Hello list,
Unbound refuses all requests on my machine.
Google's DNS server works fine, tested already.
My unbound.conf looks like:
server:
    statistics-cumulative: yes
    extended-statistics: yes
    log-queries: yes
    log-servfail: yes
    verbosity: 9
    val-log-level: 2
    interface: 192.168.100.250
    interface: 116.202.87.165
    interface: 192.168.120.251
    interface: 192.168.110.250
    outgoing-interface: 192.168.100.250
    outgoing-interface: 192.168.110.250
    outgoing-interface: 192.168.120.251
    outgoing-interface: 116.202.87.165
    num-threads: 2
    include: /etc/unbound/unbound.conf.d/name_solving.conf
    include: /etc/unbound/unbound.conf.d/privacy_options.conf
    include: /etc/unbound/unbound.conf.d/cache_options.conf
    include: /etc/unbound/unbound.conf.d/dnssec_options.conf
    include: /etc/unbound/unbound.conf.d/blacklist.conf
    include: /etc/unbound/unbound.conf.d/local_names.conf
    include: /etc/unbound/unbound.conf.d/opennic_names.conf
    include: /etc/unbound/unbound.conf.d/forwarders.conf
remote-control:
    control-enable: yes
Can anyone help with an idea?
best regards
marko
You are missing access-control: so only localhost is allowed access.
See man unbound.conf on syntax for access-control:
Paul
Hi Johannes,
Unbound by default only listens on localhost.
You would need to configure 'access-control:' to allow client netblocks to query Unbound.
From your example I guess that something like
access-control: 192.168.0.0/16 allow
would allow most of your clients to connect.
Best regards,
-- George
Hey Paul,
thanks, I already added the access control, you can see it above in the config.
The access_control.conf looks like this:
access-control: 127.0.0.0/8 allow
access-control: 192.168.100.250 allow
access-control: 192.168.100.0/24 allow
access-control: 192.168.110.0/24 allow
access-control: 192.168.120.0/24 allow
The error I get in my unbound.log:
Nov 10 16:40:16 supabunka unbound: [5142:0] debug: refused query from ip4 192.168.100.250 port 49357 (len 16)
Nov 10 16:40:16 supabunka unbound: [5142:0] debug: refuse[49:0] 43290120000100000000000105776562676F0264650000010001000029100000000000000C000A00080436776A669C89B7
Nov 10 16:41:13 supabunka unbound: [5142:0] debug: refused query from ip4 192.168.100.250 port 41791 (len 16)
Nov 10 16:41:13 supabunka unbound: [5142:0] debug: refuse[49:0] 836E0120000100000000000105776562676F0264650000010001000029100000000000000C000A0008C262FD526020506C
Nov 10 16:42:38 supabunka unbound: [5142:1] debug: refused query from ip4 192.168.100.250 port 55452 (len 16)
Nov 10 16:42:38 supabunka unbound: [5142:1] debug: refuse[49:0] 5D5C0120000100000000000105776562676F0264650000010001000029100000000000000C000A00083AC515AEEE4DFAA9
Nov 10 16:42:39 supabunka unbound: [5142:1] debug: refused query from ip4 192.168.100.250 port 35626 (len 16)
Nov 10 16:42:39 supabunka unbound: [5142:1] debug: refuse[49:0] CFFA0120000100000000000105776562676F0264650000010001000029100000000000000C000A0008B6428F351D09CF7F
Nov 10 16:44:17 supabunka unbound: [5142:0] debug: refused query from ip4 192.168.110.250 port 55197 (len 16)
Nov 10 16:44:17 supabunka unbound: [5142:0] debug: refuse[49:0] FBFE012000010000000000010568656973650264650000010001000029100000000000000C000A00088556489A20B80DCE
I have no clue.
marko
Even when I add your access config line:
supabunka /etc/unbound # dig @192.168.110.250 heise.de
; <<>> DiG 9.16.15 <<>> @192.168.110.250 heise.de
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 21149
;; flags: qr rd ad; QUERY: 0, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available
;; Query time: 0 msec
;; SERVER: 192.168.110.250#53(192.168.110.250)
;; WHEN: Wed Nov 10 16:50:37 CET 2021
;; MSG SIZE rcvd: 12
It gets a little bit more weird…
Now I restored my old /etc/unbound after recompiling unbound (Gentoo here),
and now it works for 3-5 requests, then everything gets refused 2-5 times, then it works again…
Nov 10 17:45:40 supabunka unbound: [25308:1] debug: refused query from ip4 192.168.100.250 port 46375 (len 16)
Nov 10 17:45:40 supabunka unbound: [25308:1] debug: refuse[49:0] F8EF012000010000000000010568656973650264650000010001000029100000000000000C000A00088C5B88DE810B4E51
Nov 10 17:45:41 supabunka unbound: [25308:0] debug: refused query from ip4 192.168.100.250 port 35973 (len 16)
Nov 10 17:45:41 supabunka unbound: [25308:0] debug: refuse[49:0] E435012000010000000000010568656973650264650000010001000029100000000000000C000A00086F442F3E1085BEC4
Nov 10 17:45:42 supabunka unbound: [25308:0] debug: refused query from ip4 192.168.100.250 port 47549 (len 16)
Nov 10 17:45:42 supabunka unbound: [25308:0] debug: refuse[49:0] E282012000010000000000010568656973650264650000010001000029100000000000000C000A0008164EF19ADE91C82B
Nov 10 17:45:43 supabunka unbound: [15016:0] info: 192.168.100.250 heise.de . A IN
Nov 10 17:45:43 supabunka unbound: [15016:0] info: 192.168.100.250 heise.de . A IN
Nov 10 17:45:44 supabunka unbound: [15016:1] info: 192.168.100.250 heise.de . A IN
Nov 10 17:45:44 supabunka unbound: [15016:0] info: 192.168.100.250 heise.de . A IN
Nov 10 17:45:45 supabunka unbound: [25308:1] debug: refused query from ip4 192.168.100.250 port 42903 (len 16)
Nov 10 17:45:45 supabunka unbound: [25308:1] debug: refuse[49:0] 0405012000010000000000010568656973650264650000010001000029100000000000000C000A000802A39D4249FC8122
Nov 10 17:45:46 supabunka unbound: [15016:1] info: 192.168.100.250 heise.de . A IN
Nov 10 17:45:46 supabunka unbound: [15016:0] info: 192.168.100.250 heise.de . A IN
Nov 10 17:45:47 supabunka unbound: [15016:0] info: 192.168.100.250 heise.de . A IN
Nov 10 17:45:48 supabunka unbound: [25308:0] debug: refused query from ip4 192.168.100.250 port 60897 (len 16)
Nov 10 17:45:48 supabunka unbound: [25308:0] debug: refuse[49:0] 94F8012000010000000000010568656973650264650000010001000029100000000000000C000A0008FDE3D3761C97A8E6
Nov 10 17:45:48 supabunka unbound: [15016:1] info: 192.168.100.250 heise.de . A IN
Nov 10 17:45:49 supabunka unbound: [25308:1] debug: refused query from ip4 192.168.100.250 port 56333 (len 16)
Nov 10 17:45:49 supabunka unbound: [25308:1] debug: refuse[49:0] 5BA0012000010000000000010568656973650264650000010001000029100000000000000C000A0008E6D09CF006EB79CA
Nov 10 17:45:50 supabunka unbound: [25308:1] debug: refused query from ip4 192.168.100.250 port 51644 (len 16)
Nov 10 17:45:50 supabunka unbound: [25308:1] debug: refuse[49:0] D265012000010000000000010568656973650264650000010001000029100000000000000C000A000806A0F484B7116F44
Nov 10 17:45:50 supabunka unbound: [25308:0] debug: refused query from ip4 192.168.100.250 port 43169 (len 16)
Nov 10 17:45:50 supabunka unbound: [25308:0] debug: refuse[49:0] B03F012000010000000000010568656973650264650000010001000029100000000000000C000A00086D6B50DB2A5D793A
Nov 10 17:45:51 supabunka unbound: [25308:1] debug: refused query from ip4 192.168.100.250 port 46039 (len 16)
Nov 10 17:45:51 supabunka unbound: [25308:1] debug: refuse[49:0] E9C4012000010000000000010568656973650264650000010001000029100000000000000C000A0008E0C502BE546710D5
Nov 10 17:45:51 supabunka unbound: [25308:0] debug: refused query from ip4 192.168.100.250 port 58388 (len 16)
Nov 10 17:45:51 supabunka unbound: [25308:0] debug: refuse[49:0] 57E5012000010000000000010568656973650264650000010001000029100000000000000C000A00082D348BC4E793E329
Nov 10 17:45:52 supabunka unbound: [15016:1] info: 192.168.100.250 heise.de . A IN
Nov 10 17:45:53 supabunka unbound: [25308:1] debug: refused query from ip4 192.168.100.250 port 60796 (len 16)
Nov 10 17:45:53 supabunka unbound: [25308:1] debug: refuse[49:0] C4C1012000010000000000010568656973650264650000010001000029100000000000000C000A0008EB597D2D491C91B6
Nov 10 17:45:53 supabunka unbound: [25308:1] debug: refused query from ip4 192.168.100.250 port 58593 (len 16)
Nov 10 17:45:53 supabunka unbound: [25308:1] debug: refuse[49:0] 774B012000010000000000010568656973650264650000010001000029100000000000000C000A00085C4AD0BCF67BE7E9
Nov 10 17:45:54 supabunka unbound: [15016:0] info: 192.168.100.250 heise.de . A IN
Any ideas?
marko
The refusals come from PID 25308 while PID 15016 processes the requests.
Do you have multiple daemons with different configurations and/or a DNS balancer?
Hauke.
hdais, November 11, 2021, 2:08pm
Due to "so-reuseport", enabled by Unbound's default configuration on the Linux platform,
multiple Unbound daemons can be launched (often mistakenly) on the host's 53/udp
instead of a "can't bind socket: Address already in use" error.
In this case queries for 53/udp are distributed to those daemons.
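Hauke spotted the two PIDs by eye in the log excerpt above, and hdais explains why so-reuseport lets a second daemon bind 53/udp silently. The following script, an added example and not part of the thread or of Unbound, automates both checks: it groups the syslog lines by the `[pid:thread]` tag to see which PIDs refuse and which answer, and it parses `ss -ulnp` output to list every PID holding a UDP socket on port 53. The log lines are taken from the excerpt posted above; the `ss` listing is constructed for the example and assumes the column layout of current iproute2 (`State Recv-Q Send-Q Local Address:Port Peer Address:Port Process`).

```python
import re
from collections import Counter, defaultdict

# Syslog lines as posted in the thread above: PID 25308 refuses, PID 15016 answers.
SAMPLE_LOG = """\
Nov 10 17:45:40 supabunka unbound: [25308:1] debug: refused query from ip4 192.168.100.250 port 46375 (len 16)
Nov 10 17:45:40 supabunka unbound: [25308:1] debug: refuse[49:0] F8EF012000010000000000010568656973650264650000010001000029100000000000000C000A00088C5B88DE810B4E51
Nov 10 17:45:43 supabunka unbound: [15016:0] info: 192.168.100.250 heise.de . A IN
Nov 10 17:45:44 supabunka unbound: [15016:1] info: 192.168.100.250 heise.de . A IN
Nov 10 17:45:45 supabunka unbound: [25308:1] debug: refused query from ip4 192.168.100.250 port 42903 (len 16)
Nov 10 17:45:46 supabunka unbound: [15016:0] info: 192.168.100.250 heise.de . A IN
"""

# Constructed "ss -ulnp" output (not captured on the poster's host): two unbound
# PIDs share 192.168.100.250:53 thanks to SO_REUSEPORT, plus an unrelated socket.
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port   Peer Address:Port Process
UNCONN 0      0      192.168.100.250:53   0.0.0.0:*         users:(("unbound",pid=25308,fd=4))
UNCONN 0      0      192.168.100.250:53   0.0.0.0:*         users:(("unbound",pid=15016,fd=4))
UNCONN 0      0      0.0.0.0:68           0.0.0.0:*         users:(("dhclient",pid=812,fd=6))
"""

# "[pid:thread] level: message" as written by unbound's syslog output
LOG_RE = re.compile(r"unbound: \[(?P<pid>\d+):(?P<thread>\d+)\] (?P<level>\w+): (?P<msg>.*)$")
# log-queries lines start with the client address
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}\s")


def outcomes_by_pid(log_text):
    """Per unbound PID, count the queries it refused and the queries it logged (answered)."""
    stats = defaultdict(Counter)
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        pid, level, msg = int(m["pid"]), m["level"], m["msg"]
        if msg.startswith("refused query"):
            stats[pid]["refused"] += 1
        elif level == "info" and IPV4_RE.match(msg):
            stats[pid]["answered"] += 1
        # the "refuse[..] <hex>" packet dumps carry no new information and are skipped
    return {pid: {"refused": c["refused"], "answered": c["answered"]}
            for pid, c in stats.items()}


def serving_pids(log_text):
    """Sorted PIDs that touched client queries; more than one means port 53 is shared."""
    return sorted(outcomes_by_pid(log_text))


def pids_on_port(ss_text, port=53):
    """PIDs owning UDP sockets bound to `port`, read from `ss -ulnp` output."""
    pids = set()
    for line in ss_text.splitlines():
        fields = line.split()
        if len(fields) < 6:
            continue
        # the header's "Address:Port" column never matches a numeric port
        if fields[3].rsplit(":", 1)[-1] != str(port):
            continue
        pids.update(int(p) for p in re.findall(r"pid=(\d+)", line))
    return sorted(pids)


def diagnose(log_text, ss_text):
    """Combine both views into a one-line verdict."""
    from_log, from_ss = serving_pids(log_text), pids_on_port(ss_text)
    if len(from_log) > 1 or len(from_ss) > 1:
        return f"multiple unbound daemons on port 53: log={from_log} ss={from_ss}"
    return "single daemon"


if __name__ == "__main__":
    for pid, counts in sorted(outcomes_by_pid(SAMPLE_LOG).items()):
        print(pid, counts)
    print(diagnose(SAMPLE_LOG, SAMPLE_SS))
```

On a live host, feed `journalctl -u unbound` (or the syslog file) and `ss -ulnp` into the two functions; a verdict of more than one PID means a stale daemon survived a restart or recompile and is answering a share of the queries with its old configuration.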
@hauke, damn, ps aux showed me 2 running daemons…
And I found out I "missed" copying over the access.conf in unbound.conf.d/.
Now nearly all is running fine..
Only redis seems not to cache…
My unbound.conf:
server:
    statistics-cumulative: yes
    extended-statistics: yes
    log-queries: yes
    log-servfail: yes
    verbosity: 3
    val-log-level: 2
    auto-trust-anchor-file: /etc/unbound/var/root-anchors.txt
    interface: 127.0.0.1
    interface: 192.168.100.250
    interface: 192.168.120.251
    interface: 192.168.110.250
    outgoing-interface: 192.168.100.250
    outgoing-interface: 192.168.110.250
    outgoing-interface: 192.168.120.251
    outgoing-interface: 116.202.87.165
    num-threads: 8
    include: /etc/unbound/unbound.conf.d/access_options.conf
    include: /etc/unbound/unbound.conf.d/name_solving.conf
    include: /etc/unbound/unbound.conf.d/privacy_options.conf
    include: /etc/unbound/unbound.conf.d/cache_options.conf
    include: /etc/unbound/unbound.conf.d/dnssec_options.conf
    include: /etc/unbound/unbound.conf.d/blacklist.conf
    include: /etc/unbound/unbound.conf.d/local_names.conf
    include: /etc/unbound/unbound.conf.d/opennic_names.conf
    include: /etc/unbound/unbound.conf.d/forwarders.conf
remote-control:
    control-enable: yes
cachedb:
    backend: "testframe"
    secret-seed: "default"
    redis-server-host: 127.0.0.1
    redis-server-port: 6379
    redis-timeout: 100
    redis-expire-records: no
When I connect to my redis server via "redis-cli"…
supabunka /etc/unbound # redis-cli
127.0.0.1:6379 > keys *
(empty array)
127.0.0.1:6379 >
Seems nothing gets cached…
Any idea?
Hi Johannes,
I see a lot of configuration errors WRT redis in your unbound.conf.
Instead of me going over everything I would suggest to read the "Cache DB Module Options" section in the unbound.conf man page (Also online for the latest version: https://www.nlnetlabs.nl/documentation/unbound/unbound.conf/ ) as I believe it covers all the steps and configuration you need to make.
If you still have questions feel free to ask them here again.
Best regards,
-- George
Hi George,
I tried it with this config now (unbound starts):
server:
    statistics-cumulative: yes
    extended-statistics: yes
    log-queries: yes
    log-servfail: yes
    verbosity: 3
    val-log-level: 2
    auto-trust-anchor-file: /etc/unbound/var/root-anchors.txt
    interface: 127.0.0.1
    interface: 192.168.100.250
    interface: 116.202.87.165
    interface: 192.168.120.251
    interface: 192.168.110.250
    outgoing-interface: 192.168.100.250
    outgoing-interface: 192.168.110.250
    outgoing-interface: 192.168.120.251
    outgoing-interface: 116.202.87.165
    num-threads: 8
    include: /etc/unbound/unbound.conf.d/access_options.conf
    include: /etc/unbound/unbound.conf.d/name_solving.conf
    include: /etc/unbound/unbound.conf.d/privacy_options.conf
    include: /etc/unbound/unbound.conf.d/cache_options.conf
    include: /etc/unbound/unbound.conf.d/dnssec_options.conf
    include: /etc/unbound/unbound.conf.d/blacklist.conf
    include: /etc/unbound/unbound.conf.d/local_names.conf
    include: /etc/unbound/unbound.conf.d/opennic_names.conf
    include: /etc/unbound/unbound.conf.d/forwarders.conf
remote-control:
    control-enable: yes
    control-interface: 127.0.0.1
    control-port: 8953
    control-use-cert: "no"
    #module-config: "validator cachedb iterator"
cachedb:
    backend: "redis"
    secret-seed: "default"
    redis-server-host: 127.0.0.1
    redis-server-port: 6379
    redis-timeout: 100
    redis-expire-records: no
BUT, unbound-control status shows this:
supabunka /etc/unbound # unbound-control status
version: 1.13.2
verbosity: 3
threads: 8
modules: 2 [ validator iterator ]
uptime: 218 seconds
options: reuseport control
unbound (pid 31165) is running…
It does not load the cachedb module…
(I also found no way to list or show the available modules; maybe it has another name now.)
On https://github.com/NLnetLabs/unbound/blob/master/doc/example.conf.in
I found this:
CacheDB
Enable external backend DB as auxiliary cache. Specify the backend name
(default is "testframe", which has no use other than for debugging and
testing) and backend-specific options. The 'cachedb' module must be
included in module-config, just before the iterator module.
cachedb:
    backend: "testframe"
    # secret seed string to calculate hashed keys
    secret-seed: "default"
Sorry for the confusion… the 'module-config' was commented out…
Uncommented, unbound doesn't start with that config,
but that was my understanding of the link above with the unbound.conf on git.
best regards
marko
Hi Johannes,
The module-config option should be part of the "server:" section.
Best regards,
-- George
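George's one-line answer is the whole fix: `module-config` is a `server:` option, so a copy placed under `remote-control:` or `cachedb:` either is rejected at start-up or, when commented out as in the posting above, leaves Unbound running with the default `validator iterator` module list and no cachedb. The checker below is an added example, not part of the thread or of Unbound; it walks an unbound.conf, records which clause every option sits in, and reports the pitfalls the thread hit (module-config outside `server:`, missing altogether, `cachedb` not listed immediately before `iterator` as example.conf.in requires, or the debugging-only `testframe` backend left in place). The two embedded configs are constructed for the example, modelled on the posting above, and `parse_clauses` assumes the plain one-option-per-line layout seen in this thread (it does not follow `include:` directives).

```python
import re

# Constructed config: module-config placed under cachedb:, where it does not belong.
WRONG_CONF = """\
server:
    interface: 127.0.0.1
    access-control: 192.168.0.0/16 allow
remote-control:
    control-enable: yes
cachedb:
    module-config: "validator cachedb iterator"
    backend: "redis"
    redis-server-host: 127.0.0.1
    redis-server-port: 6379
"""

# Constructed config with the same settings arranged as George describes.
RIGHT_CONF = """\
server:
    interface: 127.0.0.1
    access-control: 192.168.0.0/16 allow
    module-config: "validator cachedb iterator"
remote-control:
    control-enable: yes
cachedb:
    backend: "redis"
    redis-server-host: 127.0.0.1
    redis-server-port: 6379
"""


def parse_clauses(text):
    """Return [(clause, key, value)] with surrounding quotes stripped from values.

    A clause header is a line such as 'server:' or 'cachedb:' with nothing after
    the colon; every following option belongs to it until the next header.
    Assumption for this example: no include: files are followed.
    """
    clause, entries = None, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()       # drop comments and whitespace
        if not line:
            continue
        key, sep, value = line.partition(":")      # first colon only, so IPv6 values survive
        if not sep:
            continue
        key, value = key.strip(), value.strip().strip('"')
        if value == "":
            clause = key
            continue
        entries.append((clause, key, value))
    return entries


def check_cachedb_setup(text):
    """Findings (strings) for the module-config / cachedb pitfalls; empty means fine."""
    entries = parse_clauses(text)
    findings = []
    has_cachedb_clause = any(c == "cachedb" for c, _, _ in entries)
    module_cfgs = [(c, v) for c, k, v in entries if k == "module-config"]
    if not module_cfgs:
        if has_cachedb_clause:
            findings.append("cachedb: clause present but module-config not set; module will not load")
    else:
        clause, value = module_cfgs[-1]           # last occurrence wins, as in Unbound
        if clause != "server":
            findings.append(f"module-config found under {clause}: but it belongs in server:")
        mods = value.split()
        if has_cachedb_clause and "cachedb" not in mods:
            findings.append("cachedb: clause present but cachedb is not in module-config")
        if "cachedb" in mods and "iterator" in mods and \
                mods.index("cachedb") != mods.index("iterator") - 1:
            findings.append("cachedb must be listed immediately before iterator in module-config")
    backend = [v for c, k, v in entries if c == "cachedb" and k == "backend"]
    if backend and backend[-1] == "testframe":
        findings.append('cachedb backend "testframe" is for testing only; use "redis"')
    return findings


if __name__ == "__main__":
    for name, conf in (("wrong", WRONG_CONF), ("right", RIGHT_CONF)):
        print(name, check_cachedb_setup(conf) or ["ok"])
```

Run it against the real file before restarting; after a restart, `unbound-control status` should then list three modules, `validator cachedb iterator`, instead of the two shown in the posting above.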