Re: unbound listening sporadically on 0.0.0.0 high ports when configured for 127.0.0.1 ?

2016-06-02 Thread Robert Edmonds via Unbound-users 
Paul Wouters via Unbound-users wrote:
> On Fri, 3 Jun 2016, Daisuke HIGASHI wrote:
> 
> > Subject: Re: unbound listening sporadically on 0.0.0.0 high ports when
> > configured for 127.0.0.1 ?
> 
> >   My guess is: UDP sockets for outgoing query
> > from Unbound to authoritative servers.
> > 
> >  I also see these "listening" UDP sockets at my laptop running unbound
> > when resolver is under load. And I see no them when no load.
> 
> That was my first thought too, but these entries do not have a
> destination IP or port, so it "appears" that these sockets are
> listening. Still it could be that perhaps these are sockets
> that are starting up for use or something?

Unbound doesn't connect() its UDP query sockets to the destination
IP/port, it uses sendto(), TTBOMK. So I wouldn't think the destination
would show up in netstat (or ss or lsof...) output.

-- 
Robert Edmonds
edmo...@debian.org

Re: unbound listening sporadically on 0.0.0.0 high ports when configured for 127.0.0.1 ?

2016-06-02 Thread Paul Wouters via Unbound-users 

On Fri, 3 Jun 2016, Daisuke HIGASHI wrote:


Subject: Re: unbound listening sporadically on 0.0.0.0 high ports when
configured for 127.0.0.1 ?



  My guess is: UDP sockets for outgoing query
from Unbound to authoritative servers.

 I also see these "listening" UDP sockets at my laptop running unbound
when resolver is under load. And I see no them when no load.


That was my first thought too, but these entries do not have a
destination IP or port, so it "appears" that these sockets are
listening. Still it could be that perhaps these are sockets
that are starting up for use or something?

Paul


--
Daisuke HIGASHI


2016-06-03 0:34 GMT+09:00 Paul Wouters via Unbound-users
:


See https://bugzilla.redhat.com/show_bug.cgi?id=1342105

from time to time "netstat -l" shows unbound listening on some
high-ports not
bound to 127.0.0.1 - that makes no sense when the service is
configured for
127.0.0.1 only as a local resolver on a inbound mailfilter

udp0  0 0.0.0.0:42663   0.0.0.0:*
563/unbound
udp0  0 127.0.0.1:530.0.0.0:*
563/unbound
udp0  0 0.0.0.0:12387   0.0.0.0:*
563/unbound

unbound.conf
 interface: 127.0.0.1
 access-control: 127.0.0.0/8 allow
 interface-automatic: no

Paul

Re: unbound listening sporadically on 0.0.0.0 high ports when configured for 127.0.0.1 ?

2016-06-02 Thread Daisuke HIGASHI via Unbound-users 
Hi,

   My guess is: UDP sockets for outgoing query
from Unbound to authoritative servers.

  I also see these "listening" UDP sockets at my laptop running unbound
when resolver is under load. And I see no them when no load.

--
 Daisuke HIGASHI


2016-06-03 0:34 GMT+09:00 Paul Wouters via Unbound-users
:
>
> See https://bugzilla.redhat.com/show_bug.cgi?id=1342105
>
> from time to time "netstat -l" shows unbound listening on some
> high-ports not
> bound to 127.0.0.1 - that makes no sense when the service is
> configured for
> 127.0.0.1 only as a local resolver on a inbound mailfilter
>
> udp0  0 0.0.0.0:42663   0.0.0.0:*
> 563/unbound
> udp0  0 127.0.0.1:530.0.0.0:*
> 563/unbound
> udp0  0 0.0.0.0:12387   0.0.0.0:*
> 563/unbound
>
> unbound.conf
>  interface: 127.0.0.1
>  access-control: 127.0.0.0/8 allow
>  interface-automatic: no
>
> Paul

unbound listening sporadically on 0.0.0.0 high ports when configured for 127.0.0.1 ?

2016-06-02 Thread Paul Wouters via Unbound-users 


See https://bugzilla.redhat.com/show_bug.cgi?id=1342105

from time to time "netstat -l" shows unbound listening on some 
high-ports not
bound to 127.0.0.1 - that makes no sense when the service is configured 
for
127.0.0.1 only as a local resolver on a inbound mailfilter

udp0  0 0.0.0.0:42663   0.0.0.0:*
563/unbound
udp0  0 127.0.0.1:530.0.0.0:*
563/unbound
udp0  0 0.0.0.0:12387   0.0.0.0:*
563/unbound

unbound.conf
 interface: 127.0.0.1
 access-control: 127.0.0.0/8 allow
 interface-automatic: no

Paul

Unbound 1.5.9rc1 pre-release

2016-06-02 Thread W.C.A. Wijngaards via Unbound-users 
Hi,

Unbound 1.5.9rc1 pre-release candidate 1 is available:
http://www.unbound.net/downloads/unbound-1.5.9rc1.tar.gz
sha1 216f9c9bd911822f97e45ecb4f5420d59316f653
sha256 606dcacfcb85c15f76c15798d3c54ccd150a9a0545fafd8a5fdff33888e1cb51
pgp http://www.unbound.net/downloads/unbound-1.5.9rc1.tar.gz.asc

This is the pre-release, for reporting build issues and their ilk.

New IPv6 address for one of the root servers in the default root server
configuration.  And a number of bug fixes, for CD flags to forwarders,
for 0x20 compatibility, for qname-minimisation with DNSSEC.

Features
generic edns option parse and store code.
Updated L root IPv6 address.
User defined pluggable event API for libunbound
ip_freebind: yesno option in unbound.conf sets IP_FREEBIND for
binding to an IP address while the interface or address is down.
OpenSSL 1.1.0 portability, --disable-dsa configure option.
disable-dnssec-lame-check config option from Charles Walker.

Bug Fixes
[bugzilla: 745 ]
Fix unbound.py - idn2dname throws UnicodeError when idnname contains
trailing dot.
configure tests for the weak attribute support by the compiler.
[bugzilla: 747 ]
Fix assert in outnet_serviced_query_stop.
Updated configure and ltmain.sh.
Fixup of compile fix for pluggable event API from P.Y. Adi Prasaja.
Fixup backend2str for libev.
Fix libev usage of dispatch return value.
No side effects in tolower() call, in case it is a macro.
Fix warnings in ifdef corner case, older or unknown libevent.
Fix ip-transparent for ipv6 on FreeBSD, thanks to Nick Hibma.
Fix ip-transparent for tcp on freebsd.
[bugzilla: 746 ]
Fix unbound sets CD bit on all forwards. If no trust anchors, it'll
not set CD bit when forwarding to another server. If a trust anchor, no
CD bit on the first attempt to a forwarder, but CD bit thereafter on
repeated attempts to get DNSSEC.
Limit number of QNAME minimisation iterations.
Validate QNAME minimised NXDOMAIN responses.
If QNAME minimisation is enabled, do cache lookup for QTYPE NS in
harden-below-nxdomain.
Fix compile of getentropy_linux for SLES11 servicepack 4.
Fix dnstap-log-resolver-response-messages, from Nikolay Edigaryev.
Fix test for openssl to use HMAC_Update for 1.1.0.
ERR_remove_state deprecated since openssl 1.0.0.
OPENSSL_config is deprecated, removing.
Document permit-small-holddown for 5011 debug.
[bugzilla: 749 ]
Fix unbound-checkconf gets SIGSEGV when use against a malformatted
conf file.
[bugzilla: 753 ]
Fix document dump_requestlist is for first thread.
Fix some malformed reponses to edns queries get fallback to nonedns.
[bugzilla: 759 ]
Fix 0x20 capsforid no longer checks type PTR, for compatibility with
cisco dns guard. This lowers false positives.
Fix sldns with static checking fixes copied from getdns.
Fix memory leak in out-of-memory conditions of local zone add.
[bugzilla: 761 ]
Fix DNSSEC LAME false positive resolving nic.club.
[bugzilla: 766 ]
Fix dns64 should synthesize results on timeout/errors.
No QNAME minimisation fall-back for NXDOMAIN answers from DNSSEC
signed zones.
[bugzilla: 767 ]
Fix Reference to an expired Internet-Draft in harden-below-nxdomain
documentation.
remove memory leak from lame-check patch.
[bugzilla: 770 ]
Fix Small subgroup attack on DH used in unix pipe on localhost if
unbound control uses a unix local named pipe.
Document write permission to directory of trust anchor needed.
[bugzilla: 768 ]
Fix Unbound Service Sometimes Can Not Shutdown Completely, WER
Report Shown Up. Close handle before closing WSA.
Fix time in case answer comes from cache in ub_resolve_event().
Fix windows service to be created run with limited rights, as a
network service account, from Mario Turschmann.
[bugzilla: 752 ]
Fix retry resource temporarily unavailable on control pipe.
iana ports fetched via https.
iana portlist update.

Best regards, Wouter



signature.asc
Description: OpenPGP digital signature