unbound not listening on 853?

George Thessalonikefs george at nlnetlabs.nl
Sat Jan 29 14:58:31 UTC 2022


Hi Phil,

Oops, I just fixed
(https://github.com/NLnetLabs/unbound/commit/c49e87e1b7abd9f7c62107dab7fd3006d2f53c2c)
the alternate syntax for tls-* and ssl-* options to also work outside of
the config file parsing.
Thanks for reporting!

I can't tell what is happening by what you shared, but I do know that if
the SSL context cannot be created it leads to a fatal error (Unbound
does not start), and if a listening socket cannot be set up, it also leads
to Unbound not being able to start.
Verbosity on 4 and above logs the listening socket creation phase.

You asked for a clue hammer, so: are you sure that the config file you
edit is the one that Unbound reads when starting? :)
You can change the DNS port to something non-standard (port: 1234), or
just use module-config: "iterator" and see if those changes are picked
up on startup.

Best regards,
-- George

On 29/01/2022 03:48, Phil Pennock via Unbound-users wrote:
> Folks, I've probably made a stupid mistake somewhere, but I can't find
> it.  Cluehammer me please.  I set up DNS-over-TLS ages ago at home but
> rarely touch it, and I just went to take a look and it doesn't appear to
> be available.  (I should probably sort out some monitoring).  I last
> touched it last year to replace an expiring cert.
> 
> As far as I can tell, Unbound is built with support, it's configured
> with `interface:` and `tls-port:` and the key/cert, but
> `lsof -nPc unbound` shows it's not listening on 853.
> 
> It looks like unbound-checkconf doesn't like the `tls-` names, but does
> take `ssl-` variants; an oversight?
> 
> OS is Ubuntu 20.04 (amd64); unbound is self-compiled 1.14.0.
> I restarted with `verbosity: 5` and can see no mention of this port.
> It appears to just be silently ignored and I'm not figuring out what I
> messed up.
> 
> # unbound -V
> Version 1.14.0
> 
> Configure line: --prefix=/opt/unbound --with-ssl --enable-pie --enable-relro-now --enable-subnet --with-libevent --enable-systemd --enable-tfo-client --enable-tfo-server --enable-dnstap
> Linked libs: libevent 2.1.11-stable (it uses epoll), OpenSSL 1.1.1f  31 Mar 2020
> Linked modules: dns64 subnetcache respip validator iterator
> TCP Fastopen feature available
> 
> 
> # unbound-checkconf -o interface
> 0.0.0.0
> ::0
> 0.0.0.0@853
> ::0@853
> # unbound-checkconf -o tls-port
> [1643422803] unbound-checkconf[1654730:0] fatal error: cannot print option 'tls-port'
> # unbound-checkconf -o ssl-port
> 853
> # unbound-checkconf -o ssl-service-key
> /etc/unbound/tls/unbound-dns-home-2021.key
> # unbound-checkconf -o ssl-service-pem
> /etc/unbound/tls/unbound-dns-home-2021.chain.pem
> 
> The cert is a P-256/prime256v1 one from a home CA, EKU allows for
> web-server, I don't recall any docs saying anything special is needed in
> a cert for DNS.  The SANs in the cert include my home LAN IPs, home LAN
> hostnames, etc.
> 
> What did I do wrong, please?  (Besides only monitor port 53)
> -Phil
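As an added illustration (not from this thread and not Unbound's own code), a small checker that mirrors two points above: it normalises the `ssl-*` spellings to their `tls-*` equivalents and reports why a config would bring up no listener on the TLS port, so you can run it against the file you believe Unbound reads. The parser, the function names and the two sample configs are hypothetical and constructed here.

```python
"""Hypothetical sanity check for DNS-over-TLS listeners in an unbound.conf."""

# Unbound accepts both spellings; normalise to the tls-* names before checking.
ALIASES = {"ssl-port": "tls-port", "ssl-service-key": "tls-service-key",
           "ssl-service-pem": "tls-service-pem"}

def parse_server_section(text):
    """Return (options, interfaces) taken from the server: clause only."""
    opts, ifaces, in_server = {}, [], False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop comments and blanks
        if not line:
            continue
        if line.endswith(":") and " " not in line:  # clause header, e.g. "server:"
            in_server = (line == "server:")
            continue
        if not in_server:
            continue
        key, _, value = line.partition(":")
        key = ALIASES.get(key.strip(), key.strip())  # map ssl-* onto tls-*
        value = value.strip().strip('"')
        if key == "interface":
            ifaces.append(value)                     # interface may repeat
        else:
            opts[key] = value
    return opts, ifaces

def dot_problems(text):
    """List reasons no DoT listener would come up; empty list means it looks fine."""
    opts, ifaces = parse_server_section(text)
    port = opts.get("tls-port", "853")               # Unbound's default TLS port
    problems = []
    if not any(i.endswith("@" + port) for i in ifaces):
        problems.append("no interface bound to TLS port " + port)
    for opt in ("tls-service-key", "tls-service-pem"):
        if not opts.get(opt):
            problems.append(opt + " not set")
    return problems

# Constructed sample configs (paths are placeholders, not a real deployment).
GOOD_CONF = """server:
    interface: 0.0.0.0
    interface: 0.0.0.0@853
    ssl-port: 853   # older spelling of tls-port
    tls-service-key: "/path/to/example.key"
    tls-service-pem: "/path/to/example.chain.pem"
"""
BAD_CONF = """server:
    interface: 0.0.0.0
    tls-port: 853
"""
```

Pointing it at a file that reports no problems while `lsof` still shows nothing on 853 is a strong hint that Unbound is reading a different file.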
