Some Problems With Unbound Under CentOS8


Good morning,

I have detected two strange problems with unbound under CentOS8 (fully patched). I have tried same configuration in an OpenBSD host, and these problems do not appear.

a/ Error message “connection refused”. I am using this unbound server to resolve DNS records for our internal domain (Bind9 is configured to listen on the localhost interface, port 5353 udp, on the same host where unbound runs). When I try to run an nslookup query like this:

;; Connection to 127.0.0.1#53(127.0.0.1) for my.internal.dom failed: connection refused. And I don’t understand why. Bind9 resolves this without problems, but unbound returns connection refused. Unbound is configured to listen on 0.0.0.0 and allow all connections (access-control: 0.0.0.0/0 allow). The strange thing is that it only happens with that kind of request; any other request works fine.

b/ Unbound tries to connect to the root DNS servers directly. Every time unbound starts, it tries to connect to the root DNS servers directly and not through the internal DNS. I am using a second unbound server as a caching nameserver in a DMZ zone, and the unbound anchor timer service is disabled. My forward config is:

forward-zone:
    name: "."
    forward-addr: 172.22.54.6@53

Any idea why these problems occur?

4 thoughts on - Some Problems With Unbound Under CentOS8

  • So I have only set up unbound on RHEL, and this is how we have always expected it to work as a secure proxy. That would mean it is meant to talk to the ROOT domains and also give bad answers for zones which the ROOT zones do not have a subdomain for.

    The CentOS-8 version is compiled with the following options, which may be causing some of this (would need to see how the OpenBSD one is compiled):

    configure_args --with-libevent --with-pthreads --with-ssl \
    --disable-rpath --disable-static \
    --enable-relro-now --enable-pie \
    --enable-subnet --enable-ipsecmod \
    --with-conf-file=%{_sysconfdir}/%{name}/unbound.conf \
    --with-pidfile=%{_localstatedir}/run/%{name}/%{name}.pid \
    --enable-sha2 --disable-gost --enable-ecdsa \
    --with-rootkey-file=%{_sharedstatedir}/unbound/root.key

    The CentOS-7 one is:

    %configure --with-libevent --with-pthreads --with-ssl \
    --disable-rpath --disable-static \
    --enable-subnet --enable-ipsecmod \
    --with-conf-file=%{_sysconfdir}/%{name}/unbound.conf \
    --with-pidfile=%{_localstatedir}/run/%{name}/%{name}.pid \
    %if %{with_python}
    --with-pythonmodule --with-pyunbound \
    %endif
    --enable-sha2 --disable-gost --enable-ecdsa \
    --with-rootkey-file=%{_sharedstatedir}/unbound/root.key

    Looking through the default configs, it seems this is the ‘default’ in many ways (fetching the root items to get the latest keys etc. needs to be turned off), and you need to change a lot of flags to do otherwise. You would need to see what all the differences between the OpenBSD and the RHEL ones are.

    Sorry I can’t be of much more help.

    forward-zone:

    forward-addr: 172.22.54.6@53


    Stephen J Smoogen.

  • Hi Stephen,

    Many thanks for your answer. Unbound under OpenBSD is compiled with these options:

    Version 1.9.4

    Configure line: --enable-allsymbols --with-ssl=/usr --with-libevent=/usr --with-libexpat=/usr --without-pythonmodule --with-chroot-dir=/var/unbound --with-pidfile= --with-rootkey-file=/var/unbound/db/root.key --with-conf-file=/var/unbound/etc/unbound.conf --with-username=_unbound --disable-shared --without-pthreads
    Linked libs: pluggable-libevent 1.4.15-stable (it uses kqueue), LibreSSL 3.0.2
    Linked modules: dns64 respip validator iterator

    But maybe this is not the problem … The most relevant difference is the “disable-rpath” flag under CentOS … I have tried a RHEL 8.1 VM and the problem is the same as in CentOS8 …

  • That may also be the difference. RHEL-8 is 1.7.3 so I don’t know if that added features or config options which the 1.9.4 has in it.

    OK I am going with version differences or config options. Are you using the defaults with only an additional file mod for your local dns or something else?


    Stephen J Smoogen.

  • Many thanks Stephen. I am using the following options:

    server:
        interface: 0.0.0.0
        do-ip6: no

        access-control: 0.0.0.0/0 refuse
        access-control: 127.0.0.0/8 allow
        access-control: ::0/0 refuse
        access-control: ::1 allow
        access-control: 172.22.55.0/27 allow

        hide-identity: yes
        hide-version: yes

        do-tcp: no
        do-not-query-localhost: no
        extended-statistics: yes
        so-reuseport: yes
        use-caps-for-id: yes
        unblock-lan-zones: yes
        insecure-lan-zones: yes
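    A small checker for the access-control rules in the config above, added here as an example (it is not code from this thread or from Unbound): it parses the access-control lines and reports which action wins for a client address, using Unbound's rule that the most specific matching netblock decides. The sample config is the one quoted in this comment; the fallback of refusing clients that match no rule is this example's own assumption.

    ```python
    import ipaddress

    # Constructed sample: the access-control lines from the comment above.
    SAMPLE_CONF = """
    server:
        interface: 0.0.0.0
        access-control: 0.0.0.0/0 refuse
        access-control: 127.0.0.0/8 allow
        access-control: ::0/0 refuse
        access-control: ::1 allow
        access-control: 172.22.55.0/27 allow
    """


    def parse_access_control(conf_text):
        """Return [(network, action), ...] from the access-control: lines."""
        rules = []
        for raw in conf_text.splitlines():
            line = raw.split("#", 1)[0].strip()      # drop comments
            if not line.startswith("access-control:"):
                continue
            parts = line.partition(":")[2].split()
            if len(parts) != 2:
                raise ValueError(f"malformed access-control line: {raw!r}")
            net_str, action = parts
            # A bare address (e.g. ::1) becomes a /128 or /32 host network.
            rules.append((ipaddress.ip_network(net_str, strict=False), action))
        return rules


    def winning_rule(rules, client_ip):
        """Most specific (longest prefix) matching netblock wins, as in Unbound.
        Returns (network, action) or None when no rule matches."""
        addr = ipaddress.ip_address(client_ip)
        best = None
        for net, action in rules:
            if addr.version == net.version and addr in net:
                if best is None or net.prefixlen > best[0].prefixlen:
                    best = (net, action)
        return best


    def decide(rules, client_ip):
        """Action Unbound would apply; unmatched clients are refused here
        (assumption of this example, not Unbound's full default set)."""
        hit = winning_rule(rules, client_ip)
        return hit[1] if hit else "refuse"


    RULES = parse_access_control(SAMPLE_CONF)
    ```

    Note that a "refuse" rule answers with DNS rcode REFUSED; the "connection refused" in the first post is an ICMP port-unreachable, which only appears when nothing is listening on that address and port.
    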