DaemonForums  

Go Back   DaemonForums > OpenBSD > OpenBSD General

OpenBSD General Other questions regarding OpenBSD which do not fit in any of the categories below.

Reply
 
Thread Tools Display Modes
  #1   (View Single Post)  
Old 20th October 2016
junkym
-Guest-
 
Posts: n/a
Default Unbound and states

I'm running Unbound with the following configuration file:
Code:
# unbound.conf ~ DNS resolver configuration file

server:
    interface: 10.0.20.15
    interface: 127.0.0.1
    do-ip6: no

    access-control: 0.0.0.0/0 refuse
    access-control: 127.0.0.0/8 allow
    access-control: 10.0.5.0/24 allow
    access-control: 10.0.10.0/24 allow
    access-control: 10.0.20.0/24 allow
    access-control: ::0/0 refuse

    hide-identity: yes
    hide-version: yes

    # Enable DNSSEC validation.
    auto-trust-anchor-file: "/var/unbound/db/root.key"

    # Use root DNS servers
    root-hints: "/var/unbound/etc/root.hints"
I had "systat states" open on my second monitor and was surfing on my laptop. From time to time, the number of states jumps from say 10 to 300 or more. Most of them are to port 53 to many different ip addresses.

I'm thinking that Unbound is querying the root DNS servers, but 300+ states?
Reply With Quote
  #2   (View Single Post)  
Old 20th October 2016
IdOp's Avatar
IdOp IdOp is offline
Too dumb for a smartphone
 
Join Date: May 2008
Location: twisting on the daemon's fork(2)
Posts: 1,027
Default

I don't know anything about unbound, but perhaps the cause is your web browser. Some browsers do "DNS prefetch" by default, meaning they will look up the IP addresses of all domains referenced in a web page when you load that page ... whether you will use them or not. You can turn this off in firefox by going into about:config and setting

Code:
network.dns.disablePrefetch --> true
Maybe that will help?
Reply With Quote
  #3   (View Single Post)  
Old 22nd October 2016
junkym
-Guest-
 
Posts: n/a
Default

I set that to "true" but it did not work. In fact, the next avalanche of states was over 1,000. The states expire in a couple of minutes.

It has to be the root DNS servers branching out to other DNS servers for name resolution.
Reply With Quote
  #4   (View Single Post)  
Old 22nd October 2016
TronDD TronDD is offline
Spam Deminer
 
Join Date: Sep 2014
Posts: 304
Default

You can turn up unbound's logging to see all the domains it is resolving.

Or you can can watch the interface with tcpdump which also shows you the domain being requested.

Tim.
Reply With Quote
Reply

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
Unbound Database daemonbak OpenBSD General 2 21st July 2015 03:28 AM
Unbound Troubleshoot Peter_APIIT OpenBSD General 13 26th June 2015 02:00 AM
directing DNS queries to local unbound? 22decembre OpenBSD Security 16 28th December 2014 04:52 AM
DNSCrypt and local Unbound resolver Oko OpenBSD Security 1 28th December 2014 12:54 AM
flush states pfctl joostvgh OpenBSD Security 3 27th January 2010 06:50 PM


All times are GMT. The time now is 11:04 PM.


Powered by vBulletin® Version 3.8.4
Copyright ©2000 - 2024, Jelsoft Enterprises Ltd.
Content copyright © 2007-2010, the authors
Daemon image copyright ©1988, Marshall Kirk McKusick