unbound not listening on 853?
George Thessalonikefs
george at nlnetlabs.nl
Sat Jan 29 14:58:31 UTC 2022
Hi Phil,
Oops, I just fixed
(https://github.com/NLnetLabs/unbound/commit/c49e87e1b7abd9f7c62107dab7fd3006d2f53c2c)
the alternate syntax for tls-* and ssl-* options to also work outside of
the config file parsing.
Thanks for reporting!
I can't tell what is happening by what you shared but I do know that if
the SSL context cannot be created it leads to a fatal error (Unbound
does not start) and if a listening socket cannot be setup, it also leads
to Unbound not being able to start.
Verbosity on 4 and above logs the listening socket creation phase.
You asked for a clue hammer so are you sure that the config file you
edit is the one that Unbound reads when starting? :)
You can change the DNS port to something non-standard (port: 1234), or
just use module-config: "iterator" and see if those changes are picked
up on startup.
Best regards,
-- George
On 29/01/2022 03:48, Phil Pennock via Unbound-users wrote:
> Folks, I've probably made a stupid mistake somewhere, but I can't find
> it. Cluehammer me please. I setup DNS-over-TLS ages ago at home but
> rarely touch it, and I just went to take a look and it doesn't appear to
> be available. (I should probably sort out some monitoring). I last
> touched it last year to replace an expiring cert.
>
> As far as I can tell, Unbound is built with support, it's configured
> with `interface:` and `tls-port:` and the key/cert, but
> `lsof -nPc unbound` shows it's not listening on 853.
>
> It looks like unbound-checkconf doesn't like the `tls-` names, but does
> take `ssl-` variants; an oversight?
>
> OS is Ubuntu 20.04 (amd64); unbound is self-compiled 1.14.0.
> I restarted with `verbosity: 5` and can see no mention of this port.
> It appears to just be silently ignored and I'm not figuring out what I
> messed up.
>
> # unbound -V
> Version 1.14.0
>
> Configure line: --prefix=/opt/unbound --with-ssl --enable-pie --enable-relro-now --enable-subnet --with-libevent --enable-systemd --enable-tfo-client --enable-tfo-server --enable-dnstap
> Linked libs: libevent 2.1.11-stable (it uses epoll), OpenSSL 1.1.1f 31 Mar 2020
> Linked modules: dns64 subnetcache respip validator iterator
> TCP Fastopen feature available
>
>
> # unbound-checkconf -o interface
> 0.0.0.0
> ::0
> 0.0.0.0 at 853
> ::0 at 853
> # unbound-checkconf -o tls-port
> [1643422803] unbound-checkconf[1654730:0] fatal error: cannot print option 'tls-port'
> # unbound-checkconf -o ssl-port
> 853
> # unbound-checkconf -o ssl-service-key
> /etc/unbound/tls/unbound-dns-home-2021.key
> # unbound-checkconf -o ssl-service-pem
> /etc/unbound/tls/unbound-dns-home-2021.chain.pem
>
> The cert is a P-256/prime256v1 one from a home CA, EKU allows for
> web-server, I don't recall any docs saying anything special is needed in
> a cert for DNS. The SANs in the cert include my home LAN IPs, home LAN
> hostnames, etc.
>
> What did I do wrong, please? (Besides only monitor port 53)
> -Phil
More information about the Unbound-users
mailing list