So as to how it flies, here's my line of thought: Unbound should serve my network including the dns server machine itself with DNS, hence the external IP address in resolv.conf. dig and nslookup run on the dns server itself both use this with no problem and the rest of my network seems happy as well. It should also respond to queries for my internal zone by querying NSD on a local address. To me it then looks like there is no need for Unbound to bind to 127.0.0.1.
NSD should only serve Unbound's queries for my.domain. Thus it does not as I understand it need to bind to any address except localhost/127.0.0.1. And, since NSD is non-recursive this also means that having the nameserver 127.0.0.1 line in /etc/resolv.conf would cause all queries to fail except the ones for which it is authoritative.

Now, I don't mind the other scenario, where NSD binds to 127.0.0.1@5300 (or 42 or whatever), and Unbound binds to 192.168.x.91 and 127.0.0.1, in which case I could put nameserver 127.0.0.1 in /etc/resolv.conf - but I don't see why it would be necessary? And using tcpdump I could see Unbound sending a query, which was immediately answered - but Unbound just said SERVFAIL...

There is something weird here that I don't quite see/understand so I very much appreciate the input so far. Experimenting with the various settings proposed, good stuff.

/Johan

2016-10-11 9:41 GMT+02:00 Paul de Weerd:
> I run a similar setup, NSD serving my local zones (on ::1@54) and
> unbound querying those local zones there. Comparing your config with
> mine, I didn't spot an obvious explanation for why it wouldn't work
> for you, but I do note that your unbound isn't configured to listen on
> 127.0.0.1, whilst your NSD *is* set to listen there. Not sure how
> that flies with your resolv.conf setup.
>
> With the below config, unbound listens on localhost (v4 and v6) and my
> local interface (v4 and v6). NSD only listens on the ::1 and at an
> alternative port (54).
>
> Hope that helps.
>
> Cheers,
>
> Paul 'WEiRD' de Weerd
>
> --- nsd configuration ------------------------------------------------
> server:
>         hide-version: yes
>         ip-address: ::1@54
>         verbosity: 1
>         database: "" # disable database
>
> remote-control:
>         control-enable: yes
>
> zone:
>         name: "168.192.in-addr.arpa"
>         zonefile: "168.192.in-addr.arpa"
>
> zone:
>         name: "domain.tld"
>         zonefile: "domain.tld"
>
> server:
>         interface: 127.0.0.1
>         interface: ::1
>         interface: 192.168.34.1
>         interface: 2001:xxx:3af::1
>
>         access-control: 0.0.0.0/0 refuse
>         access-control: 127.0.0.0/8 allow
>         access-control: 192.168.34.0/23 allow
>         access-control: 192.168.36.0/24 allow
>         access-control: ::0/0 refuse
>         access-control: ::1 allow
>         access-control: 2001:xxx:3af::/64 allow
>         access-control: 2001:xxx:3af:20::/64 allow
>
>         hide-identity: yes
>         hide-version: yes
>
>         do-not-query-localhost: no
>
>         local-zone: "168.192.in-addr.arpa." nodefault
>
> stub-zone:
>         name: domain.tld
>         stub-addr: ::1@54
>
> stub-zone:
>         name: 34.168.192.in-addr.arpa
>         stub-addr: ::1@54
> ----------------------------------------------------------------------
>
> On Mon, Oct 10, 2016 at 11:42:16PM +0200, Johan Mellberg wrote:
> | Hi all,
> |
> | I am setting up a fresh OpenBSD 6.0 server in a KVM VM to serve my
> | home network with DNS. I have a custom zone (only for LAN use) set up
> | and previously used BIND successfully (but that VM crashed and its
> | disk was hosed...) both as authoritative and caching/resolving.
> |
> | So now I am trying to learn to set up NSD to be authoritative for my
> | small zone and Unbound to serve the LAN with all other queries. But
> | there is a problem:
> |
> | 1. Unbound successfully responds to queries and provides lookup to the
> | LAN machines for "the internet".
> | 2. NSD successfully responds to queries for the custom zone.
> | 3. But I cannot get Unbound to get a reply from NSD...
> |
> | I have tried multiple combinations of ports and interface bindings and
> | I suspect that I am missing something simple here. Currently I have
> | set NSD to listen on 127.0.0.1 and Unbound listens on 192.168.x.91 -
> | so there should not be a conflict. In fact it works fine if I use dig
> | @localhost <LANhostname> and dig @192.168.x.91 <internethostname>
> | respectively, but the second version only provides an answer-less
> | response if asked for a LAN hostname.
> |
> | Unbound is set to ask localhost for the stub zones, forward and reverse.
> |
> | And, yes, I could of course use Unbound to serve my local zone and
> | drop NSD - but that would be giving up... It's supposed to work from
> | all I read! :-)
> |
> | I have also tried having NSD listen on 127.0.0.1@5353, and telling
> | unbound to use that as the stub-address, while then having Unbound
> | listen on 127.0.0.1 as well as 192.168.x.91 to be able to set
> | 127.0.0.1 as the nameserver in /etc/resolv.conf. Same result except I
> | can't test NSD with dig as it can't use an alternative port.
> |
> | A possibly related question: I can't seem to be able to use
> | shortnames. The domain part should be picked up from the host name as
> | given in /etc/myname, but that does not seem to work as I expect, I
> | always have to provide the FQDN. Again something I have missed
> | perhaps?
> |
> | Anyway, I am staring blindly at the config files now and really need
> | help figuring it out. I have removed all that is commented, otherwise
> | it's the default except for changes of course.
> |
> | Thanks for any clue bats coming my way...
> | /Johan
> |
> | * resolv.conf
> | lookup file bind
> | nameserver 192.168.x.91
> |
> | # cat /etc/myname
> | dns03.my.domain
> |
> | # cat /etc/hosts
> | 127.0.0.1 localhost
> | ::1 localhost
> | 192.168.x.91 dns03.my.domain dns03
> |
> | # cat /var/unbound/etc/unbound.conf
> | # $OpenBSD: unbound.conf,v 1.7 2016/03/30 01:41:25 sthen Exp $
> |
> | server:
> |         interface: 192.168.x.91
> |         interface: ::1
> |         do-not-query-localhost: no
> |
> |         access-control: 192.168.x.64/24 allow
> |         access-control: 127.0.0.0/8 allow
> |         access-control: 0.0.0.0/0 refuse
> |         access-control: ::0/0 refuse
> |         access-control: ::1 allow
> |
> |         hide-identity: yes
> |         hide-version: yes
> |
> |         # Uncomment to enable DNSSEC validation.
> |         #
> |         auto-trust-anchor-file: "/var/unbound/db/root.key"
> |
> |         root-hints: /var/unbound/etc/root.hints
> |
> | remote-control:
> |         control-enable: yes
> |         control-use-cert: no
> |         control-interface: /var/run/unbound.sock
> |
> | stub-zone:
> |         name: "my.domain"
> |         stub-addr: 127.0.0.1
> | stub-zone:
> |         name: "x.168.192.in-addr.arpa"
> |         stub-addr: 127.0.0.1
> |
> | # cat /var/nsd/etc/nsd.conf
> | # $OpenBSD: nsd.conf,v 1.11 2015/04/12 11:49:39 sthen Exp $
> |
> | server:
> |         hide-version: yes
> |         verbosity: 1
> |         database: "" # disable database
> |
> |         ## bind to a specific address/port
> |         ip-address: 127.0.0.1
> |
> | remote-control:
> |         control-enable: yes
> |
> | zone:
> |         name: "my.domain"
> |         zonefile: "master/my.domain"
> | zone:
> |         name: "x.168.192.in-addr.arpa"
> |         zonefile: "master/192.168.x.rev"
>
> --
> >>++++++++[<++++++++++>-]<+++++++.>+++[<------>-]<.>+++[<+
> +++++++++++>-]<.>++[<------------>-]<+.--------------.[-]
> http://www.weirdnet.nl/
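A small config lint, added here as an example (it is not from the thread and not part of Unbound or NSD), that reads unbound.conf/nsd.conf snippets like the ones posted and reports the three wiring mistakes that make a stub-zone lookup come back as SERVFAIL: a stub-addr NSD is not actually bound to, a loopback stub-addr while do-not-query-localhost is still at its default of yes, and, with auto-trust-anchor-file enabled as in Johan's config, a private stub zone not listed under domain-insecure (per unbound.conf(5) the validator then tries to prove the private zone insecure via the public parent, which cannot succeed). The embedded configs are constructed from the ones posted; all names and messages are my own.

```python
import ipaddress
import re

def parse_conf(text):
    """Parse the unbound.conf/nsd.conf dialect: a bare 'clause:' line opens a clause and
    the indented 'key: value' lines after it belong to it; comments are dropped."""
    clauses = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if re.fullmatch(r"[\w-]+:", line):            # 'server:', 'stub-zone:', 'zone:' ...
            clauses.append((line[:-1], []))
        elif line and clauses:
            key, _, value = line.partition(":")
            clauses[-1][1].append((key.strip(), value.strip().strip('"')))
    return clauses

def get(clauses, clause, key):                        # every value of key inside clause
    return [v for c, kvs in clauses if c == clause for k, v in kvs if k == key]

def split_addr(spec, default_port):                   # '::1@54' -> ('::1', 54)
    host, _, port = spec.partition("@")
    return host, int(port or default_port)

def check_stub_wiring(unbound_text, nsd_text):
    """Findings that explain why unbound's stub queries to nsd would come back SERVFAIL."""
    ub, nsd = parse_conf(unbound_text), parse_conf(nsd_text)
    nsd_port = int((get(nsd, "server", "port") or ["53"])[0])
    listening = {split_addr(a, nsd_port) for a in get(nsd, "server", "ip-address")}
    query_lo = (get(ub, "server", "do-not-query-localhost") or ["yes"])[0]   # unbound default
    validating = bool(get(ub, "server", "auto-trust-anchor-file") or get(ub, "server", "trust-anchor-file"))
    insecure = {d.rstrip(".") for d in get(ub, "server", "domain-insecure")}
    findings = []
    for clause, kvs in ub:
        if clause != "stub-zone":
            continue
        kv = dict(kvs)
        name, (host, port) = kv["name"].rstrip("."), split_addr(kv["stub-addr"], 53)
        if (host, port) not in listening:
            findings.append(f"{name}: stub-addr {host}@{port} matches no nsd ip-address")
        if ipaddress.ip_address(host).is_loopback and query_lo != "no":
            findings.append(f"{name}: loopback stub-addr but do-not-query-localhost is not 'no'")
        if validating and name not in insecure:
            findings.append(f"{name}: validation is on but the private zone has no domain-insecure")
    return findings

# Constructed from the thread's configs: stub at NSD on 127.0.0.1, DNSSEC validation enabled.
UNBOUND = ("server:\n  do-not-query-localhost: no\n"
           "  auto-trust-anchor-file: \"/var/unbound/db/root.key\"\n"
           "stub-zone:\n  name: \"my.domain\"\n  stub-addr: 127.0.0.1\n")
NSD = "server:\n  ip-address: 127.0.0.1\n"
```

Running `check_stub_wiring(UNBOUND, NSD)` on the constructed pair reports only the missing domain-insecure; pointing the stub at 127.0.0.1@5353 without moving NSD there adds the address mismatch.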

