Good morning,
I have detected two strange problems with unbound under CentOS8 (fully patched). I have tried same configuration in an OpenBSD host, and these problems do not appear.
a/ Error mesage “connection refused”. I am using this unbound server to resolv DNS records for our internal domain (Bind9 is configured to listen in localhost interface, port 5353 udp and in the same host where unbound runs). When I try to run a nslookup query like this:
set q=any my.internal.dom
;; Connection to 127.0.0.1#53(127.0.0.1) for my.internal.dom failed: connection refused.
And I don’t understand why. Bind9 resolves this without problems, but unbound returns connection refused. Unbound is configured to listen in 0.0.0.0 and allow all connections (access-control: 0.0.0.0/0 allow). The strange thing is that it only happens with that kind of request, any other request works fine.
b/ Unbound tries to connect to Root DNS servers directly. Every time unbound starts, it tries to connect to root DNS servers directly and not through internal DNS. I am using a second unbound server as a cache nameserver in a DMZ zone and unbound anchor timer service is disabled. My forward config is:
forward-zone: name: "." forward-addr: 172.22.54.6@53mailto:172.22.54.6@53
Any idea why these problems occur?
-- Regards, C. L. Martinez
On Mon, 30 Mar 2020 at 03:47, Carlos Lopez clopmz@outlook.com wrote:
Good morning,
I have detected two strange problems with unbound under CentOS8 (fully patched). I have tried same configuration in an OpenBSD host, and these problems do not appear.
a/ Error mesage “connection refused”. I am using this unbound server to resolv DNS records for our internal domain (Bind9 is configured to listen in localhost interface, port 5353 udp and in the same host where unbound runs). When I try to run a nslookup query like this:
set q=any my.internal.dom
;; Connection to 127.0.0.1#53(127.0.0.1) for my.internal.dom failed: connection refused.
And I don’t understand why. Bind9 resolves this without problems, but unbound returns connection refused. Unbound is configured to listen in 0.0.0.0 and allow all connections (access-control: 0.0.0.0/0 allow). The strange thing is that it only happens with that kind of request, any other request works fine.
b/ Unbound tries to connect to Root DNS servers directly. Every time unbound starts, it tries to connect to root DNS servers directly and not through internal DNS. I am using a second unbound server as a cache nameserver in a DMZ zone and unbound anchor timer service is disabled. My forward config is:
So I have only set up unbound on RHEL, and this is how we have always expected it to work as a secure proxy. That would mean it is meant to talk to the ROOT domains and also give bad answers for zones which the ROOT zones do not have a subdomain for.
The CentOS-8 version is compiled with the following options which may be causing some of this (would need to see how the openbsd is compiled)
configure_args --with-libevent --with-pthreads --with-ssl \\ --disable-rpath --disable-static \\ --enable-relro-now --enable-pie \\ --enable-subnet --enable-ipsecmod \\ --with-conf-file=%{_sysconfdir}/%{name}/unbound.conf \\ --with-pidfile=%{_localstatedir}/run/%{name}/%{name}.pid \\ --enable-sha2 --disable-gost --enable-ecdsa \\ --with-rootkey-file=%{_sharedstatedir}/unbound/root.key
The centos-7 is
%configure --with-libevent --with-pthreads --with-ssl \ --disable-rpath --disable-static \ --enable-subnet --enable-ipsecmod \ --with-conf-file=%{_sysconfdir}/%{name}/unbound.conf \ --with-pidfile=%{_localstatedir}/run/%{name}/%{name}.pid \ %if %{with_python} --with-pythonmodule --with-pyunbound \ %endif --enable-sha2 --disable-gost --enable-ecdsa \ --with-rootkey-file=%{_sharedstatedir}/unbound/root.key
Looking through the default configs, it seems this is the 'default' in many ways (getting the root items to get the latest keys etc need to be turned off) and you need to change a lot of flags to do otherwise. You would need to see what all the differences between the OpenBSD and the RHEL ones are.
Sorry I can't be of much more help.
forward-zone:
name: "."
forward-addr: 172.22.54.6@53mailto:172.22.54.6@53
Any idea why these problems occur?
-- Regards, C. L. Martinez _______________________________________________ CentOS mailing list CentOS@centos.org https://lists.centos.org/mailman/listinfo/centos
Hi Stephen,
Many thanks for your answer. Unbound under OpenBSD is compiled with few options:
Version 1.9.4
Configure line: --enable-allsymbols --with-ssl=/usr --with-libevent=/usr --with-libexpat=/usr --without-pythonmodule --with-chroot-dir=/var/unbound --with-pidfile= --with-rootkey-file=/var/unbound/db/root.key --with-conf-file=/var/unbound/etc/unbound.conf --with-username=_unbound --disable-shared --without-pthreads Linked libs: pluggable-libevent 1.4.15-stable (it uses kqueue), LibreSSL 3.0.2 Linked modules: dns64 respip validator iterator
But, maybe this is not the problem ... Most relevance difference is "disable-rpath" flag under CentOS ... I have tried a RHEL 8.1 vm and problem is the same as is CentOS8 ...
On Mon, 30 Mar 2020 at 08:42, Carlos Lopez clopmz@outlook.com wrote:
Hi Stephen,
Many thanks for your answer. Unbound under OpenBSD is compiled with few options:
Version 1.9.4
That may also be the difference. RHEL-8 is 1.7.3 so I don't know if that added features or config options which the 1.9.4 has in it.
Configure line: --enable-allsymbols --with-ssl=/usr --with-libevent=/usr --with-libexpat=/usr --without-pythonmodule --with-chroot-dir=/var/unbound --with-pidfile= --with-rootkey-file=/var/unbound/db/root.key --with-conf-file=/var/unbound/etc/unbound.conf --with-username=_unbound --disable-shared --without-pthreads Linked libs: pluggable-libevent 1.4.15-stable (it uses kqueue), LibreSSL 3.0.2 Linked modules: dns64 respip validator iterator
But, maybe this is not the problem ... Most relevance difference is "disable-rpath" flag under CentOS ... I have tried a RHEL 8.1 vm and problem is the same as is CentOS8 ...
OK I am going with version differences or config options. Are you using the defaults with only an additional file mod for your local dns or something else?
-- Regards, C. L. Martinez
On 30/03/2020, 14:32, "CentOS on behalf of Stephen John Smoogen" < centos-bounces@centos.org on behalf of smooge@gmail.com> wrote:
On Mon, 30 Mar 2020 at 03:47, Carlos Lopez <clopmz@outlook.com> wrote: > Good morning, > > I have detected two strange problems with unbound under CentOS8(fully > patched). I have tried same configuration in an OpenBSD host, and these > problems do not appear. > > a/ Error mesage “connection refused”. I am using this unbound server to > resolv DNS records for our internal domain (Bind9 is configured to listen > in localhost interface, port 5353 udp and in the same host where unbound > runs). When I try to run a nslookup query like this: > > > set q=any > > my.internal.dom > ;; Connection to 127.0.0.1#53(127.0.0.1) for my.internal.dom failed: > connection refused. > > > And I don’t understand why. Bind9 resolves this without problems, but > unbound returns connection refused. Unbound is configured to listen in > 0.0.0.0 and allow all connections (access-control: 0.0.0.0/0 allow). The > strange thing is that it only happens with that kind of request, any other > request works fine. > > b/ Unbound tries to connect to Root DNS servers directly. Every time > unbound starts, it tries to connect to root DNS servers directly and not > through internal DNS. I am using a second unbound server as a cache > nameserver in a DMZ zone and unbound anchor timer service is disabled. My > forward config is: > > So I have only set up unbound on RHEL, and this is how we have always expected it to work as a secure proxy. That would mean it is meant to talk to the ROOT domains and also give bad answers for zones which the ROOT zones do not have a subdomain for.
The CentOS-8 version is compiled with the following options which maybe causing some of this (would need to see how the openbsd is compiled)
configure_args --with-libevent --with-pthreads --with-ssl \\\ --disable-rpath --disable-static \\\ --enable-relro-now --enable-pie \\\ --enable-subnet --enable-ipsecmod \\\ --with-conf-file=%{_sysconfdir}/%{name}/unbound.conf \\\ --with-pidfile=%{_localstatedir}/run/%{name}/%{name}.pid\\ --enable-sha2 --disable-gost --enable-ecdsa \\ --with-rootkey-file=%{_sharedstatedir}/unbound/root.key
The centos-7 is %configure --with-libevent --with-pthreads --with-ssl \ --disable-rpath --disable-static \ --enable-subnet --enable-ipsecmod \ --with-conf-file=%{_sysconfdir}/%{name}/unbound.conf \ --with-pidfile=%{_localstatedir}/run/%{name}/%{name}.pid \ %if %{with_python} --with-pythonmodule --with-pyunbound \ %endif --enable-sha2 --disable-gost --enable-ecdsa \ --with-rootkey-file=%{_sharedstatedir}/unbound/root.key Looking through the default configs, it seems this is the 'default' inmany ways (getting the root items to get the latest keys etc need to be turned off) and you need to change a lot of flags to do otherwise. You would need to see what all the differences between the OpenBSD and the RHEL ones are.
Sorry I can't be of much more help. forward-zone: > name: "." forward-addr: 172.22.54.6@53<mailto:172.22.54.6@53> > > Any idea why these problems occur? > > -- > Regards, > C. L. Martinez > _______________________________________________ > CentOS mailing list > CentOS@centos.org > https://lists.centos.org/mailman/listinfo/centos > -- Stephen J Smoogen. _______________________________________________ CentOS mailing list CentOS@centos.org https://lists.centos.org/mailman/listinfo/centos
CentOS mailing list CentOS@centos.org https://lists.centos.org/mailman/listinfo/centos
Many thanks Stepehn. I am using the following options:
server: interface: 0.0.0.0 do-ip6: no
access-control: 0.0.0.0/0 refuse access-control: 127.0.0.0/8 allow access-control: ::0/0 refuse access-control: ::1 allow access-control: 172.22.55.0/27 allow hide-identity: yes hide-version: yes
do-tcp: no do-not-query-localhost: no extended-statistics: yes so-reuseport: yes use-caps-for-id: yes unblock-lan-zones: yes insecure-lan-zones: yes
-
Carlos Lopez -
Stephen John Smoogen