[Unbound-users] Can't get Unbound caching/recursive server to answer on outside IP
unbound at fongaboo.com
Wed Nov 5 14:19:37 UTC 2014
Never mind. You were right! I got it working...
Just added access-control allow x.x.x.x/x and life is good now.
Which makes sense because I could see it listening on sockstat, and I
could even telnet into port 53 on the 2nd IP (since it is configured to
answer TCP requests in addition to UDP) and get a handshake. So the
daemon was running, bound on that IP and answering. It just was refusing
to give any useful answers until I told it it was cool to talk to my
originating IP.
On Wed, 5 Nov 2014, unbound at fongaboo.com wrote:
>
> Thank you. I'm going to do some googling on access-control. In the meantime,
> here is my conf file:
>
> ## Authoritative, validating, recursive caching DNS
> ## unbound.conf -- https://calomel.org
> #
> server:
> # log verbosity
> verbosity: 2
>
> # specify the interfaces to answer queries from by ip-address. The default
> # is to listen to localhost (127.0.0.1 and ::1). specify 0.0.0.0 and ::0 to
> # bind to all available interfaces. specify every interface[@port] on a new
> # 'interface:' labeled line. The listen interfaces are not changed on
> # reload, only on restart.
> interface: 127.0.0.1
> interface: <2nd outside IP>
>
> # port to answer queries from
> port: 53
>
> # Enable IPv4, "yes" or "no".
> do-ip4: yes
>
> # Enable IPv6, "yes" or "no".
> do-ip6: no
>
> # Enable UDP, "yes" or "no".
> do-udp: yes
>
> # Enable TCP, "yes" or "no". If TCP is not needed, Unbound is actually
> # quicker to resolve as the functions related to TCP checks are not done.
> # NOTE: you may need tcp enabled to get the DNSSEC results from *.edu domains
> # due to their size.
> do-tcp: yes
>
> # control which client ips are allowed to make (recursive) queries to this
> # server. Specify classless netblocks with /size and action. By default
> # everything is refused, except for localhost. Choose deny (drop message),
> # refuse (polite error reply), allow (recursive ok), allow_snoop (recursive
> # and nonrecursive ok)
> access-control: 127.0.0.0/8 allow
> access-control: 10.0.0.0/16 allow
>
> # Read the root hints from this file. Default is nothing, using built in
> # hints for the IN class. The file has the format of zone files, with root
> # nameserver names and addresses only. The default may become outdated,
> # when servers change, therefore it is good practice to use a root-hints
> # file. get one from ftp://FTP.INTERNIC.NET/domain/named.cache
> root-hints: "/var/unbound/root.hints"
>
> # enable to not answer id.server and hostname.bind queries.
> hide-identity: yes
>
> # enable to not answer version.server and version.bind queries.
> hide-version: yes
>
> # Will trust glue only if it is within the servers authority.
> # Harden against out of zone rrsets, to avoid spoofing attempts.
> # Hardening queries multiple name servers for the same data to make
> # spoofing significantly harder and does not mandate dnssec.
> harden-glue: yes
>
> # Require DNSSEC data for trust-anchored zones, if such data is absent, the
> # zone becomes bogus. Harden against receiving dnssec-stripped data. If you
> # turn it off, failing to validate dnskey data for a trustanchor will trigger
> # insecure mode for that zone (like without a trustanchor). Default on,
> # which insists on dnssec data for trust-anchored zones.
> harden-dnssec-stripped: yes
>
> # Use 0x20-encoded random bits in the query to foil spoof attempts.
> # http://tools.ietf.org/html/draft-vixie-dnsext-dns0x20-00
> # While upper and lower case letters are allowed in domain names, no significance
> # is attached to the case. That is, two names with the same spelling but
> # different case are to be treated as if identical. This means calomel.org is the
> # same as CaLoMeL.Org which is the same as CALOMEL.ORG.
> use-caps-for-id: yes
>
> # the time to live (TTL) value lower bound, in seconds. Default 0.
> # If more than an hour could easily give trouble due to stale data.
> cache-min-ttl: 3600
>
> # the time to live (TTL) value cap for RRsets and messages in the
> # cache. Items are not cached for longer. In seconds.
> cache-max-ttl: 86400
>
> # perform prefetching of close to expired message cache entries. If a client
> # requests the dns lookup and the TTL of the cached hostname is going to
> # expire in less than 10% of its TTL, unbound will (1st) return the ip of the
> # host to the client and (2nd) pre-fetch the dns request from the remote dns
> # server. This method has been shown to increase the amount of cached hits by
> # local clients by 10% on average.
> prefetch: yes
>
> # number of threads to create. 1 disables threading. This should equal the number
> # of CPU cores in the machine. Our example machine has 4 CPU cores.
> num-threads: 4
>
>
> ## Unbound Optimization and Speed Tweaks ###
>
> # the number of slabs to use for cache and must be a power of 2 times the
> # number of num-threads set above. more slabs reduce lock contention, but
> # fragment memory usage.
> msg-cache-slabs: 8
> rrset-cache-slabs: 8
> infra-cache-slabs: 8
> key-cache-slabs: 8
>
> # Increase the memory size of the cache. Use roughly twice as much rrset cache
> # memory as you use msg cache memory. Due to malloc overhead, the total memory
> # usage is likely to rise to double (or 2.5x) the total cache memory. The test
> # box has 4gig of ram so 256meg for rrset allows a lot of room for cached objects.
> rrset-cache-size: 256m
> msg-cache-size: 128m
>
> # buffer size for UDP port 53 incoming (SO_RCVBUF socket option). This sets
> # the kernel buffer larger so that no messages are lost in spikes in the traffic.
> so-rcvbuf: 1m
>
> ## Unbound Optimization and Speed Tweaks ###
>
>
> # Enforce privacy of these addresses. Strips them away from answers. It may
> # cause DNSSEC validation to additionally mark it as bogus. Protects against
> # 'DNS Rebinding' (uses browser as network proxy). Only 'private-domain' and
> # 'local-data' names are allowed to have these private addresses. No default.
> # private-address: 10.0.0.0/8
> # private-address: 172.16.0.0/12
> # private-address: 10.0.0.0/16
>
> # Allow the domain (and its subdomains) to contain private addresses.
> # local-data statements are allowed to contain private addresses too.
> # private-domain: "home.lan"
>
> # If nonzero, unwanted replies are not only reported in statistics, but also
> # a running total is kept per thread. If it reaches the threshold, a warning
> # is printed and a defensive action is taken, the cache is cleared to flush
> # potential poison out of it. A suggested value is 10000000, the default is
> # 0 (turned off). We think 10K is a good value.
> unwanted-reply-threshold: 10000
>
> # IMPORTANT FOR TESTING: If you are testing and setup NSD or BIND on
> # localhost you will want to allow the resolver to send queries to localhost.
> # Make sure to set do-not-query-localhost: yes . If yes, the above default
> # do-not-query-address entries are present. if no, localhost can be queried
> # (for testing and debugging).
> do-not-query-localhost: no
>
> # File with trusted keys, kept up to date using RFC5011 probes, initial file
> # like trust-anchor-file, then it stores metadata. Use several entries, one
> # per domain name, to track multiple zones. If you use forward-zone below to
> # query the Google DNS servers you MUST comment out this option or all DNS
> # queries will fail.
> auto-trust-anchor-file: "/var/unbound/root.key"
>
> # Should additional section of secure message also be kept clean of unsecure
> # data. Useful to shield the users of this validator from potential bogus
> # data in the additional section. All unsigned data in the additional section
> # is removed from secure messages.
> val-clean-additional: yes
>
> # Blocking Ad Server domains. Google's AdSense, DoubleClick and Yahoo
> # account for a 70 percent share of all advertising traffic. Block them.
> # local-zone: "doubleclick.net" redirect
> # local-data: "doubleclick.net A 127.0.0.1"
> # local-zone: "googlesyndication.com" redirect
> # local-data: "googlesyndication.com A 127.0.0.1"
> # local-zone: "googleadservices.com" redirect
> # local-data: "googleadservices.com A 127.0.0.1"
> # local-zone: "google-analytics.com" redirect
> # local-data: "google-analytics.com A 127.0.0.1"
> # local-zone: "ads.youtube.com" redirect
> # local-data: "ads.youtube.com A 127.0.0.1"
> # local-zone: "adserver.yahoo.com" redirect
> # local-data: "adserver.yahoo.com A 127.0.0.1"
>
>
> # Unbound will not load if you specify the same local-zone and local-data
> # servers in the main configuration as well as in this "include:" file. We
> # suggest commenting out any of the local-zone and local-data lines above if
> # you suspect they could be included in the unbound_ad_servers servers file.
> #include: "/usr/local/etc/unbound/unbound_ad_servers"
>
> # locally served zones can be configured for the machines on the LAN.
>
> # local-zone: "home.lan." static
>
> # local-data: "firewall.home.lan. IN A 10.0.0.1"
> # local-data: "laptop.home.lan. IN A 10.0.0.2"
> # local-data: "xboxone.home.lan. IN A 10.0.0.3"
> # local-data: "ps4.home.lan. IN A 10.0.0.4"
> # local-data: "dhcp5.home.lan. IN A 10.0.0.5"
> # local-data: "dhcp6.home.lan. IN A 10.0.0.6"
> # local-data: "dhcp7.home.lan. IN A 10.0.0.7"
>
> # local-data-ptr: "10.0.0.1 firewall.home.lan"
> # local-data-ptr: "10.0.0.2 laptop.home.lan"
> # local-data-ptr: "10.0.0.3 xboxone.home.lan"
> # local-data-ptr: "10.0.0.4 ps4.home.lan"
> # local-data-ptr: "10.0.0.5 dhcp5.home.lan"
> # local-data-ptr: "10.0.0.6 dhcp6.home.lan"
> # local-data-ptr: "10.0.0.7 dhcp7.home.lan"
>
> # Unbound can query your NSD or BIND server for private domain queries too.
> # On our NSD page we have NSD configured to serve the private domain,
> # "home.lan". Here we can tell Unbound to connect to the NSD server when it
> # needs to resolve a *.home.lan hostname or IP.
> #
> # private-domain: "home.lan"
> # local-zone: "0.0.10.in-addr.arpa." nodefault
> # stub-zone:
> # name: "home.lan"
> # stub-addr: 10.0.0.111@53
>
> # If you have an internal or private DNS names the external DNS servers can
> # not resolve, then you can assign domain name strings to be redirected to a
> # separate dns server. For example, our company has the domain
> # organization.com and the domain name internal.organization.com can not be
> # resolved by Google's public DNS, but can be resolved by our private DNS
> # server located at 1.1.1.1. The following tells Unbound that any
> # organization.com domain, i.e. *.organization.com be dns resolved by 1.1.1.1
> # instead of the public dns servers.
> #
> # forward-zone:
> # name: "organization.com"
> # forward-addr: 1.1.1.1 # Internal or private DNS
>
> # Use the following forward-zone to forward all queries to Google DNS,
> # OpenDNS.com or your local ISP's dns servers for example. To test resolution
> # speeds use "drill calomel.org @8.8.8.8" and look for the "Query time:" in
> # milliseconds.
> #
> forward-zone:
> name: "."
> # forward-addr: 8.8.8.8 # Google Public DNS
> # forward-addr: 74.82.42.42 # Hurricane Electric
> # forward-addr: 4.2.2.4 # Level3 Verizon
> forward-addr: 208.67.222.222 # OpenDNS
> forward-addr: 208.67.220.220 # OpenDNS
> #
> #
> ## Authoritative, validating, recursive caching DNS
> ## unbound.conf -- https://calomel.org
>
> remote-control:
> control-enable: yes
> control-interface: 127.0.0.1
> control-port: 8953
> server-key-file: "/var/unbound/unbound_server.key"
> server-cert-file: "/var/unbound/unbound_server.pem"
> control-key-file: "/var/unbound/unbound_control.key"
> control-key-file: "/var/unbound/unbound_control.key"
>
>
>
>
> On Tue, 4 Nov 2014, staticsafe wrote:
>
>> On 11/4/2014 13:07, unbound at fongaboo.com wrote:
>>>
>>> Have a FreeBSD 10 machine. Have two outside IPs bound to it. First IP
>>> has NSD running as an authoritative server. This is specified
>>> specifically in the interface entry of nsd.conf.
>>>
>>> Trying to run caching/recursive nameserver with unbound on the second
>>> IP. I specified the following entries in unbound.conf:
>>>
>>> interface: 127.0.0.1
>>> interface: <Second IP>
>> ...
>>> Any ideas why I can't get answers on the second IP?
>>
>> I suspect it might have to do with the default access-control options
>> (which limit to localhost only and refuse everyone else).
>>
>> You can also see if unbound listens to the IP correctly:
>> `netstat -tulpnW | grep unbound`
>>
>> Can you paste your entire unbound.conf please (including any included
>> files)?
>>
>>
>> --
>> staticsafe
>> https://staticsafe.ca
>> _______________________________________________
>> Unbound-users mailing list
>> Unbound-users at unbound.net
>> http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users
>>
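The lesson of the thread is that a socket that accepts a TCP handshake on port 53 says nothing about whether Unbound will recurse for you: access-control decides that, and the built-in default refuses every client except localhost. The example below is added here and is not Unbound's own code or anything the posters wrote. It models the access-control decision (most specific netblock wins, default refuse except localhost) over a constructed config fragment, flags the "just allow everything" mistake that turns the box into an open resolver, and decodes the RCODE of two constructed reply headers so the difference between REFUSED and a real answer is visible on the wire. The addresses 198.51.100.2 and 203.0.113.0/24 are documentation prefixes standing in for the poster's second outside IP and originating netblock, and are assumptions.

```python
"""
Why "port 53 answers" is not "the resolver answers": a model of Unbound's
access-control decision plus the RCODE a refused client gets back.
Added example for this thread, not Unbound's own code. The config fragment
and the reply headers below are constructed; 198.51.100.2 and 203.0.113.0/24
are documentation prefixes standing in for the poster's second outside IP and
originating netblock (assumptions).
"""
import ipaddress
import struct

# Constructed fragment: the poster's two original access-control lines, the
# kind of "allow x.x.x.x/x" line that fixed the problem, and one narrower
# refuse rule to show that the most specific netblock wins.
SAMPLE_CONF = """
server:
    interface: 127.0.0.1
    interface: 198.51.100.2                # second outside IP (assumed)
    access-control: 127.0.0.0/8 allow
    access-control: 10.0.0.0/16 allow
    access-control: 203.0.113.0/24 allow   # originating netblock (assumed)
    access-control: 203.0.113.99/32 refuse
"""

# Actions that grant recursion to the matching client.
RECURSION_ACTIONS = {"allow", "allow_snoop"}


def parse_access_control(conf_text):
    """Return [(ip_network, action)] for every access-control: line, comments stripped."""
    rules = []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line.startswith("access-control:"):
            continue
        netblock, action = line.split(":", 1)[1].split()
        rules.append((ipaddress.ip_network(netblock, strict=False), action))
    return rules


def access_action(rules, client_ip):
    """
    What Unbound does with a query from client_ip: the most specific matching
    netblock wins; with no match, the built-in default is refuse for everyone
    except localhost (the default the poster ran into).
    """
    ip = ipaddress.ip_address(client_ip)
    best = None
    for net, action in rules:
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, action)
    if best is not None:
        return best[1]
    return "allow" if ip.is_loopback else "refuse"


def is_open_resolver(rules):
    """True if a recursion-granting rule covers a whole address family (0.0.0.0/0 or ::/0),
    the classic open-resolver mistake when "just make it answer" is the goal."""
    return any(net.prefixlen == 0 and action in RECURSION_ACTIONS for net, action in rules)


RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def reply_rcode(packet):
    """RCODE name from the 12-byte DNS header (RFC 1035 section 4.1.1); rejects queries."""
    if len(packet) < 12:
        raise ValueError("truncated DNS header")
    _txid, flags = struct.unpack("!HH", packet[:4])
    if not flags & 0x8000:
        raise ValueError("QR bit clear: this is a query, not a reply")
    rcode = flags & 0x000F
    return RCODES.get(rcode, "RCODE%d" % rcode)


# Constructed reply headers (ID 0x1234, QR=1, RD=1, RA=1): what a "refuse"
# action sends back versus a normal recursive answer. A TCP handshake on 53
# succeeds either way; only the RCODE tells you access-control said no.
REFUSED_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8185, 1, 0, 0, 0)  # RCODE 5, no answers
NOERROR_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)  # RCODE 0, one answer


if __name__ == "__main__":
    rules = parse_access_control(SAMPLE_CONF)
    for client in ("127.0.0.1", "10.0.7.2", "203.0.113.7", "203.0.113.99", "198.51.100.50"):
        print("%-16s -> %s" % (client, access_action(rules, client)))
    print("open resolver:", is_open_resolver(rules))
    print("refused reply decodes as", reply_rcode(REFUSED_REPLY))
```

In practice the check that replaces the telnet test is a query from the outside host (the thread already uses drill, e.g. `drill example.com @<2nd outside IP>`) followed by a look at the rcode in the header: REFUSED with an open port means access-control, not binding, is the problem. Keep the allow netblocks as narrow as the clients you actually serve; a `0.0.0.0/0 allow` makes the box a public recursive resolver that anyone can use for reflection.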