Hi Stephen,
Many thanks for your answer. Unbound under OpenBSD is compiled with few
options:
Version 1.9.4
Configure line: --enable-allsymbols --with-ssl=/usr --with-libevent=/usr
--with-libexpat=/usr --without-pythonmodule --with-chroot-dir=/var/unbound
--with-pidfile= --with-rootkey-file=/var/unbound/db/root.key
--with-conf-file=/var/unbound/etc/unbound.conf --with-username=_unbound
--disable-shared --without-pthreads
Linked libs: pluggable-libevent 1.4.15-stable (it uses kqueue), LibreSSL 3.0.2
Linked modules: dns64 respip validator iterator
But, maybe this is not the problem ... The most relevant difference is the
"disable-rpath" flag under CentOS ... I have tried a RHEL 8.1 VM and the
problem is the same as in CentOS8 ...
--
Regards,
C. L. Martinez
On 30/03/2020, 14:32, "CentOS on behalf of Stephen John Smoogen"
<centos-bounces at centos.org on behalf of smooge at gmail.com> wrote:
On Mon, 30 Mar 2020 at 03:47, Carlos Lopez <clopmz at outlook.com>
wrote:
> Good morning,
>
> I have detected two strange problems with unbound under CentOS8 (fully
> patched). I have tried the same configuration on an OpenBSD host, and these
> problems do not appear.
>
> a/ Error message "connection refused". I am using this unbound server to
> resolve DNS records for our internal domain (Bind9 is configured to listen
> on the localhost interface, port 5353 udp, on the same host where unbound
> runs). When I try to run an nslookup query like this:
>
> > set q=any
> > my.internal.dom
> ;; Connection to 127.0.0.1#53(127.0.0.1) for my.internal.dom failed:
> connection refused.
> >
> And I don't understand why. Bind9 resolves this without problems, but
> unbound returns connection refused. Unbound is configured to listen on
> 0.0.0.0 and allow all connections (access-control: 0.0.0.0/0 allow). The
> strange thing is that it only happens with that kind of request; any other
> request works fine.
>
> b/ Unbound tries to connect to the root DNS servers directly. Every time
> unbound starts, it tries to connect to the root DNS servers directly and not
> through the internal DNS. I am using a second unbound server as a cache
> nameserver in a DMZ zone, and the unbound anchor timer service is disabled. My
> forward config is:
>
>
So I have only set up unbound on RHEL, and this is how we have always
expected it to work as a secure proxy. That would mean it is meant to talk
to the ROOT domains and also give bad answers for zones which the ROOT
zones do not have a subdomain for.
The CentOS-8 version is compiled with the following options which may be
causing some of this (would need to see how the openbsd is compiled)
configure_args --with-libevent --with-pthreads --with-ssl \\\
--disable-rpath --disable-static \\\
--enable-relro-now --enable-pie \\\
--enable-subnet --enable-ipsecmod \\\
--with-conf-file=%{_sysconfdir}/%{name}/unbound.conf \\\
--with-pidfile=%{_localstatedir}/run/%{name}/%{name}.pid \\\
--enable-sha2 --disable-gost --enable-ecdsa \\\
--with-rootkey-file=%{_sharedstatedir}/unbound/root.key
The centos-7 is
%configure --with-libevent --with-pthreads --with-ssl \
--disable-rpath --disable-static \
--enable-subnet --enable-ipsecmod \
--with-conf-file=%{_sysconfdir}/%{name}/unbound.conf \
--with-pidfile=%{_localstatedir}/run/%{name}/%{name}.pid \
%if %{with_python}
--with-pythonmodule --with-pyunbound \
%endif
--enable-sha2 --disable-gost --enable-ecdsa \
--with-rootkey-file=%{_sharedstatedir}/unbound/root.key
Looking through the default configs, it seems this is the 'default' in many
ways (getting the root items to get the latest keys etc need to be turned
off) and you need to change a lot of flags to do otherwise. You would need
to see what all the differences between the OpenBSD and the RHEL ones are.
Sorry I can't be of much more help.
> forward-zone:
> name: "."
> forward-addr: 172.22.54.6@53
>
> Any idea why these problems occur?
>
> --
> Regards,
> C. L. Martinez
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> https://lists.centos.org/mailman/listinfo/centos
>
--
Stephen J Smoogen.
Stephen John Smoogen
2020-Mar-30 12:49 UTC
[CentOS] Some problems with Unbound under CentOS8
On Mon, 30 Mar 2020 at 08:42, Carlos Lopez <clopmz at outlook.com> wrote:
> Hi Stephen,
>
> Many thanks for your answer. Unbound under OpenBSD is compiled with few
> options:
>
> Version 1.9.4
>
That may also be the difference. RHEL-8 is 1.7.3 so I don't know if that
added features or config options which the 1.9.4 has in it.
> Configure line: --enable-allsymbols --with-ssl=/usr --with-libevent=/usr
> --with-libexpat=/usr --without-pythonmodule --with-chroot-dir=/var/unbound
> --with-pidfile= --with-rootkey-file=/var/unbound/db/root.key
> --with-conf-file=/var/unbound/etc/unbound.conf --with-username=_unbound
> --disable-shared --without-pthreads
> Linked libs: pluggable-libevent 1.4.15-stable (it uses kqueue), LibreSSL
> 3.0.2
> Linked modules: dns64 respip validator iterator
>
> But, maybe this is not the problem ... The most relevant difference is the
> "disable-rpath" flag under CentOS ... I have tried a RHEL 8.1 VM and the
> problem is the same as in CentOS8 ...
>
OK I am going with version differences or config options. Are you using the
defaults with only an additional file mod for your local dns or something
else?
--
Stephen J Smoogen.
Many thanks Stephen. I am using the following options:
server:
interface: 0.0.0.0
do-ip6: no
access-control: 0.0.0.0/0 refuse
access-control: 127.0.0.0/8 allow
access-control: ::0/0 refuse
access-control: ::1 allow
access-control: 172.22.55.0/27 allow
hide-identity: yes
hide-version: yes
do-tcp: no
do-not-query-localhost: no
extended-statistics: yes
so-reuseport: yes
use-caps-for-id: yes
unblock-lan-zones: yes
insecure-lan-zones: yes
--
Regards,
C. L. Martinez
On 30/03/2020, 14:50, "CentOS on behalf of Stephen John Smoogen"
<centos-bounces at centos.org on behalf of smooge at gmail.com> wrote:
On Mon, 30 Mar 2020 at 08:42, Carlos Lopez <clopmz at outlook.com>
wrote:
> That may also be the difference. RHEL-8 is 1.7.3 so I don't know if that
> added features or config options which the 1.9.4 has in it.
>
> OK I am going with version differences or config options. Are you using the
> defaults with only an additional file mod for your local dns or something
> else?
>
> --
> Stephen J Smoogen.
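The server options posted in this message, the forward-zone for "." from the first message and the "connection refused" seen on the ANY query can be checked mechanically rather than by eye. The Python script below is an added example, not code from the thread or from the Unbound project. It parses the posted unbound.conf fragment (embedded as the sample input), reports which access-control rule Unbound's most-specific-netblock matching applies to a given client address (as posted, the rules refuse everything except loopback and 172.22.55.0/27), and flags settings worth a second look: do-tcp: no, because an answer that is truncated over UDP (common for ANY) is retried by the client over TCP, and an Unbound with TCP disabled does not accept that connection; and a missing forward-zone for ".", without which Unbound iterates from the root servers. The parser handles only the key: value syntax used in the thread, and the fallback for clients that match no rule (loopback allowed, everything else refused) is assumed from Unbound's documented defaults.

```python
"""Linter for Unbound configuration fragments (added example, not Unbound's own code)."""
import ipaddress
import re

# The configuration posted in the thread, combined into one sample input.
POSTED_CONF = """
server:
    interface: 0.0.0.0
    do-ip6: no
    access-control: 0.0.0.0/0 refuse
    access-control: 127.0.0.0/8 allow
    access-control: ::0/0 refuse
    access-control: ::1 allow
    access-control: 172.22.55.0/27 allow
    hide-identity: yes
    hide-version: yes
    do-tcp: no
    do-not-query-localhost: no
    extended-statistics: yes
    so-reuseport: yes
    use-caps-for-id: yes
    unblock-lan-zones: yes
    insecure-lan-zones: yes

forward-zone:
    name: "."
    forward-addr: 172.22.54.6@53
"""

# One "key: value" line; a bare "key:" (empty value) opens a block such as server:.
_LINE = re.compile(r"^\s*([A-Za-z][\w-]*):\s*(.*?)\s*$")


def parse_unbound_conf(text):
    """Parse the subset of unbound.conf syntax used in the thread.

    Returns {"server": {key: [values]}, "forward-zone": [{key: [values]}, ...]}.
    include:, multi-line values and other block types are not handled."""
    conf = {"server": {}, "forward-zone": []}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments
        m = _LINE.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip('"')
        if value == "":  # block header
            if key == "forward-zone":
                current = {}
                conf["forward-zone"].append(current)
            elif key == "server":
                current = conf["server"]
            else:
                current = {}  # other blocks are parsed but not kept
            continue
        if current is not None:
            current.setdefault(key, []).append(value)
    return conf


def access_decision(conf, client_ip):
    """Action Unbound applies to client_ip: the most specific matching netblock wins.
    Clients matching no rule fall back to the assumed built-in defaults
    (loopback allowed, everything else refused)."""
    addr = ipaddress.ip_address(client_ip)
    best = None
    for rule in conf["server"].get("access-control", []):
        net_s, action = rule.split()
        net = ipaddress.ip_network(net_s, strict=False)
        if net.version == addr.version and addr in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, action)
    if best is not None:
        return best[1]
    return "allow" if addr.is_loopback else "refuse"


def lint(conf):
    """Return findings about settings that commonly surprise operators."""
    findings = []
    server = conf["server"]
    if server.get("do-tcp", ["yes"])[0].lower() == "no":
        findings.append("do-tcp: no - answers truncated over UDP (TC=1, typical for ANY) "
                        "cannot be retried over TCP; the client's TCP connect is refused")
    if server.get("interface", [""])[0] == "0.0.0.0":
        open_rules = [r for r in server.get("access-control", []) if r.endswith("/0 allow")]
        if open_rules:
            findings.append("listening on all interfaces with an open rule: " + ", ".join(open_rules))
    names = [z.get("name", ["?"])[0] for z in conf["forward-zone"]]
    if "." not in names:
        findings.append("no forward-zone for '.': unlisted zones are resolved from the root servers")
    for z in conf["forward-zone"]:
        if not z.get("forward-addr") and not z.get("forward-host"):
            findings.append("forward-zone %s has no forward-addr/forward-host" % z.get("name", ["?"])[0])
    return findings


if __name__ == "__main__":
    c = parse_unbound_conf(POSTED_CONF)
    for ip in ("127.0.0.1", "172.22.55.5", "172.22.55.40", "10.1.2.3"):
        print(ip, "->", access_decision(c, ip))
    for f in lint(c):
        print("finding:", f)
```

Run it against a real unbound.conf by reading the file into parse_unbound_conf instead of POSTED_CONF; the access_decision check is the quick way to confirm whether a client that reports "refused" is actually covered by an allow rule or only by the catch-all refuse.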