search

MatthewVance / unbound-docker-rpi

Run Unbound with latest version of OpenSSL on Raspberry Pi with Docker.
MIT License
136 stars 23 forks source link

RPI image not resolving DNSSEC (recursive server) #43

Open fede843 opened 1 year ago

fede843 commented 1 year ago

Describe the bug RPI image does not resolve insecure DNS properly when used as recursive server.

To Reproduce Steps to reproduce the behaviour:

  1. Composite file: 
    unbound:
image: mvance/unbound-rpi:1.17.0
container_name: unbound
hostname: unbound
restart: always
volumes:
- /home/pi/docker/volumes/unbound:/opt/unbound/etc/unbound
networks:
  mainnet:
    ipv4_address: 172.20.0.10 # Used in Pi-Hole "Upstream DNS Servers" config
ports:
  - "5335:53/tcp"
  - "5335:53/udp"
  2. Customizations (config files) 
    server:
logfile: "/opt/unbound/etc/unbound/unbound.log"
verbosity: 2
port: 53
do-ip4: yes
do-udp: yes
do-tcp: yes
do-ip6: no
prefer-ip6: no
root-hints: "/opt/unbound/etc/unbound/root.hints"
harden-glue: yes
harden-dnssec-stripped: yes
use-caps-for-id: no
edns-buffer-size: 1232
prefetch: yes
num-threads: 1
private-address: 192.168.0.0/16
private-address: 169.254.0.0/16
private-address: 172.16.0.0/12
private-address: 10.0.0.0/8
private-address: fd00::/8
private-address: fe80::/10
access-control: 172.16.0.0/12 allow_snoop
interface: 0.0.0.0@53
chroot: "/opt/unbound/etc/unbound"
directory: "/opt/unbound/etc/unbound"
auto-trust-anchor-file: "var/root.key"
tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt
cache-max-ttl: 86400
cache-min-ttl: 300
remote-control:
control-enable: no

Expected behavior Running from the host RPI system:

dig fail01.dnssec.works @127.0.0.1 -p 5335

; <<>> DiG 9.16.37-Debian <<>> fail01.dnssec.works @127.0.0.1 -p 5335
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 46756
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;fail01.dnssec.works.       IN  A

;; Query time: 0 msec
;; SERVER: 127.0.0.1#5335(127.0.0.1)
;; WHEN: Tue Feb 14 09:55:58 -03 2023
;; MSG SIZE  rcvd: 48

Error messages Running from the host RPI system:

dig fail01.dnssec.works @127.0.0.1 -p 5335 +trace

; <<>> DiG 9.16.37-Debian <<>> fail01.dnssec.works @127.0.0.1 -p 5335 +trace
;; global options: +cmd
.           86317   IN  NS  j.root-servers.net.
.           86317   IN  NS  k.root-servers.net.
.           86317   IN  NS  l.root-servers.net.
.           86317   IN  NS  m.root-servers.net.
.           86317   IN  NS  a.root-servers.net.
.           86317   IN  NS  b.root-servers.net.
.           86317   IN  NS  c.root-servers.net.
.           86317   IN  NS  d.root-servers.net.
.           86317   IN  NS  e.root-servers.net.
.           86317   IN  NS  f.root-servers.net.
.           86317   IN  NS  g.root-servers.net.
.           86317   IN  NS  h.root-servers.net.
.           86317   IN  NS  i.root-servers.net.
.           86317   IN  RRSIG   NS 8 0 518400 20230227050000 20230214040000 951 . VXSm59w17QNYoRwEE0GiV2q7+rjstTER5+axR8/FdNNUGy4CeRkgNsde Hf8Z7w76aAev6NeZeRIAkhQBDzxlqruMR1t+7u3X+d+xp1eF9qib4Avd v8FnnHE1kUN8/uux6kN8vZ+aBM4eZ9pCyC2XdRz2IKVNsDOrasxEMl1x E0hBDD6EU/KPYwOiAf+B1XeKtSYf640mdG4FEgdhKvjeV1TofcMjZT9e KNEUoSi7oQqQEYllR/58TcoOf0S8zo1U9YnRniG9NzW30XjIXeZ9VK5U LdQ++X9oMP1foSvV7jpuSr8fxmqqjT7+zx/Wg/tTByTgxCPp2fNCbjmt AVXwtg==
;; Received 525 bytes from 127.0.0.1#5335(127.0.0.1) in 15 ms

;; connection timed out; no servers could be reached

Additional context Host RPI is

Linux raspberrypi 6.1.11-v8+ #1630 SMP PREEMPT Fri Feb 10 12:11:31 GMT 2023 aarch64 GNU/Linux

To add more into this, it works intermittently. At random intervals it resolves as expected, and many other times it does not. Maybe a missconfiguration on my side?

hqnicolas commented 1 year ago

dear friend, you are sending request to 127.0.0.1 LOCAL MACHINE you need to send this request to 192.168.0.XXX THE CONTAINER

fede843 commented 1 year ago

Hi @hqnicolas thanks for reaching out.

I am using dig from the raspberry host itself. Also I am mapping 5335 port to the internal resolver. Request to my local RPI are passed trough unbound container this way. I am using this setup exposing the port externally just for testing purposes.