Unbound - not listening on configured IP address

[Morris Minor]

I have a vanilla 10.3 installation running inside VMWare Fusion Pro, on to which I installed Unbound. The object is to use this is a caching recursive DNS server. The IP bound to the NIC is 10.10.10.13. I can ping this from other hosts on the LAN without problem, and it also accepts remote SSH sessions fine.

Unbound however is not listening on 10.10.10.13:53, and I have not yet figured out why. As you can see from the sockstat output, it's listening on localhost 53, and I can resolve external host OK if I drill localhost. Any help gratefully accepted:

root@unboundrns:/ # cat /etc/rc.conf
hostname="unboundrns.testdomain.org"
ifconfig_em0="10.10.10.13 netmask 255.255.255.0"
defaultrouter="10.10.10.1"
ntpd_enable="YES"
sshd_enable="YES"
unbound_enable="YES"

root@unboundrns:/ # cat /etc/unbound/unbound.conf
## Simple recursive caching DNS
## unbound.conf -- https://calomel.org
#
server:
interface: 127.0.0.1
interface: 0.0.0.0
# interface: 10.10.10.13
access-control: 10.10.10.0/8 allow_snoop
access-control: 127.0.0.0/8 allow
## allow_snoop: 10.10.10.0/24
logfile: "/var/unbound/unbound.log"
log-queries: yes
verbosity: 3
port: 53
do-ip4: yes
do-ip6: no
do-udp: yes
do-tcp: yes
root-hints: "/var/unbound/root.hints"
auto-trust-anchor-file: "/var/unbound/root.key"
hide-identity: yes
hide-version: yes
harden-dnssec-stripped: yes
harden-glue: yes
prefetch: yes
msg-cache-slabs: 2
rrset-cache-slabs: 2
infra-cache-slabs: 2
key-cache-slabs: 2
rrset-cache-size: 256m
msg-cache-size: 128m
val-clean-additional: yes
unwanted-reply-threshold: 10000

root@unboundrns:/ # sockstat
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
unbound  unbound    745   3  udp6   ::1:53                *:*
unbound  unbound    745   4  tcp6   ::1:53                *:*
unbound  unbound    745   5  udp4   127.0.0.1:53          *:*
unbound  unbound    745   6  tcp4   127.0.0.1:53          *:*
unbound  unbound    745   7  dgram  -> /var/run/logpriv
unbound  unbound    745   8  stream -> ??
unbound  unbound    745   9  stream -> ??
root     sshd       709   3  tcp4   10.10.10.13:22        10.10.10.16:59859
root     login      652   3  dgram  -> /var/run/logpriv
smmsp    sendmail   599   3  dgram  -> /var/run/log
root     sendmail   596   3  tcp4   127.0.0.1:25          *:*
root     sendmail   596   4  dgram  -> /var/run/logpriv
root     sshd       593   3  tcp6   *:22                  *:*
root     sshd       593   4  tcp4   *:22                  *:*
root     syslogd    452   4  dgram  /var/run/log
root     syslogd    452   5  dgram  /var/run/logpriv
root     syslogd    452   6  udp6   *:514                 *:*
root     syslogd    452   7  udp4   *:514                 *:*
root     devd       307   4  stream /var/run/devd.pipe
root     devd       307   5  seqpac /var/run/devd.seqpacket.pipe
root     devd       307   7  dgram  -> /var/run/logpriv

root@unboundrns:/ # cat /etc/resolv.conf
search testdomain.org
nameserver 127.0.0.1
# nameserver 10.10.10.1
# nameserver 4.2.2.2

 

[aribi]

You are aware of (from unbound.conf())

The  interfaces  are not changed on a reload (kill -HUP) but only on restart.

Think this means change of interface in unbound.conf will not be activated through #service unbound reload
But stop/start cycle should do the trick.

 

[Morris Minor]

Thanks I did find that reference and have been cycling through #service unbound ttop (then start)
I've also checked the conf file (where my commenting stuff can be seen I as I've tried to fix this)

root@unboundrns:~ # unbound-checkconf
unbound-checkconf: no errors in /var/unbound/unbound.conf

 

[rigoletto@]

I have a vanilla 10.3 installation running inside VMWare Fusion Pro, on to which I installed Unbound.

Please, make clear if you really installed Unbound from ports or are trying to use the base one.

unbound_enable=YES

will start the port version and the config files are placed on /usr/local/etc/unbound.

So, the configuration you are doing are of the base version one:

/var/unbound

You may use the base version, what you already configured, and modify you rc.conf to have:

local_unbound_enable="YES"

Or move/copy the configurations to the right place in order to use the ports version.

Cheers!

 

[Morris Minor]

I installed it (ports version) using pkg a couple of days ago. I'm new to FreeBSD and had not realized Unbound was already included with the base OS.

So I'd been doing what you'd guessed, editing the wrong config in /var/unbound. As you suggested, I copied my config files from there to /usr/local/etc/unbound, rebooted the whole thing, and all is well.

Thanks so much!

 

[rigoletto@]

Unless you are looking for to use the last version I think there is no relevant difference between the base and port version. Usually, beyond version number, what make more interesting to use the port version is the ability to compile it with custom options, like libevent support - what is not present on base and pkg versions.

That said, I mean, may be more practical to simple use the base one.

Cheers!

EDIT: putting aside some specific exceptions, everything installed from ports are by default placed on /usr/local/.

 

[Morris Minor]

Late followup on this...

How would I remove/disable the base version should I want to go ahead & use the ports version compiled with custom options?
Regards!

 

[rigoletto@]

You can simple not start the local_unbound service, and it will be "disabled". However, if you really want to remove Unbound from the base system, basically you need to add WITHOUT_UNBOUND=YES on src.conf(5), and then rebuild the whole FreeBSD.

EDIT: It is important to point out if you do that you should not use freebsd-update anymore, you will need to update/upgrade kernel/base from svn, but still can use pkgs.

Cheers!