Comments (3)
Aha, I figured out what is happening. Unbound is replying from the wrong interface.

When Unbound is configured to listen on any interface (0.0.0.0), then it uses the wildcard source address (0.0.0.0) for the reply packet and allows the kernel to choose the source interface. Since DNS over UDP is connectionless, the kernel just chooses the first available interface and the client sees a reply from a different address than it queried. Any well-behaved client will reject that answer.
This is referenced in a question on the Unbound mailing list from September 2011:
http://www.nlnetlabs.nl/pipermail/unbound-users/2011-September/002061.html
The recommended solution is to explicitly list each interface. Then Unbound will reply using the same interface that it received the request on, instead of using the wildcard (0.0.0.0) interface.

Also note that the option interface-automatic technically does solve the problem as well, however it is NOT recommended because it is experimental, and it requires the availability of IPv6.
Going based on my own experience, the expected behavior is that Unbound should work on all interfaces unless otherwise specified. (Principle of least astonishment) Here are the options as I see them.

- This module could be modified to create an interface line for each active IP address.
- Or, more simply, set the default interface to ${ipaddress} so that any admin perusing the config file will quickly understand why it isn't working. Consider also adding a comment in the config file and an entry in the param documentation explaining why it's configured that way. Of course, the end user is still free to customize interfaces using the class parameter.
from puppet-unbound.
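The two configurations described in the comment above, shown side by side as an added example (not taken from the thread or from the puppet-unbound module). The addresses are constructed placeholders; the directive names (`interface`, `interface-automatic`) are standard unbound.conf options.

```conf
# --- Setting that triggers the problem ---
# Listening on the wildcard address makes Unbound send UDP replies with
# source 0.0.0.0 and lets the kernel pick the egress interface. On a
# multi-homed host the reply can leave from an address the client never
# queried, and a well-behaved resolver client discards it.
server:
    interface: 0.0.0.0

# --- Corrected setting ---
# List every address Unbound should serve on. Each reply is then sent from
# the exact address the query arrived on, so the client's source check passes.
# (Addresses below are constructed for illustration; substitute the host's own.)
server:
    interface: 127.0.0.1
    interface: 192.0.2.10
    interface: 198.51.100.10
    interface: ::1
    interface: 2001:db8::10

# --- Alternative the comment discourages ---
# interface-automatic also answers from the queried address, but it is
# documented as experimental and needs IPv6 support on the host.
#    interface-automatic: yes
```

After changing the listener list, restart Unbound and confirm from a client on each network that `dig @<listed-address> example.com` returns an answer rather than timing out; a timeout with a listener present is the signature of the source-address mismatch described above.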
Most Linux distributions support a dual IP stack, with IPv6 as the default.
from puppet-unbound.
I believe this issue has been addressed by the inclusion of the interface param in params.pp.
from puppet-unbound.