Misleading error message on default access control causing refuse #1213

Open
madduck opened this issue Jan 9, 2025 · 2 comments
madduck commented Jan 9, 2025

When a server on example IP 192.0.2.3 has access-control defined e.g. like this:

192.0.2.0/24 allow

and it receives a query from a different address, say 198.51.100.15, unbound will log:

unbound: [607563:0] debug: refused query from 198.51.100.15 port 9987 because of 192.0.2.3/32 refuse

This is misleading. The true reason is "because the default access control rule is to refuse".

If I add

0.0.0.0/0 refuse

after the above allow, then the log is correct:

unbound: [607563:0] debug: refused query from 198.51.100.15 port 9987 because of 0.0.0.0/0 refuse

System:

  • Unbound version: 1.17.1
  • OS: Debian stable
  • unbound -V output:
Configure line: --build=x86_64-linux-gnu --prefix=/usr --includedir=${prefix}/include --mandir=${prefix}/share/man --infodir=${prefix}/share/info --sysconfdir=/etc --localstatedir=/var --disable-option-checking --disable-silent-rules --libdir=${prefix}/lib/x86_64-linux-gnu --runstatedir=/run --disable-maintainer-mode --disable-dependency-tracking --with-pythonmodule --with-pyunbound --enable-subnet --enable-dnstap --enable-systemd --with-libnghttp2 --with-chroot-dir= --with-dnstap-socket-path=/run/dnstap.sock --disable-rpath --with-pidfile=/run/unbound.pid --with-libevent --enable-tfo-client --with-rootkey-file=/usr/share/dns/root.key --enable-tfo-server
Linked libs: libevent 2.1.12-stable (it uses epoll), OpenSSL 3.0.15 3 Sep 2024
Linked modules: dns64 python subnetcache respip validator iterator
TCP Fastopen feature available
gthess commented Jan 10, 2025

The first log output uses 192.0.2.3/32 because that is the listening interface. Default refuse access control is happening per listening interface. (Other access-control actions can also be configured per interface.)

The second log output uses 0.0.0.0/0 because this is a configured client network space; configured client networks have priority over listening interfaces.

The first log output can be misleading if you don't know how Unbound applies ACLs.
Would an output like the one below make things more clear?

unbound: [607563:0] debug: refused query from 198.51.100.15 port 9987 because of 192.0.2.3/32 (interface) refuse

@gthess gthess self-assigned this Jan 10, 2025
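The ACL evaluation order described in this thread (configured client networks take priority, with the listening interface's implicit refuse as the fallback) is easy to get wrong when reading logs. The following is an added illustration written for this page, not Unbound's code: it models the lookup with Python's `ipaddress` module, reproduces the two log lines quoted above, and shows the "(interface)" annotation proposed by the maintainer. The function names, the `CONFIGURED_ACL` table and the interface address are assumptions made for the example.

```python
import ipaddress

# Constructed model of the behaviour described in the issue (not Unbound's code).
# The configured access-control entries from the report:
CONFIGURED_ACL = [
    ("192.0.2.0/24", "allow"),
]
# The listening interface of the example server, and Unbound's implicit
# per-interface default action when no configured client network matches.
INTERFACE_IP = "192.0.2.3"
INTERFACE_DEFAULT_ACTION = "refuse"


def lookup_acl(client_ip, acl=CONFIGURED_ACL, interface_ip=INTERFACE_IP):
    """Return (network, action, source) for a client address.

    Configured client networks win over the listening interface; among the
    configured entries the longest matching prefix wins. Only when nothing
    matches does the interface's default action apply, and the network that
    gets reported is then the interface address as a host route (/32 or /128).
    """
    addr = ipaddress.ip_address(client_ip)
    best = None
    for net_str, action in acl:
        net = ipaddress.ip_network(net_str, strict=False)
        if addr.version == net.version and addr in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, action)
    if best is not None:
        return str(best[0]), best[1], "configured"
    iface_addr = ipaddress.ip_address(interface_ip)
    iface_net = ipaddress.ip_network(f"{interface_ip}/{iface_addr.max_prefixlen}")
    return str(iface_net), INTERFACE_DEFAULT_ACTION, "interface"


def refusal_log_line(client_ip, port, acl=CONFIGURED_ACL,
                     interface_ip=INTERFACE_IP, annotate_interface=False):
    """Build the 'refused query' message in the shape quoted in the issue.

    With annotate_interface=True the message carries the "(interface)" tag the
    maintainer suggested, so a reader can tell an implicit interface default
    from an explicitly configured network. Returns None when the query is allowed.
    """
    net, action, source = lookup_acl(client_ip, acl, interface_ip)
    if action != "refuse":
        return None
    tag = " (interface)" if annotate_interface and source == "interface" else ""
    return f"refused query from {client_ip} port {port} because of {net}{tag} {action}"


def has_explicit_default(acl):
    """True if the ACL ends the lookup with a catch-all entry (0.0.0.0/0 or ::/0).

    An explicit catch-all is what makes the second log line in the report
    unambiguous: the refusal is attributed to a configured network rather
    than to the listening interface.
    """
    return any(ipaddress.ip_network(n, strict=False).prefixlen == 0 for n, _ in acl)


if __name__ == "__main__":
    # The reporter's first case: only the /24 allow is configured.
    print(refusal_log_line("198.51.100.15", 9987))
    # The same case with the maintainer's proposed annotation.
    print(refusal_log_line("198.51.100.15", 9987, annotate_interface=True))
    # The reporter's second case: an explicit catch-all refuse is added.
    acl_with_default = CONFIGURED_ACL + [("0.0.0.0/0", "refuse")]
    print(refusal_log_line("198.51.100.15", 9987, acl=acl_with_default))
    print("explicit default configured:", has_explicit_default(acl_with_default))
```

Running the script prints the two log lines from the report (minus the `unbound: [607563:0] debug:` prefix) and the annotated variant. The practical takeaway for an operator reviewing access-control is the last function: if no catch-all entry exists, every refusal of an unmatched client will be attributed to an interface address, so adding an explicit `0.0.0.0/0 refuse` (and `::/0 refuse` for IPv6) both documents intent and makes the logs self-explanatory.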
madduck commented Jan 10, 2025

@gthess that would be a little bit of an improvement. I would prefer "because default ACLs on interface with IP 192.0.2.3"
