
Comments (6)

kieranlittle667 avatar kieranlittle667 commented on June 5, 2024 1
root@piholeVM:/home/klittle# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy DROP)
target     prot opt source               destination
DOCKER-USER  all  --  anywhere             anywhere
DOCKER-ISOLATION-STAGE-1  all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain DOCKER (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             172.17.0.2           tcp dpt:5335
ACCEPT     udp  --  anywhere             172.17.0.2           udp dpt:5335

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
target     prot opt source               destination
DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere
RETURN     all  --  anywhere             anywhere

Chain DOCKER-ISOLATION-STAGE-2 (1 references)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere
RETURN     all  --  anywhere             anywhere

Chain DOCKER-USER (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere
root@piholeVM:/home/klittle# ufw status
Status: inactive
root@piholeVM:/home/klittle# cat unbound/unbound.conf
include: "/usr/local/unbound/conf.d/*.conf"
include: "/usr/local/unbound/zones.d/*.conf"

server:
        module-config: "validator iterator"
        username: "_unbound"
    directory: "/usr/local/unbound"
        chroot: "/usr/local/unbound"
        do-daemonize: no
        tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt
root@piholeVM:/home/klittle#

I've attached my entire unbound dir
REMOVED

from unbound-docker.

kieranlittle667 avatar kieranlittle667 commented on June 5, 2024 1

Thank you so much for your help, I had missed that in the logs and had missed that that directory was owned by root and not by my user. All working now, including DNSSEC validation.
Great container, keep up the good work!


madnuttah avatar madnuttah commented on June 5, 2024

Hello and thanks for contacting me.

It's hard to analyze your compose file, you can keep the formatting when using ``` before and after your yaml code.

If I remember correctly, I had issues too not using a /16 subnet mask for the bridge network (I guess I need to fix this in my example, sorry for that):

...
# Indentations may not be correct 
networks:
  dns-network:
    driver: bridge
    driver_opts:
      parent: ent3
    ipam:
      config:
        - subnet: 172.20.0.0/16 #try this instead of /24
          gateway: 172.20.0.1

Other than that, can you put your unbound ports like so:

...
  unbound:
    container_name: unbound
    image: madnuttah/unbound:latest
    hostname: unbound
    domainname: solingen.local
    ports:
      - 5335:5335/tcp
      - 5335:5335/udp
    networks:
      dns-network:
        ipv4_address: 172.20.0.3
...


kieranlittle667 avatar kieranlittle667 commented on June 5, 2024

Hi,
Thanks so much for replying. I tried the /16 network and the adjusted port mapping syntax and it still didn't work.
I then tried running with a host network instead and it still didn't work.

    docker run -d \
      --name unbound \
      --hostname unbound \
      --domainname solingen.local \
      --network host \
      --env TZ=Europe/London \
      --env ServerIP=192.168.100.211 \
      --env VIRTUAL_HOST=unbound_vm.solingen.local \
      -v /home/klittle/unbound/unbound.conf:/usr/local/unbound/unbound.conf:rw \
      -v /home/klittle/unbound/conf.d/:/usr/local/unbound/conf.d/:rw \
      -v /home/klittle/unbound/iana.d/:/usr/local/unbound/iana.d/:rw \
      -v /home/klittle/unbound/log.d/unbound.log:/usr/local/unbound/log.d/unbound.log:rw \
      -v /home/klittle/unbound/zones.d/:/usr/local/unbound/zones.d/:rw \
      --restart unless-stopped \
      madnuttah/unbound:latest

I think there are 2 separate issues here, as if I nmap TCP port 5335 while the container is running in host mode the port is open, but I can't resolve a domain with it; however, if I run with my bridged network, UDP 5335 is open but TCP 5335 shows as closed. If I run your default command as above with no volumes or variables, I can resolve hostnames, and nmap -p 5335 shows the TCP port as open.


madnuttah avatar madnuttah commented on June 5, 2024

My pleasure!

Could you show me your unbound.conf please? And is there a firewall or apparmor active on your docker host?


madnuttah avatar madnuttah commented on June 5, 2024

I wasn't sure if there were sensitive content in that zip file so I removed it.

I can see an issue with permissions in your log: fatal error: could not open autotrust file for writing, /iana.d/root.key.1-1-7f7abfe46790: Permission denied. Please fix the permissions and ownership in your iana.d folder, the container won't spin up otherwise.

It is also possible that iptables blocks access to the internal IPv4 172.20.0.3 as I see only 172.17.0.2. Could you add rules for testing, please?

Here's an adapted security.conf for your environment:

server:
    do-not-query-localhost: no

    unblock-lan-zones: no
    insecure-lan-zones: yes

    private-domain: "solingen.local."
    private-domain: "100.168.192.in-addr.arpa."

    domain-insecure: "solingen.local."
    domain-insecure: "100.168.192.in-addr.arpa."
    private-address: 10.0.0.0/8
    private-address: 172.16.0.0/12
    private-address: 192.168.0.0/16
    private-address: 169.254.0.0/16
    private-address: fd00::/8
    private-address: fe80::/10
    private-address: ::ffff:0:0/96

    hide-identity: yes
    identity: "server"
    hide-version: yes
    version: ""
    aggressive-nsec: yes
    qname-minimisation: yes
    qname-minimisation-strict: no
    disable-dnssec-lame-check: no
    hide-trustanchor: yes
    harden-algo-downgrade: yes
    harden-below-nxdomain: yes
    harden-dnssec-stripped: yes
    harden-glue: yes
    harden-large-queries: yes
    harden-referral-path: yes
    harden-short-bufsize: yes
    minimal-responses: yes
    deny-any: yes
    use-caps-for-id: yes
    val-clean-additional: yes
    val-max-restart: 5
    root-key-sentinel: yes
    zonemd-permissive-mode: no

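The "I see only 172.17.0.2" observation above can be checked mechanically on the docker host. The script below is an added example, not code from this thread or from the unbound-docker project; `published_protos` is a helper written here, and the `SAMPLE` listing is a constructed copy of the DOCKER chain shown earlier in the thread.

```shell
#!/bin/sh
# Added diagnostic: report which protocols Docker's filter-table DOCKER chain
# ACCEPTs towards a given container IP and port. If the compose file places
# unbound at 172.20.0.3 but only 172.17.0.2 (the default bridge) shows up here,
# the port mapping is not reaching the container on the custom network.
# Live usage on a host:  iptables -L -n | published_protos 172.20.0.3 5335

# published_protos IP PORT   (reads `iptables -L` output on stdin)
# Prints the matching protocols sorted and space separated, e.g. "tcp udp";
# prints nothing when no ACCEPT rule in chain DOCKER targets IP:PORT.
published_protos() {
  awk -v ip="$1" -v want="dpt:$2" '
    /^Chain / { inchain = ($2 == "DOCKER"); next }   # only the DOCKER chain counts
    inchain && $1 == "ACCEPT" && $5 == ip && $7 == want { print $2 }
  ' | sort -u | tr '\n' ' ' | sed 's/ $//'
}

# Constructed sample modelled on the iptables listing posted in this thread.
# Other chains are included to show that the chain filter ignores them.
SAMPLE='Chain FORWARD (policy DROP)
target     prot opt source               destination
DOCKER     all  --  anywhere             anywhere

Chain DOCKER (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             172.17.0.2           tcp dpt:5335
ACCEPT     udp  --  anywhere             172.17.0.2           udp dpt:5335

Chain DOCKER-USER (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere'

# Expected: 172.17.0.2 is published for tcp and udp, 172.20.0.3 is not published.
for ip in 172.17.0.2 172.20.0.3; do
  got="$(printf '%s\n' "$SAMPLE" | published_protos "$ip" 5335)"
  echo "$ip:5335 -> ${got:-NOT PUBLISHED}"
done
```

If the check prints NOT PUBLISHED for the address the compose file assigns, inspect `docker inspect` network settings and the nat-table DOCKER chain (`iptables -t nat -L DOCKER -n`) before touching unbound.conf.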
