CentOS - Dec 2017 - Problems with dnscrypt's package from EPEL

On Sat, Dec 09, 2017 at 03:03:52PM -0500, Stephen John Smoogen
wrote:
> On 9 December 2017 at 14:04, C. L. Martinez <carlopmart at gmail.com>
wrote:
> > Hi all,
> >
> >  I have installed dnscrypt's rpm package from EPEL repo under a
CentOS 7.4 and using unbound as a resolver. But, I see constant timeouts and
responses are very slow ... Using same config in a Debian 9 virtual machine, all
works ok.
> >
> >  I think the problem is with dnscrypt's rpm package provided by
EPEL. Anyone have seen similar problems?
> >
> 
> Can you give some more information on what you are seeing and how you
> have it set up? I can try to duplicate it in EPEL and/or put in bugs
> on the package.
> 
> 
Of course and thanks in advance Stephen. My dnscrypt startup scripts use the
following options:

[Service]
Type=forking
PIDFile=/var/run/dnscrypt-cs.pid
ExecStart=/usr/sbin/dnscrypt-proxy \
	--daemonize \
	--user=nobody \
	--pidfile=/var/run/dnscrypt-cs.pid \
	--ephemeral-keys \
	--resolver-name=cs-fi \
	--logfile=/tmp/cs.log \
	--local-address=127.0.0.1:6354
Restart=on-abort

[Service]
Type=forking
PIDFile=/var/run/dnscrypt-ipredator.pid
ExecStart=/usr/sbin/dnscrypt-proxy \
	--daemonize \
	--user=nobody \
	--pidfile=/var/run/dnscrypt-ipredator.pid \
	--ephemeral-keys \
	--resolver-name=ipredator \
	--logfile=/tmp/ipredator.log \
	--local-address=127.0.0.1:6353
Restart=on-abort

And unbound.conf is: 

server:
	interface: 127.0.0.1
	interface: 172.22.54.4
	interface: ::1
	port: 53
	do-ip6: no
	do-udp: yes
	do-tcp: yes
	num-threads: 1

	access-control: 0.0.0.0/0 refuse
	access-control: 127.0.0.0/8 allow
	access-control: ::0/0 refuse
	access-control: ::1 allow
	access-control: 172.22.54.0/29 allow
	access-control: 172.22.55.1 allow

	hide-identity: yes
	hide-version: yes

	do-not-query-localhost: no
	val-permissive-mode: yes
	val-clean-additional: yes
	module-config: "validator iterator"
-- 
Greetings,
C. L. Martinez

On Sat, Dec 09, 2017 at 10:25:41PM +0100, C. L. Martinez
wrote:
> On Sat, Dec 09, 2017 at 03:03:52PM -0500, Stephen John Smoogen wrote:
> > On 9 December 2017 at 14:04, C. L. Martinez <carlopmart at
gmail.com> wrote:
> > > Hi all,
> > >
> > >  I have installed dnscrypt's rpm package from EPEL repo under
a CentOS 7.4 and using unbound as a resolver. But, I see constant timeouts and
responses are very slow ... Using same config in a Debian 9 virtual machine, all
works ok.
> > >
> > >  I think the problem is with dnscrypt's rpm package provided
by EPEL. Anyone have seen similar problems?
> > >
> > 
> > Can you give some more information on what you are seeing and how you
> > have it set up? I can try to duplicate it in EPEL and/or put in bugs
> > on the package.
> > 
> > 
> 
> Of course and thanks in advance Stephen. My dnscrypt startup scripts use
the following options:
> 
> [Service]
> Type=forking
> PIDFile=/var/run/dnscrypt-cs.pid
> ExecStart=/usr/sbin/dnscrypt-proxy \
> 	--daemonize \
> 	--user=nobody \
> 	--pidfile=/var/run/dnscrypt-cs.pid \
> 	--ephemeral-keys \
> 	--resolver-name=cs-fi \
> 	--logfile=/tmp/cs.log \
> 	--local-address=127.0.0.1:6354
> Restart=on-abort
> 
> [Service]
> Type=forking
> PIDFile=/var/run/dnscrypt-ipredator.pid
> ExecStart=/usr/sbin/dnscrypt-proxy \
> 	--daemonize \
> 	--user=nobody \
> 	--pidfile=/var/run/dnscrypt-ipredator.pid \
> 	--ephemeral-keys \
> 	--resolver-name=ipredator \
> 	--logfile=/tmp/ipredator.log \
> 	--local-address=127.0.0.1:6353
> Restart=on-abort
> 
> And unbound.conf is: 
> 
> server:
> 	interface: 127.0.0.1
> 	interface: 172.22.54.4
> 	interface: ::1
> 	port: 53
> 	do-ip6: no
> 	do-udp: yes
> 	do-tcp: yes
> 	num-threads: 1
> 
> 	access-control: 0.0.0.0/0 refuse
> 	access-control: 127.0.0.0/8 allow
> 	access-control: ::0/0 refuse
> 	access-control: ::1 allow
> 	access-control: 172.22.54.0/29 allow
> 	access-control: 172.22.55.1 allow
> 
> 	hide-identity: yes
> 	hide-version: yes
> 
> 	do-not-query-localhost: no
> 	val-permissive-mode: yes
> 	val-clean-additional: yes
> 	module-config: "validator iterator"
Oops .. sorry. There are more options in unbound.conf's file:

remote-control:
	control-enable: yes
	control-use-cert: yes
	control-interface: 127.0.0.1

forward-zone:
	name: "."
	forward-addr: 127.0.0.1 at 6353
	forward-addr: 127.0.0.1 at 6354
	forward-addr: 127.0.0.1 at 6355

Sorry.

-- 
Greetings,
C. L. Martinez

Not sure if this is a factor yet, but your forwardzone is looking for
3 ports but only 2 ports are configured in the systemd startup.. so
are 1/3 of all lookups going to fail? Or is the 6355 a 'given' (aka it
will be set up whether 6353 and 6354 are setup?)

On 9 December 2017 at 16:45, C. L. Martinez <carlopmart at gmail.com>
wrote:
> On Sat, Dec 09, 2017 at 10:25:41PM +0100, C. L. Martinez wrote:
>> On Sat, Dec 09, 2017 at 03:03:52PM -0500, Stephen John Smoogen wrote:
>> > On 9 December 2017 at 14:04, C. L. Martinez <carlopmart at
gmail.com> wrote:
>> > > Hi all,
>> > >
>> > >  I have installed dnscrypt's rpm package from EPEL repo
under a CentOS 7.4 and using unbound as a resolver. But, I see constant timeouts
and responses are very slow ... Using same config in a Debian 9 virtual machine,
all works ok.
>> > >
>> > >  I think the problem is with dnscrypt's rpm package
provided by EPEL. Anyone have seen similar problems?
>> > >
>> >
>> > Can you give some more information on what you are seeing and how
you
>> > have it set up? I can try to duplicate it in EPEL and/or put in
bugs
>> > on the package.
>> >
>> >
>>
>> Of course and thanks in advance Stephen. My dnscrypt startup scripts
use the following options:
>>
>> [Service]
>> Type=forking
>> PIDFile=/var/run/dnscrypt-cs.pid
>> ExecStart=/usr/sbin/dnscrypt-proxy \
>>       --daemonize \
>>       --user=nobody \
>>       --pidfile=/var/run/dnscrypt-cs.pid \
>>       --ephemeral-keys \
>>       --resolver-name=cs-fi \
>>       --logfile=/tmp/cs.log \
>>       --local-address=127.0.0.1:6354
>> Restart=on-abort
>>
>> [Service]
>> Type=forking
>> PIDFile=/var/run/dnscrypt-ipredator.pid
>> ExecStart=/usr/sbin/dnscrypt-proxy \
>>       --daemonize \
>>       --user=nobody \
>>       --pidfile=/var/run/dnscrypt-ipredator.pid \
>>       --ephemeral-keys \
>>       --resolver-name=ipredator \
>>       --logfile=/tmp/ipredator.log \
>>       --local-address=127.0.0.1:6353
>> Restart=on-abort
>>
>> And unbound.conf is:
>>
>> server:
>>       interface: 127.0.0.1
>>       interface: 172.22.54.4
>>       interface: ::1
>>       port: 53
>>       do-ip6: no
>>       do-udp: yes
>>       do-tcp: yes
>>       num-threads: 1
>>
>>       access-control: 0.0.0.0/0 refuse
>>       access-control: 127.0.0.0/8 allow
>>       access-control: ::0/0 refuse
>>       access-control: ::1 allow
>>       access-control: 172.22.54.0/29 allow
>>       access-control: 172.22.55.1 allow
>>
>>       hide-identity: yes
>>       hide-version: yes
>>
>>       do-not-query-localhost: no
>>       val-permissive-mode: yes
>>       val-clean-additional: yes
>>       module-config: "validator iterator"
>
> Oops .. sorry. There are more options in unbound.conf's file:
>
> remote-control:
>         control-enable: yes
>         control-use-cert: yes
>         control-interface: 127.0.0.1
>
> forward-zone:
>         name: "."
>         forward-addr: 127.0.0.1 at 6353
>         forward-addr: 127.0.0.1 at 6354
>         forward-addr: 127.0.0.1 at 6355
>
> Sorry.
>
> --
> Greetings,
> C. L. Martinez
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> https://lists.centos.org/mailman/listinfo/centos


-- 
Stephen J Smoogen.