newbie question: Allowing recursion

Uwe Werler uwe at werler.is
Mon Feb 20 21:40:17 UTC 2023


How about running NSD on a different port and simply forwarding queries to these zones via unbound?

On 20 February 2023 20:20:56 CET, David Newman via Unbound-users <unbound-users at lists.nlnetlabs.nl> wrote:
>Hi Yorgos,
>
>Thanks very much. Logging and debugging was a very good idea. It showed 
>that the unbound config is fine, and that the issue is something I 
>neglected to mention: This system also runs NSD as an authoritative-only 
>name server, and NSD had already bound to UDP port 53.
>
>This may be a question for the openbsd-misc list instead, but if anyone 
>here has examples of how to run an authoritative and recursive server on 
>the same box using unbound and NSD please let me know. I previously used 
>bind, which didn't have this issue because one server handled both 
>authoritative and recursive queries.
>
>Thanks again!
>
>dn
>
>
>
>On 2/20/23 2:22 AM, George (Yorgos) Thessalonikefs via Unbound-users wrote:
>> Hi David,
>>
>> Your configuration should work.
>> Are you sure that Unbound is seeing that exact client IP address?
>> If you increase verbosity (4 at least) Unbound will log why the query 
>> was refused.
>>
>> > A dig query against this server returns "recursion requested but not
>> > available".
>> I suppose the "status:" of that response is "REFUSED"?
>>
>> Best regards,
>> -- Yorgos
>>
>>
>> On 19/02/2023 20:50, David Newman via Unbound-users wrote:
>>> New unbound user here, recent arrival after many years with bind.
>>>
>>> Attempts at a recursive lookup fail against an unbound server, even 
>>> though unbound.conf explicitly allows this from one particular 
>>> client. I searched the archive and didn't find an answer, but I may 
>>> have missed something.
>>>
>>> A dig query against this server returns "recursion requested but not 
>>> available". There are no firewalls blocking traffic between client 
>>> and server. Running tcpdump on the server shows the query coming in 
>>> and the server rejecting it.
>>>
>>> The server uses Unbound v. 1.16.3 as supplied in OpenBSD 7.2 and 
>>> has these IP addresses:
>>>
>>> 149.28.38.111
>>>
>>> 2001:19f0:c:1055:5400:4ff:fe4c:d46a
>>>
>>> The client also runs OpenBSD 7.2 and has these IP addresses:
>>>
>>> 144.202.0.40
>>>
>>> 2001:19f0:c:75b:471f:a26a:c6f2:77bd
>>>
>>> The server's full unbound.conf is pasted below, but these are the 
>>> relevant bits:
>>>
>>> server:
>>>          root-hints: "/var/unbound/db/root.hints"
>>>          #qname-minimisation: yes
>>>          interface: 0.0.0.0
>>>          interface: ::0
>>>          do-ip6: yes
>>>
>>>          access-control: 0.0.0.0/0 refuse
>>>
>>> ..
>>>
>>>          access-control: 144.202.0.40/32 allow
>>>          access-control: 2001:19f0:c:75b::/64 allow
>>>
>>> Shouldn't the server allow a recursive query from this client? If 
>>> not, what's missing? Thanks!
>>>
>>> dn
>>>
>>>
>>> full unbound.conf:
>>>
>>> # $OpenBSD: unbound.conf,v 1.21 2020/10/28 11:35:58 sthen Exp $
>>>
>>> server:
>>>      root-hints: "/var/unbound/db/root.hints"
>>>      #qname-minimisation: yes
>>>      interface: 0.0.0.0
>>>      #interface: 127.0.0.1@5353    # listen on alternative port
>>>      interface: ::0
>>>      do-ip6: yes
>>>
>>>      # override the default "any" address to send queries; if multiple
>>>      # addresses are available, they are used randomly to counter spoofing
>>>      #outgoing-interface: 192.0.2.1
>>>      #outgoing-interface: 2001:db8::53
>>>
>>>      access-control: 0.0.0.0/0 refuse
>>>      access-control: 127.0.0.0/8 allow
>>>      access-control: ::0/0 refuse
>>>      access-control: ::1 allow
>>>
>>>      # allow recursive queries from this client
>>>      access-control: 144.202.0.40/32 allow
>>>      access-control: 2001:19f0:c:75b::/64 allow
>>>
>>>      hide-identity: yes
>>>      hide-version: yes
>>>
>>>      # Perform DNSSEC validation.
>>>      #
>>>      #auto-trust-anchor-file: "/var/unbound/db/root.key"
>>>      #val-log-level: 2
>>>
>>> remote-control:
>>>      control-enable: yes
>>>      control-interface: /var/run/unbound.sock
>>>
>>> # Use an upstream forwarder (recursive resolver) for some or all zones.
>>> #
>>> forward-zone:
>>>      name: "."                # use for ALL queries
>>> #    forward-addr: 192.0.2.53        # example address only
>>>      forward-addr: 9.9.9.9            #
>>>      forward-first: yes            # try direct if forwarder fails
>>>
>>>

-- 
This message was sent from my Android device with K-9 Mail.
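One way to lay out what Uwe suggests, as an added example that is not from any message in this thread: Unbound keeps port 53 on all addresses, NSD moves to port 5353 on loopback, and a stub-zone sends queries for the authoritative zone to NSD. The zone name "example.com", the config paths and the port are placeholders chosen here, not values from the thread; the forward-zone is carried over from David's posted unbound.conf.

```conf
# --- /var/unbound/etc/unbound.conf (Unbound answers on port 53) ---
server:
    interface: 0.0.0.0
    interface: ::0
    # By default Unbound refuses to send queries to 127.0.0.1/::1 upstreams.
    # This must be "no" for a stub-addr or forward-addr on localhost to be used.
    do-not-query-localhost: no

# Queries for the zone NSD serves go to NSD on loopback port 5353.
# "example.com" is a placeholder for the real authoritative zone name.
stub-zone:
    name: "example.com"
    stub-addr: 127.0.0.1@5353
    stub-addr: ::1@5353

# Everything else still goes to the forwarder from the original config;
# a stub-zone for a more specific name wins over the "." forward-zone.
forward-zone:
    name: "."
    forward-addr: 9.9.9.9
    forward-first: yes

# --- /var/nsd/etc/nsd.conf (NSD moves off port 53) ---
server:
    port: 5353
    ip-address: 127.0.0.1
    ip-address: ::1

zone:
    name: "example.com"
    zonefile: "example.com.zone"   # placeholder zone file name
```

After `unbound-checkconf` and `nsd-checkconf` pass and both daemons are restarted, `dig @127.0.0.1 -p 5353 example.com SOA +norecurse` should answer from NSD directly, and `dig @149.28.38.111 example.com SOA` from the allowed client should return NOERROR through Unbound without the "recursion requested but not available" warning. Two caveats: Unbound's access-control still applies to names covered by the stub-zone, so any client matched by `refuse` gets REFUSED for the authoritative zone as well, and NSD on a non-53 port is not reachable by other resolvers or by secondaries for zone transfers. If the zone has to be served publicly on port 53, the usual alternative is to give each daemon its own address (NSD `ip-address:` and Unbound `interface:` on specific IPs rather than 0.0.0.0/::0).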