New unbound user here, recent arrival after many years with bind.

Attempts at a recursive lookup fail against an unbound server, even though unbound.conf explicitly allows this from one particular client. I searched the archive and didn't find an answer, but I may have missed something.

A dig query against this server returns "recursion requested but not available". There are no firewalls blocking traffic between client and server. Running tcpdump on the server shows the query coming in and the server rejecting it.

The server uses Unbound 1.16.3 as supplied in OpenBSD 7.2 and has these IP addresses:

149.28.38.111

2001:19f0:c:1055:5400:4ff:fe4c:d46a

The client also runs OpenBSD 7.2 and has these IP addresses:

144.202.0.40

2001:19f0:c:75b:471f:a26a:c6f2:77bd

The server's full unbound.conf is pasted below, but these are the relevant bits:

server:
        root-hints: "/var/unbound/db/root.hints"
        #qname-minimisation: yes
        interface: 0.0.0.0
        interface: ::0
        do-ip6: yes

        access-control: 0.0.0.0/0 refuse

..

        access-control: 144.202.0.40/32 allow
        access-control: 2001:19f0:c:75b::/64 allow

Shouldn't the server allow a recursive query from this client? If not, what's missing? Thanks!

dn


full unbound.conf:

# $OpenBSD: unbound.conf,v 1.21 2020/10/28 11:35:58 sthen Exp $

server:
    root-hints: "/var/unbound/db/root.hints"
    #qname-minimisation: yes
    interface: 0.0.0.0
    #interface: 127.0.0.1@5353    # listen on alternative port
    interface: ::0
    do-ip6: yes

    # override the default "any" address to send queries; if multiple
    # addresses are available, they are used randomly to counter spoofing
    #outgoing-interface: 192.0.2.1
    #outgoing-interface: 2001:db8::53

    access-control: 0.0.0.0/0 refuse
    access-control: 127.0.0.0/8 allow
    access-control: ::0/0 refuse
    access-control: ::1 allow

    # allow recursive queries from this client
    access-control: 144.202.0.40/32 allow
    access-control: 2001:19f0:c:75b::/64 allow

    hide-identity: yes
    hide-version: yes

    # Perform DNSSEC validation.
    #
    #auto-trust-anchor-file: "/var/unbound/db/root.key"
    #val-log-level: 2

remote-control:
    control-enable: yes
    control-interface: /var/run/unbound.sock

# Use an upstream forwarder (recursive resolver) for some or all zones.
#
forward-zone:
    name: "."                # use for ALL queries
#    forward-addr: 192.0.2.53        # example address only
    forward-addr: 9.9.9.9            #
    forward-first: yes            # try direct if forwarder fails

