On Thu, 29 Sep 2016, Gregory Edigarov wrote:
> Hi,
>
> Need some advice.
>
> I have a bgp router with 3 interfaces:
>
> em0 (xxx.yyy.zzz.1/24),
> em1, em2 - looking at uplinks
>
> bgp is up and running, packets are forwarded just fine. also there is nsd,
> listening on both em1, em2 serving my reverse zone.
>
> so far everything works.
>
> now I want this host to also be a resolver for the lan, which sits on xxx.yyy.zzz.1
>
> here is what I have in unbound.conf
>
>
> server:
>     verbosity: 1
>     outgoing-interface: 0.0.0.0
>     interface: 127.0.0.1
>     interface:
>     access-control: 127.0.0.0/8 allow
>     access-control: xxx.yyy.zzz.0/24 allow
>     access-control: ::1 allow
>     access-control: ::ffff:127.0.0.1 allow
>     root-hints: /etc/unbound/root.hints
>
> some hosts are resolving correctly, for example google.com, but many have
> SERVFAIL.
>
> if I have
>     outgoing-interface: xxx.yyy.zzz.1
>
> nothing works.
>
>
> so the question is: how to make unbound work in such a setup?
I can't speak specifically to unbound, but check the source and destination IPs very carefully in tcpdump.

I recently had similar trouble with nsd. Binding to 0.0.0.0 or ::1 is not enough: it will use the same IP for all responses no matter where they came to. I had to explicitly state the IPs I wanted to listen on so that the responses came from the right IP.

(I would check both directions: clients -> unbound and unbound -> nameservers.)

Martin
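Martin's advice applied to Gregory's unbound.conf, as an added example that is not a config from either poster: every listen address and every upstream source address is stated explicitly instead of relying on 0.0.0.0, so a reply leaves from the address the query arrived on and upstream queries are sourced from an uplink address that the BGP default route can actually return traffic to. UPLINK1_IP and UPLINK2_IP are placeholders, since the thread never gives the em1/em2 addresses; unbound accepts several interface: and outgoing-interface: lines.

```conf
# Replaces the wildcard "outgoing-interface: 0.0.0.0" and the empty
# "interface:" line from the original post.
server:
    verbosity: 1

    # Listen only where clients are expected: loopback and the LAN side (em0).
    interface: 127.0.0.1
    interface: xxx.yyy.zzz.1

    # Source upstream queries from the uplink addresses (em1/em2), not from
    # the LAN address: replies to a LAN-sourced query may never route back.
    # Placeholders, replace with the real em1/em2 addresses.
    outgoing-interface: UPLINK1_IP
    outgoing-interface: UPLINK2_IP

    # Same client policy as the original post.
    access-control: 127.0.0.0/8 allow
    access-control: xxx.yyy.zzz.0/24 allow
    access-control: ::1 allow
    access-control: ::ffff:127.0.0.1 allow

    root-hints: /etc/unbound/root.hints

# Verification, following Martin's "check both directions" note:
#   unbound-checkconf                      # syntax check before restarting
#   tcpdump -ni em0 udp port 53            # client side: answers must come
#                                          # from xxx.yyy.zzz.1
#   tcpdump -ni em1 udp port 53            # uplink side: queries must leave
#   tcpdump -ni em2 udp port 53            # from UPLINK1_IP / UPLINK2_IP
```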