Unbound(8) caching resolver no workie on fresh install :-(

Frank Shute frank at woodcruft.co.uk
Sun Oct 15 17:26:55 UTC 2017


On Thu, Oct 12, 2017 at 09:58:25AM -0700, Ronald F. Guilmette wrote:
>
> 
> In message <CA+4G5KY727cJ=Lp-hU77DH03d+Kw9iHD9cpBUqT24h7jWDPYLw at mail.gmail.com>
> Erwan Legrand <freebsd at erwanlegrand.com> wrote:
> 
> >On Thu, Oct 12, 2017 at 6:57 AM, Ronald F. Guilmette
> ><rfg at tristatelogic.com> wrote:
> >> After the install finished and I booted the new system, I immediately
> >> got some console errors indicating that the various default NTP servers
> >> (I also enabled NTP) were not resolving. :-(
> >
> >This could happen if you forward queries to servers which strip DNSSEC
> >signatures. If that is the case, you have two options: either you stop
> >forwarding to these servers or you disable the DNSSEC support in
> >Unbound.
> 
> OK, this is a little bit confusing to me, so please bear with me...
> 
> My *router* (Linksys E4200) has been configured to tell DHCP clients
> to use the two public name servers of OpenDNS, i.e. 208.67.222.222
> and 208.67.220.220.
> 
> However I'm unclear on what, if anything, this has to do with the Unbound(8)
> caching resolver.

If you're going to run unbound(8) then you want to tell your DHCP clients
to use the local IP of the box unbound is running on, i.e. a local (what
used to be known as a 'Class C') address: 192.168.*.* or 10.*.*.* or
176...etc.

ATM, all your clients are going out on the 'net to the OpenDNS servers for
name resolution.

What you need to do on the box running unbound, is configure
your dhclient.conf(5) on that machine to have the following in it:

interface "re0" {
	prepend domain-name-servers 127.0.0.1;
}

Obviously, you may need to change "re0" to whatever NIC you use.

For other clients on the LAN, I'd suggest you configure the dhcp server on
your router to give them the local address of your unbound machine as the
nameserver followed by something out on the 'net in case your unbound
machine goes down.

In unbound.conf(5) you need:

forward-zone:
      name: "."
      forward-addr: 208.67.222.222  # OpenDNS
      forward-addr: 208.67.220.220  # OpenDNS

Personally, I prefer to use my ISP's nameservers. They're closer and no
shenanigans.

It's also worth grabbing root.hints:

# fetch https://www.internic.net/domain/named.root -o /var/unbound/named.root
# chown unbound:wheel /var/unbound/named.root

(maybe make it a monthly cron job)

and in unbound.conf you need:

server:
	root-hints: "/var/unbound/named.root"


> 
> During this (fresh) install, I -never- explicitly selected any option that
> would obviously have the effect of telling unbound to forward/route all
> of its DNS queries through any other specific name servers.  So why on
> earth would it be doing so?
> 
> I mean I -thought- that this was (mostly) the whole point of running a
> local caching resolver, i.e. that *it* would do all of the DNS lookups
> itself, traversing/descending its way, as necessary, down from the root
> zone servers until it found what it was looking for.
> 
> I don't know if the OpenDNS servers strip DNSSEC stuff or not, but again,
> I don't see why Unbound(8) should even be using those servers anyway.
> Just because my router is giving those two specific IPv4 addresses to
> each of its DHCP clients, that doesn't mean that any of those clients
> are in any way forced to use them.  And I don't see why Unbound(8) would
> be doing so.

My understanding is that if you negotiate a lease from a dhcp server and
it's configured to tell you which nameserver(s) to use, then by default
your resolv.conf will be overwritten with the IPs of those nameserver(s)
and the client's resolver will use them. Have a look at resolvconf(8) &
the manpages referenced in the 'SEE ALSO:' of that manpage.

Of course, you can change that behaviour.

> 
> If it isn't, and if unbound is, as I believed, traversing the DNS tree itself,
> starting from the root each time, then there is nobody and nothing between
> it and the authoritative servers for whatever it happens to be looking
> for -- thus, no filtering of DNSSEC, and thus, the resolution failures
> I described are still mysterious... to me anyway.
> 
> What am I missing?

I can't tell you about DNSSEC because I don't use it.


Regards,

-- 

Frank
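As an added check (not part of Frank's message or the thread), the following POSIX shell script verifies that the dhclient.conf and unbound.conf changes described above actually took effect: it reports whether the first nameserver in resolv.conf is loopback (otherwise DHCP is still steering lookups past unbound), whether the root-hints file is present and younger than the monthly refresh, and which forward-addr entries are in use. The file paths and the 35-day threshold are arguments and are assumptions.

```shell
# Constructed check, not from the thread: confirm a FreeBSD host really
# sends its lookups through the local unbound(8). Paths are arguments (assumed).
# first_nameserver RESOLV_CONF -> prints the first nameserver entry
first_nameserver() {
    awk '$1 == "nameserver" { print $2; exit }' "$1"
}
# resolver_is_local RESOLV_CONF -> true only if the first nameserver is
# loopback; otherwise DHCP has overwritten resolv.conf with remote servers
resolver_is_local() {
    case "$(first_nameserver "$1")" in
        127.0.0.1|::1) return 0 ;;
        *) return 1 ;;
    esac
}
# root_hints_path UNBOUND_CONF -> prints the root-hints file, quotes stripped
root_hints_path() {
    awk '$1 == "root-hints:" { gsub(/"/, "", $2); print $2; exit }' "$1"
}
# forward_addrs UNBOUND_CONF -> one forward-addr per line, comments dropped
forward_addrs() {
    awk '$1 == "forward-addr:" { print $2 }' "$1"
}
# hints_fresh FILE DAYS -> true if FILE exists and is at most DAYS days old
hints_fresh() {
    [ -f "$1" ] && [ -z "$(find "$1" -mtime +"$2")" ]
}
# check_resolver RESOLV_CONF UNBOUND_CONF MAX_DAYS -> prints findings and
# returns the number of problems (0 = clients actually use unbound)
check_resolver() {
    problems=0
    if resolver_is_local "$1"; then
        echo "ok: first nameserver in $1 is loopback"
    else
        echo "WARN: first nameserver is $(first_nameserver "$1"); lookups bypass unbound"
        problems=$((problems + 1))
    fi
    hints=$(root_hints_path "$2")
    if [ -n "$hints" ] && hints_fresh "$hints" "$3"; then
        echo "ok: root hints $hints present and newer than $3 days"
    else
        echo "WARN: root-hints not set in $2, or $hints missing/older than $3 days"
        problems=$((problems + 1))
    fi
    fwd=$(forward_addrs "$2" | tr '\n' ' ')
    [ -n "$fwd" ] && echo "note: forwarding to $fwd(a forwarder that strips DNSSEC breaks validation)"
    return "$problems"
}
```

Run it as `check_resolver /etc/resolv.conf /var/unbound/unbound.conf 35` on the unbound host; a non-zero exit status means at least one of the checks failed.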

