unbound not listening on 853?

Steven Wills steven at swills.me
Sun Jan 30 03:39:15 UTC 2022


Hello,

This may be unlikely, but I saw something similar and when I tailed the logs, it was the fact that I had the interface as 0.0.0.0. It couldn't bind the ports to that interface. I changed it to the server's IP / interface and it worked.

Good luck,
Steven Wills

‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐

On Saturday, January 29th, 2022 at 21:31, Phil Pennock via Unbound-users <unbound-users at lists.nlnetlabs.nl> wrote:

> On 2022-01-29 at 12:53 +0100, Havard Eidnes wrote:
> > At this point I would check whether you have an older unbound
> > binary package installed, and where unbound-checkconf comes from,
> > whether it's the 1.14.0 version you built yourself or something
> > else.
>
> whence -vfa unbound
> ===================
> unbound is /opt/unbound/sbin/unbound
>
> whence -vfa unbound-checkconf
> =============================
> unbound-checkconf is /opt/unbound/sbin/unbound-checkconf
>
> dpkg -l | grep unbound
> ======================
> ii  optunbound-unbound  1.14.0~pt1  amd64  unbound packaged for install into /opt/unbound
>
> On 2022-01-29 at 15:58 +0100, George Thessalonikefs via Unbound-users wrote:
> > Oops, I just fixed (https://github.com/NLnetLabs/unbound/commit/c49e87e1b7abd9f7c62107dab7fd3006d2f53c2c)
> > the alternate syntax for tls-* and ssl-* options to also work outside of the
> > config file parsing.
>
> Progress!
>
> > Verbosity on 4 and above logs the listening socket creation phase.
>
> Well, I used verbosity 5 and it doesn't log anything for these.
>
> journalctl -o cat -u unbound | less
> ===================================
> [...]
> Starting Validating, recursive, and caching DNS resolver...
> [1643423300] unbound[1177707:0] debug: increased limit(open files) from 1024 to 4176
> [1643423300] unbound[1177707:0] debug: creating udp6 socket :: 53
> [1643423300] unbound[1177707:0] debug: creating tcp6 socket :: 53
> [1643423300] unbound[1177707:0] debug: creating udp4 socket 0.0.0.0 53
> [1643423300] unbound[1177707:0] debug: creating tcp4 socket 0.0.0.0 53
> [1643423300] unbound[1177707:0] debug: creating tcp6 socket ::1 8953
> [1643423300] unbound[1177707:0] debug: creating tcp4 socket 127.0.0.1 8953
> [1643423300] unbound[1177707:0] debug: setup SSL certificates
> [1643423300] unbound[1177707:0] debug: chdir to /etc/unbound
> [1643423300] unbound[1177707:0] debug: drop user privileges, run as unbound
> [1643423300] unbound[1177707:0] debug: switching log to stderr
> [...]
>
> > You asked for a clue hammer so are you sure that the config file you edit is
> > the one that Unbound reads when starting? :)
>
> Yes. Notably, I didn't edit a config file here, I was inspecting what I
> had to see why it wasn't working; I use local-zone/local-data to create
> both .lan and .home.arpa zones (same content, auto-generated from the
> same data source); `unbound-control list_local_zones` shows them, and
> also:
>
> unbound-control get_option interface
> ====================================
> 0.0.0.0
> ::0
> 0.0.0.0@853
> ::0@853
>
> unbound-control get_option ssl-port
> ===================================
> 853
>
> So unbound-control sees the options are set. Similarly for
> ssl-service-key and ssl-service-pem.
>
> I can `dig -t a ns1.home.arpa. @IP` for the two servers in question and
> see the DNS in place, and the NSID from the server.nsid option.
>
> On 2022-01-29 at 16:06 +0100, Jaap Akkerhuis via Unbound-users wrote:
> > lsof probably combines this into ".", try
> >
> > lsof -p `pgrep unbound`
> > =======================
> >
> > to see what unbound is listening to.
>
> I believe my `lsof -nPc unbound` covered that. But sure, if we allow
> for there being multiple unbound processes because it forks, and `-p`
> taking a comma-separated list, then:
>
> lsof -p $(pgrep unbound | xargs | tr ' ' ,)
> ===========================================
> COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
> unbound 1177784 unbound cwd DIR 253,0 4096 9970660 /etc/unbound
> unbound 1177784 unbound rtd DIR 253,0 4096 2 /
> unbound 1177784 unbound txt REG 253,0 6377808 5505797 /opt/unbound/sbin/unbound
> unbound 1177784 unbound mem REG 253,0 239896 1846469 /usr/lib/x86_64-linux-gnu/libnss_systemd.so.2
> unbound 1177784 unbound mem REG 253,0 51832 1835334 /usr/lib/x86_64-linux-gnu/libnss_files-2.31.so
> unbound 1177784 unbound mem REG 253,0 137584 1841049 /usr/lib/x86_64-linux-gnu/libgpg-error.so.0.28.0
> unbound 1177784 unbound mem REG 253,0 18816 1835327 /usr/lib/x86_64-linux-gnu/libdl-2.31.so
> unbound 1177784 unbound mem REG 253,0 1168056 1836942 /usr/lib/x86_64-linux-gnu/libgcrypt.so.20.2.5
> unbound 1177784 unbound mem REG 253,0 129248 1835078 /usr/lib/x86_64-linux-gnu/liblz4.so.1.9.2
> unbound 1177784 unbound mem REG 253,0 162264 1840832 /usr/lib/x86_64-linux-gnu/liblzma.so.5.2.4
> unbound 1177784 unbound mem REG 253,0 40040 1835341 /usr/lib/x86_64-linux-gnu/librt-2.31.so
> unbound 1177784 unbound mem REG 253,0 157224 1835339 /usr/lib/x86_64-linux-gnu/libpthread-2.31.so
> unbound 1177784 unbound mem REG 253,0 2954080 1835122 /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1
> unbound 1177784 unbound mem REG 253,0 709496 1835302 /usr/lib/x86_64-linux-gnu/libsystemd.so.0.28.0
> unbound 1177784 unbound mem REG 253,0 346672 1841021 /usr/lib/x86_64-linux-gnu/libevent-2.1.so.7.0.0
> unbound 1177784 unbound mem REG 253,0 39016 1836339 /usr/lib/x86_64-linux-gnu/libprotobuf-c.so.1.0.0
> unbound 1177784 unbound mem REG 253,0 598104 1836722 /usr/lib/x86_64-linux-gnu/libssl.so.1.1
> unbound 1177784 unbound mem REG 253,0 2029224 1835326 /usr/lib/x86_64-linux-gnu/libc-2.31.so
> unbound 1177784 unbound mem REG 253,0 191480 1835322 /usr/lib/x86_64-linux-gnu/ld-2.31.so
> unbound 1177784 unbound 0r CHR 1,3 0t0 6 /dev/null
> unbound 1177784 unbound 1u unix 0xffff8c4baa57dc00 0t0 68005760 type=STREAM
> unbound 1177784 unbound 2u unix 0xffff8c4baa57dc00 0t0 68005760 type=STREAM
> unbound 1177784 unbound 3u IPv6 68005765 0t0 UDP *:domain
> unbound 1177784 unbound 4u IPv6 68005766 0t0 TCP *:domain (LISTEN)
> unbound 1177784 unbound 5u IPv4 68005767 0t0 UDP *:domain
> unbound 1177784 unbound 6u IPv4 68005768 0t0 TCP *:domain (LISTEN)
> unbound 1177784 unbound 7u IPv6 68005769 0t0 TCP ip6-localhost:8953 (LISTEN)
> unbound 1177784 unbound 8u IPv4 68005770 0t0 TCP localhost:8953 (LISTEN)
> unbound 1177784 unbound 9u unix 0xffff8c48d366c000 0t0 68005775 type=STREAM
> unbound 1177784 unbound 10u unix 0xffff8c48d366d000 0t0 68005776 type=STREAM
> unbound 1177784 unbound 11u a_inode 0,14 0 12415 [eventpoll]
> unbound 1177784 unbound 12r FIFO 0,13 0t0 68005777 pipe
> unbound 1177784 unbound 13w FIFO 0,13 0t0 68005777 pipe
> kworker/u 1755537 root cwd DIR 253,0 4096 2 /
> kworker/u 1755537 root rtd DIR 253,0 4096 2 /
> kworker/u 1755537 root txt unknown /proc/1755537/exe
> kworker/u 1757164 root cwd DIR 253,0 4096 2 /
> kworker/u 1757164 root rtd DIR 253,0 4096 2 /
> kworker/u 1757164 root txt unknown /proc/1757164/exe
> kworker/u 1760804 root cwd DIR 253,0 4096 2 /
> kworker/u 1760804 root rtd DIR 253,0 4096 2 /
> kworker/u 1760804 root txt unknown /proc/1760804/exe
>
> dpkg-query -S /usr/lib/x86_64-linux-gnu/libssl.so.1.1
> =====================================================
> libssl1.1:amd64: /usr/lib/x86_64-linux-gnu/libssl.so.1.1
>
> openssl version
> ===============
> OpenSSL 1.1.1f 31 Mar 2020
>
> lsof -nP 2>/dev/null | grep ':53\b'
> ===================================
> unbound 825 unbound 3u IPv6 28205 0t0 UDP *:53
> unbound 825 unbound 4u IPv6 28206 0t0 TCP *:53 (LISTEN)
> unbound 825 unbound 5u IPv4 28207 0t0 UDP *:53
> unbound 825 unbound 6u IPv4 28208 0t0 TCP *:53 (LISTEN)
>
> lsof -nP 2>/dev/null | grep ':853\b'
> ====================================
>
> I remain perplexed as to why this is silently failing. I first set this
> up on a different host (older hardware) on 2017-10-31, per config git
> repo. That was in an era before I used nfpm to make packages and I
> don't have the version history of the unbound upgrades in my logbooks
> from those older updates.
>
> Clues in related logbooks suggest I had 1.6.7-pt1 installed, which
> would certainly fit: that was released 2017-10-10. It was also using an
> ECTLS cert back then.
>
> I really didn't touch it much in the time since, it was one of those
> things which "just worked", until I went to look again because I was
> going to add draft-ietf-add-ddr-04.txt support via local-data, but
> figured I should double-check the prior state before touching, and look
> at my monitoring and ... discovered that at some point it broke.
>
> Related: what are people using for monitoring DNS-over-TLS service
> availability? :) I'm currently just using a check_dns nagios-style
> plugin in an old monitoring suite, because for my small home scale,
> nagios-style service end-to-end probers still win.
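
An added example for the monitoring question at the end of the quoted message; this is not code from the thread or from Unbound. It is a small nagios-style DNS-over-TLS probe: it builds a wire-format query, sends it over TLS on port 853 with the two-byte length prefix that DNS over TCP uses (RFC 7858), verifies the server certificate chain and name with the system CA store, and parses the answer section. The server IP, the name to verify the certificate against and the query name are command-line arguments; nothing about the poster's hosts, certificates or zones is assumed. A check that merely connects to TCP 853 proves only that something is listening; this one fails if the handshake, the certificate or the DNS answer is wrong, which is what a real DoT client would see.

```python
"""DNS-over-TLS end-to-end probe in the style of a nagios check_dns plugin.
Added example, not part of the Unbound project or the mailing-list thread.
"""
import ipaddress
import secrets
import socket
import ssl
import struct
import sys
from typing import Dict, Tuple

QTYPE_A, QTYPE_AAAA = 1, 28


def build_query(qname: str, qtype: int = QTYPE_A, qid: int = -1) -> bytes:
    """Wire-format DNS query: 12-byte header with RD set plus one IN question."""
    if qid < 0:
        qid = secrets.randbelow(1 << 16)
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = [lbl.encode("ascii") for lbl in qname.rstrip(".").split(".") if lbl]
    name = b"".join(bytes([len(lbl)]) + lbl for lbl in labels) + b"\x00"
    return header + name + struct.pack("!HH", qtype, 1)


def _skip_name(msg: bytes, off: int) -> int:
    """Offset just past a domain name, handling compression pointers (RFC 1035 4.1.4)."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:   # two-byte pointer terminates the name
            return off + 2
        if length == 0:
            return off + 1
        off += 1 + length


def parse_response(msg: bytes, expected_id: int) -> Dict:
    """Sanity-check the header and collect A/AAAA rdata from the answer section."""
    if len(msg) < 12:
        raise ValueError("response shorter than a DNS header")
    qid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if qid != expected_id:
        raise ValueError(f"response ID {qid:#x} does not match query ID {expected_id:#x}")
    if not flags & 0x8000:
        raise ValueError("QR bit clear: not a response")
    off = 12
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4        # skip QTYPE and QCLASS
    answers = []
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == QTYPE_A and rdlen == 4:
            answers.append(str(ipaddress.IPv4Address(rdata)))
        elif rtype == QTYPE_AAAA and rdlen == 16:
            answers.append(str(ipaddress.IPv6Address(rdata)))
    return {"rcode": flags & 0x000F, "tc": bool(flags & 0x0200), "answers": answers}


def _recv_exact(sock, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("server closed the connection mid-message")
        buf += chunk
    return buf


def probe_dot(host: str, sni: str, qname: str, port: int = 853, timeout: float = 5.0) -> Dict:
    """TLS to host:port, certificate verified against `sni`, one framed query in and out."""
    ctx = ssl.create_default_context()      # system CAs, hostname matching enabled
    query = build_query(qname)
    (qid,) = struct.unpack("!H", query[:2])
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=sni) as tls:
            tls.sendall(struct.pack("!H", len(query)) + query)   # RFC 7858 / TCP framing
            (length,) = struct.unpack("!H", _recv_exact(tls, 2))
            return parse_response(_recv_exact(tls, length), qid)


def nagios_status(result: Dict) -> Tuple[int, str]:
    """Nagios exit code and summary line: 0 OK only for NOERROR with address records."""
    if result["rcode"] == 0 and result["answers"]:
        return 0, "DOT OK - answers: " + ", ".join(result["answers"])
    return 2, f"DOT CRITICAL - rcode {result['rcode']}, {len(result['answers'])} address records"


if __name__ == "__main__":
    # usage: check_dot.py <server-ip> <name-on-certificate> <qname>
    # (script name and arguments are whatever you deploy; none are taken from the thread)
    try:
        code, text = nagios_status(probe_dot(sys.argv[1], sys.argv[2], sys.argv[3]))
    except (OSError, ValueError) as exc:    # socket, TLS and parse failures all land here
        code, text = 2, f"DOT CRITICAL - {exc}"
    print(text)
    sys.exit(code)
```

Run it as `python3 check_dot.py <server-ip> <name-on-certificate> ns1.home.arpa.`; the exit status follows the nagios convention (0 OK, 2 CRITICAL), so it slots in next to an existing check_dns. Pass the name the certificate was issued for as the second argument, not the bare IP, unless the certificate carries that IP as a subjectAltName, because `ssl.create_default_context()` enforces name matching and the probe is meant to fail when the certificate would fail for a client too.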

