
This is my unbound.conf:

server:
interface: 0.0.0.0
access-control: 10.0.0.0/8 allow_snoop
access-control: 127.0.0.1 allow_snoop
access-control: 192.168.0.0/16 allow_snoop
...

Reading the documentation, it should be enough. And then in resolv.conf:

nameserver 127.0.0.1

However, this does not work. dig gives me:

;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 41485
;; flags: qr rd ad; QUERY: 0, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available
...
SERVER: 127.0.0.1#53(127.0.0.1)

The problem can be resolved if I add access-control: <internet-ip-address-of-eth0> allow to the unbound configuration, but this requires me to put the address into the config file, and that address might change.

Why doesn't this configuration simply make dig query the local server on 127.0.0.1 (even though it says it did)?

It looks like unbound receives queries on 127.0.0.1, but then tries to respond on the internet IP? (This is from the syslog:)

Jan 11 11:26:28 hostname unbound: [25567:0] info: send_udp over interface: 1 127.0.0.1 127.0.0.1
Jan 11 11:26:39 hostname unbound: [25567:0] info: receive_udp on interface: 1 127.0.0.1 127.0.0.1
Jan 11 11:26:39 hostname unbound: [25567:0] debug: refused query from ip4 35.63.78.210 port 48650 (len 16)
Cray
  • Try using `dig -b127.0.0.1 example.com +norecurse` to force the source address – pete Feb 24 '17 at 06:46
  • `dig -b127.0.0.1 example.com +norecurse` doesn't work for me. tcpdump shows the query comes in from the loopback interface, and unbound's reply is returned to 127.0.0.1. Strangely, when I use the +norecurse option I get status: REFUSED. – Mike S Dec 29 '20 at 16:45
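To make the syslog verdict above concrete, here is a small model of unbound's documented access-control matching: the most specific matching netblock wins, and a source address that matches no rule gets the default action, refuse. This is an added example, not code from the original post or from the unbound project; the rules and the refused source address are taken from the question, and `action_for` / `explain_refusal` are hypothetical helper names.

```python
"""Model unbound's access-control decision for a query's source address."""
import ipaddress

# access-control lines copied from the question's unbound.conf
ACCESS_CONTROL = [
    ("10.0.0.0/8", "allow_snoop"),
    ("127.0.0.1", "allow_snoop"),
    ("192.168.0.0/16", "allow_snoop"),
]

# unbound's documented default for a source that matches no rule
DEFAULT_ACTION = "refuse"


def parse_rules(rules):
    """Turn (netblock, action) strings into (ip_network, action) pairs.
    A bare address such as 127.0.0.1 becomes a /32 (or /128) host route."""
    return [(ipaddress.ip_network(net, strict=False), action)
            for net, action in rules]


def action_for(source_ip, rules=ACCESS_CONTROL):
    """Return the action unbound applies to a query from source_ip.
    Most specific (longest prefix) match wins; unmatched -> DEFAULT_ACTION."""
    addr = ipaddress.ip_address(source_ip)
    best = None
    for net, action in parse_rules(rules):
        if addr.version == net.version and addr in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, action)
    return best[1] if best else DEFAULT_ACTION


def explain_refusal(source_ip, rules=ACCESS_CONTROL):
    """Reproduce the 'refused query from ip4 ...' verdict and say why."""
    action = action_for(source_ip, rules)
    if action == "refuse":
        return (f"{source_ip}: refused; it matches none of the "
                f"access-control netblocks, so the default applies")
    return f"{source_ip}: {action}"


if __name__ == "__main__":
    # the source address unbound logged as refused in the question
    print(explain_refusal("35.63.78.210"))
    # the source the asker expected dig to use
    print(explain_refusal("127.0.0.1"))
```

Running it shows the logged source 35.63.78.210 falls outside every allowed netblock, while a query really sourced from 127.0.0.1 would get allow_snoop.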

1 Answer


You need to set it to allow queries from localhost...

server:
      do-not-query-localhost: no

This will fix the issue you are having.

John Tate