[CentOS] Some problems with Unbound under CentOS8

Mon Mar 30 12:49:40 UTC 2020
Stephen John Smoogen <smooge at gmail.com>

On Mon, 30 Mar 2020 at 08:42, Carlos Lopez <clopmz at outlook.com> wrote:

> Hi Stephen,
>
>  Many thanks for your answer. Unbound under OpenBSD is compiled with few
> options:
>
> Version 1.9.4
>
>
That may also be the difference. RHEL-8 is 1.7.3 so I don't know if that
added features or config options which the 1.9.4 has in it.



> Configure line: --enable-allsymbols --with-ssl=/usr --with-libevent=/usr
> --with-libexpat=/usr --without-pythonmodule --with-chroot-dir=/var/unbound
> --with-pidfile= --with-rootkey-file=/var/unbound/db/root.key
> --with-conf-file=/var/unbound/etc/unbound.conf --with-username=_unbound
> --disable-shared --without-pthreads
> Linked libs: pluggable-libevent 1.4.15-stable (it uses kqueue), LibreSSL
> 3.0.2
> Linked modules: dns64 respip validator iterator
>
>  But, maybe this is not the problem ... The most relevant difference is
> the "disable-rpath" flag under CentOS ... I have tried a RHEL 8.1 vm and
> the problem is the same as in CentOS8 ...
>
>
OK I am going with version differences or config options. Are you using the
defaults with only an additional file mod for your local dns or something
else?



> --
> Regards,
> C. L. Martinez
>
> On 30/03/2020, 14:32, "CentOS on behalf of Stephen John Smoogen" <
> centos-bounces at centos.org on behalf of smooge at gmail.com> wrote:
>
>     On Mon, 30 Mar 2020 at 03:47, Carlos Lopez <clopmz at outlook.com> wrote:
>
>     > Good morning,
>     >
>     > I have detected two strange problems with unbound under CentOS8
> (fully
>     > patched). I have tried same configuration in an OpenBSD host, and
> these
>     > problems do not appear.
>     >
>     > a/ Error message “connection refused”. I am using this unbound server
> to
>     > resolve DNS records for our internal domain (Bind9 is configured to
> listen
>     > in localhost interface, port 5353 udp and in the same host where
> unbound
>     > runs). When I try to run a nslookup query like this:
>     >
>     > > set q=any
>     > > my.internal.dom
>     > ;; Connection to 127.0.0.1#53(127.0.0.1) for my.internal.dom  failed:
>     > connection refused.
>     > >
>     > And I don’t understand why. Bind9 resolves this without problems, but
>     > unbound returns connection refused. Unbound is configured to listen
> in
>     > 0.0.0.0 and allow all connections (access-control: 0.0.0.0/0
> allow). The
>     > strange thing is that it only happens with that kind of request, any
> other
>     > request works fine.
>     >
>     > b/ Unbound tries to connect to Root DNS servers directly. Every time
>     > unbound starts, it tries to connect to root DNS servers directly and
> not
>     > through internal DNS. I am using a second unbound server as a cache
>     > nameserver in a DMZ zone and unbound anchor timer service is
> disabled. My
>     > forward config is:
>     >
>     >
>     So I have only set up unbound on RHEL, and this is how we have always
>     expected it to work as a secure proxy. That would mean it is meant to
> talk
>     to the ROOT domains and also give bad answers for zones which the ROOT
>     zones do not have a subdomain for.
>
>     The CentOS-8 version is compiled with the following options which may
> be
>     causing some of this (would need to see how the openbsd is compiled)
>
>     configure_args --with-libevent --with-pthreads --with-ssl \\\
>                 --disable-rpath --disable-static \\\
>                 --enable-relro-now --enable-pie \\\
>                 --enable-subnet --enable-ipsecmod \\\
>                 --with-conf-file=%{_sysconfdir}/%{name}/unbound.conf \\\
>                 --with-pidfile=%{_localstatedir}/run/%{name}/%{name}.pid
> \\\
>                 --enable-sha2 --disable-gost --enable-ecdsa \\\
>                 --with-rootkey-file=%{_sharedstatedir}/unbound/root.key
>
>
>     The centos-7 is
>
>     %configure  --with-libevent --with-pthreads --with-ssl \
>                 --disable-rpath --disable-static \
>                 --enable-subnet --enable-ipsecmod \
>                 --with-conf-file=%{_sysconfdir}/%{name}/unbound.conf \
>                 --with-pidfile=%{_localstatedir}/run/%{name}/%{name}.pid \
>     %if %{with_python}
>                 --with-pythonmodule --with-pyunbound \
>     %endif
>                 --enable-sha2 --disable-gost --enable-ecdsa \
>                 --with-rootkey-file=%{_sharedstatedir}/unbound/root.key
>
>
>     Looking through the default configs, it seems this is the 'default' in
> many
>     ways (getting the root items to get the latest keys etc need to be
> turned
>     off) and you need to change a lot of flags to do otherwise. You would
> need
>     to see what all the differences between the OpenBSD and the RHEL ones
> are.
>
>     Sorry I can't be of much more help.
>
>
>     > forward-zone:
>     >                 name: "."
>     >                 forward-addr: 172.22.54.6@53
>     >
>     > Any idea why these problems occur?
>     >
>     > --
>     > Regards,
>     > C. L. Martinez
>     > _______________________________________________
>     > CentOS mailing list
>     > CentOS at centos.org
>     > https://lists.centos.org/mailman/listinfo/centos
>     >
>
>
>     --
>     Stephen J Smoogen.
>
>
>


-- 
Stephen J Smoogen.
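A constructed unbound.conf in the shape the thread describes (listen on all interfaces, hand the internal domain to the BIND instance on 127.0.0.1 port 5353, forward everything else to the DMZ cache at 172.22.54.6), with the open access-control the original poster mentions shown beside a restricted form; this is an added example, not a configuration from anyone in the thread, and the 10.0.0.0/8 range and the root.key path are assumptions.

```conf
server:
    interface: 0.0.0.0
    # As described in the thread: anyone who can reach the socket may query
    # (an open resolver). Shown commented out for comparison.
    # access-control: 0.0.0.0/0 allow
    # Restricted form: only the networks this resolver serves (assumed ranges),
    # everything else gets REFUSED instead of being recursed for.
    access-control: 127.0.0.0/8 allow
    access-control: 10.0.0.0/8 allow
    access-control: 0.0.0.0/0 refuse
    # TCP must stay on: replies that do not fit in a UDP datagram (large ANY
    # answers, for instance) are truncated and the client retries over TCP.
    do-tcp: yes
    # Trust-anchor maintenance queries the root DNSKEY at startup; the path
    # is the one the spec's --with-rootkey-file points at (assumed here).
    auto-trust-anchor-file: "/var/lib/unbound/root.key"
    # The internal zone is served by a private BIND and is not signed, so
    # tell the validator not to demand DNSSEC proofs for it.
    domain-insecure: "my.internal.dom"
    # Let RFC 1918 addresses through for this zone if private-address
    # filtering is enabled elsewhere in the config.
    private-domain: "my.internal.dom"

# Internal domain -> BIND on the same host, UDP/TCP port 5353.
forward-zone:
    name: "my.internal.dom"
    forward-addr: 127.0.0.1@5353

# Everything else -> the DMZ cache. forward-first defaults to no; setting it
# to yes would let Unbound iterate from the root hints when the forwarder
# fails to answer, which is the opposite of what a forward-only proxy wants.
forward-zone:
    name: "."
    forward-addr: 172.22.54.6@53
    forward-first: no
```

Run `unbound-checkconf` against the file before reloading; it rejects unknown keys and reports the file and line of the first error.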