newbie question: Allowing recursion
David Newman
dnewman at networktest.com
Mon Feb 20 19:20:56 UTC 2023
Hi Yorgos,
Thanks very much. Logging and debugging was a very good idea. It showed
that the unbound config is fine, and that the issue is something I
neglected to mention: This system also runs NSD as an authoritative-only
name server, and NSD had already bound to UDP port 53.
This may be a question for the openbsd-misc list instead, but if anyone
here has examples of how to run an authoritative and recursive server on
the same box using unbound and NSD please let me know. I previously used
bind, which didn't have this issue because one server handled both
authoritative and recursive queries.
Thanks again!
dn
On 2/20/23 2:22 AM, George (Yorgos) Thessalonikefs via Unbound-users wrote:
> Hi David,
>
> Your configuration should work.
> Are you sure that Unbound is seeing that exact client IP address?
> If you increase verbosity (4 at least) Unbound will log why the query
> was refused.
>
> > A dig query against this server returns "recursion requested but not
> > available".
> I suppose the "status:" of that response is "REFUSED"?
>
> Best regards,
> -- Yorgos
>
>
> On 19/02/2023 20:50, David Newman via Unbound-users wrote:
>> New unbound user here, recent arrival after many years with bind.
>>
>> Attempts at a recursive lookup fail against an unbound server, even
>> though unbound.conf explicitly allows this from one particular
>> client. I searched the archive and didn't find an answer, but I may
>> have missed something.
>>
>> A dig query against this server returns "recursion requested but not
>> available". There are no firewalls blocking traffic between client
>> and server. Running tcpdump on the server shows the query coming in
>> and the server rejecting it.
>>
>> The server uses Unbound v. 1.16.3 as supplied in OpenBSD 7.2 and
>> has these IP addresses:
>>
>> 149.28.38.111
>>
>> 2001:19f0:c:1055:5400:4ff:fe4c:d46a
>>
>> The client also runs OpenBSD 7.2 and has these IP addresses:
>>
>> 144.202.0.40
>>
>> 2001:19f0:c:75b:471f:a26a:c6f2:77bd
>>
>> The server's full unbound.conf is pasted below, but these are the
>> relevant bits:
>>
>> server:
>>     root-hints: "/var/unbound/db/root.hints"
>>     #qname-minimisation: yes
>>     interface: 0.0.0.0
>>     interface: ::0
>>     do-ip6: yes
>>
>>     access-control: 0.0.0.0/0 refuse
>>
>>     ..
>>
>>     access-control: 144.202.0.40/32 allow
>>     access-control: 2001:19f0:c:75b::/64 allow
>>
>> Shouldn't the server allow a recursive query from this client? If
>> not, what's missing? Thanks!
>>
>> dn
>>
>>
>> full unbound.conf:
>>
>> # $OpenBSD: unbound.conf,v 1.21 2020/10/28 11:35:58 sthen Exp $
>>
>> server:
>>     root-hints: "/var/unbound/db/root.hints"
>>     #qname-minimisation: yes
>>     interface: 0.0.0.0
>>     #interface: 127.0.0.1 at 5353 # listen on alternative port
>>     interface: ::0
>>     do-ip6: yes
>>
>>     # override the default "any" address to send queries; if multiple
>>     # addresses are available, they are used randomly to counter spoofing
>>     #outgoing-interface: 192.0.2.1
>>     #outgoing-interface: 2001:db8::53
>>
>>     access-control: 0.0.0.0/0 refuse
>>     access-control: 127.0.0.0/8 allow
>>     access-control: ::0/0 refuse
>>     access-control: ::1 allow
>>
>>     # allow recursive queries from this client
>>     access-control: 144.202.0.40/32 allow
>>     access-control: 2001:19f0:c:75b::/64 allow
>>
>>     hide-identity: yes
>>     hide-version: yes
>>
>>     # Perform DNSSEC validation.
>>     #
>>     #auto-trust-anchor-file: "/var/unbound/db/root.key"
>>     #val-log-level: 2
>>
>> remote-control:
>>     control-enable: yes
>>     control-interface: /var/run/unbound.sock
>>
>> # Use an upstream forwarder (recursive resolver) for some or all zones.
>> #
>> forward-zone:
>>     name: "."                   # use for ALL queries
>>     # forward-addr: 192.0.2.53  # example address only
>>     forward-addr: 9.9.9.9       #
>>     forward-first: yes          # try direct if forwarder fails
>>
>>
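Added example, not part of this thread and not Unbound project code: a small Python checker that applies Unbound's most-specific-netblock rule to the access-control lines from the posted unbound.conf, so you can see what the ACL itself would decide for a given client address before looking elsewhere for the cause of a REFUSED answer (in this thread the cause turned out to be NSD already holding UDP port 53, which the ACL can tell you nothing about). The config text and the client and server addresses are copied from the posted file; the function names, the action list (taken from unbound.conf(5)) and the fall-back to "refuse" for an address that matches no rule are assumptions of this example.

```python
import ipaddress

# Constructed sample: the access-control lines of the posted unbound.conf,
# not the whole file. Indentation and '#' comments are handled as Unbound
# would read them.
SAMPLE_CONF = """
server:
    interface: 0.0.0.0
    interface: ::0
    access-control: 0.0.0.0/0 refuse
    access-control: 127.0.0.0/8 allow
    access-control: ::0/0 refuse
    access-control: ::1 allow
    # allow recursive queries from this client
    access-control: 144.202.0.40/32 allow
    access-control: 2001:19f0:c:75b::/64 allow
"""

# Actions documented for access-control in unbound.conf(5); assumed list.
KNOWN_ACTIONS = {"deny", "refuse", "allow", "allow_setrd", "allow_snoop",
                 "deny_non_local", "refuse_non_local"}


def parse_access_control(conf_text):
    """Return [(ip_network, action), ...] from the access-control lines.

    A bare address such as "::1" is treated as a /128 (or /32 for IPv4),
    which is how Unbound reads it. Malformed lines raise ValueError."""
    rules = []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop trailing comments
        if not line.startswith("access-control:"):
            continue
        parts = line[len("access-control:"):].split()
        if len(parts) != 2:
            raise ValueError(f"malformed access-control line: {raw.strip()!r}")
        netblock, action = parts
        if action not in KNOWN_ACTIONS:
            raise ValueError(f"unknown action {action!r} in: {raw.strip()!r}")
        rules.append((ipaddress.ip_network(netblock, strict=False), action))
    return rules


def lookup(rules, client_ip):
    """Pick the rule for client_ip the way Unbound does: the most specific
    netblock (longest prefix) that contains the address wins, so a /32 allow
    overrides a /0 refuse. Returns (winning_network, action); an address that
    matches nothing returns (None, "refuse"), the conservative assumption."""
    addr = ipaddress.ip_address(client_ip)
    best = None
    for net, action in rules:
        if net.version != addr.version or addr not in net:
            continue
        if best is None or net.prefixlen > best[0].prefixlen:
            best = (net, action)
    return best if best is not None else (None, "refuse")


def decide(conf_text, client_ip):
    """Convenience wrapper: the action string for one client address."""
    return lookup(parse_access_control(conf_text), client_ip)[1]


if __name__ == "__main__":
    rules = parse_access_control(SAMPLE_CONF)
    # The client addresses from the thread, plus the server's own address.
    for client in ("144.202.0.40", "2001:19f0:c:75b:471f:a26a:c6f2:77bd",
                   "149.28.38.111", "127.0.0.1"):
        net, action = lookup(rules, client)
        print(f"{client:40} -> {action:7} (rule: {net})")
```

decide() returns only the action; lookup() also returns the netblock that won, which is the quick way to confirm that 144.202.0.40/32 beats 0.0.0.0/0 for the client in the thread. If this says "allow" but the wire says REFUSED, the answer is not coming from the Unbound ACL, and the next check is which process actually owns port 53.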