Unbound server to respond queries on any port other than 53
A. Schulze
sca at andreasschulze.de
Sun Feb 16 12:16:44 UTC 2020
Hello!
Am 15.02.20 um 19:46 schrieb Sheikh Muhammed Ayub:
> server:
> port: 53
-> default, delete the line
> #outgoing-port-permit: 1025
> verbosity: 3
-> replace with "log-queries: yes" or even "log-replies: yes" if your unbound version is new enough.
> num-threads: 2
> outgoing-range: 512
> num-queries-per-thread: 1024
> msg-cache-size: 16m
> rrset-cache-size: 32m
> cache-max-ttl: 86400
> infra-host-ttl: 60
> infra-lame-ttl: 120
-> delete, use defaults while testing
> interface: 127.0.0.1
>
> #outgoing-interface: 192.168.64.129
> outgoing-interface: 192.168.64.131
-> if you have only one non loopback address, you don't need this
> access-control: 127.0.0.0/8 allow
> access-control: 192.168.8.120/8 allow
> access-control: 192.168.10.17/8 allow
> access-control: 192.168.43.103/8 allow
-> looks wrong. I suspect you like to allow smaller networks than 192.0.0.0/8
> do-ip4: yes
> do-ip6: no
> do-udp: yes
> do-tcp: yes
> username: unbound
> directory: "/etc/unbound"
-> delete, use defaults while testing
> logfile: "/var/log/unbound.log"
> use-syslog: no
-> as chroot is not listed, chroot defaults to /etc/unbound. this means your unbound writes to /etc/unbound/var/log/unbound.log
does the directory exist and is it writable for the unbound user?
> hide-version: yes
> so-rcvbuf: 4m
-> delete, use defaults while testing
> ip-address: 192.168.64.131@55
> interface: 192.168.64.131
-> probably the error: the second line overrides the first one.
> access-control: 192.168.64.131/32 allow
my resulting config looks like this:
/tmp/ub.conf
server:
log-replies: yes
interface: 127.0.0.1
access-control: 127.0.0.0/8 allow
logfile: "/var/log/unbound.log"
use-syslog: no
ip-address: 192.168.64.131@55
access-control: 192.168.64.131/32 allow
# unbound-checkconf /tmp/ub.conf
/etc/unbound/var/log: No such file or directory
[1581854171] unbound-checkconf[91:0] fatal error: logfile directory does not exist
# unbound -c /tmp/ub.conf -d
[1581855345] unbound[172:0] error: Could not open logfile /var/log/unbound.log: No such file or directory
[1581855345] unbound[172:0] notice: init module 0: subnet
[1581855345] unbound[172:0] notice: init module 1: validator
[1581855345] unbound[172:0] notice: init module 2: iterator
[1581855345] unbound[172:0] info: start of service (unbound 1.9.6).
<in another terminal>
# netstat -lnpt
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN -
tcp 0 0 192.168.64.131:55 0.0.0.0:* LISTEN -
-> notice the different ports on 127.0.0.1 and 192.168.64.131
# dig -p 55 @172.18.0.2 google.com A +short
172.217.23.142
-> works...
Andreas
>
> On Sat, Feb 15, 2020 at 10:38 PM A. Schulze <sca at andreasschulze.de> wrote:
>
>
>
> Am 15.02.20 um 16:21 schrieb Sheikh Muhammed Ayub:
>
> keep discussion on list, please
>
> > I have set ip-address as:
> > ip-address: 192.168.64.131@55
>
> first check, unbound is running and do listen for queries:
>
> # id -u -n
> root
>
> # netstat -lnpt | grep 55
> tcp 0 0 192.168.64.131:55 0.0.0.0:* LISTEN 4711/unbound
>
> next: you need to adjust access-control, add "access-control: 192.168.64.131/32 allow" to your unbound.conf
> and restart unbound.
>
> That should at least allow the query above from the host itself.
>
> man unbound.conf say: By default only localhost is allowed, the rest is refused.
> ... And 192.168.64.131 is not localhost ...
>
> > root at ubuntu:/etc/unbound/unbound.conf.d# nslookup -port=55
> last: please favor dig over nslookup
>
> # dig -p 55 unbound.net. A @192.168.64.131
>
> otherwise post unbound logs, the output of the command and your unbound.conf.
>
> Andreas
>
>
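The three things Andreas checks by hand above (an access-control prefix whose host bits are set, the logfile path being resolved inside the chroot, and the same address listed twice with different ports) can be caught before starting the daemon. The following is an added example, not code from the thread or from the Unbound project: a small linter for the server: block. The sample config is constructed from the poster's quoted lines; the chroot default of /etc/unbound is the compile-time default reported in the thread and is an assumption here (pass your own build's value to lint()); the function names are my own.

```python
"""Lint a minimal unbound.conf 'server:' block for the three problems
discussed in the thread. Added example; the sample config is constructed."""
import ipaddress
from dataclasses import dataclass, field

# Assumption: /etc/unbound is the compile-time chroot default mentioned in
# the thread; other builds or distributions may differ.
DEFAULT_CHROOT = "/etc/unbound"
DEFAULT_PORT = 53

# Constructed sample: the poster's config as quoted in the thread.
SAMPLE_CONF = """\
server:
    port: 53
    interface: 127.0.0.1
    access-control: 127.0.0.0/8 allow
    access-control: 192.168.8.120/8 allow
    access-control: 192.168.64.131/32 allow
    logfile: "/var/log/unbound.log"
    use-syslog: no
    ip-address: 192.168.64.131@55
    interface: 192.168.64.131
"""


@dataclass
class Report:
    listeners: list = field(default_factory=list)       # (addr, port) pairs
    duplicate_addrs: list = field(default_factory=list)  # same addr, several ports
    acl_warnings: list = field(default_factory=list)
    effective_logfile: str = ""                          # "" when syslog is used


def parse_server_block(text):
    """Yield (key, value) pairs; comments and surrounding quotes are stripped."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or (line.endswith(":") and " " not in line):  # 'server:'
            continue
        key, _, value = line.partition(":")
        yield key.strip(), value.strip().strip('"')


def parse_listener(value):
    """'192.168.64.131@55' -> ('192.168.64.131', 55); no '@' means port 53.
    IPv6 literals contain ':' so the port separator is the last '@'."""
    addr, sep, port = value.rpartition("@")
    return (addr, int(port)) if sep else (value, DEFAULT_PORT)


def check_acl(value):
    """Warn when the address has host bits outside its prefix: unbound applies
    the prefix, so 192.168.8.120/8 really means 192.0.0.0/8."""
    cidr, _, action = value.partition(" ")
    try:
        ipaddress.ip_network(cidr, strict=True)
        return None
    except ValueError:
        try:
            net = ipaddress.ip_network(cidr, strict=False)
        except ValueError:
            return f"{cidr} {action}: not a valid address/prefix"
        return f"{cidr} {action}: host bits set, this rule covers {net}"


def lint(text, chroot=DEFAULT_CHROOT):
    rep = Report()
    logfile, use_syslog = "", "yes"  # unbound logs to syslog unless told otherwise
    for key, value in parse_server_block(text):
        if key in ("interface", "ip-address"):
            rep.listeners.append(parse_listener(value))
        elif key == "access-control":
            warning = check_acl(value)
            if warning:
                rep.acl_warnings.append(warning)
        elif key == "logfile":
            logfile = value
        elif key == "use-syslog":
            use_syslog = value
        elif key == "chroot":
            chroot = value  # 'chroot: ""' disables it
    if logfile and use_syslog == "no":
        # The file is opened after chroot(), so the path is relative to it.
        rep.effective_logfile = (
            chroot.rstrip("/") + "/" + logfile.lstrip("/") if chroot else logfile
        )
    ports_by_addr = {}
    for addr, port in rep.listeners:
        ports_by_addr.setdefault(addr, set()).add(port)
    rep.duplicate_addrs = sorted(a for a, p in ports_by_addr.items() if len(p) > 1)
    return rep


if __name__ == "__main__":
    r = lint(SAMPLE_CONF)
    print("listeners:", r.listeners)
    print("addresses listed with more than one port:", r.duplicate_addrs)
    print("effective logfile:", r.effective_logfile)
    for w in r.acl_warnings:
        print("access-control:", w)
```

Run against the sample it reports 192.168.64.131 on both 55 and 53, the /8 rule that really covers 192.0.0.0/8, and /etc/unbound/var/log/unbound.log as the path unbound will try to open, which is the directory unbound-checkconf complained about in the thread. Whether a given build really chroots by default is what the chroot argument is for; the linter only computes the path, it does not check that the directory exists.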