Re: Failure to get unbound to talk to nsd on the same server (Solved)
Hi all, thanks for all the suggestions. However it turned out that all I needed to do was to add domain-insecure: "my.domain" to unbound.conf so that unbound would ignore the lack of DNSSEC of my internal domain. I have not paid much attention to DNSSEC until now, but it seems I may need to. So, problem solved, onto the next one! ;-) /Johan On Wed, Oct 12, 2016 at 04:18:39PM +0300, Kapetanakis Giannis wrote: > Hi, > > Haven't followed the whole thread and by just looking at the topic, > I have a similar setup (carped as well) for caching DNS. > 2 servers, 2 carped IPs. > > This is how it works: > > unbound.conf: > interface: 127.0.0.1 > port: 53 > outgoing-interface: ext_ip > access-control: local_networks > do-not-query-localhost: no > include: "/var/unbound/etc/stub_zones_insecure" > include: "/var/unbound/etc/stub_zones" > > stub_zones: > stub-zone: > name: "foo.example.com." > stub-addr: 127.0.0.1@5678 > > stub_zones_insecure: > domain-insecure: "foo.example.com." > > insecure is for when you have network problems to be able to resolv > otherwrise it hungs at DNSSEC (if you have it enabled). This is for local > zones only. > > resolv.conf: > nameserver 127.0.0.1 > > nsd.conf: > ip-address: 127.0.0.1@5678 > zone: >name: foo.example.com >zonefile: /var/nsd/zones/slave/%s >request-xfr: master_DNS_IP NOKEY >allow-notify: master_DNS_IP NOKEY > > pf.conf: > # requests from local dns server (unbound) > pass out quick on $dns1_if proto {tcp, udp} to $dns1_if:network port 53 > modulate state (if-bound, no-sync) nat-to ($dns1_if) > pass out quick on $dns1_if proto {tcp, udp} to any port 53 modulate state > (if-bound, no-sync) route-to ($dns1_if $dns1_gw) nat-to ($dns1_if) > pass out quick on $dns2_if proto {tcp, udp} to $dns2_if:network port 53 > modulate state (if-bound, no-sync) nat-to ($dns2_if) > pass out quick on $dns2_if proto {tcp, udp} to any port 53 modulate state > (if-bound, no-sync) route-to ($dns2_if $dns2_gw) nat-to ($dns2_if) > > # requests from clients (unbound) > pass in quick on $dns1_if proto {tcp,udp} from $dns1_if:network to > ($dns1_carp) port 53 keep state rdr-to 127.0.0.1 reply-to $dns1_if > pass in quick on $dns2_if proto {tcp,udp} from $dns2_if:network to > ($dns2_carp) port 53 keep state rdr-to 127.0.0.1 reply-to $dns2_if > pass in quick on $dns1_if proto {tcp,udp} from to ($dns1_carp) > port 53 keep state rdr-to 127.0.0.1 reply-to ($dns1_if $dns1_gw) > pass in quick on $dns2_if proto {tcp,udp} from to ($dns2_carp) > port 53 keep state rdr-to 127.0.0.1 reply-to ($dns2_if $dns2_gw) > pass out quick on $dns1_if proto udp from 127.0.0.1 port 53 nat-to > ($dns1_carp) > pass out quick on $dns2_if proto udp from 127.0.0.1 port 53 nat-to > ($dns2_carp) > > # nsd > pass in quick on $dns1_if proto udp from $master_DNS to ($dns1_if) port 5678 > keep state rdr-to 127.0.0.1 reply-to $dns1_if > > hope these help. For me they work the last 2 years. They only problem I > haven't solved so far which requires a different setup is when you make a > change on the master and the unbound has the previous entry in the cache... > the cache has to expire. > > > G
Re: Failure to get unbound to talk to nsd on the same server
Hi, Haven't followed the whole thread and by just looking at the topic, I have a similar setup (carped as well) for caching DNS. 2 servers, 2 carped IPs. This is how it works: unbound.conf: interface: 127.0.0.1 port: 53 outgoing-interface: ext_ip access-control: local_networks do-not-query-localhost: no include: "/var/unbound/etc/stub_zones_insecure" include: "/var/unbound/etc/stub_zones" stub_zones: stub-zone: name: "foo.example.com." stub-addr: 127.0.0.1@5678 stub_zones_insecure: domain-insecure: "foo.example.com." insecure is for when you have network problems to be able to resolv otherwrise it hungs at DNSSEC (if you have it enabled). This is for local zones only. resolv.conf: nameserver 127.0.0.1 nsd.conf: ip-address: 127.0.0.1@5678 zone: name: foo.example.com zonefile: /var/nsd/zones/slave/%s request-xfr: master_DNS_IP NOKEY allow-notify: master_DNS_IP NOKEY pf.conf: # requests from local dns server (unbound) pass out quick on $dns1_if proto {tcp, udp} to $dns1_if:network port 53 modulate state (if-bound, no-sync) nat-to ($dns1_if) pass out quick on $dns1_if proto {tcp, udp} to any port 53 modulate state (if-bound, no-sync) route-to ($dns1_if $dns1_gw) nat-to ($dns1_if) pass out quick on $dns2_if proto {tcp, udp} to $dns2_if:network port 53 modulate state (if-bound, no-sync) nat-to ($dns2_if) pass out quick on $dns2_if proto {tcp, udp} to any port 53 modulate state (if-bound, no-sync) route-to ($dns2_if $dns2_gw) nat-to ($dns2_if) # requests from clients (unbound) pass in quick on $dns1_if proto {tcp,udp} from $dns1_if:network to ($dns1_carp) port 53 keep state rdr-to 127.0.0.1 reply-to $dns1_if pass in quick on $dns2_if proto {tcp,udp} from $dns2_if:network to ($dns2_carp) port 53 keep state rdr-to 127.0.0.1 reply-to $dns2_if pass in quick on $dns1_if proto {tcp,udp} from to ($dns1_carp) port 53 keep state rdr-to 127.0.0.1 reply-to ($dns1_if $dns1_gw) pass in quick on $dns2_if proto {tcp,udp} from to ($dns2_carp) port 53 keep state rdr-to 127.0.0.1 reply-to ($dns2_if $dns2_gw) pass out quick on $dns1_if proto udp from 127.0.0.1 port 53 nat-to ($dns1_carp) pass out quick on $dns2_if proto udp from 127.0.0.1 port 53 nat-to ($dns2_carp) # nsd pass in quick on $dns1_if proto udp from $master_DNS to ($dns1_if) port 5678 keep state rdr-to 127.0.0.1 reply-to $dns1_if hope these help. For me they work the last 2 years. They only problem I haven't solved so far which requires a different setup is when you make a change on the master and the unbound has the previous entry in the cache... the cache has to expire. G
Re: Failure to get unbound to talk to nsd on the same server
Hiya Johan, On Tue, 11 Oct 2016 23:50:20 +0200 Johan Mellberg wrote: > There is something weird here that I don't quite see/understand so I > very much appreciate the input so far. DNS is fun to run! The skilled OpenBSD devs have given us well set up separated daemons. Paul, I & others have been successfully running both NSD & unbound together on OpenBSD servers for several years, since BIND removal. After various attempts, what we've independently found to work is: *) both daemons listening on localhost *) NSD on a nonstandard port (on localhost only) *) unbound using both of these directives: *) do-not-query-localhost: no (which you have) *) local-zone: (see unbound.conf(5)) Also see 'private-domain: ' in unbound.conf(5). Perhaps you could get them working together this way too, and then alter single settings to establish what breaks? Cool, -- Craig Skinner | http://linkd.in/yGqkv7
Re: Failure to get unbound to talk to nsd on the same server
So as to how it flies, here's my line of thought: Unbound should serve my network including the dns server machine itself with DNS, hence the external IP address in resolv.conf. dig and nslookup run on the dns server itself both use this with no problem and the rest of my network seems happy as well. It should also respond to queries for my internal zone by querying NSD on a local address. To me it then looks like there is no need for Unbound to bind to 127.0.0.1. NSD should only serve Unbound's queries for my.domain. Thus it does not as I understand it need to bind to any address except localhost/127.0.0.1. And, since NSD is non-recursive this also means that having the nameserver 127.0.0.1 line in /etc/resolv.conf would cause all queries to fail except the ones for which it is authoritative. Now, I don't mind the other scenario, where NSD binds to 127.0.0.1@5300 (or 42 or whatever), and Unbound binds to 192.168.x.91 and 127.0.0.1, in which case I could put nameserver 127.0.0.1 in /etc/resolv.conf - but I don't see why it would be necessary? And using tcpdump I could see Unbound sending a query, which was immediately answered - but Unbound just said SERVFAIL... There is something weird here that I don't quite see/understand so I very much appreciate the input so far. Experimenting with the various settings proposed, good stuff. /Johan 2016-10-11 9:41 GMT+02:00 Paul de Weerd: > I run a similar setup, NSD serving my local zones (on ::1@54) and > unbound querying those local zones there. Comparing your config with > mine, I didn't spot an obvious explanation for why it wouldn't work > for you, but I do note that your unbound isn't configured to listen on > 127.0.0.1, whilst your NSD *is* set to listen there. Not sure how > that flies with your resolv.conf setup. > > With the below config, unbound listens on localhost (v4 and v6) and my > local interface (v4 and v6). NSD only listens on the ::1 and at an > alternative port (54). > > Hope that helps. > > Cheers, > > Paul 'WEiRD' de Weerd > > --- nsd configuration > server: > hide-version: yes > ip-address: ::1@54 > verbosity: 1 > database: "" # disable database > > remote-control: > control-enable: yes > > zone: > name: "168.192.in-addr.arpa" > zonefile: "168.192.in-addr.arpa" > > zone: > name: "domain.tld" > zonefile: "domain.tld" > server: > interface: 127.0.0.1 > interface: ::1 > interface: 192.168.34.1 > interface: 2001:xxx:3af::1 > > access-control: 0.0.0.0/0 refuse > access-control: 127.0.0.0/8 allow > access-control: 192.168.34.0/23 allow > access-control: 192.168.36.0/24 allow > access-control: ::0/0 refuse > access-control: ::1 allow > access-control: 2001:xxx:3af::/64 allow > access-control: 2001:xxx:3af:20::/64 allow > > hide-identity: yes > hide-version: yes > > do-not-query-localhost: no > > local-zone: "168.192.in-addr.arpa." nodefault > > stub-zone: > name: domain.tld > stub-addr: ::1@54 > > stub-zone: > name: 34.168.192.in-addr.arpa > stub-addr: ::1@54 > -- > > On Mon, Oct 10, 2016 at 11:42:16PM +0200, Johan Mellberg wrote: > | Hi all, > | > | I am setting up a fresh OpenBSD 6.0 server in a KVM VM to serve my > | home network with DNS. I have a custom zone (only for LAN use) set up > | and previously used BIND successfully (but that VM crashed and its > | disk was hosed...) both as authoritative and caching/resolving. > | > | So now I am trying to learn to set up NSD to be authoritative for my > | small zone and Unbound to serve the LAN with all other queries. But > | there is a problem: > | > | 1. Unbound successfully responds to queries and provides lookup to the > | LAN machines for "the internet". > | 2. NSD successfully responds to queries for the custom zone. > | 3. But I cannot get Unbound to get a reply from NSD... > | > | I have tried multiple combinations of ports and interface bindings and > | I suspect that I am missing something simple here. Currently I have > | set NSD to listen on 127.0.0.1 and Unbound listens on 192.168.x.91 - > | so there should not be a conflict. In fact it works fine if I use dig > | @localhost and dig @192.168.x.91 > | respectively, but the second version only provides an answer-less > | response if asked for a LAN hostname. > | > | Unbound is set to ask localhost for the stub zones, forward and reverse. > | > | And, yes, I could of course use Unbound to serve my local zone and > | drop NSD - but that would be giving up... It's supposed to work from > | all I read! :-) > | > | I have also tried having NSD listen on 127.0.0.1@5353, and telling > | unbound to use that as the stub-address,
Re: Failure to get unbound to talk to nsd on the same server
(Resending to list) Yes, I thought of and tried that too with similar lack of success. But as I could see from the tcpdump (see reply to Raimo's mail) NSD responds so it's probably an Unbound issue. The forward-zone directive can be used but it expects the forward-addr to be able to provide recursion so it should not be used in my case (although it should work since recursion is not needed). 2016-10-11 8:51 GMT+02:00 mxb: > > Try to use forward-zone instead of stub-zone in unbound.conf > > forward-zone: > name: “abc.com" > forward-addr: 127.0.0.1 > > >> On 10 okt. 2016, at 23:42, Johan Mellberg wrote: >> >> Hi all, >> >> I am setting up a fresh OpenBSD 6.0 server in a KVM VM to serve my >> home network with DNS. I have a custom zone (only for LAN use) set up >> and previously used BIND successfully (but that VM crashed and its >> disk was hosed...) both as authoritative and caching/resolving. >> >> So now I am trying to learn to set up NSD to be authoritative for my >> small zone and Unbound to serve the LAN with all other queries. But >> there is a problem: >> >> 1. Unbound successfully responds to queries and provides lookup to the >> LAN machines for "the internet". >> 2. NSD successfully responds to queries for the custom zone. >> 3. But I cannot get Unbound to get a reply from NSD... >> >> I have tried multiple combinations of ports and interface bindings and >> I suspect that I am missing something simple here. Currently I have >> set NSD to listen on 127.0.0.1 and Unbound listens on 192.168.x.91 - >> so there should not be a conflict. In fact it works fine if I use dig >> @localhost and dig @192.168.x.91 >> respectively, but the second version only provides an answer-less >> response if asked for a LAN hostname. >> >> Unbound is set to ask localhost for the stub zones, forward and reverse. >> >> And, yes, I could of course use Unbound to serve my local zone and >> drop NSD - but that would be giving up... It's supposed to work from >> all I read! :-) >> >> I have also tried having NSD listen on 127.0.0.1@5353, and telling >> unbound to use that as the stub-address, while then having Unbound >> listen on 127.0.0.1 as well as 192.168.x.91 to be able to set >> 127.0.0.1 as the nameserver in /etc/resolv.conf. Same result except I >> can't test NSD with dig as it can't use an alternative port. >> >> A possibly related question: I can't seem to be able to use >> shortnames. The domain part should be picked up from the host name as >> given in /etc/myname, but that does not seem to work as I expect, I >> always have to provide the FQDN. Again something I have missed >> perhaps? >> >> Anyway, I am staring blindly at the config files now and really need >> help figuring it out. I have removed all that is commented, otherwise >> it's the default except for changes of course. >> >> Thanks for any clue bats coming my way... >> /Johan >> >> * resolv.conf >> lookup file bind >> nameserver 192.168.x.91 >> >> # cat /etc/myname >> dns03.my.domain >> >> # cat /etc/hosts >> 127.0.0.1 localhost >> ::1 localhost >> 192.168.x.91 dns03.my.domain dns03 >> >> # cat /var/unbound/etc/unbound.conf >> # $OpenBSD: unbound.conf,v 1.7 2016/03/30 01:41:25 sthen Exp $ >> >> server: >>interface: 192.168.x.91 >>interface: ::1 >>do-not-query-localhost: no >> >>access-control: 192.168.x.64/24 allow >>access-control: 127.0.0.0/8 allow >>access-control: 0.0.0.0/0 refuse >>access-control: ::0/0 refuse >>access-control: ::1 allow >> >>hide-identity: yes >>hide-version: yes >> >># Uncomment to enable DNSSEC validation. >># >>auto-trust-anchor-file: "/var/unbound/db/root.key" >> >>root-hints: /var/unbound/etc/root.hints >> >> remote-control: >>control-enable: yes >>control-use-cert: no >>control-interface: /var/run/unbound.sock >> >> stub-zone: >>name: "my.domain" >>stub-addr: 127.0.0.1 >> stub-zone: >>name: "x.168.192.in-addr.arpa" >>stub-addr: 127.0.0.1 >> >> # cat /var/nsd/etc/nsd.conf >> # $OpenBSD: nsd.conf,v 1.11 2015/04/12 11:49:39 sthen Exp $ >> >> server: >>hide-version: yes >>verbosity: 1 >>database: "" # disable database >> >> ## bind to a specific address/port >>ip-address: 127.0.0.1 >> >> remote-control: >>control-enable: yes >> >> zone: >>name: "my.domain" >>zonefile: "master/my.domain" >> zone: >>name: "x.168.192.in-addr.arpa" >>zonefile: "master/192.168.x.rev"
Re: Failure to get unbound to talk to nsd on the same server
On 2016-10-11, Raimo Niskanenwrote: > And -l Port to dig selects a non-default port. N.B. dig in OpenBSD base doesn't support this.
Re: Failure to get unbound to talk to nsd on the same server
Thanks. Here's the output of the various dig commands and the tcpdump where relevant. pf is unchanged and there is no difference whether disabled with pfctl -d or not. The tcpdump is interesting since apparently the query reached NSD and it replies - but Unbound does not see/accept it (?). Could it be that it refuses replies on the port it used to send the query? The first dig command is run on another host in the lan (chief), the others are run on the dns server itself (dns03). Note that the successful replies refer to another dns server, but at the moment it does not exist. No machines are configured to use that, it's only in the zone files for now. ### Run on chief (192.168.x.95) ### [johan@chief ~]$ dig @192.168.x.91 ericsson.com ; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7_2.4 <<>> @192.168.x.91 ericsson.com ; (1 server found) ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32640 ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4096 ;; QUESTION SECTION: ;ericsson.com. IN A ;; ANSWER SECTION: ericsson.com. 28800 IN A 193.180.16.203 ;; Query time: 51 msec ;; SERVER: 192.168.x.91#53(192.168.x.91) ;; WHEN: tis okt 11 13:40:10 CEST 2016 ;; MSG SIZE rcvd: 57 ### Run on dns03 (192.168.x.91) ### $ dig aftonbladet.se ; <<>> DiG 9.4.2-P2 <<>> aftonbladet.se ;; global options: printcmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5621 ;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0 ;; QUESTION SECTION: ;aftonbladet.se.IN A ;; ANSWER SECTION: aftonbladet.se. 300 IN A 52.50.97.124 aftonbladet.se. 300 IN A 52.30.21.46 aftonbladet.se. 300 IN A 52.50.100.254 ;; Query time: 66 msec ;; SERVER: 192.168.x.91#53(192.168.x.91) ;; WHEN: Tue Oct 11 13:42:40 2016 ;; MSG SIZE rcvd: 80 $ dig chief.my.domain ; <<>> DiG 9.4.2-P2 <<>> chief.my.domain ;; global options: printcmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 3456 ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0 ;; QUESTION SECTION: ;chief.my.domain. IN A ;; Query time: 442 msec ;; SERVER: 192.168.x.91#53(192.168.x.91) ;; WHEN: Tue Oct 11 13:43:45 2016 ;; MSG SIZE rcvd: 38 While running the above query the following tcpdump was captured: # tcpdump -i lo0 net 127 and port 53 tcpdump: listening on lo0, link-type LOOP 13:59:57.145012 localhost.39240 > localhost.domain: 10949% [1au] A? chief.my.domain. (49) 13:59:57.145478 localhost.domain > localhost.39240: 10949*- 1/2/3 A 192.168.x.95 (137) $ dig @localhost chief.my.domain ; <<>> DiG 9.4.2-P2 <<>> @localhost chief.my.domain ; (2 servers found) ;; global options: printcmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36657 ;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2 ;; WARNING: recursion requested but not available ;; QUESTION SECTION: ;chief.my.domain. IN A ;; ANSWER SECTION: chief.my.domain. 86400 IN A 192.168.x.95 ;; AUTHORITY SECTION: my.domain. 86400 IN NS dns03.my.domain. my.domain. 86400 IN NS dns04.my.domain. ;; ADDITIONAL SECTION: dns03.my.domain. 86400 IN A 192.168.x.91 dns04.my.domain. 86400 IN A 192.168.x.92 ;; Query time: 6 msec ;; SERVER: 127.0.0.1#53(127.0.0.1) ;; WHEN: Tue Oct 11 13:44:10 2016 ;; MSG SIZE rcvd: 126 And here's the tcpdump of that query: # tcpdump -i lo0 net 127 and port 53 tcpdump: listening on lo0, link-type LOOP 14:01:28.099979 localhost.30023 > localhost.domain: 51528+ A? chief.my.domain. (38) 14:01:28.100456 localhost.domain > localhost.30023: 51528*- 1/2/2 A 192.168.x.95 (126) $ dig @localhost chief ; <<>> DiG 9.4.2-P2 <<>> @localhost chief ; (2 servers found) ;; global options: printcmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 64595 ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0 ;; WARNING: recursion requested but not available ;; QUESTION SECTION: ;chief. IN A ;; Query time: 5 msec ;; SERVER: 127.0.0.1#53(127.0.0.1) ;; WHEN: Tue Oct 11 13:47:55 2016 ;; MSG SIZE rcvd: 23 2016-10-11 8:29 GMT+02:00 Raimo Niskanen: > Please give more details on which dig commands you used on which machine(s) > and paste their exact results. Otherwise hard to tell since your setup > seems about right. Does pf get in your way? > > And -l Port to dig selects a non-default port. > > Anything interesting in your system logs on the DNS server? > > Try to tcpdump on 127.0.0.1 port 53 and see if you have traffic there > between unbound and nsd. > > Good luck! > > / Raimo Niskanen > > > > On Mon, Oct 10, 2016 at 11:42:16PM +0200, Johan Mellberg wrote: >> Hi all, >> >> I
Re: Failure to get unbound to talk to nsd on the same server
Hi Johan, On Mon, 10 Oct 2016 23:42:16 +0200 Johan Mellberg wrote: > I have tried multiple combinations of ports and interface bindings and > I suspect that I am missing something simple here. Currently I have > set NSD to listen on 127.0.0.1 and Unbound listens on 192.168.x.91 - > so there should not be a conflict. For unbound to be the machine's resolver, it needs to listen on lo0. > > * resolv.conf > lookup file bind > nameserver 192.168.x.91 Remove the lookup line, and change the nameserver line to: nameserver 127.0.0.1 > > # cat /etc/myname > dns03.my.domain > > # cat /etc/hosts > 127.0.0.1 localhost > ::1 localhost > 192.168.x.91 dns03.my.domain dns03 > > # cat /var/unbound/etc/unbound.conf > # $OpenBSD: unbound.conf,v 1.7 2016/03/30 01:41:25 sthen Exp $ > > server: > interface: 192.168.x.91 > interface: ::1 # Add this line: interface: 127.0.0.1 > do-not-query-localhost: no > > access-control: 192.168.x.64/24 allow > access-control: 127.0.0.0/8 allow > access-control: 0.0.0.0/0 refuse > access-control: ::0/0 refuse > access-control: ::1 allow > > hide-identity: yes > hide-version: yes > > # Uncomment to enable DNSSEC validation. > # > auto-trust-anchor-file: "/var/unbound/db/root.key" > > root-hints: /var/unbound/etc/root.hints > # Add these lines: private-address: 192.168.0.0/16 private-domain: 'my.domain' local-zone: 'x.168.192.in-addr.arpa' typetransparent > remote-control: > control-enable: yes > control-use-cert: no > control-interface: /var/run/unbound.sock > > stub-zone: > name: "my.domain" > stub-addr: 127.0.0.1 # Add port 42 here:- # The ARPA Host Name Server Protocol (NAMESERVER) # is an obsolete network protocol > unused low port # http://en.wikipedia.org/wiki/ARPA_Host_Name_Server_Protocol stub-addr: 127.0.0.1@42 > stub-zone: > name: "x.168.192.in-addr.arpa" > stub-addr: 127.0.0.1 # Again, add port 42 to the above line: stub-addr: 127.0.0.1@42 > > # cat /var/nsd/etc/nsd.conf > # $OpenBSD: nsd.conf,v 1.11 2015/04/12 11:49:39 sthen Exp $ > > server: > hide-version: yes > verbosity: 1 > database: "" # disable database > > ## bind to a specific address/port > ip-address: 127.0.0.1 # Again, add port 42 to the above line: ip-address: 127.0.0.1@42 > > remote-control: > control-enable: yes > > zone: > name: "my.domain" > zonefile: "master/my.domain" > zone: > name: "x.168.192.in-addr.arpa" > zonefile: "master/192.168.x.rev" > Hopefully those minor tweaks should get you going! (As you had set 'do-not-query-localhost', probably the missing companion typetransparent local-zone simply caught you out.) While this post is 2 years old, the address and ports stuff is much the same: http://marc.info/?l=openbsd-misc=141113669300630=2 While I've not tried it, another method could be instead of having NSD listen on 127.0.0.1@42, have it listen on 127.0.0.53, which would require another an /etc/hostname.lo53, pf rules, etc... Cheers, -- Craig Skinner | http://linkd.in/yGqkv7
Re: Failure to get unbound to talk to nsd on the same server
I run a similar setup, NSD serving my local zones (on ::1@54) and unbound querying those local zones there. Comparing your config with mine, I didn't spot an obvious explanation for why it wouldn't work for you, but I do note that your unbound isn't configured to listen on 127.0.0.1, whilst your NSD *is* set to listen there. Not sure how that flies with your resolv.conf setup. With the below config, unbound listens on localhost (v4 and v6) and my local interface (v4 and v6). NSD only listens on the ::1 and at an alternative port (54). Hope that helps. Cheers, Paul 'WEiRD' de Weerd --- nsd configuration server: hide-version: yes ip-address: ::1@54 verbosity: 1 database: "" # disable database remote-control: control-enable: yes zone: name: "168.192.in-addr.arpa" zonefile: "168.192.in-addr.arpa" zone: name: "domain.tld" zonefile: "domain.tld" server: interface: 127.0.0.1 interface: ::1 interface: 192.168.34.1 interface: 2001:xxx:3af::1 access-control: 0.0.0.0/0 refuse access-control: 127.0.0.0/8 allow access-control: 192.168.34.0/23 allow access-control: 192.168.36.0/24 allow access-control: ::0/0 refuse access-control: ::1 allow access-control: 2001:xxx:3af::/64 allow access-control: 2001:xxx:3af:20::/64 allow hide-identity: yes hide-version: yes do-not-query-localhost: no local-zone: "168.192.in-addr.arpa." nodefault stub-zone: name: domain.tld stub-addr: ::1@54 stub-zone: name: 34.168.192.in-addr.arpa stub-addr: ::1@54 -- On Mon, Oct 10, 2016 at 11:42:16PM +0200, Johan Mellberg wrote: | Hi all, | | I am setting up a fresh OpenBSD 6.0 server in a KVM VM to serve my | home network with DNS. I have a custom zone (only for LAN use) set up | and previously used BIND successfully (but that VM crashed and its | disk was hosed...) both as authoritative and caching/resolving. | | So now I am trying to learn to set up NSD to be authoritative for my | small zone and Unbound to serve the LAN with all other queries. But | there is a problem: | | 1. Unbound successfully responds to queries and provides lookup to the | LAN machines for "the internet". | 2. NSD successfully responds to queries for the custom zone. | 3. But I cannot get Unbound to get a reply from NSD... | | I have tried multiple combinations of ports and interface bindings and | I suspect that I am missing something simple here. Currently I have | set NSD to listen on 127.0.0.1 and Unbound listens on 192.168.x.91 - | so there should not be a conflict. In fact it works fine if I use dig | @localhost and dig @192.168.x.91 | respectively, but the second version only provides an answer-less | response if asked for a LAN hostname. | | Unbound is set to ask localhost for the stub zones, forward and reverse. | | And, yes, I could of course use Unbound to serve my local zone and | drop NSD - but that would be giving up... It's supposed to work from | all I read! :-) | | I have also tried having NSD listen on 127.0.0.1@5353, and telling | unbound to use that as the stub-address, while then having Unbound | listen on 127.0.0.1 as well as 192.168.x.91 to be able to set | 127.0.0.1 as the nameserver in /etc/resolv.conf. Same result except I | can't test NSD with dig as it can't use an alternative port. | | A possibly related question: I can't seem to be able to use | shortnames. The domain part should be picked up from the host name as | given in /etc/myname, but that does not seem to work as I expect, I | always have to provide the FQDN. Again something I have missed | perhaps? | | Anyway, I am staring blindly at the config files now and really need | help figuring it out. I have removed all that is commented, otherwise | it's the default except for changes of course. | | Thanks for any clue bats coming my way... | /Johan | | * resolv.conf | lookup file bind | nameserver 192.168.x.91 | | # cat /etc/myname | dns03.my.domain | | # cat /etc/hosts | 127.0.0.1 localhost | ::1 localhost | 192.168.x.91 dns03.my.domain dns03 | | # cat /var/unbound/etc/unbound.conf | # $OpenBSD: unbound.conf,v 1.7 2016/03/30 01:41:25 sthen Exp $ | | server: | interface: 192.168.x.91 | interface: ::1 | do-not-query-localhost: no | | access-control: 192.168.x.64/24 allow | access-control: 127.0.0.0/8 allow | access-control: 0.0.0.0/0 refuse | access-control: ::0/0 refuse | access-control: ::1 allow | | hide-identity: yes | hide-version: yes | | # Uncomment to enable DNSSEC validation. | # | auto-trust-anchor-file:
Re: Failure to get unbound to talk to nsd on the same server
Try to use forward-zone instead of stub-zone in unbound.conf forward-zone: name: “abc.com" forward-addr: 127.0.0.1 > On 10 okt. 2016, at 23:42, Johan Mellbergwrote: > > Hi all, > > I am setting up a fresh OpenBSD 6.0 server in a KVM VM to serve my > home network with DNS. I have a custom zone (only for LAN use) set up > and previously used BIND successfully (but that VM crashed and its > disk was hosed...) both as authoritative and caching/resolving. > > So now I am trying to learn to set up NSD to be authoritative for my > small zone and Unbound to serve the LAN with all other queries. But > there is a problem: > > 1. Unbound successfully responds to queries and provides lookup to the > LAN machines for "the internet". > 2. NSD successfully responds to queries for the custom zone. > 3. But I cannot get Unbound to get a reply from NSD... > > I have tried multiple combinations of ports and interface bindings and > I suspect that I am missing something simple here. Currently I have > set NSD to listen on 127.0.0.1 and Unbound listens on 192.168.x.91 - > so there should not be a conflict. In fact it works fine if I use dig > @localhost and dig @192.168.x.91 > respectively, but the second version only provides an answer-less > response if asked for a LAN hostname. > > Unbound is set to ask localhost for the stub zones, forward and reverse. > > And, yes, I could of course use Unbound to serve my local zone and > drop NSD - but that would be giving up... It's supposed to work from > all I read! :-) > > I have also tried having NSD listen on 127.0.0.1@5353, and telling > unbound to use that as the stub-address, while then having Unbound > listen on 127.0.0.1 as well as 192.168.x.91 to be able to set > 127.0.0.1 as the nameserver in /etc/resolv.conf. Same result except I > can't test NSD with dig as it can't use an alternative port. > > A possibly related question: I can't seem to be able to use > shortnames. The domain part should be picked up from the host name as > given in /etc/myname, but that does not seem to work as I expect, I > always have to provide the FQDN. Again something I have missed > perhaps? > > Anyway, I am staring blindly at the config files now and really need > help figuring it out. I have removed all that is commented, otherwise > it's the default except for changes of course. > > Thanks for any clue bats coming my way... > /Johan > > * resolv.conf > lookup file bind > nameserver 192.168.x.91 > > # cat /etc/myname > dns03.my.domain > > # cat /etc/hosts > 127.0.0.1 localhost > ::1 localhost > 192.168.x.91 dns03.my.domain dns03 > > # cat /var/unbound/etc/unbound.conf > # $OpenBSD: unbound.conf,v 1.7 2016/03/30 01:41:25 sthen Exp $ > > server: >interface: 192.168.x.91 >interface: ::1 >do-not-query-localhost: no > >access-control: 192.168.x.64/24 allow >access-control: 127.0.0.0/8 allow >access-control: 0.0.0.0/0 refuse >access-control: ::0/0 refuse >access-control: ::1 allow > >hide-identity: yes >hide-version: yes > ># Uncomment to enable DNSSEC validation. ># >auto-trust-anchor-file: "/var/unbound/db/root.key" > >root-hints: /var/unbound/etc/root.hints > > remote-control: >control-enable: yes >control-use-cert: no >control-interface: /var/run/unbound.sock > > stub-zone: >name: "my.domain" >stub-addr: 127.0.0.1 > stub-zone: >name: "x.168.192.in-addr.arpa" >stub-addr: 127.0.0.1 > > # cat /var/nsd/etc/nsd.conf > # $OpenBSD: nsd.conf,v 1.11 2015/04/12 11:49:39 sthen Exp $ > > server: >hide-version: yes >verbosity: 1 >database: "" # disable database > > ## bind to a specific address/port >ip-address: 127.0.0.1 > > remote-control: >control-enable: yes > > zone: >name: "my.domain" >zonefile: "master/my.domain" > zone: >name: "x.168.192.in-addr.arpa" >zonefile: "master/192.168.x.rev"
Re: Failure to get unbound to talk to nsd on the same server
Please give more details on which dig commands you used on which machine(s) and paste their exact results. Otherwise hard to tell since your setup seems about right. Does pf get in your way? And -l Port to dig selects a non-default port. Anything interesting in your system logs on the DNS server? Try to tcpdump on 127.0.0.1 port 53 and see if you have traffic there between unbound and nsd. Good luck! / Raimo Niskanen On Mon, Oct 10, 2016 at 11:42:16PM +0200, Johan Mellberg wrote: > Hi all, > > I am setting up a fresh OpenBSD 6.0 server in a KVM VM to serve my > home network with DNS. I have a custom zone (only for LAN use) set up > and previously used BIND successfully (but that VM crashed and its > disk was hosed...) both as authoritative and caching/resolving. > > So now I am trying to learn to set up NSD to be authoritative for my > small zone and Unbound to serve the LAN with all other queries. But > there is a problem: > > 1. Unbound successfully responds to queries and provides lookup to the > LAN machines for "the internet". > 2. NSD successfully responds to queries for the custom zone. > 3. But I cannot get Unbound to get a reply from NSD... > > I have tried multiple combinations of ports and interface bindings and > I suspect that I am missing something simple here. Currently I have > set NSD to listen on 127.0.0.1 and Unbound listens on 192.168.x.91 - > so there should not be a conflict. In fact it works fine if I use dig > @localhost and dig @192.168.x.91 > respectively, but the second version only provides an answer-less > response if asked for a LAN hostname. > > Unbound is set to ask localhost for the stub zones, forward and reverse. > > And, yes, I could of course use Unbound to serve my local zone and > drop NSD - but that would be giving up... It's supposed to work from > all I read! :-) > > I have also tried having NSD listen on 127.0.0.1@5353, and telling > unbound to use that as the stub-address, while then having Unbound > listen on 127.0.0.1 as well as 192.168.x.91 to be able to set > 127.0.0.1 as the nameserver in /etc/resolv.conf. Same result except I > can't test NSD with dig as it can't use an alternative port. > > A possibly related question: I can't seem to be able to use > shortnames. The domain part should be picked up from the host name as > given in /etc/myname, but that does not seem to work as I expect, I > always have to provide the FQDN. Again something I have missed > perhaps? > > Anyway, I am staring blindly at the config files now and really need > help figuring it out. I have removed all that is commented, otherwise > it's the default except for changes of course. > > Thanks for any clue bats coming my way... > /Johan > > * resolv.conf > lookup file bind > nameserver 192.168.x.91 > > # cat /etc/myname > dns03.my.domain > > # cat /etc/hosts > 127.0.0.1 localhost > ::1 localhost > 192.168.x.91 dns03.my.domain dns03 > > # cat /var/unbound/etc/unbound.conf > # $OpenBSD: unbound.conf,v 1.7 2016/03/30 01:41:25 sthen Exp $ > > server: > interface: 192.168.x.91 > interface: ::1 > do-not-query-localhost: no > > access-control: 192.168.x.64/24 allow > access-control: 127.0.0.0/8 allow > access-control: 0.0.0.0/0 refuse > access-control: ::0/0 refuse > access-control: ::1 allow > > hide-identity: yes > hide-version: yes > > # Uncomment to enable DNSSEC validation. > # > auto-trust-anchor-file: "/var/unbound/db/root.key" > > root-hints: /var/unbound/etc/root.hints > > remote-control: > control-enable: yes > control-use-cert: no > control-interface: /var/run/unbound.sock > > stub-zone: > name: "my.domain" > stub-addr: 127.0.0.1 > stub-zone: > name: "x.168.192.in-addr.arpa" > stub-addr: 127.0.0.1 > > # cat /var/nsd/etc/nsd.conf > # $OpenBSD: nsd.conf,v 1.11 2015/04/12 11:49:39 sthen Exp $ > > server: > hide-version: yes > verbosity: 1 > database: "" # disable database > > ## bind to a specific address/port > ip-address: 127.0.0.1 > > remote-control: > control-enable: yes > > zone: > name: "my.domain" > zonefile: "master/my.domain" > zone: > name: "x.168.192.in-addr.arpa" > zonefile: "master/192.168.x.rev" -- / Raimo Niskanen, Erlang/OTP, Ericsson AB
Failure to get unbound to talk to nsd on the same server
Hi all, I am setting up a fresh OpenBSD 6.0 server in a KVM VM to serve my home network with DNS. I have a custom zone (only for LAN use) set up and previously used BIND successfully (but that VM crashed and its disk was hosed...) both as authoritative and caching/resolving. So now I am trying to learn to set up NSD to be authoritative for my small zone and Unbound to serve the LAN with all other queries. But there is a problem: 1. Unbound successfully responds to queries and provides lookup to the LAN machines for "the internet". 2. NSD successfully responds to queries for the custom zone. 3. But I cannot get Unbound to get a reply from NSD... I have tried multiple combinations of ports and interface bindings and I suspect that I am missing something simple here. Currently I have set NSD to listen on 127.0.0.1 and Unbound listens on 192.168.x.91 - so there should not be a conflict. In fact it works fine if I use dig @localhost and dig @192.168.x.91 respectively, but the second version only provides an answer-less response if asked for a LAN hostname. Unbound is set to ask localhost for the stub zones, forward and reverse. And, yes, I could of course use Unbound to serve my local zone and drop NSD - but that would be giving up... It's supposed to work from all I read! :-) I have also tried having NSD listen on 127.0.0.1@5353, and telling unbound to use that as the stub-address, while then having Unbound listen on 127.0.0.1 as well as 192.168.x.91 to be able to set 127.0.0.1 as the nameserver in /etc/resolv.conf. Same result except I can't test NSD with dig as it can't use an alternative port. A possibly related question: I can't seem to be able to use shortnames. The domain part should be picked up from the host name as given in /etc/myname, but that does not seem to work as I expect, I always have to provide the FQDN. Again something I have missed perhaps? Anyway, I am staring blindly at the config files now and really need help figuring it out. I have removed all that is commented, otherwise it's the default except for changes of course. Thanks for any clue bats coming my way... /Johan * resolv.conf lookup file bind nameserver 192.168.x.91 # cat /etc/myname dns03.my.domain # cat /etc/hosts 127.0.0.1 localhost ::1 localhost 192.168.x.91 dns03.my.domain dns03 # cat /var/unbound/etc/unbound.conf # $OpenBSD: unbound.conf,v 1.7 2016/03/30 01:41:25 sthen Exp $ server: interface: 192.168.x.91 interface: ::1 do-not-query-localhost: no access-control: 192.168.x.64/24 allow access-control: 127.0.0.0/8 allow access-control: 0.0.0.0/0 refuse access-control: ::0/0 refuse access-control: ::1 allow hide-identity: yes hide-version: yes # Uncomment to enable DNSSEC validation. # auto-trust-anchor-file: "/var/unbound/db/root.key" root-hints: /var/unbound/etc/root.hints remote-control: control-enable: yes control-use-cert: no control-interface: /var/run/unbound.sock stub-zone: name: "my.domain" stub-addr: 127.0.0.1 stub-zone: name: "x.168.192.in-addr.arpa" stub-addr: 127.0.0.1 # cat /var/nsd/etc/nsd.conf # $OpenBSD: nsd.conf,v 1.11 2015/04/12 11:49:39 sthen Exp $ server: hide-version: yes verbosity: 1 database: "" # disable database ## bind to a specific address/port ip-address: 127.0.0.1 remote-control: control-enable: yes zone: name: "my.domain" zonefile: "master/my.domain" zone: name: "x.168.192.in-addr.arpa" zonefile: "master/192.168.x.rev"