Hi Fongaboo,
On 21/05/16 00:30, Fongaboo via Unbound-users wrote:
> I have (the stock*) Unbound running on FreeBSD 10. I have unbound-control set up on the Unbound server itself and am successfully controlling it via localhost.
> But I have another machine connected to the server via a backend connection on the 10.x.x.x private network. I want to run unbound-control on that machine and control the remote (albeit one backend hop away) server.
> I've been looking at docs and tutorials, and it's not clear what has to be configured where for this scenario.
> I've run unbound-control on the remote client and it complains that I have no unbound.conf file. But is that file ONLY for the configuration of a server? Would I need to have an unbound.conf file on the client machine?
> A couple of things are not clear to me... Do I run unbound-control-setup on the client machine? I assume I'd have to copy keys to the server? But if so, how do I store them and refer to them without breaking my localhost control for unbound-control on the server itself?
> I tried adding 'control-interface: <server backend IP>' to the remote-control section of unbound.conf on the server. I interpreted this to mean that it should listen for control connections on that interface. But I got:
>
> [1463783089] unbound-control[83533:0] error: connect: Connection refused for <server IP>
> I suppose I might have some firewall concerns. But before I go off on that tangent, I'd just like to get straight:
>
> 1) Do I run unbound-control on the client machine?
Yes with -c some_other_config_file that has the appropriate settings.
> 2) What should I have in unbound.conf on the client machine (if at all)?
That some_other_config_file has a remote-control section. The control-interface there specifies the IP address of the server machine that it controls. Then you need the cert and pem files (but not the private server key file). Copy those files from the server machine to some location on the client. Set the pathnames correctly for those three files (server cert, client pem, client cert).
> 3) What should I have in unbound.conf on the server?
>
> 4) What key exchanging and referencing (in config files) do I need to keep control with unbound-control going on both the remote client and localhost?
If you copy the files you can have any number of controlling clients. (It is possible to sign a separate certificate for every controlling client, i.e. this is PKIX cert stuff; but you can also just copy the client cert that the localhost on the server was using.) If you want to create more client certs, move away the client certs and re-run unbound-control-setup; that will preserve the server cert and generate a new client cert for you.
Best regards, Wouter
> TIA
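The two remote-control sections that Wouter's answer describes, written out as an added example (this is not configuration from the original thread or from the Unbound project). The server address 10.0.0.1, the file locations under /usr/local/etc/unbound (the FreeBSD port default) and the client config name remote-client.conf are assumptions for illustration.

```conf
# Added example, not from the original thread. Addresses and paths are assumed.

# ---- on the Unbound server: /usr/local/etc/unbound/unbound.conf ----
remote-control:
    control-enable: yes
    # Listen on localhost (keeps the existing local unbound-control working)
    # AND on the backend address the client will connect to. The option
    # may be given more than once. Changing it requires an unbound restart,
    # not just a reload; "connect: Connection refused" is what the client
    # sees while the server is not yet listening on that address.
    control-interface: 127.0.0.1
    control-interface: 10.0.0.1
    control-port: 8953
    server-key-file: "/usr/local/etc/unbound/unbound_server.key"
    server-cert-file: "/usr/local/etc/unbound/unbound_server.pem"
    control-key-file: "/usr/local/etc/unbound/unbound_control.key"
    control-cert-file: "/usr/local/etc/unbound/unbound_control.pem"

# ---- on the client: /usr/local/etc/unbound/remote-client.conf ----
# Only the three files the client needs are copied over (server cert,
# client key, client cert). unbound_server.key, the server's private key,
# stays on the server. unbound-control uses only the remote-control
# settings from this file, so no server: section is required.
remote-control:
    control-enable: yes
    # Here control-interface is the address of the server to control.
    control-interface: 10.0.0.1
    control-port: 8953
    server-cert-file: "/usr/local/etc/unbound/remote/unbound_server.pem"
    control-key-file: "/usr/local/etc/unbound/remote/unbound_control.key"
    control-cert-file: "/usr/local/etc/unbound/remote/unbound_control.pem"
```

On the client this is then used as `unbound-control -c /usr/local/etc/unbound/remote-client.conf status`; the local unbound-control on the server keeps working unchanged because 127.0.0.1 is still listed. If the connection is still refused after the restart, check that TCP 8953 is allowed from the client on the backend interface. Note that unbound_control.key is the credential here: anyone who can read it can control the resolver over the backend network, so keep it mode 0600 and owned by whoever runs unbound-control on the client, and consider generating a separate client cert per controlling host as Wouter describes so one can be revoked without touching the others.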