    What does this Unbound error mean? "error: outgoing tcp: connect: Permission denied for 1.1.1.1"

    • asv345hA
      asv345h
      last edited by

      For some reason the forum spam filter is flagging this, so I'm posting it as a screenshot.

      0_1550745296614_6f09c400-511a-4ed2-b610-0a1d66e84341-image.png

      • I
        isolatedvirus
        last edited by

        Post your unbound config.

        • asv345hA
          asv345h
          last edited by

          ##########################
          # Unbound Configuration
          ##########################
          
          ##
          # Server configuration
          ##
          server:
          
          chroot: /var/unbound
          username: "unbound"
          directory: "/var/unbound"
          pidfile: "/var/run/unbound.pid"
          use-syslog: yes
          port: 53
          verbosity: 1
          hide-identity: yes
          hide-version: yes
          harden-glue: yes
          do-ip4: yes
          do-ip6: yes
          do-udp: yes
          do-tcp: yes
          do-daemonize: yes
          module-config: "validator iterator"
          unwanted-reply-threshold: 0
          num-queries-per-thread: 512
          jostle-timeout: 200
          infra-host-ttl: 900
          infra-cache-numhosts: 10000
          outgoing-num-tcp: 10
          incoming-num-tcp: 10
          edns-buffer-size: 4096
          cache-max-ttl: 86400
          cache-min-ttl: 0
          harden-dnssec-stripped: yes
          msg-cache-size: 4m
          rrset-cache-size: 8m
          
          num-threads: 4
          msg-cache-slabs: 4
          rrset-cache-slabs: 4
          infra-cache-slabs: 4
          key-cache-slabs: 4
          outgoing-range: 4096
          #so-rcvbuf: 4m
          auto-trust-anchor-file: /var/unbound/root.key
          prefetch: yes
          prefetch-key: yes
          use-caps-for-id: no
          serve-expired: no
          # Statistics
          # Unbound Statistics
          statistics-interval: 0
          extended-statistics: yes
          statistics-cumulative: yes
          
          # SSL Configuration
          
          # Interface IP(s) to bind to
          interface: 192.168.1.1
          interface: 192.168.3.1
          interface: 192.168.10.1
          interface: 192.168.20.1
          interface: 192.168.30.1
          interface: 192.168.40.1
          interface: 192.168.50.1
          interface: 127.0.0.1
          interface: ::1
          
          # Outgoing interfaces to be used
          outgoing-interface: WAN IP from ISP
          
          # DNS Rebinding
          # For DNS Rebinding prevention
          private-address: 10.0.0.0/8
          private-address: ::ffff:a00:0/104
          private-address: 172.16.0.0/12
          private-address: ::ffff:ac10:0/108
          private-address: 169.254.0.0/16
          private-address: ::ffff:a9fe:0/112
          private-address: 192.168.0.0/16
          private-address: ::ffff:c0a8:0/112
          private-address: fd00::/8
          private-address: fe80::/10
          
          
          # Access lists
          include: /var/unbound/access_lists.conf
          
          # Static host entries
          include: /var/unbound/host_entries.conf
          
          # dhcp lease entries
          include: /var/unbound/dhcpleases_entries.conf
          
          # OpenVPN client entries
          include: /var/unbound/openvpn.*.conf
          
          # Domain overrides
          include: /var/unbound/domainoverrides.conf
          # Forwarding
          forward-zone:
          	name: "."
          	forward-tls-upstream: yes
          	forward-addr: 1.1.1.1@853
          	forward-addr: 1.0.0.1@853
          
          
          # Unbound custom options
          server:
          private-domain: "unraid.net"
          private-domain: "plex.direct"
          server:include: /var/unbound/pfb_dnsbl.*conf
          
          
          ###
          # Remote Control Config
          ###
          include: /var/unbound/remotecontrol.conf
          
          
          • I
            isolatedvirus
            last edited by

            I meant from the web interface.

            Can you confirm nslookup to 1.1.1.1:853 is working from pfSense? It appears the error you received may be related to the TLS setup.

            • asv345hA
              asv345h
              last edited by asv345h

              Yes, there's traffic from pfSense to 1.1.1.1:853. I did a packet capture and one thing stands out. One of the return packets from 1.1.1.1 for each session has an alert. I have no idea what that means if anything.

              Frame 14: 85 bytes on wire (680 bits), 85 bytes captured (680 bits)
              Ethernet II, Src: AdiEngin_09:d4:45 (00:08:a2:09:d4:45), Dst: Casa_98:46:a2 (00:17:10:98:46:a2)
              Internet Protocol Version 4, Src: My WAN IP, Dst: one.one.one.one (1.1.1.1)
              Transmission Control Protocol, Src Port: 58432 (58432), Dst Port: domain-s (853), Seq: 515, Ack: 4094, Len: 31
                  Source Port: 58432 (58432)
                  Destination Port: domain-s (853)
                  [Stream index: 0]
                  [TCP Segment Len: 31]
                  Sequence number: 515    (relative sequence number)
                  [Next sequence number: 546    (relative sequence number)]
                  Acknowledgment number: 4094    (relative ack number)
                  0101 .... = Header Length: 20 bytes (5)
                  Flags: 0x018 (PSH, ACK)
                      000. .... .... = Reserved: Not set
                      ...0 .... .... = Nonce: Not set
                      .... 0... .... = Congestion Window Reduced (CWR): Not set
                      .... .0.. .... = ECN-Echo: Not set
                      .... ..0. .... = Urgent: Not set
                      .... ...1 .... = Acknowledgment: Set
                      .... .... 1... = Push: Set
                      .... .... .0.. = Reset: Not set
                      .... .... ..0. = Syn: Not set
                      .... .... ...0 = Fin: Not set
                      [TCP Flags: ·······AP···]
                  Window size value: 513
                  [Calculated window size: 513]
                  [Window size scaling factor: -1 (unknown)]
                  Checksum: 0x11b8 [unverified]
                  [Checksum Status: Unverified]
                  Urgent pointer: 0
                  [SEQ/ACK analysis]
                  [Timestamps]
                  TCP payload (31 bytes)
              Secure Sockets Layer
                  TLSv1.2 Record Layer: Encrypted Alert
                      Content Type: Alert (21)
                      Version: TLS 1.2 (0x0303)
                      Length: 26
                      Alert Message: Encrypted Alert
              

              Here are the config screenshots:
              0_1550752628513_71559d11-a5c2-4fa1-9334-7c9e826195ac-image.png

              0_1550752730865_74ec24dc-b09e-4310-9b7b-3fe7b10ffae0-image.png

              0_1550752673906_82dea94a-2806-47d1-a8d9-bb43a915ee6d-image.png

              0_1550752702334_ea150a8e-da52-4cf4-9003-a555e52bcdd6-image.png

              • I
                isolatedvirus
                last edited by

                Are you following a guide for this? It looks like you're using the AirVPN cert on this DNS instance.

                • asv345hA
                  asv345h @isolatedvirus
                  last edited by

                  This config came about from a few sources, blogs/youtube/pfSense docs/hangouts, and my own understanding of how it should work.

                  It looks like you're using the AirVPN cert on this DNS instance.

                  I thought that setting was only used if "Enable SSL/TLS Service" was set, so that clients can query unbound over TLS, which I'm not doing.

                  • I
                    isolatedvirus
                    last edited by

                    My apologies, I thought the box was checked.
                    Encrypted alerts are just notifications, although in this instance it may be the closing of that session.

                    http://blog.fourthbit.com/2014/12/23/traffic-analysis-of-an-ssl-slash-tls-session

                    • asv345hA
                      asv345h
                      last edited by

                      nice blog post!

                      That's probably what the alert is, just closing session. It happens near the end of each session.

                      Do you have any idea of what that error means? "Permission denied" by what? I just noticed that I can change the unbound log level. I'll do that and wait.

                      • I
                        isolatedvirus @asv345h
                        last edited by

                        I'm not certain without more info. When I hear permissions, the first thing that comes to mind is the owner/permissions on a file were modified.

                        Earlier you posted an unbound config from the terminal. Can you verify whether the file ownership has been changed? Change to that directory and run: ls -al
                        If it says root is the owner, try chowning the file to the unbound user.

                        • asv345hA
                          asv345h
                          last edited by

                          So are all these files supposed to be owned by unbound?

                          [2.4.4-RELEASE][root@pfsense.rhsjmm.com]/var/unbound: ls -la
                          total 6313
                          drwxr-xr-x   3 unbound  unbound        17 Feb 21 13:36 .
                          drwxr-xr-x  26 root     wheel          26 Jan 26 21:41 ..
                          -rw-r--r--   1 root     unbound       447 Feb 21 13:22 access_lists.conf
                          drwxr-xr-x   2 unbound  unbound         2 Dec 12 20:17 conf.d
                          -rw-r--r--   1 root     unbound        36 Feb 21 13:22 dhcpleases_entries.conf
                          -rw-r--r--   1 root     unbound      3355 Jan 15 13:12 dnsbl_cert.pem
                          -rw-r--r--   1 root     unbound         0 Feb 21 13:22 domainoverrides.conf
                          -rw-r--r--   1 root     unbound      3209 Feb 21 13:22 host_entries.conf
                          -rw-r--r--   1 root     unbound  26838979 Jan 20 18:04 pfb_dnsbl.conf
                          -rw-r--r--   1 root     unbound      1498 Jan 23 11:50 pfb_dnsbl_lighty.conf
                          -rw-r--r--   1 root     unbound       300 Jan 14 07:59 remotecontrol.conf
                          -rw-r--r--   1 unbound  unbound       758 Feb 21 13:36 root.key
                          -rw-r--r--   1 root     unbound      2393 Feb 21 13:22 unbound.conf
                          -rw-r-----   1 unbound  unbound      2455 Jan 14 07:59 unbound_control.key
                          -rw-r-----   1 unbound  unbound      1330 Jan 14 07:59 unbound_control.pem
                          -rw-r-----   1 unbound  unbound      2455 Jan 14 07:59 unbound_server.key
                          -rw-r-----   1 unbound  unbound      1318 Jan 14 07:59 unbound_server.pem
                          
                          • I
                            isolatedvirus
                            last edited by

                            Yes. Anything with group unbound should be owned by unbound.

                            • asv345hA
                              asv345h
                              last edited by asv345h

                              They must be doing file ownership for unbound files differently now, because I did a quick install on VirtualBox and it's the same.

                              [2.4.4-RELEASE][root@pfSense.localdomain]/var/unbound: ls -la
                              total 48
                              drwxr-xr-x   3 unbound  unbound   512 Feb 21 15:14 .
                              drwxr-xr-x  26 root     wheel     512 Feb 21 14:16 ..
                              -rw-r--r--   1 root     unbound   177 Feb 21 15:14 access_lists.conf
                              drwxr-xr-x   2 unbound  unbound   512 Nov 26 16:42 conf.d
                              -rw-r--r--   1 root     unbound     0 Feb 21 15:14 dhcpleases_entries.conf
                              -rw-r--r--   1 root     unbound     0 Feb 21 15:14 domainoverrides.conf
                              -rw-r--r--   1 root     unbound   398 Feb 21 15:14 host_entries.conf
                              -rw-r--r--   1 root     unbound   300 Feb 21 14:17 remotecontrol.conf
                              -rw-r--r--   1 unbound  unbound   166 Feb 21 15:14 root.key
                              -rw-r--r--   1 root     unbound  1865 Feb 21 15:14 unbound.conf
                              -rw-r-----   1 unbound  unbound  2459 Feb 21 14:17 unbound_control.key
                              -rw-r-----   1 unbound  unbound  1330 Feb 21 14:17 unbound_control.pem
                              -rw-r-----   1 unbound  unbound  2455 Feb 21 14:17 unbound_server.key
                              -rw-r-----   1 unbound  unbound  1318 Feb 21 14:17 unbound_server.pem
                              
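A way to test the file-ownership theory raised above, as an added example and not code posted in the thread: it parses an ls -la listing (a constructed sample built from the /var/unbound listing posted above, plus one hypothetical root:wheel mode 600 file) and reports which regular files the unbound user could not read. Against the posted listing every file is readable by unbound through its owner, group or other bits, so ownership alone does not explain the connect error.

```python
import re
from dataclasses import dataclass

# Constructed sample: lines taken from the /var/unbound listing posted in the
# thread, plus one hypothetical file that unbound genuinely cannot read.
LISTING = """\
total 6313
drwxr-xr-x   3 unbound  unbound        17 Feb 21 13:36 .
-rw-r--r--   1 root     unbound       447 Feb 21 13:22 access_lists.conf
-rw-r--r--   1 root     unbound  26838979 Jan 20 18:04 pfb_dnsbl.conf
-rw-r--r--   1 unbound  unbound       758 Feb 21 13:36 root.key
-rw-r--r--   1 root     unbound      2393 Feb 21 13:22 unbound.conf
-rw-r-----   1 unbound  unbound      2455 Jan 14 07:59 unbound_control.key
-rw-------   1 root     wheel          42 Jan 14 07:59 hypothetical_private.conf
"""

# type, mode bits, link count, owner, group, size, month, day, time-or-year, name
LS_LINE = re.compile(
    r"^([-dl])([rwxsStT-]{9})\s+\d+\s+(\S+)\s+(\S+)\s+\d+\s+\w+\s+\d+\s+[\d:]+\s+(.+)$"
)


@dataclass
class Entry:
    name: str
    kind: str   # "-" regular file, "d" directory, "l" symlink
    mode: str   # nine permission characters, e.g. "rw-r-----"
    owner: str
    group: str


def parse_ls(text):
    """Parse `ls -la` output into Entry objects, skipping the 'total' line."""
    entries = []
    for line in text.splitlines():
        m = LS_LINE.match(line)
        if m:
            kind, mode, owner, group, name = m.groups()
            entries.append(Entry(name, kind, mode, owner, group))
    return entries


def can_read(entry, user, groups):
    """Classic owner/group/other rule: only the first matching class applies."""
    if entry.owner == user:
        bits = entry.mode[0:3]
    elif entry.group in groups:
        bits = entry.mode[3:6]
    else:
        bits = entry.mode[6:9]
    return bits[0] == "r"


def unreadable_by(text, user="unbound", groups=("unbound",)):
    """Names of regular files in the listing that `user` cannot read."""
    return [e.name for e in parse_ls(text)
            if e.kind == "-" and not can_read(e, user, groups)]
```

The check models only the read bit as a non-root user sees it (root bypasses these bits entirely), which is what matters for the daemon after it drops privileges to unbound.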
                              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.