From pztomasi at gmail.com  Tue Mar 2 20:54:44 2021
From: pztomasi at gmail.com (Paulo Roberto Tomasi)
Date: Tue, 2 Mar 2021 16:54:44 -0400
Subject: Help about TLD not working

Hi,

I would like help to understand/troubleshoot a failure with the site www.nfs-e.net

# local unbound seems correct:
unbound:~$ dig www.netflix.com @127.0.0.1 +short
www.dradis.netflix.com.
www.us-east-1.internal.dradis.netflix.com.
dualstack.apiproxy-website-nlb-prod-2-22bf9dee8ebc92ff.elb.us-east-1.amazonaws.com.
54.237.226.164
3.230.129.93
52.3.144.142

# But, dig to the specified site/domain (www.nfs-e.net) doesn't get any result in local unbound
# (via https://www.digwebinterface.com/?hostnames=www.nfs-e.net&type=&useresolver=8.8.4.4&ns=all&nameservers= each one of the resolvers gets 177.11.21.10 as result)
unbound:~$ dig www.nfs-e.net @127.0.0.1

; <<>> DiG 9.10.3-P4-Ubuntu <<>> www.nfs-e.net @127.0.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 53101
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;www.nfs-e.net.                 IN      A

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Mar 02 16:42:36 -04 2021
;; MSG SIZE  rcvd: 42

# Is there any verbose form of the dig tool to give me a hint of what's happening when/where the failure occurs?
unbound:~# dig www.nfs-e.net

; <<>> DiG 9.10.3-P4-Ubuntu <<>> www.nfs-e.net
;; global options: +cmd
;; connection timed out; no servers could be reached

Thanks!


From ch at ntrv.dk  Tue Mar 2 21:22:17 2021
From: ch at ntrv.dk (Chriztoffer Hansen)
Date: Tue, 2 Mar 2021 22:22:17 +0100
Subject: Help about TLD not working

On Tue, 2 Mar 2021 at 21:54, Paulo Roberto Tomasi via Unbound-users wrote:
> Is there any verbose form of the dig tool to give me a hint of what's happening when/where the failure occurs?

How is your authoritative set-up done? Same machine(s) with different public IPs?

NSD/Coredns/PowerDNS/BIND as the authoritative DNS server? And unbound as a forwarder?

-- 
Chriztoffer


From ch at ntrv.dk  Tue Mar 2 21:16:25 2021
From: ch at ntrv.dk (Chriztoffer Hansen)
Date: Tue, 2 Mar 2021 22:16:25 +0100
Subject: Help about TLD not working

On Tue, 2 Mar 2021 at 21:54, Paulo Roberto Tomasi via Unbound-users wrote:
> Is there any verbose form of the dig tool to give me a hint of what's happening when/where the failure occurs?
>
> unbound:~# dig www.nfs-e.net
>
> ; <<>> DiG 9.10.3-P4-Ubuntu <<>> www.nfs-e.net
> ;; global options: +cmd
> ;; connection timed out; no servers could be reached

dig A www.nfs-e.net @localhost
dig AAAA www.nfs-e.net @localhost

Optionally, check the manual (page) of the dig tool for available options?
https://man.openbsd.org/dig.1

$ dig A www.nfs-e.net

; <<>> DiG 9.11.5-P4-5.1+deb10u3-Debian <<>> A www.nfs-e.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26932
;; flags: qr rd ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;www.nfs-e.net.                 IN      A

;; ANSWER SECTION:
www.nfs-e.net.          0       IN      A       177.11.21.10

;; Query time: 5 msec
;; SERVER: 172.25.224.1#53(172.25.224.1)
;; WHEN: Tue Mar 02 22:12:58 CET 2021
;; MSG SIZE  rcvd: 60

$ dig AAAA www.nfs-e.net @1.1.1.1

; <<>> DiG 9.11.5-P4-5.1+deb10u3-Debian <<>> AAAA www.nfs-e.net @1.1.1.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23336
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;www.nfs-e.net.                 IN      AAAA

;; AUTHORITY SECTION:
nfs-e.net.              3600    IN      SOA     ns1.nfs-e.net. hostmaster.nfs-e.net. 2021010113 14400 7200 1209600 14400

;; Query time: 210 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; WHEN: Tue Mar 02 22:13:33 CET 2021
;; MSG SIZE  rcvd: 93

$ dig A www.nfs-e.net @resolver1.opendns.com

; <<>> DiG 9.16.11-Debian <<>> A www.nfs-e.net @resolver1.opendns.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22143
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.nfs-e.net.                 IN      A

;; ANSWER SECTION:
www.nfs-e.net.          555     IN      A       177.11.21.10

;; Query time: 0 msec
;; SERVER: 208.67.222.222#53(208.67.222.222)
;; WHEN: Tue Mar 02 21:16:11 UTC 2021
;; MSG SIZE  rcvd: 58

-- 
Chriztoffer


From pztomasi at gmail.com  Tue Mar 2 21:37:54 2021
From: pztomasi at gmail.com (Paulo Roberto Tomasi)
Date: Tue, 2 Mar 2021 17:37:54 -0400
Subject: Help about TLD not working

Hi,

It seems it's something related to IPv4 connectivity.
My CIDR prefixes are not being delivered to the destination via BGP (upstream failure).
This way responses from the authoritative servers of the nfs-e.net domain don't return to the local unbound.

- - -
Why I'm saying this:

unbound:~# dig www.nfs-e.net

; <<>> DiG 9.10.3-P4-Ubuntu <<>> www.nfs-e.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 15680
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 4

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.nfs-e.net.                 IN      A

;; ANSWER SECTION:
www.nfs-e.net.          900     IN      A       177.11.21.10

;; AUTHORITY SECTION:
nfs-e.net.              3600    IN      NS      darwin.nfs-e.net.
nfs-e.net.              3600    IN      NS      ns2.nfs-e.net.
nfs-e.net.              3600    IN      NS      ns1.nfs-e.net.

;; ADDITIONAL SECTION:
ns1.nfs-e.net.          3600    IN      A       177.11.20.10
ns2.nfs-e.net.          3600    IN      A       177.11.20.20
darwin.nfs-e.net.       3600    IN      A       189.28.42.146

;; Query time: 4011 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Mar 02 17:29:25 -04 2021
;; MSG SIZE  rcvd: 163

After I changed the BGP announcements to another upstream, the servers 177.11.20.10 / 177.11.20.20 and 189.28.42.146 were able to answer my dig requests.

Now I need to convince the upstream provider to fix the propagation of my public prefixes.

Thank you for your attention

On Tue, 2 Mar 2021 at 17:23, Chriztoffer Hansen wrote:
> On Tue, 2 Mar 2021 at 21:54, Paulo Roberto Tomasi via Unbound-users
> wrote:
> > Is there any verbose form of the dig tool to give me a hint of what's
> > happening when/where the failure occurs?
>
> How is your authoritative set-up done? Same machine(s) with different
> public IPs?
>
> NSD/Coredns/PowerDNS/BIND as the authoritative DNS server? And unbound
> as a forwarder?
>
> --
> Chriztoffer
>


From pztomasi at gmail.com  Fri Mar 5 17:27:54 2021
From: pztomasi at gmail.com (Paulo Roberto Tomasi)
Date: Fri, 5 Mar 2021 13:27:54 -0400
Subject: Configure DNS filtering in unbound

Hi,

Do you have an example of unbound as DNS filtering (similarly to nxfilter)?

I see that unbound has thousands of options to customize its role, I'm not sure of what options to use.

I would like to block facebook/youtube/whatsapp/spotify and many other entertainment sites (on demand) to not be accessible from some machines.

Thanks!
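An added example, not part of the thread and not taken from the NLnet Labs blog post the replies below link to, of the response-policy-zone (RPZ) setup those replies recommend for the question above. The zone name, the file path, the log label and the blocked domains are assumptions chosen to match the question; the list is illustrative, not complete. Unbound reads the policy from the zone file, so no zone transfer is needed.

```conf
# /etc/unbound/unbound.conf (added example, not from the thread)
server:
    # RPZ is implemented by the respip module; it has to come first in the chain.
    module-config: "respip validator iterator"

rpz:
    name: "block.rpz.local"                  # assumed zone name
    zonefile: "/etc/unbound/block.rpz.zone"  # assumed path; loaded from disk
    rpz-log: yes                             # log every hit so blocks can be audited
    rpz-log-name: "entertainment"            # assumed label that appears in the log line

# /etc/unbound/block.rpz.zone (zone file; ';' starts a comment here)
; "CNAME ." answers NXDOMAIN, "CNAME *." answers NODATA,
; "CNAME rpz-passthru." exempts a name from the policy.
$TTL 7200
@   IN SOA  localhost. root.localhost. ( 2021030501 3600 900 2592000 7200 )
@   IN NS   localhost.

; Both lines are needed per site: the wildcard matches subdomains only,
; it does not match the apex name itself.
facebook.com        CNAME .
*.facebook.com      CNAME .
youtube.com         CNAME .
*.youtube.com       CNAME .
whatsapp.com        CNAME .
*.whatsapp.com      CNAME .
spotify.com         CNAME .
*.spotify.com       CNAME .
```

After `unbound-control reload`, `dig www.facebook.com @127.0.0.1` should return NXDOMAIN and, with `rpz-log: yes`, a log line carrying the `rpz-log-name` label. This policy applies to every client; limiting it to "some machines" needs views or access-control tags, which the client-based filtering link in Benno's reply below covers. Two caveats a practitioner will want: the zone triggers on the exact names listed, so CDN or alternate domains used by an application are not covered unless listed, and clients that can reach another resolver (plain port 53 or DNS over HTTPS) bypass the policy entirely unless egress filtering stops them.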
From marcos.ata1983 at gmail.com  Fri Mar 5 17:35:05 2021
From: marcos.ata1983 at gmail.com (marcos.ata1983 at gmail.com)
Date: Fri, 5 Mar 2021 14:35:05 -0300
Subject: Configure DNS filtering in unbound
Message-ID: <79cfab48-5418-ac5b-95f6-3437d5205cce@gmail.com>

Hi,

https://medium.com/nlnetlabs/response-policy-zones-in-unbound-5d453de75f26

On 05/03/2021 14:27, Paulo Roberto Tomasi via Unbound-users wrote:
> Hi,
>
> Do you have an example of unbound as DNS filtering (similarly to
> nxfilter)?
>
> I see that unbound has thousands of options to customize its role, I'm
> not sure of what options to use
>
> I would like to block facebook/youtube/whatsapp/spotify and many other
> entertainment sites (on demand) to not be accessible from some machines.
>
> Thanks!
>

-- 
Marcos Renato da Silva Junior


From phatbuckett at gmail.com  Fri Mar 5 19:37:50 2021
From: phatbuckett at gmail.com (Darren S.)
Date: Fri, 5 Mar 2021 12:37:50 -0700
Subject: Configure DNS filtering in unbound
In-Reply-To: <79cfab48-5418-ac5b-95f6-3437d5205cce@gmail.com>
References: <79cfab48-5418-ac5b-95f6-3437d5205cce@gmail.com>

+1 for RPZ in unbound, it's been great to use for DNS filtering at home.

On Fri, Mar 5, 2021 at 10:35 AM marcos.ata1983--- via Unbound-users wrote:
>
> Hi,
>
> https://medium.com/nlnetlabs/response-policy-zones-in-unbound-5d453de75f26
>
> On 05/03/2021 14:27, Paulo Roberto Tomasi via Unbound-users wrote:
> > Hi,
> >
> > Do you have an example of unbound as DNS filtering (similarly to
> > nxfilter)?
> >
> > I see that unbound has thousands of options to customize its role, I'm
> > not sure of what options to use
> >
> > I would like to block facebook/youtube/whatsapp/spotify and many other
> > entertainment sites (on demand) to not be accessible from some machines.
> >
> > Thanks!
> >
> --
> Marcos Renato da Silva Junior
>

-- 
Darren Spruell
phatbuckett at gmail.com


From unbound-users at lists.roth.lu  Sun Mar 7 11:14:41 2021
From: unbound-users at lists.roth.lu (unbound-users at lists.roth.lu)
Date: Sun, 7 Mar 2021 12:14:41 +0100
Subject: Allow certain requests for some clients but not others

Hey,

I have two types of clients that should be able to do the following:

1) access local zones only (and forwarders to some partners)
2) #1 plus full recursive queries (to the Internet)

How would I go about configuring that?

(It is possible to have local zones in some backend server, that data does not need to be located within Unbound.)

Thanks.

Marki


From benno at NLnetLabs.nl  Thu Mar 11 09:53:25 2021
From: benno at NLnetLabs.nl (Benno Overeinder)
Date: Thu, 11 Mar 2021 10:53:25 +0100
Subject: Configure DNS filtering in unbound
References: <79cfab48-5418-ac5b-95f6-3437d5205cce@gmail.com>
Message-ID: <50ce3917-8b45-e4c7-0f66-a64925cc09cb@NLnetLabs.nl>

Thanks!

Here are the links to blog posts. Note, we moved our blog post to our own nlnetlabs.nl domain.

RPZ: https://blog.nlnetlabs.nl/response-policy-zones-in-unbound/

Client-based filtering: https://blog.nlnetlabs.nl/client-based-filtering-in-unbound/

Best,

-- Benno

On 05/03/2021 20:37, Darren S. via Unbound-users wrote:
> +1 for RPZ in unbound, it's been great to use for DNS filtering at home.
>
> On Fri, Mar 5, 2021 at 10:35 AM marcos.ata1983--- via Unbound-users
> wrote:
>>
>> Hi,
>>
>> https://medium.com/nlnetlabs/response-policy-zones-in-unbound-5d453de75f26
>>
>> On 05/03/2021 14:27, Paulo Roberto Tomasi via Unbound-users wrote:
>>> Hi,
>>>
>>> Do you have an example of unbound as DNS filtering (similarly to
>>> nxfilter)?
>>>
>>> I see that unbound has thousands of options to customize its role, I'm
>>> not sure of what options to use
>>>
>>> I would like to block facebook/youtube/whatsapp/spotify and many other
>>> entertainment sites (on demand) to not be accessible from some machines.
>>>
>>> Thanks!
>>>
>> --
>> Marcos Renato da Silva Junior
>>
>
>

-- 
Benno J. Overeinder
NLnet Labs
https://www.nlnetlabs.nl/


From andre.lfs.martins at gmail.com  Thu Mar 11 13:33:37 2021
From: andre.lfs.martins at gmail.com (Andre Martins)
Date: Thu, 11 Mar 2021 10:33:37 -0300
Subject: High resolution time

Hi all

I have a server running unbound 1.13.1 on an i7 with one CPU and 8 cores, 16gb of RAM. The usage is pretty low. It's my home DNS, so no more than 50 devices on the network. My internet connection is a fiber 300/150 mbits.

I'm seeing high times in resolution, now it's around 1600ms. It goes down and then back up, but never below 400ms.

I have tried to optimise my configuration, but no solution so far.

This is an excerpt of my config file with the optimisation:

server:
        cache-max-ttl: 86400
        cache-min-ttl: 7200
        harden-dnssec-stripped: yes
        serve-expired: yes
        outgoing-num-tcp: 50
        incoming-num-tcp: 50
        num-queries-per-thread: 8192
        outgoing-range: 16384
        unwanted-reply-threshold: 0
        jostle-timeout: 200
        msg-cache-size: 50m
        rrset-cache-size: 100m
        num-threads: 8
        msg-cache-slabs: 16
        rrset-cache-slabs: 16
        infra-cache-slabs: 16
        key-cache-slabs: 16
        prefetch: yes
        prefetch-key: yes
        serve-expired-ttl: 86400
        udp-connect: yes
        rrset-roundrobin: yes
        infra-cache-numhosts: 50000
        infra-host-ttl: 3600
        so-reuseport: yes

Attached my conf file.

Your help is much appreciated

Thanks
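Following the client-based filtering link in Benno's reply, an added example (not from the thread and not from the blog post) of views that give two client classes different treatment, which covers Marki's question earlier in this digest and the "only some machines" part of Paulo's. The netblocks, zone names and addresses are assumptions. Unbound picks a view by the client's source address, so this is a per-network policy, not authentication.

```conf
server:
    # Who may talk to the resolver at all (all netblocks assumed)
    access-control: 192.0.2.0/24    allow   # trusted LAN: full recursion, no view
    access-control: 198.51.100.0/24 allow   # restricted segment (Marki's class 1)
    access-control: 203.0.113.0/24  allow   # machines that get the entertainment block

    # Bind a netblock to a view; clients without a view use the server: defaults
    access-control-view: 198.51.100.0/24 "restricted"
    access-control-view: 203.0.113.0/24  "nofun"

# Local authority kept in a backend server (Marki's option), reached as a stub
stub-zone:
    name: "corp.example."            # assumed local zone
    stub-addr: 10.0.0.53             # assumed backend authoritative server

# Partner names are forwarded, not resolved from the root
forward-zone:
    name: "partner.example."         # assumed
    forward-addr: 192.0.2.53         # assumed partner resolver

view:
    name: "restricted"
    # Refuse everything ...
    local-zone: "." refuse
    # ... except the subtrees the stub and forward zones serve. "transparent"
    # passes the query to the iterator, which then applies the zones above.
    local-zone: "corp.example."    transparent
    local-zone: "partner.example." transparent
    # An explicit exception, Marki's "add exceptions" case (assumed name)
    local-zone: "example.com."     transparent
    # Do not fall back to the global local-zones for anything else
    view-first: no

view:
    name: "nofun"
    # These clients resolve everything except the listed entertainment names
    local-zone: "facebook.com." always_nxdomain
    local-zone: "youtube.com."  always_nxdomain
    local-zone: "whatsapp.com." always_nxdomain
    local-zone: "spotify.com."  always_nxdomain
    # Anything not decided in this view is answered as usual
    view-first: yes
```

Check it from each segment: `dig corp.example. SOA @resolver` and `dig www.partner.example. A @resolver` should answer from the restricted segment, while `dig www.example.net. A @resolver` should come back REFUSED; from the trusted LAN all three answer. The `refuse_non_local` access-control action is the other tool in this area, but it only admits local-zone/local-data answers, so on its own it would not let the stub and forward zones through; the view is what expresses "these subtrees and nothing else".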

From unbound-users at lists.roth.lu  Thu Mar 11 21:35:55 2021
From: unbound-users at lists.roth.lu (Marki)
Date: Thu, 11 Mar 2021 22:35:55 +0100
Subject: Configure DNS filtering in unbound
In-Reply-To: <50ce3917-8b45-e4c7-0f66-a64925cc09cb@NLnetLabs.nl>
References: <79cfab48-5418-ac5b-95f6-3437d5205cce@gmail.com> <50ce3917-8b45-e4c7-0f66-a64925cc09cb@NLnetLabs.nl>
Message-ID: <3b36eef3-e5aa-c387-7c93-85ee50a2b59b@lists.roth.lu>

That's interesting.

How do I configure an ACL such that access to stubs (local authority) is allowed while the rest is denied, with the possibility to add exceptions (public resolvers)?

Thanks.

On 3/11/2021 10:53 AM, Benno Overeinder via Unbound-users wrote:
> Thanks!
>
> Here are the links to blog posts. Note, we moved our blog post to our
> own nlnetlabs.nl domain.
>
> RPZ: https://blog.nlnetlabs.nl/response-policy-zones-in-unbound/
>
> Client-based filtering:
> https://blog.nlnetlabs.nl/client-based-filtering-in-unbound/
>
> Best,
>
> -- Benno
>
>
> On 05/03/2021 20:37, Darren S. via Unbound-users wrote:
>> +1 for RPZ in unbound, it's been great to use for DNS filtering at home.
>>
>> On Fri, Mar 5, 2021 at 10:35 AM marcos.ata1983--- via Unbound-users
>> wrote:
>>>
>>> Hi,
>>>
>>> https://medium.com/nlnetlabs/response-policy-zones-in-unbound-5d453de75f26
>>>
>>>
>>> On 05/03/2021 14:27, Paulo Roberto Tomasi via Unbound-users wrote:
>>>> Hi,
>>>>
>>>> Do you have an example of unbound as DNS filtering (similarly to
>>>> nxfilter)?
>>>>
>>>> I see that unbound has thousands of options to customize its role, I'm
>>>> not sure of what options to use
>>>>
>>>> I would like to block facebook/youtube/whatsapp/spotify and many other
>>>> entertainment sites (on demand) to not be accessible from some
>>>> machines.
>>>>
>>>> Thanks!
>>>>
>>> --
>>> Marcos Renato da Silva Junior
>>>
>>
>>
>


From sraman at rbbn.com  Fri Mar 12 08:51:18 2021
From: sraman at rbbn.com (Raman, Sankar)
Date: Fri, 12 Mar 2021 08:51:18 +0000
Subject: Help: libunbound ub_result parsing
Message-ID: <83ACA3DA-5CA3-4965-8136-8A7DE7E31DBC@rbbn.com>

Hello;

I am integrating unbound 1.13.0 in our openwrt based product for DNS, SRV and inverse PTR queries.

I am using ub_resolve_async() for queries and processing responses from ub_result via the callback.

I have the following questions in this regard:

1. For an SRV response, the data[] in ub_result contains a list of (port, protocol, priority, weight and host dname) (data[] also has the dname for a PTR answer). Is the dname in result->data[] always given in uncompressed form only, or can it also contain the compressed form?
2. If the compressed form can also be present, then what API to use to convert the dname to a normal name string?
3. If uncompressed only, then what is the appropriate API to use - sldns_write2str_dname() or dname_str()?
4. And what is the difference between sldns_write2str_dname() and dname_str()?

Thanks
Sankar

Notice: This e-mail together with any attachments may contain information of Ribbon Communications Inc. and its Affiliates that is confidential and/or proprietary for the sole use of the intended recipient. Any review, disclosure, reliance or distribution by others or forwarding without express permission is strictly prohibited. If you are not the intended recipient, please notify the sender immediately and then delete all copies, including any attachments.


From matthias.vossen at gmail.com  Fri Mar 12 09:17:39 2021
From: matthias.vossen at gmail.com (Matthias G. Vossen)
Date: Fri, 12 Mar 2021 10:17:39 +0100
Subject: Unbound fails to resolve subdomain

Hello everybody!

I have encountered an interesting problem which may or may not be a glitch in unbound. The problem and several tries to alleviate it have been documented in detail here:
https://discourse.pi-hole.net/t/pi-hole-with-unbound-not-resolving-subdomain/45233

In short, my unbound configuration is able to resolve wunderground.com without problems, but not weatherstation.wunderground.com. The resolve reaches a point where weatherstation.wunderground.com is referred to rtupdate.wunderground.com, but in total fails to resolve to an IP address and most of the time dig experiences a timeout. A dig to opendns or google dns resolves just fine. Configs have been checked and double checked without result. I am running unbound v 1.9 on raspbian buster.

Maybe someone has an idea?

Best,
Matthias


From unbound at tacomawireless.net  Fri Mar 12 16:34:45 2021
From: unbound at tacomawireless.net (Unbound)
Date: Fri, 12 Mar 2021 08:34:45 -0800
Subject: Unbound fails to resolve subdomain

On 2021-03-12 01:17, Matthias G. Vossen via Unbound-users wrote:
> Hello everybody! I have encountered an interesting problem which may or may
> not be a glitch in unbound. The problem and several tries to alleviate it
> have been documented in detail here:
> https://discourse.pi-hole.net/t/pi-hole-with-unbound-not-resolving-subdomain/45233
> In short, my unbound configuration is able to resolve wunderground.com
> without problems, but not weatherstation.wunderground.com. The resolve
> reaches a point where weatherstation.wunderground.com is referred to
> rtupdate.wunderground.com, but in total fails to resolve to an IP address
> and most of the time dig experiences a timeout. A dig to opendns or google
> dns resolves just fine. Configs have been checked and double checked without
> result. I am running unbound v 1.9 on raspbian buster. Maybe someone has an
> idea? Best, Matthias

On a server that manages over 200 million domains. With knot as authoritative server, and unbound as recursive client.

weatherstation.wunderground.com is slow to resolve, and is returned as a cloud:

;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 16538
;; flags: qr rd ra ; QUERY: 1, ANSWER: 9, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;; weatherstation.wunderground.com.        IN      A

;; ANSWER SECTION:
weatherstation.wunderground.com.        298     IN      CNAME   rtupdate.wunderground.com.
rtupdate.wunderground.com.      298     IN      CNAME   prod-pws-ng-ingest.pws-ng-prod-iks-wdc-01-997b58a668d15d562a6bed58ea7c5f9e-0001.us-east.containers.appdomain.cloud.
prod-pws-ng-ingest.pws-ng-prod-iks-wdc-01-997b58a668d15d562a6bed58ea7c5f9e-0001.us-east.containers.appdomain.cloud.        300     IN      CNAME   pws-ng-prod-iks-wdc-01-997b58a668d15d562a6bed58ea7c5f9e-0001.us-east.containers.appdomain.cloud.
pws-ng-prod-iks-wdc-01-997b58a668d15d562a6bed58ea7c5f9e-0001.us-east.containers.appdomain.cloud.   300     IN      A       169.55.126.243
pws-ng-prod-iks-wdc-01-997b58a668d15d562a6bed58ea7c5f9e-0001.us-east.containers.appdomain.cloud.   300     IN      A       169.61.113.60
pws-ng-prod-iks-wdc-01-997b58a668d15d562a6bed58ea7c5f9e-0001.us-east.containers.appdomain.cloud.   300     IN      A       169.55.126.244
pws-ng-prod-iks-wdc-01-997b58a668d15d562a6bed58ea7c5f9e-0001.us-east.containers.appdomain.cloud.   300     IN      A       169.63.130.179
pws-ng-prod-iks-wdc-01-997b58a668d15d562a6bed58ea7c5f9e-0001.us-east.containers.appdomain.cloud.   300     IN      A       169.63.130.180
pws-ng-prod-iks-wdc-01-997b58a668d15d562a6bed58ea7c5f9e-0001.us-east.containers.appdomain.cloud.   300     IN      A       169.61.113.58

;; AUTHORITY SECTION:

;; ADDITIONAL SECTION:

;; Query time: 191 msec
;; SERVER: 127.0.0.1
;; WHEN: Fri Mar 12 08:27:14 2021
;; MSG SIZE  rcvd: 310

IOW there are several choices for the path to take, and it's up to your client to choose *which* path to take.

HTH

--Chris


From ahrar.ahmed at inara.pk  Mon Mar 22 05:21:45 2021
From: ahrar.ahmed at inara.pk (Ahrar Ahmad Khan)
Date: Mon, 22 Mar 2021 10:21:45 +0500
Subject: DNSTAP Arch Linux
Message-ID: <1616390505597422204@inara.pk>

Hello

I am running unbound 13.1 on arch linux 5.11.7. I have installed unbound with DNSTAP enabled. I had also installed dnstap from the following:

$ go get -u -v github.com/dnstap/golang-dnstap
$ go get -u -v github.com/dnstap/golang-dnstap/dnstap

Whenever I run "go/bin/dnstap -u /etc/unbound/dnstap.sock" and reload the unbound service it works and I am seeing the client and resolver queries. But when dnstap is not listening on the socket file I am seeing the following in the unbound log:

[411:3] error: dnstap io: failed to connect to "/dnstap.sock": Connection refused

Is it intentional for something to listen on the socket for unbound to not refuse the connection?

Regards
Ahrar Ahmad Khan
System Engineer
Inara Technologies (Pvt) Ltd.
Phone : +92(334)8462863
web: www.inaratech.com


From paranoiddroidx at gmail.com  Tue Mar 23 10:54:53 2021
From: paranoiddroidx at gmail.com (Paranoid)
Date: Tue, 23 Mar 2021 10:54:53 +0000
Subject: Can someone help me decipher these unbound logs

config: https://paste.debian.net/1190404
unbound log: http://paste.debian.net/1190476/
dig log: http://paste.debian.net/1190477/

Synced time, made sure to regenerate the root.key file, double checked the ownership and permissions to no avail.
Decided to nuke my sdcard to install the preconfigured dietpi thinking it might be a mistake on my part, still the same issue. No matter how much I try dnssec just does not seem to work. I have a router running openwrt which I reset to default settings just in case it was a misconfiguration but get these same errors.

Any help would be appreciated!


From francois.ronvaux at gmail.com  Wed Mar 24 22:33:55 2021
From: francois.ronvaux at gmail.com (François RONVAUX)
Date: Wed, 24 Mar 2021 23:33:55 +0100
Subject: Unbound does not forward query to NSD

Hello,

I have a server running both NSD and Unbound.

The problem is that Unbound does not seem to redirect the queries for "mydomain.net" to NSD as it should.

NSD listening interface : "ip_address_ns1" (this is the external interface facing the Internet)
NSD master authoritative zone : "mydomain.net"
NSD master server of the zone : "ns1.mydomain.net"

# Unbound config file.
#=====================
server:
        do-ip6: no
        do-ip4: yes
        do-tcp: yes
        do-udp: yes

        interface: 127.0.0.1
        port: 53

        verbosity: 1
        statistics-cumulative: yes
        extended-statistics: yes

        access-control: 0.0.0.0/0 refuse
        access-control: 127.0.0.0/8 allow

        hide-identity: yes
        hide-version: yes

        root-hints: "/var/unbound/db/root.hints"
        auto-trust-anchor-file: "/var/unbound/db/root.key"
        module-config: "validator iterator"

        harden-glue: yes
        harden-algo-downgrade: no
        harden-dnssec-stripped: yes
        harden-below-nxdomain: yes
        harden-referral-path: yes
        aggressive-nsec: yes
        use-caps-for-id: yes
        qname-minimisation: yes
        val-clean-additional: yes

        cache-min-ttl: 3600
        cache-max-ttl: 86400
        prefetch: yes
        prefetch-key: yes

        unwanted-reply-threshold: 10000

        do-not-query-localhost: no

forward-zone:
       name: "mydomain.net."
       forward-addr: ip_address_ns1     # ns1.mydomain.net
       forward-addr: ip_address_ns2     # ns2.mydomain.net

# End of File.
#=============

If I understand the result of a "dig +trace mydomain.net" correctly, it seems that the query goes outside my server to the "." DNS servers and then to the ".net" DNS servers instead of going directly to "address_ip_ns1" or "address_ip_ns2":

root at ns1 [23:07:48]:~$ dig +trace mydomain.net

; <<>> dig 9.10.8-P1 <<>> +trace mydomain.net
;; global options: +cmd
[...]
.                       518400  IN      NS      m.root-servers.net.
;; Received 1097 bytes from 198.41.0.4#53(198.41.0.4) in 12 ms

[...]
net.                    172800  IN      NS      m.gtld-servers.net.
;; Received 1169 bytes from 199.7.83.42#53(l.root-servers.net) in 8 ms

mydomain.net.           172800  IN      NS      ns1.mydomain.net.
mydomain.net.           172800  IN      NS      ns2.mydomain.net.
;; Received 658 bytes from 192.31.80.30#53(d.gtld-servers.net) in 6 ms

mydomain.net.           3600    IN      A       ip_address
mydomain.net.           3600    IN      NS      ns1.mydomain.net.
mydomain.net.           3600    IN      NS      ns2.mydomain.net.
;; Received 125 bytes from ip_address_ns1#53(ns1.mydomain.net) in 0 ms

Do you have any suggestions?

Thanks in advance.


From tom at whyscream.net  Thu Mar 25 09:25:20 2021
From: tom at whyscream.net (Tom Hendrikx)
Date: Thu, 25 Mar 2021 10:25:20 +0100
Subject: Unbound does not forward query to NSD

Hi,

In your example, dig will do the recursion by itself. To test your unbound setup, you'll need to send a "dig mydomain.net" to your unbound server, and then check the unbound logs for the route taken.

Kind regards,

Tom

On 24-03-2021 23:33, François RONVAUX via Unbound-users wrote:
> Hello,
>
>
> I have a server running both NSD and Unbound.
>
> The problem is that Unbound does not seem to redirect the queries for
> "mydomain.net" to NSD as it should.
>
>
> NSD listening interface : "ip_address_ns1" (this is the external
> interface facing the Internet)
> NSD master authoritative zone : "mydomain.net"
> NSD master server of the zone : "ns1.mydomain.net"
>
>
>
> # Unbound config file.
> #=====================
> server:
>         do-ip6: no
>         do-ip4: yes
>         do-tcp: yes
>         do-udp: yes
>
>         interface: 127.0.0.1
>         port: 53
>
>         verbosity: 1
>         statistics-cumulative: yes
>         extended-statistics: yes
>
>         access-control: 0.0.0.0/0 refuse
>         access-control: 127.0.0.0/8 allow
>
>         hide-identity: yes
>         hide-version: yes
>
>         root-hints: "/var/unbound/db/root.hints"
>         auto-trust-anchor-file: "/var/unbound/db/root.key"
>         module-config: "validator iterator"
>
>         harden-glue: yes
>         harden-algo-downgrade: no
>         harden-dnssec-stripped: yes
>         harden-below-nxdomain: yes
>         harden-referral-path: yes
>         aggressive-nsec: yes
>         use-caps-for-id: yes
>         qname-minimisation: yes
>         val-clean-additional: yes
>
>         cache-min-ttl: 3600
>         cache-max-ttl: 86400
>         prefetch: yes
>         prefetch-key: yes
>
>         unwanted-reply-threshold: 10000
>
>         do-not-query-localhost: no
>
> forward-zone:
>        name: "mydomain.net."
>        forward-addr: ip_address_ns1     # ns1.mydomain.net
>        forward-addr: ip_address_ns2     # ns2.mydomain.net
>
>
> # End of File.
> #=============
>
>
>
> If I understand the result of a "dig +trace mydomain.net" correctly, it
> seems that the query goes outside my server to the "." DNS servers and
> then to the ".net" DNS servers instead of going directly to
> "address_ip_ns1" or "address_ip_ns2":
>
>
> root at ns1 [23:07:48]:~$ dig +trace mydomain.net
>
> ; <<>> dig 9.10.8-P1 <<>> +trace mydomain.net
> ;; global options: +cmd
> [...]
> .                       518400  IN      NS      m.root-servers.net.
> ;; Received 1097 bytes from 198.41.0.4#53(198.41.0.4) in 12 ms
>
> [...]
> net.                    172800  IN      NS      m.gtld-servers.net.
> ;; Received 1169 bytes from 199.7.83.42#53(l.root-servers.net) in 8 ms
>
> mydomain.net.           172800  IN      NS      ns1.mydomain.net.
> mydomain.net.           172800  IN      NS      ns2.mydomain.net.
> ;; Received 658 bytes from 192.31.80.30#53(d.gtld-servers.net) in 6 ms
>
> mydomain.net.           3600    IN      A       ip_address
> mydomain.net.           3600    IN      NS      ns1.mydomain.net.
> mydomain.net.           3600    IN      NS      ns2.mydomain.net.
> ;; Received 125 bytes from ip_address_ns1#53(ns1.mydomain.net) in 0 ms
>
>
> Do you have any suggestions?
>
>
> Thanks in advance.


From francois.ronvaux at gmail.com  Thu Mar 25 15:14:01 2021
From: francois.ronvaux at gmail.com (François RONVAUX)
Date: Thu, 25 Mar 2021 16:14:01 +0100
Subject: Unbound does not forward query to NSD

Hello Tom,

Thanks for your reply.

This is what I get after restarting Unbound with the "verbosity: 3" setting...

root at ns1 [14:53:10]:/var/log$ dig mydomain.net
root at ns1 [14:53:10]:/var/log$ tail -f daemon
Mar 25 14:53:10 ns1 unbound: [84765:0] notice: init module 0: validator
Mar 25 14:53:10 ns1 unbound: [84765:0] notice: init module 1: iterator
Mar 25 14:53:10 ns1 unbound: [84765:0] info: DelegationPoint: 0 names (0 missing), 2 addrs (0 result, 2 avail) parentNS
Mar 25 14:53:10 ns1 unbound: [84765:0] info: DelegationPoint<.>: 13 names (0 missing), 26 addrs (0 result, 26 avail) parentNS
Mar 25 14:53:10 ns1 unbound: [84765:0] info: start of service (unbound 1.11.0).
Mar 25 14:54:20 ns1 unbound: [84765:0] query: 127.0.0.1 mydomain.net. A IN
Mar 25 14:54:20 ns1 unbound: [84765:0] info: validator operate: query mydomain.net. A IN
Mar 25 14:54:20 ns1 unbound: [84765:0] info: resolving mydomain.net. A IN
Mar 25 14:54:20 ns1 unbound: [84765:0] info: processQueryTargets: mydomain.net. A IN
Mar 25 14:54:20 ns1 unbound: [84765:0] info: sending query: mydomain.net. A IN
Mar 25 14:54:20 ns1 unbound: [84765:0] info: iterator operate: query mydomain.net. A IN
Mar 25 14:54:20 ns1 unbound: [84765:0] info: response for mydomain.net. A IN
Mar 25 14:54:20 ns1 unbound: [84765:0] info: reply from ip_address_ns2#53
Mar 25 14:54:20 ns1 unbound: [84765:0] info: query response was ANSWER
Mar 25 14:54:20 ns1 unbound: [84765:0] info: finishing processing for mydomain.net. A IN
Mar 25 14:54:20 ns1 unbound: [84765:0] info: validator operate: query mydomain.net. A IN
Mar 25 14:54:20 ns1 unbound: [84765:0] info: prime trust anchor
Mar 25 14:54:20 ns1 unbound: [84765:0] info: validator operate: query . DNSKEY IN
Mar 25 14:54:20 ns1 unbound: [84765:0] info: resolving . DNSKEY IN
Mar 25 14:54:20 ns1 unbound: [84765:0] info: priming . IN NS
Mar 25 14:54:20 ns1 unbound: [84765:0] info: iterator operate: query . NS IN
[...] around 1k lines of queries and answers! [...]
Mar 25 14:54:20 ns1 unbound: [84765:0] info: response for mydomain.net. DS IN
Mar 25 14:54:20 ns1 unbound: [84765:0] info: reply from 192.31.80.30#53
Mar 25 14:54:20 ns1 unbound: [84765:0] info: query response was nodata ANSWER
Mar 25 14:54:20 ns1 unbound: [84765:0] info: finishing processing for mydomain.net. DS IN
Mar 25 14:54:20 ns1 unbound: [84765:0] info: validator operate: query mydomain.net. DS IN
Mar 25 14:54:20 ns1 unbound: [84765:0] info: NSEC3s for the referral proved no DS.
Mar 25 14:54:20 ns1 unbound: [84765:0] info: validator operate: query mydomain.net. A IN
Mar 25 14:54:20 ns1 unbound: [84765:0] info: Verified that unsigned response is INSECURE
Mar 25 14:54:20 ns1 unbound: [84765:0] reply: 127.0.0.1 mydomain.net. A IN NOERROR 0.195477 0 57

So it seems that the NSD server (ns2.mydomain.net) is queried first but the query still goes up to the root DNS.
From daisuke.higashi at gmail.com  Thu Mar 25 16:29:32 2021
From: daisuke.higashi at gmail.com (Daisuke HIGASHI)
Date: Fri, 26 Mar 2021 01:29:32 +0900
Subject: Unbound does not forward query to NSD

Hi,

Regardless of forwarder statements, Unbound tries to verify the DNSSEC "chain of trust" root -> net -> mydomain.net, generating queries to these nameservers.
If this is not desired, mark the target domain "insecure".

----
domain-insecure: "mydomain.net"   ***
forward-zone:
   name: "mydomain.net"
   forward-addr: ip_address_ns1
----

or if you have mydomain.net's real DNSSEC trust anchor, set it?


From francois.ronvaux at gmail.com  Thu Mar 25 17:54:57 2021
From: francois.ronvaux at gmail.com (François RONVAUX)
Date: Thu, 25 Mar 2021 18:54:57 +0100
Subject: Unbound does not forward query to NSD

Daisuke,

The domain currently has no DNSSEC records.

You are right. With the "domain-insecure" setting, the query is not forwarded outside the server anymore.

root at ns1 [18:45:34]:/var/unbound/etc$ rcctl restart unbound && tail -f /var/log/daemon
notice: init module 0: validator
notice: init module 1: iterator
info: DelegationPoint: 0 names (0 missing), 2 addrs (0 result, 2 avail) parentNS
info: DelegationPoint<.>: 13 names (0 missing), 26 addrs (0 result, 26 avail) parentNS
info: start of service (unbound 1.11.0).
query: 127.0.0.1 mydomain.net. A IN
info: validator operate: query mydomain.net. A IN
info: resolving mydomain.net. A IN
info: processQueryTargets: mydomain.net. A IN
info: sending query: mydomain.net. A IN
info: iterator operate: query mydomain.net. A IN
info: response for mydomain.net. A IN
info: reply from ip_address_ns1#53
info: query response was ANSWER
info: finishing processing for mydomain.net. A IN
info: validator operate: query mydomain.net. A IN
reply: 127.0.0.1 mydomain.net. A IN NOERROR 0.002583 0 57

Thanks for your suggestion!

On Thu, 25 Mar 2021 at 17:29, Daisuke HIGASHI wrote:
> Hi,
>
> Regardless of forwarder statements, Unbound tries to verify the DNSSEC
> "chain of trust" root -> net -> mydomain.net, generating queries to
> these nameservers.
> If this is not desired, mark the target domain "insecure".
>
> ----
> domain-insecure: "mydomain.net"   ***
> forward-zone:
>    name: "mydomain.net"
>    forward-addr: ip_address_ns1
> ----
>
> or if you have mydomain.net's real DNSSEC trust anchor, set it?
>
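To close the thread, an added example (not from the thread) of the two ways Daisuke describes to stop the validator from walking root -> net for a forwarded zone, with the trade-off each carries. The forwarder addresses are assumptions, and the trust-anchor line is a placeholder, not a real record; it is commented out so the fragment is valid as written.

```conf
server:
    # Case 1: mydomain.net is unsigned (no DS at .net), as in this thread.
    # domain-insecure stops the validator from fetching DS/DNSKEY for this
    # name and everything below it. Answers come back marked "insecure", so
    # the forwarded NSD is trusted on the strength of the network path only;
    # if the zone is signed later, this line silently turns validation off.
    domain-insecure: "mydomain.net"

    # Case 2 (alternative, only if the zone is signed): a local trust anchor
    # makes unbound validate against this key directly instead of walking
    # down from the root, and a spoofed answer from a forwarder then fails.
    # Replace the placeholder with the zone's real DS or DNSKEY record.
    # trust-anchor: "mydomain.net. DS 12345 13 2 <digest>"   # placehol
der values, assumption

forward-zone:
    name: "mydomain.net."
    forward-addr: 192.0.2.1    # assumed address of ns1.mydomain.net
    forward-addr: 192.0.2.2    # assumed address of ns2.mydomain.net
    # Do not add "forward-first: yes" here: then unbound would also resolve
    # the zone via the root whenever both forwarders fail, which this
    # setup is meant to avoid.
```

With case 1 the log line `Verified that unsigned response is INSECURE` disappears and, as François's second log shows, the whole exchange is one query and one reply from the forwarder. With case 2 `unbound-host -v mydomain.net` should report the answer as `(secure)`; if it reports `(BOGUS)` the anchor and the zone's keys do not match, and unbound will SERVFAIL the name rather than hand out the unvalidated data.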