From: Damien Fleuriot
To: nightrecon@hotmail.com
Cc: "freebsd-questions@freebsd.org"
Date: Wed, 19 Aug 2015 13:03:31 +0200
Subject: Re: unbound setup questions

On 19 August 2015 at 01:59, Michael Powell wrote:
> Antoine Kallab wrote:
>
> > Hi all,
> >
> > I can't seem to get unbound to resolve DNS requests coming from any
> > machine other than localhost. I am not sure what I'm doing wrong, and
> > would appreciate some guidance.
> >
> > The other computer that's asking for resolution has an IP address of
> > 10.33.2.2/24. It can ping Internet IP addresses, it just can't resolve
> > domain names. Its address, DNS, and gateway settings are all being
> > handled by the DHCP server also running on my BSD server.
> >
> > (It felt impolite dumping all of my files into an E-Mail, so I put
> > them on Pastebin. Hope that's okay)
> >
> > Here's my /var/unbound/unbound.conf:
> > http://pastebin.com/ZKqsn5dV
> >
> > The relevant sections of my /etc/rc.conf that deal with setting
> > addresses for the NICs:
> > http://pastebin.com/n5RxzePF
> >
> > Here is my /usr/local/etc/dhcpd.conf:
> > http://pastebin.com/CQydK4MC
> >
> > I double and triple checked to make sure my firewall wasn't getting in
> > the way. But just in case, here's my /etc/pf.conf:
> > http://pastebin.com/Ews1t9QN
> >
>
> I just began looking at replacing Bind since the last portupgrade to the
> latest and greatest broke the named chroot environment which has served me
> well for so long. Waiting to see if it is going to be fixed, or if bind is
> going to be ignored from now on. Hedging my bets with a plan B.
>
> The unbound that ships with the OS is really only designed to be a resolver
> for the local machine, at least as far as I know at this point in my meager
> research. If you need services more like you may have been accustomed to
> with Bind you may wish to take a look at the unbound in the ports tree:
> /usr/ports/dns/unbound. Didn't know about this one until some wise chap on
> irc hit me with the clue bat.
>
> -Mike
>

I have to disagree here.

Been using local_unbound as a forwarding resolver for client hosts and it
works just fine.

Find below the configuration.

/etc/rc.conf :
    local_unbound_enable="YES"

/var/unbound.conf :
    interface: 127.0.0.1
    interface: 10.104.40.254
    interface: 10.104.41.254
    interface: 10.104.42.254
    interface: 10.104.43.254
    interface: 10.104.44.254
    interface: 10.104.45.254
    interface: 10.104.46.254
    interface: 10.104.48.254
    access-control: 10.104.0.0/16 allow
    access-control: 127.0.0.1/32 allow

/var/unbound/forward.conf :
    forward-zone:
        name: .
        forward-addr: 195.[snip]
        forward-addr: 195.[snip]

Note that I've had to specifically put each of my interfaces in the config,
otherwise I ran into problems.

The .254 interfaces are CARPs and if I use "interface : 0.0.0.0", Unbound
receives the query on its CARP and replies via its physical address, which
the client rejects.
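As an added illustration (not part of the thread, and not code from either poster), the following Python checker applies unbound's access-control rule selection to a config: the most specific matching netblock wins, loopback is allowed by default and every other client is refused, which is exactly why a client such as 10.33.2.2 gets no answers until an allow rule covers its subnet. The sample config is constructed after the reply above (shortened to two interfaces), and the 10.33.2.0/24 rule used in the test is an assumption about what the original poster's config would need; the helper also flags an allow rule for the whole address space, since that turns the forwarder into an open resolver.

```python
import ipaddress
import re

# Constructed sample modelled on the configuration in the reply above
# (only two of the interface lines are kept to stay short).
SAMPLE_CONF = """
server:
    interface: 127.0.0.1
    interface: 10.104.40.254
    access-control: 10.104.0.0/16 allow
    access-control: 127.0.0.1/32 allow
"""

# unbound's built-in rules: loopback allowed, everything else refused.
DEFAULT_ACLS = [("0.0.0.0/0", "refuse"), ("127.0.0.0/8", "allow"),
                ("::/0", "refuse"), ("::1/128", "allow")]


def parse_unbound_conf(text):
    """Collect interface: and access-control: lines from an unbound.conf."""
    interfaces, acls = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        m = re.match(r"interface:\s*(\S+)", line)
        if m:
            interfaces.append(m.group(1).split("@")[0])  # strip optional @port
            continue
        m = re.match(r"access-control:\s*(\S+)\s+(\S+)", line)
        if m:
            acls.append((m.group(1), m.group(2)))
    return interfaces, acls


def acl_action(acls, client_ip):
    """Action unbound applies to a client: the most specific netblock wins."""
    ip = ipaddress.ip_address(client_ip)
    best = None
    for net_str, action in DEFAULT_ACLS + list(acls):
        net = ipaddress.ip_network(net_str, strict=False)
        if ip.version == net.version and ip in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, action)
    return best[1]


def open_resolver_rules(acls):
    """Return allow rules that cover the whole address space (open resolver)."""
    return [net for net, action in acls
            if action in ("allow", "allow_snoop")
            and ipaddress.ip_network(net, strict=False).prefixlen == 0]
```

Running `acl_action` over the parsed sample gives `allow` for 10.104.40.17 and `refuse` for 10.33.2.2, matching the behaviour the original poster saw with only the default rules in place.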