Theo,
On Wed, 26 Jul 2017, Theo de Raadt wrote:
> This is due to the socket pledge code, with SOCK_DNS. This area was
> damaged during the transition to pledge, and hasn't been repaired.
I am not convinced it is. But I can always be proven wrong and often am.
I think my problem is purely an issue with unbound or maybe the way I am
using/configuring it.
On a machine, let's call it Oz, ....
NSD is listening on port 8053 on both 127.0.0.1 and 10.10.10.10, Oz's
internal interface. 'PF' on Oz's external interface (X.Y.Z.T) redirects
port 53 to port 8053 on lo0 (127.0.0.1) and DNS queries through that
external interface work. So NSD is working, and on 127.0.0.1, it would
seem.
Unbound is listening on port 53 on both 127.0.0.1 and 10.10.10.10.
With the following entry in unbound.conf
stub-zone:
        name: "turkeys.com.au."
        stub-addr: 10.10.10.10@8053
I can resolve 'roasted.turkeys.com.au' perfectly with dig or nslookup
which do queries on port 53. So, I know that the host is in the file and
it would appear that I have not screwed up my unbound configuration too
badly.
But changing unbound.conf ever so slightly to
stub-zone:
        name: "turkeys.com.au."
        stub-addr: 127.0.0.1@8053
and queries on port 53 for 'roasted.turkeys.com.au' fail. And yes, the
lines for 'access-control' are correct. Unless I need some other special
command or option for 127.0.0.1 such as 'private-domain' or something? I
know that a query through the external interface RDR'd to 127.0.0.1@8053
resolves perfectly.
Am I silly? What is the difference, in the above context, between
10.10.10.10 and 127.0.0.1?
Doesn't 'pledge' just think they are IP addresses?
Host names have been changed to protect the guilty!
Regards - Damian
Pacific Engineering Systems International, 277-279 Broadway, Glebe NSW 2037
Ph:+61-2-8571-0847 .. Fx:+61-2-9692-9623 | unsolicited email not wanted here
Views & opinions here are mine and not those of any past or present employer
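[Editor's note, added to this archived message and not part of Damian's post or of any reply in the thread.] The two stub-addr variants from the message, side by side with the unbound server option that decides the loopback case. unbound ships with do-not-query-localhost set to yes, which adds 127.0.0.0/8 and ::1 to its do-not-query address list; a stub-addr or forward-addr on the loopback is then never contacted and the query fails (typically with SERVFAIL), while the same zone on 10.10.10.10@8053 works. The zone name and addresses are the anonymised ones from the post; the 10.10.10.0/24 access-control mask and the rest of the server section are illustrative assumptions.

```conf
# Added example (editor), not the configuration Damian posted.
# Zone and addresses follow the message; the netmask and the other
# server options are assumptions for illustration.
server:
        interface: 127.0.0.1
        interface: 10.10.10.10
        port: 53
        access-control: 127.0.0.0/8 allow
        access-control: 10.10.10.0/24 allow

        # Default is "yes": 127.0.0.0/8 and ::1 go on the do-not-query list,
        # so an upstream (stub or forward) on the loopback is never asked.
        # That alone explains 10.10.10.10@8053 working and 127.0.0.1@8053
        # failing. "no" permits loopback upstreams for the whole server.
        do-not-query-localhost: no

# Variant 1: works with the default do-not-query-localhost: yes.
stub-zone:
        name: "turkeys.com.au."
        stub-addr: 10.10.10.10@8053

# Variant 2: needs do-not-query-localhost: no above. Only one stub-zone
# per name is allowed, so this copy is commented out.
# stub-zone:
#         name: "turkeys.com.au."
#         stub-addr: 127.0.0.1@8053
```

To check the pieces separately: `dig @127.0.0.1 -p 8053 roasted.turkeys.com.au` confirms NSD answers on the loopback directly, `unbound-checkconf` validates the edited file, and after restarting unbound `dig @127.0.0.1 roasted.turkeys.com.au` exercises the stub zone. Note that do-not-query-localhost is a server-wide switch, not per zone, so it should be combined with the access-control entries that keep the resolver private to the intended clients.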