dns-over-tls queries?
Wouter Wijngaards
wouter at nlnetlabs.nl
Tue Feb 5 12:39:16 UTC 2019
Hi Håvard,
The reply looks like this when the client's IP address is refused by
unbound's access-control. When a local-zone refuses it, the query name
would be present in the reply.
Unbound simply won't parse the query from the unallowed source, and thus
the short reply contents.
The null TYPE0 CLASS0 is an artifact of that it doesn't parse it, and
then has nothing to print for log-replies.
Best regards, Wouter
On 2/5/19 1:26 PM, Havard Eidnes via Unbound-users wrote:
> Hi,
>
> following up on my own message:
>
>> Feb 4 16:00:56 myname unbound: [22507:0] info: a.b.c.d null TYPE0 CLASS0 REFUSED 0.000000 1 12
>
> Using kdig, I see the same problem client-side:
>
> % kdig -4 @a.b.c.d:853 vg.no. a +tls
> ;; WARNING: response doesn't have question section
> ;; TLS session (TLS1.2)-(ECDHE-SECP256R1)-(RSA-SHA512)-(AES-256-GCM)
> ;; ->>HEADER<<- opcode: QUERY; status: REFUSED; id: 54977
> ;; Flags: qr rd; QUERY: 0; ANSWER: 0; AUTHORITY: 0; ADDITIONAL: 0
>
> ;; Received 12 B
> ;; Time 2019-02-05 13:22:00 CET
> ;; From a.b.c.d8 at 853(TCP) in 14.9 ms
> %
>
> Hrm, doesn't work as advertised. Need to dig deeper. Hints?
>
> Regards,
>
> - Håvard
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <http://lists.nlnetlabs.nl/pipermail/unbound-users/attachments/20190205/458d5886/attachment.bin>
More information about the Unbound-users
mailing list