NLnetLabs / unbound

Unbound is a validating, recursive, and caching DNS resolver.
https://nlnetlabs.nl/unbound
BSD 3-Clause "New" or "Revised" License

"interface-automatic" config option causes unbound to bind to all interfaces, although configured otherwise #209

Closed WRMSRwasTaken closed 4 years ago

WRMSRwasTaken commented 4 years ago
server:
        interface: 127.0.0.1
        interface: ::1

        interface-automatic: yes

causes unbound to bind to all interfaces:

udp     UNCONN   0        0                                     0.0.0.0:53                                           0.0.0.0:*                                   users:(("unbound",pid=76453,fd=5)) ino:1741706 sk:24 <->
udp     UNCONN   0        0                                        [::]:53                                              [::]:*                                   users:(("unbound",pid=76453,fd=3)) ino:1741704 sk:25 v6only:1 <->
tcp     LISTEN   0        256                                   0.0.0.0:53                                           0.0.0.0:*                                   users:(("unbound",pid=76453,fd=6)) ino:1741707 sk:26 <->
tcp     LISTEN   0        256                                      [::]:53                                              [::]:*                                   users:(("unbound",pid=76453,fd=4)) ino:1741705 sk:27 v6only:1 <->

as seen in the debug log (unbound -ddvvv):

[1585750149] unbound[60976:0] notice: Start of unbound 1.10.0.
[1585750149] unbound[60976:0] debug: increased limit(open files) from 1024 to 4152
[1585750149] unbound[60976:0] debug: creating udp6 socket :: 53
[1585750149] unbound[60976:0] debug: creating tcp6 socket :: 53
[1585750149] unbound[60976:0] debug: creating udp4 socket 0.0.0.0 53
[1585750149] unbound[60976:0] debug: creating tcp4 socket 0.0.0.0 53
[1585750149] unbound[60976:0] debug: chdir to /etc/unbound
[1585750149] unbound[60976:0] debug: chroot to /etc/unbound
[1585750149] unbound[60976:0] debug: drop user privileges, run as unbound

Version is:

Version 1.10.0

Configure line: --prefix=/usr --sysconfdir=/etc --localstatedir=/var --sbindir=/usr/bin --disable-rpath --enable-dnscrypt --enable-dnstap --enable-pie --enable-relro-now --enable-subnet --enable-systemd --enable-tfo-client --enable-tfo-server --enable-cachedb --with-libhiredis --with-conf-file=/etc/unbound/unbound.conf --with-pidfile=/run/unbound.pid --with-rootkey-file=/etc/trusted-key.key --with-libevent
Linked libs: libevent 2.1.11-stable (it uses epoll), OpenSSL 1.1.1e  17 Mar 2020
Linked modules: dns64 cachedb subnetcache respip validator iterator
DNSCrypt feature available
TCP Fastopen feature available

On Arch Linux running Kernel 5.5.11.a-1-hardened.

Setting interface-automatic to no or commenting it out has the correct behavior:

[1585750337] unbound[61011:0] notice: Start of unbound 1.10.0.
[1585750337] unbound[61011:0] debug: increased limit(open files) from 1024 to 4152
[1585750337] unbound[61011:0] debug: creating udp4 socket 127.0.0.1 53
[1585750337] unbound[61011:0] debug: creating tcp4 socket 127.0.0.1 53
[1585750337] unbound[61011:0] debug: creating udp6 socket ::1 53
[1585750337] unbound[61011:0] debug: creating tcp6 socket ::1 53
[1585750337] unbound[61011:0] debug: chdir to /etc/unbound
[1585750337] unbound[61011:0] debug: chroot to /etc/unbound

I'd really like to have this option enabled, because otherwise binding to fe80::1 will not work correctly (unbound is going to reply from the original link-local address which will be blocked by client firewalls because the answer didn't come from fe80::1).

gthess commented 4 years ago

Recently there was a clarification in the man page wrt interface-automatic: (https://github.com/NLnetLabs/unbound/pull/207). Can you try the option ip-transparent:?

WRMSRwasTaken commented 4 years ago

Unfortunately, that didn't fix the issue for me.

Config:

server:
        interface: 127.0.0.1
        interface: ::1

        interface-automatic: yes
        ip-transparent: yes

It still binds to all interfaces on bootup:

[1585751836] unbound[61106:0] notice: Start of unbound 1.10.0.
[1585751836] unbound[61106:0] debug: increased limit(open files) from 1024 to 4152
[1585751836] unbound[61106:0] debug: creating udp6 socket :: 53
[1585751836] unbound[61106:0] debug: creating tcp6 socket :: 53
[1585751836] unbound[61106:0] debug: creating udp4 socket 0.0.0.0 53
[1585751836] unbound[61106:0] debug: creating tcp4 socket 0.0.0.0 53
[1585751836] unbound[61106:0] debug: chdir to /etc/unbound
[1585751836] unbound[61106:0] debug: chroot to /etc/unbound
[1585751836] unbound[61106:0] debug: drop user privileges, run as unbound

WRMSRwasTaken commented 4 years ago

Just enabling ip-transparent unfortunately doesn't help me here either, because unbound is still going to reply from the wrong source address:

16:39:39.551601 IP6 fe80::510a:4f7d:959f:cb2e.61843 > fe80::1.53: 1+ PTR? 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f.ip6.arpa. (90)
16:39:39.551908 IP6 fe80::4c78:eeff:fe5a:c1a6.53 > fe80::510a:4f7d:959f:cb2e.61843: 1 NXDomain* 0/1/0 (149)

gthess commented 4 years ago

You should either use interface-automatic: or ip-transparent: based on your needs. Can you remove the interface-automatic: option and try again?

WRMSRwasTaken commented 4 years ago

Ok, disabling interface-automatic and enabling ip-transparent fixes this for me. Thanks for the clarification. So, with ip-transparent I now have to select all interfaces I want unbound to listen on.

However, I've stumbled across another issue: Setting the interface: to any link-local address explicitly is going to fail:

[1585753498] unbound[76871:0] notice: Start of unbound 1.10.0.
[1585753498] unbound[76871:0] debug: increased limit(open files) from 1024 to 4188
[1585753498] unbound[76871:0] debug: creating udp4 socket 10.10.10.1 53
[1585753498] unbound[76871:0] debug: creating tcp4 socket 10.10.10.1 53
[1585753498] unbound[76871:0] debug: creating udp4 socket 10.10.10.2 53
[1585753498] unbound[76871:0] debug: creating tcp4 socket 10.10.10.2 53
[1585753498] unbound[76871:0] debug: creating udp6 socket fe80::1 53
[1585753498] unbound[76871:0] warning: IPv6 protocol not available
[1585753498] unbound[76871:0] debug: creating udp6 socket fe80::4c78:eeff:fe5a:c1a6 53
[1585753498] unbound[76871:0] warning: IPv6 protocol not available

Here, I'm trying to bind to fe80::1 and fe80::4c78:eeff:fe5a:c1a6 with ip-transparent and also ip-freebind enabled. Those 2 addresses are on my interface.

Should I open another ticket for this?

WRMSRwasTaken commented 4 years ago

Adding scope identifiers fixes this problem. I'm going to close this. Thanks for your time and the clarification.
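Added example (not code from this issue or from Unbound): a small Python audit that compares the `interface:` lines of an unbound.conf with the `creating ... socket` lines of the `-ddvvv` debug log shown above. It flags the two problems this thread walks through: wildcard listeners the config never asked for (the interface-automatic case) and link-local interfaces given without a scope id, and it also notices a bind that is followed by a `warning:` line. The sample config and log lines are constructed from this thread, and the `%eth0` scope-id form is an assumption.

```python
import ipaddress
import re

# unbound -ddvvv logs one "creating <proto> socket <addr> <port>" line per listener.
SOCKET_RE = re.compile(r"debug: creating (udp|tcp)[46] socket (\S+) (\d+)")
INTERFACE_RE = re.compile(r"^\s*interface:\s*(\S+)")  # "interface-automatic:" won't match
WILDCARDS = {"0.0.0.0", "::"}

def configured_interfaces(conf_text):
    """Addresses listed via 'interface:' in unbound.conf (an '@port' suffix is stripped)."""
    return {m.group(1).split("@")[0]
            for m in map(INTERFACE_RE.match, conf_text.splitlines()) if m}

def socket_attempts(log_text):
    """(proto, addr, port, ok) per listener. The debug line is printed before the
    bind, so a 'warning:' on the following line means that bind failed."""
    lines, out = log_text.splitlines(), []
    for i, line in enumerate(lines):
        m = SOCKET_RE.search(line)
        if m:
            failed = i + 1 < len(lines) and " warning: " in lines[i + 1]
            out.append(m.groups() + (not failed,))
    return out

def audit(conf_text, log_text):
    """Flag unrequested listeners, failed binds, and scope-less link-local interfaces."""
    wanted, findings = configured_interfaces(conf_text), []
    for proto, addr, port, ok in socket_attempts(log_text):
        if not ok:
            findings.append(f"{proto} {addr}:{port}: bind failed (see the warning in the log)")
        elif addr in WILDCARDS and addr not in wanted:
            findings.append(f"{proto} {addr}:{port}: wildcard bind, listens on every interface")
        elif addr not in wanted:
            findings.append(f"{proto} {addr}:{port}: bound but not configured")
    for addr in sorted(wanted):
        try:
            ip = ipaddress.ip_address(addr.split("%")[0])
        except ValueError:
            continue  # not a literal address; out of scope for this check
        if ip.version == 6 and ip.is_link_local and "%" not in addr:
            findings.append(f"interface {addr}: link-local address without a scope id")
    return findings

# Constructed samples modelled on this issue: the loopback-only config and the wildcard
# sockets it actually opened, then a link-local interface configured without a scope id.
BAD_CONF = "server:\n  interface: 127.0.0.1\n  interface: ::1\n  interface-automatic: yes\n"
BAD_LOG = "\n".join(f"[1585750149] unbound[60976:0] debug: creating {p} socket {a} 53"
                    for p, a in [("udp6", "::"), ("tcp6", "::"), ("udp4", "0.0.0.0"), ("tcp4", "0.0.0.0")])
LL_CONF = "server:\n  interface: 10.10.10.1\n  interface: fe80::1\n  ip-transparent: yes\n"
LL_LOG = ("[1585753498] unbound[76871:0] debug: creating udp6 socket fe80::1 53\n"
          "[1585753498] unbound[76871:0] warning: IPv6 protocol not available\n")
```

Running `audit(BAD_CONF, BAD_LOG)` reports the four wildcard listeners; `audit(LL_CONF, LL_LOG)` reports the failed bind and the missing scope id, and the latter finding disappears once the interface is written as `fe80::1%eth0`.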