[Unbound-users] Query on port 53 doesn't work
Holger Zuleger
Holger.Zuleger at hznet.de
Wed Aug 6 21:24:01 UTC 2014
Hi,
I have a somewhat strange problem running unbound and BIND together on
one Linux box (2.6.32).
BIND is listening only on the primary IP address (IPv4 and IPv6) while
unbound is configured to listen on the loopback interface (127.0.0.1 and
::1) and the secondary IPv4 and IPv6 addresses.
As usual, both name servers are using port 53 for this kind of service.
I stopped the firewall while running the test, to make sure that
the traffic is not blocked anywhere.
Unbound is configured with query logging to get some feedback if a query
is handled by the software or not.
As I'm not willing to run an open resolver, queries are restricted to
localhost and some subnets via the access-control directive.
For testing purposes I also added port 553 as listening port, so the
related unbound config is like this (port 443 is filtered out):
# grep " interface:" unbound.conf | grep -v 443
interface: 127.0.0.1
interface: ::1
interface: 88.198.13.180@553
interface: 88.198.13.180@53
interface: 2a01:4f8:130:1261::180@553
interface: 2a01:4f8:130:1261::180@53
This (plus the running BIND authoritative server) results in a list of
listening udp ports (output compressed, so that it fits in a line):
# netstat -p -anu | grep 53 | cut -c1-5,21-55,80-
udp 88.198.13.180:553 0.0.0.0:* 10515/unbound
udp 88.198.13.180:53 0.0.0.0:* 10515/unbound
udp 127.0.0.1:53 0.0.0.0:* 10515/unbound
udp 88.198.13.165:53 0.0.0.0:* 10551/named
udp6 2a01:4f8:130:1261:::553 :::* 10515/unbound
udp6 2a01:4f8:130:1261::1:53 :::* 10515/unbound
udp6 ::1:53 :::* 10515/unbound
udp6 2a01:4f8:130:1261::2:53 :::* 10551/named
netstat cuts off parts of the IP address, so in the third-last line the
host ID is not ::1 but ::180.
Now sending a query from a host whose subnet is allowed in the
access-control directive:
$ dig -p 53 www.google.com @88.198.13.180
; <<>> DiG 9.10.1b1 <<>> -p 53 www.google.com @88.198.13.180
;; global options: +cmd
;; connection timed out; no servers could be reached
At the same time I sniffed on the dns server side, and got the incoming
query, but no response. Also nothing seen in the querylog of unbound.
Now I tried the same with port 553 and this works:
$ dig -p 553 www.google.com @88.198.13.180
; <<>> DiG 9.10.1b1 <<>> -p 553 www.google.com @88.198.13.180
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7336
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.google.com. IN A
;; ANSWER SECTION:
www.google.com. 124 IN A 173.194.116.148
www.google.com. 124 IN A 173.194.116.147
www.google.com. 124 IN A 173.194.116.144
www.google.com. 124 IN A 173.194.116.146
www.google.com. 124 IN A 173.194.116.145
;; Query time: 79 msec
;; SERVER: 88.198.13.180#553(88.198.13.180)
;; WHEN: Wed Aug 06 19:28:44 CEST 2014
;; MSG SIZE rcvd: 123
I also got a message in the query log and saw the incoming and outgoing
packets in the trace.
The same is true if I use IPv6 as transport protocol (port 53 is not
working while 553 is).
Does anybody have an idea why port 53 is not working?
To make things a bit more confusing, I tried the same dig command on the
server itself.
Now IPv4 is working (ports 53 and 553), but IPv6 still works only on
port 553 and not on port 53!
# dig -p 53 www.google.com @88.198.13.180
; <<>> DiG 9.7.0-P1 <<>> -p 53 www.google.com @88.198.13.180
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29523
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.google.com. IN A
;; ANSWER SECTION:
www.google.com. 298 IN A 173.194.116.148
www.google.com. 298 IN A 173.194.116.145
www.google.com. 298 IN A 173.194.116.146
www.google.com. 298 IN A 173.194.116.144
www.google.com. 298 IN A 173.194.116.147
;; Query time: 0 msec
;; SERVER: 88.198.13.180#53(88.198.13.180)
;; WHEN: Wed Aug 6 19:34:01 2014
;; MSG SIZE rcvd: 123
# dig -p 53 www.google.com @2a01:4f8:130:1261::180
; <<>> DiG 9.7.0-P1 <<>> -p 53 www.google.com @2a01:4f8:130:1261::180
;; global options: +cmd
;; connection timed out; no servers could be reached
Thanks for any idea/suggestion on how to proceed.
Holger
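As an added triage aid (not part of the post), a small Python script that reads unbound's `interface:` lines and a `netstat -anup` listing and reports, per configured address and port, which daemon's socket would actually receive the traffic, so that "nobody bound", "two daemons competing via a wildcard bind" and "bound as expected, look elsewhere (access-control, firewall, routing)" can be told apart. The sample data is copied from the post (the list archive rendered unbound's `@` port separator as " at "); the handling of netstat-truncated IPv6 addresses and the `?` marker are my own heuristic, not a feature of unbound or netstat.

```python
# Constructed sample: the post's non-loopback `interface:` lines in unbound's real ADDR@PORT syntax.
UNBOUND_CONF = """\
interface: 88.198.13.180@553
interface: 88.198.13.180@53
interface: 2a01:4f8:130:1261::180@553
interface: 2a01:4f8:130:1261::180@53
"""
# Constructed sample: the post's matching `netstat -anup` rows; netstat truncated the IPv6 host part ::180.
NETSTAT = """\
udp 88.198.13.180:553 0.0.0.0:* 10515/unbound
udp 88.198.13.180:53 0.0.0.0:* 10515/unbound
udp 88.198.13.165:53 0.0.0.0:* 10551/named
udp6 2a01:4f8:130:1261:::553 :::* 10515/unbound
udp6 2a01:4f8:130:1261::1:53 :::* 10515/unbound
udp6 2a01:4f8:130:1261::2:53 :::* 10551/named
"""

def parse_interfaces(conf, default_port=53):
    """{(addr, port)} for every `interface: ADDR[@PORT]` line (port defaults to 53)."""
    wanted = set()
    for key, _, value in (l.partition(":") for l in conf.splitlines()):
        if key.strip() == "interface":
            addr, sep, port = value.strip().rpartition("@")
            wanted.add((addr, int(port)) if sep else (port, default_port))
    return wanted

def parse_netstat(output):
    """[(proto, addr, port, program)] from `netstat -anup`-style rows."""
    rows = []
    for proto, local, _remote, pidprog in (l.split() for l in output.splitlines()):
        addr, _, port = local.rpartition(":")   # last ':' separates the port
        rows.append((proto, addr, int(port), pidprog.split("/", 1)[1]))
    return rows

def listener_status(wanted, rows):
    """Programs whose socket receives each configured (addr, port): exact or wildcard
    bind, or (suffixed '?') a netstat-truncated IPv6 match. 2 owners = competing daemons."""
    status = {}
    for addr, port in wanted:
        owners = set()
        for proto, raddr, rport, prog in rows:
            if rport != port or (":" in addr) != (proto == "udp6"):
                continue                          # other port or other address family
            if raddr == addr or raddr in ("0.0.0.0", "::"):
                owners.add(prog)
            elif proto == "udp6" and addr.startswith(raddr.rstrip(":")):
                owners.add(prog + "?")            # heuristic; `ss -lunp` prints full addresses
        status[(addr, port)] = owners
    return status

if __name__ == "__main__":
    report = listener_status(parse_interfaces(UNBOUND_CONF), parse_netstat(NETSTAT))
    for (addr, port), owners in sorted(report.items()):
        print(f"{addr}@{port}: {sorted(owners) or 'NOBODY BOUND'}")
```

On the post's data every configured address resolves to unbound alone, which rules out a socket-ownership clash with named and points the investigation at access-control, filtering on the path, or the IPv6 route instead.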