What does this Unbound error mean? "error: outgoing tcp: connect: Permission denied for 1.1.1.1"



  • For some reason the forum spam filter is flagging this so I'm posting it as a screenshot. 😡

    [screenshot of the Unbound error message]



  • post your unbound config,



  • ##########################
    # Unbound Configuration
    ##########################
    
    ##
    # Server configuration
    ##
    server:
    
    chroot: /var/unbound
    username: "unbound"
    directory: "/var/unbound"
    pidfile: "/var/run/unbound.pid"
    use-syslog: yes
    port: 53
    verbosity: 1
    hide-identity: yes
    hide-version: yes
    harden-glue: yes
    do-ip4: yes
    do-ip6: yes
    do-udp: yes
    do-tcp: yes
    do-daemonize: yes
    module-config: "validator iterator"
    unwanted-reply-threshold: 0
    num-queries-per-thread: 512
    jostle-timeout: 200
    infra-host-ttl: 900
    infra-cache-numhosts: 10000
    outgoing-num-tcp: 10
    incoming-num-tcp: 10
    edns-buffer-size: 4096
    cache-max-ttl: 86400
    cache-min-ttl: 0
    harden-dnssec-stripped: yes
    msg-cache-size: 4m
    rrset-cache-size: 8m
    
    num-threads: 4
    msg-cache-slabs: 4
    rrset-cache-slabs: 4
    infra-cache-slabs: 4
    key-cache-slabs: 4
    outgoing-range: 4096
    #so-rcvbuf: 4m
    auto-trust-anchor-file: /var/unbound/root.key
    prefetch: yes
    prefetch-key: yes
    use-caps-for-id: no
    serve-expired: no
    # Statistics
    # Unbound Statistics
    statistics-interval: 0
    extended-statistics: yes
    statistics-cumulative: yes
    
    # SSL Configuration
    
    # Interface IP(s) to bind to
    interface: 192.168.1.1
    interface: 192.168.3.1
    interface: 192.168.10.1
    interface: 192.168.20.1
    interface: 192.168.30.1
    interface: 192.168.40.1
    interface: 192.168.50.1
    interface: 127.0.0.1
    interface: ::1
    
    # Outgoing interfaces to be used
    outgoing-interface: WAN IP from ISP
    
    # DNS Rebinding
    # For DNS Rebinding prevention
    private-address: 10.0.0.0/8
    private-address: ::ffff:a00:0/104
    private-address: 172.16.0.0/12
    private-address: ::ffff:ac10:0/108
    private-address: 169.254.0.0/16
    private-address: ::ffff:a9fe:0/112
    private-address: 192.168.0.0/16
    private-address: ::ffff:c0a8:0/112
    private-address: fd00::/8
    private-address: fe80::/10
    
    
    # Access lists
    include: /var/unbound/access_lists.conf
    
    # Static host entries
    include: /var/unbound/host_entries.conf
    
    # dhcp lease entries
    include: /var/unbound/dhcpleases_entries.conf
    
    # OpenVPN client entries
    include: /var/unbound/openvpn.*.conf
    
    # Domain overrides
    include: /var/unbound/domainoverrides.conf
    # Forwarding
    forward-zone:
    	name: "."
    	forward-tls-upstream: yes
    	forward-addr: 1.1.1.1@853
    	forward-addr: 1.0.0.1@853
    
    
    # Unbound custom options
    server:
    private-domain: "unraid.net"
    private-domain: "plex.direct"
    server:include: /var/unbound/pfb_dnsbl.*conf
    
    
    ###
    # Remote Control Config
    ###
    include: /var/unbound/remotecontrol.conf
    
    


  • I meant from the web interface.

    can you confirm nslookup to 1.1.1.1:853 is working from pfsense? It appears the error you received may be related to the tls setup.



  • Yes, there's traffic from pfSense to 1.1.1.1:853. I did a packet capture and one thing stands out. One of the return packets from 1.1.1.1 for each session has an alert. I have no idea what that means if anything.

    Frame 14: 85 bytes on wire (680 bits), 85 bytes captured (680 bits)
    Ethernet II, Src: AdiEngin_09:d4:45 (00:08:a2:09:d4:45), Dst: Casa_98:46:a2 (00:17:10:98:46:a2)
    Internet Protocol Version 4, Src: My WAN IP, Dst: one.one.one.one (1.1.1.1)
    Transmission Control Protocol, Src Port: 58432 (58432), Dst Port: domain-s (853), Seq: 515, Ack: 4094, Len: 31
        Source Port: 58432 (58432)
        Destination Port: domain-s (853)
        [Stream index: 0]
        [TCP Segment Len: 31]
        Sequence number: 515    (relative sequence number)
        [Next sequence number: 546    (relative sequence number)]
        Acknowledgment number: 4094    (relative ack number)
        0101 .... = Header Length: 20 bytes (5)
        Flags: 0x018 (PSH, ACK)
            000. .... .... = Reserved: Not set
            ...0 .... .... = Nonce: Not set
            .... 0... .... = Congestion Window Reduced (CWR): Not set
            .... .0.. .... = ECN-Echo: Not set
            .... ..0. .... = Urgent: Not set
            .... ...1 .... = Acknowledgment: Set
            .... .... 1... = Push: Set
            .... .... .0.. = Reset: Not set
            .... .... ..0. = Syn: Not set
            .... .... ...0 = Fin: Not set
            [TCP Flags: ·······AP···]
        Window size value: 513
        [Calculated window size: 513]
        [Window size scaling factor: -1 (unknown)]
        Checksum: 0x11b8 [unverified]
        [Checksum Status: Unverified]
        Urgent pointer: 0
        [SEQ/ACK analysis]
        [Timestamps]
        TCP payload (31 bytes)
    Secure Sockets Layer
        TLSv1.2 Record Layer: Encrypted Alert
            Content Type: Alert (21)
            Version: TLS 1.2 (0x0303)
            Length: 26
            Alert Message: Encrypted Alert
    

    Here are the config screenshots:
    [four screenshots of the DNS Resolver configuration pages]



  • Are you following a guide for this? It looks like you're using the AirVPN cert on this DNS instance.



  • This config came about from a few sources, blogs/youtube/pfSense docs/hangouts, and my own understanding of how it should work.

    > it looks like you're using the AirVPN cert on this DNS instance.

    I thought that setting was only used if "Enable SSL/TLS Service" was set, so that clients can query unbound over TLS, which I'm not doing.



  • My apologies, I thought the box was checked.
    Encrypted alerts are just notifications, although in this instance it may be the closing of that session.

    http://blog.fourthbit.com/2014/12/23/traffic-analysis-of-an-ssl-slash-tls-session



  • nice blog post!

    That's probably what the alert is, just closing session. It happens near the end of each session.

    Do you have any idea of what that error means? "Permission denied" by what? I just noticed that I can change the unbound log level. I'll do that and wait.



  • I'm not certain without more info. When I hear permissions, the first thing that comes to mind is the owner/permissions on a file were modified.

    Earlier you posted an unbound config from the terminal. Can you verify whether the file ownership has been changed? Change to that directory and run: ls -al
    If it says root is the owner, try chowning the file to the unbound user.



  • So are all these files supposed to be owned by unbound?

    [2.4.4-RELEASE][root@pfsense.rhsjmm.com]/var/unbound: ls -la
    total 6313
    drwxr-xr-x   3 unbound  unbound        17 Feb 21 13:36 .
    drwxr-xr-x  26 root     wheel          26 Jan 26 21:41 ..
    -rw-r--r--   1 root     unbound       447 Feb 21 13:22 access_lists.conf
    drwxr-xr-x   2 unbound  unbound         2 Dec 12 20:17 conf.d
    -rw-r--r--   1 root     unbound        36 Feb 21 13:22 dhcpleases_entries.conf
    -rw-r--r--   1 root     unbound      3355 Jan 15 13:12 dnsbl_cert.pem
    -rw-r--r--   1 root     unbound         0 Feb 21 13:22 domainoverrides.conf
    -rw-r--r--   1 root     unbound      3209 Feb 21 13:22 host_entries.conf
    -rw-r--r--   1 root     unbound  26838979 Jan 20 18:04 pfb_dnsbl.conf
    -rw-r--r--   1 root     unbound      1498 Jan 23 11:50 pfb_dnsbl_lighty.conf
    -rw-r--r--   1 root     unbound       300 Jan 14 07:59 remotecontrol.conf
    -rw-r--r--   1 unbound  unbound       758 Feb 21 13:36 root.key
    -rw-r--r--   1 root     unbound      2393 Feb 21 13:22 unbound.conf
    -rw-r-----   1 unbound  unbound      2455 Jan 14 07:59 unbound_control.key
    -rw-r-----   1 unbound  unbound      1330 Jan 14 07:59 unbound_control.pem
    -rw-r-----   1 unbound  unbound      2455 Jan 14 07:59 unbound_server.key
    -rw-r-----   1 unbound  unbound      1318 Jan 14 07:59 unbound_server.pem
    


  • Yes. Anything with group unbound should be owned by unbound.

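The ownership check suggested in the replies above, done mechanically instead of by eye. This is an added example and not part of the thread or of pfSense; it takes an `ls -la` listing on stdin and reports regular files whose group is `unbound` but whose owner is not. The sample listing is constructed from the output posted in this thread, and the `chown` commands are only printed for review, never run. Note that the poster later shows a stock pfSense install with the same root-owned files, so a mismatch reported here is a baseline comparison, not proof of a problem.

```shell
# Constructed sample, trimmed from the ls -la output posted in the thread.
# For a live check replace this with: ls -la /var/unbound
SAMPLE_LISTING='total 6313
drwxr-xr-x   3 unbound  unbound        17 Feb 21 13:36 .
-rw-r--r--   1 root     unbound       447 Feb 21 13:22 access_lists.conf
-rw-r--r--   1 unbound  unbound       758 Feb 21 13:36 root.key
-rw-r-----   1 unbound  unbound      2455 Jan 14 07:59 unbound_control.key
-rw-r--r--   1 root     unbound      2393 Feb 21 13:22 unbound.conf'

# Read an ls -la listing on stdin; print "<owner> <name>" for every regular
# file (mode starts with "-") whose group is $2 but whose owner is not $1.
# Directories and the total line are skipped.
find_mismatched() {
    want_owner="$1"; want_group="$2"
    awk -v o="$want_owner" -v g="$want_group" '
        NF >= 9 && substr($1,1,1) == "-" && $4 == g && $3 != o { print $3, $9 }
    '
}

# Number of mismatched files in the sample listing, printed on stdout so a
# calling script can branch on it.
count_mismatched() {
    printf '%s\n' "$SAMPLE_LISTING" | find_mismatched unbound unbound | wc -l | tr -d ' '
}

# Print the chown commands an admin would review before applying them.
# Nothing on disk is modified by this function.
suggest_chown() {
    dir="${1:-/var/unbound}"   # assumed directory, matching the thread's prompt
    printf '%s\n' "$SAMPLE_LISTING" | find_mismatched unbound unbound |
        while read -r owner name; do
            printf 'chown unbound:unbound %s/%s   # currently owned by %s\n' "$dir" "$name" "$owner"
        done
}

# Usage: compare the live listing against the stock one before changing anything.
#   ls -la /var/unbound | find_mismatched unbound unbound
#   suggest_chown /var/unbound
```

Running `count_mismatched` on the sample reports 2 (`access_lists.conf` and `unbound.conf`). Because the same two files are root-owned on the fresh VirtualBox install shown later in the thread, treat the list as something to diff against a known-good box rather than as a list of files to chown blindly.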


  • Must be doing file ownership for unbound files different now because I did a quick install on VirtualBox and it's the same.

    [2.4.4-RELEASE][root@pfSense.localdomain]/var/unbound: ls -la
    total 48
    drwxr-xr-x   3 unbound  unbound   512 Feb 21 15:14 .
    drwxr-xr-x  26 root     wheel     512 Feb 21 14:16 ..
    -rw-r--r--   1 root     unbound   177 Feb 21 15:14 access_lists.conf
    drwxr-xr-x   2 unbound  unbound   512 Nov 26 16:42 conf.d
    -rw-r--r--   1 root     unbound     0 Feb 21 15:14 dhcpleases_entries.conf
    -rw-r--r--   1 root     unbound     0 Feb 21 15:14 domainoverrides.conf
    -rw-r--r--   1 root     unbound   398 Feb 21 15:14 host_entries.conf
    -rw-r--r--   1 root     unbound   300 Feb 21 14:17 remotecontrol.conf
    -rw-r--r--   1 unbound  unbound   166 Feb 21 15:14 root.key
    -rw-r--r--   1 root     unbound  1865 Feb 21 15:14 unbound.conf
    -rw-r-----   1 unbound  unbound  2459 Feb 21 14:17 unbound_control.key
    -rw-r-----   1 unbound  unbound  1330 Feb 21 14:17 unbound_control.pem
    -rw-r-----   1 unbound  unbound  2455 Feb 21 14:17 unbound_server.key
    -rw-r-----   1 unbound  unbound  1318 Feb 21 14:17 unbound_server.pem
    
