Hi David,

Your configuration should work.
Are you sure that Unbound is seeing that exact client IP address?
If you increase verbosity (4 at least), Unbound will log why the query was refused.

> A dig query against this server returns "recursion requested but not
> available".
I suppose the "status:" of that response is "REFUSED"?

Best regards,
-- Yorgos


On 19/02/2023 20:50, David Newman via Unbound-users wrote:
New unbound user here, recent arrival after many years with bind.

Attempts at a recursive lookup fail against an unbound server, even though unbound.conf explicitly allows this from one particular client. I searched the archive and didn't find an answer, but I may have missed something.

A dig query against this server returns "recursion requested but not available". There are no firewalls blocking traffic between client and server. Running tcpdump on the server shows the query coming in and the server rejecting it.

The server uses Unbound v. 1.16.3 as supplied in OpenBSD 7.2 and has these IP addresses:

149.28.38.111

2001:19f0:c:1055:5400:4ff:fe4c:d46a

The client also runs OpenBSD 7.2 and has these IP addresses:

144.202.0.40

2001:19f0:c:75b:471f:a26a:c6f2:77bd

The server's full unbound.conf is pasted below, but these are the relevant bits:

server:
         root-hints: "/var/unbound/db/root.hints"
         #qname-minimisation: yes
         interface: 0.0.0.0
         interface: ::0
         do-ip6: yes

         access-control: 0.0.0.0/0 refuse

..

         access-control: 144.202.0.40/32 allow
         access-control: 2001:19f0:c:75b::/64 allow

Shouldn't the server allow a recursive query from this client? If not, what's missing? Thanks!

dn


full unbound.conf:

# $OpenBSD: unbound.conf,v 1.21 2020/10/28 11:35:58 sthen Exp $

server:
     root-hints: "/var/unbound/db/root.hints"
     #qname-minimisation: yes
     interface: 0.0.0.0
     #interface: 127.0.0.1@5353    # listen on alternative port
     interface: ::0
     do-ip6: yes

     # override the default "any" address to send queries; if multiple
     # addresses are available, they are used randomly to counter spoofing
     #outgoing-interface: 192.0.2.1
     #outgoing-interface: 2001:db8::53

     access-control: 0.0.0.0/0 refuse
     access-control: 127.0.0.0/8 allow
     access-control: ::0/0 refuse
     access-control: ::1 allow

     # allow recursive queries from this client
     access-control: 144.202.0.40/32 allow
     access-control: 2001:19f0:c:75b::/64 allow

     hide-identity: yes
     hide-version: yes

     # Perform DNSSEC validation.
     #
     #auto-trust-anchor-file: "/var/unbound/db/root.key"
     #val-log-level: 2

remote-control:
     control-enable: yes
     control-interface: /var/run/unbound.sock

# Use an upstream forwarder (recursive resolver) for some or all zones.
#
forward-zone:
     name: "."                # use for ALL queries
#    forward-addr: 192.0.2.53        # example address only
     forward-addr: 9.9.9.9            #
     forward-first: yes            # try direct if forwarder fails
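An added example, not from either message in the thread and not Unbound's own code: a small Python checker that applies the access-control lines quoted above the way unbound.conf(5) documents them (the most specific matching netblock decides, and a client that matches nothing is refused). Feeding it the address the server actually sees from the client (Yorgos's question) tells you whether the config or the observed source address is the problem. The ACCESS_CONTROL text is copied from the posted config; the extra test addresses (144.202.0.41, 2001:db8::1) are constructed.

```python
import ipaddress

# Constructed sample input: the access-control lines from the unbound.conf
# quoted in the thread above.
ACCESS_CONTROL = """
access-control: 0.0.0.0/0 refuse
access-control: 127.0.0.0/8 allow
access-control: ::0/0 refuse
access-control: ::1 allow
# allow recursive queries from this client
access-control: 144.202.0.40/32 allow
access-control: 2001:19f0:c:75b::/64 allow
"""


def parse_access_control(text):
    """Return a list of (ip_network, action) tuples from access-control lines.

    Comments and unrelated directives are skipped. A bare address such as
    "::1" is treated as a host netblock (/128 or /32), as Unbound does.
    """
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line.startswith("access-control:"):
            continue
        netblock, action = line[len("access-control:"):].split()
        rules.append((ipaddress.ip_network(netblock, strict=False), action))
    return rules


def lookup(rules, client):
    """Return (matching netblock as a string, action) for a client address.

    Longest-prefix match: among all netblocks containing the address, the one
    with the largest prefix length wins. With no match Unbound refuses, so
    ("none", "refuse") is returned in that case.
    """
    addr = ipaddress.ip_address(client)
    best = None
    for net, action in rules:
        if net.version != addr.version or addr not in net:
            continue
        if best is None or net.prefixlen > best[0].prefixlen:
            best = (net, action)
    if best is None:
        return ("none", "refuse")
    return (str(best[0]), best[1])


def report(rules, clients):
    """Build one verdict line per client address, e.g. for a log or a ticket."""
    lines = []
    for client in clients:
        net, action = lookup(rules, client)
        lines.append(f"{client:<40} -> {action:<7} (matched {net})")
    return lines


if __name__ == "__main__":
    rules = parse_access_control(ACCESS_CONTROL)
    # The two client addresses from the thread, plus constructed neighbours
    # that should fall through to the catch-all refuse rules.
    for line in report(rules, [
        "144.202.0.40",
        "2001:19f0:c:75b:471f:a26a:c6f2:77bd",
        "144.202.0.41",
        "2001:db8::1",
    ]):
        print(line)
```

Both of David's client addresses resolve to "allow" under these rules, which is consistent with Yorgos's reading that the configuration is fine and the query is arriving from a different source address than expected; the verbosity-4 log line Yorgos mentions will show the address Unbound actually evaluated.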

