[CentOS] Problems with dnscrypt's package from EPEL

Thu Dec 14 18:40:55 UTC 2017
Stephen John Smoogen <smooge at gmail.com>

Can you give more information on the unbound setup? We use unbound in
Fedora Infrastructure on RHEL-7 servers. I know there is an SELinux
dance we have to do to start it properly without a special policy...
but I don't know exactly the details on why.

On 11 December 2017 at 03:56, C. L. Martinez <carlopmart at gmail.com> wrote:
> Sorry Stephen. I have enabled another dnscrypt process in port 6355 to
> test ... But no luck.
>
> On the other side, I am not sure if dnscrypt is the problem. I have
> replaced unbound with dnsmasq and voila! ... Everything is working very fast
> (and dnsmasq only uses 75 MiB of RAM, where unbound uses 400 MiB).
> And no more SERVFAIL errors ... But I don't understand where the
> problem with the unbound.conf file is then. Using the same config for dnscrypt
> and unbound in a FreeBSD vm, all works ok.
>
> On Sun, Dec 10, 2017 at 8:10 PM, Stephen John Smoogen <smooge at gmail.com> wrote:
>> Not sure if this is a factor yet, but your forward-zone is looking for
>> 3 ports but only 2 ports are configured in the systemd startup... so
>> are 1/3 of all lookups going to fail? Or is the 6355 a 'given' (aka it
>> will be set up whether 6353 and 6354 are set up?)
>>
>> On 9 December 2017 at 16:45, C. L. Martinez <carlopmart at gmail.com> wrote:
>>> On Sat, Dec 09, 2017 at 10:25:41PM +0100, C. L. Martinez wrote:
>>>> On Sat, Dec 09, 2017 at 03:03:52PM -0500, Stephen John Smoogen wrote:
>>>> > On 9 December 2017 at 14:04, C. L. Martinez <carlopmart at gmail.com> wrote:
>>>> > > Hi all,
>>>> > >
>>>> > >  I have installed dnscrypt's rpm package from the EPEL repo on CentOS 7.4 and am using unbound as a resolver. But I see constant timeouts and responses are very slow ... Using the same config in a Debian 9 virtual machine, all works ok.
>>>> > >
>>>> > >  I think the problem is with dnscrypt's rpm package provided by EPEL. Has anyone seen similar problems?
>>>> > >
>>>> >
>>>> > Can you give some more information on what you are seeing and how you
>>>> > have it set up? I can try to duplicate it in EPEL and/or put in bugs
>>>> > on the package.
>>>> >
>>>> >
>>>>
>>>> Of course and thanks in advance Stephen. My dnscrypt startup scripts use the following options:
>>>>
>>>> [Service]
>>>> Type=forking
>>>> PIDFile=/var/run/dnscrypt-cs.pid
>>>> ExecStart=/usr/sbin/dnscrypt-proxy \
>>>>       --daemonize \
>>>>       --user=nobody \
>>>>       --pidfile=/var/run/dnscrypt-cs.pid \
>>>>       --ephemeral-keys \
>>>>       --resolver-name=cs-fi \
>>>>       --logfile=/tmp/cs.log \
>>>>       --local-address=127.0.0.1:6354
>>>> Restart=on-abort
>>>>
>>>> [Service]
>>>> Type=forking
>>>> PIDFile=/var/run/dnscrypt-ipredator.pid
>>>> ExecStart=/usr/sbin/dnscrypt-proxy \
>>>>       --daemonize \
>>>>       --user=nobody \
>>>>       --pidfile=/var/run/dnscrypt-ipredator.pid \
>>>>       --ephemeral-keys \
>>>>       --resolver-name=ipredator \
>>>>       --logfile=/tmp/ipredator.log \
>>>>       --local-address=127.0.0.1:6353
>>>> Restart=on-abort
>>>>
>>>> And unbound.conf is:
>>>>
>>>> server:
>>>>       interface: 127.0.0.1
>>>>       interface: 172.22.54.4
>>>>       interface: ::1
>>>>       port: 53
>>>>       do-ip6: no
>>>>       do-udp: yes
>>>>       do-tcp: yes
>>>>       num-threads: 1
>>>>
>>>>       access-control: 0.0.0.0/0 refuse
>>>>       access-control: 127.0.0.0/8 allow
>>>>       access-control: ::0/0 refuse
>>>>       access-control: ::1 allow
>>>>       access-control: 172.22.54.0/29 allow
>>>>       access-control: 172.22.55.1 allow
>>>>
>>>>       hide-identity: yes
>>>>       hide-version: yes
>>>>
>>>>       do-not-query-localhost: no
>>>>       val-permissive-mode: yes
>>>>       val-clean-additional: yes
>>>>       module-config: "validator iterator"
>>>
>>> Oops .. sorry. There are more options in the unbound.conf file:
>>>
>>> remote-control:
>>>         control-enable: yes
>>>         control-use-cert: yes
>>>         control-interface: 127.0.0.1
>>>
>>> forward-zone:
>>>         name: "."
>>>         forward-addr: 127.0.0.1@6353
>>>         forward-addr: 127.0.0.1@6354
>>>         forward-addr: 127.0.0.1@6355
>>>
>>> Sorry.
>>>
>>> --
>>> Greetings,
>>> C. L. Martinez
>>> _______________________________________________
>>> CentOS mailing list
>>> CentOS at centos.org
>>> https://lists.centos.org/mailman/listinfo/centos
>>
>>
>>
>> --
>> Stephen J Smoogen.



-- 
Stephen J Smoogen.
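A small consistency check for the two things the thread turns on: the forward-zone lists three loopback ports while only two dnscrypt-proxy units define a --local-address, and forwarding to 127.0.0.1 only works when unbound's do-not-query-localhost is switched off. This is an added example, not code from the thread or from either project; the unit names, the embedded unbound.conf and unit texts are constructed from the snippets quoted above, and a real run would read /etc/unbound/unbound.conf and the unit files from disk.

```python
"""Cross-check unbound's forward-zone against the dnscrypt-proxy listeners
that systemd actually starts (added example, not from the thread)."""
import re
from typing import Dict, List, Set, Tuple

Endpoint = Tuple[str, int]

# Constructed sample input modelled on the thread's configuration: three
# forward-addr entries, but only two dnscrypt-proxy units.
UNBOUND_CONF = """\
server:
      interface: 127.0.0.1
      port: 53
      do-not-query-localhost: no
      module-config: "validator iterator"

forward-zone:
        name: "."
        forward-addr: 127.0.0.1@6353
        forward-addr: 127.0.0.1@6354
        forward-addr: 127.0.0.1@6355
"""

# Unit names are assumptions; the ExecStart lines follow the posted units.
SYSTEMD_UNITS: Dict[str, str] = {
    "dnscrypt-ipredator.service": """\
[Service]
Type=forking
ExecStart=/usr/sbin/dnscrypt-proxy \\
      --daemonize \\
      --resolver-name=ipredator \\
      --local-address=127.0.0.1:6353
Restart=on-abort
""",
    "dnscrypt-cs.service": """\
[Service]
Type=forking
ExecStart=/usr/sbin/dnscrypt-proxy \\
      --daemonize \\
      --resolver-name=cs-fi \\
      --local-address=127.0.0.1:6354
Restart=on-abort
""",
}

FORWARD_RE = re.compile(r"^\s*forward-addr:\s*(\S+?)(?:@(\d+))?\s*(?:#.*)?$")
OPTION_RE = re.compile(r"^\s*([a-z0-9-]+):\s*(\S+)")
LOCAL_ADDR_RE = re.compile(r"--local-address=(\[[^\]]+\]|[^:\s\\]+):(\d+)")


def parse_forward_addrs(conf: str) -> Set[Endpoint]:
    """Every forward-addr in unbound.conf; no '@port' means unbound's
    default forwarder port 53."""
    found: Set[Endpoint] = set()
    for line in conf.splitlines():
        m = FORWARD_RE.match(line)
        if m:
            found.add((m.group(1), int(m.group(2) or 53)))
    return found


def parse_listeners(units: Dict[str, str]) -> Dict[Endpoint, str]:
    """Map each --local-address a unit starts to the unit's name. A unit
    without the flag uses dnscrypt-proxy's built-in default, which this
    check deliberately does not guess at."""
    listeners: Dict[Endpoint, str] = {}
    for name, text in units.items():
        for host, port in LOCAL_ADDR_RE.findall(text):
            listeners[(host.strip("[]"), int(port))] = name
    return listeners


def unmatched_forwarders(conf: str, units: Dict[str, str]) -> List[str]:
    """Forwarders unbound will try that no unit listens on. Each attempt
    against a dead port costs a timeout before unbound moves on, which is
    what a client sees as slow or failing lookups."""
    listeners = parse_listeners(units)
    missing = parse_forward_addrs(conf) - set(listeners)
    return sorted(f"{host}@{port}" for host, port in missing)


def localhost_forwarding_allowed(conf: str) -> bool:
    """unbound refuses to query 127.0.0.0/8 unless do-not-query-localhost
    is 'no' (its default is 'yes'); with only loopback forwarders and the
    default in place every query ends in SERVFAIL."""
    uses_loopback = any(host.startswith("127.") or host == "::1"
                        for host, _ in parse_forward_addrs(conf))
    value = "yes"  # unbound's documented default
    for line in conf.splitlines():
        m = OPTION_RE.match(line)
        if m and m.group(1) == "do-not-query-localhost":
            value = m.group(2).lower()
    return (not uses_loopback) or value == "no"


if __name__ == "__main__":
    for entry in unmatched_forwarders(UNBOUND_CONF, SYSTEMD_UNITS):
        print(f"forward-addr {entry} has no dnscrypt-proxy listener")
    if not localhost_forwarding_allowed(UNBOUND_CONF):
        print("do-not-query-localhost must be 'no' to forward to 127.0.0.1")
```

On the thread's configuration the script reports 127.0.0.1@6355 as having no listener and confirms that do-not-query-localhost is set correctly, so the remaining suspects are the dead third forwarder and whatever the CentOS host does differently from the FreeBSD and Debian machines (SELinux labelling of the unbound and dnscrypt-proxy sockets being the obvious one to inspect with ausearch).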