Hi Andreas,

On 18/04/2025 23:28, A. Schulze via nsd-users wrote:
> I added #437 to my build. It works, somehow...
>
> I cannot imagine a scenario for any (resolver?) software to implicitly
> send a SOA probe over UDP to port 853 / not port 53
> Could you clarify this, please?

Unbound is an example: when configured with auth zones, it will send the SOA probe over UDP before starting a zone transfer.

> There is also a difference to the same solution for that problem in
> unbound:
> While "netstat -lnpu" does not show open UDP sockets for DoT and DoH on
> unbound, NSD is different:
> "netstat -lnpu" shows an open Port for Do53 and DoT. Do53/UDP does
> timeout on Port 853, though.

Just to be clear with terminology (Do53 does not help if the port is not 53 :), you want to say that when a #437-patched NSD is configured for TLS over port 853 you expect to see only TCP open on 853 but you also see UDP open on 853?
If that is the case, the PR also needs more work apparently :)

> It looks like #437 works very different from the code implemented in
> unbound.

Unbound and NSD are very different in how they set up listening interfaces.

Best regards,
-- Yorgos
Hello Yorgos,

On 22.04.25 at 15:20, Yorgos Thessalonikefs via nsd-users wrote:
> Unbound is an example: when configured with auth zones, it will send the SOA probe over UDP before starting a zone transfer.

Correct, I verified that with such an unbound.conf (10.0.0.2 is an NSD serving the zone 'example.' over 53/UDP, 53/TCP and 853/TLS = TCP):

auth-zone:
  name: "example."
  for-downstream: no
  for-upstream: yes
  fallback-enabled: yes
  primary: 10.0.0.2@853#nsd
  zonefile: "/spool/auth-zones/example"

With tcpdump I saw unbound
 - asking 10.0.0.2@53 via UDP for a SOA record, then
 - transferring the zone over a TLS connection to 10.0.0.2@853 / TCP

I did not see any traffic to 10.0.0.2@853 / UDP.

> ... you expect to see only TCP open on 853 but you also see UDP open on 853?

Yes, NSD even writes it to my log:

nsd_1 | [2025-04-23 21:54:21.848] nsd[1]: notice: nsd starting (NSD 4.12.0)
nsd_1 | [2025-04-23 21:54:21.848] nsd[1]: notice: listen on ip-address 10.0.0.2@53 (udp) with server(s): *
nsd_1 | [2025-04-23 21:54:21.848] nsd[1]: notice: listen on ip-address 10.0.0.2@53 (tcp) with server(s): *
nsd_1 | [2025-04-23 21:54:21.848] nsd[1]: notice: listen on ip-address 10.0.0.2@853 (udp) with server(s): -
nsd_1 | [2025-04-23 21:54:21.848] nsd[1]: notice: listen on ip-address 10.0.0.2@853 (tcp) with server(s): *
nsd_1 | [2025-04-23 21:54:21.848] nsd[1]: info: creating unix socket /run/nsd-control.socket
nsd_1 | [2025-04-23 21:54:21.871] nsd[20]: info: zone . read with success
nsd_1 | [2025-04-23 21:54:21.871] nsd[20]: info: zone example. read with success
nsd_1 | [2025-04-23 21:54:21.871] nsd[20]: notice: nsd started (NSD 4.12.0), pid 1

Notice the '-' at the end of the 853-UDP line, while the other lines end with '*'. No idea what that means...

In the NSD container I run:

root@nsd:/# netstat -lnpt | grep 10.0.0.2
tcp        0      0 10.0.0.2:53       0.0.0.0:*       LISTEN      -
tcp        0      0 10.0.0.2:853      0.0.0.0:*       LISTEN      -
root@nsd:/# netstat -lnpu | grep 10.0.0.2
udp        0      0 10.0.0.2:53       0.0.0.0:*                   -
udp        0      0 10.0.0.2:853      0.0.0.0:*                   -

Andreas
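The check Andreas performs by hand above (reading the NSD "listen on ip-address" notices and the netstat output for a UDP socket on the TLS port) can be scripted so that it runs after every restart. The following Python is an added example and not code from this thread, from NSD or from Unbound; the sample log and netstat lines are constructed from the ones quoted in the mail, and it is an assumption that NSD prints the address as `ip@port` (the regex also accepts the ` at ` spelling the list archive produces).

```python
import re
from dataclasses import dataclass

# Constructed sample: the NSD 4.12.0 startup notices quoted above
# (the "nsd_1 |" prefix is what docker-compose prepends to container output).
SAMPLE_LOG = """\
nsd_1 | [2025-04-23 21:54:21.848] nsd[1]: notice: nsd starting (NSD 4.12.0)
nsd_1 | [2025-04-23 21:54:21.848] nsd[1]: notice: listen on ip-address 10.0.0.2@53 (udp) with server(s): *
nsd_1 | [2025-04-23 21:54:21.848] nsd[1]: notice: listen on ip-address 10.0.0.2@53 (tcp) with server(s): *
nsd_1 | [2025-04-23 21:54:21.848] nsd[1]: notice: listen on ip-address 10.0.0.2@853 (udp) with server(s): -
nsd_1 | [2025-04-23 21:54:21.848] nsd[1]: notice: listen on ip-address 10.0.0.2@853 (tcp) with server(s): *
nsd_1 | [2025-04-23 21:54:21.848] nsd[1]: info: creating unix socket /run/nsd-control.socket
"""

# Constructed sample: output of "netstat -lnpu | grep 10.0.0.2" in the container.
SAMPLE_NETSTAT_UDP = """\
udp        0      0 10.0.0.2:53       0.0.0.0:*                   -
udp        0      0 10.0.0.2:853      0.0.0.0:*                   -
"""

# Assumption: NSD logs the bound address as "ip@port"; " at " is accepted as
# well because mailing-list archives rewrite "@" that way.
LISTEN_RE = re.compile(
    r"listen on ip-address (?P<ip>[^\s@]+)(?:@| at )(?P<port>\d+) "
    r"\((?P<proto>udp|tcp)\) with server\(s\): (?P<servers>\S+)"
)

@dataclass(frozen=True)
class Listener:
    ip: str
    port: int
    proto: str
    servers: str  # "*" = all server processes, "-" = no server assigned

def parse_listeners(log_text):
    """Extract every 'listen on ip-address' notice from NSD's startup log."""
    found = []
    for line in log_text.splitlines():
        m = LISTEN_RE.search(line)
        if m:
            found.append(Listener(m["ip"], int(m["port"]), m["proto"], m["servers"]))
    return found

def udp_on_tls_ports(listeners, tls_ports=(853,)):
    """UDP sockets bound on ports that should carry TLS (TCP) only."""
    return [l for l in listeners if l.proto == "udp" and l.port in tls_ports]

def unserved_listeners(listeners):
    """Sockets NSD bound but assigned to no server process ('-')."""
    return [l for l in listeners if l.servers == "-"]

def parse_netstat_udp(netstat_text):
    """Return the set of (ip, port) local endpoints from 'netstat -lnpu' output."""
    endpoints = set()
    for line in netstat_text.splitlines():
        cols = line.split()
        if len(cols) < 4 or not cols[0].startswith("udp"):
            continue
        ip, port = cols[3].rsplit(":", 1)  # rsplit keeps IPv6 addresses intact
        endpoints.add((ip, int(port)))
    return endpoints

def confirmed_udp_tls_ports(log_text, netstat_text, tls_ports=(853,)):
    """Ports where both the NSD log and the kernel (netstat) show a UDP socket."""
    logged = {(l.ip, l.port) for l in udp_on_tls_ports(parse_listeners(log_text), tls_ports)}
    return sorted(logged & parse_netstat_udp(netstat_text))

if __name__ == "__main__":
    for ip, port in confirmed_udp_tls_ports(SAMPLE_LOG, SAMPLE_NETSTAT_UDP):
        print(f"UDP socket open on TLS port: {ip}:{port}")
```

Run against the real container by feeding it the NSD log and the output of `netstat -lnpu`; an empty result after applying #437 would confirm that the UDP socket on 853 is no longer bound, while the '-' server column from the log tells you that the socket, although bound, is not served by any NSD server process.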