newbie question: Allowing recursion
Uwe Werler
uwe at werler.is
Mon Feb 20 21:40:17 UTC 2023
How about running nsd on a different port and simply forward queries to these zones via unbound?
On 20 February 2023 at 20:20:56 CET, David Newman via Unbound-users <unbound-users at lists.nlnetlabs.nl> wrote:
>Hi Yorgos,
>
>Thanks very much. Logging and debugging was a very good idea. It showed
>that the unbound config is fine, and that the issue is something I
>neglected to mention: This system also runs NSD as an authoritative-only
>name server, and NSD had already bound to UDP port 53.
>
>This may be a question for the openbsd-misc list instead, but if anyone
>here has examples of how to run an authoritative and recursive server on
>the same box using unbound and NSD please let me know. I previously used
>bind, which didn't have this issue because one server handled both
>authoritative and recursive queries.
>
>Thanks again!
>
>dn
>
>
>
>On 2/20/23 2:22 AM, George (Yorgos) Thessalonikefs via Unbound-users wrote:
>> Hi David,
>>
>> Your configuration should work.
>> Are you sure that Unbound is seeing that exact client IP address?
>> If you increase verbosity (4 at least) Unbound will log why the query
>> was refused.
>>
>> > A dig query against this server returns "recursion requested but not
>> > available".
>> I suppose the "status:" of that response is "REFUSED"?
>>
>> Best regards,
>> -- Yorgos
>>
>>
>> On 19/02/2023 20:50, David Newman via Unbound-users wrote:
>>> New unbound user here, recent arrival after many years with bind.
>>>
>>> Attempts at a recursive lookup fail against an unbound server, even
>>> though unbound.conf explicitly allows this from one particular
>>> client. I searched the archive and didn't find an answer, but I may
>>> have missed something.
>>>
>>> A dig query against this server returns "recursion requested but not
>>> available". There are no firewalls blocking traffic between client
>>> and server. Running tcpdump on the server shows the query coming in
>>> and the server rejecting it.
>>>
>>> The server uses the Unbound v. 1.16.3 as supplied in OpenBSD 7.2 and
>>> has these IP addresses:
>>>
>>> 149.28.38.111
>>>
>>> 2001:19f0:c:1055:5400:4ff:fe4c:d46a
>>>
>>> The client also runs OpenBSD 7.2 and has these IP addresses:
>>>
>>> 144.202.0.40
>>>
>>> 2001:19f0:c:75b:471f:a26a:c6f2:77bd
>>>
>>> The server's full unbound.conf is pasted below, but these are the
>>> relevant bits:
>>>
>>> server:
>>> root-hints: "/var/unbound/db/root.hints"
>>> #qname-minimisation: yes
>>> interface: 0.0.0.0
>>> interface: ::0
>>> do-ip6: yes
>>>
>>> access-control: 0.0.0.0/0 refuse
>>>
>>> ..
>>>
>>> access-control: 144.202.0.40/32 allow
>>> access-control: 2001:19f0:c:75b::/64 allow
>>>
>>> Shouldn't the server allow a recursive query from this client? If
>>> not, what's missing? Thanks!
>>>
>>> dn
>>>
>>>
>>> full unbound.conf:
>>>
>>> # $OpenBSD: unbound.conf,v 1.21 2020/10/28 11:35:58 sthen Exp $
>>>
>>> server:
>>> root-hints: "/var/unbound/db/root.hints"
>>> #qname-minimisation: yes
>>> interface: 0.0.0.0
>>> #interface: 127.0.0.1 at 5353 # listen on alternative port
>>> interface: ::0
>>> do-ip6: yes
>>>
>>> # override the default "any" address to send queries; if multiple
>>> # addresses are available, they are used randomly to counter spoofing
>>> #outgoing-interface: 192.0.2.1
>>> #outgoing-interface: 2001:db8::53
>>>
>>> access-control: 0.0.0.0/0 refuse
>>> access-control: 127.0.0.0/8 allow
>>> access-control: ::0/0 refuse
>>> access-control: ::1 allow
>>>
>>> # allow recursive queries from this client
>>> access-control: 144.202.0.40/32 allow
>>> access-control: 2001:19f0:c:75b::/64 allow
>>>
>>> hide-identity: yes
>>> hide-version: yes
>>>
>>> # Perform DNSSEC validation.
>>> #
>>> #auto-trust-anchor-file: "/var/unbound/db/root.key"
>>> #val-log-level: 2
>>>
>>> remote-control:
>>> control-enable: yes
>>> control-interface: /var/run/unbound.sock
>>>
>>> # Use an upstream forwarder (recursive resolver) for some or all zones.
>>> #
>>> forward-zone:
>>> name: "." # use for ALL queries
>>> # forward-addr: 192.0.2.53 # example address only
>>> forward-addr: 9.9.9.9 #
>>> forward-first: yes # try direct if forwarder fails
>>>
>>>
--
This message was sent from my Android device with K-9 Mail.
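Uwe's suggestion written out as an added example (not configuration from anyone in the thread): NSD moves to loopback on port 5353 and Unbound, still on port 53, answers for the authoritative zone by asking NSD directly through a stub-zone. The zone name example.com and the zone file path are placeholders; the client address is the one David allows.

```conf
# --- unbound.conf (fragment): recursive resolver, keeps UDP/TCP port 53 ---
server:
    interface: 0.0.0.0
    interface: ::0
    # Unbound will not send queries to 127.0.0.0/8 or ::1 unless told to;
    # required here because NSD is about to listen on loopback only.
    do-not-query-localhost: no
    access-control: 0.0.0.0/0 refuse
    access-control: ::0/0 refuse
    access-control: 127.0.0.0/8 allow
    access-control: ::1 allow
    access-control: 144.202.0.40/32 allow
    access-control: 2001:19f0:c:75b::/64 allow

# The zone NSD is authoritative for. A stub-zone (not a forward-zone) is the
# right type because NSD answers authoritatively, not recursively. The longer
# zone name wins over the forward-zone for "." below, so only this zone goes
# to NSD and everything else still goes to the forwarder.
stub-zone:
    name: "example.com"            # placeholder zone name
    stub-addr: 127.0.0.1@5353
    stub-addr: ::1@5353

forward-zone:
    name: "."
    forward-addr: 9.9.9.9
    forward-first: yes

# --- nsd.conf (fragment): authoritative server moved off port 53 ---
server:
    # Loopback only: NSD is no longer reachable from the network directly,
    # so it cannot collide with Unbound's port 53 listeners.
    ip-address: 127.0.0.1@5353
    ip-address: ::1@5353
    hide-version: yes

zone:
    name: "example.com"            # placeholder zone name
    zonefile: "example.com.zone"   # placeholder path

# Check from the box itself after restarting both daemons:
#   dig @127.0.0.1 -p 5353 example.com SOA   # NSD answers, flags carry aa
#   dig @127.0.0.1 example.com SOA           # Unbound answers via the stub
```

With the access-control list unchanged, only the allowed clients get answers for that zone from Unbound; everyone else still receives REFUSED, so if the zone must be served to the public, NSD still needs a port-53 listener on an address Unbound is not bound to.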