Hi Yorgos,
Thanks very much. Logging and debugging was a very good idea. It showed
that the unbound config is fine, and that the issue is something I
neglected to mention: This system also runs NSD as an authoritative-only
name server, and NSD had already bound to UDP port 53.
This may be a question for the openbsd-misc list instead, but if anyone
here has examples of how to run an authoritative and recursive server on
the same box using unbound and NSD please let me know. I previously used
bind, which didn't have this issue because one server handled both
authoritative and recursive queries.
Thanks again!
dn
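One way to run the two daemons side by side, added here as an example and not taken from the thread or from either project's sample configuration: give NSD the public addresses on port 53 plus a loopback listener on an alternate port, and give Unbound loopback and a second address on port 53. Neither daemon may bind the wildcard address, or it will take port 53 on every interface. The zone name example.org, the resolver alias addresses 192.0.2.2 and 2001:db8::53 (RFC 5737/3849 placeholders standing in for an address added to the box), NSD's loopback port 5353 and the file paths are all assumptions; the public and client addresses are the ones from the original post.

```conf
# ---- /var/nsd/etc/nsd.conf : authoritative only, public port 53 ----
server:
    # Bind only the public addresses. Leaving ip-address unset makes NSD
    # bind every interface, which is what takes port 53 away from Unbound.
    ip-address: 149.28.38.111
    ip-address: 2001:19f0:c:1055:5400:4ff:fe4c:d46a
    # Extra listener on an alternate port so Unbound can reach NSD
    # without going through the public interface (assumed port).
    ip-address: 127.0.0.1@5353
    ip-address: ::1@5353
    hide-version: yes

zone:
    name: "example.org"           # placeholder zone name
    zonefile: "example.org.zone"  # placeholder, relative to zonesdir

# ---- /var/unbound/etc/unbound.conf : recursive, never on NSD's sockets ----
server:
    # Do not use 0.0.0.0 / ::0 here: a wildcard bind collides with NSD.
    interface: 127.0.0.1
    interface: ::1
    interface: 192.0.2.2       # placeholder: alias added for the resolver
    interface: 2001:db8::53    # placeholder: second address for the resolver
    do-ip6: yes
    hide-identity: yes
    hide-version: yes

    access-control: 0.0.0.0/0 refuse
    access-control: ::0/0 refuse
    access-control: 127.0.0.0/8 allow
    access-control: ::1 allow
    # the one remote client that may recurse through this box
    access-control: 144.202.0.40/32 allow
    access-control: 2001:19f0:c:75b::/64 allow

    # Needed for the stub-addr below: by default Unbound refuses to send
    # queries to 127.0.0.0/8 and ::1 and would SERVFAIL the stub.
    do-not-query-localhost: no
    # Only needed once DNSSEC validation is enabled and the zone is unsigned:
    #domain-insecure: "example.org"

# Answer the locally hosted zone from NSD instead of going out for it.
# A stub-zone is more specific than the "." forward-zone below, so
# names under it are never sent to the forwarder.
stub-zone:
    name: "example.org"
    stub-addr: 127.0.0.1@5353
    stub-addr: ::1@5353

forward-zone:
    name: "."
    forward-addr: 9.9.9.9
    forward-first: yes
```

After restarting both daemons, check that they own the sockets you intended before testing from the client: on OpenBSD `fstat -u _nsd` and `fstat -u _unbound` list each daemon's sockets, and `netstat -an -f inet` / `netstat -an -f inet6` should show port 53 bound on the public addresses (NSD) and on loopback plus the alias (Unbound), with no `*.53` wildcard entry. `dig +norecurse @149.28.38.111 example.org SOA` should come back with the `aa` flag from NSD, and a recursive query from 144.202.0.40 to the alias address should return NOERROR with `ra` set instead of REFUSED. If it still refuses, `unbound-control verbosity 4` turns on the logging Yorgos suggested without a restart.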
On 2/20/23 2:22 AM, George (Yorgos) Thessalonikefs via Unbound-users wrote:
Hi David,
Your configuration should work.
Are you sure that Unbound is seeing that exact client IP address?
If you increase verbosity (4 at least) Unbound will log why the query
was refused.
> A dig query against this server returns "recursion requested but not
> available".
I suppose the "status:" of that response is "REFUSED"?
Best regards,
-- Yorgos
On 19/02/2023 20:50, David Newman via Unbound-users wrote:
New unbound user here, recent arrival after many years with bind.
Attempts at a recursive lookup fail against an unbound server, even
though unbound.conf explicitly allows this from one particular
client. I searched the archive and didn't find an answer, but I may
have missed something.
A dig query against this server returns "recursion requested but not
available". There are no firewalls blocking traffic between client
and server. Running tcpdump on the server shows the query coming in
and the server rejecting it.
The server uses Unbound v. 1.16.3 as supplied in OpenBSD 7.2 and
has these IP addresses:
149.28.38.111
2001:19f0:c:1055:5400:4ff:fe4c:d46a
The client also runs OpenBSD 7.2 and has these IP addresses:
144.202.0.40
2001:19f0:c:75b:471f:a26a:c6f2:77bd
The server's full unbound.conf is pasted below, but these are the
relevant bits:
server:
    root-hints: "/var/unbound/db/root.hints"
    #qname-minimisation: yes
    interface: 0.0.0.0
    interface: ::0
    do-ip6: yes
    access-control: 0.0.0.0/0 refuse
    ..
    access-control: 144.202.0.40/32 allow
    access-control: 2001:19f0:c:75b::/64 allow
Shouldn't the server allow a recursive query from this client? If
not, what's missing? Thanks!
dn
full unbound.conf:
# $OpenBSD: unbound.conf,v 1.21 2020/10/28 11:35:58 sthen Exp $
server:
    root-hints: "/var/unbound/db/root.hints"
    #qname-minimisation: yes
    interface: 0.0.0.0
    #interface: 127.0.0.1@5353 # listen on alternative port
    interface: ::0
    do-ip6: yes
    # override the default "any" address to send queries; if multiple
    # addresses are available, they are used randomly to counter spoofing
    #outgoing-interface: 192.0.2.1
    #outgoing-interface: 2001:db8::53
    access-control: 0.0.0.0/0 refuse
    access-control: 127.0.0.0/8 allow
    access-control: ::0/0 refuse
    access-control: ::1 allow
    # allow recursive queries from this client
    access-control: 144.202.0.40/32 allow
    access-control: 2001:19f0:c:75b::/64 allow
    hide-identity: yes
    hide-version: yes
    # Perform DNSSEC validation.
    #
    #auto-trust-anchor-file: "/var/unbound/db/root.key"
    #val-log-level: 2
remote-control:
    control-enable: yes
    control-interface: /var/run/unbound.sock
# Use an upstream forwarder (recursive resolver) for some or all zones.
#
forward-zone:
    name: "." # use for ALL queries
    # forward-addr: 192.0.2.53 # example address only
    forward-addr: 9.9.9.9 #
    forward-first: yes # try direct if forwarder fails