.0.6  dhcp6.home.lan"
>  # local-data-ptr: "10.0.0.7  dhcp7.home.lan"
>
>  # Unbound can query your NSD or BIND server for private domain queries too.
>  # On our NSD page we have NSD configured to serve the private domain,
>  # "home.lan". Here we can tell Unbound to connect to the NSD server when it
>  # needs to resolve a *.home.lan hostname or IP.
>  #
>  # private-domain: "home.lan"
>  # local-zone: "0.0.10.in-addr.arpa." nodefault
>  # stub-zone:
>  #      name: "home.lan"
>  #      stub-addr: 10.0.0.111@53
>
>  # If you have internal or private DNS names the external DNS servers can
>  # not resolve, then you can assign domain name strings to be redirected to a
>  # separate dns server. For example, our company has the domain
>  # organization.com and the domain name internal.organization.com can not be
>  # resolved by Google's public DNS, but can be resolved by our private DNS
>  # server located at 1.1.1.1. The following tells Unbound that any
>  # organization.com domain, i.e. *.organization.com be dns resolved by 1.1.1.1
>  # instead of the public dns servers.
>  #
>  # forward-zone:
>  #    name: "organization.com"
>  #    forward-addr: 1.1.1.1        # Internal or private DNS
>
>  # Use the following forward-zone to forward all queries to Google DNS,
>  # OpenDNS.com or your local ISP's dns servers for example. To test resolution
>  # speeds use "drill calomel.org @8.8.8.8" and look for the "Query time:" in
>  # milliseconds.
>  #
>    forward-zone:
>       name: "."
>  #    forward-addr: 8.8.8.8        # Google Public DNS
>  #    forward-addr: 74.82.42.42    # Hurricane Electric
>  #    forward-addr: 4.2.2.4        # Level3 Verizon
>       forward-addr: 208.67.222.222 # OpenDNS
>       forward-addr: 208.67.220.220 # OpenDNS
> #
> #
> ## Authoritative, validating, recursive caching DNS
> ## unbound.conf -- https://calomel.org
>
> remote-control:
>        control-enable: yes
>        control-interface: 127.0.0.1
>        control-port: 8953
>        server-key-file: "/var/unbound/unbound_server.key"
>        server-cert-file: "/var/unbound/unbound_server.pem"
>        control-key-file: "/var/unbound/unbound_control.key"
>        # the posted file repeated control-key-file here; unbound-control needs
>        # the client certificate as well (path assumed to match the key name)
>        control-cert-file: "/var/unbound/unbound_control.pem"
>
>
>
>
> On Tue, 4 Nov 2014, staticsafe wrote:
>
>> On 11/4/2014 13:07, unbound at fongaboo.com wrote:
>>> 
>>> Have a FreeBSD 10 machine. Have two outside IPs bound to it. First IP
>>> has NSD running as an authoritative server. This is specified
>>> specifically in the interface entry of nsd.conf.
>>> 
>>> Trying to run caching/recursive nameserver with unbound on the second
>>> IP. I specified the following entries in unbound.conf:
>>>
>>>     interface: 127.0.0.1
>>>     interface: <Second IP>
>> ...
>>> Any ideas why I can't get answers on the second IP?
>> 
>> I suspect it might have to do with the default access-control options
>> (which limit to localhost only and refuse everyone else).
>> 
>> You can also see if unbound listens to the IP correctly:
>> `netstat -tulpnW | grep unbound`
>> 
>> Can you paste your entire unbound.conf please (including any included
>> files)?
>> 
>> 
>> -- 
>> staticsafe
>> https://staticsafe.ca
>> _______________________________________________
>> Unbound-users mailing list
>> Unbound-users at unbound.net
>> http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users
>> 
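The thread's lesson is that a resolver can be bound, listening, and completing TCP handshakes while still refusing every query, because access-control is evaluated per client address after the connection is up. The following added example (not code from the thread, from NLnet Labs, or from calomel.org) models that decision: it pulls the access-control lines out of an unbound.conf fragment, picks the most specific netblock for a client address the way Unbound does, and falls back to the default the quoted comment describes (localhost allowed, everyone else refused). It also decodes the RCODE of a DNS response header so a REFUSED reply can be told apart from a real answer. The 203.0.113.0/24 netblock and the client addresses are constructed documentation values, not the poster's real IPs.

```python
"""Unbound access-control decision and DNS RCODE decoding (added example).

Assumptions: Unbound chooses the longest-prefix access-control entry that
covers the client address; with no entry, loopback clients are allowed and
all others get a REFUSED reply, as the quoted config comment describes.
"""
import ipaddress
import re
import struct

ACTIONS = {"deny", "refuse", "allow", "allow_snoop"}
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL",
               3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}
_AC_RE = re.compile(r"^\s*access-control:\s*(\S+)\s+(\S+)\s*$")


def parse_access_control(conf_text):
    """Return [(ip_network, action)] from the access-control lines in conf_text.

    Comments after '#' are ignored; unknown actions raise ValueError.
    """
    rules = []
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0]
        m = _AC_RE.match(line)
        if not m:
            continue
        net = ipaddress.ip_network(m.group(1), strict=False)
        action = m.group(2)
        if action not in ACTIONS:
            raise ValueError(f"unknown access-control action: {action}")
        rules.append((net, action))
    return rules


def decide(rules, client_ip):
    """Most specific matching netblock wins; default allows only loopback."""
    addr = ipaddress.ip_address(client_ip)
    best = None
    for net, action in rules:
        if addr.version == net.version and addr in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, action)
    if best is not None:
        return best[1]
    return "allow" if addr.is_loopback else "refuse"


def rcode_name(msg):
    """Decode the RCODE from the 12-byte DNS header of a response message."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    _id, flags = struct.unpack("!HH", msg[:4])
    if not flags & 0x8000:               # QR bit clear: this is a query
        raise ValueError("not a response")
    return RCODE_NAMES.get(flags & 0x000F, f"RCODE{flags & 0x000F}")


# Constructed config fragments: the poster's original rules, then the fix.
CONF_BEFORE = """
server:
    access-control: 127.0.0.0/8 allow
    access-control: 10.0.0.0/16 allow   # LAN
"""
CONF_AFTER = CONF_BEFORE + "    access-control: 203.0.113.0/24 allow  # constructed outside netblock\n"

# Constructed 12-byte responses: id 0x1234, QR|RD|RA set, no records.
REFUSED_RESPONSE = b"\x12\x34\x81\x85" + b"\x00" * 8   # RCODE 5
NOERROR_RESPONSE = b"\x12\x34\x81\x80" + b"\x00" * 8   # RCODE 0


def walkthrough():
    """Reproduce the thread: refused from outside, allowed after the fix."""
    before = parse_access_control(CONF_BEFORE)
    after = parse_access_control(CONF_AFTER)
    return {
        "outside_before": decide(before, "203.0.113.7"),   # refuse
        "outside_after": decide(after, "203.0.113.7"),     # allow
        "loopback": decide(before, "127.0.0.1"),           # allow
        "lan": decide(before, "10.0.5.9"),                 # allow
        "other_before": decide(before, "198.51.100.2"),    # refuse
        "refused_rcode": rcode_name(REFUSED_RESPONSE),     # REFUSED
        "ok_rcode": rcode_name(NOERROR_RESPONSE),          # NOERROR
    }


if __name__ == "__main__":
    for key, value in walkthrough().items():
        print(f"{key}: {value}")
```

A TCP connect to port 53 (the telnet test in the thread) only proves the socket is bound; the access-control step runs after that, so a successful handshake followed by `REFUSED` is exactly what the model above produces for `203.0.113.7` before the extra netblock is added. Note that `allow` on an outside netblock turns the instance into a resolver for that range, so the netblock should be as narrow as the clients that actually need it.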