Hi Johan,

On Mon, 10 Oct 2016 23:42:16 +0200 Johan Mellberg wrote:
> I have tried multiple combinations of ports and interface bindings and
> I suspect that I am missing something simple here. Currently I have
> set NSD to listen on 127.0.0.1 and Unbound listens on 192.168.x.91 -
> so there should not be a conflict.

For unbound to be the machine's resolver, it needs to listen on lo0.

>
> * resolv.conf
> lookup file bind
> nameserver 192.168.x.91

Remove the lookup line, and change the nameserver line to:

nameserver 127.0.0.1

>
> # cat /etc/myname
> dns03.my.domain
>
> # cat /etc/hosts
> 127.0.0.1 localhost
> ::1 localhost
> 192.168.x.91 dns03.my.domain dns03
>
> # cat /var/unbound/etc/unbound.conf
> # $OpenBSD: unbound.conf,v 1.7 2016/03/30 01:41:25 sthen Exp $
>
> server:
> interface: 192.168.x.91
> interface: ::1

# Add this line:
interface: 127.0.0.1

> do-not-query-localhost: no
>
> access-control: 192.168.x.64/24 allow
> access-control: 127.0.0.0/8 allow
> access-control: 0.0.0.0/0 refuse
> access-control: ::0/0 refuse
> access-control: ::1 allow
>
> hide-identity: yes
> hide-version: yes
>
> # Uncomment to enable DNSSEC validation.
> #
> auto-trust-anchor-file: "/var/unbound/db/root.key"
>
> root-hints: /var/unbound/etc/root.hints
>

# Add these lines:
private-address: 192.168.0.0/16
private-domain: 'my.domain'
local-zone: 'x.168.192.in-addr.arpa' typetransparent

> remote-control:
> control-enable: yes
> control-use-cert: no
> control-interface: /var/run/unbound.sock
>
> stub-zone:
> name: "my.domain"
> stub-addr: 127.0.0.1

# Add port 42 here:-
# The ARPA Host Name Server Protocol (NAMESERVER)
# is an obsolete network protocol ====> unused low port
# http://en.wikipedia.org/wiki/ARPA_Host_Name_Server_Protocol
stub-addr: 127.0.0.1@42

> stub-zone:
> name: "x.168.192.in-addr.arpa"
> stub-addr: 127.0.0.1

# Again, add port 42 to the above line:
stub-addr: 127.0.0.1@42

>
> # cat /var/nsd/etc/nsd.conf
> # $OpenBSD: nsd.conf,v 1.11 2015/04/12 11:49:39 sthen Exp $
>
> server:
> hide-version: yes
> verbosity: 1
> database: "" # disable database
>
> ## bind to a specific address/port
> ip-address: 127.0.0.1

# Again, add port 42 to the above line:
ip-address: 127.0.0.1@42

>
> remote-control:
> control-enable: yes
>
> zone:
> name: "my.domain"
> zonefile: "master/my.domain"
> zone:
> name: "x.168.192.in-addr.arpa"
> zonefile: "master/192.168.x.rev"
>

Hopefully those minor tweaks should get you going!

(As you had set 'do-not-query-localhost', probably the missing companion
typetransparent local-zone simply caught you out.)

While this post is 2 years old, the address and ports stuff is much the same:
http://marc.info/?l=openbsd-misc&m=141113669300630&w=2

While I've not tried it, another method could be instead of having NSD
listen on 127.0.0.1@42, have it listen on 127.0.0.53, which would require
another /etc/hostname.lo53, pf rules, etc...

Cheers,
--
Craig Skinner | http://linkd.in/yGqkv7
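An added example, not from this thread and not Unbound's or NSD's own tooling: a small Python checker for the three things Craig's tweaks line up (stub-addr host@port against NSD's ip-address, do-not-query-localhost for a loopback stub, and the typetransparent local-zone for a stubbed reverse zone). The two configs are constructed samples and the parser only handles the flat `key: value` layout shown in the thread, not include: files.

```python
# Hypothetical checker (not Unbound's or NSD's own tooling) for the thread's
# tweaks: stub-addr host@port must match NSD's ip-address, a loopback stub needs
# do-not-query-localhost: no, a stubbed reverse zone needs typetransparent.
UNBOUND_CONF = """
server:
    do-not-query-localhost: no
    local-zone: 'x.168.192.in-addr.arpa' typetransparent
stub-zone:
    name: "x.168.192.in-addr.arpa"
    stub-addr: 127.0.0.1@42
"""
NSD_CONF = """
server:
    ip-address: 127.0.0.1@42
"""

def parse(text):
    """Yield (section, key, value) per 'key: value' line; '#' comments dropped."""
    section = None
    for line in (raw.split('#', 1)[0].strip() for raw in text.splitlines()):
        key, _, val = line.partition(':')
        if val.strip():
            yield section, key.strip(), val.strip().strip('"\'')
        elif line:
            section = key.strip()  # bare 'server:' / 'stub-zone:' header

def addr(spec):
    host, _, port = spec.partition('@')  # 'host@port'; both daemons default to 53
    return host, int(port or 53)

def check(unbound_text, nsd_text):
    """Return problem strings; an empty list means the layout is consistent."""
    ub = list(parse(unbound_text))
    listen = {addr(v) for s, k, v in parse(nsd_text) if s == 'server' and k == 'ip-address'}
    server = {k: v for s, k, v in ub if s == 'server'}
    transparent = {v.split()[0].strip('"\'') for s, k, v in ub
                   if k == 'local-zone' and v.endswith('typetransparent')}
    problems, name = [], None
    for s, k, v in ub:
        if s == 'stub-zone' and k == 'name':
            name = v
        elif s == 'stub-zone' and k == 'stub-addr':
            host, port = addr(v)
            if (host, port) not in listen:
                problems.append(f"{name}: stub-addr {v} but NSD listens on {sorted(listen)}")
            if host.startswith('127.') and server.get('do-not-query-localhost') != 'no':
                problems.append(f"{name}: loopback stub needs do-not-query-localhost: no")
            if name.endswith('in-addr.arpa') and name not in transparent:
                problems.append(f"{name}: reverse stub needs a typetransparent local-zone")
    return problems
```

Run check() over the real /var/unbound/etc/unbound.conf and /var/nsd/etc/nsd.conf after editing; an empty list means the port, loopback and reverse-zone settings agree.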