<html><head></head><body>How about running nsd on a different port and simply forward queries to these zones via unbound? <br><br><div class="gmail_quote">Am 20. Februar 2023 20:20:56 MEZ schrieb David Newman via Unbound-users <unbound-users@lists.nlnetlabs.nl>:<blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;">
<pre dir="auto" class="k9mail">Hi Yorgos,<br><br>Thanks very much. Logging and debugging was a very good idea. It showed <br>that the unbound config is fine, and that the issue is something I <br>neglected to mention: This system also runs NSD as an authoritative-only <br>name server, and NSD had already bound to UDP port 53.<br><br>This may be a question for the openbsd-misc list instead, but if anyone <br>here has examples of how to run an authoritative and recursive server on <br>the same box using unbound and NSD please let me know. I previously used <br>bind, which didn't have this issue because one server handled both <br>authoritative and recursive queries.<br><br>Thanks again!<br><br>dn<br><br><br><br>On 2/20/23 2:22 AM, George (Yorgos) Thessalonikefs via Unbound-users wrote:<br><blockquote class="gmail_quote" style="margin: 0pt 0pt 1ex 0.8ex; border-left: 1px solid #729fcf; padding-left: 1ex;"> Hi David,<br><br> Your configuration should work.<br> Are you sure that Unbound is seeing that exact client IP address?<br> If you increase verbosity (4 at least) Unbound will log why the query <br> was refused.<br><br><blockquote class="gmail_quote" style="margin: 0pt 0pt 1ex 0.8ex; border-left: 1px solid #ad7fa8; padding-left: 1ex;">A dig query against this server returns "recursion requested but not<br>available".<br></blockquote> I suppose the "status:" of that response is "REFUSED"?<br><br> Best regards,<br> -- Yorgos<br><br><br> On 19/02/2023 20:50, David Newman via Unbound-users wrote:<br><blockquote class="gmail_quote" style="margin: 0pt 0pt 1ex 0.8ex; border-left: 1px solid #ad7fa8; padding-left: 1ex;"> New unbound user here, recent arrival after many years with bind.<br><br> Attempts at a recursive lookup fail against an unbound server, even <br> though unbound.conf explicitly allows this from one particular <br> client. I searched the archive and didn't find an answer, but I may <br> have missed something.<br><br> A dig query against this server returns "recursion requested but not <br> available". There are no firewalls blocking traffic between client <br> and server. Running tcpdump on the server shows the query coming in <br> and the server rejecting it.<br><br> The server uses the Unbound v. 1.16.3 as supplied in OpenBSD 7.2 and <br> has these IP addresses:<br><br> 149.28.38.111<br><br> 2001:19f0:c:1055:5400:4ff:fe4c:d46a<br><br> The client also runs OpenBSD 7.2 and has these IP addresses:<br><br> 144.202.0.40<br><br> 2001:19f0:c:75b:471f:a26a:c6f2:77bd<br><br> The server's full unbound.conf is pasted below, but these are the <br> relevant bits:<br><br> server:<br> root-hints: "/var/unbound/db/root.hints"<br> #qname-minimisation: yes<br> interface: 0.0.0.0<br> interface: ::0<br> do-ip6: yes<br><br> access-control: 0.0.0.0/0 refuse<br><br> ..<br><br> access-control: 144.202.0.40/32 allow<br> access-control: 2001:19f0:c:75b::/64 allow<br><br> Shouldn't the server allow a recursive query from this client? If <br> not, what's missing? Thanks!<br><br> dn<br><br><br> full unbound.conf:<br><br> # $OpenBSD: unbound.conf,v 1.21 2020/10/28 11:35:58 sthen Exp $<br><br> server:<br> root-hints: "/var/unbound/db/root.hints"<br> #qname-minimisation: yes<br> interface: 0.0.0.0<br> #interface: 127.0.0.1@5353 # listen on alternative port<br> interface: ::0<br> do-ip6: yes<br><br> # override the default "any" address to send queries; if multiple<br> # addresses are available, they are used randomly to counter <br> spoofing<br> #outgoing-interface: 192.0.2.1<br> #outgoing-interface: 2001:db8::53<br><br> access-control: 0.0.0.0/0 refuse<br> access-control: 127.0.0.0/8 allow<br> access-control: ::0/0 refuse<br> access-control: ::1 allow<br><br> # allow recursive queries from this client<br> access-control: 144.202.0.40/32 allow<br> access-control: 2001:19f0:c:75b::/64 allow<br><br> hide-identity: yes<br> hide-version: yes<br><br> # Perform DNSSEC validation.<br> #<br> #auto-trust-anchor-file: "/var/unbound/db/root.key"<br> #val-log-level: 2<br><br> remote-control:<br> control-enable: yes<br> control-interface: /var/run/unbound.sock<br><br> # Use an upstream forwarder (recursive resolver) for some or all zones.<br> #<br> forward-zone:<br> name: "." # use for ALL queries<br> # forward-addr: 192.0.2.53 # example address only<br> forward-addr: 9.9.9.9 #<br> forward-first: yes # try direct if forwarder fails<br><br><br></blockquote></blockquote></pre></blockquote></div><div style='white-space: pre-wrap'><div class='k9mail-signature'>-- <br>Diese Nachricht wurde von meinem Android-Gerät mit K-9 Mail gesendet.</div></div></body></html>