Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Kubernetes: Can not reach upstream, doesn't report a reason #1123

Open
IngwiePhoenix opened this issue Aug 16, 2024 · 9 comments
Open

Kubernetes: Can not reach upstream, doesn't report a reason #1123

IngwiePhoenix opened this issue Aug 16, 2024 · 9 comments

Comments

@IngwiePhoenix
Copy link

Describe the bug
I wanted to deploy Unbound into my Kubernetes cluster in order to host a local network DNS server with a few predefined records that I could take advantage of between my home network and it's VPN. However, whenever I run a query, it doesn't give me any particular information as to why it can not reach an upstream - did the TLS handshake fail or could it not establish an outbound UDP connection or something else perhaps?

This is basically what I see across all configured upstreams:

...
[1723780424] unbound[1:0] debug: iterator[module 1] operate: extstate:module_wait_reply event:module_event_noreply
[1723780424] unbound[1:0] info: iterator operate: query video.birb.it. A IN
[1723780424] unbound[1:0] info: processQueryTargets: video.birb.it. A IN
[1723780424] unbound[1:0] info: sending query: video.birb.it. A IN
[1723780424] unbound[1:0] debug: sending to target: <.> 1.0.0.1#853
[1723780424] unbound[1:0] debug: cache memory msg=33056 rrset=33056 infra=4884 val=33216
[1723780430] unbound[1:0] debug: iterator[module 1] operate: extstate:module_wait_reply event:module_event_noreply
[1723780430] unbound[1:0] info: iterator operate: query video.birb.it. A IN
[1723780430] unbound[1:0] info: processQueryTargets: video.birb.it. A IN
[1723780430] unbound[1:0] info: sending query: video.birb.it. A IN
[1723780430] unbound[1:0] debug: sending to target: <.> 1.1.1.1#853
[1723780430] unbound[1:0] debug: cache memory msg=33056 rrset=33056 infra=4884 val=33216
...

To reproduce
You could use the kind tool in order to test this. Podman Desktop also has this option.
Once you have a cluster, deploy the following:

apiVersion: v1
kind: Namespace
metadata:
  name: unbound
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: unbound-config
  namespace: unbound
data:
  unbound.conf: |
    server:
      verbosity: 3
      use-syslog: no
      logfile: ""
      interface: 0.0.0.0
      port: 5353
      do-ip6: yes
      access-control: 192.168.1.0/24 allow
      access-control: 100.64.0.0/24 allow
      access-control: 0.0.0.0/0 refuse
      do-not-query-localhost: yes
      private-domain: "birb.it"
      local-zone: "birb.it." transparent
      local-data-ptr: "192.168.1.3 birb.it"
      local-data-ptr: "100.64.0.2 birb.it"
      access-control-view: 192.168.1.0/24 local-network
      access-control-view: 100.64.0.0/24 overlay-network

    forward-zone:
      name: "."
      forward-first: no
      forward-addr: 1.1.1.1@853#cloudflare-dns.com
      forward-addr: 1.0.0.1@853#cloudflare-dns.com
      forward-addr: 2606:4700:4700::1111@853#cloudflare-dns.com
      forward-addr: 2606:4700:4700::1001@853#cloudflare-dns.com

    view:
    name: "local-network"
    local-zone: "birb.it." transparent
    #access-control: "192.168.1.0/24" allow
    local-data: "*.birb.it. IN A 192.168.1.3"
    #access-control: 100.64.0.0/24 deny

    view:
    name: "overlay-network"
    local-zone: "birb.it." transparent
    #access-control: 100.64.0.0/24 allow
    local-data: "*.birb.it. IN A 100.64.0.2"
    #access-control: 192.168.1.0/24 deny
---
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: unbound-app
  namespace: unbound
spec:
  selector:
    matchLabels:
      app: unbound
  template:
    metadata:
      labels:
        app: unbound
    spec:
      tolerations:
        # these tolerations are to have the daemonset runnable on control plane nodes
        # remove them if your control plane nodes should not run pods
        - key: node-role.kubernetes.io/control-plane
          operator: Exists
          effect: NoSchedule
        - key: node-role.kubernetes.io/master
          operator: Exists
          effect: NoSchedule
      hostNetwork: true
      containers:
      - name: unbound
        image: mvance/unbound-rpi:latest
        securityContext:
            privileged: true
        volumeMounts:
        - name: config-volume
          mountPath: /opt/unbound/etc/unbound/unbound.conf
          subPath: unbound.conf
      volumes:
      - name: config-volume
        configMap:
          name: unbound-config

If you are on an x86_64 platform, remove the -rpi suffix from the image:. Further, you may need to adjust the local network CIDR (192.168.1.0/24).
After deploying, attempt to resolve video.birb.it.
You should now see the output stating that an upstream connection failed - but with no further information.

Expected behavior
The expected value is the network local address as devined in the local-network view.

System:

# kubectl exec -it -n unbound daemonset/unbound-app -- unbound -V
Version 1.19.2

Configure line: --disable-dependency-tracking --prefix=/opt/unbound --with-pthreads --with-username=_unbound --with-ssl=/opt/openssl --with-libevent --with-libnghttp2 --enable-tfo-server --enable-tfo-client --enable-event-api
Linked libs: libevent 2.1.12-stable (it uses epoll), OpenSSL 3.2.1 30 Jan 2024
Linked modules: dns64 respip validator iterator
TCP Fastopen feature available

BSD licensed, see LICENSE in source package for details.
Report bugs to [email protected] or https://github.com/NLnetLabs/unbound/issues

Additional information
None that come to mind, sorry.

@wcawijngaards
Copy link
Member

Perhaps with verbosity higher, like 4 and 5, it would log more details on the connection, eg. it looks like the connection times out. So much about the upstream connection, the issue is that there is no answer from the local zones. The config has a wildcard in it, but local zones are not implemented to deal with wildcards, I mean, with the 'local-data' statement it does not do wildcards. There are several other ways to get wildcard processing though.

The simplest may be to change the config to:

    local-zone: "birb.it." redirect
    local-data: "birb.it. IN A 192.168.1.3"

This serves the 'A' record for all names under the birb.it zone, and that would work like the *.birb.it notation seems to suggest. The wildcards actually work differently from regular expressions in DNS. The redirect feature is not that wildcard processing, it answers for all subdomains with the data from the domain, and also for the domain itself. And then for the overlay network the config would be

    local-zone: "birb.it." redirect
    local-data: "birb.it. IN A 100.64.0.2"

It is also possible to get a solution using authority zones, the auth-zone config for a zone, then the data for birb.it would have to be in a zonefile, and the auth zone receives wildcard processing, for the *.birb.it element. That would perform, DNS wildcard processing, for the wildcard for that name. I think the result is likely similar to the redirect local zone. In addition an RPZ zone can be used to superimpose answers. Both of these are not view specific, but the local zone redirect is view specific.

@submonic
Copy link

also mvance image, have problem too. try else may madnuttah/unbound work?

@Aura67
Copy link

Aura67 commented Aug 16, 2024

his unbound should work, it's the same unbound as from this repo, from the repo where you got it, there are just older versions, you can just as well compile it from here from the direct source and you'll be more up to date.

@IngwiePhoenix
Copy link
Author

Perhaps with verbosity higher, like 4 and 5,

That one's on me and my sleepy brain forgetting five minutes later that it can go much higher than three. No idea why I forgot that... Will retry, maybe it'll show me something.

The config has a wildcard in it, but local zones are not implemented to deal with wildcards,

They are not? Oh. I had just wanted to map everything to that host. The actual birb.it host is my Headscale host, so I need it to retain it's actual IP - the subdomains, however, should point to my host at home. I'll explain what I tried to do in a bit.


Basically, I configured myself a cheap man's Cloudflare Tunnel. My VPS runs Caddy which reverse proxies requests down to the services at home - but selectively. Here is a snippet to illustrate:

*.birb.it {
  import cloudflare_dns
  respond "...o.o..."
}

video.birb.it {
  reverse_proxy * http://100.64.0.11:8096
}

This way, only services I explicitly want to reach from not-at-home would be reached. But in reality, I have way more services there - for instance, the Postgres Operator frontend (ps.birb.it) - but since it has no form of authorization, I wanted to make sure that I could only access it while at home, or while in the VPN - which is why the Unbound config was ment to span both. Headscale allows me to define a DNS server within the VPN that will be used - by doing that, I was hoping to resolve those services directly to my home maschine instead of going through the "public" one instead, which would obviously not allow this request to pass.

That is why I tried to implement a wildcard setup. However, I have no idea how to write plain zone files, so I attempted to cheat with a little bit of ChatGPT and reading the docs up and down and trying to figure something out. Since in CloudFlare's DNS settings I could just assign a wildcard domain, I was sure Unbound would let me do that too. Welp, it does not. x)

I'll see if I can make the suggested local-zone/local-data work though. Thank you for that suggestion!

As for the docker image, I just looked at Docker Hub for an arm64 version since I run on a set of RockChip RK3588 and my remote is an Ampere Altra (4 vCPU at Hetzner) - hence the usual amd64/x86_64 wouldn't work for me (though I could have configured binfmt/qemu but...thats a whole other can of worms right there).

@Aura67
Copy link

Aura67 commented Aug 16, 2024

In your unbound config, the forward upstream is as follows: forward-zone:
name: "."
forward-first: no
forward-addr: 1.1.1.1@853#cloudflare-dns.com
forward-addr: 1.0.0.1@853#cloudflare-dns.com
forward-addr: 2606:4700:4700::1111@853#cloudflare-dns.com
forward-addr: 2606:4700:4700::1001@853#cloudflare-dns.com
replace the upper part with mine and try it to see if you can get an SSL connection to claudflare:
forward-zone:
name: "."
forward-tls-upstream: yes
forward-first: no
forward-addr: 1.1.1.1@853#one.one.one.one
forward-addr: 1.0.0.1@853#one.one.one.one
forward-addr: 2606:4700:4700::1111@853#one.one.one.one
forward-addr: 2606:4700:4700::1001@853#one.one.one.one

@IngwiePhoenix
Copy link
Author

I did - and also increased verbosity. I haven't implement the other options yet.

Looooong log
kubectl logs -f -n unbound daemonsets/unbound-app
Found 2 pods, using pod/unbound-app-6n6kh
[1723851238] unbound[1:0] debug: creating udp4 socket 0.0.0.0 5353
[1723851238] unbound[1:0] debug: creating tcp4 socket 0.0.0.0 5353
[1723851238] unbound[1:0] debug: chdir to /opt/unbound/etc/unbound
[1723851238] unbound[1:0] debug: chroot to /opt/unbound/etc/unbound
[1723851238] unbound[1:0] debug: drop user privileges, run as _unbound
[1723851238] unbound[1:0] debug: switching log to stderr
[1723851238] unbound[1:0] debug: module config: "validator iterator"
[1723851238] unbound[1:0] notice: init module 0: validator
[1723851238] unbound[1:0] debug: validator nsec3cfg keysz 1024 mxiter 150
[1723851238] unbound[1:0] debug: validator nsec3cfg keysz 2048 mxiter 150
[1723851238] unbound[1:0] debug: validator nsec3cfg keysz 4096 mxiter 150
[1723851238] unbound[1:0] notice: init module 1: iterator
[1723851238] unbound[1:0] debug: target fetch policy for level 0 is 3
[1723851238] unbound[1:0] debug: target fetch policy for level 1 is 2
[1723851238] unbound[1:0] debug: target fetch policy for level 2 is 1
[1723851238] unbound[1:0] debug: target fetch policy for level 3 is 0
[1723851238] unbound[1:0] debug: target fetch policy for level 4 is 0
[1723851238] unbound[1:0] debug: donotq: 127.0.0.0/8
[1723851238] unbound[1:0] debug: donotq: ::1
[1723851238] unbound[1:0] debug: total of 59446 outgoing ports available
[1723851238] unbound[1:0] debug: start threads
[1723851238] unbound[1:0] debug: libevent 2.1.12-stable uses epoll method.
[1723851238] unbound[1:0] debug: Forward zone server list:
[1723851238] unbound[1:0] info: DelegationPoint<.>: 0 names (0 missing), 4 addrs (0 result, 4 avail) parentNS
[1723851238] unbound[1:0] debug:   [one.one.one.one] ip4 1.1.1.1 port 853 (len 16)
[1723851238] unbound[1:0] debug:   [one.one.one.one] ip4 1.0.0.1 port 853 (len 16)
[1723851238] unbound[1:0] debug:   [one.one.one.one] ip6 2606:4700:4700::1111 port 853 (len 28)
[1723851238] unbound[1:0] debug:   [one.one.one.one] ip6 2606:4700:4700::1001 port 853 (len 28)
[1723851238] unbound[1:0] debug: no config, using builtin root hints.
[1723851238] unbound[1:0] debug: cache memory msg=33056 rrset=33056 infra=3968 val=33216
[1723851238] unbound[1:0] info: start of service (unbound 1.19.2).
[1723851281] unbound[1:0] debug: udp request from ip4 192.168.1.3 port 57815 (len 16)
[1723851281] unbound[1:0] debug: mesh_run: start
[1723851281] unbound[1:0] debug: validator[module 0] operate: extstate:module_state_initial event:module_event_new
[1723851281] unbound[1:0] info: validator operate: query video.birb.it. A IN
[1723851281] unbound[1:0] debug: validator: pass to next module
[1723851281] unbound[1:0] debug: mesh_run: validator module exit state is module_wait_module
[1723851281] unbound[1:0] debug: iterator[module 1] operate: extstate:module_state_initial event:module_event_pass
[1723851281] unbound[1:0] debug: process_request: new external request event
[1723851281] unbound[1:0] debug: iter_handle processing q with state INIT REQUEST STATE
[1723851281] unbound[1:0] info: resolving video.birb.it. A IN
[1723851281] unbound[1:0] debug: request has dependency depth of 0
[1723851281] unbound[1:0] debug: forwarding request
[1723851281] unbound[1:0] debug: iter_handle processing q with state QUERY TARGETS STATE
[1723851281] unbound[1:0] info: processQueryTargets: video.birb.it. A IN
[1723851281] unbound[1:0] debug: processQueryTargets: targetqueries 0, currentqueries 0 sentcount 0
[1723851281] unbound[1:0] info: DelegationPoint<.>: 0 names (0 missing), 4 addrs (0 result, 4 avail) parentNS
[1723851281] unbound[1:0] debug:   [one.one.one.one] ip6 2606:4700:4700::1001 port 853 (len 28)
[1723851281] unbound[1:0] debug:   [one.one.one.one] ip6 2606:4700:4700::1111 port 853 (len 28)
[1723851281] unbound[1:0] debug:   [one.one.one.one] ip4 1.0.0.1 port 853 (len 16)
[1723851281] unbound[1:0] debug:   [one.one.one.one] ip4 1.1.1.1 port 853 (len 16)
[1723851281] unbound[1:0] debug: attempt to get extra 3 targets
[1723851281] unbound[1:0] debug: rpz: iterator module callback: have_rpz=0
[1723851281] unbound[1:0] debug: selrtt 376
[1723851281] unbound[1:0] info: sending query: video.birb.it. A IN
[1723851281] unbound[1:0] debug: sending to target: <.> 1.1.1.1#853
[1723851281] unbound[1:0] debug: dnssec status: not expected
[1723851281] unbound[1:0] debug: mesh_run: iterator module exit state is module_wait_reply
[1723851281] unbound[1:0] info: mesh_run: end 1 recursion states (1 with reply, 0 detached), 1 waiting replies, 0 recursion replies sent, 0 replies dropped, 0 states jostled out
[1723851281] unbound[1:0] info: 0RDd mod1 rep video.birb.it. A IN
[1723851281] unbound[1:0] debug: cache memory msg=33056 rrset=33056 infra=3968 val=33216
[1723851281] unbound[1:0] debug: serviced send timer
[1723851281] unbound[1:0] debug: pending_tcp_query
[1723851281] unbound[1:0] debug: reuse_tcp_find
[1723851281] unbound[1:0] debug: reuse_tcp_find: num reuse streams 0
[1723851281] unbound[1:0] debug: pending_tcp_query: new fd, connect
[1723851281] unbound[1:0] debug: the query is using TLS encryption, for one.one.one.one
[1723851281] unbound[1:0] debug: reuse_tcp_insert 1.1.1.1#853 fd -1
[1723851281] unbound[1:0] debug: outnet_tcp_take_query_setup: setup packet to write len 128 timeout 3000 msec
[1723851281] unbound[1:0] debug: comm point start listening 10 (-1 msec)
[1723851281] unbound[1:0] debug: startlistening 10 mode rw
[1723851281] unbound[1:0] debug: comm point listen_for_rw 10 0
[1723851281] unbound[1:0] error: ssl handshake failed crypto error:0A000086:SSL routines::certificate verify failed
[1723851281] unbound[1:0] notice: ssl handshake failed ip4 1.1.1.1 port 853 (len 16)
[1723851281] unbound[1:0] debug: comm_point_close of 10: event_del
[1723851281] unbound[1:0] debug: close fd 10
[1723851281] unbound[1:0] debug: outnettcp cb
[1723851281] unbound[1:0] debug: outnettcp got tcp error -1
[1723851281] unbound[1:0] debug: reuse_move_writewait_away current video.birb.it. 0 bytes were written
[1723851281] unbound[1:0] debug: outnet_tcp_cb reuse after cb
[1723851281] unbound[1:0] debug: outnet_tcp_cb reuse after cb: decommission it
[1723851281] unbound[1:0] debug: decommission_pending_tcp
[1723851281] unbound[1:0] debug: reuse_tcp_remove_tree_list
[1723851281] unbound[1:0] debug: reuse_tcp_find
[1723851281] unbound[1:0] debug: reuse_tcp_find: num reuse streams 0
[1723851281] unbound[1:0] debug: the query is using TLS encryption, for one.one.one.one
[1723851281] unbound[1:0] debug: reuse_tcp_insert 1.1.1.1#853 fd -1
[1723851281] unbound[1:0] debug: outnet_tcp_take_query_setup: setup packet to write len 128 timeout 3000 msec
[1723851281] unbound[1:0] debug: comm point start listening 10 (-1 msec)
[1723851281] unbound[1:0] debug: startlistening 10 mode rw
[1723851281] unbound[1:0] debug: comm point listen_for_rw 10 0
[1723851281] unbound[1:0] error: ssl handshake failed crypto error:0A000086:SSL routines::certificate verify failed
[1723851281] unbound[1:0] notice: ssl handshake failed ip4 1.1.1.1 port 853 (len 16)
[1723851281] unbound[1:0] debug: comm_point_close of 10: event_del
[1723851281] unbound[1:0] debug: close fd 10
[1723851281] unbound[1:0] debug: outnettcp cb
[1723851281] unbound[1:0] debug: outnettcp got tcp error -1
[1723851281] unbound[1:0] debug: outnet_tcp_cb reuse after cb
[1723851281] unbound[1:0] debug: outnet_tcp_cb reuse after cb: decommission it
[1723851281] unbound[1:0] debug: decommission_pending_tcp
[1723851281] unbound[1:0] debug: reuse_tcp_remove_tree_list
[1723851281] unbound[1:0] debug: tcp error for address ip4 1.1.1.1 port 853 (len 16)
[1723851281] unbound[1:0] debug: svcd callbacks start
[1723851281] unbound[1:0] debug: worker svcd callback for qstate 0x151e7a0
[1723851281] unbound[1:0] debug: mesh_run: start
[1723851281] unbound[1:0] debug: iterator[module 1] operate: extstate:module_wait_reply event:module_event_noreply
[1723851281] unbound[1:0] info: iterator operate: query video.birb.it. A IN
[1723851281] unbound[1:0] debug: process_response: new external response event
[1723851281] unbound[1:0] debug: iter_handle processing q with state QUERY RESPONSE STATE
[1723851281] unbound[1:0] debug: query response was timeout
[1723851281] unbound[1:0] debug: iter_handle processing q with state QUERY TARGETS STATE
[1723851281] unbound[1:0] info: processQueryTargets: video.birb.it. A IN
[1723851281] unbound[1:0] debug: processQueryTargets: targetqueries 0, currentqueries 0 sentcount 1
[1723851281] unbound[1:0] info: DelegationPoint<.>: 0 names (0 missing), 4 addrs (4 result, 0 avail) parentNS
[1723851281] unbound[1:0] debug:   [one.one.one.one] ip6 2606:4700:4700::1001 port 853 (len 28)
[1723851281] unbound[1:0] debug:   [one.one.one.one] ip6 2606:4700:4700::1111 port 853 (len 28)
[1723851281] unbound[1:0] debug:   [one.one.one.one] ip4 1.0.0.1 port 853 (len 16)
[1723851281] unbound[1:0] debug:   [one.one.one.one] ip4 1.1.1.1 port 853 (len 16)
[1723851281] unbound[1:0] debug: attempt to get extra 3 targets
[1723851281] unbound[1:0] debug: rpz: iterator module callback: have_rpz=0
[1723851281] unbound[1:0] debug: servselect ip4 1.1.1.1 port 853 (len 16)
[1723851281] unbound[1:0] debug:    rtt=752
[1723851281] unbound[1:0] debug: selrtt 376
[1723851281] unbound[1:0] info: sending query: video.birb.it. A IN
[1723851281] unbound[1:0] debug: sending to target: <.> 2606:4700:4700::1111#853
[1723851281] unbound[1:0] debug: dnssec status: not expected
[1723851281] unbound[1:0] debug: mesh_run: iterator module exit state is module_wait_reply
[1723851281] unbound[1:0] info: mesh_run: end 1 recursion states (1 with reply, 0 detached), 1 waiting replies, 0 recursion replies sent, 0 replies dropped, 0 states jostled out
[1723851281] unbound[1:0] info: 0RDd mod1 rep video.birb.it. A IN
[1723851281] unbound[1:0] debug: cache memory msg=33056 rrset=33056 infra=4197 val=33216
[1723851281] unbound[1:0] debug: svcd callbacks end
[1723851281] unbound[1:0] debug: serviced_delete
[1723851281] unbound[1:0] debug: serviced send timer
[1723851281] unbound[1:0] debug: pending_tcp_query
[1723851281] unbound[1:0] debug: reuse_tcp_find
[1723851281] unbound[1:0] debug: reuse_tcp_find: num reuse streams 0
[1723851281] unbound[1:0] debug: pending_tcp_query: new fd, connect
[1723851281] unbound[1:0] debug: the query is using TLS encryption, for one.one.one.one
[1723851281] unbound[1:0] debug: reuse_tcp_insert 2606:4700:4700::1111#853 fd -1
[1723851281] unbound[1:0] debug: outnet_tcp_take_query_setup: setup packet to write len 128 timeout 3000 msec
[1723851281] unbound[1:0] debug: comm point start listening 10 (-1 msec)
[1723851281] unbound[1:0] debug: startlistening 10 mode rw
[1723851284] unbound[1:0] debug: outnet_tcptimer
[1723851284] unbound[1:0] debug: decommission_pending_tcp
[1723851284] unbound[1:0] debug: reuse_tcp_remove_tree_list
[1723851284] unbound[1:0] debug: comm_point_close of 10: event_del
[1723851284] unbound[1:0] debug: close fd 10
[1723851284] unbound[1:0] debug: tcp error for address ip6 2606:4700:4700::1111 port 853 (len 28)
[1723851284] unbound[1:0] debug: svcd callbacks start
[1723851284] unbound[1:0] debug: worker svcd callback for qstate 0x151e7a0
[1723851284] unbound[1:0] debug: mesh_run: start
[1723851284] unbound[1:0] debug: iterator[module 1] operate: extstate:module_wait_reply event:module_event_noreply
[1723851284] unbound[1:0] info: iterator operate: query video.birb.it. A IN
[1723851284] unbound[1:0] debug: process_response: new external response event
[1723851284] unbound[1:0] debug: iter_handle processing q with state QUERY RESPONSE STATE
[1723851284] unbound[1:0] debug: query response was timeout
[1723851284] unbound[1:0] debug: iter_handle processing q with state QUERY TARGETS STATE
[1723851284] unbound[1:0] info: processQueryTargets: video.birb.it. A IN
[1723851284] unbound[1:0] debug: processQueryTargets: targetqueries 0, currentqueries 0 sentcount 2
[1723851284] unbound[1:0] info: DelegationPoint<.>: 0 names (0 missing), 4 addrs (4 result, 0 avail) parentNS
[1723851284] unbound[1:0] debug:   [one.one.one.one] ip6 2606:4700:4700::1001 port 853 (len 28)
[1723851284] unbound[1:0] debug:   [one.one.one.one] ip6 2606:4700:4700::1111 port 853 (len 28)
[1723851284] unbound[1:0] debug:   [one.one.one.one] ip4 1.0.0.1 port 853 (len 16)
[1723851284] unbound[1:0] debug:   [one.one.one.one] ip4 1.1.1.1 port 853 (len 16)
[1723851284] unbound[1:0] debug: attempt to get extra 3 targets
[1723851284] unbound[1:0] debug: rpz: iterator module callback: have_rpz=0
[1723851284] unbound[1:0] debug: servselect ip4 1.1.1.1 port 853 (len 16)
[1723851284] unbound[1:0] debug:    rtt=752
[1723851284] unbound[1:0] debug: servselect ip6 2606:4700:4700::1111 port 853 (len 28)
[1723851284] unbound[1:0] debug:    rtt=752
[1723851284] unbound[1:0] debug: selrtt 376
[1723851284] unbound[1:0] info: sending query: video.birb.it. A IN
[1723851284] unbound[1:0] debug: sending to target: <.> 1.0.0.1#853
[1723851284] unbound[1:0] debug: dnssec status: not expected
[1723851284] unbound[1:0] debug: mesh_run: iterator module exit state is module_wait_reply
[1723851284] unbound[1:0] info: mesh_run: end 1 recursion states (1 with reply, 0 detached), 1 waiting replies, 0 recursion replies sent, 0 replies dropped, 0 states jostled out
[1723851284] unbound[1:0] info: 0RDd mod1 rep video.birb.it. A IN
[1723851284] unbound[1:0] debug: cache memory msg=33056 rrset=33056 infra=4426 val=33216
[1723851284] unbound[1:0] debug: svcd callbacks end
[1723851284] unbound[1:0] debug: serviced_delete
[1723851284] unbound[1:0] debug: serviced send timer
[1723851284] unbound[1:0] debug: pending_tcp_query
[1723851284] unbound[1:0] debug: reuse_tcp_find
[1723851284] unbound[1:0] debug: reuse_tcp_find: num reuse streams 0
[1723851284] unbound[1:0] debug: pending_tcp_query: new fd, connect
[1723851284] unbound[1:0] debug: the query is using TLS encryption, for one.one.one.one
[1723851284] unbound[1:0] debug: reuse_tcp_insert 1.0.0.1#853 fd -1
[1723851284] unbound[1:0] debug: outnet_tcp_take_query_setup: setup packet to write len 128 timeout 3000 msec
[1723851284] unbound[1:0] debug: comm point start listening 10 (-1 msec)
[1723851284] unbound[1:0] debug: startlistening 10 mode rw
[1723851284] unbound[1:0] debug: comm point listen_for_rw 10 0
[1723851284] unbound[1:0] error: ssl handshake failed crypto error:0A000086:SSL routines::certificate verify failed
[1723851284] unbound[1:0] notice: ssl handshake failed ip4 1.0.0.1 port 853 (len 16)
[1723851284] unbound[1:0] debug: comm_point_close of 10: event_del
[1723851284] unbound[1:0] debug: close fd 10
[1723851284] unbound[1:0] debug: outnettcp cb
[1723851284] unbound[1:0] debug: outnettcp got tcp error -1
[1723851284] unbound[1:0] debug: reuse_move_writewait_away current video.birb.it. 0 bytes were written
[1723851284] unbound[1:0] debug: outnet_tcp_cb reuse after cb
[1723851284] unbound[1:0] debug: outnet_tcp_cb reuse after cb: decommission it
[1723851284] unbound[1:0] debug: decommission_pending_tcp
[1723851284] unbound[1:0] debug: reuse_tcp_remove_tree_list
[1723851284] unbound[1:0] debug: reuse_tcp_find
[1723851284] unbound[1:0] debug: reuse_tcp_find: num reuse streams 0
[1723851284] unbound[1:0] debug: the query is using TLS encryption, for one.one.one.one
[1723851284] unbound[1:0] debug: reuse_tcp_insert 1.0.0.1#853 fd -1
[1723851284] unbound[1:0] debug: outnet_tcp_take_query_setup: setup packet to write len 128 timeout 3000 msec
[1723851284] unbound[1:0] debug: comm point start listening 10 (-1 msec)
[1723851284] unbound[1:0] debug: startlistening 10 mode rw
[1723851284] unbound[1:0] debug: comm point listen_for_rw 10 0
[1723851284] unbound[1:0] error: ssl handshake failed crypto error:0A000086:SSL routines::certificate verify failed
[1723851284] unbound[1:0] notice: ssl handshake failed ip4 1.0.0.1 port 853 (len 16)
[1723851284] unbound[1:0] debug: comm_point_close of 10: event_del
[1723851284] unbound[1:0] debug: close fd 10
[1723851284] unbound[1:0] debug: outnettcp cb
[1723851284] unbound[1:0] debug: outnettcp got tcp error -1
[1723851284] unbound[1:0] debug: outnet_tcp_cb reuse after cb
[1723851284] unbound[1:0] debug: outnet_tcp_cb reuse after cb: decommission it
[1723851284] unbound[1:0] debug: decommission_pending_tcp
[1723851284] unbound[1:0] debug: reuse_tcp_remove_tree_list
[1723851284] unbound[1:0] debug: tcp error for address ip4 1.0.0.1 port 853 (len 16)
[1723851284] unbound[1:0] debug: svcd callbacks start
[1723851284] unbound[1:0] debug: worker svcd callback for qstate 0x151e7a0
[1723851284] unbound[1:0] debug: mesh_run: start
[1723851284] unbound[1:0] debug: iterator[module 1] operate: extstate:module_wait_reply event:module_event_noreply
[1723851284] unbound[1:0] info: iterator operate: query video.birb.it. A IN
[1723851284] unbound[1:0] debug: process_response: new external response event
[1723851284] unbound[1:0] debug: iter_handle processing q with state QUERY RESPONSE STATE
[1723851284] unbound[1:0] debug: query response was timeout
[1723851284] unbound[1:0] debug: iter_handle processing q with state QUERY TARGETS STATE
[1723851284] unbound[1:0] info: processQueryTargets: video.birb.it. A IN
[1723851284] unbound[1:0] debug: processQueryTargets: targetqueries 0, currentqueries 0 sentcount 3
[1723851284] unbound[1:0] info: DelegationPoint<.>: 0 names (0 missing), 4 addrs (4 result, 0 avail) parentNS
[1723851284] unbound[1:0] debug:   [one.one.one.one] ip6 2606:4700:4700::1001 port 853 (len 28)
[1723851284] unbound[1:0] debug:   [one.one.one.one] ip6 2606:4700:4700::1111 port 853 (len 28)
[1723851284] unbound[1:0] debug:   [one.one.one.one] ip4 1.0.0.1 port 853 (len 16)
[1723851284] unbound[1:0] debug:   [one.one.one.one] ip4 1.1.1.1 port 853 (len 16)
[1723851284] unbound[1:0] debug: rpz: iterator module callback: have_rpz=0
[1723851284] unbound[1:0] debug: servselect ip6 2606:4700:4700::1111 port 853 (len 28)
[1723851284] unbound[1:0] debug:    rtt=752
[1723851284] unbound[1:0] debug: servselect ip4 1.0.0.1 port 853 (len 16)
[1723851284] unbound[1:0] debug:    rtt=752
[1723851284] unbound[1:0] debug: servselect ip4 1.1.1.1 port 853 (len 16)
[1723851284] unbound[1:0] debug:    rtt=752
[1723851284] unbound[1:0] debug: selrtt 376
[1723851284] unbound[1:0] info: sending query: video.birb.it. A IN
[1723851284] unbound[1:0] debug: sending to target: <.> 1.0.0.1#853
[1723851284] unbound[1:0] debug: dnssec status: not expected
[1723851284] unbound[1:0] debug: mesh_run: iterator module exit state is module_wait_reply
[1723851284] unbound[1:0] info: mesh_run: end 1 recursion states (1 with reply, 0 detached), 1 waiting replies, 0 recursion replies sent, 0 replies dropped, 0 states jostled out
[1723851284] unbound[1:0] info: 0RDd mod1 rep video.birb.it. A IN
[1723851284] unbound[1:0] debug: cache memory msg=33056 rrset=33056 infra=4655 val=33216
[1723851284] unbound[1:0] debug: svcd callbacks end
[1723851284] unbound[1:0] debug: serviced_delete
[1723851284] unbound[1:0] debug: serviced send timer
[1723851284] unbound[1:0] debug: pending_tcp_query
[1723851284] unbound[1:0] debug: reuse_tcp_find
[1723851284] unbound[1:0] debug: reuse_tcp_find: num reuse streams 0
[1723851284] unbound[1:0] debug: pending_tcp_query: new fd, connect
[1723851284] unbound[1:0] debug: the query is using TLS encryption, for one.one.one.one
[1723851284] unbound[1:0] debug: reuse_tcp_insert 1.0.0.1#853 fd -1
[1723851284] unbound[1:0] debug: outnet_tcp_take_query_setup: setup packet to write len 128 timeout 3000 msec
[1723851284] unbound[1:0] debug: comm point start listening 10 (-1 msec)
[1723851284] unbound[1:0] debug: startlistening 10 mode rw
[1723851284] unbound[1:0] debug: comm point listen_for_rw 10 0
[1723851284] unbound[1:0] error: ssl handshake failed crypto error:0A000086:SSL routines::certificate verify failed
[1723851284] unbound[1:0] notice: ssl handshake failed ip4 1.0.0.1 port 853 (len 16)
[1723851284] unbound[1:0] debug: comm_point_close of 10: event_del
[1723851284] unbound[1:0] debug: close fd 10
[1723851284] unbound[1:0] debug: outnettcp cb
[1723851284] unbound[1:0] debug: outnettcp got tcp error -1
[1723851284] unbound[1:0] debug: reuse_move_writewait_away current video.birb.it. 0 bytes were written
[1723851284] unbound[1:0] debug: outnet_tcp_cb reuse after cb
[1723851284] unbound[1:0] debug: outnet_tcp_cb reuse after cb: decommission it
[1723851284] unbound[1:0] debug: decommission_pending_tcp
[1723851284] unbound[1:0] debug: reuse_tcp_remove_tree_list
[1723851284] unbound[1:0] debug: reuse_tcp_find
[1723851284] unbound[1:0] debug: reuse_tcp_find: num reuse streams 0
[1723851284] unbound[1:0] debug: the query is using TLS encryption, for one.one.one.one
[1723851284] unbound[1:0] debug: reuse_tcp_insert 1.0.0.1#853 fd -1
[1723851284] unbound[1:0] debug: outnet_tcp_take_query_setup: setup packet to write len 128 timeout 3000 msec
[1723851284] unbound[1:0] debug: comm point start listening 10 (-1 msec)
[1723851284] unbound[1:0] debug: startlistening 10 mode rw
[1723851284] unbound[1:0] debug: comm point listen_for_rw 10 0
[1723851284] unbound[1:0] error: ssl handshake failed crypto error:0A000086:SSL routines::certificate verify failed
[1723851284] unbound[1:0] notice: ssl handshake failed ip4 1.0.0.1 port 853 (len 16)
[1723851284] unbound[1:0] debug: comm_point_close of 10: event_del
[1723851284] unbound[1:0] debug: close fd 10
[1723851284] unbound[1:0] debug: outnettcp cb
[1723851284] unbound[1:0] debug: outnettcp got tcp error -1
[1723851284] unbound[1:0] debug: outnet_tcp_cb reuse after cb
[1723851284] unbound[1:0] debug: outnet_tcp_cb reuse after cb: decommission it
[1723851284] unbound[1:0] debug: decommission_pending_tcp
[1723851284] unbound[1:0] debug: reuse_tcp_remove_tree_list
[1723851284] unbound[1:0] debug: tcp error for address ip4 1.0.0.1 port 853 (len 16)
[1723851284] unbound[1:0] debug: svcd callbacks start
[1723851284] unbound[1:0] debug: worker svcd callback for qstate 0x151e7a0
[1723851284] unbound[1:0] debug: mesh_run: start
[1723851284] unbound[1:0] debug: iterator[module 1] operate: extstate:module_wait_reply event:module_event_noreply
[1723851284] unbound[1:0] info: iterator operate: query video.birb.it. A IN
[1723851284] unbound[1:0] debug: process_response: new external response event
[1723851284] unbound[1:0] debug: iter_handle processing q with state QUERY RESPONSE STATE
[1723851284] unbound[1:0] debug: query response was timeout
[1723851284] unbound[1:0] debug: iter_handle processing q with state QUERY TARGETS STATE
[1723851284] unbound[1:0] info: processQueryTargets: video.birb.it. A IN
[1723851284] unbound[1:0] debug: processQueryTargets: targetqueries 0, currentqueries 0 sentcount 4
[1723851284] unbound[1:0] info: DelegationPoint<.>: 0 names (0 missing), 4 addrs (4 result, 0 avail) parentNS
[1723851284] unbound[1:0] debug:   [one.one.one.one] ip6 2606:4700:4700::1001 port 853 (len 28)
[1723851284] unbound[1:0] debug:   [one.one.one.one] ip6 2606:4700:4700::1111 port 853 (len 28)
[1723851284] unbound[1:0] debug:   [one.one.one.one] ip4 1.0.0.1 port 853 (len 16)
[1723851284] unbound[1:0] debug:   [one.one.one.one] ip4 1.1.1.1 port 853 (len 16)
[1723851284] unbound[1:0] debug: rpz: iterator module callback: have_rpz=0
[1723851284] unbound[1:0] debug: servselect ip4 1.1.1.1 port 853 (len 16)
[1723851284] unbound[1:0] debug:    rtt=752
[1723851284] unbound[1:0] debug: servselect ip4 1.0.0.1 port 853 (len 16)
[1723851284] unbound[1:0] debug:    rtt=1504
[1723851284] unbound[1:0] debug: servselect ip6 2606:4700:4700::1111 port 853 (len 28)
[1723851284] unbound[1:0] debug:    rtt=752
[1723851284] unbound[1:0] debug: selrtt 376
[1723851284] unbound[1:0] info: sending query: video.birb.it. A IN
[1723851284] unbound[1:0] debug: sending to target: <.> 2606:4700:4700::1001#853
[1723851284] unbound[1:0] debug: dnssec status: not expected
[1723851284] unbound[1:0] debug: mesh_run: iterator module exit state is module_wait_reply
[1723851284] unbound[1:0] info: mesh_run: end 1 recursion states (1 with reply, 0 detached), 1 waiting replies, 0 recursion replies sent, 0 replies dropped, 0 states jostled out
[1723851284] unbound[1:0] info: 0RDd mod1 rep video.birb.it. A IN
[1723851284] unbound[1:0] debug: cache memory msg=33056 rrset=33056 infra=4655 val=33216
[1723851284] unbound[1:0] debug: svcd callbacks end
[1723851284] unbound[1:0] debug: serviced_delete
[1723851284] unbound[1:0] debug: serviced send timer
[1723851284] unbound[1:0] debug: pending_tcp_query
[1723851284] unbound[1:0] debug: reuse_tcp_find
[1723851284] unbound[1:0] debug: reuse_tcp_find: num reuse streams 0
[1723851284] unbound[1:0] debug: pending_tcp_query: new fd, connect
[1723851284] unbound[1:0] debug: the query is using TLS encryption, for one.one.one.one
[1723851284] unbound[1:0] debug: reuse_tcp_insert 2606:4700:4700::1001#853 fd -1
[1723851284] unbound[1:0] debug: outnet_tcp_take_query_setup: setup packet to write len 128 timeout 3000 msec
[1723851284] unbound[1:0] debug: comm point start listening 10 (-1 msec)
[1723851284] unbound[1:0] debug: startlistening 10 mode rw
[1723851286] unbound[1:0] debug: udp request from ip4 192.168.1.3 port 34951 (len 16)
[1723851286] unbound[1:0] debug: cache memory msg=33056 rrset=33056 infra=4884 val=33216
[1723851287] unbound[1:0] debug: outnet_tcptimer
[1723851287] unbound[1:0] debug: decommission_pending_tcp
[1723851287] unbound[1:0] debug: reuse_tcp_remove_tree_list
[1723851287] unbound[1:0] debug: comm_point_close of 10: event_del
[1723851287] unbound[1:0] debug: close fd 10
[1723851287] unbound[1:0] debug: tcp error for address ip6 2606:4700:4700::1001 port 853 (len 28)
[1723851287] unbound[1:0] debug: svcd callbacks start
[1723851287] unbound[1:0] debug: worker svcd callback for qstate 0x151e7a0
[1723851287] unbound[1:0] debug: mesh_run: start
[1723851287] unbound[1:0] debug: iterator[module 1] operate: extstate:module_wait_reply event:module_event_noreply
[1723851287] unbound[1:0] info: iterator operate: query video.birb.it. A IN
[1723851287] unbound[1:0] debug: process_response: new external response event
[1723851287] unbound[1:0] debug: iter_handle processing q with state QUERY RESPONSE STATE
[1723851287] unbound[1:0] debug: query response was timeout
[1723851287] unbound[1:0] debug: iter_handle processing q with state QUERY TARGETS STATE
[1723851287] unbound[1:0] info: processQueryTargets: video.birb.it. A IN
[1723851287] unbound[1:0] debug: processQueryTargets: targetqueries 0, currentqueries 0 sentcount 5
[1723851287] unbound[1:0] info: DelegationPoint<.>: 0 names (0 missing), 4 addrs (4 result, 0 avail) parentNS
[1723851287] unbound[1:0] debug:   [one.one.one.one] ip6 2606:4700:4700::1001 port 853 (len 28)
[1723851287] unbound[1:0] debug:   [one.one.one.one] ip6 2606:4700:4700::1111 port 853 (len 28)
[1723851287] unbound[1:0] debug:   [one.one.one.one] ip4 1.0.0.1 port 853 (len 16)
[1723851287] unbound[1:0] debug:   [one.one.one.one] ip4 1.1.1.1 port 853 (len 16)
[1723851287] unbound[1:0] debug: rpz: iterator module callback: have_rpz=0
[1723851287] unbound[1:0] debug: servselect ip6 2606:4700:4700::1001 port 853 (len 28)
[1723851287] unbound[1:0] debug:    rtt=752
[1723851287] unbound[1:0] debug: servselect ip6 2606:4700:4700::1111 port 853 (len 28)
[1723851287] unbound[1:0] debug:    rtt=752
[1723851287] unbound[1:0] debug: servselect ip4 1.1.1.1 port 853 (len 16)
[1723851287] unbound[1:0] debug:    rtt=752
[1723851287] unbound[1:0] debug: servselect ip4 1.0.0.1 port 853 (len 16)
[1723851287] unbound[1:0] debug:    rtt=1504
[1723851287] unbound[1:0] debug: selrtt 752
[1723851287] unbound[1:0] info: sending query: video.birb.it. A IN
[1723851287] unbound[1:0] debug: sending to target: <.> 1.1.1.1#853
[1723851287] unbound[1:0] debug: dnssec status: not expected
[1723851287] unbound[1:0] debug: mesh_run: iterator module exit state is module_wait_reply
[1723851287] unbound[1:0] info: mesh_run: end 1 recursion states (1 with reply, 0 detached), 2 waiting replies, 0 recursion replies sent, 0 replies dropped, 0 states jostled out
[1723851287] unbound[1:0] info: 0RDd mod1 rep video.birb.it. A IN
[1723851287] unbound[1:0] debug: cache memory msg=33056 rrset=33056 infra=4884 val=33216
[1723851287] unbound[1:0] debug: svcd callbacks end
[1723851287] unbound[1:0] debug: serviced_delete
[1723851287] unbound[1:0] debug: serviced send timer
[1723851287] unbound[1:0] debug: pending_tcp_query
[1723851287] unbound[1:0] debug: reuse_tcp_find
[1723851287] unbound[1:0] debug: reuse_tcp_find: num reuse streams 0
[1723851287] unbound[1:0] debug: pending_tcp_query: new fd, connect
[1723851287] unbound[1:0] debug: the query is using TLS encryption, for one.one.one.one
[1723851287] unbound[1:0] debug: reuse_tcp_insert 1.1.1.1#853 fd -1
[1723851287] unbound[1:0] debug: outnet_tcp_take_query_setup: setup packet to write len 128 timeout 3000 msec
[1723851287] unbound[1:0] debug: comm point start listening 10 (-1 msec)
[1723851287] unbound[1:0] debug: startlistening 10 mode rw
[1723851287] unbound[1:0] debug: comm point listen_for_rw 10 0
[1723851287] unbound[1:0] error: ssl handshake failed crypto error:0A000086:SSL routines::certificate verify failed
[1723851287] unbound[1:0] notice: ssl handshake failed ip4 1.1.1.1 port 853 (len 16)
[1723851287] unbound[1:0] debug: comm_point_close of 10: event_del
[1723851287] unbound[1:0] debug: close fd 10
[1723851287] unbound[1:0] debug: outnettcp cb
[1723851287] unbound[1:0] debug: outnettcp got tcp error -1
[1723851287] unbound[1:0] debug: reuse_move_writewait_away current video.birb.it. 0 bytes were written
[1723851287] unbound[1:0] debug: outnet_tcp_cb reuse after cb
[1723851287] unbound[1:0] debug: outnet_tcp_cb reuse after cb: decommission it
[1723851287] unbound[1:0] debug: decommission_pending_tcp
[1723851287] unbound[1:0] debug: reuse_tcp_remove_tree_list
[1723851287] unbound[1:0] debug: reuse_tcp_find
[1723851287] unbound[1:0] debug: reuse_tcp_find: num reuse streams 0
[1723851287] unbound[1:0] debug: the query is using TLS encryption, for one.one.one.one
[1723851287] unbound[1:0] debug: reuse_tcp_insert 1.1.1.1#853 fd -1
[1723851287] unbound[1:0] debug: outnet_tcp_take_query_setup: setup packet to write len 128 timeout 3000 msec
[1723851287] unbound[1:0] debug: comm point start listening 10 (-1 msec)
[1723851287] unbound[1:0] debug: startlistening 10 mode rw
[1723851287] unbound[1:0] debug: comm point listen_for_rw 10 0
[1723851287] unbound[1:0] error: ssl handshake failed crypto error:0A000086:SSL routines::certificate verify failed
[1723851287] unbound[1:0] notice: ssl handshake failed ip4 1.1.1.1 port 853 (len 16)
[1723851287] unbound[1:0] debug: comm_point_close of 10: event_del
[1723851287] unbound[1:0] debug: close fd 10
[1723851287] unbound[1:0] debug: outnettcp cb
[1723851287] unbound[1:0] debug: outnettcp got tcp error -1
[1723851287] unbound[1:0] debug: outnet_tcp_cb reuse after cb
[1723851287] unbound[1:0] debug: outnet_tcp_cb reuse after cb: decommission it
[1723851287] unbound[1:0] debug: decommission_pending_tcp
[1723851287] unbound[1:0] debug: reuse_tcp_remove_tree_list
[1723851287] unbound[1:0] debug: tcp error for address ip4 1.1.1.1 port 853 (len 16)
[1723851287] unbound[1:0] debug: svcd callbacks start
[1723851287] unbound[1:0] debug: worker svcd callback for qstate 0x151e7a0
[1723851287] unbound[1:0] debug: mesh_run: start
[1723851287] unbound[1:0] debug: iterator[module 1] operate: extstate:module_wait_reply event:module_event_noreply
[1723851287] unbound[1:0] info: iterator operate: query video.birb.it. A IN
[1723851287] unbound[1:0] debug: process_response: new external response event
[1723851287] unbound[1:0] debug: iter_handle processing q with state QUERY RESPONSE STATE
[1723851287] unbound[1:0] debug: query response was timeout
[1723851287] unbound[1:0] debug: iter_handle processing q with state QUERY TARGETS STATE
[1723851287] unbound[1:0] info: processQueryTargets: video.birb.it. A IN
[1723851287] unbound[1:0] debug: processQueryTargets: targetqueries 0, currentqueries 0 sentcount 6
[1723851287] unbound[1:0] info: DelegationPoint<.>: 0 names (0 missing), 4 addrs (4 result, 0 avail) parentNS
[1723851287] unbound[1:0] debug:   [one.one.one.one] ip6 2606:4700:4700::1001 port 853 (len 28)
[1723851287] unbound[1:0] debug:   [one.one.one.one] ip6 2606:4700:4700::1111 port 853 (len 28)
[1723851287] unbound[1:0] debug:   [one.one.one.one] ip4 1.0.0.1 port 853 (len 16)
[1723851287] unbound[1:0] debug:   [one.one.one.one] ip4 1.1.1.1 port 853 (len 16)
[1723851287] unbound[1:0] debug: rpz: iterator module callback: have_rpz=0
[1723851287] unbound[1:0] debug: servselect ip4 1.1.1.1 port 853 (len 16)
[1723851287] unbound[1:0] debug:    rtt=1504
[1723851287] unbound[1:0] debug: servselect ip6 2606:4700:4700::1111 port 853 (len 28)
[1723851287] unbound[1:0] debug:    rtt=752
[1723851287] unbound[1:0] debug: servselect ip6 2606:4700:4700::1001 port 853 (len 28)
[1723851287] unbound[1:0] debug:    rtt=752
[1723851287] unbound[1:0] debug: servselect ip4 1.0.0.1 port 853 (len 16)
[1723851287] unbound[1:0] debug:    rtt=1504
[1723851287] unbound[1:0] debug: selrtt 752
[1723851287] unbound[1:0] info: sending query: video.birb.it. A IN
[1723851287] unbound[1:0] debug: sending to target: <.> 2606:4700:4700::1001#853
[1723851287] unbound[1:0] debug: dnssec status: not expected
[1723851287] unbound[1:0] debug: mesh_run: iterator module exit state is module_wait_reply
[1723851287] unbound[1:0] info: mesh_run: end 1 recursion states (1 with reply, 0 detached), 2 waiting replies, 0 recursion replies sent, 0 replies dropped, 0 states jostled out
[1723851287] unbound[1:0] info: 0RDd mod1 rep video.birb.it. A IN
[1723851287] unbound[1:0] debug: cache memory msg=33056 rrset=33056 infra=4884 val=33216
[1723851287] unbound[1:0] debug: svcd callbacks end
[1723851287] unbound[1:0] debug: serviced_delete
[1723851287] unbound[1:0] debug: serviced send timer
[1723851287] unbound[1:0] debug: pending_tcp_query
[1723851287] unbound[1:0] debug: reuse_tcp_find
[1723851287] unbound[1:0] debug: reuse_tcp_find: num reuse streams 0
[1723851287] unbound[1:0] debug: pending_tcp_query: new fd, connect
[1723851287] unbound[1:0] debug: the query is using TLS encryption, for one.one.one.one
[1723851287] unbound[1:0] debug: reuse_tcp_insert 2606:4700:4700::1001#853 fd -1
[1723851287] unbound[1:0] debug: outnet_tcp_take_query_setup: setup packet to write len 128 timeout 3000 msec
[1723851287] unbound[1:0] debug: comm point start listening 10 (-1 msec)
[1723851287] unbound[1:0] debug: startlistening 10 mode rw

Config:

    server:
      verbosity: 5
      use-syslog: no
      logfile: ""
      interface: 0.0.0.0
      port: 5353
      do-ip6: yes
      access-control: 192.168.1.0/24 allow
      access-control: 100.64.0.0/24 allow
      access-control: 0.0.0.0/0 refuse
      do-not-query-localhost: yes
      private-domain: "birb.it"
      local-zone: "birb.it." transparent
      local-data-ptr: "192.168.1.3 birb.it"
      local-data-ptr: "100.64.0.2 birb.it"
      access-control-view: 192.168.1.0/24 local-network
      access-control-view: 100.64.0.0/24 overlay-network

    forward-zone:
      name: "."
      forward-tls-upstream: yes
      forward-first: no
      forward-addr: 1.1.1.1@853#one.one.one.one
      forward-addr: 1.0.0.1@853#one.one.one.one
      forward-addr: 2606:4700:4700::1111@853#one.one.one.one
      forward-addr: 2606:4700:4700::1001@853#one.one.one.one

    view:
    name: "local-network"
    local-zone: "birb.it." transparent
    #access-control: "192.168.1.0/24" allow
    local-data: "*.birb.it. IN A 192.168.1.3"
    #access-control: 100.64.0.0/24 deny

    view:
    name: "overlay-network"
    local-zone: "birb.it." transparent
    #access-control: 100.64.0.0/24 allow
    local-data: "*.birb.it. IN A 100.64.0.2"
    #access-control: 192.168.1.0/24 deny

(ignore the indention, I copied it out of my ConfigMap)

@IngwiePhoenix
Copy link
Author

The local-zone/local-data version works - but, as described, it know also responds on birb.it itself:

root@cluserboi ~# dig -p 5353 @192.168.1.3 birb.it

; <<>> DiG 9.18.28-1~deb12u2-Debian <<>> -p 5353 @192.168.1.3 birb.it
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10682
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;birb.it.                       IN      A

;; ANSWER SECTION:
birb.it.                3600    IN      A       192.168.1.3

;; Query time: 0 msec
;; SERVER: 192.168.1.3#5353(192.168.1.3) (UDP)
;; WHEN: Sat Aug 17 01:39:12 CEST 2024
;; MSG SIZE  rcvd: 52

Alright, almost there. How do I make only the subdomains respond with that IP - do I really have to go and just define all of them this very way?

@Aura67
Copy link

Aura67 commented Aug 17, 2024

As far as I understand it, you simply wanted to encrypt the DNS requests in the local network, which are then forwarded so that no one can read them, right? And the result looks good, the server basically gave you an answer as to where you wanted to go (Claudflare). Tell me if I'm wrong. Yes, that's how you should set up an upstream server over unbound with DNS over TLS.

@wcawijngaards
Copy link
Member

The local zone can match the most specific match. So it is possible to define all of them, and also birb.it, and have specific handling for each of them. For example with a local-zone: "birb.it" transparent and local-zone: "video.birb.it" redirect. It is also possible to put it like local-zone: "birb.it" transparent and then use local-data for the individual elements, if the local data matches that is returned, and if not it uses the 'local-zone transparent' setting, by adding the local-data local-data: "video.birb.it A 192.0.2.1" with the IP address.

So with more specific entries, it is possible to give some local zone and local data handling to birb.it and other entries for handling the subdomains of birb.it. That needs listing them all.

From the logs, I see it prints that the TLS handshake failed, the certificate fails. Also, the config snippet does not load certicate bundles, so perhaps it could be useful to have something like, tls-system-cert: yes to load the system default TLS certificate bundle. With tls-cert-bundle: "bundle.pem" the certificate bundle can be loaded with a specified filename to load from.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

4 participants