Home / ubuntu / Questions / 1531438
Accepted
Sun Bear
Asked: 2024-10-29 10:49:26 +0800 CST

Why is interface: 0.0.0.0 causing failure in restarting unbound.service?

  • 772

unbound.service runs w/o error when these 3 default files (created after installing unbound) are used:

root@DNS:/etc/unbound# cat unbound.conf
# Unbound configuration file for Debian.
#
# See the unbound.conf(5) man page.
#
# See /usr/share/doc/unbound/examples/unbound.conf for a commented
# reference config file.
#
# The following line includes additional configuration files from the
# /etc/unbound/unbound.conf.d directory.
include-toplevel: "/etc/unbound/unbound.conf.d/*.conf"
root@DNS:/etc/unbound# cat unbound.conf.d/remote-control.conf 
remote-control:
  control-enable: yes
  # by default the control interface is is 127.0.0.1 and ::1 and port 8953
  # it is possible to use a unix socket too
  control-interface: /run/unbound.ctl
root@DNS:/etc/unbound# cat unbound.conf.d/root-auto-trust-anchor-file.conf 
server:
    # The following line will configure unbound to perform cryptographic
    # DNSSEC validation using the root trust anchor.
    auto-trust-anchor-file: "/var/lib/unbound/root.key"

However, when these 3 files are removed and the content of /etc/unbound/unbound.conf made to contain

# unbound.conf(5) config file for unbound(8).
server:
    directory: "/etc/unbound"
    username: "unbound"
    # make sure unbound can access entropy from inside the chroot.
    # e.g. on linux the use these commands (on BSD, devfs(8) is used):
    #      mount --bind -n /dev/urandom /etc/unbound/dev/urandom
    # and  mount --bind -n /dev/log /etc/unbound/dev/log
    #chroot: "/etc/unbound"
    # logfile: "/etc/unbound/unbound.log"  #uncomment to use logfile.
    pidfile: "/etc/unbound/unbound.pid"
    # verbosity: 1      # uncomment and increase to get more logging.
    # listen on all interfaces, answer queries from the local subnet.
    interface: 0.0.0.0
    interface: ::0
    access-control: 10.0.0.0/8 allow
    #access-control: 2001:DB8::/64 allow

unbound.service fails to restart using service unbound restart. e.g.

root@DNS:/etc/unbound# service unbound restart
Job for unbound.service failed because the control process exited with error code.
See "systemctl status unbound.service" and "journalctl -xeu unbound.service" for details.
root@DNS:/etc/unbound# systemctl status unbound.service
× unbound.service - Unbound DNS server
     Loaded: loaded (/usr/lib/systemd/system/unbound.service; disabled; preset: enabled)
     Active: failed (Result: exit-code) since Mon 2024-10-28 16:01:59 UTC; 18s ago
   Duration: 50min 13.453s
       Docs: man:unbound(8)
    Process: 3385 ExecStartPre=/usr/libexec/unbound-helper chroot_setup (code=exited, status=0/SUCCESS)
    Process: 3388 ExecStartPre=/usr/libexec/unbound-helper root_trust_anchor_update (code=exited, status=0/SUCCESS)
    Process: 3391 ExecStart=/usr/sbin/unbound -d -p $DAEMON_OPTS (code=exited, status=1/FAILURE)
    Process: 3393 ExecStopPost=/usr/libexec/unbound-helper chroot_teardown (code=exited, status=0/SUCCESS)
   Main PID: 3391 (code=exited, status=1/FAILURE)
        CPU: 168ms

Oct 28 16:01:59 DNS systemd[1]: unbound.service: Scheduled restart job, restart counter is at 5.
Oct 28 16:01:59 DNS systemd[1]: unbound.service: Start request repeated too quickly.
Oct 28 16:01:59 DNS systemd[1]: unbound.service: Failed with result 'exit-code'.
Oct 28 16:01:59 DNS systemd[1]: Failed to start unbound.service - Unbound DNS server.

To troubleshoot, I commented out every line, followed by uncommenting each line until unbound.service failed to restart. I discovered that the line interface: 0.0.0.0 is the cause of the error. I can't figure out why 0.0.0.0 is causing the issue. Why is this ip address causing this issue?

System:

  • Unbound version: 1.19.2
  • OS: Linux DNS 6.1.63 #218 SMP Thu Nov 30 20:48:04 CST 2023 aarch64 aarch64 aarch64 GNU/Linux in Ubuntu Server 24.04.1
  • unbound -V output:
root@DNS::/etc/unbound# unbound -V
Version 1.19.2

Configure line: --build=aarch64-linux-gnu --prefix=/usr --includedir=${prefix}/include --mandir=${prefix}/share/man --infodir=${prefix}/share/info --sysconfdir=/etc --localstatedir=/var --disable-option-checking --disable-silent-rules --libdir=${prefix}/lib/aarch64-linux-gnu --runstatedir=/run --disable-maintainer-mode --disable-dependency-tracking --with-pythonmodule --with-pyunbound --enable-subnet --enable-dnstap --enable-systemd --enable-cachedb --with-libhiredis --with-libnghttp2 --with-chroot-dir= --with-dnstap-socket-path=/run/dnstap.sock --disable-rpath --with-pidfile=/run/unbound.pid --with-libevent --enable-tfo-client --with-rootkey-file=/usr/share/dns/root.key --disable-flto --enable-tfo-server
Linked libs: libevent 2.1.12-stable (it uses epoll), OpenSSL 3.0.13 30 Jan 2024
Linked modules: dns64 python cachedb subnetcache respip validator iterator
TCP Fastopen feature available


BSD licensed, see LICENSE in source package for details.
Report bugs to [email protected] or https://github.com/NLnetLabs/unbound/issues

Update:

root@DNS:/etc/unbound# unbound -d -vv -c /etc/unbound/unbound.conf
[1730176049] unbound[4263:0] notice: Start of unbound 1.19.2.
[1730176049] unbound[4263:0] error: can't bind socket: Address already in use for 0.0.0.0 port 53
[1730176049] unbound[4263:0] fatal error: could not open ports
networking

2 Answers

  1. Best Answer
    error: can't bind socket: Address already in use for 0.0.0.0 port 53

    This is likely due to systemd-resolved's stub DNS listener listening on the same address / port (as hinted at also by your previous question).

    The logical course of action would be:

    1. Configuring Unbound to start on a different port (even a high one, just for testing), by adding, say, port: 3000 to /etc/unbound/unbound.conf;
    2. Completing Unbound's configuration;
    3. Starting Unbound: 
      systemctl start unbound
    4. Testing DNS resolution on port #3000 using dig -p3000 [...];
    5. Once everything is working, disabling systemd-resolved's listener, removing port: 3000 from /etc/unbound/unbound.conf and restarting both systemd-resolved and Unbound.

    To disable systemd-resolved's listener, create a directory /etc/systemd/resolved.conf.d containing a file named, e.g., 10-disable-listener.conf containing the following:

    [Resolve]
DNSStubListener=no

    Then, to restart both systemd-resolved and Unbound:

    systemctl restart systemd-resolved unbound
    • 2

  2. Appreciate @kos for his answer.

    After resolving the port issue, another issue that arose was that the file /etc/unbound/unbound.log did not have the correct file permission, given that "unbound" and not "root" was declared as the username: in /etc/unbound/unbound.conf. Hence, the unbound.service still failed to start.

    To resolve this issue, I did the following:

    1. Stopped and disabled unbound.service.

      systemctl stop unbound.service
systemctl disable unbound.service

    2. Created a new user called unbound as the primary member of a new group called unbound using this command:

      useradd -r -U -u 997 -c Unbound -d /etc/unbound/ -s /sbin/nologin unbound

    3. Changed the group membership of directory /etc/unbound and all its children files and directories from root to unbound with this command:

      chgrp -hR unbound /etc/unbound/

    4. Gave write-permission to the group membership of directory /etc/unbound and all its children files and directories:

      chmod -R g+w /etc/unbound/

    Running the command unbound -d -vv -c /etc/unbound/unbound.conf to start the service in debug mode confirmed that the /etc/unbound/unbound.log permission failure was resolved. Thereafter, I restarted unbound.service with the command systemctl restart unbound.service.

    • 1