
Unbound DNS server behind a VIP - solving reply from unexpected source
Friday - Feb 17th 2017

In my previous post I wrote about getting Unbound to work without an Internet connection (Get Unbound DNS lookups working in Ubuntu 16.04 Xenial, understand SERVFAIL). For that blog post I simplified the setup; in reality the DNS architecture is a "cluster" of two Xenial hosts running Keepalived and sharing a virtual IP address (VIP) via VRRP.

After a couple of tests, I stumbled across the following problem:

$ dig -t A www.claudiokuenzler.com @192.168.10.10
;; reply from unexpected source: 192.168.10.11#53, expected 192.168.10.10#53
;; reply from unexpected source: 192.168.10.11#53, expected 192.168.10.10#53
;; reply from unexpected source: 192.168.10.11#53, expected 192.168.10.10#53

You've guessed it right: 192.168.10.10 is the VIP against which I ran the lookup, but the DNS response came back from the active server's primary IP address, 192.168.10.11. Dig correctly says "dude, something's not right" and drops the answer (after three retries it gives up). This is the right behaviour for any resolver client: a reply has to come from the address and port the query was sent to, otherwise anyone able to send UDP packets to the client could inject answers without even having to spoof the server's source address.

My first thought was some weird masquerading (SNAT) rule to always answer from the VIP. But that would cause problems on the second host, the VRRP BACKUP, which does not hold the VIP, and it would break local lookups (unless I added yet another masquerading hack for localhost). Just trying to write down the potential masquerading rules makes it obvious that this would be nothing but a hack to make something work which should be simple and work out of the box.

Luckily I read through the manpage of unbound.conf again and I found something very interesting:

       interface-automatic:
              Detect source interface on UDP queries and copy them to replies.  This feature is experimental, and needs support in your OS for particular
              socket options.  Default value is no.

The description sounds like exactly what I need: Unbound records which local address a UDP query arrived on and answers from that same address instead of letting the kernel pick one. So I gave it a shot and added "interface-automatic: yes" to the config:

server:
        interface: 0.0.0.0
        interface-automatic: yes
        access-control: 10.0.0.0/16 allow
        access-control: 127.0.0.0/8 allow
        access-control: 172.16.0.0/12 allow
        access-control: 192.168.0.0/16 allow
        verbosity: 1
        domain-insecure: *
        root-hints: /var/lib/unbound/root.hints
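To make visible what interface-automatic actually changes, here is an added example (not code from this post and not Unbound's own code). It reproduces the "reply from unexpected source" symptom on the loopback interface and then fixes it with the same socket mechanism Unbound uses on Linux, IP_PKTINFO: the server reads the destination address of the incoming datagram from ancillary data and hands it back to the kernel as the source address of the reply. It assumes Linux and Python 3 and uses 127.0.0.2 as a stand-in for the VIP (all of 127.0.0.0/8 is local on Linux, so a socket bound to 0.0.0.0 receives on it without extra setup):

```python
"""Reproduce the "reply from unexpected source" problem on loopback and
fix it the way interface-automatic does: answer from the address the
query arrived on instead of whatever address the kernel picks by routing."""
import socket
import struct
import threading

# Linux value of IP_PKTINFO; not every Python build exports the constant (assumption).
IP_PKTINFO = getattr(socket, "IP_PKTINFO", 8)
# 127.0.0.2 plays the role of the VIP; 127.0.0.1 plays the host's primary address.
VIP = "127.0.0.2"
# struct in_pktinfo: ipi_ifindex, ipi_spec_dst, ipi_addr (12 bytes on Linux)
PKTINFO_FMT = "I4s4s"
PKTINFO_LEN = struct.calcsize(PKTINFO_FMT)


def serve_one(srv, copy_source):
    """Answer a single UDP datagram, like a resolver listening on 0.0.0.0."""
    data, ancdata, _flags, client = srv.recvmsg(512, socket.CMSG_SPACE(PKTINFO_LEN))
    dst = None
    for level, ctype, cdata in ancdata:
        if level == socket.IPPROTO_IP and ctype == IP_PKTINFO:
            # ipi_addr is the destination address of the received packet (the VIP)
            _ifindex, _spec_dst, dst = struct.unpack(PKTINFO_FMT, cdata[:PKTINFO_LEN])
    if copy_source and dst is not None:
        # interface-automatic: ask the kernel to send from the address the query came in on
        pktinfo = struct.pack(PKTINFO_FMT, 0, dst, b"\0" * 4)
        srv.sendmsg([data], [(socket.IPPROTO_IP, IP_PKTINFO, pktinfo)], 0, client)
    else:
        # plain reply: the kernel picks the source address by route lookup (the primary IP)
        srv.sendto(data, client)


def query_vip(copy_source, vip=VIP):
    """Send one query to the VIP and return (expected_source, actual_source) as ip#port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.setsockopt(socket.IPPROTO_IP, IP_PKTINFO, 1)  # deliver destination info on receive
    srv.bind(("0.0.0.0", 0))  # all interfaces, like "interface: 0.0.0.0" in unbound.conf
    port = srv.getsockname()[1]
    worker = threading.Thread(target=serve_one, args=(srv, copy_source), daemon=True)
    worker.start()
    cli = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    cli.settimeout(3)
    try:
        cli.sendto(b"query", (vip, port))
        _reply, (src_ip, src_port) = cli.recvfrom(512)
    finally:
        worker.join(3)
        cli.close()
        srv.close()
    return (f"{vip}#{port}", f"{src_ip}#{src_port}")


def dig_verdict(expected, actual):
    """Mimic dig: a reply from an address other than the queried one is rejected."""
    if expected != actual:
        return f";; reply from unexpected source: {actual}, expected {expected}"
    return ";; got answer"


if __name__ == "__main__":
    for copy_source in (False, True):
        expected, actual = query_vip(copy_source)
        mode = "yes" if copy_source else "no"
        print(f"interface-automatic={mode}: {dig_verdict(expected, actual)}")
```

Run without the copy, the reply to a query sent to 127.0.0.2 comes back from 127.0.0.1 and dig's verdict is the same "reply from unexpected source" line as above; with the copy, the source matches. Note that the VRRP BACKUP host never holds the VIP, so nothing arrives there on that address and the mechanism simply does nothing on it, which is exactly why no NAT rule is needed on either node.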

After a restart of Unbound I tried it again, this time with success. (Two side notes on the config above: "interface: 0.0.0.0" listens on every address of the host, so the access-control lines are what keeps this from becoming an open resolver; and "domain-insecure: *" disables DNSSEC validation for every zone. Neither is related to the fix, keep "domain-insecure" only if you actually need it.)

$ dig -t A www.claudiokuenzler.com @192.168.10.10

; <<>> DiG 9.9.5-3ubuntu0.11-Ubuntu <<>> -t A www.claudiokuenzler.com @192.168.10.10
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32099
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.claudiokuenzler.com.       IN      A

;; ANSWER SECTION:
www.claudiokuenzler.com. 28636  IN      A       144.76.83.23

;; Query time: 4 msec
;; SERVER: 192.168.10.10#53(192.168.10.10)
;; WHEN: Fri Feb 17 11:14:33 CET 2017
;; MSG SIZE  rcvd: 68

And it still works on the primary IP of the cluster host, too, since the same mechanism answers from whichever address the query arrived on:

$ dig -t A www.claudiokuenzler.com @192.168.10.11

; <<>> DiG 9.9.5-3ubuntu0.11-Ubuntu <<>> -t A www.claudiokuenzler.com @192.168.10.11
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62942
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.claudiokuenzler.com.       IN      A

;; ANSWER SECTION:
www.claudiokuenzler.com. 28493  IN      A       144.76.83.23

;; Query time: 0 msec
;; SERVER: 192.168.10.11#53(192.168.10.11)
;; WHEN: Fri Feb 17 11:16:54 CET 2017
;; MSG SIZE  rcvd: 68

Well done, Unbound! I'm positively surprised that this config option is available, even if the manpage still calls it experimental.

PS: I also tried pointing the Unbound listener at the VIP by setting "interface" to the virtual IP address in unbound.conf (instead of all interfaces, 0.0.0.0). But the VIP is only assigned once Unbound is already running correctly (I added specific DNS checks in keepalived.conf, so Keepalived only becomes MASTER when the resolver answers), so Unbound could not bind the address at start-up and failed with:

unbound[32235]: [1487320777] unbound[32535:0] error: can't bind socket: Cannot assign requested address for 192.168.10.10
unbound[32235]: [1487320777] unbound[32535:0] fatal error: could not open ports
unbound[32235]:    ...fail!

On Linux the sysctl net.ipv4.ip_nonlocal_bind=1 would let Unbound bind the VIP before it is assigned, but that again makes the BACKUP host hold a listener on an address it does not own; with interface-automatic there is no chicken-and-egg problem at all.
