[Unbound-users] unbound-1.4.7 fails to resolve on simple configuration
wouter at NLnetLabs.nl
Wed Dec 8 07:12:56 UTC 2010
On 12/08/2010 01:35 AM, Andrew Savchenko wrote:
> I'm trying to set up a simple caching resolver using unbound-1.4.7, but
> it fails to work and seems to fall into an infinite loop. This is my
Not an infinite loop: waiting for data, and getting timeouts.
> interface: 0.0.0.0
> access-control: 127.0.0.1/32 allow
> verbosity: 5
> do-ip6: no
This config should resolve names.
> Then I run unbound-host kernel.org -C /etc/unbound/unbound.conf >
> unbound.log 2>&1 to test. You can see what happens in the attached
> file unbound.log. The program was terminated using ^C eventually. Running
> the unbound daemon gives the same result.
> Via tcpdump I can see all these packets sent (see unbound.log), but
> no replies. Bind on the same host works without any problems. I tried
> to stop bind during testing using unbound-host to exclude any
> interference, but this does not help.
So, unbound tries to send queries to root servers. But it never
receives replies. There is thus some sort of over-active firewall that
blocks queries towards the DNS root servers (it does not block queries
to Google DNS, apparently, so the firewall does not make sense).
> I tried to fetch the latest root hints from
> ftp://FTP.INTERNIC.NET/domain/named.cache and add a path to config
> root-hints: "/etc/unbound/named.cache"
> but this doesn't help a bit.
> Of course, my final setup will be more complicated. It's a sore fact,
> but more complicated things work, while the simple resolver fails. When
> I use the nsd daemon for a local zone it works well (for local zone
Yes because then queries to campus.local do not require the root DNS
servers. Those root servers are still unreachable.
> And another note: without the "do-not-query-localhost: no" option, nsd
> running on 127.0.0.1:10053 will not be queried; this is not so
> obvious and it would be great to point it out somewhere in the
Thanks for that.
> But I want to use unbound's own resolver, and I have absolutely no
> idea what to do now: either I hit some grave bug or I deeply
> misunderstand how unbound should work. Any help will be appreciated.
Your network has strange firewalls. If you dig @<address of root
server> +dnssec +cdflag then you send the exact packet that unbound is
also sending out.
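The reply suggests comparing what `dig @<address of root server> +dnssec +cdflag` sends with what tcpdump shows leaving the host. The following is an added example, not code from this thread, from Unbound or from dig: it builds a DNS query with the CD flag and the EDNS0 DO bit set, decodes such a packet back into the fields worth checking in a capture, and offers a `probe()` helper that sends one query over UDP and reports a timeout as `None`. Everything beyond the thread is an assumption of the example: query type A, an EDNS0 payload size of 4096, an iterative-style query with RD cleared, and the server address as a parameter (no root server address is hard-coded).

```python
"""Constructed example (not from the thread): build the kind of DNS query
a `dig <name> @<server> +dnssec +cdflag` run sends, and decode one back,
so the flags can be compared against what tcpdump shows leaving the host.

Assumptions (not stated in the thread): query type A, EDNS0 payload size
4096, iterative-style query with RD cleared. The server address used by
probe() is a parameter; no root server address is hard-coded here.
"""
import socket
import struct

DNS_FLAG_RD = 0x0100   # recursion desired
DNS_FLAG_CD = 0x0010   # checking disabled
EDNS_DO = 0x8000       # DNSSEC OK bit, lives in the OPT RR "TTL" field
OPT_TYPE = 41
QTYPE_A = 1
QCLASS_IN = 1
EDNS_UDP_SIZE = 4096   # assumed buffer size, see module docstring


def encode_name(name):
    """Wire-format a dotted name as length-prefixed labels ending in a 0 byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        if not 1 <= len(label) <= 63:
            raise ValueError("bad label in %r" % name)
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(qname, qid=0x1234, rd=False, cd=True, dnssec=True):
    """Return the bytes of a DNS query for an A record of qname."""
    flags = (DNS_FLAG_RD if rd else 0) | (DNS_FLAG_CD if cd else 0)
    arcount = 1 if dnssec else 0
    header = struct.pack("!HHHHHH", qid, flags, 1, 0, 0, arcount)
    question = encode_name(qname) + struct.pack("!HH", QTYPE_A, QCLASS_IN)
    opt = b""
    if dnssec:
        # OPT pseudo-RR: root name, type 41, class = UDP payload size,
        # TTL field carries ext-rcode/version/flags (DO), empty RDATA.
        opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, EDNS_UDP_SIZE, EDNS_DO, 0)
    return header + question + opt


def decode_query(packet):
    """Pick the fields worth checking in a capture out of a query packet."""
    qid, flags, qdcount, _an, _ns, arcount = struct.unpack("!HHHHHH", packet[:12])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    pos, labels = 12, []
    while True:
        ln = packet[pos]
        pos += 1
        if ln == 0:
            break
        labels.append(packet[pos:pos + ln].decode("ascii"))
        pos += ln
    qtype, _qclass = struct.unpack("!HH", packet[pos:pos + 4])
    pos += 4
    info = {
        "id": qid,
        "qname": ".".join(labels) + ".",
        "qtype": qtype,
        "rd": bool(flags & DNS_FLAG_RD),
        "cd": bool(flags & DNS_FLAG_CD),
        "do": False,
        "edns_udp_size": None,
    }
    if arcount and packet[pos] == 0:
        rtype, udp_size, ttl, _rdlen = struct.unpack("!HHIH", packet[pos + 1:pos + 11])
        if rtype == OPT_TYPE:
            info["do"] = bool(ttl & EDNS_DO)
            info["edns_udp_size"] = udp_size
    return info


def probe(server_ip, qname, timeout=3.0):
    """Send one query over UDP/53 and return the reply bytes, or None on timeout.

    This is the manual check the reply describes: a None result from a root
    server while the same query to a public resolver is answered points at
    filtering between this host and the root servers rather than at unbound.
    """
    query = build_query(qname)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server_ip, 53))
        try:
            reply, _ = s.recvfrom(4096)
        except socket.timeout:
            return None
    return reply


if __name__ == "__main__":
    pkt = build_query("kernel.org")
    print(len(pkt), "bytes:", decode_query(pkt))
```

Running the module prints the decoded fields of the query it would send; `probe(<server>, "kernel.org")` returning `None` for a root server, and bytes for a resolver that is known to answer, reproduces the "packets sent, no replies" picture from the tcpdump in the thread without involving unbound at all.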