On Mon, 30 Mar 2020 at 08:42, Carlos Lopez <clopmz@xxxxxxxxxxx> wrote:
> Hi Stephen,
>
> Many thanks for your answer. Unbound under OpenBSD is compiled with few
> options:
>
> Version 1.9.4
>

That may also be the difference. RHEL-8 is 1.7.3 so I don't know if that
added features or config options which the 1.9.4 has in it.

> Configure line: --enable-allsymbols --with-ssl=/usr --with-libevent=/usr
> --with-libexpat=/usr --without-pythonmodule --with-chroot-dir=/var/unbound
> --with-pidfile= --with-rootkey-file=/var/unbound/db/root.key
> --with-conf-file=/var/unbound/etc/unbound.conf --with-username=_unbound
> --disable-shared --without-pthreads
> Linked libs: pluggable-libevent 1.4.15-stable (it uses kqueue), LibreSSL
> 3.0.2
> Linked modules: dns64 respip validator iterator
>
> But, maybe this is not the problem ... The most relevant difference is
> the "disable-rpath" flag under CentOS ... I have tried a RHEL 8.1 vm and
> the problem is the same as in CentOS8 ...
>

OK I am going with version differences or config options. Are you using
the defaults with only an additional file mod for your local dns or
something else?

> --
> Regards,
> C. L. Martinez
>
> On 30/03/2020, 14:32, "CentOS on behalf of Stephen John Smoogen"
> <centos-bounces@xxxxxxxxxx on behalf of smooge@xxxxxxxxx> wrote:
>
> On Mon, 30 Mar 2020 at 03:47, Carlos Lopez <clopmz@xxxxxxxxxxx> wrote:
> >
> > Good morning,
> >
> > I have detected two strange problems with unbound under CentOS8 (fully
> > patched). I have tried the same configuration in an OpenBSD host, and
> > these problems do not appear.
> >
> > a/ Error message "connection refused". I am using this unbound server
> > to resolve DNS records for our internal domain (Bind9 is configured to
> > listen on the localhost interface, port 5353 udp, in the same host where
> > unbound runs). When I try to run an nslookup query like this:
> >
> > > set q=any
> > > my.internal.dom
> > ;; Connection to 127.0.0.1#53(127.0.0.1) for my.internal.dom failed:
> > connection refused.
> >
> > And I don't understand why. Bind9 resolves this without problems, but
> > unbound returns connection refused. Unbound is configured to listen on
> > 0.0.0.0 and allow all connections (access-control: 0.0.0.0/0 allow). The
> > strange thing is that it only happens with that kind of request; any
> > other request works fine.
> >
> > b/ Unbound tries to connect to Root DNS servers directly. Every time
> > unbound starts, it tries to connect to root DNS servers directly and
> > not through internal DNS. I am using a second unbound server as a cache
> > nameserver in a DMZ zone and the unbound anchor timer service is
> > disabled. My forward config is:
> >
>
> So I have only set up unbound on RHEL, and this is how we have always
> expected it to work as a secure proxy. That would mean it is meant to
> talk to the ROOT domains and also give bad answers for zones which the
> ROOT zones do not have a subdomain for.
>
> The CentOS-8 version is compiled with the following options which may
> be causing some of this (would need to see how the openbsd is compiled)
>
> configure_args --with-libevent --with-pthreads --with-ssl \\\
> --disable-rpath --disable-static \\\
> --enable-relro-now --enable-pie \\\
> --enable-subnet --enable-ipsecmod \\\
> --with-conf-file=%{_sysconfdir}/%{name}/unbound.conf \\\
> --with-pidfile=%{_localstatedir}/run/%{name}/%{name}.pid \\\
> --enable-sha2 --disable-gost --enable-ecdsa \\\
> --with-rootkey-file=%{_sharedstatedir}/unbound/root.key
>
> The centos-7 is
>
> %configure --with-libevent --with-pthreads --with-ssl \
> --disable-rpath --disable-static \
> --enable-subnet --enable-ipsecmod \
> --with-conf-file=%{_sysconfdir}/%{name}/unbound.conf \
> --with-pidfile=%{_localstatedir}/run/%{name}/%{name}.pid \
> %if %{with_python}
> --with-pythonmodule --with-pyunbound \
> %endif
> --enable-sha2 --disable-gost --enable-ecdsa \
> --with-rootkey-file=%{_sharedstatedir}/unbound/root.key
>
> Looking through the default configs, it seems this is the 'default' in
> many ways (getting the root items to get the latest keys etc need to be
> turned off) and you need to change a lot of flags to do otherwise. You
> would need to see what all the differences between the OpenBSD and the
> RHEL ones are.
>
> Sorry I can't be of much more help.
>
> > forward-zone:
> > name: "."
> > forward-addr: 172.22.54.6@53
> >
> > Any idea why these problems occur?
> >
> > --
> > Regards,
> > C. L. Martinez
> > _______________________________________________
> > CentOS mailing list
> > CentOS@xxxxxxxxxx
> > https://lists.centos.org/mailman/listinfo/centos
>
> --
> Stephen J Smoogen.

--
Stephen J Smoogen.
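A small config audit written for this thread (it is not code from either poster, nor from the Unbound project): it parses the `forward-zone: name: "."` layout Carlos quoted and flags the two settings most directly tied to his symptoms, `forward-first: yes` (Unbound retries the query with full recursion from the root hints if the forwarder fails) and `do-tcp: no` (Unbound stops answering on TCP, which is where nslookup goes after a truncated ANY answer, and a refused TCP connect is one reading of the error shown). The sample config, including the deliberately bad settings, is constructed; only the forwarder address comes from the message.

```python
# Constructed sample modelled on the forward-zone quoted in the thread;
# do-tcp and forward-first are set deliberately to trigger both findings.
SAMPLE_CONF = """\
server:
    interface: 0.0.0.0
    access-control: 0.0.0.0/0 allow
    do-tcp: no
forward-zone:
    name: "."
    forward-addr: 172.22.54.6@53
    forward-first: yes
"""

def parse_unbound_conf(text):
    """Minimal parser for unbound.conf's 'section:' / 'key: value' layout."""
    server, zones, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and whitespace
        if not line: continue
        if line.endswith(":"):                   # a new section such as server:
            name = line[:-1]
            if name == "server":
                current = server
            elif name == "forward-zone":
                current = {}
                zones.append(current)
            else:
                current = None                   # sections we do not audit
            continue
        if current is None:
            continue
        key, _, value = line.partition(":")     # keys may repeat, so keep lists
        current.setdefault(key.strip(), []).append(value.strip().strip('"'))
    return {"server": server, "forward-zones": zones}

def audit(conf):
    """Findings for the two symptoms: TCP refused on ANY, recursion past '.'."""
    findings = []
    if conf["server"].get("do-tcp", ["yes"])[-1] == "no":
        findings.append("do-tcp is off: truncated answers (typical for ANY) cannot "
                        "be retried over TCP, so clients see 'connection refused'")
    root = [z for z in conf["forward-zones"] if z.get("name", [""])[-1] == "."]
    if not root:
        findings.append("no forward-zone for '.': unbound recurses from the root hints")
    for zone in root:
        if zone.get("forward-first", ["no"])[-1] == "yes":
            findings.append("forward-first on '.': unbound falls back to root "
                            "recursion whenever the forwarder fails")
    return findings
```

Run `audit(parse_unbound_conf(open("/etc/unbound/unbound.conf").read()))` against a real file; an empty list means neither setting explains the behaviour and the cause is elsewhere (version, firewall, or the trust-anchor probe at startup).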