notice: send failed: Permission denied

[Caroptions Caroptions]

Important note, the firewall block rule is reject, not block ...

Thanks,
John

________________________________
From: Unbound-users <unbound-users-bounces at lists.nlnetlabs.nl> on behalf of Caroptions Caroptions via Unbound-users <unbound-users at lists.nlnetlabs.nl>
Sent: Monday, April 5, 2021 2:20 PM
To: unbound-users at lists.nlnetlabs.nl <unbound-users at lists.nlnetlabs.nl>
Subject: notice: send failed: Permission denied

Hi,

Probably it is discussed already, then sorry for reiterating the same problem, but I couldn't find solution.

unbound 1.13.1

I block certain ASNs/IPs on firewall. unbound starts normally, then after some time flood log with messages:

unbound[90575]: [90575:2] notice: remote address is xx.xx.xx.xx port 53
unbound[90575]: [90575:2] notice: send failed: Permission denied
unbound[90575]: [90575:2] notice: remote address is xx.xx.xx.xx port 53
unbound[90575]: [90575:2] notice: send failed: Permission denied
unbound[90575]: [90575:2] notice: remote address is xx.xx.xx.xx port 53
unbound[90575]: [90575:2] notice: send failed: Permission denied
unbound[90575]: [90575:2] notice: remote address is xx.xx.xx.xx port 53
unbound[90575]: [90575:2] notice: send failed: Permission denied
unbound[90575]: [90575:2] notice: remote address is xx.xx.xx.xx port 53

the SAME ip for hours. My firewall process CPU load jumps and stays on high level. unbound process CPU load high as well.

My temporary workaround is adding:

do-not-query-address: xx.xx.xx.xx

When I add new ip to this list it stays normal for some time till unbound find new NS server IP which is blocked on firewall and all loads jumps and flood log with "notice" messages.

In my understanding unbound should stop attempting to contact specific NS if it is not reachable/down?

Thanks,
John



-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.nlnetlabs.nl/pipermail/unbound-users/attachments/20210406/2c42ada0/attachment-0001.htm>