[CentOS] Some problems with Unbound under CentOS8

Mon Mar 30 12:31:43 UTC 2020
Stephen John Smoogen <smooge at gmail.com>

On Mon, 30 Mar 2020 at 03:47, Carlos Lopez <clopmz at outlook.com> wrote:

> Good morning,
> I have detected two strange problems with unbound under CentOS8 (fully
> patched). I have tried same configuration in an OpenBSD host, and these
> problems do not appear.
> a/ Error message “connection refused”. I am using this unbound server to
> resolve DNS records for our internal domain (Bind9 is configured to listen
> on the localhost interface, port 5353 udp, in the same host where unbound
> runs). When I try to run a nslookup query like this:
> > set q=any
> > my.internal.dom
> ;; Connection to for my.internal.dom  failed:
> connection refused.
> >
> And I don’t understand why. Bind9 resolves this without problems, but
> unbound returns connection refused. Unbound is configured to listen in
> and allow all connections (access-control: allow). The
> strange thing is that it only happens with that kind of request, any other
> request works fine.
> b/ Unbound tries to connect to Root DNS servers directly. Every time
> unbound starts, it tries to connect to root DNS servers directly and not
> through internal DNS. I am using a second unbound server as a cache
> nameserver in a DMZ zone and unbound anchor timer service is disabled. My
> forward config is:
So I have only set up unbound on RHEL, and this is how we have always
expected it to work as a secure proxy. That would mean it is meant to talk
to the ROOT domains and also give bad answers for zones which the ROOT
zones do not have a subdomain for.

The CentOS-8 version is compiled with the following options, which may be
causing some of this (would need to see how the OpenBSD one is compiled):

configure_args --with-libevent --with-pthreads --with-ssl \
            --disable-rpath --disable-static \
            --enable-relro-now --enable-pie \
            --enable-subnet --enable-ipsecmod \
            --with-conf-file=%{_sysconfdir}/%{name}/unbound.conf \
            --with-pidfile=%{_localstatedir}/run/%{name}/%{name}.pid \
            --enable-sha2 --disable-gost --enable-ecdsa \

The CentOS-7 one is:

%configure  --with-libevent --with-pthreads --with-ssl \
            --disable-rpath --disable-static \
            --enable-subnet --enable-ipsecmod \
            --with-conf-file=%{_sysconfdir}/%{name}/unbound.conf \
            --with-pidfile=%{_localstatedir}/run/%{name}/%{name}.pid \
%if %{with_python}
            --with-pythonmodule --with-pyunbound \
            --enable-sha2 --disable-gost --enable-ecdsa \

Looking through the default configs, it seems this is the 'default' in many
ways (getting the root items to get the latest keys etc need to be turned
off) and you need to change a lot of flags to do otherwise. You would need
to see what all the differences between the OpenBSD and the RHEL ones are.

Sorry I can't be of much more help.

>                 name: "."
>                 forward-addr: at 53
> Any idea why these problems occur?
> --
> Regards,
> C. L. Martinez
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> https://lists.centos.org/mailman/listinfo/centos

Stephen J Smoogen.
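For reference, an unbound.conf layout for the setup described in the question, added here as an example rather than taken from the thread or from the CentOS package: it assumes the internal zone is served by the co-hosted Bind9 on 127.0.0.1 port 5353 (as a stub-zone) and that everything else is forwarded to the DMZ cache, whose address is a placeholder.

```conf
# Added example (not from the thread): resolver that co-hosts Bind9
# (listening on 127.0.0.1 port 5353 for the internal zone) and forwards
# everything else to a cache in the DMZ.
# 192.0.2.10 is a placeholder for the DMZ cache address; replace it.
server:
    interface: 0.0.0.0
    # Do not reproduce a blanket "allow" for every source: that makes an
    # open resolver. Allow only loopback and the internal networks.
    access-control: 127.0.0.0/8 allow
    access-control: 10.0.0.0/8 allow        # placeholder internal range
    access-control: 0.0.0.0/0 refuse        # longest prefix wins, so this is the fallback

    # By default Unbound refuses to send queries to 127.0.0.1, so a
    # stub or forward target on localhost needs this turned off.
    do-not-query-localhost: no

    # The internal zone is assumed not to be DNSSEC-signed; tell the
    # validator not to expect signatures below it.
    domain-insecure: "my.internal.dom."

# Internal zone: ask the local Bind9 on its non-standard port directly.
stub-zone:
    name: "my.internal.dom."
    stub-addr: 127.0.0.1@5353

# Everything else goes to the DMZ cache instead of iterating from the root.
forward-zone:
    name: "."
    forward-addr: 192.0.2.10@53
```

Run `unbound-checkconf` after editing; it reports the exact line of any option it does not accept.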