Skip site navigation (1)Skip section navigation (2)
Date:      Wed, 26 Jun 2019 09:35:22 +0000
From:      bugzilla-noreply@freebsd.org
To:        bugs@FreeBSD.org
Subject:   [Bug 238819] local-unbound
Message-ID:  <bug-238819-227@https.bugs.freebsd.org/bugzilla/>

next in thread | raw e-mail | index | archive | help
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=3D238819

            Bug ID: 238819
           Summary: local-unbound
           Product: Base System
           Version: 12.0-STABLE
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: conf
          Assignee: bugs@FreeBSD.org
          Reporter: tschweikle@gmail.com

Default setup as a local resolver leads to any addresses queried not answer=
ed.

After setting up local-unbound using

# sysrc local_unbound_enable=3DYES
# service local_unbound start

unbound is running, but querying 'google.com':

# host google.com
Host google.com not found: 2(SERVFAIL)

removing unbound, or avoiding it leads to:

# host google.com 10.161.18.34
Using domain server:
Name: 10.161.18.34
Address: 10.161.18.34#53
Aliases:

google.com has address 172.217.21.238
google.com has IPv6 address 2a00:1450:4001:81d::200e
google.com mail is handled by 10 aspmx.l.google.com.
google.com mail is handled by 50 alt4.aspmx.l.google.com.
google.com mail is handled by 30 alt2.aspmx.l.google.com.
google.com mail is handled by 20 alt1.aspmx.l.google.com.
google.com mail is handled by 40 alt3.aspmx.l.google.com.

Unbound shall be configured to:
- allow at least localhost to query
- allow any network address including private ones to be returned
- allow any network reverse lookup including private ones to be returned

Unbound shall NOT:
- assume secure dns or anything else from /etc/resolv.conf found forwarder
- assume signed dns query or answers or any sucht stuff

Unbound may, indeed, warn is forwarders are not using signed answers.

The actual setup for using unbound as a local resolver is useless. Such sha=
ll
work out of the box, and leave it up to the OP to remove options or comment
them in for more security.

local-unbound generates configurations not adequate for most scenarios out =
in
the wild. Most people will stumble and remove it again, because it is not
working within their environment (maybe just because lack of signed dns from
their router/provider).

Local-unbound generated configuration:
# cat control.conf
# This file was generated by local-unbound-setup.
# Modifications will be overwritten.
remote-control:
        control-enable: yes
        control-interface: /var/run/local_unbound.ctl
        control-use-cert: no

# cat forward.conf
# This file was generated by local-unbound-setup.
# Modifications will be overwritten.
forward-zone:
        name: .
        forward-addr: 10.161.18.34
        forward-addr: 10.177.18.34

# cat lan-zones.conf
# This file was generated by local-unbound-setup.
# Modifications will be overwritten.
server:
        # Unblock reverse lookups for LAN addresses
        unblock-lan-zones: yes
        insecure-lan-zones: yes

# cat unbound.conf
# This file was generated by local-unbound-setup.
# Modifications will be overwritten.
server:
        username: unbound
        directory: /var/unbound
        chroot: /var/unbound
        pidfile: /var/run/local_unbound.pid
        auto-trust-anchor-file: /var/unbound/root.key

include: /var/unbound/forward.conf
include: /var/unbound/lan-zones.conf
include: /var/unbound/control.conf
include: /var/unbound/conf.d/*.conf

Missing are:
- allow localhost to query
- allow private addresses
- allow private addresses reverse lookup
- dont cache failed requests to forwarders (may lead to problems if your
printer was turned of, you tried to print, and then you notice it is turned=
 of.
You turn it on and then: printing just fails, because unbound did cache the
"notfound").

--=20
You are receiving this mail because:
You are the assignee for the bug.=



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?bug-238819-227>