BUG: interface-automatic vs DNS-over-TLS (Re: unbound not listening on 853?)

Phil Pennock unbound-users+phil at spodhuis.org
Tue Feb 1 00:09:02 UTC 2022


On 2022-01-28 at 21:48 -0500, Phil Pennock via Unbound-users wrote:
> Folks, I've probably made a stupid mistake somewhere, but I can't find
> it.

Found it: setting server.interface-automatic to "yes" causes the
DNS-over-TLS ports to not be opened.

My config has:

  # Multiple IPv6 addresses, replies come from the wrong one without this
  interface-automatic: yes

Recompiling with some additional logging at VERB_OPS let me see what was
happening.  Setting that bool to "no" was sufficient to get unbound
listening on port 853.

I _think_ the interface-automatic setting was needed because these boxes
are also home container servers (via K3S) so interfaces dynamically
appear and disappear over time and I debugged some DNS failures to
wrong-origin responses without the setting.

Working from current git head, release-1.14.0-51-g10d98041:

[1643673519] unbound[178009:0] notice: listening_ports_open: auto AF_INET6, do_auto=1
[1643673519] unbound[178009:0] notice: listening_ports_open: auto AF_INET(4), do_auto=1
 -- port 853 not opened, confirmed with lsof

setting "interface-automatic: no":

[1643673589] unbound[178948:0] notice: listening_ports_open[0]: is IPv4 [0.0.0.0] ssl_port=853
[1643673589] unbound[178948:0] notice: listening_ports_open[1]: is IPv6 [::0] ssl_port=853
[1643673589] unbound[178948:0] notice: listening_ports_open[2]: is IPv4 [0.0.0.0@853] ssl_port=853
[1643673589] unbound[178948:0] notice: listening_ports_open[3]: is IPv6 [::0@853] ssl_port=853

-Phil
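An added example, not from Phil's post and not part of the Unbound project: a small pre-deploy lint for the combination reported above. It reads a constructed unbound.conf, and flags "interface-automatic: yes" whenever the same file also asks for listeners on the TLS port (interface lines ending in @853, or whatever tls-port is set to), since on the build Phil tested that combination left port 853 closed while the config looked correct. The file locations, the tls-service-key/pem paths and the second "fixed" config are assumptions made for the example; the first config mirrors the snippet and listeners visible in the post.

```shell
#!/bin/sh
# Added example (not from the post or from Unbound): lint an unbound.conf for
# interface-automatic: yes combined with TLS-port listeners.
set -e

# Constructed stand-ins for /etc/unbound/unbound.conf; key/pem paths are assumed.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT

cat > "$tmp/reported.conf" <<'EOF'
server:
  # Multiple IPv6 addresses, replies come from the wrong one without this
  interface-automatic: yes
  interface: 0.0.0.0
  interface: ::0
  interface: 0.0.0.0@853
  interface: ::0@853
  tls-port: 853
  tls-service-key: /etc/unbound/tls/key.pem   # assumed path
  tls-service-pem: /etc/unbound/tls/cert.pem  # assumed path
EOF

cat > "$tmp/fixed.conf" <<'EOF'
server:
  interface-automatic: no
  interface: 0.0.0.0
  interface: ::0
  interface: 0.0.0.0@853
  interface: ::0@853
  tls-port: 853
  tls-service-key: /etc/unbound/tls/key.pem   # assumed path
  tls-service-pem: /etc/unbound/tls/cert.pem  # assumed path
EOF

# dot_conflict FILE
# Returns 0 (conflict) when interface-automatic is yes AND at least one
# interface: line carries an @port equal to tls-port (default 853).
# Returns 1 otherwise.  Comments are stripped before matching.
dot_conflict() {
    awk '
        { sub(/#.*/, "") }                              # drop trailing comments
        /^[ \t]*interface-automatic:[ \t]*yes/ { auto = 1 }
        /^[ \t]*tls-port:/                     { tlsport = $2 }
        /^[ \t]*interface:/                    { ifaces[n++] = $2 }
        END {
            if (tlsport == "") tlsport = 853            # Unbound default
            for (i = 0; i < n; i++) {
                p = ifaces[i]; sub(/.*@/, "", p)        # keep only the @port suffix
                if (p != ifaces[i] && p == tlsport) tls++
            }
            exit !(auto && tls)
        }' "$1"
}

for f in reported fixed; do
    if dot_conflict "$tmp/$f.conf"; then
        echo "$f.conf: interface-automatic: yes will leave the @853 listeners unopened"
    else
        echo "$f.conf: ok"
    fi
done
```

The lint only reads the file; after any change to a live server, confirm the listener actually exists the way the post does, with lsof (lsof -i :853) or ss -ltn, rather than trusting the config.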

