From owner-freebsd-questions@freebsd.org Sun Oct 15 17:26:55 2017
Date: Sun, 15 Oct 2017 18:26:40 +0100
From: Frank Shute
To: "Ronald F. Guilmette"
Cc: FreeBSD Questions
Subject: Re: Unbound(8) caching resolver no workie on fresh install :-(
Message-ID: <20171015172640.GA4360@woodcruft.co.uk>
In-Reply-To: <4172.1507827505@segfault.tristatelogic.com>
X-Operating-System: FreeBSD 11.1-RELEASE-p1 amd64
User-Agent: Mutt/1.9.1 (2017-09-22)

On Thu, Oct 12, 2017 at 09:58:25AM -0700, Ronald F. Guilmette wrote:
>
> In message
> Erwan Legrand wrote:
>
> >On Thu, Oct 12, 2017 at 6:57 AM, Ronald F. Guilmette
> > wrote:
> >> After the install finished and I booted the new system, I immediately
> >> got some console errors indicating that the various default NTP servers
> >> (I also enabled NTP) were not resolving. :-(
> >
> >This could happen if you forward queries to servers which strip DNSSEC
> >signatures. If that is the case, you have two options: either you stop
> >forwarding to these servers or you disable the DNSSEC support in
> >Unbound.
>
> OK, this is a little bit confusing to me, so please bear with me...
>
> My *router* (Linksys E4200) has been configured to tell DHCP clients
> to use the two public name servers of OpenDNS, i.e. 208.67.222.222
> and 208.67.220.220.
>
> However I'm unclear on what, if anything, this has to do with the Unbound(8)
> caching resolver.
If you're going to run unbound(8) then you want to tell your DHCP clients
to use the local IP of the box unbound is running on, i.e. a local (what
used to be known as a 'Class C') address: 192.168.*.* or 10.*.*.* or
176...etc.

ATM, all your clients are going out on the 'net to the OpenDNS servers for
name resolution.

What you need to do on the box running unbound is configure your
dhclient.conf(5) on that machine to have the following in it:

    interface "re0" {
        prepend domain-name-servers 127.0.0.1;
    }

Obviously, you may need to change "re0" to whatever NIC you use.

For other clients on the LAN, I'd suggest you configure the dhcp server on
your router to give them the local address of your unbound machine as the
nameserver, followed by something out on the 'net in case your unbound
machine goes down.

In unbound.conf(5) you need:

    forward-zone:
        name: "."
        forward-addr: 208.67.222.222 # OpenDNS
        forward-addr: 208.67.220.220 # OpenDNS

Personally, I prefer to use my ISP's nameservers. They're closer and no
shenanigans.

It's also worth grabbing root.hints:

    # fetch https://www.internic.net/domain/named.root -o /var/unbound/named.root
    # chown unbound:wheel /var/unbound/named.root

(maybe make it a monthly cron job) and in unbound.conf you need:

    server:
        root-hints: "/var/unbound/named.root"

>
> During this (fresh) install, I -never- explicitly selected any option that
> would obviously have the effect of telling unbound to forward/route all
> of its DNS queries through any other specific name servers). So why on
> earth would it be doing so?
>
> I mean I -thought- that this was (mostly) the whole point of running a
> local caching resolver, i.e. that *it* would do all of the DNS lookups
> itself, traversing/descending its way, as necessary, down from the root
> zone servers until it found what it was looking for.
>
> I don't know if the OpenDNS servers strip DNSSEC stuff or not, but again,
> I don't see why Unbound(8) should even be using those servers anyway.
> Just because my router is giving those two specific IPv4 addresses to
> each of its DHCP clients, that doesn't mean that any of those clients
> are in any way forced to use them. And I don't see why Unbound(8) would
> be doing so.

My understanding is that if you negotiate a lease from a dhcp server and
it's configured to tell you which nameserver(s) to use, then by default
your resolv.conf will be overwritten with the IPs of those nameserver(s)
and the client's resolver will use them.

Have a look at resolvconf(8) & the manpages referenced in the 'SEE ALSO:'
of that manpage.

Of course, you can change that behaviour.

>
> If it isn't, and if unbound is, as I believed, traversing the DNS tree itself,
> starting from the root each time, then there is nobody and nothing between
> it and the authoritative servers for whatever it happens to be looking
> for -- thus, no filtering of DNSSEC, and thus, the resolution failures
> I described are still mysterious... to me anyway.
>
> What am I missing?

I can't tell you about DNSSEC because I don't use it.
Regards,

-- 
Frank
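As an added example (not code from Frank's post, nor from FreeBSD or Unbound), the POSIX sh script below stages the dhclient.conf and unbound.conf fragments from the reply into a scratch directory, refuses malformed forwarder addresses, and sanity-checks a root-hints file before anything is copied into /etc or /var/unbound. The interface name re0, the OpenDNS forwarders and the /var/unbound/named.root path come from the post; the function names, the staging directory and the sample hints content (using RFC 5737 TEST-NET addresses) are my own constructions.

```shell
#!/bin/sh
# Added example, not from the mailing-list post: stage the Unbound and
# dhclient configuration described in the reply into a scratch directory
# so it can be reviewed before it reaches /etc and /var/unbound.
set -u

# Accept only a dotted-quad IPv4 address whose four octets are 0-255.
valid_ipv4() {
    addr=$1
    case "$addr" in
        *[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    n=0
    oldifs=$IFS; IFS=.
    for octet in $addr; do
        n=$((n + 1))
        [ "${#octet}" -le 3 ] || { IFS=$oldifs; return 1; }
        [ "$octet" -le 255 ] || { IFS=$oldifs; return 1; }
    done
    IFS=$oldifs
    [ "$n" -eq 4 ]
}

# dhclient.conf(5) fragment: resolve through local Unbound first, keeping the
# DHCP-supplied servers after it as a fallback.
render_dhclient_conf() {
    iface=$1
    printf 'interface "%s" {\n    prepend domain-name-servers 127.0.0.1;\n}\n' "$iface"
}

# unbound.conf(5) fragment: root hints plus a forward-zone for "." listing
# the given forwarders. Prints nothing and returns 1 if a forwarder is not a
# valid IPv4 address, or if no forwarder was given.
render_unbound_conf() {
    hints=$1; shift
    [ "$#" -ge 1 ] || return 1
    for a in "$@"; do
        valid_ipv4 "$a" || return 1
    done
    printf 'server:\n    root-hints: "%s"\n\nforward-zone:\n    name: "."\n' "$hints"
    for a in "$@"; do
        printf '    forward-addr: %s\n' "$a"
    done
}

# Sanity check for a fetched named.root: at least one NS record for the root
# zone, and an A (glue) record for every root server name it lists.
check_root_hints() {
    file=$1
    [ -s "$file" ] || return 1
    ns_re='^\.[[:space:]]+[0-9]+[[:space:]]+(IN[[:space:]]+)?NS[[:space:]]'
    ns_count=$(grep -Ec "$ns_re" "$file")
    [ "$ns_count" -ge 1 ] || return 1
    grep -E "$ns_re" "$file" | awk '{print $NF}' | while read -r host; do
        grep -Eq "^${host}[[:space:]]+[0-9]+[[:space:]]+(IN[[:space:]]+)?A[[:space:]]" "$file" || exit 1
    done
}

# Constructed sample hints (real root server names, made-up TEST-NET
# addresses) so the check can be exercised offline. Not a copy of named.root.
SAMPLE_HINTS='.                        3600000      NS    A.ROOT-SERVERS.NET.
.                        3600000      NS    B.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET.      3600000      A     192.0.2.1
B.ROOT-SERVERS.NET.      3600000      A     192.0.2.2
'

# Write both fragments and the hints into DIR. Returns 1 without leaving a
# half-written unbound.conf behind if a forwarder is malformed.
stage_configs() {
    dir=$1; iface=$2; shift 2
    render_unbound_conf "$dir/named.root" "$@" > "$dir/unbound.conf" \
        || { rm -f "$dir/unbound.conf"; return 1; }
    render_dhclient_conf "$iface" > "$dir/dhclient.conf"
    printf '%s' "$SAMPLE_HINTS" > "$dir/named.root"
    check_root_hints "$dir/named.root"
}

# Stand-alone run: stage the configuration from the reply and show it.
work=$(mktemp -d)
if stage_configs "$work" re0 208.67.222.222 208.67.220.220; then
    cat "$work/dhclient.conf" "$work/unbound.conf"
fi
rm -rf "$work"
```

Once staged, `unbound-checkconf /path/to/unbound.conf` will syntax-check the fragment before it is merged into the live file. Two points worth keeping in mind: with a forward-zone for "." present, every query goes to the forwarders and the root hints are never consulted, so the hints only matter if that forward-zone is removed and Unbound recurses from the root itself (the behaviour Ronald expected); and while forwarding is on, DNSSEC validation succeeds only if the forwarders pass signature records through, which is the failure mode Erwan described.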