[CentOS] Problems with dnscrypt's package from EPEL

2017-12-09 Thread C. L. Martinez
Hi all,

I have installed dnscrypt's rpm package from the EPEL repo under CentOS 7.4 and
am using unbound as a resolver. But I see constant timeouts and responses are
very slow ... Using the same config in a Debian 9 virtual machine, all works ok.

I think the problem is with dnscrypt's rpm package provided by EPEL. Has anyone
seen similar problems?

Thanks.

-- 
Greetings,
C. L. Martinez
___
CentOS mailing list
CentOS@centos.org
https://lists.centos.org/mailman/listinfo/centos


Re: [CentOS] Problems with dnscrypt's package from EPEL

2017-12-09 Thread Stephen John Smoogen
On 9 December 2017 at 14:04, C. L. Martinez  wrote:
> Hi all,
>
>  I have installed dnscrypt's rpm package from EPEL repo under a CentOS 7.4 
> and using unbound as a resolver. But, I see constant timeouts and responses 
> are very slow ... Using same config in a Debian 9 virtual machine, all works 
> ok.
>
>  I think the problem is with dnscrypt's rpm package provided by EPEL. Anyone 
> have seen similar problems?
>

Can you give some more information on what you are seeing and how you
have it set up? I can try to duplicate it in EPEL and/or put in bugs
on the package.





-- 
Stephen J Smoogen.


Re: [CentOS] Problems with dnscrypt's package from EPEL

2017-12-09 Thread C. L. Martinez
On Sat, Dec 09, 2017 at 03:03:52PM -0500, Stephen John Smoogen wrote:
> Can you give some more information on what you are seeing and how you
> have it set up? I can try to duplicate it in EPEL and/or put in bugs
> on the package.
> 
> 

Of course and thanks in advance Stephen. My dnscrypt startup scripts use the 
following options:

[Service]
Type=forking
PIDFile=/var/run/dnscrypt-cs.pid
ExecStart=/usr/sbin/dnscrypt-proxy \
  --daemonize \
  --user=nobody \
  --pidfile=/var/run/dnscrypt-cs.pid \
  --ephemeral-keys \
  --resolver-name=cs-fi \
  --logfile=/tmp/cs.log \
  --local-address=127.0.0.1:6354
Restart=on-abort

[Service]
Type=forking
PIDFile=/var/run/dnscrypt-ipredator.pid
ExecStart=/usr/sbin/dnscrypt-proxy \
  --daemonize \
  --user=nobody \
  --pidfile=/var/run/dnscrypt-ipredator.pid \
  --ephemeral-keys \
  --resolver-name=ipredator \
  --logfile=/tmp/ipredator.log \
  --local-address=127.0.0.1:6353
Restart=on-abort

And unbound.conf is:

server:
  interface: 127.0.0.1
  interface: 172.22.54.4
  interface: ::1
  port: 53
  do-ip6: no
  do-udp: yes
  do-tcp: yes
  num-threads: 1

  access-control: 0.0.0.0/0 refuse
  access-control: 127.0.0.0/8 allow
  access-control: ::0/0 refuse
  access-control: ::1 allow
  access-control: 172.22.54.0/29 allow
  access-control: 172.22.55.1 allow

  hide-identity: yes
  hide-version: yes

  do-not-query-localhost: no
  val-permissive-mode: yes
  val-clean-additional: yes
  module-config: "validator iterator"

-- 
Greetings,
C. L. Martinez


Re: [CentOS] Problems with dnscrypt's package from EPEL

2017-12-09 Thread C. L. Martinez

Oops .. sorry. There are more options in unbound.conf's file:

remote-control:
  control-enable: yes
  control-use-cert: yes
  control-interface: 127.0.0.1

forward-zone:
  name: "."
  forward-addr: 127.0.0.1@6353
  forward-addr: 127.0.0.1@6354
  forward-addr: 127.0.0.1@6355

Sorry.

-- 
Greetings,
C. L. Martinez


Re: [CentOS] Problems with dnscrypt's package from EPEL

2017-12-10 Thread Stephen John Smoogen
Not sure if this is a factor yet, but your forward-zone is looking for
3 ports but only 2 ports are configured in the systemd startup, so
are 1/3 of all lookups going to fail? Or is the 6355 a 'given' (aka it
will be set up whether 6353 and 6354 are set up)?




-- 
Stephen J Smoogen.
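
The mismatch raised in this reply can be checked mechanically. The following Python sketch is an added example, not code from the thread or from the unbound or dnscrypt-proxy projects: it compares the forward-addr entries in unbound.conf with the --local-address options in the dnscrypt-proxy unit files. The unit file names and the embedded sample text are constructed from the configuration posted earlier in the thread.

```python
import re

# Constructed sample input, modelled on the configuration posted in this thread.
UNBOUND_CONF = """\
forward-zone:
  name: "."
  forward-addr: 127.0.0.1@6353
  forward-addr: 127.0.0.1@6354
  forward-addr: 127.0.0.1@6355
"""

# Unit file names are assumptions; the thread shows only the [Service] sections.
UNIT_FILES = {
    "dnscrypt-cs.service":
        "ExecStart=/usr/sbin/dnscrypt-proxy \\\n  --resolver-name=cs-fi \\\n"
        "  --local-address=127.0.0.1:6354\n",
    "dnscrypt-ipredator.service":
        "ExecStart=/usr/sbin/dnscrypt-proxy \\\n  --resolver-name=ipredator \\\n"
        "  --local-address=127.0.0.1:6353\n",
}

def forward_addrs(conf):
    """Return (ip, port) for each forward-addr line; unbound defaults to port 53."""
    found = []
    for line in conf.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and '#tls-name' suffixes
        m = re.match(r"forward-addr:\s*([^\s@]+)(?:@(\d+))?", line)
        if m:
            found.append((m.group(1), int(m.group(2) or 53)))
    return found

def local_addresses(unit_text):
    """Return (ip, port) for each --local-address= option in a unit file."""
    addrs = []
    for line in unit_text.splitlines():
        if line.lstrip().startswith(("#", ";")):  # systemd comment lines
            continue
        for ip, port in re.findall(r"--local-address=([0-9.]+):(\d+)", line):
            addrs.append((ip, int(port)))
    return addrs

def audit(conf, units):
    """Cross-check unbound forwarders against configured proxy listeners."""
    listeners = {}
    for name, text in units.items():
        for addr in local_addresses(text):
            listeners.setdefault(addr, []).append(name)
    fwd = forward_addrs(conf)
    return {
        "no_listener": [a for a in fwd if a not in listeners],
        "unused_listener": sorted(a for a in listeners if a not in fwd),
        "port_clash": sorted(a for a, names in listeners.items() if len(names) > 1),
    }

if __name__ == "__main__":
    for finding, addrs in audit(UNBOUND_CONF, UNIT_FILES).items():
        print(finding, addrs)
```

This checks configuration only: a unit that is configured but failed to start still counts as a listener here, so the result should be compared with the sockets actually open on the host.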


Re: [CentOS] Problems with dnscrypt's package from EPEL

2017-12-11 Thread C. L. Martinez
Sorry Stephen. I have enabled another dnscrypt process on port 6355 to
test ... But no luck.

On the other hand, I am not sure if dnscrypt is the problem. I have
replaced unbound with dnsmasq and voila! ... It is all working very fast
(and dnsmasq only spends 75 MiB of RAM, when unbound spends 400 MiB).
And no more SERVFAIL errors ... But I don't understand where the
problem with unbound.conf's file is then. Using the same config for dnscrypt
and unbound in a FreeBSD VM, all works ok.



Re: [CentOS] Problems with dnscrypt's package from EPEL

2017-12-14 Thread Stephen John Smoogen
Can you give more information on the unbound setup? We use unbound in
Fedora Infrastructure on RHEL-7 servers. I know there is an SELinux
dance we have to do to start it properly without a special policy...
but I don't know exactly the details on why.




-- 
Stephen J Smoogen.