newbie question: Allowing recursion

George (Yorgos) Thessalonikefs george at nlnetlabs.nl
Mon Feb 20 10:22:54 UTC 2023


Hi David,

Your configuration should work.
Are you sure that Unbound is seeing that exact client IP address?
If you increase verbosity (4 at least) Unbound will log why the query 
was refused.

 > A dig query against this server returns "recursion requested but not
 > available".
I suppose the "status:" of that response is "REFUSED"?

Best regards,
-- Yorgos


On 19/02/2023 20:50, David Newman via Unbound-users wrote:
> New unbound user here, recent arrival after many years with bind.
> 
> Attempts at a recursive lookup fail against an unbound server, even 
> though unbound.conf explicitly allows this from one particular client. I 
> searched the archive and didn't find an answer, but I may have missed 
> something.
> 
> A dig query against this server returns "recursion requested but not 
> available". There are no firewalls blocking traffic between client and 
> server. Running tcpdump on the server shows the query coming in and the 
> server rejecting it.
> 
> The server uses the Unbound v. 1.16.3 as supplied in OpenBSD 7.2 and has 
> these IP addresses:
> 
> 149.28.38.111
> 
> 2001:19f0:c:1055:5400:4ff:fe4c:d46a
> 
> The client also runs OpenBSD 7.2 and has these IP addresses:
> 
> 144.202.0.40
> 
> 2001:19f0:c:75b:471f:a26a:c6f2:77bd
> 
> The server's full unbound.conf is pasted below, but these are the 
> relevant bits:
> 
> server:
>          root-hints: "/var/unbound/db/root.hints"
>          #qname-minimisation: yes
>          interface: 0.0.0.0
>          interface: ::0
>          do-ip6: yes
> 
>          access-control: 0.0.0.0/0 refuse
> 
> ..
> 
>          access-control: 144.202.0.40/32 allow
>          access-control: 2001:19f0:c:75b::/64 allow
> 
> Shouldn't the server allow a recursive query from this client? If not, 
> what's missing? Thanks!
> 
> dn
> 
> 
> full unbound.conf:
> 
> # $OpenBSD: unbound.conf,v 1.21 2020/10/28 11:35:58 sthen Exp $
> 
> server:
>      root-hints: "/var/unbound/db/root.hints"
>      #qname-minimisation: yes
>      interface: 0.0.0.0
>      #interface: 127.0.0.1@5353    # listen on alternative port
>      interface: ::0
>      do-ip6: yes
> 
>      # override the default "any" address to send queries; if multiple
>      # addresses are available, they are used randomly to counter spoofing
>      #outgoing-interface: 192.0.2.1
>      #outgoing-interface: 2001:db8::53
> 
>      access-control: 0.0.0.0/0 refuse
>      access-control: 127.0.0.0/8 allow
>      access-control: ::0/0 refuse
>      access-control: ::1 allow
> 
>      # allow recursive queries from this client
>      access-control: 144.202.0.40/32 allow
>      access-control: 2001:19f0:c:75b::/64 allow
> 
>      hide-identity: yes
>      hide-version: yes
> 
>      # Perform DNSSEC validation.
>      #
>      #auto-trust-anchor-file: "/var/unbound/db/root.key"
>      #val-log-level: 2
> 
> remote-control:
>      control-enable: yes
>      control-interface: /var/run/unbound.sock
> 
> # Use an upstream forwarder (recursive resolver) for some or all zones.
> #
> forward-zone:
>      name: "."                # use for ALL queries
> #    forward-addr: 192.0.2.53        # example address only
>      forward-addr: 9.9.9.9            #
>      forward-first: yes            # try direct if forwarder fails
> 
> 
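
Added example (not part of the original thread and not Unbound's own code): a Python sketch of how the access-control list quoted above resolves for whatever source address the server actually sees. It assumes Unbound's documented rule that the most specific matching netblock wins and that a client matching nothing is refused; the function names are hypothetical, and 144.202.0.41 is a constructed address.

```python
import ipaddress

# access-control lines copied from the unbound.conf quoted in this thread
ACL_TEXT = """
access-control: 0.0.0.0/0 refuse
access-control: 127.0.0.0/8 allow
access-control: ::0/0 refuse
access-control: ::1 allow
access-control: 144.202.0.40/32 allow
access-control: 2001:19f0:c:75b::/64 allow
"""

def parse_acl(text):
    """Parse access-control lines into (network, action) pairs."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        if not line.startswith("access-control:"):
            continue
        netblock, action = line[len("access-control:"):].split()
        rules.append((ipaddress.ip_network(netblock, strict=False), action))
    return rules

def decide(rules, source):
    """Return (action, matched netblock) for the source address Unbound sees.

    Assumption: the most specific (longest-prefix) match wins regardless of
    the order of the lines; no match at all means "refuse".
    """
    addr = ipaddress.ip_address(source)
    best = None
    for net, action in rules:
        if net.version != addr.version or addr not in net:
            continue
        if best is None or net.prefixlen > best[0].prefixlen:
            best = (net, action)
    if best is None:
        return ("refuse", None)
    return (best[1], str(best[0]))

if __name__ == "__main__":
    rules = parse_acl(ACL_TEXT)
    # Addresses from the thread, plus one constructed neighbour (144.202.0.41)
    for src in ("144.202.0.40", "2001:19f0:c:75b:471f:a26a:c6f2:77bd",
                "149.28.38.111", "144.202.0.41", "127.0.0.1"):
        print(f"{src:40} -> {decide(rules, src)}")
```

Feed it the client address reported in Unbound's verbose log: any source outside the two allowed netblocks falls through to the 0.0.0.0/0 or ::0/0 refuse entries.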

