Problems with unbound

Matthew Seaman m.seaman at infracaninophile.co.uk
Tue Mar 15 15:19:09 UTC 2016


On 03/15/16 11:28, Andrea Brancatelli wrote:
> Hello everybody, 
> 
> we're suddenly having problems with unbound on almost all of our servers
> and I cannot really understand why. 
> 
> To make a long story short, we use this forward.conf: 
> 
> root at dbengine-ent-rm-01:/var/unbound # cat /etc/unbound/forward.conf
> # This file was generated by local-unbound-setup.
> # Modifications will be overwritten.
> forward-zone:
> name: .
> forward-addr: 8.8.8.8
> forward-addr: 8.8.4.4 
> 
> Enabling this: 
> 
>  auto-trust-anchor-file: /var/unbound/root.key 
> 
> in /etc/unbound/unbound.conf gives me this: 
> 
> root at dbengine-ent-rm-01:/var/unbound # host update.freebsd.org
> ;; connection timed out; no servers could be reached 
> 
> simply disabling that line gives me this: 
> 
> root at dbengine-ent-rm-01:/var/unbound # host update.freebsd.org
> update.freebsd.org is an alias for update5.freebsd.org.
> update5.freebsd.org has address 204.9.55.80
> update5.freebsd.org has IPv6 address 2001:4978:1:420::cc09:3750
> update5.freebsd.org mail is handled by 0 . 
> 
> What's going on? 
> 
> root at dbengine-ent-rm-01:/var/unbound # freebsd-version
> 10.2-RELEASE-p13 

Do you have a firewall between those machines and the Internet?   Does
it assume that DNS queries never use anything more than 512-byte UDP
packets?  Does it try and rewrite data in DNS queries?  Doing either of
those things will cause breakage when using a DNSSEC-enabled DNS
resolver -- and DNSSEC support is pretty much the whole point of
local_unbound.

If you go here: https://www.dns-oarc.net/oarc/services/replysizetest it
should show you if you have any problems with reply lengths.  Firewalls
that try and modify DNS queries on the fly just need to be eradicated.
It's a dumb idea and indistinguishable from certain types of malicious
attack.

	Cheers,

	Matthew
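A small stdlib-only probe, added here as an illustration and not part of the original thread, that reproduces the difference Matthew is pointing at: a validating resolver sends EDNS0 queries advertising a large UDP buffer with the DO bit set, and the signed answer comes back well over 512 bytes. The script sends a plain query and an EDNS0/DO query for the root DNSKEY to the forwarder from the forward.conf above (8.8.8.8) and reports whether each is answered, truncated, or times out; the resolver address and query name are assumptions you would replace with your own.

```python
import random
import socket
import struct

def build_query(name, qtype=48, edns_bufsize=None, do_bit=False, txid=None):
    """Wire-format DNS query (RFC 1035).  qtype 48 = DNSKEY; the signed root
    DNSKEY answer is far larger than 512 bytes.  With edns_bufsize set, an
    EDNS0 OPT record (RFC 6891) advertises that UDP size, DO bit optional."""
    txid = random.randint(0, 0xFFFF) if txid is None else txid
    msg = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1 if edns_bufsize else 0)  # RD set
    for label in filter(None, name.strip(".").split(".")):
        msg += bytes([len(label)]) + label.encode("ascii")
    msg += b"\x00" + struct.pack("!HH", qtype, 1)  # name terminator, QTYPE, class IN
    if edns_bufsize:
        # OPT: NAME=root, TYPE=41, CLASS=payload size, TTL=ext-rcode|version|flags, RDLEN=0
        flags = 0x8000 if do_bit else 0  # DO is the high bit of the 16-bit flags word
        msg += b"\x00" + struct.pack("!HHIH", 41, edns_bufsize, flags, 0)
    return txid, msg

def classify_response(txid, data):
    """Read the reply header: 'ok', 'truncated' (TC bit set), 'rcodeN' or 'mismatch'."""
    if len(data) < 12:
        return "malformed"
    rid, flags = struct.unpack("!HH", data[:4])
    if rid != txid:
        return "mismatch"
    if flags & 0x0200:
        return "truncated"
    rcode = flags & 0x000F
    return "ok" if rcode == 0 else "rcode%d" % rcode

def probe(resolver, name, edns_bufsize=None, do_bit=False, timeout=3.0):
    """Send one UDP query and return (verdict, reply length in bytes)."""
    txid, msg = build_query(name, 48, edns_bufsize, do_bit)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(msg, (resolver, 53))
        try:
            data, _ = s.recvfrom(65535)
        except socket.timeout:
            return "timeout", 0
    return classify_response(txid, data), len(data)

if __name__ == "__main__":
    # Plain probe answered (even if truncated) but the EDNS0/DO probe timing
    # out points at a middlebox that drops DNS replies larger than 512 bytes.
    for label, kw in (("plain 512-byte query", {}),
                      ("EDNS0 4096 + DO", {"edns_bufsize": 4096, "do_bit": True})):
        print(label, probe("8.8.8.8", ".", **kw))
```

Run it once from inside the firewall and once from outside; a "timeout" only on the EDNS0/DO line, with the plain line answered, is the reply-size problem the OARC test page checks for.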


