VRF support in unbound?

Ralf Jung post at ralfj.de
Fri Jan 4 13:00:31 UTC 2019

Hi again,

I should probably give some more details about my configuration... currently, I
am playing with

>     interface:
>     interface: ::
>     access-control: allow
>     access-control: fd4e:f2d7:88d2:ffff::/64 allow
>     ip-freebind: yes
>     interface-automatic: yes
>     outgoing-interface:

When a request now comes in from the subnet (which is in the
VRF), I can see via tcpdump that unbound sends requests to an authoritative DNS
server to resolve this request.  However, the response to the original client
never goes out.
Via TCP, the request actually works and a response is sent out correctly!

However, all of this is for IPv4 only, and only when I have set
net.ipv4.{tcp,udp}_l3mdev_accept=1.  For IPv6 and without that setting (which
doesn't seem to exist for IPv6), unbound does not even seem to receive the
request, there is no reaction in the form of messages to the authoritative DNS.

Kind regards,

On 04.01.19 13:24, Ralf Jung via Unbound-users wrote:
> Hi all,
> I am playing around with the [VRF] support on the Linux kernel, and got basic
> routing and address assignment to work for IPv4 and IPv6.  The next step,
> obviously, is to get DNS, and here I am running into the following error in unbound:
>> unbound[3115]: [3115:0] error: can't bind socket: Cannot assign requested address for 2a03:2260:3009::2
> This is the expected error when an application does not use setsockopt for
> SO_BINDTODEVICE to configure the device on which the address is to be bound.
> Is there any way to tell unbound to bind to a particular device (and not just a
> particular address)?  The only options I found for configuring unbound allow
> giving IP addresses to bind to, but there seems to be no way to also configure
> the network device to use.
> [VRF]: https://www.kernel.org/doc/Documentation/networking/vrf.txt
> Kind regards,
> Ralf

More information about the Unbound-users mailing list