Issue with unbound 1.4.6 win32 package

404Error · August 4, 2010, 11:48am

I have installed unbound 1.4.6 win32 package with the default options on both Windows XP Professional SP3 and Windows Vista Ultimate SP2.

Using the unbound dns server (127.0.0.1) I cannot browse to http://www.isc.org/, I get a host name lookup failure error.

If I switch back to my ISP's DNS servers it works fine.

Here is my service.conf contents...

-->
# Unbound configuration file on windows.
# See example.conf for more settings and syntax
server:
# verbosity level 0-4 of logging
verbosity: 0

  # on Windows, this setting makes reports go into the Application log
  # found in ControlPanels - System tasks - Logs
  use-syslog: no

  # specify the interfaces to answer queries from by ip-address.
  # The default is to listen to localhost (127.0.0.1 and ::1).
  # specify 0.0.0.0 and ::0 to bind to all available interfaces.
  # specify every interface[@port] on a new 'interface:' labelled line.
  # The listen interfaces are not changed on reload, only on restart.
  interface: 127.0.0.1

# Enable IPv6, "yes" or "no".
do-ip6: no

# enable to not answer id.server and hostname.bind queries.
hide-identity: yes

# enable to not answer version.server and version.bind queries.
hide-version: yes

  # File with DLV trusted keys. Same format as trust-anchor-file.
  # There can be only one DLV configured, it is trusted from root down.
  # Download http://ftp.isc.org/www/dlv/dlv.isc.org.key
  dlv-anchor-file: "C:\Program Files\Unbound\dlv.isc.org.key"
<--

Wouter · August 4, 2010, 12:27pm

Hi,

That should work, can you set verbosity higher (level 4), and send me
the logfile (privately, it'll be large) afterwards? Unless the errors
are descriptive enough that you can solve it (level 2 is a summarized
debug level that may be nice for that).

If you delete the logfile before you start unbound, and set
logfile: "C:\unbound.log"
then debug information gets written there.

Best regards,
Wouter

Wouter · August 4, 2010, 3:35pm

Hi,

Thanks for that logfile. Seems like the response for www.isc.org from
its nameserver is timeout, probably because of PMTU problems. All
fragments get dropped and you get no larger packets than 1480 through.
rs.dns-oarc.net can help you measure that as well as netalyzer and other
tools.

Perhaps a firewall is (mis)configured to drop fragments and you can fix it?

Otherwise unbound has the following option that can help you:
edns-buffer-size: 1480

Best regards,
Wouter

user2 · August 4, 2010, 5:36pm

based on some other measurement (v6 tunnels etc.)
we have set our buf-size to 1220 bytes.

--bill