Re: Some problems with Unbound under CentOS8

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]



On Mon, 30 Mar 2020 at 08:42, Carlos Lopez <clopmz@xxxxxxxxxxx> wrote:

> Hi Stephen,
>
>  Many thanks for your answer. Unbound under OpenBSD is compiled with few
> options:
>
> Version 1.9.4
>
>
That may also be the difference. RHEL-8 is 1.7.3 so I don't know if that
added features or config options which the 1.9.4 has in it.



> Configure line: --enable-allsymbols --with-ssl=/usr --with-libevent=/usr
> --with-libexpat=/usr --without-pythonmodule --with-chroot-dir=/var/unbound
> --with-pidfile= --with-rootkey-file=/var/unbound/db/root.key
> --with-conf-file=/var/unbound/etc/unbound.conf --with-username=_unbound
> --disable-shared --without-pthreads
> Linked libs: pluggable-libevent 1.4.15-stable (it uses kqueue), LibreSSL
> 3.0.2
> Linked modules: dns64 respip validator iterator
>
>  But, maybe this is not the problem ... Most relevance difference is
> "disable-rpath" flag under CentOS ... I have tried a RHEL 8.1 vm and
> problem is the same as is CentOS8 ...
>
>
OK I am going with version differences or config options. Are you using the
defaults with only an additional file mod for your local dns or something
else?



> --
> Regards,
> C. L. Martinez
>
> On 30/03/2020, 14:32, "CentOS on behalf of Stephen John Smoogen" <
> centos-bounces@xxxxxxxxxx on behalf of smooge@xxxxxxxxx> wrote:
>
>     On Mon, 30 Mar 2020 at 03:47, Carlos Lopez <clopmz@xxxxxxxxxxx> wrote:
>
>     > Good morning,
>     >
>     > I have detected two strange problems with unbound under CentOS8
> (fully
>     > patched). I have tried same configuration in an OpenBSD host, and
> these
>     > problems do not appear.
>     >
>     > a/ Error mesage “connection refused”. I am using this unbound server
> to
>     > resolv DNS records for our internal domain (Bind9 is configured to
> listen
>     > in localhost interface, port 5353 udp and in the same host where
> unbound
>     > runs). When I try to run a nslookup query like this:
>     >
>     > > set q=any
>     > > my.internal.dom
>     > ;; Connection to 127.0.0.1#53(127.0.0.1) for my.internal.dom  failed:
>     > connection refused.
>     > >
>     > And I don’t understand why. Bind9 resolves this without problems, but
>     > unbound returns connection refused. Unbound is configured to listen
> in
>     > 0.0.0.0 and allow all connections (access-control: 0.0.0.0/0
> allow). The
>     > strange thing is that it only happens with that kind of request, any
> other
>     > request works fine.
>     >
>     > b/ Unbound tries to connect to Root DNS servers directly. Every time
>     > unbound starts, it tries to connect to root DNS servers directly and
> not
>     > through internal DNS. I am using a second unbound server as a cache
>     > nameserver in a DMZ zone and unbound anchor timer service is
> disabled. My
>     > forward config is:
>     >
>     >
>     So I have only set up unbound on RHEL, and this is how we have always
>     expected it to work as a secure proxy. That would mean it is meant to
> talk
>     to the ROOT domains and also give bad answers for zones which the ROOT
>     zones do not have a subdomain for.
>
>     The CentOS-8 version is compiled with the following options which may
> be
>     causing some of this (would need to see how the openbsd is compiled)
>
>     configure_args --with-libevent --with-pthreads --with-ssl \\\
>                 --disable-rpath --disable-static \\\
>                 --enable-relro-now --enable-pie \\\
>                 --enable-subnet --enable-ipsecmod \\\
>                 --with-conf-file=%{_sysconfdir}/%{name}/unbound.conf \\\
>                 --with-pidfile=%{_localstatedir}/run/%{name}/%{name}.pid
> \\\
>                 --enable-sha2 --disable-gost --enable-ecdsa \\\
>                 --with-rootkey-file=%{_sharedstatedir}/unbound/root.key
>
>
>     The centos-7 is
>
>     %configure  --with-libevent --with-pthreads --with-ssl \
>                 --disable-rpath --disable-static \
>                 --enable-subnet --enable-ipsecmod \
>                 --with-conf-file=%{_sysconfdir}/%{name}/unbound.conf \
>                 --with-pidfile=%{_localstatedir}/run/%{name}/%{name}.pid \
>     %if %{with_python}
>                 --with-pythonmodule --with-pyunbound \
>     %endif
>                 --enable-sha2 --disable-gost --enable-ecdsa \
>                 --with-rootkey-file=%{_sharedstatedir}/unbound/root.key
>
>
>     Looking through the default configs, it seems this is the 'default' in
> many
>     ways (getting the root items to get the latest keys etc need to be
> turned
>     off) and you need to change a lot of flags to do otherwise. You would
> need
>     to see what all the differences between the OpenBSD and the RHEL ones
> are.
>
>     Sorry I can't be of much more help.
>
>
>     forward-zone:
>     >                 name: "."
>
>                     forward-addr: 172.22.54.6@53<mailto:172.22.54.6@53>
>     >
>     > Any idea why these problems occur?
>     >
>     > --
>     > Regards,
>     > C. L. Martinez
>     > _______________________________________________
>     > CentOS mailing list
>     > CentOS@xxxxxxxxxx
>     > https://lists.centos.org/mailman/listinfo/centos
>     >
>
>
>     --
>     Stephen J Smoogen.
>     _______________________________________________
>     CentOS mailing list
>     CentOS@xxxxxxxxxx
>     https://lists.centos.org/mailman/listinfo/centos
>
>
> _______________________________________________
> CentOS mailing list
> CentOS@xxxxxxxxxx
> https://lists.centos.org/mailman/listinfo/centos
>


-- 
Stephen J Smoogen.
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
https://lists.centos.org/mailman/listinfo/centos




[Index of Archives]     [CentOS]     [CentOS Announce]     [CentOS Development]     [CentOS ARM Devel]     [CentOS Docs]     [CentOS Virtualization]     [Carrier Grade Linux]     [Linux Media]     [Asterisk]     [DCCP]     [Netdev]     [Xorg]     [Linux USB]


  Powered by Linux