[Bug 238819] local-unbound
bugzilla-noreply at freebsd.org
Wed Jun 26 09:35:25 UTC 2019
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=238819
Bug ID: 238819
Summary: local-unbound
Product: Base System
Version: 12.0-STABLE
Hardware: Any
OS: Any
Status: New
Severity: Affects Only Me
Priority: ---
Component: conf
Assignee: bugs at FreeBSD.org
Reporter: tschweikle at gmail.com
Default setup as a local resolver leads to any queried address not being answered.
After setting up local-unbound using
# sysrc local_unbound_enable=YES
# service local_unbound start
unbound is running, but querying 'google.com':
# host google.com
Host google.com not found: 2(SERVFAIL)
Removing unbound, or avoiding it, leads to:
# host google.com 10.161.18.34
Using domain server:
Name: 10.161.18.34
Address: 10.161.18.34#53
Aliases:
google.com has address 172.217.21.238
google.com has IPv6 address 2a00:1450:4001:81d::200e
google.com mail is handled by 10 aspmx.l.google.com.
google.com mail is handled by 50 alt4.aspmx.l.google.com.
google.com mail is handled by 30 alt2.aspmx.l.google.com.
google.com mail is handled by 20 alt1.aspmx.l.google.com.
google.com mail is handled by 40 alt3.aspmx.l.google.com.
Unbound shall be configured to:
- allow at least localhost to query
- allow any network address including private ones to be returned
- allow any network reverse lookup including private ones to be returned
Unbound shall NOT:
- assume secure dns or anything else from /etc/resolv.conf found forwarder
- assume signed dns query or answers or any such stuff
Unbound may, indeed, warn if forwarders are not using signed answers.
The actual setup for using unbound as a local resolver is useless. Such shall
work out of the box, and leave it up to the OP to remove options or comment
them in for more security.
local-unbound generates configurations not adequate for most scenarios out in
the wild. Most people will stumble and remove it again, because it is not
working within their environment (maybe just because lack of signed dns from
their router/provider).
Local-unbound generated configuration:
# cat control.conf
# This file was generated by local-unbound-setup.
# Modifications will be overwritten.
remote-control:
    control-enable: yes
    control-interface: /var/run/local_unbound.ctl
    control-use-cert: no

# cat forward.conf
# This file was generated by local-unbound-setup.
# Modifications will be overwritten.
forward-zone:
    name: .
    forward-addr: 10.161.18.34
    forward-addr: 10.177.18.34

# cat lan-zones.conf
# This file was generated by local-unbound-setup.
# Modifications will be overwritten.
server:
    # Unblock reverse lookups for LAN addresses
    unblock-lan-zones: yes
    insecure-lan-zones: yes

# cat unbound.conf
# This file was generated by local-unbound-setup.
# Modifications will be overwritten.
server:
    username: unbound
    directory: /var/unbound
    chroot: /var/unbound
    pidfile: /var/run/local_unbound.pid
    auto-trust-anchor-file: /var/unbound/root.key
include: /var/unbound/forward.conf
include: /var/unbound/lan-zones.conf
include: /var/unbound/control.conf
include: /var/unbound/conf.d/*.conf
Missing are:
- allow localhost to query
- allow private addresses
- allow private addresses reverse lookup
- don't cache failed requests to forwarders (may lead to problems if your
printer was turned off, you tried to print, and then you notice it is turned off.
You turn it on and then: printing just fails, because unbound did cache the
"notfound").
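A conf.d drop-in that supplies the settings listed as missing above while keeping DNSSEC validation switched on, picked up through the generated `include: /var/unbound/conf.d/*.conf` line. This is an added example, not part of the bug report or of local-unbound-setup; the file name and the `corp.example` internal domain are assumptions, and the rebinding filter (`private-address`) goes a step beyond what the report asks for.

```conf
# /var/unbound/conf.d/site.conf   (file name is an assumption)
# Loaded by the generated unbound.conf through
#   include: /var/unbound/conf.d/*.conf
server:
    # 1. Who may query. unbound refuses everything except localhost by
    #    default, so these lines only make that policy explicit; widen
    #    them (e.g. 10.0.0.0/8) only if other hosts should use this cache.
    access-control: 127.0.0.0/8 allow
    access-control: ::1/128 allow

    # 2. Private addresses in answers. unbound does not filter RFC 1918
    #    space unless private-address is set. Enabling it blocks DNS
    #    rebinding, but then the internal zone must be whitelisted with
    #    private-domain or its LAN records are dropped.
    private-address: 10.0.0.0/8
    private-address: 172.16.0.0/12
    private-address: 192.168.0.0/16
    private-domain: "corp.example"   # assumption: the site's internal zone

    # 3. Reverse lookups for private ranges are already handled by the
    #    generated lan-zones.conf (unblock-lan-zones / insecure-lan-zones).
    #    An unsigned internal forward zone must be marked as well,
    #    otherwise the validator answers SERVFAIL for it.
    domain-insecure: "corp.example"

    # 4. Negative caching. Keep NXDOMAIN/failed answers only briefly so a
    #    device that comes back online is found again quickly.
    cache-max-negative-ttl: 60

    # 5. Forwarders that strip DNSSEC records. Rather than disabling
    #    validation, let unvalidated answers through (without the AD
    #    flag) and log every validation failure, which is the "warn"
    #    behaviour the report asks for.
    val-permissive-mode: yes
    val-log-level: 2
```

Check the result with `local-unbound-checkconf` and `service local_unbound restart`; `drill -D google.com @127.0.0.1` then shows whether an answer came back validated (ad flag set) or was only let through by permissive mode.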