On Mon, 30 Mar 2020 at 03:47, Carlos Lopez <clopmz at outlook.com> wrote: > Good morning, > > I have detected two strange problems with unbound under CentOS8 (fully > patched). I have tried same configuration in an OpenBSD host, and these > problems do not appear. > > a/ Error mesage “connection refused”. I am using this unbound server to > resolv DNS records for our internal domain (Bind9 is configured to listen > in localhost interface, port 5353 udp and in the same host where unbound > runs). When I try to run a nslookup query like this: > > > set q=any > > my.internal.dom > ;; Connection to 127.0.0.1#53(127.0.0.1) for my.internal.dom failed: > connection refused. > > > And I don’t understand why. Bind9 resolves this without problems, but > unbound returns connection refused. Unbound is configured to listen in > 0.0.0.0 and allow all connections (access-control: 0.0.0.0/0 allow). The > strange thing is that it only happens with that kind of request, any other > request works fine. > > b/ Unbound tries to connect to Root DNS servers directly. Every time > unbound starts, it tries to connect to root DNS servers directly and not > through internal DNS. I am using a second unbound server as a cache > nameserver in a DMZ zone and unbound anchor timer service is disabled. My > forward config is: > > So I have only set up unbound on RHEL, and this is how we have always expected it to work as a secure proxy. That would mean it is meant to talk to the ROOT domains and also give bad answers for zones which the ROOT zones do not have a subdomain for. The CentOS-8 version is compiled with the following options which may be causing some of this (would need to see how the openbsd is compiled) configure_args --with-libevent --with-pthreads --with-ssl \\\ --disable-rpath --disable-static \\\ --enable-relro-now --enable-pie \\\ --enable-subnet --enable-ipsecmod \\\ --with-conf-file=%{_sysconfdir}/%{name}/unbound.conf \\\ --with-pidfile=%{_localstatedir}/run/%{name}/%{name}.pid \\\ --enable-sha2 --disable-gost --enable-ecdsa \\\ --with-rootkey-file=%{_sharedstatedir}/unbound/root.key The centos-7 is %configure --with-libevent --with-pthreads --with-ssl \ --disable-rpath --disable-static \ --enable-subnet --enable-ipsecmod \ --with-conf-file=%{_sysconfdir}/%{name}/unbound.conf \ --with-pidfile=%{_localstatedir}/run/%{name}/%{name}.pid \ %if %{with_python} --with-pythonmodule --with-pyunbound \ %endif --enable-sha2 --disable-gost --enable-ecdsa \ --with-rootkey-file=%{_sharedstatedir}/unbound/root.key Looking through the default configs, it seems this is the 'default' in many ways (getting the root items to get the latest keys etc need to be turned off) and you need to change a lot of flags to do otherwise. You would need to see what all the differences between the OpenBSD and the RHEL ones are. Sorry I can't be of much more help. forward-zone: > name: "." forward-addr: 172.22.54.6 at 53<mailto:172.22.54.6 at 53> > > Any idea why these problems occur? > > -- > Regards, > C. L. Martinez > _______________________________________________ > CentOS mailing list > CentOS at centos.org > https://lists.centos.org/mailman/listinfo/centos > -- Stephen J Smoogen.