Unbound Permission denied for IPv6 Cloudflare DNS servers

unbound is configured with a forward zone using DNS over TLS to the Cloudflare DNS servers. The IPv4 servers (1.1.1.1 and 1.0.0.1) are fine, but I see these errors in the unbound log:

Mon Aug 24 05:30:07 2020 daemon.err unbound: [20360:0] error: outgoing tcp: connect: Permission denied for 2606:4700:4700::1111 port 853
Mon Aug 24 05:30:07 2020 daemon.err unbound: [20360:0] error: outgoing tcp: connect: Permission denied for 2606:4700:4700::1001 port 853

Tested with openssl with this result:

root@OpenWrt:~# openssl s_client -tls1_3 -connect "[2606:4700:4700::1111]:853" -servername cloudflare-dns.com

3069257056:error:0200200D:system library:connect:Permission denied:crypto/bio/b_sock2.c:110:
3069257056:error:2008A067:BIO routines:BIO_connect:connect error:crypto/bio/b_sock2.c:111:
connect:errno=13

Google searches are not finding much.

Does anyone know why this would be the case? I haven't posted in the Cloudflare forum as yet.

ip -6 route show
ip -6 route get 2606:4700:4700::1111
traceroute6 2606:4700:4700::1111

Thanks for the info.

ip -6 route show

fd0a:218f:b5b::/64 dev br-lan  metric 1024
unreachable fd0a:218f:b5b::/48 dev lo  metric 2147483647  error -113
fe80::/64 dev eth1  metric 256
fe80::/64 dev br-lan  metric 256
fe80::/64 dev ifb4pppoe-wan  metric 256
fe80::/64 dev wlan0  metric 256
fe80::/64 dev wlan0-1  metric 256
fe80::/64 dev ifb4wlan0-1  metric 256
fe80::/64 dev wlan1  metric 256
anycast fd0a:218f:b5b:: dev br-lan  metric 0
anycast fe80:: dev eth1  metric 0
anycast fe80:: dev br-lan  metric 0
anycast fe80:: dev ifb4pppoe-wan  metric 0
anycast fe80:: dev wlan0  metric 0
anycast fe80:: dev wlan0-1  metric 0
anycast fe80:: dev ifb4wlan0-1  metric 0
anycast fe80:: dev wlan1  metric 0
ff00::/8 dev br-lan  metric 256
ff00::/8 dev eth1  metric 256
ff00::/8 dev ifb4pppoe-wan  metric 256
ff00::/8 dev wlan0  metric 256
ff00::/8 dev wlan0-1  metric 256
ff00::/8 dev ifb4wlan0-1  metric 256
ff00::/8 dev wlan1  metric 256

Some sort of IPv6 config issue?

ip -6 route get 2606:4700:4700::1111

ip: RTNETLINK answers: Permission denied

traceroute6 2606:4700:4700::1111

traceroute6: can't connect to remote host: Permission denied

Well, that answers that. Any ideas on how to fix this?


It looks like you have no IPv6 connectivity.
You can simply remove the IPv6 addresses for DoT to avoid errors.

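Acting on the advice above, here is an added shell example (not from this thread or from the unbound project) that emits the Cloudflare DoT forward-addr lines for an unbound forward zone and includes the IPv6 upstreams only when the output of `ip -6 route show` contains a default route. The route table samples are constructed from the output posted in this thread; the `forward-addr: IP@port#authname` form is unbound's own syntax for TLS upstreams.

```shell
#!/bin/sh
# Added example: without a global IPv6 default route, connect() to a global
# IPv6 address such as 2606:4700:4700::1111 fails with EACCES ("Permission
# denied"), which is what unbound and openssl reported above. So only emit
# IPv6 DoT upstreams when the kernel actually has an IPv6 default route.

# has_ipv6_default_route: reads `ip -6 route show` output on stdin and
# returns 0 if a usable default route is listed. "unreachable default",
# "blackhole default" and "prohibit default" lines do not start with
# "default", so they correctly do not count.
has_ipv6_default_route() {
    grep -qE '^(default|::/0) '
}

# build_forward_addrs ROUTES: prints unbound forward-addr lines for the
# Cloudflare DoT servers. ROUTES is the text of `ip -6 route show`.
build_forward_addrs() {
    routes="$1"
    printf 'forward-addr: 1.1.1.1@853#cloudflare-dns.com\n'
    printf 'forward-addr: 1.0.0.1@853#cloudflare-dns.com\n'
    if printf '%s\n' "$routes" | has_ipv6_default_route; then
        printf 'forward-addr: 2606:4700:4700::1111@853#cloudflare-dns.com\n'
        printf 'forward-addr: 2606:4700:4700::1001@853#cloudflare-dns.com\n'
    fi
}

# Constructed sample: a ULA-only table like the one in this thread (no
# default route, only link-local, ULA and multicast entries).
SAMPLE_NO_DEFAULT='fd0a:218f:b5b::/64 dev br-lan  metric 1024
unreachable fd0a:218f:b5b::/48 dev lo  metric 2147483647  error -113
fe80::/64 dev eth1  metric 256
ff00::/8 dev br-lan  metric 256'

# Constructed sample: the same table with a default route via the WAN link
# (the next-hop address is made up).
SAMPLE_WITH_DEFAULT="$SAMPLE_NO_DEFAULT
default via fe80::1 dev pppoe-wan  metric 1024"

# On a live router you would use: build_forward_addrs "$(ip -6 route show)"
build_forward_addrs "$SAMPLE_NO_DEFAULT"
```

Paste the printed lines into the forward-zone section of unbound.conf (or into the OpenWrt unbound UCI config); rerun the script after IPv6 connectivity appears to add the IPv6 entries back.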

OK, that makes sense. ISP may not (does not) support IPv6. Removed entries.

Thanks for the support.

