Unbound never listens to TCP/853 despite being explicitly told to do so
Andrew Lemin
andrew.lemin at gmail.com
Wed Jan 8 00:21:34 UTC 2025
Assume you mean owned by the user 'unbound' ;)
Have you checked all the standard things?
Are you using the latest release (1.22)?
IPv6 interface definition should be: 'interface: ::0@53' (single '0' I
believe).
You have different indentation for the 3rd and 4th 'interface:' definitions.
Is IPv6 working correctly on your machine? Have you tried with IPv6
disabled? (get things working properly with IPv4 before enabling v6)
Start unbound using -d
Once all of the above things are checked, I would then remove all your
special config (comment things out), so you are using mostly defaults for
everything. If it then starts listening on 53 and 853, you can then start
enabling your custom settings one by one until you find the culprit.
Good luck..
On Wed, 8 Jan 2025 at 10:36, Daniel Ryšlink via Unbound-users <unbound-users at lists.nlnetlabs.nl> wrote:
> Hello,
>
> I have run into immense trouble getting DNS-over-TLS working, basically
> although I have everything set up, the process never listens on 853/TCP,
> never logs any failures or problems, just ignores the whole TLS portion
> of the configuration. Below is my unbound.conf file. All the key and
> cert files mentioned are directly in /usr/local/etc/unbound folder,
> owned and readable by the 'undbound' user the server uses to run.
>
> Any ideas are welcome, thanks in advance.
>
>
> --
> Daniel Ryšlink
> System Administrator
>
>
> -----------------------------------------------
>
> server:
> tls-port: 853
> tls-cert-bundle: "ca-root-nss.crt"
> tls-service-key: "privkey.pem"
> tls-service-pem: "fullchain.pem"
> verbosity: 3
> statistics-interval: 600
> statistics-cumulative: no
> extended-statistics: yes
> num-threads: 4
> interface: 0.0.0.0@53
> interface: ::00@53
> interface: 0.0.0.0@853
> interface: ::00@853
> interface-automatic: yes
> port: 53
> outgoing-range: 8192
> outgoing-num-tcp: 20
> incoming-num-tcp: 20
> so-reuseport: yes
> edns-buffer-size: 1480
> max-udp-size: 4096
> msg-buffer-size: 65552
> msg-cache-size: 1000m
> msg-cache-slabs: 8
> num-queries-per-thread: 4096
> jostle-timeout: 200
> delay-close: 10
> rrset-cache-size: 16G
> rrset-cache-slabs: 8
> cache-min-ttl: 600
> cache-max-ttl: 86400
> cache-max-negative-ttl: 3600
> infra-host-ttl: 900
> infra-cache-min-rtt: 50
> infra-cache-slabs: 8
> do-ip4: yes
> do-ip6: yes
> do-udp: yes
> do-tcp: yes
> do-daemonize: yes
> include: "/usr/local/etc/unbound/acl_our_networks"
> include: "/usr/local/etc/unbound/acl_exceptions"
> chroot: "/usr/local/etc/unbound"
> username: "unbound"
> directory: "/usr/local/etc/unbound"
> logfile: "/var/log/unbound.log"
> use-syslog: yes
> log-time-ascii: yes
> log-queries: no
> log-replies: no
> log-local-actions: yes
> log-servfail: yes
> pidfile: "/var/run/unbound/unbound.pid"
> root-hints: "root.hints"
> hide-identity: no
> hide-version: no
> identity: ""
> version: "Unbound"
> harden-short-bufsize: yes
> harden-large-queries: yes
> harden-glue: yes
> harden-dnssec-stripped: yes
> harden-below-nxdomain: yes
> harden-referral-path: yes
> harden-algo-downgrade: no
> prefetch: yes
> auto-trust-anchor-file: "/usr/local/etc/unbound/root.key"
> domain-insecure: "cesta."
> key-cache-size: 40m
> key-cache-slabs: 8
> neg-cache-size: 10m
> ratelimit: 4000
> ratelimit-below-domain: ultra.brightmail.com. 100
> python:
> remote-control:
> control-enable: yes
> control-interface: 127.0.0.1
> control-interface: ::1
>
>
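As an added example (not code from the thread or from the Unbound project), a small POSIX shell pre-flight script for the checks suggested above: it lists which 'interface:' lines Unbound should serve TLS on given 'tls-port', then compares that with what 'ss -ltn' reports, so a config that declares 853 but never binds it is caught before bisecting settings. Assumptions of mine: Unbound's defaults of tls-port 853 and port 53 for interfaces without '@', and the UNBOUND_CONF variable and script name are invented for this example.

```shell
#!/bin/sh
# Added example, not from the thread: pre-flight checks for an Unbound
# DNS-over-TLS listener. The two parsing functions read text on stdin so
# they can be exercised offline; dot_preflight feeds them live data.

# Print "addr port" for each interface: whose port equals tls-port.
# Unbound defaults assumed: tls-port 853, port 53 for interfaces without "@".
tls_interfaces() {
  awk '
    BEGIN { tlsport = "853"; port = "53" }
    /^[[:space:]]*tls-port:/  { tlsport = $2 }
    /^[[:space:]]*port:/      { port = $2 }
    /^[[:space:]]*interface:/ { ifaces[n++] = $2 }
    END {
      for (i = 0; i < n; i++) {
        addr = ifaces[i]; p = port
        if (index(addr, "@")) { split(addr, a, "@"); addr = a[1]; p = a[2] }
        if (p == tlsport) print addr, p
      }
    }'
}

# Exit 0 if the "ss -ltn" output on stdin shows a LISTEN socket on port $1.
listening_on() {
  awk -v p="$1" '$1 == "LISTEN" && $4 ~ (":" p "$") { found = 1 }
                 END { exit !found }'
}

# Live check: syntax via unbound-checkconf, then one line per expected
# TLS listener saying whether the kernel actually has it bound.
dot_preflight() {
  conf="$1"
  if command -v unbound-checkconf >/dev/null 2>&1; then
    unbound-checkconf "$conf" || return 1
  fi
  sockets=$(ss -ltn 2>/dev/null)
  tls_interfaces < "$conf" | while read -r addr port; do
    if printf '%s\n' "$sockets" | listening_on "$port"; then
      echo "listening: $addr port $port"
    else
      echo "NOT listening: $addr port $port (start unbound -d and watch the log)"
    fi
  done
}

# Run the live check only when pointed at a config (hypothetical usage):
#   UNBOUND_CONF=/usr/local/etc/unbound/unbound.conf sh dot_preflight.sh
if [ -n "${UNBOUND_CONF:-}" ]; then dot_preflight "$UNBOUND_CONF"; fi
```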