Kubernetes: Can not reach upstream, doesn't report a reason #1123
Comments
Perhaps with verbosity higher, like 4 and 5, it would log more details on the connection, e.g. it looks like the connection times out. So much about the upstream connection; the issue is that there is no answer from the local zones. The config has a wildcard in it, but local zones are not implemented to deal with wildcards. I mean, with the 'local-data' statement it does not do wildcards. There are several other ways to get wildcard processing though. The simplest may be to change the config to:
This serves the 'A' record for all names under the birb.it zone, and that would work like the
It is also possible to get a solution using authority zones, the auth-zone config for a zone, then the data for birb.it would have to be in a zonefile, and the auth zone receives wildcard processing, for the
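The two approaches in the reply above, written out as an added unbound.conf example (not config from the issue, the reporter, or the Unbound project; the address 192.168.1.10, the file paths and the SOA/NS contents are assumptions for illustration). Use one approach or the other for the same zone, not both: a local-zone for "birb.it" takes precedence over an auth-zone of the same name.

```conf
# --- Approach A: a 'redirect' local zone --------------------------------
# Unbound answers every query at or below birb.it with the local-data that
# is defined at the zone apex, which is the wildcard effect that plain
# local-data entries do not give you (a query for video.birb.it, or
# anything.birb.it, returns 192.168.1.10).
server:
    local-zone: "birb.it." redirect
    local-data: "birb.it. 3600 IN A 192.168.1.10"   # assumed address

# --- Approach B: an authority zone loaded from a zonefile -----------------
# Real wildcard processing: the '*' owner in the zonefile matches any name
# that has no explicit record. for-upstream/for-downstream make Unbound
# serve the zone to clients and use it instead of asking the forwarder.
auth-zone:
    name: "birb.it."
    zonefile: "/etc/unbound/zones/birb.it.zone"    # assumed path
    for-downstream: yes
    for-upstream: yes
    fallback-enabled: no

# Contents of /etc/unbound/zones/birb.it.zone (a separate file, shown here
# as a comment; standard master-file syntax, values assumed):
#   $ORIGIN birb.it.
#   $TTL 3600
#   @     IN SOA  ns1.birb.it. hostmaster.birb.it. ( 2024010101 7200 3600 1209600 3600 )
#   @     IN NS   ns1.birb.it.
#   ns1   IN A    192.168.1.10
#   *     IN A    192.168.1.10
```

Check the result before restarting the pod with `unbound-checkconf`, then query the resolver directly (for example `dig @<pod-ip> video.birb.it A`) and confirm the answer comes back with the local address rather than an upstream failure.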
The mvance image also has the problem. Try something else, maybe madnuttah/unbound works?
This unbound should work, it's the same unbound as from this repo; in the repo where you got it there are just older versions. You can just as well compile it from here, from the direct source, and you'll be more up to date.
That one's on me and my sleepy brain forgetting five minutes later that it can go much higher than three. No idea why I forgot that... Will retry, maybe it'll show me something.
They are not? Oh. I had just wanted to map everything to that host. The actual Basically, I configured myself a cheap man's Cloudflare Tunnel. My VPS runs Caddy which reverse proxies requests down to the services at home - but selectively. Here is a snippet to illustrate:
This way, only services I explicitly want to reach from not-at-home would be reached. But in reality, I have way more services there - for instance, the Postgres Operator frontend ( That is why I tried to implement a wildcard setup. However, I have no idea how to write plain zone files, so I attempted to cheat with a little bit of ChatGPT and reading the docs up and down and trying to figure something out. Since in Cloudflare's DNS settings I could just assign a wildcard domain, I was sure Unbound would let me do that too. Welp, it does not. x) I'll see if I can make the suggested As for the docker image, I just looked at Docker Hub for an arm64 version since I run on a set of RockChip RK3588 and my remote is an Ampere Altra (4 vCPU at Hetzner) - hence the usual amd64/x86_64 wouldn't work for me (though I could have configured binfmt/qemu but... that's a whole other can of worms right there).
In your unbound config, the forward upstream is as follows: forward-zone:
I did - and also increased verbosity. I haven't implemented the other options yet. Looooong log
Config:
(ignore the indentation, I copied it out of my
The
Alright, almost there. How do I make only the subdomains respond with that IP - do I really have to go and just define all of them this very way?
As far as I understand it, you simply wanted to encrypt the DNS requests in the local network, which are then forwarded so that no one can read them, right? And the result looks good, the server basically gave you an answer as to where you wanted to go (Cloudflare). Tell me if I'm wrong. Yes, that's how you should set up an upstream server over unbound with DNS over TLS.
The local zone can match the most specific match. So it is possible to define all of them, and also So with more specific entries, it is possible to give some local zone and local data handling to From the logs, I see it prints that the TLS handshake failed, the certificate fails. Also, the config snippet does not load certificate bundles, so perhaps it could be useful to have something like,
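An added unbound.conf example (not config from the issue, the reporter, or the Unbound project) that puts the two points of the reply above together: the CA bundle that the forwarder needs in order to validate the upstream TLS certificate, and a more specific local zone that overrides a broader one because Unbound uses the most specific local-zone match. The bundle path, the 192.168.1.x addresses, and the Cloudflare upstream (1.1.1.1/1.0.0.1 with auth name cloudflare-dns.com) are assumptions; the bundle path in particular depends on the base image of the container.

```conf
server:
    # Without a CA bundle Unbound has nothing to validate the upstream
    # certificate against, and the DoT handshake fails exactly as in the log.
    # Debian/Ubuntu layout assumed; check the path inside your image.
    tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"

    # Higher verbosity while debugging so TLS/connection detail is logged.
    verbosity: 4

    # Broad rule: every name under birb.it gets the apex address ...
    local-zone: "birb.it." redirect
    local-data: "birb.it. 3600 IN A 192.168.1.10"      # assumed address

    # ... except the more specific zone, which wins for that one name and
    # everything below it (most specific local-zone match).
    local-zone: "video.birb.it." static
    local-data: "video.birb.it. 3600 IN A 192.168.1.20" # assumed address

forward-zone:
    name: "."
    forward-tls-upstream: yes
    # addr@port#authname: the name after '#' is checked against the
    # certificate presented by the upstream, so keep it in sync with the
    # resolver you actually point at (assumed: Cloudflare here).
    forward-addr: 1.1.1.1@853#cloudflare-dns.com
    forward-addr: 1.0.0.1@853#cloudflare-dns.com
```

With this in place a query for `other.birb.it` returns 192.168.1.10, a query for `video.birb.it` returns 192.168.1.20, and anything outside the local zones goes out over TLS on port 853; if the handshake still fails, the verbosity 4 log will name the certificate problem rather than only reporting that the upstream could not be reached.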
Describe the bug
I wanted to deploy Unbound into my Kubernetes cluster in order to host a local network DNS server with a few predefined records that I could take advantage of between my home network and its VPN. However, whenever I run a query, it doesn't give me any particular information as to why it can not reach an upstream - did the TLS handshake fail, or could it not establish an outbound UDP connection, or something else perhaps?
This is basically what I see across all configured upstreams:
To reproduce
You could use the kind tool in order to test this. Podman Desktop also has this option.
Once you have a cluster, deploy the following:
If you are on an x86_64 platform, remove the `-rpi` suffix from the `image:`. Further, you may need to adjust the local network CIDR (`192.168.1.0/24`).
After deploying, attempt to resolve `video.birb.it`. You should now see the output stating that an upstream connection failed - but with no further information.
Expected behavior
The expected value is the network local address as defined in the `local-network` view.
System:
`unbound -V` output:
Additional information
None that come to mind, sorry.