newbie question: Allowing recursion

David Newman dnewman at networktest.com
Sun Feb 19 19:50:32 UTC 2023


New unbound user here, recent arrival after many years with bind.

Attempts at a recursive lookup fail against an unbound server, even 
though unbound.conf explicitly allows this from one particular client. I 
searched the archive and didn't find an answer, but I may have missed 
something.

A dig query against this server returns "recursion requested but not 
available". There are no firewalls blocking traffic between client and 
server. Running tcpdump on the server shows the query coming in and the 
server rejecting it.

The server uses Unbound v. 1.16.3 as supplied in OpenBSD 7.2 and has 
these IP addresses:

149.28.38.111

2001:19f0:c:1055:5400:4ff:fe4c:d46a

The client also runs OpenBSD 7.2 and has these IP addresses:

144.202.0.40

2001:19f0:c:75b:471f:a26a:c6f2:77bd

The server's full unbound.conf is pasted below, but these are the 
relevant bits:

server:
         root-hints: "/var/unbound/db/root.hints"
         #qname-minimisation: yes
         interface: 0.0.0.0
         interface: ::0
         do-ip6: yes

         access-control: 0.0.0.0/0 refuse

..

         access-control: 144.202.0.40/32 allow
         access-control: 2001:19f0:c:75b::/64 allow

Shouldn't the server allow a recursive query from this client? If not, 
what's missing? Thanks!

dn


full unbound.conf:

# $OpenBSD: unbound.conf,v 1.21 2020/10/28 11:35:58 sthen Exp $

server:
     root-hints: "/var/unbound/db/root.hints"
     #qname-minimisation: yes
     interface: 0.0.0.0
     #interface: 127.0.0.1 at 5353    # listen on alternative port
     interface: ::0
     do-ip6: yes

     # override the default "any" address to send queries; if multiple
     # addresses are available, they are used randomly to counter spoofing
     #outgoing-interface: 192.0.2.1
     #outgoing-interface: 2001:db8::53

     access-control: 0.0.0.0/0 refuse
     access-control: 127.0.0.0/8 allow
     access-control: ::0/0 refuse
     access-control: ::1 allow

     # allow recursive queries from this client
     access-control: 144.202.0.40/32 allow
     access-control: 2001:19f0:c:75b::/64 allow

     hide-identity: yes
     hide-version: yes

     # Perform DNSSEC validation.
     #
     #auto-trust-anchor-file: "/var/unbound/db/root.key"
     #val-log-level: 2

remote-control:
     control-enable: yes
     control-interface: /var/run/unbound.sock

# Use an upstream forwarder (recursive resolver) for some or all zones.
#
forward-zone:
     name: "."                # use for ALL queries
#    forward-addr: 192.0.2.53        # example address only
     forward-addr: 9.9.9.9            #
     forward-first: yes            # try direct if forwarder fails
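Unbound's access-control picks the most specific matching netblock, so the /32 and /64 "allow" lines above override the catch-all "refuse" lines regardless of their order. The script below is an added example (not from this post or from the Unbound project): it parses the posted access-control lines and reports the action Unbound's documented matching rules select for a given client address, which is a quick way to check what a config file should do before comparing it with what the running daemon does.

```python
"""Resolve which unbound access-control rule applies to a client address.

Added example, not part of the original post. Implements unbound's
documented rule: the most specific matching netblock wins.
"""
import ipaddress
import re

# Constructed from the access-control lines in the posted unbound.conf.
SAMPLE_CONF = """
server:
     access-control: 0.0.0.0/0 refuse
     access-control: 127.0.0.0/8 allow
     access-control: ::0/0 refuse
     access-control: ::1 allow
     # allow recursive queries from this client
     access-control: 144.202.0.40/32 allow
     access-control: 2001:19f0:c:75b::/64 allow
"""

# Matches uncommented "access-control: <netblock> <action>" lines only.
RULE_RE = re.compile(r"^\s*access-control:\s*(\S+)\s+(\S+)", re.MULTILINE)


def parse_access_control(conf_text):
    """Return a list of (ip_network, action) from access-control lines."""
    rules = []
    for netblock, action in RULE_RE.findall(conf_text):
        rules.append((ipaddress.ip_network(netblock, strict=False), action))
    return rules


def lookup_action(rules, client_ip, default="refuse"):
    """Return the action for client_ip; the longest matching prefix wins.

    Falls back to 'refuse', which is what unbound does for any address
    (other than localhost) that no rule covers.
    """
    addr = ipaddress.ip_address(client_ip)
    best = None
    for net, action in rules:
        if addr.version != net.version or addr not in net:
            continue
        if best is None or net.prefixlen > best[0].prefixlen:
            best = (net, action)
    return best[1] if best else default


if __name__ == "__main__":
    rules = parse_access_control(SAMPLE_CONF)
    for ip in ("144.202.0.40", "2001:19f0:c:75b:471f:a26a:c6f2:77bd",
               "149.28.38.111"):
        print(ip, "->", lookup_action(rules, ip))
```

If the script says "allow" for an address that the server answers with REFUSED (which is what dig reports as "recursion requested but not available"), the file being edited and the file the daemon actually loaded are worth comparing, along with whether the daemon was reloaded after the change.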



