Re: Failure to get unbound to talk to nsd on the same server (Solved)

2016-10-18 Thread Johan Mellberg
Hi all,

thanks for all the suggestions. However, it turned out that all I needed to do
was to add

domain-insecure: "my.domain"

to unbound.conf so that unbound would ignore the lack of DNSSEC of my internal 
domain. I have not paid much attention to DNSSEC until now, but it seems I may 
need to.

So, problem solved, onto the next one! ;-)

/Johan

On Wed, Oct 12, 2016 at 04:18:39PM +0300, Kapetanakis Giannis wrote:
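Editor's added example, not code from the thread or from the Unbound project. The settings the replies further down turned on one at a time all address the same symptom Johan's tcpdump shows: NSD answers, unbound still returns SERVFAIL. With a trust anchor configured, unbound accepts an unsigned answer from a stub zone only after proving, from the parent's signed DS/NSEC records, that the zone is legitimately unsigned. For a name that does not exist in the public tree, such as my.domain, the signed root instead proves that no such delegation exists, so the stub's answer is marked bogus. domain-insecure skips that proof for the named subtree and, as Giannis notes, also keeps internal names resolvable when the link to the root is down, because no DS lookup is attempted at all. The trade-off is that nothing under that name is validated, which is fine for a zone served from 127.0.0.1 but no substitute for fixing a real signed domain. The script below parses unbound.conf(5)-style text and reports, per stub-zone or forward-zone, which of the four companion settings is still missing: do-not-query-localhost (Craig, Paul), domain-insecure (Johan, Giannis), private-domain (Craig) and the local-zone nodefault override for RFC 1918 reverse zones (Paul; Craig's typetransparent variant is accepted too). The embedded sample configs are constructed to resemble the posted ones; 192.168.1.0/24 and port 42 are placeholders for the thread's x and port, and the built-in local-zone list is deliberately partial.

```python
"""Lint an unbound.conf for the settings this thread turned on one by one.
Added example, not code from the thread or the Unbound project. Assumes the
unbound.conf(5) layout: `server:`-style clause headers, `option: value` lines,
`#` comments. Sample configs are constructed; 192.168.1.0/24 and port 42 stand
in for the thread's x and port."""
import ipaddress
import shlex
import sys

BEFORE_CONF = """\
server:
    interface: 192.168.1.91
    do-not-query-localhost: no
    auto-trust-anchor-file: "/var/unbound/db/root.key"
    private-address: 192.168.0.0/16

stub-zone:
    name: "my.domain"
    stub-addr: 127.0.0.1@42
stub-zone:
    name: "1.168.192.in-addr.arpa"
    stub-addr: 127.0.0.1@42
"""
# The same config with the companion settings the thread converged on.
AFTER_CONF = BEFORE_CONF.replace("server:\n", """\
server:
    domain-insecure: "my.domain"
    domain-insecure: "1.168.192.in-addr.arpa"
    private-domain: "my.domain"
    local-zone: "168.192.in-addr.arpa." nodefault
""", 1)
# Reverse zones unbound answers from built-in local-zones unless re-opened
# (partial list from unbound.conf(5): the RFC 1918 ranges only).
DEFAULT_LOCAL_ZONES = ["10.in-addr.arpa", "168.192.in-addr.arpa"] + [
    f"{n}.172.in-addr.arpa" for n in range(16, 32)]
REOPEN = ("nodefault", "transparent", "typetransparent")

def parse(conf):
    """Clauses as {'type': 'stub-zone', 'opts': {option: [[tokens], ...]}}."""
    clauses, cur = [], None
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        key, val = (p.strip() for p in line.split(":", 1))
        if not val:                              # clause header, e.g. server:
            cur = {"type": key, "opts": {}}
            clauses.append(cur)
        elif cur is not None:
            cur["opts"].setdefault(key, []).append(shlex.split(val))
    return clauses

def norm(name):
    return name.lower().rstrip(".")

def under(name, zone):
    return name == zone or name.endswith("." + zone)

def is_loopback(addr):
    host = addr.rsplit("@", 1)[0]                # drop the @port suffix
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return host.lower() == "localhost"

def lint(conf):
    """Findings for every stub/forward zone; an empty list means clean."""
    clauses = parse(conf)
    server = {}
    for c in clauses:
        if c["type"] == "server":
            for key, vals in c["opts"].items():
                server.setdefault(key, []).extend(vals)
    validating = any(k in server for k in ("auto-trust-anchor-file", "trust-anchor-file", "trust-anchor"))
    dnql = server.get("do-not-query-localhost", [["yes"]])[-1][0].lower()   # default is yes
    insecure = {norm(v[0]) for v in server.get("domain-insecure", []) if v}
    private_dom = {norm(v[0]) for v in server.get("private-domain", []) if v}
    reopened = {norm(v[0]) for v in server.get("local-zone", []) if len(v) > 1 and v[1] in REOPEN}
    findings = []
    for c in clauses:
        if c["type"] not in ("stub-zone", "forward-zone"):
            continue
        names = c["opts"].get("name", [])
        name = norm(names[0][0]) if names and names[0] else ""
        addrs = [v[0] for v in c["opts"].get("stub-addr", []) + c["opts"].get("forward-addr", []) if v]
        tag = f"{c['type']} {name or '<unnamed>'}"
        if dnql != "no" and any(is_loopback(a) for a in addrs):
            findings.append(f"{tag}: targets loopback but do-not-query-localhost is not 'no'")
        if validating and not any(under(name, z) for z in insecure):
            findings.append(f"{tag}: validation is on; add domain-insecure: \"{name}\" (a private name cannot be proven insecure)")
        if "private-address" in server and not name.endswith(".arpa") and not any(under(name, z) for z in private_dom):
            findings.append(f"{tag}: private-address is set; add private-domain: \"{name}\" or RFC 1918 answers are stripped")
        for z in DEFAULT_LOCAL_ZONES:
            if under(name, z) and not any(under(name, r) and under(r, z) for r in reopened):
                findings.append(f"{tag}: under built-in local-zone {z}; add local-zone: \"{z}.\" nodefault or the stub is never asked")
    return findings

if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else "/var/unbound/etc/unbound.conf"
    with open(path) as fh:
        print("\n".join(lint(fh.read())) or "no findings")
```

Run it as `python3 unbound_lint.py /var/unbound/etc/unbound.conf` once unbound-checkconf(8) has accepted the syntax; it does not follow include: lines, so point it at each included file (Giannis's stub_zones and stub_zones_insecure) as well. The domain-insecure finding is raised for every stub while a trust anchor is configured; if you later sign the internal zone and add its own trust-anchor, drop that check for it.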



Re: Failure to get unbound to talk to nsd on the same server

2016-10-12 Thread Kapetanakis Giannis
Hi, 

Haven't followed the whole thread and by just looking at the topic,
I have a similar setup (carped as well) for caching DNS.
2 servers, 2 carped IPs.

This is how it works:

unbound.conf:
interface: 127.0.0.1
port: 53
outgoing-interface: ext_ip
access-control: local_networks
do-not-query-localhost: no
include: "/var/unbound/etc/stub_zones_insecure"
include: "/var/unbound/etc/stub_zones"

stub_zones:
stub-zone:
name: "foo.example.com."
stub-addr: 127.0.0.1@5678

stub_zones_insecure:
domain-insecure: "foo.example.com."

insecure is for when you have network problems, to be able to resolve;
otherwise it hangs at DNSSEC (if you have it enabled). This is for local zones
only.

resolv.conf:
nameserver 127.0.0.1

nsd.conf:
ip-address: 127.0.0.1@5678
zone:
   name: foo.example.com
   zonefile: /var/nsd/zones/slave/%s
   request-xfr: master_DNS_IP NOKEY
   allow-notify: master_DNS_IP NOKEY

pf.conf:
# requests from local dns server (unbound)
pass out quick on $dns1_if proto {tcp, udp} to $dns1_if:network port 53 
modulate state (if-bound, no-sync) nat-to ($dns1_if)
pass out quick on $dns1_if proto {tcp, udp} to any port 53 modulate state 
(if-bound, no-sync) route-to ($dns1_if $dns1_gw) nat-to ($dns1_if)
pass out quick on $dns2_if proto {tcp, udp} to $dns2_if:network port 53 
modulate state (if-bound, no-sync) nat-to ($dns2_if)
pass out quick on $dns2_if proto {tcp, udp} to any port 53 modulate state 
(if-bound, no-sync) route-to ($dns2_if $dns2_gw) nat-to ($dns2_if)

# requests from clients (unbound)
pass in quick on $dns1_if proto {tcp,udp} from $dns1_if:network to ($dns1_carp) 
port 53 keep state rdr-to 127.0.0.1 reply-to $dns1_if
pass in quick on $dns2_if proto {tcp,udp} from $dns2_if:network to ($dns2_carp) 
port 53 keep state rdr-to 127.0.0.1 reply-to $dns2_if
pass in quick on $dns1_if proto {tcp,udp} from  to ($dns1_carp) port 
53 keep state rdr-to 127.0.0.1 reply-to ($dns1_if $dns1_gw)
pass in quick on $dns2_if proto {tcp,udp} from  to ($dns2_carp) port 
53 keep state rdr-to 127.0.0.1 reply-to ($dns2_if $dns2_gw)
pass out quick on $dns1_if proto udp from 127.0.0.1 port 53 nat-to ($dns1_carp)
pass out quick on $dns2_if proto udp from 127.0.0.1 port 53 nat-to ($dns2_carp)

# nsd 
pass in quick on $dns1_if proto udp from $master_DNS to ($dns1_if) port 5678 
keep state rdr-to 127.0.0.1 reply-to $dns1_if

hope these help. For me they have worked for the last 2 years. The only problem
I haven't solved so far, which requires a different setup, is when you make a
change on the master and unbound has the previous entry in the cache... the
cache has to expire.


G



Re: Failure to get unbound to talk to nsd on the same server

2016-10-12 Thread Craig Skinner
Hiya Johan,

On Tue, 11 Oct 2016 23:50:20 +0200 Johan Mellberg wrote:
> There is something weird here that I don't quite see/understand so I
> very much appreciate the input so far. 

DNS is fun to run! 

The skilled OpenBSD devs have given us well-set-up, separated daemons.

Paul, I and others have been successfully running both NSD & unbound
together on OpenBSD servers for several years, since BIND removal.

After various attempts, what we've independently found to work is:
*) both daemons listening on localhost
*) NSD on a nonstandard port (on localhost only)
*) unbound using both of these directives:
   *) do-not-query-localhost: no (which you have)
   *) local-zone:   (see unbound.conf(5))

Also see 'private-domain: ' in unbound.conf(5).

Perhaps you could get them working together this way too,
and then alter single settings to establish what breaks?

Cool,
-- 
Craig Skinner | http://linkd.in/yGqkv7



Re: Failure to get unbound to talk to nsd on the same server

2016-10-11 Thread Johan Mellberg
So as to how it flies, here's my line of thought:

Unbound should serve my network including the dns server machine
itself with DNS, hence the external IP address in resolv.conf. dig and
nslookup run on the dns server itself both use this with no problem
and the rest of my network seems happy as well. It should also respond
to queries for my internal zone by querying NSD on a local address. To
me it then looks like there is no need for Unbound to bind to
127.0.0.1.

NSD should only serve Unbound's queries for my.domain. Thus it does
not as I understand it need to bind to any address except
localhost/127.0.0.1. And, since NSD is non-recursive this also means
that having the nameserver 127.0.0.1 line in /etc/resolv.conf would
cause all queries to fail except the ones for which it is
authoritative.

Now, I don't mind the other scenario, where NSD binds to
127.0.0.1@5300 (or 42 or whatever), and Unbound binds to 192.168.x.91
and 127.0.0.1, in which case I could put nameserver 127.0.0.1 in
/etc/resolv.conf - but I don't see why it would be necessary?

And using tcpdump I could see Unbound sending a query, which was
immediately answered - but Unbound just said SERVFAIL...

There is something weird here that I don't quite see/understand so I
very much appreciate the input so far. Experimenting with the various
settings proposed, good stuff.

/Johan

2016-10-11 9:41 GMT+02:00 Paul de Weerd :

Re: Failure to get unbound to talk to nsd on the same server

2016-10-11 Thread Johan Mellberg
(Resending to list)
Yes, I thought of and tried that too with similar lack of success. But
as I could see from the tcpdump (see reply to Raimo's mail) NSD
responds so it's probably an Unbound issue. The forward-zone directive
can be used but it expects the forward-addr to be able to provide
recursion so it should not be used in my case (although it should work
since recursion is not needed).

2016-10-11 8:51 GMT+02:00 mxb :
>
> Try to use forward-zone instead of stub-zone in unbound.conf
>
> forward-zone:
> name: "abc.com"
> forward-addr: 127.0.0.1
>
>
>> On 10 Oct 2016, at 23:42, Johan Mellberg wrote:
>>
>> Hi all,
>>
>> I am setting up a fresh OpenBSD 6.0 server in a KVM VM to serve my
>> home network with DNS. I have a custom zone (only for LAN use) set up
>> and previously used BIND successfully (but that VM crashed and its
>> disk was hosed...) both as authoritative and caching/resolving.
>>
>> So now I am trying to learn to set up NSD to be authoritative for my
>> small zone and Unbound to serve the LAN with all other queries. But
>> there is a problem:
>>
>> 1. Unbound successfully responds to queries and provides lookup to the
>> LAN machines for "the internet".
>> 2. NSD successfully responds to queries for the custom zone.
>> 3. But I cannot get Unbound to get a reply from NSD...
>>
>> I have tried multiple combinations of ports and interface bindings and
>> I suspect that I am missing something simple here. Currently I have
>> set NSD to listen on 127.0.0.1 and Unbound listens on 192.168.x.91 -
>> so there should not be a conflict. In fact it works fine if I use dig
>> @localhost  and dig @192.168.x.91 
>> respectively, but the second version only provides an answer-less
>> response if asked for a LAN hostname.
>>
>> Unbound is set to ask localhost for the stub zones, forward and reverse.
>>
>> And, yes, I could of course use Unbound to serve my local zone and
>> drop NSD - but that would be giving up... It's supposed to work from
>> all I read! :-)
>>
>> I have also tried having NSD listen on 127.0.0.1@5353, and telling
>> unbound to use that as the stub-address, while then having Unbound
>> listen on 127.0.0.1 as well as 192.168.x.91 to be able to set
>> 127.0.0.1 as the nameserver in /etc/resolv.conf. Same result except I
>> can't test NSD with dig as it can't use an alternative port.
>>
>> A possibly related question: I can't seem to be able to use
>> shortnames. The domain part should be picked up from the host name as
>> given in /etc/myname, but that does not seem to work as I expect, I
>> always have to provide the FQDN. Again something I have missed
>> perhaps?
>>
>> Anyway, I am staring blindly at the config files now and really need
>> help figuring it out. I have removed all that is commented, otherwise
>> it's the default except for changes of course.
>>
>> Thanks for any clue bats coming my way...
>> /Johan
>>
>> * resolv.conf
>> lookup file bind
>> nameserver 192.168.x.91
>>
>> # cat /etc/myname
>> dns03.my.domain
>>
>> # cat /etc/hosts
>> 127.0.0.1   localhost
>> ::1 localhost
>> 192.168.x.91   dns03.my.domain dns03
>>
>> # cat /var/unbound/etc/unbound.conf
>> # $OpenBSD: unbound.conf,v 1.7 2016/03/30 01:41:25 sthen Exp $
>>
>> server:
>>interface: 192.168.x.91
>>interface: ::1
>>do-not-query-localhost: no
>>
>>access-control: 192.168.x.64/24 allow
>>access-control: 127.0.0.0/8 allow
>>access-control: 0.0.0.0/0 refuse
>>access-control: ::0/0 refuse
>>access-control: ::1 allow
>>
>>hide-identity: yes
>>hide-version: yes
>>
>># Uncomment to enable DNSSEC validation.
>>#
>>auto-trust-anchor-file: "/var/unbound/db/root.key"
>>
>>root-hints: /var/unbound/etc/root.hints
>>
>> remote-control:
>>control-enable: yes
>>control-use-cert: no
>>control-interface: /var/run/unbound.sock
>>
>> stub-zone:
>>name: "my.domain"
>>stub-addr: 127.0.0.1
>> stub-zone:
>>name: "x.168.192.in-addr.arpa"
>>stub-addr: 127.0.0.1
>>
>> # cat /var/nsd/etc/nsd.conf
>> # $OpenBSD: nsd.conf,v 1.11 2015/04/12 11:49:39 sthen Exp $
>>
>> server:
>>hide-version: yes
>>verbosity: 1
>>database: "" # disable database
>>
>> ## bind to a specific address/port
>>ip-address: 127.0.0.1
>>
>> remote-control:
>>control-enable: yes
>>
>> zone:
>>name: "my.domain"
>>zonefile: "master/my.domain"
>> zone:
>>name: "x.168.192.in-addr.arpa"
>>zonefile: "master/192.168.x.rev"



Re: Failure to get unbound to talk to nsd on the same server

2016-10-11 Thread Stuart Henderson
On 2016-10-11, Raimo Niskanen  wrote:
> And -l Port to dig selects a non-default port.

N.B. dig in OpenBSD base doesn't support this.
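An added example, not code from the thread, for the situation the thread keeps running into: checking what NSD itself says on 127.0.0.1@42 when the dig at hand will not take a non-default port. It is a stdlib-only Python query tool that sends one question with RD clear (NSD is authoritative, so the "recursion requested but not available" warning in Johan's dig output further down is expected), discards replies whose transaction id or source address do not match the query, and decodes the answer section so that rcode and the AA flag can be compared with the dig and tcpdump output on this page. SERVER and PORT are assumptions taken from Craig's suggestion; SAMPLE_RESPONSE is a constructed packet shaped like the 1/2/2 answer in the tcpdump, not a capture.

```python
"""Ask an authoritative server on a non-default port, stdlib only.
Added example, not code from the thread; SERVER/PORT assume NSD bound to
127.0.0.1@42 as suggested in the thread. Adjust to your nsd.conf."""
import secrets
import socket
import struct
import sys

SERVER, PORT = "127.0.0.1", 42
QTYPES = {"A": 1, "NS": 2, "PTR": 12, "AAAA": 28}
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

# Constructed sample reply (not a capture): id 0x1234, flags QR+AA, one
# question, one A answer via a compression pointer, and header counts of two
# authority and two additional records whose bodies are omitted because
# parse_response() decodes the answer section only.
SAMPLE_RESPONSE = (
    b"\x12\x34\x84\x00\x00\x01\x00\x01\x00\x02\x00\x02"
    b"\x05chief\x02my\x06domain\x00\x00\x01\x00\x01"
    b"\xc0\x0c\x00\x01\x00\x01\x00\x01\x51\x80\x00\x04\xc0\xa8\x01\x5f")

def encode_name(name):
    """Wire-format a name: length-prefixed labels plus the root terminator."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            raw = label.encode("ascii")
            if len(raw) > 63:
                raise ValueError("label longer than 63 octets")
            out += bytes([len(raw)]) + raw
    return out + b"\x00"

def build_query(name, qtype="A", txid=0x1234, rd=False):
    """Header plus one question; rd=False because NSD is not recursive."""
    header = struct.pack("!HHHHHH", txid, 0x0100 if rd else 0, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPES[qtype], 1)

def read_name(data, off):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end, hops = [], None, 0
    while True:
        ln = data[off]
        if (ln & 0xC0) == 0xC0:                  # compression pointer
            end = off + 2 if end is None else end
            off = struct.unpack("!H", data[off:off + 2])[0] & 0x3FFF
            hops += 1
            if hops > 64:
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if ln == 0:
            break
        labels.append(data[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels) + ".", (off if end is None else end)

def parse_response(data):
    """Parse the header, skip the question, decode the answer RRs."""
    if len(data) < 12:
        raise ValueError("reply shorter than a DNS header")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    off = 12
    for _ in range(qd):
        _, off = read_name(data, off)
        off += 4                                 # qtype + qclass
    answers = []
    for _ in range(an):
        name, off = read_name(data, off)
        rtype, _cls, ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        rdata = data[off:off + rdlen]
        if rtype == 1 and rdlen == 4:
            val = socket.inet_ntoa(rdata)
        elif rtype == 28 and rdlen == 16:
            val = socket.inet_ntop(socket.AF_INET6, rdata)
        elif rtype in (2, 12):                   # NS, PTR: rdata is a name
            val, _ = read_name(data, off)
        else:
            val = rdata.hex()
        off += rdlen
        answers.append((name, rtype, ttl, val))
    return {"id": txid, "rcode": RCODES.get(flags & 0xF, str(flags & 0xF)),
            "aa": bool(flags & 0x0400), "tc": bool(flags & 0x0200),
            "ra": bool(flags & 0x0080), "answers": answers,
            "authority": ns, "additional": ar}

def query(name, server=SERVER, port=PORT, qtype="A", timeout=2.0):
    """One UDP query; replies with a wrong id or source are discarded."""
    txid = secrets.randbits(16)
    fam = socket.AF_INET6 if ":" in server else socket.AF_INET
    with socket.socket(fam, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, qtype, txid), (server, port))
        while True:                              # socket.timeout ends the loop
            data, peer = s.recvfrom(4096)
            if peer[0] == server and len(data) >= 2 and data[:2] == txid.to_bytes(2, "big"):
                return parse_response(data)

if __name__ == "__main__":
    r = query(sys.argv[1] if len(sys.argv) > 1 else "chief.my.domain")
    print(r["rcode"], "aa" if r["aa"] else "no-aa", r["answers"])
```

`python3 nsd_query.py chief.my.domain` should print NOERROR with aa set and the A record when NSD is listening where nsd.conf says; REFUSED with no answers means you asked for a name outside NSD's zones (the `dig @localhost chief` case further down), and a timeout means the port or pf rule is wrong. If tc comes back set the answer must be re-asked over TCP with a two-byte length prefix; that path is left out here.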



Re: Failure to get unbound to talk to nsd on the same server

2016-10-11 Thread Johan Mellberg
Thanks.

Here's the output of the various dig commands and the tcpdump where
relevant. pf is unchanged and there is no difference whether disabled
with pfctl -d or not. The tcpdump is interesting since apparently the
query reached NSD and it replies - but Unbound does not see/accept it
(?). Could it be that it refuses replies on the port it used to send
the query?

The first dig command is run on another host in the lan (chief), the
others are run on the dns server itself (dns03). Note that the
successful replies refer to another dns server, but at the moment it
does not exist. No machines are configured to use that, it's only in
the zone files for now.

### Run on chief (192.168.x.95) ###

[johan@chief ~]$ dig @192.168.x.91 ericsson.com

; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7_2.4 <<>> @192.168.x.91 ericsson.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32640
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;ericsson.com.  IN  A

;; ANSWER SECTION:
ericsson.com.   28800   IN  A   193.180.16.203

;; Query time: 51 msec
;; SERVER: 192.168.x.91#53(192.168.x.91)
;; WHEN: tis okt 11 13:40:10 CEST 2016
;; MSG SIZE  rcvd: 57

### Run on dns03 (192.168.x.91) ###
$ dig aftonbladet.se

; <<>> DiG 9.4.2-P2 <<>> aftonbladet.se
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5621
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;aftonbladet.se.IN  A

;; ANSWER SECTION:
aftonbladet.se. 300 IN  A   52.50.97.124
aftonbladet.se. 300 IN  A   52.30.21.46
aftonbladet.se. 300 IN  A   52.50.100.254

;; Query time: 66 msec
;; SERVER: 192.168.x.91#53(192.168.x.91)
;; WHEN: Tue Oct 11 13:42:40 2016
;; MSG SIZE  rcvd: 80

$ dig chief.my.domain

; <<>> DiG 9.4.2-P2 <<>> chief.my.domain
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 3456
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;chief.my.domain.  IN  A

;; Query time: 442 msec
;; SERVER: 192.168.x.91#53(192.168.x.91)
;; WHEN: Tue Oct 11 13:43:45 2016
;; MSG SIZE  rcvd: 38

While running the above query the following tcpdump was captured:

#  tcpdump -i lo0 net 127 and port 53
tcpdump: listening on lo0, link-type LOOP
13:59:57.145012 localhost.39240 > localhost.domain: 10949% [1au] A?
chief.my.domain. (49)
13:59:57.145478 localhost.domain > localhost.39240: 10949*- 1/2/3 A
192.168.x.95 (137)

$ dig @localhost chief.my.domain

; <<>> DiG 9.4.2-P2 <<>> @localhost chief.my.domain
; (2 servers found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36657
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;chief.my.domain.  IN  A

;; ANSWER SECTION:
chief.my.domain.   86400   IN  A   192.168.x.95

;; AUTHORITY SECTION:
my.domain. 86400   IN  NS  dns03.my.domain.
my.domain. 86400   IN  NS  dns04.my.domain.

;; ADDITIONAL SECTION:
dns03.my.domain.   86400   IN  A   192.168.x.91
dns04.my.domain.   86400   IN  A   192.168.x.92

;; Query time: 6 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Oct 11 13:44:10 2016
;; MSG SIZE  rcvd: 126

And here's the tcpdump of that query:

#  tcpdump -i lo0 net 127 and port 53
tcpdump: listening on lo0, link-type LOOP
14:01:28.099979 localhost.30023 > localhost.domain: 51528+ A?
chief.my.domain. (38)
14:01:28.100456 localhost.domain > localhost.30023: 51528*- 1/2/2 A
192.168.x.95 (126)


$ dig @localhost chief

; <<>> DiG 9.4.2-P2 <<>> @localhost chief
; (2 servers found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 64595
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;chief. IN  A

;; Query time: 5 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Oct 11 13:47:55 2016
;; MSG SIZE  rcvd: 23

2016-10-11 8:29 GMT+02:00 Raimo Niskanen :

Re: Failure to get unbound to talk to nsd on the same server

2016-10-11 Thread Craig Skinner
Hi Johan,

On Mon, 10 Oct 2016 23:42:16 +0200 Johan Mellberg wrote:
> I have tried multiple combinations of ports and interface bindings and
> I suspect that I am missing something simple here. Currently I have
> set NSD to listen on 127.0.0.1 and Unbound listens on 192.168.x.91 -
> so there should not be a conflict.

For unbound to be the machine's resolver, it needs to listen on lo0.

> 
> * resolv.conf
> lookup file bind
> nameserver 192.168.x.91

Remove the lookup line, and change the nameserver line to:
nameserver 127.0.0.1

> 
> # cat /etc/myname
> dns03.my.domain
> 
> # cat /etc/hosts
> 127.0.0.1   localhost
> ::1 localhost
> 192.168.x.91   dns03.my.domain dns03
> 
> # cat /var/unbound/etc/unbound.conf
> # $OpenBSD: unbound.conf,v 1.7 2016/03/30 01:41:25 sthen Exp $
> 
> server:
> interface: 192.168.x.91
> interface: ::1
  # Add this line:
  interface: 127.0.0.1
> do-not-query-localhost: no
> 
> access-control: 192.168.x.64/24 allow
> access-control: 127.0.0.0/8 allow
> access-control: 0.0.0.0/0 refuse
> access-control: ::0/0 refuse
> access-control: ::1 allow
> 
> hide-identity: yes
> hide-version: yes
> 
> # Uncomment to enable DNSSEC validation.
> #
> auto-trust-anchor-file: "/var/unbound/db/root.key"
> 
> root-hints: /var/unbound/etc/root.hints
> 
  # Add these lines:
  private-address: 192.168.0.0/16
  private-domain: 'my.domain'
  local-zone: 'x.168.192.in-addr.arpa' typetransparent


> remote-control:
> control-enable: yes
> control-use-cert: no
> control-interface: /var/run/unbound.sock
> 
> stub-zone:
> name: "my.domain"
> stub-addr: 127.0.0.1
  # Add port 42 here:-
  # The ARPA Host Name Server Protocol (NAMESERVER)
  # is an obsolete network protocol > unused low port
  # http://en.wikipedia.org/wiki/ARPA_Host_Name_Server_Protocol
  stub-addr: 127.0.0.1@42
> stub-zone:
> name: "x.168.192.in-addr.arpa"
> stub-addr: 127.0.0.1
  # Again, add port 42 to the above line:
  stub-addr: 127.0.0.1@42
> 
> # cat /var/nsd/etc/nsd.conf
> # $OpenBSD: nsd.conf,v 1.11 2015/04/12 11:49:39 sthen Exp $
> 
> server:
> hide-version: yes
> verbosity: 1
> database: "" # disable database
> 
> ## bind to a specific address/port
> ip-address: 127.0.0.1
  # Again, add port 42 to the above line:
  ip-address: 127.0.0.1@42
> 
> remote-control:
> control-enable: yes
> 
> zone:
> name: "my.domain"
> zonefile: "master/my.domain"
> zone:
> name: "x.168.192.in-addr.arpa"
> zonefile: "master/192.168.x.rev"
> 

Hopefully those minor tweaks should get you going!

(As you had set 'do-not-query-localhost', probably the missing
companion typetransparent local-zone simply caught you out.)

While this post is 2 years old, the address and ports stuff is much the
same: http://marc.info/?l=openbsd-misc=141113669300630=2

While I've not tried it, another method could be instead of having NSD
listen on 127.0.0.1@42, have it listen on 127.0.0.53, which would
require another /etc/hostname.lo53, pf rules, etc...

Cheers,
-- 
Craig Skinner | http://linkd.in/yGqkv7



Re: Failure to get unbound to talk to nsd on the same server

2016-10-11 Thread Paul de Weerd
I run a similar setup, NSD serving my local zones (on ::1@54) and
unbound querying those local zones there.  Comparing your config with
mine, I didn't spot an obvious explanation for why it wouldn't work
for you, but I do note that your unbound isn't configured to listen on
127.0.0.1, whilst your NSD *is* set to listen there.  Not sure how
that flies with your resolv.conf setup.

With the below config, unbound listens on localhost (v4 and v6) and my
local interface (v4 and v6).  NSD only listens on the ::1 and at an
alternative port (54).

Hope that helps.

Cheers,

Paul 'WEiRD' de Weerd

--- nsd configuration 
server: 
hide-version: yes
ip-address: ::1@54
verbosity: 1
database: "" # disable database

remote-control:
control-enable: yes

zone:   
name: "168.192.in-addr.arpa"
zonefile: "168.192.in-addr.arpa"

zone:   
name: "domain.tld"
zonefile: "domain.tld"

--- unbound configuration
server:
interface: 127.0.0.1
interface: ::1
interface: 192.168.34.1
interface: 2001:xxx:3af::1

access-control: 0.0.0.0/0 refuse
access-control: 127.0.0.0/8 allow
access-control: 192.168.34.0/23 allow
access-control: 192.168.36.0/24 allow
access-control: ::0/0 refuse
access-control: ::1 allow
access-control: 2001:xxx:3af::/64 allow
access-control: 2001:xxx:3af:20::/64 allow

hide-identity: yes
hide-version: yes

do-not-query-localhost: no

local-zone: "168.192.in-addr.arpa." nodefault

stub-zone:
name: domain.tld
stub-addr: ::1@54

stub-zone:
name: 34.168.192.in-addr.arpa
stub-addr: ::1@54
--

On Mon, Oct 10, 2016 at 11:42:16PM +0200, Johan Mellberg wrote:

Re: Failure to get unbound to talk to nsd on the same server

2016-10-11 Thread mxb
Try to use forward-zone instead of stub-zone in unbound.conf

forward-zone:
name: "abc.com"
forward-addr: 127.0.0.1


> On 10 Oct 2016, at 23:42, Johan Mellberg wrote:



Re: Failure to get unbound to talk to nsd on the same server

2016-10-11 Thread Raimo Niskanen
Please give more details on which dig commands you used on which machine(s)
and paste their exact results.  Otherwise it is hard to tell, since your setup
seems about right.  Does pf get in your way?

And -l Port to dig selects a non-default port.

Anything interesting in your system logs on the DNS server?

Try to tcpdump on 127.0.0.1 port 53 and see if you have traffic there
between unbound and nsd.

Good luck!

/ Raimo Niskanen



On Mon, Oct 10, 2016 at 11:42:16PM +0200, Johan Mellberg wrote:
> Hi all,
> 
> I am setting up a fresh OpenBSD 6.0 server in a KVM VM to serve my
> home network with DNS. I have a custom zone (only for LAN use) set up
> and previously used BIND successfully (but that VM crashed and its
> disk was hosed...) both as authoritative and caching/resolving.
> 
> So now I am trying to learn to set up NSD to be authoritative for my
> small zone and Unbound to serve the LAN with all other queries. But
> there is a problem:
> 
> 1. Unbound successfully responds to queries and provides lookup to the
> LAN machines for "the internet".
> 2. NSD successfully responds to queries for the custom zone.
> 3. But I cannot get Unbound to get a reply from NSD...
> 
> I have tried multiple combinations of ports and interface bindings and
> I suspect that I am missing something simple here. Currently I have
> set NSD to listen on 127.0.0.1 and Unbound listens on 192.168.x.91 -
> so there should not be a conflict. In fact it works fine if I use dig
> @localhost  and dig @192.168.x.91 
> respectively, but the second version only provides an answer-less
> response if asked for a LAN hostname.
> 
> Unbound is set to ask localhost for the stub zones, forward and reverse.
> 
> And, yes, I could of course use Unbound to serve my local zone and
> drop NSD - but that would be giving up... It's supposed to work from
> all I read! :-)
> 
> I have also tried having NSD listen on 127.0.0.1@5353, and telling
> unbound to use that as the stub-address, while then having Unbound
> listen on 127.0.0.1 as well as 192.168.x.91 to be able to set
> 127.0.0.1 as the nameserver in /etc/resolv.conf. Same result except I
> can't test NSD with dig as it can't use an alternative port.
> 
> A possibly related question: I can't seem to be able to use
> shortnames. The domain part should be picked up from the host name as
> given in /etc/myname, but that does not seem to work as I expect, I
> always have to provide the FQDN. Again something I have missed
> perhaps?
> 
> Anyway, I am staring blindly at the config files now and really need
> help figuring it out. I have removed all that is commented, otherwise
> it's the default except for changes of course.
> 
> Thanks for any clue bats coming my way...
> /Johan
> 
> * resolv.conf
> lookup file bind
> nameserver 192.168.x.91
> 
> # cat /etc/myname
> dns03.my.domain
> 
> # cat /etc/hosts
> 127.0.0.1   localhost
> ::1 localhost
> 192.168.x.91   dns03.my.domain dns03
> 
> # cat /var/unbound/etc/unbound.conf
> # $OpenBSD: unbound.conf,v 1.7 2016/03/30 01:41:25 sthen Exp $
> 
> server:
>     interface: 192.168.x.91
>     interface: ::1
>     do-not-query-localhost: no
> 
>     access-control: 192.168.x.64/24 allow
>     access-control: 127.0.0.0/8 allow
>     access-control: 0.0.0.0/0 refuse
>     access-control: ::0/0 refuse
>     access-control: ::1 allow
> 
>     hide-identity: yes
>     hide-version: yes
> 
>     # Uncomment to enable DNSSEC validation.
>     #
>     auto-trust-anchor-file: "/var/unbound/db/root.key"
> 
>     root-hints: /var/unbound/etc/root.hints
> 
> remote-control:
>     control-enable: yes
>     control-use-cert: no
>     control-interface: /var/run/unbound.sock
> 
> stub-zone:
>     name: "my.domain"
>     stub-addr: 127.0.0.1
> stub-zone:
>     name: "x.168.192.in-addr.arpa"
>     stub-addr: 127.0.0.1
> 
> # cat /var/nsd/etc/nsd.conf
> # $OpenBSD: nsd.conf,v 1.11 2015/04/12 11:49:39 sthen Exp $
> 
> server:
>     hide-version: yes
>     verbosity: 1
>     database: "" # disable database
> 
>     ## bind to a specific address/port
>     ip-address: 127.0.0.1
> 
> remote-control:
>     control-enable: yes
> 
> zone:
>     name: "my.domain"
>     zonefile: "master/my.domain"
> zone:
>     name: "x.168.192.in-addr.arpa"
>     zonefile: "master/192.168.x.rev"

-- 

/ Raimo Niskanen, Erlang/OTP, Ericsson AB



Failure to get unbound to talk to nsd on the same server

2016-10-10 Thread Johan Mellberg
Hi all,

I am setting up a fresh OpenBSD 6.0 server in a KVM VM to serve my
home network with DNS. I have a custom zone (only for LAN use) set up
and previously used BIND successfully (but that VM crashed and its
disk was hosed...) both as authoritative and caching/resolving.

So now I am trying to learn to set up NSD to be authoritative for my
small zone and Unbound to serve the LAN with all other queries. But
there is a problem:

1. Unbound successfully responds to queries and provides lookup to the
LAN machines for "the internet".
2. NSD successfully responds to queries for the custom zone.
3. But I cannot get Unbound to get a reply from NSD...

I have tried multiple combinations of ports and interface bindings and
I suspect that I am missing something simple here. Currently I have
set NSD to listen on 127.0.0.1 and Unbound listens on 192.168.x.91 -
so there should not be a conflict. In fact it works fine if I use dig
@localhost  and dig @192.168.x.91 
respectively, but the second version only provides an answer-less
response if asked for a LAN hostname.

Unbound is set to ask localhost for the stub zones, forward and reverse.

And, yes, I could of course use Unbound to serve my local zone and
drop NSD - but that would be giving up... It's supposed to work from
all I read! :-)

I have also tried having NSD listen on 127.0.0.1@5353, and telling
unbound to use that as the stub-address, while then having Unbound
listen on 127.0.0.1 as well as 192.168.x.91 to be able to set
127.0.0.1 as the nameserver in /etc/resolv.conf. Same result except I
can't test NSD with dig as it can't use an alternative port.

A possibly related question: I can't seem to be able to use
shortnames. The domain part should be picked up from the host name as
given in /etc/myname, but that does not seem to work as I expect, I
always have to provide the FQDN. Again something I have missed
perhaps?

Anyway, I am staring blindly at the config files now and really need
help figuring it out. I have removed all that is commented, otherwise
it's the default except for changes of course.

Thanks for any clue bats coming my way...
/Johan

* resolv.conf
lookup file bind
nameserver 192.168.x.91

# cat /etc/myname
dns03.my.domain

# cat /etc/hosts
127.0.0.1   localhost
::1 localhost
192.168.x.91   dns03.my.domain dns03

# cat /var/unbound/etc/unbound.conf
# $OpenBSD: unbound.conf,v 1.7 2016/03/30 01:41:25 sthen Exp $

server:
    interface: 192.168.x.91
    interface: ::1
    do-not-query-localhost: no

    access-control: 192.168.x.64/24 allow
    access-control: 127.0.0.0/8 allow
    access-control: 0.0.0.0/0 refuse
    access-control: ::0/0 refuse
    access-control: ::1 allow

    hide-identity: yes
    hide-version: yes

    # Uncomment to enable DNSSEC validation.
    #
    auto-trust-anchor-file: "/var/unbound/db/root.key"

    root-hints: /var/unbound/etc/root.hints

remote-control:
    control-enable: yes
    control-use-cert: no
    control-interface: /var/run/unbound.sock

stub-zone:
    name: "my.domain"
    stub-addr: 127.0.0.1
stub-zone:
    name: "x.168.192.in-addr.arpa"
    stub-addr: 127.0.0.1

# cat /var/nsd/etc/nsd.conf
# $OpenBSD: nsd.conf,v 1.11 2015/04/12 11:49:39 sthen Exp $

server:
    hide-version: yes
    verbosity: 1
    database: "" # disable database

    ## bind to a specific address/port
    ip-address: 127.0.0.1

remote-control:
    control-enable: yes

zone:
    name: "my.domain"
    zonefile: "master/my.domain"
zone:
    name: "x.168.192.in-addr.arpa"
    zonefile: "master/192.168.x.rev"
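An added diagnostic for the two problems raised in the thread (querying NSD on an alternative port, and telling an "answer-less" response from unbound apart from a real authoritative answer from NSD), not code from the thread or from either project: a minimal UDP DNS client that decodes the response header. A validating resolver that cannot validate a zone answers SERVFAIL with AA clear, while NSD answers with AA set; the script name, the 2-second timeout and the sample addresses are assumptions.

```python
import socket
import struct
import sys

# Added diagnostic (not from the thread): query any server:port the way
# dig does with -p, and classify the 12-byte header of the reply.
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def build_query(qname, qtype=1, txid=0x1234):
    """Standard query with RD set and one question (QTYPE 1 = A, class IN)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(lab)]) + lab.encode("ascii")
                      for lab in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)

def parse_header(resp):
    """Decode the header: RCODE, AA/RA/AD flags and section counts."""
    txid, flags, _qd, an, ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    return {"id": txid, "rcode": RCODES.get(flags & 0xF, str(flags & 0xF)),
            "aa": bool(flags & 0x0400), "ra": bool(flags & 0x0080),
            "ad": bool(flags & 0x0020), "answers": an, "authority": ns}

def diagnose(hdr):
    """Map a response header onto the situations discussed in the thread."""
    if hdr["rcode"] == "SERVFAIL":
        return "resolver gave up: stub unreachable or DNSSEC validation failed"
    if hdr["rcode"] == "REFUSED":
        return "refused: check access-control on the server you queried"
    if hdr["rcode"] == "NXDOMAIN":
        return "name does not exist in the zone"
    if hdr["answers"] == 0:
        return "empty NOERROR answer: name exists but has no record of that type"
    if hdr["aa"]:
        return "authoritative answer (you are talking to NSD directly)"
    return "answer via resolver (unbound reached the stub zone)"

def query(server, port, qname, timeout=2.0):
    """One UDP query to server:port; returns the parsed reply header."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(qname), (server, port))
        resp, _ = s.recvfrom(4096)
    return parse_header(resp)

if __name__ == "__main__":  # e.g. dnsprobe.py 127.0.0.1 5353 dns03.my.domain
    server, port, name = sys.argv[1], int(sys.argv[2]), sys.argv[3]
    print(diagnose(query(server, port, name)))
```

Run it once against NSD's address and port and once against unbound's; an authoritative answer from the first and SERVFAIL from the second points at the resolver side, not at NSD.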