DaemonForums  

Unbound Troubleshoot

#1 Peter_APIIT, 18th June 2015

Hello all,

I had set up unbound according to an online tutorial, but unfortunately the dig command returns an error.

Quote:
?? Connection timed out. no server to reached

/var/unbound/etc/unbound.conf
Quote:
server:
interface: 192.168.1.1@53
do-ip4:yes
do-ip6: no
verbosity: 3
logfile: unbound.log
log-time-ascii: yes
log-queries: yes
prefetch: yes
prefetch-key: yes

access-control: 0.0.0.0/0 refuse
access-control: 127.0.0.1/8 allow
access-control: 192.168.1.0/24 allow

forward-zones:
name: "."
forward-addr: 202.188.0.133

/etc/resolv.conf
Quote:
nameserver 127.0.0.1

/etc/rc.conf.local
Quote:
unbound_flag = -c "/var/unbound/etc/unbound.conf"

The "top" command displayed unbound was running under the _unbound user.

Does anyone know how to troubleshoot? The log file does not contain anything.

Last edited by Peter_APIIT; 20th June 2015 at 02:17 AM. Reason: Added unbound configuration and troubleshoot steps

#2 jggimi, 18th June 2015

From your brief problem description, it appears unbound is not running.

#3 jggimi, 18th June 2015

I should probably point out two additional things.

Daemon management and the rc(8) system are discussed in FAQ 10.3. The FAQ should be your primary resource. It is faster, more accurate, and more complete than waiting for answers here.

The "Howto" you used is both out-of-date and incomplete. That site, in particular, has caused concerns among OpenBSD Project members and users because of misleading information it has provided. There have been many discussions about it on the misc@ mailing list, over many years.

#4 Oko, 18th June 2015

Quote:
Originally Posted by Peter_APIIT View Post
Hello all,

I had set up unbound according to an online tutorial, but unfortunately the dig command returns an error.

Expected behaviour. Those "howtos" are bogus, as pointed out many times on misc@openbsd by developers and power users alike. Why don't you ask the guy who wrote the tutorial why his tutorial is not tested?



Quote:
Originally Posted by Peter_APIIT View Post
Does anyone know how to troubleshoot? The log file does not contain anything.

Yes, I do. Setting up Unbound on 5.7 is a 2-minute job, but you don't give us any info to work with. Consequently, I can give you just generic advice. Start by reading the man pages.

#5 Peter_APIIT, 20th June 2015

Sorry to all of you. I had added the necessary configuration to the original thread. Please help me. Thanks.

#6 jggimi, 20th June 2015

It is clear that unbound(8) is not running.
Quote:
Originally Posted by Peter_APIIT View Post
Does anyone know how to troubleshoot? The log file does not contain anything.

Output from the daemon, if any, will be stored (via socket) according to the configuration in /etc/syslog.conf. Depending on the type of message, information may appear in /var/log/messages or in /var/log/daemon. Look in both files for information. You mention a log file ... there are two. But there may not be any data there.

The rc.d(8) subsystem includes a diagnostic -d option that can show you if there are startup errors. See the man page, and run /etc/rc.d/unbound with this option enabled. You may receive messages which tell you why unbound refuses to start.

Lastly, please read the unbound(8) man page. There are two things in it that I would like you to take note of:
  1. The unbound command has a -d option. Starting unbound manually, with this option, will show you any messages produced on your console, which will enable you to make configuration changes and test them rapidly, without resorting to the rc.d(8) subsystem or rebooting, then hunting through log files.
  2. The SEE ALSO section mentions the unbound-checkconf(8) program. Please use that tool, because I believe your configuration is in error.

#7 Peter_APIIT, 23rd June 2015

First of all, thanks to jggimi for giving such a good explanation.

I had tried to start unbound using the -d option and it shows that it is a log file permission error.
I created the log file as superuser, then chown and chgrp to _unbound, but the problem still persists.

On the other hand, I had also tried removing the log file option, and unbound started successfully with the -d option. Then I tried dig, and the "no server can be reached" error was displayed again.

There is nothing displayed in /var/log/messages.
unbound-checkconf returns no error.

What is wrong with it?

#8 jggimi, 23rd June 2015

Quote:
Originally Posted by Peter_APIIT View Post
What is wrong with it?

This:
Code:
$ unbound-checkconf Peter_APIIT.provided.file
pasted.file:16: error: unknown keyword 'forward-zones'
pasted.file:16: error: stray ':'
pasted.file:17: error: syntax error
read pasted.file failed: 3 errors in configuration file
$
If your syntax were correct, you would see the following results.
Code:
unbound-checkconf: no errors in <file>
Quote:
I had tried to start unbound using the -d option and it shows that it is a log file permission error.
I created the log file as superuser, then chown and chgrp to _unbound, but the problem still persists.

Can you show us the actual error? If you turn your head, you will notice that none of us are standing behind you, looking over your shoulder at your console. We only have what little information you provide here.

===

NOTE: in the configuration you pasted, you did not bother with a full path to the logfile. If that is still true with the configuration you are using, that is likely part of the problem. Without a full path, unbound will use a relative path to its working directory.

When started manually by you, this will be whatever working directory your shell happened to be using.

When started by the OS at boot ... it is possibly the root directory. But I'm unsure. I do not use relative paths in any of my system configuration files.

Edited to add:

I also do not use a logfile directive in any of my unbound configurations. Logging instead is via syslogd(8).

Last edited by jggimi; 23rd June 2015 at 07:15 AM. Reason: syslog mentioned

#9 jggimi, 23rd June 2015

Complicating file access, unbound is chrooted on this OS. Remove the logfile directive, and avoid chrooted file path management concerns.

denta, 23rd June 2015

Somehow I knew before clicking it that the online tutorial was indeed that site, whose name shall not be mentioned. And as a funny added insult, my xombrero core-dumps every time I visit it as well.

Also, you specified 127.0.0.1 in resolv.conf, but not under interfaces in unbound.conf. So I'm guessing your queries are going to an interface where unbound is not running.
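
The mismatch denta points out above, checked mechanically (an added example, not code from the thread or from the Unbound project): the script reads the interface: and access-control: lines of an unbound.conf and reports every nameserver in resolv.conf that unbound would not be listening on or would refuse. The function names and the sample text are constructed here; it assumes interface: values are IP addresses and that a host querying its own address uses that address as the query source.

```python
import ipaddress

# Constructed sample input: the relevant lines of the files in the first post.
UNBOUND_CONF = """\
server:
    interface: 192.168.1.1@53
    access-control: 0.0.0.0/0 refuse
    access-control: 127.0.0.1/8 allow
    access-control: 192.168.1.0/24 allow
"""
RESOLV_CONF = "nameserver 127.0.0.1\n"
LOCALHOST = [ipaddress.ip_address("127.0.0.1"), ipaddress.ip_address("::1")]


def parse_unbound(text):
    """Return (listen addrs, [(netblock, action)]); no interface: means localhost."""
    listen, acl = [], []
    for raw in text.splitlines():
        key, _, value = raw.split("#", 1)[0].strip().partition(":")
        words = value.split()
        if key == "interface" and words:
            listen.append(ipaddress.ip_address(words[0].split("@")[0]))  # drop @port
        elif key == "access-control" and len(words) >= 2:
            acl.append((ipaddress.ip_network(words[0], strict=False), words[1]))
    return listen or LOCALHOST, acl


def check_resolver(unbound_text, resolv_text):
    """Return one finding per resolv.conf nameserver unbound would not serve."""
    listen, acl = parse_unbound(unbound_text)
    findings = []
    for line in resolv_text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != "nameserver":
            continue
        ns = ipaddress.ip_address(fields[1])
        bound = any(a == ns or (a.is_unspecified and a.version == ns.version)
                    for a in listen)
        # The most specific matching netblock decides; default is localhost only.
        hits = [(n.prefixlen, act) for n, act in acl if ns in n]
        default = "allow" if ns.is_loopback else "refuse"
        action = max(hits, key=lambda h: h[0])[1] if hits else default
        if not bound:
            findings.append(f"{ns}: no interface: line covers this address")
        elif not action.startswith("allow"):
            findings.append(f"{ns}: access-control says {action}")
    return findings


print(check_resolver(UNBOUND_CONF, RESOLV_CONF))
```

unbound-checkconf validates syntax only, so this cross-file mismatch passes it; adding interface: 127.0.0.1 to the sample makes the finding list empty.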

Oko, 23rd June 2015

Quote:
Originally Posted by denta View Post
Somehow I knew before clicking it that the online tutorial was indeed that site, whose name shall not be mentioned. And as a funny added insult, my xombrero core-dumps every time I visit it as well.

Also, you specified 127.0.0.1 in resolv.conf, but not under interfaces in unbound.conf. So I'm guessing your queries are going to an interface where unbound is not running.

This is what the configuration file looks like for the Unbound serving my home network. This is a fairly complicated setup which abuses Unbound, which enables me to do direct and reverse lookups on my local network without setting up an authoritative DNS server, NSD. For the laptop you need to listen only on 127.0.0.1. However, you will have to configure dhclient.conf to prepend the DNS record with your DNS server so that you don't use somebody else's server.

Code:
# $OpenBSD: unbound.conf,v 1.4 2014/04/02 21:43:30 millert Exp $

server:
        interface: 127.0.0.1
        interface: ::1
        interface: 192.168.6.254        # listen on lan zone interface
        do-ip6: no

        access-control: 0.0.0.0/0 refuse
        access-control: 127.0.0.0/8 allow
        access-control: ::0/0 refuse
        access-control: ::1 allow
        access-control: 192.168.6.0/24 allow    # allow lan zone queries

        hide-identity: yes
        hide-version: yes

        # Uncomment to enable DNSSEC validation.
        #
        auto-trust-anchor-file: "/var/unbound/db/root.key"

        # Serve zones authoritatively from Unbound to resolver clients.
        # Not for external service.
        include: "/var/unbound/etc/oko_network/*"
/var/unbound/etc/oko_network/ should contain zone files
oko_network.org
Code:
# more oko_network.org
        # Auton Lab LAN zone file
        local-zone: "oko_network.org" static
        local-data: "lofty.oko_network.org IN A 192.168.6.1"
        local-data: "svnhub.oko_network.org IN A 192.168.6.2"
6.168.192.in-addr.arpa
Code:
# more 6.168.192.in-addr.arpa 
        local-zone: "6.168.192.in-addr.arpa." static
        local-data-ptr: "192.168.6.1 lofty.oko_network.org"
        local-data-ptr: "192.168.6.2 svnhub.oko_network.org"

jggimi, 23rd June 2015

Since we're sharing valid configurations, here is one of mine. It's pretty simple. This non-authoritative configuration supports domain resolutions for two subnets: 10.0.1/24 and 10.0.4/24, and also provides local resolution on the server itself via loopback. It uses Google's public nameservers at 8.8.8.8 and 8.8.4.4 for resolutions of domain names and IP addresses on the Internet.

All I've done here is redact the local system names and addresses, leaving only a single domain name and IP address to show the two blocks where they are located in the file.
Code:
server:

verbosity: 1

interface: 127.0.0.1
interface: 10.0.1.1
interface: 10.0.4.1

access-control: 0.0.0.0/0 refuse
access-control: 127.0.0.0/8 allow
access-control: 10.0.0.0/8 allow

root-hints: "/var/unbound/etc/named.cache"

local-zone: "jggimi.homeip.net." static

local-data: "gateway.jggimi.homeip.net. IN A 10.0.1.1"
.
.
.
[snip]
.
.
.

local-data-ptr: "10.0.1.1 gateway.jggimi.homeip.net"
.
.
.
[snip]
.
.
.

python:

remote-control:

forward-zone:
    name: "."
    forward-addr: 8.8.8.8
    forward-addr: 8.8.4.4

Peter_APIIT, 26th June 2015

Problem solved by adding interface 127.0.0.1. Thanks, jggimi.

jggimi, 26th June 2015

You should thank denta.

http://daemonforums.org/showthread.php?t=9170#post55133