NLnetLabs / unbound

Unbound is a validating, recursive, and caching DNS resolver.
https://nlnetlabs.nl/unbound
BSD 3-Clause "New" or "Revised" License

SERVFAIL to queries from localhost #1172

Open saloniamatteo opened 2 hours ago

saloniamatteo commented 2 hours ago

Describe the bug

Greetings, Unbound answers SERVFAIL to ALL queries from localhost (127.0.0.1, ::1, 192.168.1.88).

No matter which settings I modify (including interfaces:), only queries to my external IP actually contain an answer...

(For context, what I really need is for port 8080 (HTTPS) to be available ONLY for localhost; however, that seems not to be the case...)

To reproduce

Relevant /etc/unbound/unbound.conf:

server:
    interface: lo@8080
    interface: eth0@53
    interface: eth0@853
    port: 53

    prefer-ip4: yes
    outgoing-port-avoid: "3200-3208"
    so-reuseport: yes
    udp-connect: yes
    cache-min-ttl: 60

    access-control: 127.0.0.1 allow
    access-control: ::1 allow
    access-control: ::ffff:127.0.0.1 allow
    access-control: 192.168.1.0/24 allow

    root-hints: "/etc/unbound/root.hints"
    hide-trustanchor: yes
    harden-dnssec-stripped: yes
    qname-minimisation: yes

    do-not-query-localhost: yes

    prefetch: yes
    prefetch-key: yes

    auto-trust-anchor-file: "/etc/unbound/root-anchors.txt"
    trust-anchor-signaling: yes
    root-key-sentinel: yes

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;example.com.                   IN      A

;; Query time: 3 msec
;; SERVER: ::1#53(::1) (UDP)
;; WHEN: Sat Nov 02 00:49:25 CET 2024
;; MSG SIZE  rcvd: 40

Expected behavior

Running dig @localhost example.com should return valid results, just as dig @(external IP) example.com already does:

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1220
; COOKIE: e383007f25ecdecf3acbbe4967256b627c73bec4a688ea26 (good)
;; QUESTION SECTION:
;example.com.                   IN      A

;; ANSWER SECTION:
example.com.            1514    IN      A       93.184.215.14

;; Query time: 31 msec
;; SERVER: (external IP)#53((external IP)) (UDP)
;; WHEN: Sat Nov 02 00:59:30 CET 2024
;; MSG SIZE  rcvd: 84

System:

Version 1.20.0

Configure line: --prefix=/usr --build=x86_64-pc-linux-gnu --host=x86_64-pc-linux-gnu --mandir=/usr/share/man --infodir=/usr/share/info --datadir=/usr/share --sysconfdir=/etc --localstatedir=/var/lib --datarootdir=/usr/share --disable-static --docdir=/usr/share/doc/unbound-1.20.0 --htmldir=/usr/share/doc/unbound-1.20.0/html --with-sysroot=/ --libdir=/usr/lib64 --disable-debug --disable-gost --disable-dnscrypt --disable-dnstap --enable-ecdsa --disable-subnet --disable-cachedb --disable-static --disable-systemd --without-pythonmodule --without-pyunbound --with-pthreads --with-libnghttp2 --enable-tfo-client --enable-tfo-server --disable-flto --disable-rpath --enable-event-api --enable-ipsecmod --with-libevent=/usr --without-libhiredis --with-pidfile=/run/unbound.pid --with-rootkey-file=/etc/dnssec/root-anchors.txt --with-ssl=/usr --with-libexpat=/usr
Linked libs: libevent 2.1.12-stable (it uses epoll), OpenSSL 3.2.2 4 Jun 2024
Linked modules: dns64 ipsecmod respip validator iterator
TCP Fastopen feature available

BSD licensed, see LICENSE in source package for details.
Report bugs to unbound-bugs@nlnetlabs.nl or https://github.com/NLnetLabs/unbound/issues

Additional information

(dig @localhost example.com, SERVFAIL) tcpdump -i lo -n port 53 -vvv:

00:54:24.526647 IP (tos 0x0, ttl 64, id 28229, offset 0, flags [none], proto UDP (17), length 80)
127.0.0.1.35017 > 127.0.0.1.53: [bad udp cksum 0xfe4f -> 0x3c85!] 42989+ [1au] A? example.com. ar: . OPT UDPsize=1232 [COOKIE c1e35a51547e4ea9] (52)
00:54:24.530333 IP (tos 0x0, ttl 64, id 38182, offset 0, flags [none], proto UDP (17), length 68)
127.0.0.1.53 > 127.0.0.1.35017: [bad udp cksum 0xfe43 -> 0x7bb5!] 42989 ServFail q: A? example.com. 0/0/1 ar: . OPT UDPsize=1232 (40)

(dig @(external IP) example.com, success) tcpdump -i eth0 -n port 53 -vvv:

01:02:15.420040 IP (tos 0x0, ttl 64, id 55959, offset 0, flags [none], proto UDP (17), length 80)
192.168.1.88.47723 > (external ip).53: [udp sum ok] 40442+ [1au] A? example.com. ar: . OPT UDPsize=1232 [COOKIE 9cdf698e58a68662] (52)
01:02:15.421020 IP (tos 0x0, ttl 64, id 42059, offset 0, flags [DF], proto UDP (17), length 84)
(external IP).53 > 192.168.1.88.47723: [udp sum ok] 40442 q: A? example.com. 1/0/1 example.com. [22m29s] A 93.184.215.14 ar: . OPT UDPsize=4096 (56)
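
The two captures above differ in more than the rcode: the 40-byte reply on lo advertises an EDNS UDP size of 1232 and carries no COOKIE option, while the 84-byte reply dig got via the external IP advertises 1220 and echoes the client cookie. A client that sends the same kind of EDNS query and decodes exactly those fields makes that comparison repeatable against any address. The script below is an added example written for this page, not code from the issue or from the Unbound project; the two sample replies are constructed to match the sizes and fields quoted above rather than captured bytes, and query(), the default server list and the 2-second timeout are this example's own choices.

```python
"""Fingerprint a DNS responder: send one EDNS query carrying a client COOKIE and
decode the reply's rcode, advertised UDP size, A answers and any echoed cookie.
Added example for this issue page; not code from Unbound or from the report."""
import os
import socket
import struct
import sys

NOERROR, SERVFAIL = 0, 2
TYPE_A, TYPE_OPT = 1, 41
OPT_COOKIE = 10  # EDNS option code for DNS Cookies (RFC 7873)


def encode_name(qname: str) -> bytes:
    """Wire-format a dotted name: length-prefixed labels plus root terminator."""
    labels = qname.rstrip(".").split(".")
    return b"".join(bytes([len(label)]) + label.encode() for label in labels) + b"\x00"


def build_query(qname: str, qid: int, client_cookie: bytes, udp_size: int = 1232) -> bytes:
    """A? qname with RD set and one OPT RR carrying the 8-byte client cookie."""
    assert len(client_cookie) == 8
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1)  # RD=1, QDCOUNT=1, ARCOUNT=1
    question = encode_name(qname) + struct.pack("!HH", TYPE_A, 1)
    opt_data = struct.pack("!HH", OPT_COOKIE, 8) + client_cookie
    # OPT RR: root name, type 41, CLASS = UDP payload size, TTL = ext-rcode/version/flags
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_size, 0, len(opt_data)) + opt_data
    return header + question + opt


def skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a possibly compressed name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # a compression pointer ends the name
            return off + 2
        off += 1 + length


def parse_response(msg: bytes) -> dict:
    """Decode the header, A answers and the OPT RR (UDP size, cookie) of a reply."""
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    out = {"id": qid, "rcode": flags & 0xF, "answers": [], "udp_size": None, "cookie": None}
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    for section, count in (("an", an), ("ns", ns), ("ar", ar)):
        for _ in range(count):
            off = skip_name(msg, off)
            rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            rdata, off = msg[off:off + rdlen], off + rdlen
            if rtype == TYPE_OPT:
                out["udp_size"] = rclass
                out["rcode"] |= (ttl >> 24) << 4  # extended RCODE bits (RFC 6891)
                pos = 0
                while pos + 4 <= len(rdata):
                    code, olen = struct.unpack("!HH", rdata[pos:pos + 4])
                    if code == OPT_COOKIE:
                        out["cookie"] = rdata[pos + 4:pos + 4 + olen].hex()
                    pos += 4 + olen
            elif section == "an" and rtype == TYPE_A and rclass == 1:
                out["answers"].append(socket.inet_ntoa(rdata))
    return out


def query(server: str, qname: str = "example.com", port: int = 53, timeout: float = 2.0) -> dict:
    """Send one query over UDP and return the decoded reply plus its wire size."""
    qid, cookie = int.from_bytes(os.urandom(2), "big"), os.urandom(8)
    family = socket.AF_INET6 if ":" in server else socket.AF_INET
    with socket.socket(family, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(qname, qid, cookie), (server, port))
        data, _ = sock.recvfrom(4096)
    resp = parse_response(data)
    resp["size"] = len(data)
    resp["cookie_echoed"] = bool(resp["cookie"]) and resp["cookie"].startswith(cookie.hex())
    return resp


# Two replies constructed to match the sizes and fields reported above; not captured bytes.
def sample_servfail_reply() -> bytes:
    """40-byte ServFail as seen on lo: 0/0/1, OPT with UDP size 1232, no cookie."""
    header = struct.pack("!HHHHHH", 42989, 0x8182, 1, 0, 0, 1)  # QR RD RA, RCODE 2
    question = encode_name("example.com") + struct.pack("!HH", TYPE_A, 1)
    return header + question + b"\x00" + struct.pack("!HHIH", TYPE_OPT, 1232, 0, 0)


def sample_noerror_reply() -> bytes:
    """84-byte answer as dig got via the external IP: A 93.184.215.14, cookie echoed."""
    cookie = bytes.fromhex("e383007f25ecdecf3acbbe4967256b627c73bec4a688ea26")
    header = struct.pack("!HHHHHH", 40442, 0x8180, 1, 1, 0, 1)  # QR RD RA, RCODE 0
    question = encode_name("example.com") + struct.pack("!HH", TYPE_A, 1)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, 1, 1514, 4) + socket.inet_aton("93.184.215.14")
    opt_data = struct.pack("!HH", OPT_COOKIE, len(cookie)) + cookie
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 1220, 0, len(opt_data)) + opt_data
    return header + question + answer + opt


if __name__ == "__main__":
    for server in sys.argv[1:] or ["127.0.0.1", "::1"]:
        print(server, query(server))
```

Saved under an arbitrary name such as dnsfp.py, run it as python3 dnsfp.py 127.0.0.1 ::1 <external IP> and compare the rcode, udp_size, cookie_echoed and size fields side by side; two responders that differ in all of them are unlikely to be the same process. Two caveats when reading the captures: the posted configuration binds port 53 only on eth0 (interface: eth0@53) and puts lo on port 8080, so a reply from 127.0.0.1:53 is worth attributing to a process with ss -lunp before changing Unbound settings; and the [bad udp cksum ...] annotations on the lo capture are the usual checksum-offload artefact on loopback, not evidence of a corrupt packet.
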

saloniamatteo commented 2 hours ago

I would also like to point out that this is a unique behavior I have never seen in my life -- I have other services listening on localhost, and they work fine!

P.S. Yes, I do have a firewall. No, it does not have weird rules that prevent localhost from talking to itself. Yes, I have checked.