On 2023-05-15, Joel Carnat <j...@carnat.net> wrote:
> On Sun, May 14, 2023 at 10:32:15PM -0600, Zack Newman wrote:
>> On 2023-05-14, Joel Carnat <j...@carnat.net> wrote:
>> > I have unbound listening on lo0 (127.0.0.1, rdomain0) and resolv.conf
>> > configured with "nameserver 127.0.0.1".
>>
>> You can also have unbound(8) listen on lo1.

Like most things, it doesn't listen "on" an interface, it listens to an
address. The "Interface: int0" syntax looks up addresses on that interface
and listens to them.

> I have tried that but this seems to cause trouble with IPv6.
>
> # grep 'interface:' /var/unbound/etc/unbound.conf
> #interface: 127.0.0.1
> interface: lo0
> interface: lo1
> #interface: ::1
>
> # ifconfig lo0
> lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 32768
>         index 6 priority 0 llprio 3
>         groups: lo
>         inet6 ::1 prefixlen 128
>         inet6 fe80::1%lo0 prefixlen 64 scopeid 0x6
>         inet 127.0.0.1 netmask 0xff000000
>
> # ifconfig lo1
> lo1: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> rdomain 1 mtu 32768
>         index 13 priority 0 llprio 3
>         groups: lo
>         inet6 ::1 prefixlen 128
>         inet6 fe80::1%lo1 prefixlen 64 scopeid 0xd
>         inet 127.0.0.1 netmask 0xff000000
>
> # unbound-checkconf
> [1684134988] unbound-checkconf[16790:0] fatal error: ::1 present twice,
> cannot bind the same ports twice. The first entry is address ::1 from
> interface: lo0 and the second is address ::1 from interface: lo1

Not surprised, unbound isn't rdomain / multiple rtable-aware.

I think your options are

1) run a second copy (I suggest symlinking rc.d/unbound -> e.g.
rc.d/unbound1, and setting unbound1_rtable=1), or

2) leak the traffic between tables using a PF rule, I have this on my
laptop:

pass out quick on rdomain 2 to 127.0.0.1 nat-to 127.0.0.1 rtable 0

(in my case I have a wg tunnel in rdomain 2 for certain traffic but
would like to use unwind on the main table for DNS lookups).
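An added illustration, not code from the thread or from unbound itself: a small Python script that mimics the duplicate-address check in a simplified way, expanding each "interface:" entry to the addresses ifconfig shows on that interface (as the reply describes) and reporting every address that more than one entry resolves to. The ifconfig and unbound.conf text is constructed from the messages above.

```python
import re
from collections import defaultdict

# Constructed sample input: the two loopback interfaces and the unbound.conf
# fragment quoted in the thread (commented-out interface lines are ignored).
IFCONFIG_OUTPUT = """\
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 32768
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x6
        inet 127.0.0.1 netmask 0xff000000
lo1: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> rdomain 1 mtu 32768
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo1 prefixlen 64 scopeid 0xd
        inet 127.0.0.1 netmask 0xff000000
"""
UNBOUND_CONF = """\
#interface: 127.0.0.1
interface: lo0
interface: lo1
#interface: ::1
"""

def parse_ifconfig(text):
    """Return {ifname: [address, ...]} from ifconfig(8)-style output."""
    addrs, cur = defaultdict(list), None
    for line in text.splitlines():
        head = re.match(r'^(\S+):\s+flags=', line)
        if head:
            cur = head.group(1)
            continue
        addr = re.match(r'^\s+inet6?\s+(\S+)', line)
        if addr and cur:
            addrs[cur].append(addr.group(1))
    return dict(addrs)

def interface_entries(conf):
    """Active (uncommented) 'interface:' values in an unbound.conf."""
    return re.findall(r'^\s*interface:\s*(\S+)', conf, re.M)

def find_duplicate_binds(conf, ifconfig_text):
    """Expand each entry: an interface name becomes every address on it,
    anything else is a literal address. Return {address: [entry, ...]} for
    addresses claimed by more than one entry, which is what makes
    unbound-checkconf fail. Link-local addresses carry a scope id
    (fe80::1%lo0 vs fe80::1%lo1), so they do not collide."""
    ifaces = parse_ifconfig(ifconfig_text)
    owners = defaultdict(list)
    for entry in interface_entries(conf):
        for address in ifaces.get(entry, [entry]):
            owners[address].append(entry)
    return {a: e for a, e in owners.items() if len(e) > 1}
```

Running find_duplicate_binds(UNBOUND_CONF, IFCONFIG_OUTPUT) reports both ::1 and 127.0.0.1 as claimed by lo0 and lo1; mixing a literal "interface: 127.0.0.1" with "interface: lo0" is flagged the same way.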