Solved - Re: It is the firewall rule? - Re: Ubuntu 24.04 unbound install problems -- resolv.conf
Robert Moskowitz
rgm at htt-consult.com
Thu Jun 12 14:11:22 UTC 2025
I, of all people, can't do my CIDR numbering.
ufw allow in from 192.168.0.0/16 to any port 53
Sigh.
I mean I was in the room when Tony Li and Yakov Rekhter were going at it
on however the mask rules would work....
And I took notes! I mean they are probably still around somewhere on my
current notebook.
Grumble.
Fun couple of guys! Even when they strongly disagreed on something.
On 6/12/25 10:00 AM, Robert Moskowitz via ubuntu-users wrote:
> I disabled ufw:
>
> ufw disable
>
> And now dig works for a local client.
>
> I have tried different set of firewall rules:
>
> ufw allow in from 23.123.122.144/28 to any port 53
> ufw allow in from 192.168.0.0/20 to any port 53
>
> and
>
> ufw allow in from 23.123.122.144/28 to any port 53 proto udp
> ufw allow in from 192.168.0.0/20 to any port 53 proto udp
> ufw allow in from 23.123.122.144/28 to any port 53 proto tcp
> ufw allow in from 192.168.0.0/20 to any port 53 proto tcp
>
> neither works. I get a timeout on dig with firewall enabled.
>
>
> On 6/12/25 8:47 AM, Robert Moskowitz via ubuntu-users wrote:
>> First, I am not skilled with Ubuntu. This is only my second Ubuntu
>> server, and my first was pretty much turn-key for Mail-in-a-Box with
>> Ubuntu 22. My decades of experience are with CentOS/Fedora. Thus at
>> times it is easy (general Linux), and other times I am lost as to
>> where things are.
>>
>> So:
>>
>> My unbound is on a public address on my home business network. You
>> should ping it at onlo.htt-consult.com. But firewall rules will
>> block you from accessing DNS. Also that is not my SSH port below...
>>
>> My plan is for all internal systems to point to it for DNS resolution.
>>
>> in unbound.conf, I have allowed access for my local systems:
>>
>> interface: 0.0.0.0
>>
>> access-control: 23.123.122.144/28 allow
>> access-control: 192.168.128.0/17 allow
>> access-control: 192.168.64.0/21 allow
>> access-control: 192.168.96.0/21 allow
>> access-control: 127.0.0.1/24 allow
>>
>> (BTW, I do play games with local RFC1918 IPv4 addrs. After all, I am
>> the lead author of that RFC. I also worked in the CIDR workgroup at
>> the time.)
>>
>> Then I opened up firewall for DNS:
>>
>> ufw allow in from 23.123.122.144/28 to any port 53
>> ufw allow in from 192.168.0.0/24 to any port 53
>>
>> I can't find out if this makes the rules permanent, but at the time
>> of testing, they were in force.
>>
>> But I can't dig from my notebook:
>>
>> dig @onlo.htt-consult.com A medon.htt-consult.com
>> ;; communications error to 23.123.122.146#53: timed out
>> ;; communications error to 23.123.122.146#53: timed out
>> ;; communications error to 23.123.122.146#53: timed out
>>
>> ; <<>> DiG 9.18.33 <<>> @onlo.htt-consult.com A medon.htt-consult.com
>> ; (1 server found)
>> ;; global options: +cmd
>> ;; no servers could be reached
>>
>> And the unbound server's resolv.conf is not working? local nslookup
>> fails.
>>
>> So basically how do I trouble-shoot this?
>>
>> On 6/11/25 11:48 PM, Jared Norris wrote:
>>> Hi Robert,
>>>
>>> I use Unbound at home and might have a slightly different take. I
>>> point my local router at an Unbound instance (running on a Raspberry
>>> Pi) as the DNS service then set up Unbound using unbound.conf
>>>
>>> That way the whole network is using Unbound, not just my local PC.
>>> That also means there is no config on any computer, just set it up
>>> once on the router.
>>>
>>> I use it alongside Pihole and find it works well, they have
>>> documentation to help with the set up and they mention a
>>> resolve.conf issue with a workaround that may also help even if you
>>> want to still run it locally -
>>> https://docs.pi-hole.net/guides/dns/unbound/
>>>
>>> Regards,
>>>
>>> Jared Norris
>>>
>>> On Thu, 12 Jun 2025 at 08:29, Robert Moskowitz via ubuntu-users
>>> <ubuntu-users at lists.ubuntu.com> wrote:
>>>
>>> I have been following the cookbook at:
>>>
>>> https://www.linuxbabe.com/ubuntu/set-up-unbound-dns-resolver-on-ubuntu-20-04-server
>>>
>>> which is really for Ubuntu 22.
>>>
>>> I got through his getting unbound running.
>>>
>>> systemctl status unbound
>>> ● unbound.service - Unbound DNS server
>>> Loaded: loaded (/usr/lib/systemd/system/unbound.service; enabled; preset: >
>>> Active: active (running) since Wed 2025-06-11 18:02:18 EDT; 26s ago
>>> Docs: man:unbound(8)
>>> Process: 5494 ExecStartPre=/usr/libexec/unbound-helper chroot_setup (code=e>
>>> Process: 5496 ExecStartPre=/usr/libexec/unbound-helper root_trust_anchor_up>
>>> Main PID: 5499 (unbound)
>>> Tasks: 1 (limit: 928)
>>> Memory: 8.2M (peak: 8.6M)
>>> CPU: 89ms
>>> CGroup: /system.slice/unbound.service
>>> └─5499 /usr/sbin/unbound -d -p
>>>
>>> netstat -tulpn
>>> Active Internet connections (only servers)
>>> Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
>>> tcp 0 0 0.0.0.0:53 0.0.0.0:* LISTEN 5499/unbound
>>> tcp6 0 0 :::7456 :::* LISTEN 1/init
>>> udp 0 0 0.0.0.0:53 0.0.0.0:* 5499/unbound
>>>
>>>
>>> And setting firewall rules:
>>>
>>> Status: active
>>>
>>> To Action From
>>> -- ------ ----
>>> 7456 ALLOW Anywhere
>>> 53 ALLOW 23.123.122.144/28
>>> 53 ALLOW 192.168.0.0/24
>>> 7456 (v6) ALLOW Anywhere (v6)
>>>
>>> Now I am up to resolv.conf.
>>>
>>> I thought to be smart and set nameserver 127.0.0.1 in my netplan. Easy,
>>> as I am on a fixed plan
>>>
>>> But
>>>
>>> cat /etc/resolv.conf
>>> # This is /run/systemd/resolve/stub-resolv.conf managed by man:systemd-resolved(8).
>>> # Do not edit.
>>> #
>>> # This file might be symlinked as /etc/resolv.conf. If you're looking at
>>> # /etc/resolv.conf and seeing this text, you have followed the symlink.
>>> #
>>> # This is a dynamic resolv.conf file for connecting local clients to the
>>> # internal DNS stub resolver of systemd-resolved. This file lists all
>>> # configured search domains.
>>> #
>>> # Run "resolvectl status" to see details about the uplink DNS servers
>>> # currently in use.
>>> #
>>> # Third party programs should typically not access this file directly, but only
>>> # through the symlink at /etc/resolv.conf. To manage man:resolv.conf(5) in a
>>> # different way, replace this symlink by a static file or a different symlink.
>>> #
>>> # See man:systemd-resolved.service(8) for details about the supported modes of
>>> # operation for /etc/resolv.conf.
>>>
>>> nameserver 127.0.0.53
>>> options edns0 trust-ad
>>> search htt-consult.com
>>>
>>> not 127.0.0.1
>>>
>>> So then I set my netplan back to the regular nameservers and
>>> tried to
>>> follow his instructions to
>>>
>>> systemctl restart unbound-resolvconf.service
>>>
>>> But this fails. I am supposed to
>>>
>>> apt install openresolv
>>>
>>> But this has been pulled as of Ubuntu 23.
>>>
>>> So how do I finish up this unbound setup?
>>>
>>> I tried nslookup on my server. It times out. From my "allowed"
>>> local
>>> addresses I tried:
>>>
>>> dig @onlo.htt-consult.com A medon.htt-consult.com
>>> ;; communications error to 23.123.122.146#53: timed out
>>> ;; communications error to 23.123.122.146#53: timed out
>>> ;; communications error to 23.123.122.146#53: timed out
>>>
>>> ; <<>> DiG 9.18.33 <<>> @onlo.htt-consult.com A medon.htt-consult.com
>>> ; (1 server found)
>>> ;; global options: +cmd
>>> ;; no servers could be reached
>>>
>>> thank you for your help.
>>>
>>>
>>>
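Added example, not part of the thread: the root cause above is a prefix mismatch between the two allow-lists. unbound's access-control admits 192.168.128.0/17, 192.168.64.0/21 and 192.168.96.0/21, but the ufw rules tried first used 192.168.0.0/24 and then 192.168.0.0/20 (192.168.0.0 to 192.168.15.255), neither of which contains those networks, so ufw dropped the client's packets before unbound ever saw them, and dig timed out rather than getting a REFUSED answer. 192.168.0.0/16 covers all of them. The script below, written for this page with Python's standard ipaddress module, checks that every network unbound allows is inside some ufw source network, reports which ones are not, and shows what a given client would see. The client address 192.168.130.5 and the address 192.168.20.9 are constructed test values; the prefixes are the ones posted in the thread.

```python
import ipaddress

# Prefixes copied from the unbound.conf posted in the thread
# (127.0.0.1/24 is reproduced as posted, host bits and all).
UNBOUND_ACCESS_CONTROL = [
    "23.123.122.144/28",
    "192.168.128.0/17",
    "192.168.64.0/21",
    "192.168.96.0/21",
    "127.0.0.1/24",
]

# Source networks of the "ufw allow in from <net> to any port 53" rules
# tried in the thread, in the order they were tried.
UFW_ATTEMPTS = {
    "/24": ["23.123.122.144/28", "192.168.0.0/24"],
    "/20": ["23.123.122.144/28", "192.168.0.0/20"],
    "/16": ["23.123.122.144/28", "192.168.0.0/16"],
}


def canonical(prefix):
    """Parse a CIDR prefix leniently and report whether host bits were set.

    Returns (network, had_host_bits). "127.0.0.1/24" parses to 127.0.0.0/24
    with had_host_bits=True; such entries deserve a second look, because the
    network actually matched may not be the one the author had in mind.
    """
    net = ipaddress.ip_network(prefix, strict=False)
    return net, str(net) != prefix


def uncovered(allowed, firewall):
    """Return the allowed prefixes (canonicalised) that no firewall rule fully covers.

    Loopback prefixes are skipped: ufw's default before-rules accept traffic
    arriving on the lo interface, so they need no explicit "allow in from" rule.
    """
    fw = [ipaddress.ip_network(p, strict=False) for p in firewall]
    missing = []
    for p in allowed:
        net, _ = canonical(p)
        if net.is_loopback:
            continue
        # subnet_of() raises on mixed IP versions, so compare like with like
        same_version = [f for f in fw if f.version == net.version]
        if not any(net.subnet_of(f) for f in same_version):
            missing.append(str(net))
    return missing


def classify_client(addr, allowed, firewall):
    """Describe what a client at `addr` would see from this server.

    Order matters: ufw evaluates the packet before unbound reads it, so a
    firewall mismatch shows up as a dig timeout, whereas an access-control
    miss gets an immediate REFUSED under unbound's default refuse action.
    """
    ip = ipaddress.ip_address(addr)
    fw = [ipaddress.ip_network(p, strict=False) for p in firewall]
    acl = [ipaddress.ip_network(p, strict=False) for p in allowed]
    if not any(ip in f for f in fw):
        return "dropped by firewall (dig times out)"
    if not any(ip in a for a in acl):
        return "refused by unbound access-control (dig gets REFUSED)"
    return "answered"


if __name__ == "__main__":
    for label, rules in UFW_ATTEMPTS.items():
        print(f"ufw {label}: not covered -> {uncovered(UNBOUND_ACCESS_CONTROL, rules)}")
    # Constructed client address inside 192.168.128.0/17
    client = "192.168.130.5"
    for label, rules in UFW_ATTEMPTS.items():
        print(f"{client} with ufw {label}: "
              f"{classify_client(client, UNBOUND_ACCESS_CONTROL, rules)}")
    net, odd = canonical("127.0.0.1/24")
    print(f"127.0.0.1/24 -> {net} (host bits set: {odd})")
```

Run it as-is to see the /24 and /20 attempts each leave three of the allowed networks outside the firewall while /16 leaves none; the same function is a cheap pre-check to run whenever either allow-list is edited, since the two must agree for a client to be answered at all.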