notice: send failed: Permission denied

Hi,

Probably it has been discussed already, so sorry for reiterating the same problem, but I couldn’t find a solution.

unbound 1.13.1

I block certain ASNs/IPs on the firewall. unbound starts normally, then after some time floods the log with messages:

unbound[90575]: [90575:2] notice: remote address is xx.xx.xx.xx port 53
unbound[90575]: [90575:2] notice: send failed: Permission denied
unbound[90575]: [90575:2] notice: remote address is xx.xx.xx.xx port 53
unbound[90575]: [90575:2] notice: send failed: Permission denied
unbound[90575]: [90575:2] notice: remote address is xx.xx.xx.xx port 53
unbound[90575]: [90575:2] notice: send failed: Permission denied
unbound[90575]: [90575:2] notice: remote address is xx.xx.xx.xx port 53
unbound[90575]: [90575:2] notice: send failed: Permission denied
unbound[90575]: [90575:2] notice: remote address is xx.xx.xx.xx port 53

the SAME IP for hours. My firewall process CPU load jumps and stays at a high level. unbound process CPU load is high as well.

My temporary workaround is adding:

do-not-query-address: xx.xx.xx.xx

When I add a new IP to this list it stays normal for some time till unbound finds a new NS server IP which is blocked on the firewall, and then all loads jump and it floods the log with “notice” messages.

In my understanding unbound should stop attempting to contact a specific NS if it is not reachable/down?

Thanks,
John

Important note: the firewall block rule is reject, not block …

Thanks,
John
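As an added example (not from this thread or from the Unbound project), a small Python script that pairs the two-line notice pattern quoted above, counts rejected sends per remote address and error text, and emits candidate do-not-query-address lines for the server: section of unbound.conf. The log sample and its addresses are constructed placeholders, and the threshold of two failures is an assumption.

```python
import re
from collections import Counter

# Constructed sample in the format of the unbound notice lines quoted in the
# thread; the addresses are documentation-range placeholders, not real servers.
SAMPLE_LOG = """\
unbound[90575]: [90575:2] notice: remote address is 192.0.2.10 port 53
unbound[90575]: [90575:2] notice: send failed: Permission denied
unbound[90575]: [90575:2] notice: remote address is 192.0.2.10 port 53
unbound[90575]: [90575:2] notice: send failed: Permission denied
unbound[90575]: [90575:2] notice: remote address is 198.51.100.7 port 53
unbound[90575]: [90575:2] notice: send failed: Permission denied
unbound[90575]: [90575:2] notice: remote address is 203.0.113.5 port 53
unbound[90575]: [90575:2] notice: send failed: Connection refused
"""

ADDR_RE = re.compile(r"notice: remote address is (\S+) port (\d+)")
FAIL_RE = re.compile(r"notice: send failed: (.+)$")

def count_send_failures(log_text):
    """Pair each 'remote address' notice with the 'send failed' line that
    follows it and count failures per (address, error text)."""
    counts = Counter()
    pending = None
    for line in log_text.splitlines():
        m = ADDR_RE.search(line)
        if m:
            pending = (m.group(1), m.group(2))  # remember the upstream address
            continue
        m = FAIL_RE.search(line)
        if m and pending:
            counts[(pending[0], m.group(1))] += 1
            pending = None
    return counts

def suggest_do_not_query(counts, threshold=2, reason="Permission denied"):
    """Return do-not-query-address lines for addresses whose sends were
    rejected at least `threshold` times with the given error text
    (threshold is an assumed value, adjust to taste)."""
    addrs = sorted(a for (a, r), n in counts.items() if r == reason and n >= threshold)
    return [f"do-not-query-address: {a}" for a in addrs]

if __name__ == "__main__":
    c = count_send_failures(SAMPLE_LOG)
    for (addr, reason), n in sorted(c.items()):
        print(f"{addr}: {n} x {reason}")
    print("\n".join(suggest_do_not_query(c)))
```

Review the emitted lines before adding them to the config, since an address that is rejected today may belong to a nameserver you later want to reach again.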

Hi John,

Fix code is in
https://github.com/NLnetLabs/unbound/commit/addd21f750b6042c40c2a92aef9b8919d8497532

This stops the log messages unless you set a high verbosity level.
These error numbers did not get reported before, I guess because the
block rule is reject.

Best regards, Wouter

Hi John,

The error messages are coming from the system call itself, which your firewall seems to block. That way unbound will not record anything for the nameserver in the infra cache (used to record timeouts among other things).
This will result in unbound trying a finite number of times every time that nameserver needs to be contacted.

If you lower the verbosity level to 2 (and with the fix I just committed https://github.com/NLnetLabs/unbound/commit/403d0551b7a65023e15be43ae5c1fd938edd6025) you will no longer see log messages related to contacting upstreams.

Unbound would still try to connect silently though before giving up.

If you also want to skip that, then indeed using `do-not-query-address:` is the way to go.

Best regards,
-- George

Hi George, Wouter,

Thank you for the reply! The problem with this solution is that (even silently) unbound continues to contact the blocked NS and as a result loads the firewall filter significantly; as I mentioned before, CPU load jumps up to 50% and stays at this level till I reload unbound with the appropriate do-not-query-address:.

Also, a strange thing is that unbound (it seems) does not have any limit on how many times it tries to ping a specific name server (I once observed 5 hours in a row).

Is it (the number of times to ping) configurable?

Thanks,
John