Hi Bruce,

I have configured a test server at Men & Mice with:

interface: 10.99.9...@9000

and output of netstat -na | grep 9000

tcp 0 0 10.99.99.1:9000 0.0.0.0:* LISTEN
udp 0 0 10.99.99.1:9000 0.0.0.0:*

Notice that UDP ports never display the "LISTEN" state as the TCP ports do.

> and sees it listening (netstat -na|grep -I listen or netstat -tnlp | grep
> unbound or netstat -anlp | grep unbound)

I can't quite see from your command there below, but in your grep command you are using a -i switch (lower case i for case-insensitive).

Hope this helps!

Best regards
Arni.

Arni Birgisson
Professional Services
Men & Mice
Address: Noatun 17, IS-105, Reykjavik, Iceland
Phone: +354-412-1500
Email: [email protected]
www.menandmice.com

Men & Mice
We bring control and flexibility to network management
Disclaimer: www.menandmice.com/disclaimer

On Oct 27, 2010, at 7:56 PM, Hayward, Bruce wrote:

> Before I spend more on this (I even have Iptables firewall logs running as
> well as the usual assortment)
>
> Is there someone out there that has configured an interface in the
> unbound.conf to a port other than 53? (something in the private/dynamic range)
>
> Per the unbound.conf man:
> interface: <ip addre...@port]>
>
> and sees it listening (netstat -na|grep -I listen or netstat -tnlp | grep
> unbound or netstat -anlp | grep unbound)
>
> ?
>
> Thanks
>
> Bruce
>
> Bruce Hayward, MTS Allstream Inc., (p) 204-958-1983 (e)
> [email protected]
>
>
> -----Original Message-----
> From: Ondřej Surý [mailto:[email protected]]
> Sent: October 27, 2010 12:46 PM
> To: Hayward, Bruce
> Cc: [email protected]
> Subject: Re: [Unbound-users] Unbound and Bind Views
>
> Hi,
>
> On Wed, Oct 27, 2010 at 19:32, Hayward, Bruce
> <[email protected]> wrote:
>> Hi
>>
>> Would then:
>>
>> iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 53 -j REDIRECT
>> --to-port 49152
>
> I think so, but it's a long time since I had to use iptables.
>
>> regardless of IP address direct any ip hitting port 53 to redirect to port
>> 49152?
>>
>> Also do not see the port showing up with the netstat regardless of options -
>> does unbound not open that port when configured?
>
> Try: netstat -tnlp and -unlp and if the port doesn't show up then
> check the logs. (Well check the log file anyway as a first thing when
> something doesn't work as expected...)
>
> r...@ookami:~# netstat -tnlp | grep unbound
> tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN 1715/unbound
> tcp 0 0 127.0.0.1:953 0.0.0.0:* LISTEN 1715/unbound
> tcp6 0 0 ::1:53 :::* LISTEN 1715/unbound
> tcp6 0 0 ::1:953 :::* LISTEN 1715/unbound
> r...@ookami:~# netstat -anlp | grep unbound
> tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN 1715/unbound
> tcp 0 0 127.0.0.1:953 0.0.0.0:* LISTEN 1715/unbound
> tcp6 0 0 ::1:53 :::* LISTEN 1715/unbound
> tcp6 0 0 ::1:953 :::* LISTEN 1715/unbound
> udp 0 0 127.0.0.1:53 0.0.0.0:* 1715/unbound
> udp6 0 0 ::1:53 :::* 1715/unbound
> unix 3 [ ] STREAM CONNECTED 9599 1715/unbound
> unix 3 [ ] STREAM CONNECTED 9598 1715/unbound
> unix 2 [ ] DGRAM 9586 1715/unbound
>
>
>> -----Original Message-----
>> From: Ondřej Surý [mailto:[email protected]]
>> Sent: October 27, 2010 12:22 PM
>> To: Hayward, Bruce
>> Cc: [email protected]
>> Subject: Re: [Unbound-users] Unbound and Bind Views
>>
>> On Wed, Oct 27, 2010 at 19:14, Hayward, Bruce
>> <[email protected]> wrote:
>>> Hi
>>>
>>> I've been hammering my way through this.
>>>
>>> The tool that I have on the RHEL servers is iptables (not something that we
>>> normally use)
>>>
>>> I have figured out enough to know that I cannot use port forwarding as this
>>> is to localhost. But must use the port redirect option E.g.
>>> iptables -t nat -A PREROUTING -p tcp -d 142.161.130.xxx --dport 53 -j
>>> REDIRECT --to-ports 49152
>>> iptables -t nat -A PREROUTING -p udp -d 142.161.130.xxx --dport 53 -j
>>> REDIRECT --to-ports 49152
>>>
>>> Means if 142.161.130.xxx will connect at port 53 of this server then it
>>> will actually be connected to 49152
>>
>> I think you need -s 142... and not -d 142... here. -s is source
>> address, -d is destination address.
>>
>>> And in the unbound.conf file I have setup
>>> interface: 142.161.130....@49152
>>> interface: 142.161.130....@49152
>>> interface: 127.0....@53
>>> interface: 127.0....@49152
>>>
>>> When I do a netstat -na|grep -i listen - I do not see the port 49152
>>> listening.
>>
>>> What am I missing?
>>
>> -l switch to netstat.
>>
>>> Bruce
>>>
>>> Bruce Hayward, MTS Allstream Inc., (p) 204-958-1983 (e)
>>> [email protected]
>>>
>>>
>>> -----Original Message-----
>>> From: Ondřej Surý [mailto:[email protected]]
>>> Sent: October 25, 2010 8:33 AM
>>> To: Hayward, Bruce
>>> Cc: [email protected]
>>> Subject: Re: [Unbound-users] Unbound and Bind Views
>>>
>>> Hi Bruce,
>>>
>>> it should be fairly easy to accomplish both options using DNAT on linux
>>> (or using other translation mechanisms either on the router or on the
>>> end box).
>>>
>>> f.e. on linux you can use:
>>>
>>> - 10.10.10.1 is the normal address
>>> - 10.10.10.2 is extra address you use to serve internal clients (can
>>> be localhost if NATed on the box)
>>> - 192.168.1.1/32 is the specific CIDR
>>>
>>> iptables -t nat -A PREROUTING -s 192.168.1.1/32 -d 10.10.10.1 -j DNAT
>>> --to-destination 10.10.14.2
>>>
>>> If you do the NAT on the router before, it has the added benefit of
>>> splitting the load (so you can provide less loaded service to your
>>> customers... etc.)
>>>
>>> Ondrej
>>>
>>> On Mon, Oct 25, 2010 at 15:18, Hayward, Bruce
>>> <[email protected]> wrote:
>>>> Hey
>>>>
>>>> On specific resolvers we use bind views to direct those who come from an
>>>> IP in a specific CIDR to use a specific zone. We have two cases of these
>>>> views.
>>>>
>>>> We also use views to isolate those that should only use internal zones
>>>> versus those that should not use internal zones (external customers)
>>>>
>>>> Those that do not come from an IP in a specific CIDR use a global zone.
>>>>
>>>> "Views" were introduced in Bind 9.
>>>>
>>>> http://oreilly.com/pub/a/oreilly/networking/news/views_0501.html
>>>>
>>>> Bruce
>>>>
>>>> Bruce Hayward, MTS Allstream Inc., (p) 204-958-1983 (e)
>>>> [email protected]
>>>>
>>>>
>>>> -----Original Message-----
>>>> From: [email protected]
>>>> [mailto:[email protected]] On Behalf Of Ondrej Surý
>>>> Sent: October 21, 2010 9:52 AM
>>>> To: [email protected]
>>>> Subject: Re: [Unbound-users] Unbound and Bind Views
>>>>
>>>> Hey Bruce,
>>>>
>>>> I think that it's pretty well documented in the mail you sent a
>>>> link... you setup two unbound instances and mangle the traffic from
>>>> set of ip addresses using standard firewall/nat features your
>>>> operating system has.
>>>>
>>>> Anyway maybe if you can explain what you are trying to accomplish then
>>>> we can propose alternative without views.
>>>>
>>>> Ondrej
>>>>
>>>> On Thu, Oct 21, 2010 at 15:32, Hayward, Bruce
>>>> <[email protected]> wrote:
>>>>>
>>>>> One area of Bind that we use is views to direct traffic.
>>>>>
>>>>> Before we can switch to Unbound, we would need a means of emulating
>>>>> views.
>>>>>
>>>>> In researching this (on Google) I came across a thread discussing this:
>>>>> http://www.mail-archive.com/[email protected]/msg00337.html
>>>>>
>>>>> Has anyone documented steps to accomplish this?
>>>>>
>>>>> Thanks
>>>>>
>>>>> Bruce
>>>>>
>>>>> Bruce Hayward, MTS Allstream Inc., (p) 204-958-1983 (e)
>>>>> [email protected]
>>>>>
>>>>>
>>>>> Is it really necessary to print this email?
>>>>>
>>>>> MTS ALLSTREAM INC. CONFIDENTIALITY WARNING: This email message is
>>>>> confidential and intended only for the named recipient(s). If you are
>>>>> not the intended recipient, or an agent responsible for delivering it to
>>>>> the intended recipient, or if this message has been sent to you in error,
>>>>> you are hereby notified that any review, use, dissemination, distribution
>>>>> or copying of this message or its contents is strictly prohibited. If
>>>>> you have received this message in error, please notify the sender
>>>>> immediately and delete the original message. If there is an agreement
>>>>> attached with this message, such agreement will not be binding until it
>>>>> is signed by all parties named therein.
>>>>
>>>>
>>>> --
>>>> Ondřej Surý <[email protected]>
>>>>
>>>
>>>
>>> --
>>> Ondřej Surý <[email protected]>
>>>
>>
>>
>> --
>> Ondřej Surý <[email protected]>
>>
>
>
> --
> Ondřej Surý <[email protected]>
>
_______________________________________________ Unbound-users mailing list [email protected] http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users
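As an added example that is not part of the thread, the following Python script parses `netstat -anlp`-style output like the listing Ondřej posted and checks whether a resolver is bound on a given address and port. It treats TCP and UDP differently for the reason Arni points out: TCP sockets show a LISTEN state, UDP sockets have no state column at all, so a `grep -i listen` filter silently drops every UDP line. The sample lines are constructed (documentation address 192.0.2.10, the port 49152 from the discussion, and a PID/program column modelled on the thread's `1715/unbound`); nothing here is Unbound's or Men & Mice's code.

```python
#!/usr/bin/env python3
"""Check whether a DNS resolver (e.g. unbound) is bound on a non-standard port
by parsing `netstat -anlp`-style output, handling TCP and UDP differently.

Added example, not code from the thread. The sample output below is
constructed: a documentation address (192.0.2.10) and the port 49152 from
the discussion, with the PID/program column modelled on Ondřej's listing.
"""
import re
from typing import Dict, List, NamedTuple, Optional, Tuple


class Socket(NamedTuple):
    proto: str      # tcp, tcp6, udp, udp6
    local: str      # local address:port as printed by netstat -n
    state: str      # LISTEN, ESTABLISHED, ... or "" for UDP (no state column)
    program: str    # PID/program name from the -p column


# Constructed sample of `netstat -anlp | grep unbound` after adding
# `interface: 192.0.2.10@49152` to unbound.conf.
SAMPLE_NETSTAT = """\
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN      1715/unbound
tcp        0      0 192.0.2.10:49152        0.0.0.0:*               LISTEN      1715/unbound
tcp        0      0 127.0.0.1:953           0.0.0.0:*               LISTEN      1715/unbound
tcp6       0      0 ::1:53                  :::*                    LISTEN      1715/unbound
udp        0      0 127.0.0.1:53            0.0.0.0:*                           1715/unbound
udp        0      0 192.0.2.10:49152        0.0.0.0:*                           1715/unbound
udp6       0      0 ::1:53                  :::*                                1715/unbound
unix  3      [ ]         STREAM     CONNECTED     9599     1715/unbound
"""

# proto recv-q send-q local remote [state] pid/program; the state column is
# simply absent for UDP, which is why the regex makes it optional.
LINE_RE = re.compile(
    r"^(?P<proto>tcp6?|udp6?)\s+\d+\s+\d+\s+(?P<local>\S+)\s+(?P<remote>\S+)"
    r"(?:\s+(?P<state>[A-Z_]+))?\s+(?P<program>\d+/\S+)\s*$"
)


def parse_netstat(text: str) -> List[Socket]:
    """Turn netstat lines into Socket records; unix sockets and headers are skipped."""
    socks = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            socks.append(Socket(m["proto"], m["local"], m["state"] or "", m["program"]))
    return socks


def split_local(local: str) -> Tuple[str, Optional[int]]:
    """Split 'host:port' on the last colon so IPv6 literals like ::1:53 work."""
    host, _, port = local.rpartition(":")
    return host, int(port) if port.isdigit() else None


def grep_listen(text: str) -> List[str]:
    """Model `netstat -na | grep -i listen`: keeps only lines mentioning LISTEN."""
    return [line for line in text.splitlines() if "listen" in line.lower()]


def check_binding(socks: List[Socket], addr: str, port: int,
                  program: str = "unbound") -> Dict[str, bool]:
    """Report whether `program` is bound on addr:port for TCP and for UDP.

    TCP counts only when the socket is in LISTEN state; UDP sockets have no
    state, so the presence of a bound socket is the whole check."""
    found = {"tcp": False, "udp": False}
    for s in socks:
        host, p = split_local(s.local)
        if host != addr or p != port or not s.program.endswith("/" + program):
            continue
        family = s.proto.rstrip("6")          # fold tcp6/udp6 into tcp/udp
        if family == "tcp" and s.state == "LISTEN":
            found["tcp"] = True
        elif family == "udp":
            found["udp"] = True
    return found


if __name__ == "__main__":
    sockets = parse_netstat(SAMPLE_NETSTAT)
    print("bound on 192.0.2.10:49152:", check_binding(sockets, "192.0.2.10", 49152))
    print("lines surviving `grep -i listen`:", len(grep_listen(SAMPLE_NETSTAT)),
          "(UDP sockets are never among them)")
```

Run it against real output with `netstat -anlp | python3 -c 'import sys, check; ...'` or just feed `sys.stdin.read()` to `parse_netstat`; the point of `grep_listen` is only to show that a LISTEN-based filter reports nothing for the UDP side of a resolver, so a port that "does not show up" under such a filter may well be bound.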
