Re: unbound and truly multihomed setup
On Thu, 29 Sep 2016, Gregory Edigarov wrote:
> Hi,
>
> Need some advice.
>
> I have a BGP router with 3 interfaces:
>
> em0 (xxx.yyy.zzz.1/24),
> em1, em2 - looking at uplinks
>
> BGP is up and running, packets are forwarded just fine. Also there is nsd,
> listening on both em1 and em2, serving my reverse zone.
>
> So far everything works.
>
> Now I want this host to also be a resolver for the LAN that sits on xxx.yyy.zzz.1.
>
> Here is what I have in unbound.conf:
>
> server:
>     verbosity: 1
>     outgoing-interface: 0.0.0.0
>     interface: 127.0.0.1
>     interface:
>     access-control: 127.0.0.0/8 allow
>     access-control: xxx.yyy.zzz.0/24 allow
>     access-control: ::1 allow
>     access-control: :::127.0.0.1 allow
>     root-hints: /etc/unbound/root.hints
>
> Some hosts are resolving correctly, for example google.com, but many get
> SERVFAIL.
>
> If I have
>     outgoing-interface: xxx.yyy.zzz.1
> nothing works.
>
> So the question is: how to make unbound work in such a setup?

I can't speak specifically to unbound, but check the source and destination IPs very carefully in tcpdump. I recently had similar trouble with nsd. Binding to 0.0.0.0 or ::1 is not enough: it will use the same IP for all responses no matter where they came to. I had to explicitly state the IPs I wanted to listen on so that the responses came from the right IP.

(I would check both directions: clients -> unbound and unbound -> nameservers.)

Martin
Re: unbound and truly multihomed setup
After all, it turned out to be just a fucked-up fiber connection causing enormous packet drops. Sorry for the noise.

On 29.09.16 10:48, Gregory Edigarov wrote:
> Hi,
>
> Need some advice.
>
> I have a BGP router with 3 interfaces:
>
> em0 (xxx.yyy.zzz.1/24),
> em1, em2 - looking at uplinks
>
> BGP is up and running, packets are forwarded just fine. Also there is nsd,
> listening on both em1 and em2, serving my reverse zone.
>
> So far everything works.
>
> Now I want this host to also be a resolver for the LAN that sits on xxx.yyy.zzz.1.
>
> Here is what I have in unbound.conf:
>
> server:
>     verbosity: 1
>     outgoing-interface: 0.0.0.0
>     interface: 127.0.0.1
>     interface:
>     access-control: 127.0.0.0/8 allow
>     access-control: xxx.yyy.zzz.0/24 allow
>     access-control: ::1 allow
>     access-control: :::127.0.0.1 allow
>     root-hints: /etc/unbound/root.hints
>
> Some hosts are resolving correctly, for example google.com, but many get
> SERVFAIL.
>
> If I have
>     outgoing-interface: xxx.yyy.zzz.1
> nothing works.
>
> So the question is: how to make unbound work in such a setup?
>
> Thank you.
>
> --
> With best regards,
> Gregory Edigarov
Re: unbound and truly multihomed setup
Hi Gregory,

On Thu, 29 Sep 2016 14:30:05 +0300 Gregory Edigarov wrote:
> $ dig openbsd.org @127.0.0.1
> ; <<>> DiG 9.9.5-9+deb8u6-Debian <<>> openbsd.org @127.0.0.1
> ;; global options: +cmd
> ;; connection timed out; no servers could be reached

Debian isn't OpenBSD..

This means unbound isn't listening on localhost. e.g:

$ dig openbsd.org @127.1.2.7
; <<>> DiG 9.4.2-P2 <<>> openbsd.org @127.1.2.7
;; global options: printcmd
;; connection timed out; no servers could be reached

On OpenBSD, unbound's listening ports can be found with:

$ fstat -u _unbound | fgrep internet
_unbound unbound    15133    3* internet dgram udp 127.0.0.1:53
_unbound unbound    15133    4* internet stream tcp 0x0 127.0.0.1:53
_unbound unbound    15133    5* internet dgram udp 10.11.12.13:53
_unbound unbound    15133    6* internet stream tcp 0x0 10.11.12.13:53

Ah dinnae ken aboot Debian.

-- 
Craig Skinner | http://linkd.in/yGqkv7
Re: unbound and truly multihomed setup
Hi Gregory,

On Thu, 29 Sep 2016 14:06:28 +0300 Gregory Edigarov wrote:
> I cannot use interfaces em1 and em2, it's where nsd is listening.

On OpenBSD, NSD listens on port 53, and unbound sends queries out from various ports > 1023. On OpenBSD, there's no conflict.

An 'outgoing-interface: ...' is not a listening 'interface: ...'

Cheers,

-- 
Craig Skinner | http://linkd.in/yGqkv7
Re: unbound and truly multihomed setup
Tried to play around with the ports nsd/unbound listen on?

//Мэксб

> On 29 sep. 2016, at 09:48, Gregory Edigarov wrote:
>
> Hi,
>
> Need some advice.
>
> I have a BGP router with 3 interfaces:
>
> em0 (xxx.yyy.zzz.1/24),
> em1, em2 - looking at uplinks
>
> BGP is up and running, packets are forwarded just fine. Also there is nsd,
> listening on both em1 and em2, serving my reverse zone.
>
> So far everything works.
>
> Now I want this host to also be a resolver for the LAN that sits on xxx.yyy.zzz.1.
>
> Here is what I have in unbound.conf:
>
> server:
>     verbosity: 1
>     outgoing-interface: 0.0.0.0
>     interface: 127.0.0.1
>     interface:
>     access-control: 127.0.0.0/8 allow
>     access-control: xxx.yyy.zzz.0/24 allow
>     access-control: ::1 allow
>     access-control: :::127.0.0.1 allow
>     root-hints: /etc/unbound/root.hints
>
> Some hosts are resolving correctly, for example google.com, but many get
> SERVFAIL.
>
> If I have
>     outgoing-interface: xxx.yyy.zzz.1
> nothing works.
>
> So the question is: how to make unbound work in such a setup?
>
> Thank you.
>
> --
> With best regards,
> Gregory Edigarov
Re: unbound and truly multihomed setup
Hi Craig,

On 29.09.16 13:28, Craig Skinner wrote:
> Hi Gregory,
>
> On Thu, 29 Sep 2016 10:48:37 +0300 Gregory Edigarov wrote:
>> em0 (xxx.yyy.zzz.1/24),
>> em1, em2 - looking at uplinks
>> ...
>>     outgoing-interface: 0.0.0.0
>
> Removing the outgoing-interface line would probably resolve it.
>
> Adding this private-address line might help too:
>     private-address: xxx.yyy.zzz.0/24
>
> Multiple outgoing-interface lines can be put in, for each of your em1 & em2 interfaces,

I cannot use interfaces em1 and em2, it's where nsd is listening.

I removed the outgoing-interface line. Still no effect.

The description of the private-address: directive has nothing relevant to my situation, but I've tried it, and still got nothing.

> and separate lines for IPv4 & IPv6 too, for each interface.
>
> The default is 'all', so it's a bit pointless to manually list all your external interfaces.
>
> See /usr/src/usr.sbin/unbound/doc/example.conf.in
> http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.sbin/unbound/doc/example.conf.in
>
> Cheers,
Re: unbound and truly multihomed setup
Hi Gregory,

On Thu, 29 Sep 2016 10:48:37 +0300 Gregory Edigarov wrote:
> em0 (xxx.yyy.zzz.1/24),
> em1, em2 - looking at uplinks
> ...
>     outgoing-interface: 0.0.0.0

Removing the outgoing-interface line would probably resolve it.

Adding this private-address line might help too:
    private-address: xxx.yyy.zzz.0/24

Multiple outgoing-interface lines can be put in, for each of your em1 & em2 interfaces, and separate lines for IPv4 & IPv6 too, for each interface.

The default is 'all', so it's a bit pointless to manually list all your external interfaces.

See /usr/src/usr.sbin/unbound/doc/example.conf.in
http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.sbin/unbound/doc/example.conf.in

Cheers,

-- 
Craig Skinner | http://linkd.in/yGqkv7
Re: unbound and truly multihomed setup
Corrected unbound.conf snippet, just to be sure I am properly understood.

On 29.09.16 10:48, Gregory Edigarov wrote:
> Hi,
>
> Need some advice.
>
> I have a BGP router with 3 interfaces:
>
> em0 (xxx.yyy.zzz.1/24),
> em1, em2 - looking at uplinks
>
> BGP is up and running, packets are forwarded just fine. Also there is nsd,
> listening on both em1 and em2, serving my reverse zone.
>
> So far everything works.
>
> Now I want this host to also be a resolver for the LAN that sits on xxx.yyy.zzz.1.
>
> Here is what I have in unbound.conf:
>
> server:
>     verbosity: 1
>     outgoing-interface: 0.0.0.0
>     interface: 127.0.0.1
>     interface: xxx.yyy.zzz.1
>     access-control: 127.0.0.0/8 allow
>     access-control: xxx.yyy.zzz.0/24 allow
>     access-control: ::1 allow
>     access-control: :::127.0.0.1 allow
>     root-hints: /etc/unbound/root.hints
>
> Some hosts are resolving correctly, for example google.com, but many get
> SERVFAIL.
>
> If I have
>     outgoing-interface: xxx.yyy.zzz.1
> nothing works.
>
> So the question is: how to make unbound work in such a setup?
>
> Thank you.
>
> --
> With best regards,
> Gregory Edigarov
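As an added example (not from the thread or the unbound project), the small linter below reads the server: clause of an unbound.conf and flags the three config issues the thread turns up: a bare 'interface:' line with no address (the first posting), an 'outgoing-interface: 0.0.0.0' that Craig points out is already the default, and an access-control value such as ':::127.0.0.1' that does not parse as an address or netblock. It assumes a constructed 192.0.2.0/24 (TEST-NET-1) in place of the redacted xxx.yyy.zzz.0/24 LAN.

```python
import ipaddress

# Added example, not code from the thread: lint the server: clause of an
# unbound.conf for the multihoming pitfalls visible in the posted config.
# 192.0.2.0/24 (TEST-NET-1) is a constructed stand-in for the redacted LAN.
ORIGINAL_CONF = """\
server:
    verbosity: 1
    outgoing-interface: 0.0.0.0
    interface: 127.0.0.1
    interface:
    access-control: 127.0.0.0/8 allow
    access-control: 192.0.2.0/24 allow
    access-control: ::1 allow
    access-control: :::127.0.0.1 allow
    root-hints: /etc/unbound/root.hints
"""
CLAUSES = {"server", "remote-control", "stub-zone", "forward-zone", "auth-zone", "view"}

def parse_server(conf):
    """Yield (key, value) pairs, skipping comments, blank lines and clause headers."""
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        key, _, value = line.partition(":")
        if not line or (key in CLAUSES and not value.strip()):
            continue
        yield key.strip(), value.strip()

def lint(conf):
    """Return findings as strings; an empty list means no pitfall was spotted."""
    findings, listen, allowed = [], [], []
    for key, value in parse_server(conf):
        if key == "interface":
            try:  # an empty or mangled listen address is the first thing to rule out
                listen.append(ipaddress.ip_address(value))
            except ValueError:
                findings.append(f"interface: {value!r} is not an address; listen IPs must be explicit")
        elif key == "outgoing-interface" and value in ("0.0.0.0", "::"):
            findings.append(f"outgoing-interface: {value} is already the default (all); drop it")
        elif key == "access-control":
            net, _, action = value.partition(" ")
            try:
                allowed.append((ipaddress.ip_network(net, strict=False), action.strip()))
            except ValueError:
                findings.append(f"access-control: {net!r} is not a valid address or netblock")
    for addr in listen:  # a listen address no netblock is allowed to query just answers REFUSED
        if not any(addr in net and act == "allow" for net, act in allowed):
            findings.append(f"interface {addr} has no access-control allow covering it")
    return findings
```

Run lint() on the corrected snippet above (explicit interface address, no outgoing-interface line, bogus access-control entry removed) and the findings list comes back empty; flip the LAN netblock's action to refuse and the cross-check reports the unreachable listen address.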
unbound and truly multihomed setup
Hi,

Need some advice.

I have a BGP router with 3 interfaces:

em0 (xxx.yyy.zzz.1/24),
em1, em2 - looking at uplinks

BGP is up and running, packets are forwarded just fine. Also there is nsd,
listening on both em1 and em2, serving my reverse zone.

So far everything works.

Now I want this host to also be a resolver for the LAN that sits on xxx.yyy.zzz.1.

Here is what I have in unbound.conf:

server:
    verbosity: 1
    outgoing-interface: 0.0.0.0
    interface: 127.0.0.1
    interface:
    access-control: 127.0.0.0/8 allow
    access-control: xxx.yyy.zzz.0/24 allow
    access-control: ::1 allow
    access-control: :::127.0.0.1 allow
    root-hints: /etc/unbound/root.hints

Some hosts are resolving correctly, for example google.com, but many get
SERVFAIL.

If I have
    outgoing-interface: xxx.yyy.zzz.1
nothing works.

So the question is: how to make unbound work in such a setup?

Thank you.

--
With best regards,
Gregory Edigarov