unbound not listening on 853?
Phil Pennock
unbound-users+phil at spodhuis.org
Sun Jan 30 03:31:16 UTC 2022
On 2022-01-29 at 12:53 +0100, Havard Eidnes wrote:
> At this point I would check whether you have an older unbound
> binary package installed, and where unbound-checkconf comes from,
> whether it's the 1.14.0 version you built yourself or something
> else.
# whence -vfa unbound
unbound is /opt/unbound/sbin/unbound
# whence -vfa unbound-checkconf
unbound-checkconf is /opt/unbound/sbin/unbound-checkconf
# dpkg -l | grep unbound
ii optunbound-unbound 1.14.0~pt1 amd64 unbound packaged for install into /opt/unbound
On 2022-01-29 at 15:58 +0100, George Thessalonikefs via Unbound-users wrote:
> Oops, I just fixed (https://github.com/NLnetLabs/unbound/commit/c49e87e1b7abd9f7c62107dab7fd3006d2f53c2c)
> the alternate syntax for tls-* and ssl-* options to also work outside of the
> config file parsing.
Progress!
> Verbosity on 4 and above logs the listening socket creation phase.
Well, I used verbosity 5 and it doesn't log anything for these.
# journalctl -o cat -u unbound | less
[...]
Starting Validating, recursive, and caching DNS resolver...
[1643423300] unbound[1177707:0] debug: increased limit(open files) from 1024 to 4176
[1643423300] unbound[1177707:0] debug: creating udp6 socket :: 53
[1643423300] unbound[1177707:0] debug: creating tcp6 socket :: 53
[1643423300] unbound[1177707:0] debug: creating udp4 socket 0.0.0.0 53
[1643423300] unbound[1177707:0] debug: creating tcp4 socket 0.0.0.0 53
[1643423300] unbound[1177707:0] debug: creating tcp6 socket ::1 8953
[1643423300] unbound[1177707:0] debug: creating tcp4 socket 127.0.0.1 8953
[1643423300] unbound[1177707:0] debug: setup SSL certificates
[1643423300] unbound[1177707:0] debug: chdir to /etc/unbound
[1643423300] unbound[1177707:0] debug: drop user privileges, run as unbound
[1643423300] unbound[1177707:0] debug: switching log to stderr
[...]
> You asked for a clue hammer so are you sure that the config file you edit is
> the one that Unbound reads when starting? :)
Yes. Notably, I didn't edit a config file here; I was inspecting what I
had to see why it wasn't working. I use local-zone/local-data to create
both .lan and .home.arpa zones (same content, auto-generated from the
same data source); `unbound-control list_local_zones` shows them, and
also:
# unbound-control get_option interface
0.0.0.0
::0
0.0.0.0@853
::0@853
# unbound-control get_option ssl-port
853
#
So unbound-control sees the options are set. Similarly for
ssl-service-key and ssl-service-pem.
I can `dig -t a ns1.home.arpa. @IP` for the two servers in question and
see the DNS in place, and the NSID from the server.nsid option.
On 2022-01-29 at 16:06 +0100, Jaap Akkerhuis via Unbound-users wrote:
> lsof probably combines this into "*.*", try
>
> # lsof -p ` pgrep unbound `
>
> to see what unbound is listening to.
I believe my `lsof -nPc unbound` covered that. But sure, if we allow
for there being multiple unbound processes because it forks, and `-p`
taking a comma-separated list, then:
# lsof -p $(pgrep unbound | xargs | tr ' ' ,)
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
unbound 1177784 unbound cwd DIR 253,0 4096 9970660 /etc/unbound
unbound 1177784 unbound rtd DIR 253,0 4096 2 /
unbound 1177784 unbound txt REG 253,0 6377808 5505797 /opt/unbound/sbin/unbound
unbound 1177784 unbound mem REG 253,0 239896 1846469 /usr/lib/x86_64-linux-gnu/libnss_systemd.so.2
unbound 1177784 unbound mem REG 253,0 51832 1835334 /usr/lib/x86_64-linux-gnu/libnss_files-2.31.so
unbound 1177784 unbound mem REG 253,0 137584 1841049 /usr/lib/x86_64-linux-gnu/libgpg-error.so.0.28.0
unbound 1177784 unbound mem REG 253,0 18816 1835327 /usr/lib/x86_64-linux-gnu/libdl-2.31.so
unbound 1177784 unbound mem REG 253,0 1168056 1836942 /usr/lib/x86_64-linux-gnu/libgcrypt.so.20.2.5
unbound 1177784 unbound mem REG 253,0 129248 1835078 /usr/lib/x86_64-linux-gnu/liblz4.so.1.9.2
unbound 1177784 unbound mem REG 253,0 162264 1840832 /usr/lib/x86_64-linux-gnu/liblzma.so.5.2.4
unbound 1177784 unbound mem REG 253,0 40040 1835341 /usr/lib/x86_64-linux-gnu/librt-2.31.so
unbound 1177784 unbound mem REG 253,0 157224 1835339 /usr/lib/x86_64-linux-gnu/libpthread-2.31.so
unbound 1177784 unbound mem REG 253,0 2954080 1835122 /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1
unbound 1177784 unbound mem REG 253,0 709496 1835302 /usr/lib/x86_64-linux-gnu/libsystemd.so.0.28.0
unbound 1177784 unbound mem REG 253,0 346672 1841021 /usr/lib/x86_64-linux-gnu/libevent-2.1.so.7.0.0
unbound 1177784 unbound mem REG 253,0 39016 1836339 /usr/lib/x86_64-linux-gnu/libprotobuf-c.so.1.0.0
unbound 1177784 unbound mem REG 253,0 598104 1836722 /usr/lib/x86_64-linux-gnu/libssl.so.1.1
unbound 1177784 unbound mem REG 253,0 2029224 1835326 /usr/lib/x86_64-linux-gnu/libc-2.31.so
unbound 1177784 unbound mem REG 253,0 191480 1835322 /usr/lib/x86_64-linux-gnu/ld-2.31.so
unbound 1177784 unbound 0r CHR 1,3 0t0 6 /dev/null
unbound 1177784 unbound 1u unix 0xffff8c4baa57dc00 0t0 68005760 type=STREAM
unbound 1177784 unbound 2u unix 0xffff8c4baa57dc00 0t0 68005760 type=STREAM
unbound 1177784 unbound 3u IPv6 68005765 0t0 UDP *:domain
unbound 1177784 unbound 4u IPv6 68005766 0t0 TCP *:domain (LISTEN)
unbound 1177784 unbound 5u IPv4 68005767 0t0 UDP *:domain
unbound 1177784 unbound 6u IPv4 68005768 0t0 TCP *:domain (LISTEN)
unbound 1177784 unbound 7u IPv6 68005769 0t0 TCP ip6-localhost:8953 (LISTEN)
unbound 1177784 unbound 8u IPv4 68005770 0t0 TCP localhost:8953 (LISTEN)
unbound 1177784 unbound 9u unix 0xffff8c48d366c000 0t0 68005775 type=STREAM
unbound 1177784 unbound 10u unix 0xffff8c48d366d000 0t0 68005776 type=STREAM
unbound 1177784 unbound 11u a_inode 0,14 0 12415 [eventpoll]
unbound 1177784 unbound 12r FIFO 0,13 0t0 68005777 pipe
unbound 1177784 unbound 13w FIFO 0,13 0t0 68005777 pipe
kworker/u 1755537 root cwd DIR 253,0 4096 2 /
kworker/u 1755537 root rtd DIR 253,0 4096 2 /
kworker/u 1755537 root txt unknown /proc/1755537/exe
kworker/u 1757164 root cwd DIR 253,0 4096 2 /
kworker/u 1757164 root rtd DIR 253,0 4096 2 /
kworker/u 1757164 root txt unknown /proc/1757164/exe
kworker/u 1760804 root cwd DIR 253,0 4096 2 /
kworker/u 1760804 root rtd DIR 253,0 4096 2 /
kworker/u 1760804 root txt unknown /proc/1760804/exe
# dpkg-query -S /usr/lib/x86_64-linux-gnu/libssl.so.1.1
libssl1.1:amd64: /usr/lib/x86_64-linux-gnu/libssl.so.1.1
# openssl version
OpenSSL 1.1.1f 31 Mar 2020
# lsof -nP 2>/dev/null | grep ':53\b'
unbound 825 unbound 3u IPv6 28205 0t0 UDP *:53
unbound 825 unbound 4u IPv6 28206 0t0 TCP *:53 (LISTEN)
unbound 825 unbound 5u IPv4 28207 0t0 UDP *:53
unbound 825 unbound 6u IPv4 28208 0t0 TCP *:53 (LISTEN)
# lsof -nP 2>/dev/null | grep ':853\b'
#
I remain perplexed as to why this is silently failing. I first set this
up on a different host (older hardware) on 2017-10-31, per config git
repo. That was in an era before I used nfpm to make packages and I
don't have the version history of the unbound upgrades in my logbooks
from those older updates.
Clues in related logbooks _suggest_ I had 1.6.7-pt1 installed, which
would certainly fit: that was released 2017-10-10. It was also using an
ECTLS cert back then.
I really didn't touch it much in the time since; it was one of those
things which "just worked", until I went to look again because I was
going to add draft-ietf-add-ddr-04.txt support via local-data, but
figured I should double-check the prior state before touching, and look
at my monitoring and ... discovered that at some point it broke.
Related: what are people using for monitoring DNS-over-TLS service
availability? :) I'm currently just using a check_dns nagios-style
plugin in an old monitoring suite, because for my small home scale,
nagios-style service end-to-end probers still win.
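The closing question asks what people use to monitor DNS-over-TLS availability. What follows is an added example of an end-to-end prober in the nagios style, not code from this thread, from Unbound, or from any monitoring suite the post mentions. It assumes the RFC 7858 framing every DoT server speaks (a DNS message over TLS on port 853, prefixed by a two-byte big-endian length), uses ns1.home.arpa. from the thread as the default query name, and verifies the server certificate against the system trust store or an operator-supplied CA file (a private CA is common for a home resolver, so the `cafile` and `server_name` parameters are assumptions for that case). The wire-format helpers are separated from the network call so they can be checked offline with constructed bytes.

```python
"""DNS-over-TLS availability probe (added example; not from the thread or Unbound).

Assumed: RFC 7858 framing, port 853, query name ns1.home.arpa. from the thread,
certificate verification via the default trust store or a supplied CA file.
"""
import random
import socket
import ssl
import struct
import sys

DOT_PORT = 853  # assumption: the standard DNS-over-TLS port
QTYPE_A = 1
CLASS_IN = 1


def build_query(qname, qtype=QTYPE_A, txid=None):
    """Build a minimal DNS query: 12-byte header (RD set) plus one question."""
    if txid is None:
        txid = random.randrange(0x10000)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in qname.rstrip(".").split(".") if label
    )
    return header + labels + b"\x00" + struct.pack("!HH", qtype, CLASS_IN)


def frame_tcp(msg):
    """RFC 1035/7858 stream framing: two-byte big-endian length, then the message."""
    return struct.pack("!H", len(msg)) + msg


def parse_response(msg, expected_txid):
    """Return id, QR bit, TC bit, rcode and answer count; reject a mismatched id."""
    if len(msg) < 12:
        raise ValueError("DNS message shorter than the 12-byte header")
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if txid != expected_txid:
        raise ValueError(f"transaction id mismatch: got {txid:#x}, sent {expected_txid:#x}")
    return {
        "id": txid,
        "is_response": bool(flags & 0x8000),
        "truncated": bool(flags & 0x0200),
        "rcode": flags & 0x000F,
        "answers": an,
    }


def nagios_status(result):
    """Map a parsed response to a nagios-style (exit code, message) pair."""
    if not result["is_response"]:
        return 2, "CRITICAL: reply does not have the QR bit set"
    if result["rcode"] != 0:
        return 2, f"CRITICAL: server returned rcode {result['rcode']}"
    if result["answers"] == 0:
        return 1, "WARNING: NOERROR but no answer records"
    return 0, f"OK: {result['answers']} answer(s) over {result.get('tls_version', 'TLS')}"


def _recv_exact(sock, n):
    """Read exactly n bytes or fail; TLS records need not align with DNS messages."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed before the full message arrived")
        buf += chunk
    return buf


def read_framed(sock):
    """Read one length-prefixed DNS message from a TLS stream."""
    (length,) = struct.unpack("!H", _recv_exact(sock, 2))
    return _recv_exact(sock, length)


def probe_dot(host, qname="ns1.home.arpa.", port=DOT_PORT,
              server_name=None, cafile=None, timeout=5.0):
    """Open a verified TLS session to host:port, send one query, parse the reply."""
    ctx = ssl.create_default_context(cafile=cafile)  # hostname and chain checks stay on
    txid = random.randrange(0x10000)
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=server_name or host) as tls:
            tls.sendall(frame_tcp(build_query(qname, QTYPE_A, txid)))
            result = parse_response(read_framed(tls), txid)
            result["tls_version"] = tls.version()
    return result


if __name__ == "__main__":
    # usage: check_dot.py HOST [QNAME] [SERVER_NAME] [CAFILE]
    args = sys.argv[1:]
    if not args:
        sys.exit("usage: check_dot.py HOST [QNAME] [SERVER_NAME] [CAFILE]")
    try:
        res = probe_dot(args[0], *(args[1:2] or ["ns1.home.arpa."]),
                        server_name=(args[2] if len(args) > 2 else None),
                        cafile=(args[3] if len(args) > 3 else None))
        code, text = nagios_status(res)
    except (OSError, ssl.SSLError, ValueError) as exc:
        code, text = 2, f"CRITICAL: {exc}"
    print(text)
    sys.exit(code)
```

Run against a resolver as `check_dot.py 192.0.2.53 ns1.home.arpa. dns.example.internal /etc/ssl/private-ca.pem`; a refused connection on 853, a certificate that fails verification, or a reply whose transaction id does not match all surface as CRITICAL rather than being silently ignored, which is the failure mode the thread is chasing.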