Hi all,
Whilst watching exim logs scroll past on an MTA of my acquaintance, I saw this:
2008-09-17 01:48:03 H=(felix.hopcount.ca) [204.152.186.101] sender verify defer for <nanog-bounces@nanog.org>: host lookup did not complete
2008-09-17 01:48:03 H=(felix.hopcount.ca) [204.152.186.101] F=<nanog-bounces@nanog.org > temporarily rejected RCPT <mjabhop@monster.hopcount.ca>: Could not complete sender verify
which made me scratch my chin. The box in question is running unbound 1.0.2, installed on FreeBSD 7.0 from ports, and /etc/resolv.conf contains "nameserver 127.0.0.1". On the box in question, on an empty cache:
[monster:~]% dig @127.0.0.1 nanog.org soa +short
dns.merit.net. dns.merit.net. 2008090300 28800 14400 2419200 14400
[monster:~]%
and
[monster:~]% dig @127.0.0.1 nanog.org ns +short
dns1.merit.net.
dns2.merit.net.
dns3.merit.net.
[monster:~]%
and other such things are wonderful and as expected, but
[monster:~]% dig @127.0.0.1 nanog.org mx
; <<>> DiG 9.4.2 <<>> @127.0.0.1 nanog.org mx
; (1 server found)
;; global options: printcmd
;; connection timed out; no servers could be reached
[monster:~]%
fails, consistently. BIND9 resolvers on the same network have no such problem:
[calamari:~]% dig @127.0.0.1 version.bind ch txt +short
"9.4.2-P2"
[calamari:~]% dig @127.0.0.1 nanog.org mx
; <<>> DiG 9.4.2-P2 <<>> @127.0.0.1 nanog.org mx
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6129
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 5
;; QUESTION SECTION:
;nanog.org. IN MX
;; ANSWER SECTION:
nanog.org. 1800 IN MX 0 s0.nanog.org.
;; AUTHORITY SECTION:
nanog.org. 9454 IN NS dns2.merit.net.
nanog.org. 9454 IN NS dns3.merit.net.
nanog.org. 9454 IN NS dns1.merit.net.
;; ADDITIONAL SECTION:
s0.nanog.org. 12559 IN A 198.108.95.20
s0.nanog.org. 12559 IN AAAA 2001:48a8:6880:95::20
dns2.merit.net. 167854 IN A 198.109.64.250
dns3.merit.net. 167854 IN A 207.72.112.10
dns1.merit.net. 167854 IN A 198.108.1.43
;; Query time: 1565 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Sep 16 22:01:03 2008
;; MSG SIZE rcvd: 204
[calamari:~]%
Something seems to be going on. Unbound is logging nothing to syslog (but daemon.* is definitely being recorded; I've tested using logger(1)). I am short on ideas of other ways to gather data and figure out what is going on.
Any ideas?
Joe
[monster:~]% uname -a
FreeBSD monster.hopcount.ca 7.0-RELEASE-p4 FreeBSD 7.0-RELEASE-p4 #8: Sat Sep 6 01:12:37 UTC 2008 root@monster.hopcount.ca:/usr/obj/usr/src/sys/GENERIC i386
[monster:~]%
[monster:~]% diff -u /usr/local/etc/unbound/unbound.conf.sample \ > /usr/local/etc/unbound/unbound.conf
--- /usr/local/etc/unbound/unbound.conf.sample 2008-08-15 00:49:47.000000000 +0000
+++ /usr/local/etc/unbound/unbound.conf 2008-09-17 01:33:08.000000000 +0000
@@ -33,6 +33,8 @@
# interface: 192.0.2.153
# interface: 192.0.2.154
# interface: 2001:DB8::5
+ interface: 127.0.0.1
+ interface: 199.212.90.6
# enable this feature to copy the source address of queries to reply.
# Socket options not be supported on all platforms. experimental.
@@ -47,6 +49,7 @@
# outgoing-interface: 192.0.2.153
# outgoing-interface: 2001:DB8::5
# outgoing-interface: 2001:DB8::6
+ outgoing-interface: 199.212.90.4
# number of ports to allocate per thread, determines the size of the
# port range that can be open simultaneously.
@@ -140,6 +143,7 @@
# access-control: ::0/0 refuse
# access-control: ::1 allow
# access-control: ::ffff:127.0.0.1 allow
+ access-control: 199.212.90.0/24 allow
# if given, a chroot(2) is done to the given directory.
# i.e. you can chroot to the working directory, for example,
@@ -183,7 +187,7 @@
# use-syslog: yes
# the pid file.
- # pidfile: "/usr/local/etc/unbound/unbound.pid"
+ # pidfile: "/var/run/unbound/unbound.pid"
# file to read root hints from.
# get one from ftp://FTP.INTERNIC.NET/domain/named.cache
[monster:~]%
)