Re: stub-addr in unbound.conf & unbound man page wording

2017-07-27 Thread Stuart Henderson
On 2017-07-26, Damian McGuckin wrote: > > Theo, > > On Wed, 26 Jul 2017, Theo de Raadt wrote: > >> This is due to the socket pledge code, with SOCK_DNS. This area was >> damaged during the transition to pledge, and hasn't been repaired. /usr/bin/dig is certainly restricted by pledge. Compare wit

Re: "Re: stub-addr in unbound.conf & unbound man page wording"

2017-07-26 Thread Damian McGuckin
On Wed, 26 Jul 2017, Amelia A Lewis wrote: do-not-query-localhost: no That seems like one of those awkwardly-phrased directives. The manual says that the default is to assume that do-not-query-address: localhost i.e. 'localhost' is added to the do-not-query-address list by default.

Re: "Re: stub-addr in unbound.conf & unbound man page wording"

2017-07-26 Thread Amelia A Lewis
On Thu, 27 Jul 2017 04:58:02 +1000 (AEST), Damian McGuckin wrote: > On Wed, 26 Jul 2017, Damian Haehlen wrote: > >> do-not-query-localhost: no That seems like one of those awkwardly-phrased directives. "Do you not deny Satan and all his works?!" "YES! Wait, what? I mean, no, NO! I mean, deny, d

Re: "Re: stub-addr in unbound.conf & unbound man page wording"

2017-07-26 Thread Damian McGuckin
On Wed, 26 Jul 2017, Damian Haehlen wrote: do-not-query-localhost: no Damian - that fixed it. Not that I have a clue what is going on there. The default interface is 127.0.0.1 so I am amazed that it gets into a list that you cannot query by default. Yet again - I was doing something wrong.

"Re: stub-addr in unbound.conf & unbound man page wording"

2017-07-26 Thread Damian Haehlen
Hi Damian This helped me: do-not-query-localhost: no Greetings Damian

Re: stub-addr in unbound.conf & unbound man page wording

2017-07-26 Thread Damian McGuckin
Theo, On Wed, 26 Jul 2017, Theo de Raadt wrote: This is due to the socket pledge code, with SOCK_DNS. This area was damaged during the transition to pledge, and hasn't been repaired. I am not convinced it is. But I can always be proven wrong and often am. I think my problem is purely an is

Re: stub-addr in unbound.conf & unbound man page wording

2017-07-26 Thread Theo de Raadt
> then a 'dig' or 'nslookup' fails even though I can get to port 8053 on > 127.0.0.1. This is due to the socket pledge code, with SOCK_DNS. This area was damaged during the transition to pledge, and hasn't been repaired. Maybe one day. But for the moment, it is not getting fixed because it isn

stub-addr in unbound.conf & unbound man page wording

2017-07-26 Thread Damian McGuckin
STUB-ADDR (of unbound.conf): 127.0.0.1@PORT (fails) --- I can run NSD on port 8053 on the interface 127.0.0.1 for a domain, say turkeys.com.au. I can then query that externally (with 'pf' doing an 'rdr' from some external IP 'rdr'd to 'lo0'