Hi,

I have a somewhat strange problem running unbound and BIND together on one Linux box (2.6.32).

BIND is listening only on the primary IP address (IPv4 and IPv6) while unbound is configured to listen on the loopback interface (127.0.0.1 and ::1) and the secondary IPv4 and IPv6 addresses.

As usual, both nameserver programs use port 53 for this kind of service.
I stopped the firewall while running the test, to make sure that the traffic is not blocked anywhere. Unbound is configured with query logging to get some feedback on whether a query is handled by the software or not. As I'm not willing to run an open resolver, queries are restricted to localhost and some subnets via the access-control directive.


For testing purposes I also added port 553 as listening port, so the related unbound config is like this (port 443 is filtered out):

# grep "   interface:" unbound.conf | grep -v 443
        interface: 127.0.0.1
        interface: ::1
        interface: 88.198.13.180@553
        interface: 88.198.13.180@53
        interface: 2a01:4f8:130:1261::180@553
        interface: 2a01:4f8:130:1261::180@53

This (plus the running BIND authoritative server) results in a list of listening UDP ports (output compressed, so that it fits in a line):

# netstat -p -anu | grep 53 | cut -c1-5,21-55,80-
udp  88.198.13.180:553       0.0.0.0:*   10515/unbound
udp  88.198.13.180:53        0.0.0.0:*   10515/unbound
udp  127.0.0.1:53            0.0.0.0:*   10515/unbound
udp  88.198.13.165:53        0.0.0.0:*   10551/named
udp6 2a01:4f8:130:1261:::553 :::*        10515/unbound
udp6 2a01:4f8:130:1261::1:53 :::*        10515/unbound
udp6 ::1:53                  :::*        10515/unbound
udp6 2a01:4f8:130:1261::2:53 :::*        10551/named

netstat cuts off parts of the IP address, so in the third-to-last line the host id is not ::1 but ::180.

Now sending a query from a host whose subnet is allowed in the access-control directive:
$ dig -p 53 www.google.com @88.198.13.180

; <<>> DiG 9.10.1b1 <<>> -p 53 www.google.com @88.198.13.180
;; global options: +cmd
;; connection timed out; no servers could be reached

At the same time I sniffed on the dns server side, and got the incoming query, but no response. Also nothing seen in the querylog of unbound.

Now I tried the same with port 553 and this works:

$ dig -p 553 www.google.com @88.198.13.180

; <<>> DiG 9.10.1b1 <<>> -p 553 www.google.com @88.198.13.180
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7336
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.google.com.                        IN      A

;; ANSWER SECTION:
www.google.com.         124     IN      A       173.194.116.148
www.google.com.         124     IN      A       173.194.116.147
www.google.com.         124     IN      A       173.194.116.144
www.google.com.         124     IN      A       173.194.116.146
www.google.com.         124     IN      A       173.194.116.145

;; Query time: 79 msec
;; SERVER: 88.198.13.180#553(88.198.13.180)
;; WHEN: Wed Aug 06 19:28:44 CEST 2014
;; MSG SIZE  rcvd: 123

I also got a message in the query log and saw the incoming and outgoing packets in the trace. The same is true if I use IPv6 as transport protocol (port 53 is not working while 553 is).


Does anybody have an idea why port 53 is not working?


To make it a bit more confusing, I tried the same dig command on the server itself. Now IPv4 is working (port 53 and 553) but IPv6 is still working only on port 553 and not on port 53!

# dig -p 53 www.google.com @88.198.13.180

; <<>> DiG 9.7.0-P1 <<>> -p 53 www.google.com @88.198.13.180
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29523
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.google.com.                        IN      A

;; ANSWER SECTION:
www.google.com.         298     IN      A       173.194.116.148
www.google.com.         298     IN      A       173.194.116.145
www.google.com.         298     IN      A       173.194.116.146
www.google.com.         298     IN      A       173.194.116.144
www.google.com.         298     IN      A       173.194.116.147

;; Query time: 0 msec
;; SERVER: 88.198.13.180#53(88.198.13.180)
;; WHEN: Wed Aug  6 19:34:01 2014
;; MSG SIZE  rcvd: 123

# dig -p 53 www.google.com @2a01:4f8:130:1261::180
; <<>> DiG 9.7.0-P1 <<>> -p 53 www.google.com @2a01:4f8:130:1261::180
;; global options: +cmd
;; connection timed out; no servers could be reached


Thanks for any idea/suggestion on how to go further.
   Holger
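An added diagnostic script, not part of the post above and not Unbound's or BIND's own code: it sends the same kind of plain UDP A query that dig sends to each listener from the unbound config in the post and classifies the outcome, so a listener that never answers (the port-53 symptom above) can be told apart from one that answers REFUSED because of access-control, or from one where the reply is malformed. It assumes Python 3, the addresses and ports quoted in the post, and that it is run from a host that the access-control directive permits.

```python
import socket
import struct

# Listeners taken from the unbound.conf excerpt in the post
LISTENERS = [
    ("127.0.0.1", 53), ("::1", 53),
    ("88.198.13.180", 53), ("88.198.13.180", 553),
    ("2a01:4f8:130:1261::180", 53), ("2a01:4f8:130:1261::180", 553),
]

def build_query(name, qid=0x1234):
    """Build a minimal DNS A/IN query: RD set, one question, no EDNS."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels)
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)

def parse_header(resp, qid):
    """Return (rcode, answer_count) if resp is a reply to qid, else None."""
    if len(resp) < 12:
        return None
    rid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", resp[:12])
    if rid != qid or not flags & 0x8000:   # wrong id or QR bit not set
        return None
    return flags & 0x000F, an

def probe(addr, port, name="www.google.com", timeout=2.0):
    """Send one UDP query to (addr, port) and classify the result."""
    family = socket.AF_INET6 if ":" in addr else socket.AF_INET
    qid = 0x1234
    with socket.socket(family, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(build_query(name, qid), (addr, port))
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return "timeout"          # the remote port-53 symptom in the post
        except OSError as e:
            return f"error: {e}"
    parsed = parse_header(data, qid)
    if parsed is None:
        return "garbled reply"
    rcode, ancount = parsed
    # rcode 5 (REFUSED) is what unbound returns to a client outside access-control
    return f"rcode={rcode} answers={ancount}"

if __name__ == "__main__":
    for addr, port in LISTENERS:
        print(f"{addr}@{port}: {probe(addr, port)}")
```

Run it once from the remote test host and once on the server itself; a "timeout" on one (address, port) pair next to "rcode=0" on the neighbouring port reproduces the asymmetry described above in a single table.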

Unbound-users mailing list
http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users