unbound is configured with a forward zone using DNS over TLS to Cloudflare's DNS servers; the IPv4 servers (1.1.1.1 and 1.0.0.1) are fine.
But I see these errors in unbound log:
Mon Aug 24 05:30:07 2020 daemon.err unbound: [20360:0] error: outgoing tcp: connect: Permission denied for 2606:4700:4700::1111 port 853
Mon Aug 24 05:30:07 2020 daemon.err unbound: [20360:0] error: outgoing tcp: connect: Permission denied for 2606:4700:4700::1001 port 853
Tested with openssl with this result:
root@OpenWrt:~# openssl s_client -tls1_3 -connect "[2606:4700:4700::1111]:853" -servername cloudflare-dns.com
3069257056:error:0200200D:system library:connect:Permission denied:crypto/bio/b_sock2.c:110:
3069257056:error:2008A067:BIO routines:BIO_connect:connect error:crypto/bio/b_sock2.c:111:
connect:errno=13
Google searches are not finding much.
Anyone know why this would be the case? I haven't posted in the Cloudflare forum as yet.
ip -6 route show
ip -6 route get 2606:4700:4700::1111
traceroute6 2606:4700:4700::1111
Thanks for the info.
ip -6 route show
fd0a:218f:b5b::/64 dev br-lan metric 1024
unreachable fd0a:218f:b5b::/48 dev lo metric 2147483647 error -113
fe80::/64 dev eth1 metric 256
fe80::/64 dev br-lan metric 256
fe80::/64 dev ifb4pppoe-wan metric 256
fe80::/64 dev wlan0 metric 256
fe80::/64 dev wlan0-1 metric 256
fe80::/64 dev ifb4wlan0-1 metric 256
fe80::/64 dev wlan1 metric 256
anycast fd0a:218f:b5b:: dev br-lan metric 0
anycast fe80:: dev eth1 metric 0
anycast fe80:: dev br-lan metric 0
anycast fe80:: dev ifb4pppoe-wan metric 0
anycast fe80:: dev wlan0 metric 0
anycast fe80:: dev wlan0-1 metric 0
anycast fe80:: dev ifb4wlan0-1 metric 0
anycast fe80:: dev wlan1 metric 0
ff00::/8 dev br-lan metric 256
ff00::/8 dev eth1 metric 256
ff00::/8 dev ifb4pppoe-wan metric 256
ff00::/8 dev wlan0 metric 256
ff00::/8 dev wlan0-1 metric 256
ff00::/8 dev ifb4wlan0-1 metric 256
ff00::/8 dev wlan1 metric 256
Some sort of IPv6 config issue?
ip -6 route get 2606:4700:4700::1111
ip: RTNETLINK answers: Permission denied
traceroute6 2606:4700:4700::1111
traceroute6: can't connect to remote host: Permission denied
Well that answers that, ideas on how to fix this?
It looks like you have no IPv6 connectivity.
You can simply remove the IPv6 addresses for DoT to avoid errors.
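A way to check this from the router itself, rather than discovering it in the unbound log: probe each candidate forwarder on port 853 the way unbound does and keep only the ones the kernel can actually reach. The script below is an added example written for this thread; it is not code from the original posts or from the unbound project. The errno it classifies is the point: EACCES (the errno=13 above) is what a Linux `prohibit` route or policy rule returns, while ENETUNREACH/EHOSTUNREACH come from a missing route or an `unreachable` route (the error -113 in the `ip -6 route show` output). All three mean the forwarder is dead until IPv6 connectivity exists, so it is dropped from the rendered forward-zone, and the remaining addresses are pinned to cloudflare-dns.com so unbound verifies the upstream certificate. The cert-bundle path, the `connect` hook used for offline testing, and the 192.0.2.x addresses are assumptions for illustration.

```python
"""Probe DoT forwarders before putting them in an unbound forward-zone.

Added example for this thread, not code from the original posts or from
the unbound project. The forwarder addresses and cloudflare-dns.com come
from the thread; the cert bundle path and the `connect` hook are assumed.
"""
import errno
import socket
from typing import Callable, Dict, List, Tuple

DOT_PORT = 853

# Errnos meaning "the kernel will not route to this address at all".
# EACCES: a `prohibit` route or policy rule (errno=13 in the thread).
# ENETUNREACH / EHOSTUNREACH: no route, or an `unreachable` route (error -113).
NO_ROUTE_ERRNOS = {errno.EACCES, errno.ENETUNREACH, errno.EHOSTUNREACH}


def default_connect(addr: str, port: int, timeout: float) -> None:
    """Real TCP connect; raises OSError on failure, closes on success."""
    sock = socket.create_connection((addr, port), timeout=timeout)
    sock.close()


def probe_forwarder(addr: str, port: int = DOT_PORT, timeout: float = 3.0,
                    connect: Callable[[str, int, float], None] = default_connect) -> str:
    """Classify a forwarder by how a TCP connect to its DoT port fails.

    Returns one of "ok", "no-route", "refused", "timeout" or "error".
    `connect` is injectable so the classification can be exercised offline.
    """
    try:
        connect(addr, port, timeout)
    except (socket.timeout, TimeoutError):
        return "timeout"
    except OSError as exc:
        if exc.errno in NO_ROUTE_ERRNOS:
            return "no-route"
        if exc.errno == errno.ECONNREFUSED:
            return "refused"
        return "error"
    return "ok"


def select_forwarders(candidates: List[str], **probe_kwargs) -> Tuple[List[str], Dict[str, str]]:
    """Probe every candidate; return the usable ones plus the per-address verdicts."""
    results = {addr: probe_forwarder(addr, **probe_kwargs) for addr in candidates}
    usable = [addr for addr in candidates if results[addr] == "ok"]
    return usable, results


def render_forward_zone(forwarders: List[str], tls_name: str,
                        cert_bundle: str = "/etc/ssl/certs/ca-certificates.crt") -> str:
    """Render an unbound forward-zone doing DoT to `forwarders` only.

    The addr@port#authname form makes unbound verify the upstream certificate
    against `tls_name`. The cert bundle path is an assumption (it is where the
    OpenWrt ca-bundle package puts it; other systems differ).
    """
    if not forwarders:
        raise ValueError("no reachable DoT forwarders; refusing to render an empty forward-zone")
    lines = [
        "server:",
        f'    tls-cert-bundle: "{cert_bundle}"',
        "",
        "forward-zone:",
        '    name: "."',
        "    forward-tls-upstream: yes",
    ]
    for addr in forwarders:
        lines.append(f"    forward-addr: {addr}@{DOT_PORT}#{tls_name}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # The four Cloudflare forwarders from the thread, probed for real.
    candidates = ["1.1.1.1", "1.0.0.1", "2606:4700:4700::1111", "2606:4700:4700::1001"]
    usable, results = select_forwarders(candidates)
    for addr, status in results.items():
        print(f"{addr:24} {status}")
    try:
        print(render_forward_zone(usable, "cloudflare-dns.com"))
    except ValueError as exc:
        print(f"not writing config: {exc}")
```

Run it on the router (or any box on the LAN with the same uplink) before editing the unbound config; on the setup in this thread the two 2606:4700:4700:: addresses come back as no-route and the rendered forward-zone contains only the IPv4 pair. A "refused" or "timeout" verdict is a different problem (the address is routable but nothing answers on 853), which is why the script keeps those verdicts distinct instead of lumping everything into "unreachable".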
OK, that makes sense. The ISP may not (does not) support IPv6. Removed the entries.
Thanks for the support.
system: This topic was automatically closed 10 days after the last reply (September 3, 2020). New replies are no longer allowed.