notice: send failed: Permission denied

Wouter Wijngaards wouter at nlnetlabs.nl
Mon Apr 12 09:20:16 UTC 2021


Hi John,

Fix code is in
https://github.com/NLnetLabs/unbound/commit/addd21f750b6042c40c2a92aef9b8919d8497532

This stops the log messages unless you set a high verbosity level.
These error numbers did not get reported before, I guess because the
block rule is reject.

Best regards, Wouter

On 06/04/2021 03:48, Caroptions Caroptions via Unbound-users wrote:
> Important note, the firewall block rule is reject, not block ...
> 
> Thanks,
> John
> 
> ------------------------------------------------------------------------
> *From:* Unbound-users <unbound-users-bounces at lists.nlnetlabs.nl> on
> behalf of Caroptions Caroptions via Unbound-users
> <unbound-users at lists.nlnetlabs.nl>
> *Sent:* Monday, April 5, 2021 2:20 PM
> *To:* unbound-users at lists.nlnetlabs.nl <unbound-users at lists.nlnetlabs.nl>
> *Subject:* notice: send failed: Permission denied
>  
> Hi,
> 
> Probably it is discussed already, so sorry for reiterating the same
> problem, but I couldn't find a solution.
> 
> unbound 1.13.1
> 
> I block certain ASNs/IPs on the firewall. unbound starts normally, then
> after some time floods the log with messages:
> 
> unbound[90575]: [90575:2] notice: remote address is xx.xx.xx.xx port 53
> unbound[90575]: [90575:2] notice: send failed: Permission denied
> unbound[90575]: [90575:2] notice: remote address is xx.xx.xx.xx port 53
> unbound[90575]: [90575:2] notice: send failed: Permission denied
> unbound[90575]: [90575:2] notice: remote address is xx.xx.xx.xx port 53
> unbound[90575]: [90575:2] notice: send failed: Permission denied
> unbound[90575]: [90575:2] notice: remote address is xx.xx.xx.xx port 53
> unbound[90575]: [90575:2] notice: send failed: Permission denied
> unbound[90575]: [90575:2] notice: remote address is xx.xx.xx.xx port 53
> 
> the SAME IP for hours. My firewall process CPU load jumps and stays at a
> high level. The unbound process CPU load is high as well.
> 
> My temporary workaround is adding:
> 
> do-not-query-address: xx.xx.xx.xx
> 
> When I add a new IP to this list it stays normal for some time, till
> unbound finds a new NS server IP which is blocked on the firewall, and all
> loads jump and the log floods with "notice" messages.
> 
> In my understanding unbound should stop attempting to contact a specific
> NS if it is not reachable/down?
> 
> Thanks,
> John 
> 
> 
> 
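
The log flood and the `do-not-query-address` workaround from the quoted report can be tied together by reading the log itself. The following is an added example, not part of the original thread and not Unbound's own code: it pairs the two notice lines per thread, counts failed sends per remote address, and renders candidate workaround entries. The function names, the threshold and the sample addresses are assumptions constructed for illustration.

```python
import re
from collections import Counter

# The two notice lines quoted in the thread, with the [pid:thread] tag.
LINE = re.compile(
    r"unbound\[\d+\]: \[(?P<tid>\d+:\d+)\] notice: "
    r"(?:remote address is (?P<addr>\S+) port \d+|send failed: (?P<err>.+))$"
)

def failed_sends(lines, errtext="Permission denied"):
    """Count send failures per remote address. Assumption: each failure
    logs one 'send failed' and one 'remote address is' line from the same
    thread; the two are paired in whichever order they appear."""
    pending = {}        # thread tag -> ("addr", ip) or ("fail", error text)
    counts = Counter()
    for line in lines:
        m = LINE.search(line.strip())
        if not m:
            continue
        tid = m["tid"]
        kind, value = ("addr", m["addr"]) if m["addr"] else ("fail", m["err"])
        prev = pending.pop(tid, None)
        if prev and prev[0] != kind:
            addr, err = (value, prev[1]) if kind == "addr" else (prev[1], value)
            if err == errtext:
                counts[addr] += 1
        else:
            pending[tid] = (kind, value)   # wait for the other half
    return counts

def workaround_lines(counts, threshold=3):
    """Render do-not-query-address entries for addresses at/over threshold."""
    return [f"do-not-query-address: {ip}"
            for ip, n in sorted(counts.items()) if n >= threshold]

# Constructed sample (documentation addresses), same format as the report.
SAMPLE = """\
unbound[90575]: [90575:2] notice: remote address is 192.0.2.53 port 53
unbound[90575]: [90575:2] notice: send failed: Permission denied
unbound[90575]: [90575:2] notice: remote address is 192.0.2.53 port 53
unbound[90575]: [90575:1] notice: remote address is 198.51.100.7 port 53
unbound[90575]: [90575:2] notice: send failed: Permission denied
unbound[90575]: [90575:1] notice: send failed: Permission denied
unbound[90575]: [90575:2] notice: remote address is 192.0.2.53 port 53
unbound[90575]: [90575:2] notice: send failed: Permission denied
""".splitlines()

if __name__ == "__main__":
    print("\n".join(workaround_lines(failed_sends(SAMPLE))))
```

The addresses it prints are candidates only; check each against the firewall rules before adding it to the Unbound configuration.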

