-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Andrew,

On 12/08/2010 01:35 AM, Andrew Savchenko wrote:
> I'm trying to set up a simple caching resolver using unbound-1.4.7, but
> it fails to work and seems to fall into an infinite loop. This is my
> config:

Not an infinite loop: waiting for data, and getting timeouts.

> server:
>   interface: 0.0.0.0
>   access-control: 127.0.0.1/32 allow
>   verbosity: 5
>   do-ip6: no

This config should resolve names.

> Then I run `unbound-host kernel.org -C /etc/unbound/unbound.conf > unbound.log 2>&1`
> to test. You can see what happens in the attached file unbound.log.
> The program was terminated using ^C eventually. Running the unbound
> daemon gives the same result.
>
> Via tcpdump I can see all these packets sent (see unbound.log), but
> no replies. Bind on the same host works without any problems. I tried
> to stop bind during testing using unbound-host to exclude any
> interference, but this does not help.

So, unbound tries to send queries to root servers. But it never receives
replies. There is thus some sort of over-active firewall that blocks
queries towards the DNS root servers. (It does not block queries to
Google DNS, apparently, so the firewall does not make sense.)

> I tried to fetch the latest root hints from
> ftp://FTP.INTERNIC.NET/domain/named.cache and add a path to the config
> file:
>   root-hints: "/etc/unbound/named.cache"
> but this doesn't help a bit.
>
> Of course, my final setup will be more complicated. It's a sore fact,
> but more complicated things work, while the simple resolver fails. When
> I use the nsd daemon for a local zone it works well (for local zone
> queries):

Yes, because then queries to campus.local do not require the root DNS
servers. Those root servers are still unreachable.

> And another note: without the "do-not-query-localhost: no" option, nsd
> running on 127.0.0.1:10053 will not be queried. This is not so
> obvious and it would be great to point it out somewhere in the
> documentation.

Thanks for that.

> But I want to use unbound's own resolver, and I have absolutely no
> idea what to do now: either I hit some grave bug or I deeply
> misunderstand how unbound should work. Any help will be appreciated.

Your network has strange firewalls. If you `dig @<address of root server> +dnssec +cdflag`
then you send the exact packet that unbound is also sending out.

Best regards,
   Wouter

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAkz/L/cACgkQkDLqNwOhpPiY/wCfQCh+XAAkGNCT7udwD4ZS6XxI
vhUAoI2B18Iq8jBw3lbTlyjVgRdl6GQb
=xz9X
-----END PGP SIGNATURE-----

_______________________________________________
Unbound-users mailing list
[email protected]
http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users
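The reply suggests checking the firewall by sending the same query unbound sends, directly to each root server with `dig @<root> +dnssec +cdflag`. The following is an added example (not code from the thread or from the Unbound project): it parses a root-hints file in the `named.cache` format Andrew downloaded, skips the AAAA addresses when `do-ip6: no` is in effect, and builds one such `dig` probe per root server address so each can be checked in turn. The hints text is constructed here; the `A.ROOT-SERVERS.NET` addresses are the well-known real ones, while `X.ROOT-SERVERS.NET` and its documentation-range addresses are placeholders. The `run_probes` helper is an assumption about how one would drive `dig` and needs a networked host.

```python
"""Added example: turn a root-hints file into per-root-server dig probes."""
import ipaddress
import subprocess
from typing import Dict, List, Tuple

# Constructed sample in the named.cache format. A.ROOT-SERVERS.NET's addresses
# are the real, well-known ones; X.ROOT-SERVERS.NET is a made-up placeholder
# using documentation address ranges.
SAMPLE_HINTS = """\
;       This file holds the information on root name servers needed to
;       initialize cache of Internet domain name servers
.                        3600000      NS    A.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET.      3600000      A     198.41.0.4
A.ROOT-SERVERS.NET.      3600000      AAAA  2001:503:ba3e::2:30
.                        3600000  IN  NS    X.ROOT-SERVERS.NET.
X.ROOT-SERVERS.NET.      3600000  IN  A     192.0.2.53
X.ROOT-SERVERS.NET.      3600000  IN  AAAA  2001:db8::53
"""


def parse_root_hints(text: str) -> Dict[str, List[Tuple[str, str]]]:
    """Return {server name: [(rrtype, address), ...]} for A/AAAA records.

    Lines starting with ';' are comments. Record lines are
    'owner ttl [class] type rdata'; the class field is optional.
    """
    servers: Dict[str, List[Tuple[str, str]]] = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()      # drop comments
        if not line:
            continue
        fields = line.split()
        if len(fields) >= 5 and fields[2].upper() == "IN":
            del fields[2]                         # optional class field
        if len(fields) != 4:
            continue                              # not a record line
        owner, _ttl, rrtype, rdata = fields
        rrtype = rrtype.upper()
        if rrtype not in ("A", "AAAA"):
            continue                              # NS lines carry no address
        try:
            ipaddress.ip_address(rdata)           # reject malformed rdata
        except ValueError:
            continue
        servers.setdefault(owner.lower(), []).append((rrtype, rdata))
    return servers


def build_dig_commands(servers: Dict[str, List[Tuple[str, str]]],
                       qname: str = "kernel.org",
                       ipv6: bool = False) -> List[List[str]]:
    """One dig argv per root address: the probe from the reply, with the
    +dnssec and +cdflag options unbound's own query carries. With ipv6=False
    the AAAA addresses are skipped, matching the thread's 'do-ip6: no'."""
    cmds: List[List[str]] = []
    for name in sorted(servers):
        for rrtype, addr in servers[name]:
            if rrtype == "AAAA" and not ipv6:
                continue
            cmds.append(["dig", "@" + addr, qname, "+dnssec", "+cdflag",
                         "+time=3", "+tries=1"])   # fail fast on a silent drop
    return cmds


def run_probes(cmds: List[List[str]]) -> Dict[str, bool]:
    """Run each dig (needs network) and report which root addresses answered.
    A root server answers with a referral, so a reply shows 'status: NOERROR';
    a firewall that drops the packet leaves dig with a timeout instead."""
    results: Dict[str, bool] = {}
    for cmd in cmds:
        proc = subprocess.run(cmd, capture_output=True, text=True)
        results[cmd[1]] = proc.returncode == 0 and "status: NOERROR" in proc.stdout
    return results


if __name__ == "__main__":
    hints = parse_root_hints(SAMPLE_HINTS)
    for cmd in build_dig_commands(hints):
        print(" ".join(cmd))
    # On a networked host: print(run_probes(build_dig_commands(hints)))
```

Pointing the same probe at a resolver that is known to work from that host (the reply mentions Google DNS) and at each root address side by side makes the firewall asymmetry visible: the packets are the same, only the destination differs.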
