unbound-docker-rpi
RPI image not resolving DNSSEC (recursive server)
Describe the bug RPI image does not resolve insecure DNS properly when used as recursive server.
To Reproduce Steps to reproduce the behaviour:
- Compose file:
```yaml
unbound:
  image: mvance/unbound-rpi:1.17.0
  container_name: unbound
  hostname: unbound
  restart: always
  volumes:
    - /home/pi/docker/volumes/unbound:/opt/unbound/etc/unbound
  networks:
    mainnet:
      ipv4_address: 172.20.0.10 # Used in Pi-Hole "Upstream DNS Servers" config
  ports:
    - "5335:53/tcp"
    - "5335:53/udp"
```
- Customizations (config files)
```
server:
  logfile: "/opt/unbound/etc/unbound/unbound.log"
  verbosity: 2
  port: 53
  do-ip4: yes
  do-udp: yes
  do-tcp: yes
  do-ip6: no
  prefer-ip6: no
  root-hints: "/opt/unbound/etc/unbound/root.hints"
  harden-glue: yes
  harden-dnssec-stripped: yes
  use-caps-for-id: no
  edns-buffer-size: 1232
  prefetch: yes
  num-threads: 1
  private-address: 192.168.0.0/16
  private-address: 169.254.0.0/16
  private-address: 172.16.0.0/12
  private-address: 10.0.0.0/8
  private-address: fd00::/8
  private-address: fe80::/10
  access-control: 172.16.0.0/12 allow_snoop
  interface: 0.0.0.0@53
  chroot: "/opt/unbound/etc/unbound"
  directory: "/opt/unbound/etc/unbound"
  auto-trust-anchor-file: "var/root.key"
  tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt
  cache-max-ttl: 86400
  cache-min-ttl: 300
remote-control:
  control-enable: no
```
Expected behavior
Running from the host RPI system:
```
dig fail01.dnssec.works @127.0.0.1 -p 5335

; <<>> DiG 9.16.37-Debian <<>> fail01.dnssec.works @127.0.0.1 -p 5335
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 46756
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;fail01.dnssec.works.		IN	A

;; Query time: 0 msec
;; SERVER: 127.0.0.1#5335(127.0.0.1)
;; WHEN: Tue Feb 14 09:55:58 -03 2023
;; MSG SIZE  rcvd: 48
```
Error messages
Running from the host RPI system:
```
dig fail01.dnssec.works @127.0.0.1 -p 5335 +trace

; <<>> DiG 9.16.37-Debian <<>> fail01.dnssec.works @127.0.0.1 -p 5335 +trace
;; global options: +cmd
.			86317	IN	NS	j.root-servers.net.
.			86317	IN	NS	k.root-servers.net.
.			86317	IN	NS	l.root-servers.net.
.			86317	IN	NS	m.root-servers.net.
.			86317	IN	NS	a.root-servers.net.
.			86317	IN	NS	b.root-servers.net.
.			86317	IN	NS	c.root-servers.net.
.			86317	IN	NS	d.root-servers.net.
.			86317	IN	NS	e.root-servers.net.
.			86317	IN	NS	f.root-servers.net.
.			86317	IN	NS	g.root-servers.net.
.			86317	IN	NS	h.root-servers.net.
.			86317	IN	NS	i.root-servers.net.
.			86317	IN	RRSIG	NS 8 0 518400 20230227050000 20230214040000 951 . VXSm59w17QNYoRwEE0GiV2q7+rjstTER5+axR8/FdNNUGy4CeRkgNsde Hf8Z7w76aAev6NeZeRIAkhQBDzxlqruMR1t+7u3X+d+xp1eF9qib4Avd v8FnnHE1kUN8/uux6kN8vZ+aBM4eZ9pCyC2XdRz2IKVNsDOrasxEMl1x E0hBDD6EU/KPYwOiAf+B1XeKtSYf640mdG4FEgdhKvjeV1TofcMjZT9e KNEUoSi7oQqQEYllR/58TcoOf0S8zo1U9YnRniG9NzW30XjIXeZ9VK5U LdQ++X9oMP1foSvV7jpuSr8fxmqqjT7+zx/Wg/tTByTgxCPp2fNCbjmt AVXwtg==
;; Received 525 bytes from 127.0.0.1#5335(127.0.0.1) in 15 ms

;; connection timed out; no servers could be reached
```
Additional context
Host RPI is
```
Linux raspberrypi 6.1.11-v8+ #1630 SMP PREEMPT Fri Feb 10 12:11:31 GMT 2023 aarch64 GNU/Linux
```
To add more to this, it works intermittently. At random intervals it resolves as expected, and many other times it does not. Maybe a misconfiguration on my side?
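As an added diagnostic example (not code from the issue or from the mvance/unbound-rpi project), the script below sends raw UDP DNS queries with EDNS0 and the DO bit set, the same shape as the `dig` query above, and classifies each reply by RCODE and the AD flag. Repeating it against the resolver gives a count of validated / insecure / SERVFAIL / timeout outcomes, which is one way to put numbers on the intermittent behaviour described here. The resolver address and port (127.0.0.1:5335, taken from the report) and the probe count are assumptions; the sample responses at the bottom are constructed for an offline check of the parser and mirror the header of the SERVFAIL answer shown above.

```python
#!/usr/bin/env python3
"""Probe a recursive resolver for DNSSEC validation behaviour with hand-built
DNS packets (no dnspython required). Added example; not part of the issue."""
import random
import socket
import struct
from collections import Counter
from typing import Optional

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def build_query(qname: str, qtype: int = 1, qid: Optional[int] = None,
                udp_size: int = 1232) -> bytes:
    """Build a DNS query: RD set, one question, and an OPT RR with the DO bit."""
    qid = random.randrange(0, 0x10000) if qid is None else qid
    # flags 0x0100 = RD; QDCOUNT=1, ARCOUNT=1 (the OPT record)
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1)
    labels = b"".join(struct.pack("!B", len(part)) + part.encode("ascii")
                      for part in qname.rstrip(".").split("."))
    question = labels + b"\x00" + struct.pack("!HH", qtype, 1)  # class IN
    # OPT RR: root name, type 41, class = UDP payload size,
    # TTL field = ext-rcode/version/flags with DO (0x8000) set, RDLEN 0
    opt = b"\x00" + struct.pack("!HHIH", 41, udp_size, 0x00008000, 0)
    return header + question + opt


def parse_response(data: bytes) -> dict:
    """Read the 12-byte DNS header: id, QR/TC/AD flags, RCODE and section counts."""
    if len(data) < 12:
        raise ValueError("short DNS message")
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    return {
        "id": qid,
        "qr": bool(flags & 0x8000),
        "tc": bool(flags & 0x0200),
        "ad": bool(flags & 0x0020),
        "rcode": RCODES.get(flags & 0x000F, str(flags & 0x000F)),
        "question": qd, "answer": an, "authority": ns, "additional": ar,
    }


def classify(resp: dict) -> str:
    """validated = NOERROR with AD; insecure = NOERROR without AD; else the RCODE."""
    if resp["rcode"] == "NOERROR":
        return "validated" if resp["ad"] else "insecure"
    return resp["rcode"]


def probe(resolver: str, port: int, qname: str, timeout: float = 3.0) -> str:
    """Send one query over UDP and return its classification (or 'timeout')."""
    query = build_query(qname)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (resolver, port))
        try:
            data, _ = sock.recvfrom(4096)
        except socket.timeout:
            return "timeout"
    resp = parse_response(data)
    if resp["id"] != ((query[0] << 8) | query[1]):
        return "id-mismatch"  # reply does not belong to our query
    return classify(resp)


def repeat_probe(resolver: str, port: int, qname: str, n: int = 20) -> Counter:
    """Run the probe n times and tally the outcomes to expose intermittent failures."""
    return Counter(probe(resolver, port, qname) for _ in range(n))


# Constructed samples (header of a real reply + the question/OPT of our own query):
# SERVFAIL with flags qr rd ra, id 46756, ADDITIONAL 1 -- as in the dig output above.
SERVFAIL_SAMPLE = (struct.pack("!HHHHHH", 46756, 0x8182, 1, 0, 0, 1)
                   + build_query("fail01.dnssec.works", qid=46756)[12:])
# Header-only samples (the classifier reads only the header): NOERROR+AD, NOERROR without AD.
VALIDATED_SAMPLE = struct.pack("!HHHHHH", 1, 0x81A0, 1, 1, 0, 1)
INSECURE_SAMPLE = struct.pack("!HHHHHH", 2, 0x8180, 1, 1, 0, 1)

if __name__ == "__main__":
    # Assumed resolver endpoint from the report; run on the host that maps port 5335.
    for name in ("fail01.dnssec.works", "dnssec.works"):
        print(name, dict(repeat_probe("127.0.0.1", 5335, name)))
```

A validating resolver is expected to answer SERVFAIL for the fail01 test name and NOERROR with AD for a correctly signed name; a run that mixes SERVFAIL and "timeout" for the signed name, rather than a steady "validated", is the pattern to take to the logs at verbosity 2.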
Dear friend, you are sending the request to 127.0.0.1, the LOCAL MACHINE; you need to send this request to 192.168.0.XXX, THE CONTAINER.
Hi @hqnicolas thanks for reaching out.
I am using dig from the Raspberry host itself. Also, I am mapping port 5335 to the internal resolver. Requests to my local RPI are passed through the unbound container this way. I am using this setup, exposing the port externally, just for testing purposes.