Stephen John Smoogen
2017-Dec-10 20:10 UTC
[CentOS] Problems with dnscrypt's package from EPEL
Not sure if this is a factor yet, but your forwardzone is looking for 3 ports but only 2 ports are configured in the systemd startup.. so are 1/3 of all lookups going to fail? Or is the 6355 a 'given' (aka it will be set up whether 6353 and 6354 are setup?)

On 9 December 2017 at 16:45, C. L. Martinez <carlopmart at gmail.com> wrote:
> On Sat, Dec 09, 2017 at 10:25:41PM +0100, C. L. Martinez wrote:
>> On Sat, Dec 09, 2017 at 03:03:52PM -0500, Stephen John Smoogen wrote:
>> > On 9 December 2017 at 14:04, C. L. Martinez <carlopmart at gmail.com> wrote:
>> > > Hi all,
>> > >
>> > > I have installed dnscrypt's rpm package from EPEL repo under a CentOS 7.4 and using unbound as a resolver. But, I see constant timeouts and responses are very slow ... Using same config in a Debian 9 virtual machine, all works ok.
>> > >
>> > > I think the problem is with dnscrypt's rpm package provided by EPEL. Anyone have seen similar problems?
>> > >
>> >
>> > Can you give some more information on what you are seeing and how you
>> > have it set up? I can try to duplicate it in EPEL and/or put in bugs
>> > on the package.
>> >
>> >
>>
>> Of course and thanks in advance Stephen. My dnscrypt startup scripts use the following options:
>>
>> [Service]
>> Type=forking
>> PIDFile=/var/run/dnscrypt-cs.pid
>> ExecStart=/usr/sbin/dnscrypt-proxy \
>>     --daemonize \
>>     --user=nobody \
>>     --pidfile=/var/run/dnscrypt-cs.pid \
>>     --ephemeral-keys \
>>     --resolver-name=cs-fi \
>>     --logfile=/tmp/cs.log \
>>     --local-address=127.0.0.1:6354
>> Restart=on-abort
>>
>> [Service]
>> Type=forking
>> PIDFile=/var/run/dnscrypt-ipredator.pid
>> ExecStart=/usr/sbin/dnscrypt-proxy \
>>     --daemonize \
>>     --user=nobody \
>>     --pidfile=/var/run/dnscrypt-ipredator.pid \
>>     --ephemeral-keys \
>>     --resolver-name=ipredator \
>>     --logfile=/tmp/ipredator.log \
>>     --local-address=127.0.0.1:6353
>> Restart=on-abort
>>
>> And unbound.conf is:
>>
>> server:
>>     interface: 127.0.0.1
>>     interface: 172.22.54.4
>>     interface: ::1
>>     port: 53
>>     do-ip6: no
>>     do-udp: yes
>>     do-tcp: yes
>>     num-threads: 1
>>
>>     access-control: 0.0.0.0/0 refuse
>>     access-control: 127.0.0.0/8 allow
>>     access-control: ::0/0 refuse
>>     access-control: ::1 allow
>>     access-control: 172.22.54.0/29 allow
>>     access-control: 172.22.55.1 allow
>>
>>     hide-identity: yes
>>     hide-version: yes
>>
>>     do-not-query-localhost: no
>>     val-permissive-mode: yes
>>     val-clean-additional: yes
>>     module-config: "validator iterator"
>
> Oops .. sorry. There are more options in unbound.conf's file:
>
> remote-control:
>     control-enable: yes
>     control-use-cert: yes
>     control-interface: 127.0.0.1
>
> forward-zone:
>     name: "."
>     forward-addr: 127.0.0.1@6353
>     forward-addr: 127.0.0.1@6354
>     forward-addr: 127.0.0.1@6355
>
> Sorry.
>
> --
> Greetings,
> C. L. Martinez
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> https://lists.centos.org/mailman/listinfo/centos

--
Stephen J Smoogen.
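The mismatch raised in the message above (three `forward-addr` ports, two `dnscrypt-proxy` listeners) can be checked mechanically. This is an added example, not code from the thread or from the unbound or dnscrypt projects; the unit file names and function names are hypothetical, and the sample input is constructed from the configuration quoted above.

```python
import re

# Constructed sample input: the forward-zone quoted in this thread.
UNBOUND_CONF = """\
forward-zone:
    name: "."
    forward-addr: 127.0.0.1@6353
    forward-addr: 127.0.0.1@6354
    forward-addr: 127.0.0.1@6355
"""

# Unit file names are hypothetical; the ExecStart options come from the thread.
UNIT_FILES = {
    "dnscrypt-cs.service": "[Service]\nExecStart=/usr/sbin/dnscrypt-proxy \\\n"
        "    --resolver-name=cs-fi \\\n    --local-address=127.0.0.1:6354\n",
    "dnscrypt-ipredator.service": "[Service]\nExecStart=/usr/sbin/dnscrypt-proxy \\\n"
        "    --resolver-name=ipredator \\\n    --local-address=127.0.0.1:6353\n",
}

# forward-addr is "<ip>[@port]"; lines commented out with '#' do not match.
FORWARD_RE = re.compile(r"^\s*forward-addr:\s*([0-9A-Fa-f.:]+)(?:@(\d+))?", re.M)
# This example only handles IPv4 listeners written as "<ip>:<port>".
LISTEN_RE = re.compile(r"--local-address=([0-9.]+):(\d+)")

def forward_targets(conf):
    """Return {(ip, port)} for every forward-addr; unbound defaults to port 53."""
    return {(ip, int(port or 53)) for ip, port in FORWARD_RE.findall(conf)}

def proxy_listeners(units):
    """Map (ip, port) -> unit name for each dnscrypt-proxy --local-address."""
    listeners = {}
    for name, text in units.items():
        for ip, port in LISTEN_RE.findall(text):
            listeners[(ip, int(port))] = name
    return listeners

def unbacked_forwarders(conf, units):
    """Forward targets that no configured dnscrypt-proxy unit listens on."""
    return sorted(forward_targets(conf) - set(proxy_listeners(units)))

if __name__ == "__main__":
    for ip, port in unbacked_forwarders(UNBOUND_CONF, UNIT_FILES):
        print(f"forward-addr {ip}@{port} has no dnscrypt-proxy listener")
```
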
Sorry Stephen. I have enabled another dnscrypt process in port 6355 to test ... But no luck.

On the other side, I am not sure if dnscrypt the problem. I have replaced unbound by dnsmasq and voila! ... All it is working very fast (and dnsmasq only spends 75 MiB of RAM, when unbound spends 400 MiB). And no more SERVFAIL errors ... But I don't understand where is the problem with unbound.conf's file then. Using same config for dnscrypt and unbound in a FreeBSD vm, all works ok.

On Sun, Dec 10, 2017 at 8:10 PM, Stephen John Smoogen <smooge at gmail.com> wrote:
> Not sure if this is a factor yet, but your forwardzone is looking for
> 3 ports but only 2 ports are configured in the systemd startup.. so
> are 1/3 of all lookups going to fail? Or is the 6355 a 'given' (aka it
> will be set up whether 6353 and 6354 are setup?)
Stephen John Smoogen
2017-Dec-14 18:40 UTC
[CentOS] Problems with dnscrypt's package from EPEL
Can you give more information on the unbound setup? We use unbound in Fedora Infrastructure on RHEL-7 servers. I know there is an selinux dance we have to do to start it properly without a special policy... but I don't know exactly the details on why.

On 11 December 2017 at 03:56, C. L. Martinez <carlopmart at gmail.com> wrote:
> Sorry Stephen. I have enabled another dnscrypt process in port 6355 to
> test ... But no luck.
>
> On the other side, I am not sure if dnscrypt the problem. I have
> replaced unbound by dnsmasq and voila! ... All it is working very fast
> (and dnsmasq only spends 75 MiB of RAM, when unbound spends 400 MiB).
> And no more SERVFAIL errors ... But I don't understand where is the
> problem with unbound.conf's file then. Using same config for dnscrypt
> and unbound in a FreeBSD vm, all works ok.

--
Stephen J Smoogen.