<div dir="auto">This feels overly complicated Would it not better to have a special shared service vrf that all other vrfs, have a routing policy into for the relevant traffic. The unbound setup could then be fairly simple, rather than trying to manifest it in multiple places. You can also use this setup for any other shared services. </div><br><div class="gmail_quote"><div dir="ltr">On Sat, 5 Jan 2019, 10:56 Ralf Jung via Unbound-users <<a href="mailto:unbound-users@nlnetlabs.nl" target="_blank" rel="noreferrer">unbound-users@nlnetlabs.nl</a> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hi,<br>
<br>
> Not sure what your goal is, but would it not be easier to work with network namespaces instead of VRF ?<br>
<br>
I could probably use `ip vrf exec` to put unbound fully inside the VRF, and have<br>
the same effect as a network namespace.<br>
But what I want to happen is that outgoing queries are made via the default VRF<br>
on erh0, while the same daemon also replies to queries from the intranet in the<br>
other VRF. AFAIK such cross-VRF operation is not possible with network namespaces.<br>
<br>
Kind regards,<br>
Ralf<br>
<br>
> <br>
> Just like containers do ?<br>
> <br>
> With kind regards,<br>
> Leen.<br>
> Just an other Unbound user.<br>
> <br>
> On Fri, Jan 04, 2019 at 02:00:31PM +0100, Ralf Jung via Unbound-users wrote:<br>
>> Hi again,<br>
>><br>
>> I should probably give some more details about my configuration... currently, I<br>
>> am playing with<br>
>><br>
>>> interface: 0.0.0.0<br>
>>> interface: ::<br>
>>> access-control: <a href="http://10.24.192.0/18" rel="noreferrer noreferrer noreferrer" target="_blank">10.24.192.0/18</a> allow<br>
>>> access-control: fd4e:f2d7:88d2:ffff::/64 allow<br>
>>> ip-freebind: yes<br>
>>> interface-automatic: yes<br>
>>> outgoing-interface: 82.165.162.239<br>
>><br>
>> When a request now comes in from the <a href="http://10.24.192.0/18" rel="noreferrer noreferrer noreferrer" target="_blank">10.24.192.0/18</a> subnet (which is in the<br>
>> VRF), I can see via tcpdump that unbound sends requests to an authoritative DNS<br>
>> server to resolve this request. However, the response to the original client<br>
>> never goes out.<br>
>> Via TCP, the request actually works and a response is sent out correctly!<br>
>><br>
>> However, all of this is for IPv4 only, and only when I have set<br>
>> net.ipv4.{tcp,udp}_l3mdev_accept=1. For IPv6 and without that setting (which<br>
>> doesn't seem to exist for IPv6), unbound does not even seem to receive the<br>
>> request, there is no reaction in the form of messages to the authoritative DNS.<br>
>><br>
>> Kind regards,<br>
>> Ralf<br>
>><br>
>> On 04.01.19 13:24, Ralf Jung via Unbound-users wrote:<br>
>>> Hi all,<br>
>>><br>
>>> I am playing around with the [VRF] support on the Linux kernel, and got basic<br>
>>> routing and address assignment to work for IPv4 and IPv6. The next step,<br>
>>> obviously, is to get DNS, and here I am running into the following error in unbound:<br>
>>><br>
>>>> unbound[3115]: [3115:0] error: can't bind socket: Cannot assign requested address for 2a03:2260:3009::2<br>
>>><br>
>>> This is the expected error when an application does not use setsockopt for<br>
>>> SO_BINDTODEVICE to configure the device on which the address is to be bound.<br>
>>><br>
>>> Is there any way to tell unbound to bind to a particular device (and not just a<br>
>>> particular address)? The only options I found for configuring unbound allow<br>
>>> giving IP addresses to bind to, but there seems to be no way to also configure<br>
>>> the network device to use.<br>
>>><br>
>>> [VRF]: <a href="https://www.kernel.org/doc/Documentation/networking/vrf.txt" rel="noreferrer noreferrer noreferrer" target="_blank">https://www.kernel.org/doc/Documentation/networking/vrf.txt</a><br>
>>><br>
>>> Kind regards,<br>
>>> Ralf<br>
>>><br>
</blockquote></div>