Unbound won't listen on TLS port

Hi,

I'm trying to get Unbound 1.9.0 on Debian 10 to provide a DoT interface
to clients on the LAN.

The configuration looks like so:

server:
  interface: ::
  interface: 0.0.0.0

  interface: ::@853
  interface: 0.0.0.0@853

  port: 53
  tls-port: 853

  interface-automatic: yes

  tls-service-key: /etc/ssl/letsencrypt/certs/router.example.com/privkey.pem
  tls-service-pem: /etc/ssl/letsencrypt/certs/router.example.com/fullchain.pem

  [...]

Unbound will simply not listen on port 853 and it also won't log why.

[1566410200] unbound[3017:0] debug: increased limit(open files) from 1024 to 4164
[1566410200] unbound[3017:0] debug: creating udp6 socket :: 53
[1566410200] unbound[3017:0] debug: creating tcp6 socket :: 53
[1566410200] unbound[3017:0] debug: creating udp4 socket 0.0.0.0 53
[1566410200] unbound[3017:0] debug: creating tcp4 socket 0.0.0.0 53
[1566410200] unbound[3017:0] debug: creating tcp4 socket 127.0.0.1 8953
[1566410200] unbound[3017:0] debug: creating tcp6 socket ::1 8953
[1566410200] unbound[3017:0] debug: setup SSL certificates
[1566410200] unbound[3017:0] error: cannot open pidfile /run/unbound.pid: Permission denied
[1566410200] unbound[3017:0] debug: chdir to /etc/unbound
[1566410200] unbound[3017:0] debug: drop user privileges, run as unbound
[...]

I've also tried out 1.9.3-rc1 but the behaviour was the same.

Can anyone provide insight into what happens here?

Best,

Martin

Hi Martin,

It is the "interface-automatic: yes" statement. It overrides the other
interface statements and listens on port 53. If you remove that I think
you have a better shot at making it work.

Best regards, Wouter
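As an added illustration of Wouter's point (example code, not part of the thread or of Unbound): a small linter that reads the server: clause of an unbound.conf and flags interface@port lines that interface-automatic: yes will silently ignore. The helper names and the rule that interface lines on the tls-port need tls-service-key/pem are assumptions drawn from the unbound.conf manual.

```python
# Added example (not Unbound's code): lint an unbound.conf 'server:' clause for
# the pitfall in this thread. With interface-automatic: yes, Unbound listens on
# 'port' on all addresses and ignores per-address interface: lines, so the
# interface@853 DoT listeners are never opened.
import re

def parse_server_clause(text: str) -> dict:
    """Collect key -> [values] for 'key: value' lines inside 'server:' only."""
    opts, in_server = {}, False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop comments
        if re.fullmatch(r"[a-z-]+:", line):        # clause header
            in_server = line == "server:"
        elif in_server and ":" in line:
            key, val = (s.strip() for s in line.split(":", 1))
            opts.setdefault(key, []).append(val)
    return opts

def configured_listeners(opts: dict) -> set:
    """(address, port) pairs from interface: lines; no @port means 'port' (53)."""
    default_port = int(opts.get("port", ["53"])[-1])
    listeners = set()
    for iface in opts.get("interface", []):
        addr, sep, port = iface.rpartition("@")
        listeners.add((addr, int(port)) if sep else (iface, default_port))
    return listeners

def lint(text: str) -> list:
    """Return findings; an empty list means the clause looks consistent."""
    opts = parse_server_clause(text)
    default_port = int(opts.get("port", ["53"])[-1])
    tls_port = int(opts.get("tls-port", ["853"])[-1])
    auto = opts.get("interface-automatic", ["no"])[-1].lower() == "yes"
    extra = sorted(l for l in configured_listeners(opts) if l[1] != default_port)
    tls = [l for l in extra if l[1] == tls_port]
    findings = []
    if auto and extra:
        findings.append("interface-automatic: yes listens only on port %d; "
                        "ignored interface lines: %s" % (default_port, extra))
    if tls and not (opts.get("tls-service-key") and opts.get("tls-service-pem")):
        findings.append("tls-port %d listeners need tls-service-key/pem" % tls_port)
    return findings

# Constructed sample: the clause from the thread, trimmed to the relevant options.
THREAD_CONF = """server:
  interface: ::
  interface: 0.0.0.0
  interface: ::@853
  interface: 0.0.0.0@853
  tls-port: 853
  interface-automatic: yes
  tls-service-key: /etc/ssl/letsencrypt/certs/router.example.com/privkey.pem
  tls-service-pem: /etc/ssl/letsencrypt/certs/router.example.com/fullchain.pem
"""
FIXED_CONF = THREAD_CONF.replace("  interface-automatic: yes\n", "")  # Wouter's fix
```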

Hi Wouter,

> It is the "interface-automatic: yes" statement. It overrides the other
> interface statements and listens on port 53. If you remove that I think
> you have a better shot at making it work.

I've had the same issue and got lucky with interface-automatic. But I
would not have guessed from the manpage that listening-on-something and
interface-automatic are related in any way.

       interface-automatic: <yes or no>
              Detect source interface on UDP queries and copy them to replies.
              This feature is experimental, and needs support in your OS for
              particular socket options. Default value is no

Bernhard

Hi Wouter, hi Bernhard,

see my comments inline and below.

> Hi Wouter,
>
> It is the "interface-automatic: yes" statement. It overrides the other
> interface statements and listens on port 53. If you remove that I think
> you have a better shot at making it work.

Yes, that makes it work. Thanks a lot.

> I've had the same issue and got lucky with interface-automatic. But I
> would not have guessed from the manpage that listening-on-something and
> interface-automatic are related in any way.
>
>        interface-automatic: <yes or no>
>               Detect source interface on UDP queries and copy them to replies.
>               This feature is experimental, and needs support in your OS for
>               particular socket options. Default value is no

Same here, I'd appreciate an addendum to the man page entry that clarifies the
behaviour.

I think I enabled interface-automatic ~2 years back when I saw Unbound reply with
the wrong source address to queries, thereby breaking client lookups.

If that happens again, you'll hear back from me. Thanks so far!

> Bernhard

Best,

Martin