I have been using unbound as a local recursive DNS server. I just added nsd to serve the local LAN's DNS. nsd is listening on port 53530 and works fine:
$ dig @127.0.0.1 data2.datanet.home -p 53530
; <<>> DiG 9.9.2-P2 <<>> @127.0.0.1 data2.datanet.home -p 53530
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59577
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;data2.datanet.home. IN A
;; ANSWER SECTION:
data2.datanet.home. 600 IN A 192.168.1.62
;; AUTHORITY SECTION:
datanet.home. 600 IN NS ns1.datanet.home.
;; Query time: 0 msec
;; SERVER: 127.0.0.1#53530(127.0.0.1)
;; WHEN: Mon Jun 15 07:16:24 2015
;; MSG SIZE rcvd: 81
Going through the local unbound, it does not work:
$ dig @127.0.0.1 data2.datanet.home
; <<>> DiG 9.9.2-P2 <<>> @127.0.0.1 data2.datanet.home
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 47645
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;data2.datanet.home. IN A
;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Jun 15 07:18:02 2015
;; MSG SIZE rcvd: 47
Here is what I get in the unbound log with verbosity: 4
Jun 15 06:12:39 pizza.yoderdev.com unbound[1947]: [1947:0] info: validator operate: query router.datanet.home. A IN
Jun 15 06:12:39 pizza.yoderdev.com unbound[1947]: [1947:0] debug: validator: pass to next module
Jun 15 06:12:39 pizza.yoderdev.com unbound[1947]: [1947:0] debug: mesh_run: validator module exit state is module_wait_module
Jun 15 06:12:39 pizza.yoderdev.com unbound[1947]: [1947:0] debug: iterator[module 1] operate: extstate:module_state_initial event:
Jun 15 06:12:39 pizza.yoderdev.com unbound[1947]: [1947:0] debug: process_request: new external request event
Jun 15 06:12:39 pizza.yoderdev.com unbound[1947]: [1947:0] debug: iter_handle processing q with state INIT REQUEST STATE
Jun 15 06:12:39 pizza.yoderdev.com unbound[1947]: [1947:0] info: resolving router.datanet.home. A IN
Jun 15 06:12:39 pizza.yoderdev.com unbound[1947]: [1947:0] debug: request has dependency depth of 0
Jun 15 06:12:39 pizza.yoderdev.com unbound[1947]: [1947:0] info: use stub datanet.home. NS IN
Jun 15 06:12:39 pizza.yoderdev.com unbound[1947]: [1947:0] debug: cache delegation returns delegpt
Jun 15 06:12:39 pizza.yoderdev.com unbound[1947]: [1947:0] info: DelegationPoint<datanet.home.>: 0 names (0 missing), 1 addrs (0 r
Jun 15 06:12:39 pizza.yoderdev.com unbound[1947]: [1947:0] debug: ip4 127.0.0.1 port 53530 (len 16)
Jun 15 06:12:39 pizza.yoderdev.com unbound[1947]: [1947:0] debug: iter_handle processing q with state INIT REQUEST STATE (stage 2)
Jun 15 06:12:39 pizza.yoderdev.com unbound[1947]: [1947:0] info: resolving (init part 2): router.datanet.home. A IN
Jun 15 06:12:39 pizza.yoderdev.com unbound[1947]: [1947:0] info: use stub datanet.home. NS IN
Jun 15 06:12:39 pizza.yoderdev.com unbound[1947]: [1947:0] debug: iter_handle processing q with state INIT REQUEST STATE (stage 3)
Jun 15 06:12:39 pizza.yoderdev.com unbound[1947]: [1947:0] info: resolving (init part 3): router.datanet.home. A IN
Jun 15 06:12:39 pizza.yoderdev.com unbound[1947]: [1947:0] debug: iter_handle processing q with state QUERY TARGETS STATE
Jun 15 06:12:39 pizza.yoderdev.com unbound[1947]: [1947:0] info: processQueryTargets: router.datanet.home. A IN
Jun 15 06:12:39 pizza.yoderdev.com unbound[1947]: [1947:0] debug: processQueryTargets: targetqueries 0, currentqueries 0 sentcount
Jun 15 06:12:39 pizza.yoderdev.com unbound[1947]: [1947:0] info: DelegationPoint<datanet.home.>: 0 names (0 missing), 1 addrs (0 r
Jun 15 06:12:39 pizza.yoderdev.com unbound[1947]: [1947:0] debug: ip4 127.0.0.1 port 53530 (len 16)
Jun 15 06:12:39 pizza.yoderdev.com unbound[1947]: [1947:0] debug: attempt to get extra 3 targets
Jun 15 06:12:39 pizza.yoderdev.com unbound[1947]: [1947:0] debug: skip addr on the donotquery list ip4 127.0.0.1 port 53530 (len 1
Jun 15 06:12:39 pizza.yoderdev.com unbound[1947]: [1947:0] debug: No more query targets, attempting last resort
Jun 15 06:12:39 pizza.yoderdev.com unbound[1947]: [1947:0] debug: configured stub servers failed -- returning SERVFAIL
Jun 15 06:12:39 pizza.yoderdev.com unbound[1947]: [1947:0] debug: store error response in message cache
Jun 15 06:12:39 pizza.yoderdev.com unbound[1947]: [1947:0] debug: return error response SERVFAIL
In particular, what is going on with this line?
[1947:0] debug: skip addr on the donotquery list ip4 127.0.0.1 port 53530 (len 1
That seems to be the key, but I don't know why it is saying that.
Here is my entire unbound.conf:
server:
interface: 127.0.0.1
interface: 192.168.1.50
use-syslog: yes
username: "unbound"
directory: "/etc/unbound"
trust-anchor-file: trusted-key.key
access-control: 192.168.1.0/24 allow
verbosity: 2
local-zone: "1.168.192.in-addr.arpa" nodefault
remote-control:
control-enable: yes
control-interface: 127.0.0.1
control-port: 8953
server-key-file: "/etc/unbound/unbound_server.key"
server-cert-file: "/etc/unbound/unbound_server.pem"
control-key-file: "/etc/unbound/unbound_control.key"
control-cert-file: "/etc/unbound/unbound_control.pem"
stub-zone:
name: "datanet.home"
stub-addr: 127.0.0.1@53530
# stub-first: yes
stub-zone:
name: "1.168.192.in-addr.arpa"
stub-addr: 127.0.0.1@53530
The nsd.conf has lots of comments, so I am not sure whether I should paste it, but in any case nsd seems to work fine. It is practically the same as the included example, apart from changing the port, enabling control and adding the zones.
I am stumped by this, so any ideas would be appreciated!
Answer 1
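The question's verbosity-4 log already contains the whole story of the failure (stub chosen, target skipped, last resort, SERVFAIL), but it is easy to miss in a wall of debug lines. As an added example that is not part of the original post, the following Python script pulls out the query, the stub zone, any targets Unbound skipped because of its do-not-query lists, and the final rcode, and turns them into a hint. The sample input is the question's own log lines; the regexes and the hint wording are this example's assumptions, not anything Unbound itself provides.

```python
import ipaddress
import re

# Sample input: the log lines from the question above, copied as posted
# (two of them are truncated there, which the regexes below tolerate).
SAMPLE_LOG = """\
Jun 15 06:12:39 pizza.yoderdev.com unbound[1947]: [1947:0] info: resolving router.datanet.home. A IN
Jun 15 06:12:39 pizza.yoderdev.com unbound[1947]: [1947:0] info: use stub datanet.home. NS IN
Jun 15 06:12:39 pizza.yoderdev.com unbound[1947]: [1947:0] debug: ip4 127.0.0.1 port 53530 (len 16)
Jun 15 06:12:39 pizza.yoderdev.com unbound[1947]: [1947:0] debug: skip addr on the donotquery list ip4 127.0.0.1 port 53530 (len 1
Jun 15 06:12:39 pizza.yoderdev.com unbound[1947]: [1947:0] debug: No more query targets, attempting last resort
Jun 15 06:12:39 pizza.yoderdev.com unbound[1947]: [1947:0] debug: configured stub servers failed -- returning SERVFAIL
Jun 15 06:12:39 pizza.yoderdev.com unbound[1947]: [1947:0] debug: return error response SERVFAIL
"""

# Patterns for the handful of Unbound log messages this diagnosis needs.
RESOLVING = re.compile(r"info: resolving (?:\(init part \d+\): )?(\S+) (\S+) IN\b")
USE_STUB = re.compile(r"info: use stub (\S+) NS IN")
SKIP_DNQ = re.compile(r"skip addr on the donotquery list ip[46] (\S+) port (\d+)")
STUB_FAILED = re.compile(r"configured stub servers failed")
ERROR_RESP = re.compile(r"return error response (\w+)")


def diagnose(log_text):
    """Summarise why a stub-zone lookup failed, from Unbound verbosity-4 log lines.

    Returns a dict with the query, the stub zone used, the upstream targets
    Unbound refused to contact (split into loopback and other), whether all
    stub servers failed, the rcode returned, and human-readable hints.
    """
    report = {"query": None, "stub_zone": None, "skipped_localhost": [],
              "skipped_other": [], "stub_servers_failed": False,
              "rcode": None, "hints": []}
    for line in log_text.splitlines():
        m = RESOLVING.search(line)
        if m and report["query"] is None:
            report["query"] = f"{m.group(1)} {m.group(2)}"
        m = USE_STUB.search(line)
        if m:
            report["stub_zone"] = m.group(1)
        m = SKIP_DNQ.search(line)
        if m:
            addr, port = m.group(1), int(m.group(2))
            target = f"{addr}@{port}"
            # Loopback targets are skipped by the do-not-query-localhost default,
            # anything else by an explicit do-not-query-address entry.
            if ipaddress.ip_address(addr).is_loopback:
                report["skipped_localhost"].append(target)
            else:
                report["skipped_other"].append(target)
        if STUB_FAILED.search(line):
            report["stub_servers_failed"] = True
        m = ERROR_RESP.search(line)
        if m:
            report["rcode"] = m.group(1)

    if report["skipped_localhost"] and report["stub_servers_failed"]:
        report["hints"].append(
            "the stub server is on loopback but do-not-query-localhost defaults "
            "to yes; set do-not-query-localhost: no in the server section")
    if report["skipped_other"]:
        report["hints"].append(
            "the stub server matches a do-not-query-address entry; remove it there")
    if report["stub_servers_failed"] and not (
            report["skipped_localhost"] or report["skipped_other"]):
        report["hints"].append(
            "no target was skipped, yet every stub server failed; check that the "
            "server answers on the configured address and port")
    return report


if __name__ == "__main__":
    for key, value in diagnose(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Feed it the relevant slice of syslog (for example the lines between "resolving" and "return error response" for one query) rather than the whole journal; the hints are only meaningful per query.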
This log line indicates the problem:
Jun 15 06:12:39 pizza.yoderdev.com unbound[1947]: [1947:0] debug: skip addr on the donotquery list ip4 127.0.0.1 port 53530 (len 1
By default, Unbound refuses to send any DNS queries to localhost. To allow it to query localhost, set do-not-query-localhost to no in the server section of the Unbound configuration:
server:
interface: 127.0.0.1
interface: 192.168.1.50
[...]
do-not-query-localhost: no
See the unbound.conf documentation for a description of the option.
Answer 2
I ran into the same problem in a split-horizon DNS context: the Unbound log showed that an "incoming scrubbed packet" (obtained from NSD) contained the IP address/CNAME entry in question, but after "finishing processing" the latter was not passed on.
Eventually, adding the equivalent of domain-insecure: "datanet.home" solved it for me, using Unbound v1.12.0 and NSD v4.3.3.
Answer 3
I got similar error messages with an almost identical configuration, except that I had the following option:
tls-upstream: yes
That option made unbound expect upstream queries for forwarded and stub zones to be made over TLS-only transport. However, my authoritative NSD server hosting the stub zones was configured only for local connections and without TLS. This can also cause the SERVFAIL response.
The proper configuration was to set tls-upstream to no and instead set forward-tls-upstream to yes within the forward-zone section, if the stub zones are also not configured for TLS transport.
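Both of the configuration pitfalls in this thread (Answer 1: a stub server on loopback while do-not-query-localhost keeps its default of yes; Answer 3: tls-upstream: yes while the stub server does not speak TLS) can be caught by reading unbound.conf before the first SERVFAIL shows up. The script below is an added example, not part of any answer and not a tool shipped with Unbound: it parses the flat section/key-value shape of unbound.conf (includes and other syntax are not handled, an assumption of this example) and reports those two conditions. The sample configuration is a reduced copy of the question's unbound.conf with the tls-upstream line from Answer 3 added so that both checks trigger.

```python
import ipaddress
import re

# Constructed sample: the question's unbound.conf reduced to the relevant
# parts, plus the tls-upstream option from Answer 3.
SAMPLE_CONF = """\
server:
    interface: 127.0.0.1
    interface: 192.168.1.50
    tls-upstream: yes
    access-control: 192.168.1.0/24 allow
stub-zone:
    name: "datanet.home"
    stub-addr: 127.0.0.1@53530
    # stub-first: yes
stub-zone:
    name: "1.168.192.in-addr.arpa"
    stub-addr: 127.0.0.1@53530
"""

SECTION_RE = re.compile(r"^([a-z-]+):\s*$")


def parse_unbound_conf(text):
    """Parse unbound.conf into a list of (section, {key: [values]}) in file order.

    Handles only 'section:' headers and 'key: value' lines; comments are
    stripped and quoted values are unquoted. Repeated keys keep every value.
    """
    sections = []
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = (m.group(1), {})
            sections.append(current)
            continue
        if current is None or ":" not in line:
            continue
        key, value = line.split(":", 1)
        current[1].setdefault(key.strip(), []).append(value.strip().strip('"'))
    return sections


def lint(text):
    """Return findings for the two misconfigurations discussed in this thread."""
    sections = parse_unbound_conf(text)
    server = {}
    for name, opts in sections:
        if name == "server":
            for key, values in opts.items():
                server.setdefault(key, []).extend(values)
    # Unbound's defaults: do-not-query-localhost: yes, tls-upstream: no.
    dnq_localhost = server.get("do-not-query-localhost", ["yes"])[-1].lower()
    tls_upstream = server.get("tls-upstream", ["no"])[-1].lower()

    findings = []
    have_stub_zone = False
    for name, opts in sections:
        if name not in ("stub-zone", "forward-zone"):
            continue
        zone = opts.get("name", ["?"])[0]
        have_stub_zone = have_stub_zone or name == "stub-zone"
        key = "stub-addr" if name == "stub-zone" else "forward-addr"
        for addr in opts.get(key, []):
            host = addr.rsplit("@", 1)[0]      # strip the @port suffix
            try:
                on_loopback = ipaddress.ip_address(host).is_loopback
            except ValueError:
                continue                       # hostnames are not checked here
            if on_loopback and dnq_localhost != "no":
                findings.append(
                    f"{name} {zone}: {key} {addr} is on loopback but "
                    f"do-not-query-localhost is not 'no' (default yes); Unbound "
                    f"will skip this target and answer SERVFAIL")
    if tls_upstream == "yes" and have_stub_zone:
        findings.append(
            "server: tls-upstream: yes also applies to stub-zone upstreams; if "
            "the stub server does not offer TLS, set tls-upstream: no and put "
            "forward-tls-upstream: yes in the forward-zone sections that need TLS")
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_CONF) or ["no findings"]:
        print(finding)
```

Run it against the real file with `lint(open("/etc/unbound/unbound.conf").read())`; an empty list means neither pitfall is present, and `unbound-checkconf` remains the authority on whether the file is syntactically valid.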