Problems with unbound

Andrea Brancatelli abrancatelli at schema31.it
Wed Mar 16 11:13:34 UTC 2016


This doesn't seem to be the case: 

root at dbengine-ent-rm-01:~ # dig +short rs.dns-oarc.net txt
rst.x1008.rs.dns-oarc.net.
rst.x1968.x1008.rs.dns-oarc.net.
rst.x2454.x1968.x1008.rs.dns-oarc.net.
"74.125.47.142 DNS reply size limit is at least 2454"
"74.125.47.142 sent EDNS buffer size 4096"
"Tested at 2016-03-16 11:09:54 UTC"
root at dbengine-ent-rm-01:~ # 

Is there any "simple" way to do an EDNS query directly to a specific DNS?
Ok, I'll ask google about that :) 

---

Andrea Brancatelli
Schema31 S.p.a.
IT Manager

ROMA - BO - FI - PA 
ITALY
Tel: +39. 06.98.358.472
Cell: +39 331.2488468
Fax: +39. 055.71.880.466
Company of the SC31 ITALIA Group

On 2016-03-15 13:53 Matthew Seaman wrote:

> On 03/15/16 11:28, Andrea Brancatelli wrote: 
> 
>> Hello everybody, 
>> 
>> we're suddenly having problems with unbound on almost all of our servers
>> and I cannot really understand why. 
>> 
>> To make a long story short, we use this forward.conf: 
>> 
>> root at dbengine-ent-rm-01:/var/unbound # cat /etc/unbound/forward.conf
>> # This file was generated by local-unbound-setup.
>> # Modifications will be overwritten.
>> forward-zone:
>> name: .
>> forward-addr: 8.8.8.8
>> forward-addr: 8.8.4.4 
>> 
>> Enabling this: 
>> 
>> auto-trust-anchor-file: /var/unbound/root.key 
>> 
>> in /etc/unbound/unbound.conf gives me this: 
>> 
>> root at dbengine-ent-rm-01:/var/unbound # host update.freebsd.org
>> ;; connection timed out; no servers could be reached 
>> 
>> simply disabling that line gives me this: 
>> 
>> root at dbengine-ent-rm-01:/var/unbound # host update.freebsd.org
>> update.freebsd.org is an alias for update5.freebsd.org.
>> update5.freebsd.org has address 204.9.55.80
>> update5.freebsd.org has IPv6 address 2001:4978:1:420::cc09:3750
>> update5.freebsd.org mail is handled by 0 . 
>> 
>> What's going on? 
>> 
>> root at dbengine-ent-rm-01:/var/unbound # freebsd-version
>> 10.2-RELEASE-p13
> 
> Do you have a firewall between those machines and the Internet?   Does
> it assume that DNS queries never use anything more than 512-byte UDP
> packets?  Does it try and rewrite data in DNS queries?  Doing either of
> those things will cause breakage when using a DNSSEC enabled DNS
> resolver -- and DNSSEC support is pretty much the whole point of
> local_unbound.
> 
> If you go here: https://www.dns-oarc.net/oarc/services/replysizetest it
> should show you if you have any problems with reply lengths.  Firewalls
> that try and modify DNS queries on the fly just need to be eradicated.
> It's a dumb idea and indistinguishable from certain types of malicious
> attack.
> 
> Cheers,
> 
> Matthew
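Added here as an example, not code from either poster: a small sh script that does what the question above asks for (an EDNS0 query with the DO bit sent to one specific resolver, using dig) and reduces the reply to the fields that matter for Matthew's firewall point: truncation, the AD bit, the advertised EDNS UDP size and the reply size. The resolver, name and buffer size are arguments you pass in, and the dig output embedded for the offline self-check is constructed, not a real capture.

```shell
#!/bin/sh
# Added example, not from either poster: probe ONE chosen resolver with an
# EDNS0 query (DO bit set) via dig and summarise what came back.
# Assumes dig is installed; resolver/name/bufsize are whatever you pass in.

# Reduce dig's output to the fields that matter when a firewall mangles DNS:
# tc (reply was truncated), ad (resolver validated DNSSEC), the EDNS UDP size
# the server advertised, and the size of the reply actually received.
summarize_dig() {
    awk '
      /^;; flags:/   { sub(/.*flags: /, ""); sub(/;.*/, ""); flags = $0 }
      /^; EDNS:/     { if (match($0, /udp: [0-9]+/)) udp = substr($0, RSTART + 5, RLENGTH - 5) }
      /^;; MSG SIZE/ { size = $NF }
      END {
        tc = (flags ~ /(^| )tc( |$)/) ? "yes" : "no"
        ad = (flags ~ /(^| )ad( |$)/) ? "yes" : "no"
        printf "truncated=%s validated=%s edns_udp=%s msg_size=%s\n", tc, ad, udp + 0, size + 0
      }'
}

# UDP only (+notcp) and no TCP retry on truncation (+ignore), so a device that
# drops or rewrites UDP DNS above 512 bytes shows up as a timeout, or as
# truncated=yes with bufsize 4096 while bufsize 512 still gets an answer.
# The root DNSKEY RRset plus its RRSIGs is well over 512 bytes, a good probe.
probe_edns() {
    resolver=$1; name=${2:-.}; bufsize=${3:-4096}
    dig @"$resolver" "$name" DNSKEY +dnssec +bufsize="$bufsize" +notcp +ignore \
        +timeout=3 +tries=1 | summarize_dig
}

# Constructed sample of dig's output (not a real capture) so the parser can be
# checked offline; a live run looks like:  probe_edns 8.8.8.8 . 4096
SAMPLE_DIG_OUTPUT=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40181
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;.                      IN      DNSKEY

;; MSG SIZE  rcvd: 1169'

summarize_sample() { printf '%s\n' "$SAMPLE_DIG_OUTPUT" | summarize_dig; }
```

Compare `probe_edns <resolver> . 4096` with `probe_edns <resolver> . 512`: a timeout or truncated=yes only at the larger size points at a middlebox clamping DNS to 512-byte UDP.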
 

