It is the firewall rule? - Re: Ubuntu 24.04 unbound install problems -- resolv.conf
Robert Moskowitz
rgm at htt-consult.com
Thu Jun 12 14:00:34 UTC 2025
I disabled ufw:
ufw disable
And now dig works for a local client.
I have tried different sets of firewall rules:
ufw allow in from 23.123.122.144/28 to any port 53
ufw allow in from 192.168.0.0/20 to any port 53
and
ufw allow in from 23.123.122.144/28 to any port 53 proto udp
ufw allow in from 192.168.0.0/20 to any port 53 proto udp
ufw allow in from 23.123.122.144/28 to any port 53 proto tcp
ufw allow in from 192.168.0.0/20 to any port 53 proto tcp
Neither works. I get a timeout on dig with the firewall enabled.
On 6/12/25 8:47 AM, Robert Moskowitz via ubuntu-users wrote:
> First, I am not skilled with Ubuntu. This is only my second Ubuntu
> server, and my first was pretty much turn-key for Mail-in-a-Box with
> Ubuntu 22. My decades of experience are with CentOS/Fedora. Thus at
> times it is easy (general Linux), and other times I am lost as to
> where things are.
>
> So:
>
> My unbound is on a public address on my home business network. You
> should ping it at onlo.htt-consult.com. But firewall rules will block
> you from accessing DNS. Also that is not my SSH port below...
>
> My plan is for all internal systems to point to it for DNS resolution.
>
> in unbound.conf, I have allowed access for my local systems:
>
> interface: 0.0.0.0
>
> access-control: 23.123.122.144/28 allow
> access-control: 192.168.128.0/17 allow
> access-control: 192.168.64.0/21 allow
> access-control: 192.168.96.0/21 allow
> access-control: 127.0.0.1/24 allow
>
> (BTW, I do play games with local RFC1918 IPv4 addrs. After all, I am
> the lead author of that RFC. I also worked in the CIDR workgroup at
> the time.)
>
> Then I opened up firewall for DNS:
>
> ufw allow in from 23.123.122.144/28 to any port 53
> ufw allow in from 192.168.0.0/24 to any port 53
>
> I can't find out if this makes the rules permanent, but at the time of
> testing, they were in force.
>
> But I can't dig from my notebook:
>
> dig @onlo.htt-consult.com A medon.htt-consult.com
> ;; communications error to 23.123.122.146#53: timed out
> ;; communications error to 23.123.122.146#53: timed out
> ;; communications error to 23.123.122.146#53: timed out
>
> ; <<>> DiG 9.18.33 <<>> @onlo.htt-consult.com A medon.htt-consult.com
> ; (1 server found)
> ;; global options: +cmd
> ;; no servers could be reached
>
> And the unbound server's resolv.conf is not working? Local nslookup
> fails.
>
> So basically how do I trouble-shoot this?
>
> On 6/11/25 11:48 PM, Jared Norris wrote:
>> Hi Robert,
>>
>> I use Unbound at home and might have a slightly different take. I
>> point my local router at an Unbound instance (running on a Raspberry
>> Pi) as the DNS service then set up Unbound using unbound.conf
>>
>> That way the whole network is using Unbound, not just my local PC.
>> That also means there is no config on any computer, just set it up
>> once on the router.
>>
>> I use it alongside Pihole and find it works well, they have
>> documentation to help with the set up and they mention a resolv.conf
>> issue with a workaround that may also help even if you want to still
>> run it locally - https://docs.pi-hole.net/guides/dns/unbound/
>>
>> Regards,
>>
>> Jared Norris
>>
>> On Thu, 12 Jun 2025 at 08:29, Robert Moskowitz via ubuntu-users
>> <ubuntu-users at lists.ubuntu.com> wrote:
>>
>> I have been following the cookbook at:
>>
>> https://www.linuxbabe.com/ubuntu/set-up-unbound-dns-resolver-on-ubuntu-20-04-server
>>
>> which is really for Ubuntu 22.
>>
>> I got through his getting unbound running.
>>
>> systemctl status unbound
>> ● unbound.service - Unbound DNS server
>>      Loaded: loaded (/usr/lib/systemd/system/unbound.service; enabled; preset: >
>>      Active: active (running) since Wed 2025-06-11 18:02:18 EDT; 26s ago
>>        Docs: man:unbound(8)
>>     Process: 5494 ExecStartPre=/usr/libexec/unbound-helper chroot_setup (code=e>
>>     Process: 5496 ExecStartPre=/usr/libexec/unbound-helper root_trust_anchor_up>
>>    Main PID: 5499 (unbound)
>>       Tasks: 1 (limit: 928)
>>      Memory: 8.2M (peak: 8.6M)
>>         CPU: 89ms
>>      CGroup: /system.slice/unbound.service
>>              └─5499 /usr/sbin/unbound -d -p
>>
>> netstat -tulpn
>> Active Internet connections (only servers)
>> Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
>> tcp        0      0 0.0.0.0:53              0.0.0.0:*               LISTEN      5499/unbound
>> tcp6       0      0 :::7456                 :::*                    LISTEN      1/init
>> udp        0      0 0.0.0.0:53              0.0.0.0:*                           5499/unbound
>>
>>
>> And setting firewall rules:
>>
>> Status: active
>>
>> To                         Action      From
>> --                         ------      ----
>> 7456                       ALLOW       Anywhere
>> 53                         ALLOW       23.123.122.144/28
>> 53                         ALLOW       192.168.0.0/24
>> 7456 (v6)                  ALLOW       Anywhere (v6)
>>
>> Now I am up to resolv.conf.
>>
>> I thought to be smart and set nameserver 127.0.0.1 in my netplan.
>> Easy, as I am on a fixed plan.
>>
>> But
>>
>> cat /etc/resolv.conf
>> # This is /run/systemd/resolve/stub-resolv.conf managed by man:systemd-resolved(8).
>> # Do not edit.
>> #
>> # This file might be symlinked as /etc/resolv.conf. If you're looking at
>> # /etc/resolv.conf and seeing this text, you have followed the symlink.
>> #
>> # This is a dynamic resolv.conf file for connecting local clients to the
>> # internal DNS stub resolver of systemd-resolved. This file lists all
>> # configured search domains.
>> #
>> # Run "resolvectl status" to see details about the uplink DNS servers
>> # currently in use.
>> #
>> # Third party programs should typically not access this file directly, but only
>> # through the symlink at /etc/resolv.conf. To manage man:resolv.conf(5) in a
>> # different way, replace this symlink by a static file or a different symlink.
>> #
>> # See man:systemd-resolved.service(8) for details about the supported modes of
>> # operation for /etc/resolv.conf.
>>
>> nameserver 127.0.0.53
>> options edns0 trust-ad
>> search htt-consult.com
>>
>> not 127.0.0.1
>>
>> So then I set my netplan back to the regular nameservers and tried to
>> follow his instructions to
>>
>> systemctl restart unbound-resolvconf.service
>>
>> But this fails. I am supposed to
>>
>> apt install openresolv
>>
>> But this has been pulled as of Ubuntu 23.
>>
>> So how do I finish up this unbound setup?
>>
>> I tried nslookup on my server. It times out. From my "allowed" local
>> addresses I tried:
>>
>> dig @onlo.htt-consult.com A medon.htt-consult.com
>> ;; communications error to 23.123.122.146#53: timed out
>> ;; communications error to 23.123.122.146#53: timed out
>> ;; communications error to 23.123.122.146#53: timed out
>>
>> ; <<>> DiG 9.18.33 <<>> @onlo.htt-consult.com A medon.htt-consult.com
>> ; (1 server found)
>> ;; global options: +cmd
>> ;; no servers could be reached
>>
>> thank you for your help.
>>
>>
>>
>> --
>> ubuntu-users mailing list
>> ubuntu-users at lists.ubuntu.com
>> Modify settings or unsubscribe at:
>> https://lists.ubuntu.com/mailman/listinfo/ubuntu-users
>>
>>
>
>
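Added example, not from the thread and not part of unbound or ufw: a small Python check that parses the unbound access-control lines and the ufw port-53 rules posted above (copied in as constructed sample input) and lists every netblock unbound is willing to answer that no ufw rule admits. It assumes the rule form used in the thread (`ufw allow in from X to any port 53 [proto udp|tcp]`), treats a rule with no `proto` as covering both UDP and TCP, and skips loopback because ufw's default before.rules accept traffic arriving on `lo`. Unbound's own per-client evaluation is not reproduced; the check only asks whether the two allow-lists agree.

```python
import ipaddress
import re

# Constructed sample input: the unbound access-control lines and the
# second set of ufw rules posted in the thread above.
UNBOUND_CONF = """\
interface: 0.0.0.0
access-control: 23.123.122.144/28 allow
access-control: 192.168.128.0/17 allow
access-control: 192.168.64.0/21 allow
access-control: 192.168.96.0/21 allow
access-control: 127.0.0.1/24 allow
"""

UFW_RULES = [
    "ufw allow in from 23.123.122.144/28 to any port 53",
    "ufw allow in from 192.168.0.0/20 to any port 53",
]

ACL_RE = re.compile(r"^\s*access-control:\s*(\S+)\s+(\S+)")
# Only the rule form used in the thread is parsed; no proto means udp and tcp.
UFW_RE = re.compile(
    r"^(?:sudo\s+)?ufw allow in from (\S+) to any port (\d+)(?: proto (udp|tcp))?$"
)


def parse_unbound_acl(text):
    """Return [(network, action)] from access-control: lines.

    strict=False masks host bits to the prefix length (127.0.0.1/24 becomes
    127.0.0.0/24) instead of rejecting the line.
    """
    acls = []
    for line in text.splitlines():
        m = ACL_RE.match(line)
        if m:
            acls.append((ipaddress.ip_network(m.group(1), strict=False), m.group(2)))
    return acls


def parse_ufw_rules(rules, port=53):
    """Return {"udp": [networks], "tcp": [networks]} allowed in to `port`."""
    allowed = {"udp": [], "tcp": []}
    for rule in rules:
        m = UFW_RE.match(rule.strip())
        if not m or int(m.group(2)) != port:
            continue
        net = ipaddress.ip_network(m.group(1), strict=False)
        for proto in ([m.group(3)] if m.group(3) else ["udp", "tcp"]):
            allowed[proto].append(net)
    return allowed


def uncovered(net, allowed_nets):
    """Return the pieces of `net` that no network in allowed_nets contains."""
    remaining = [net]
    for a in allowed_nets:
        nxt = []
        for r in remaining:
            if r.version != a.version or not r.overlaps(a):
                nxt.append(r)                      # disjoint: still uncovered
            elif a.supernet_of(r):
                pass                               # fully covered by this rule
            else:
                nxt.extend(r.address_exclude(a))   # carve the allowed part out
        remaining = nxt
    return remaining


def firewall_gaps(unbound_text, ufw_rules):
    """List (netblock, proto) pairs unbound would answer but ufw never lets in.

    Loopback is skipped: ufw's default before.rules accept everything on lo.
    """
    allowed = parse_ufw_rules(ufw_rules)
    gaps = []
    for net, action in parse_unbound_acl(unbound_text):
        if action != "allow" or net.is_loopback:
            continue
        for proto in ("udp", "tcp"):
            for hole in uncovered(net, allowed[proto]):
                gaps.append((str(hole), proto))
    return gaps


if __name__ == "__main__":
    for block, proto in firewall_gaps(UNBOUND_CONF, UFW_RULES):
        print(f"unbound allows {block} but no ufw rule admits {proto}/53 from it")
```

On the values above it reports the three 192.168.64.0/21, 192.168.96.0/21 and 192.168.128.0/17 blocks for both protocols, since 192.168.0.0/20 only reaches 192.168.15.255; a client in one of those ranges is allowed by unbound but dropped by ufw. To run it against a live host, `ufw show added` prints the rules in the same command form. Agreement between the two lists is necessary, not sufficient: a timeout can still come from the client's own network path or from unbound's upstream lookups, so pair it with `ufw status verbose` and the unbound log.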