Unbound Multiple Sites not working with unbound

[zackattack784]

I’ve been using unbound for months, never had an issue. I noticed today I couldn’t load a lot of sites but my internet was still up. Some examples, cbs sports app couldn’t load scores, couldn’t connected to wemo or iRobot apps.

I started going through all my add-ons and turning them off one by one (Skynet, diversion, and unbound) and much to my surprise unbound was the culprit.

If I turn it off everything works fine but as soon as I turn it back on I have issues. My wife confirmed she was also having issues today. I tried completely uninstalling unbound and reinstalling without success.

Anybody else having issues with unbound? Any suggestions?

 

[Martineau]

I’ve been using unbound for months, never had an issue. I noticed today I couldn’t load a lot of sites but my internet was still up. Some examples, cbs sports app couldn’t load scores, couldn’t connected to wemo or iRobot apps.

I started going through all my add-ons and turning them off one by one (Skynet, diversion, and unbound) and much to my surprise unbound was the culprit.

If I turn it off everything works fine but as soon as I turn it back on I have issues. My wife confirmed she was also having issues today. I tried completely uninstalling unbound and reinstalling without success.

Anybody else having issues with unbound? Any suggestions?

Is there anything in the unbound log e.g. SERVFAIL or NXDOMAIN messages for the failing site URLs?

Does dig or (equivalent) provide any real-time diagnostics for the failing site URLs?

Are you running the latest unbound release?

 

[zackattack784]

Is there anything in the unbound log e.g. SERVFAIL or NXDOMAIN messages for the failing site URLs?

Does dig or (equivalent) provide any real-time diagnostics for the failing site URLs?

Are you running the latest unbound release?

How would I go about pulling logs? Yes it’s the latest version, 3.22. For additional info, I haven’t messed with the config file so all default settings with DNS firewall enabled. RTAX88U router.

 

[Martineau]

How would I go about pulling logs?

Advanced mode allows you to modify the logging - either basic to '/opt/var/lib/unbound/unbound.log or advanced to syslog-ng '/opt/var/log/unbound.log' (syslog-ng/scribe) .

If unbound logging was ENABLED during the initial install, the log may be viewed in both Easy and Advanced mode by using command 'l'

e.g. Whilst in Advanced mode I previously used the scribe command, but currently running in Easy mode..

E:Option ==> l

/opt/var/log/unbound.log (syslog-ng/scribe)     Press CTRL-C to stop

and I then used a browser to access 'www.ibm.com' to see the result

Spoiler: Log results

Nov  1 14:44:18 RT-AC86U-6160 unbound: [3153:0] query: 127.0.0.1 www.ibm.com. A IN
Nov  1 14:44:18 RT-AC86U-6160 unbound: [3153:0] query: 127.0.0.1 www.ibm.com. A IN
Nov  1 14:44:19 RT-AC86U-6160 unbound: [3153:0] reply: 127.0.0.1 www.ibm.com. A IN NOERROR 0.639292 0 169
Nov  1 14:44:19 RT-AC86U-6160 unbound: [3153:0] reply: 127.0.0.1 www.ibm.com. A IN NOERROR 0.672389 0 169
Nov  1 14:44:19 RT-AC86U-6160 unbound: [3153:0] query: 127.0.0.1 tunnel.cfw.trustedsource.org. A IN
Nov  1 14:44:19 RT-AC86U-6160 unbound: [3153:0] reply: 127.0.0.1 tunnel.cfw.trustedsource.org. A IN NOERROR 0.000000 1 213
Nov  1 14:44:19 RT-AC86U-6160 unbound: [3153:0] query: 127.0.0.1 tunnel.cfw.trustedsource.org. AAAA IN
Nov  1 14:44:19 RT-AC86U-6160 unbound: [3153:0] reply: 127.0.0.1 tunnel.cfw.trustedsource.org. AAAA IN NOERROR 0.000000 1 151
Nov  1 14:44:21 RT-AC86U-6160 unbound: [3153:0] query: 127.0.0.1 1.cms.s81c.com. A IN
Nov  1 14:44:21 RT-AC86U-6160 unbound: [3153:0] query: 127.0.0.1 1.cms.s81c.com. A IN
Nov  1 14:44:21 RT-AC86U-6160 unbound: [3153:0] query: 127.0.0.1 1.www.s81c.com. A IN
Nov  1 14:44:21 RT-AC86U-6160 unbound: [3153:0] query: 127.0.0.1 cdnapi.kaltura.com. A IN
Nov  1 14:44:21 RT-AC86U-6160 unbound: [3153:0] query: 127.0.0.1 1.www.s81c.com. A IN
Nov  1 14:44:21 RT-AC86U-6160 unbound: [3153:0] query: 127.0.0.1 cdnapi.kaltura.com. A IN
Nov  1 14:44:21 RT-AC86U-6160 unbound: [3153:0] reply: 127.0.0.1 cdnapi.kaltura.com. A IN NOERROR 0.190105 0 129
Nov  1 14:44:21 RT-AC86U-6160 unbound: [3153:0] reply: 127.0.0.1 cdnapi.kaltura.com. A IN NOERROR 0.219243 0 129
Nov  1 14:44:21 RT-AC86U-6160 unbound: [3153:0] reply: 127.0.0.1 1.cms.s81c.com. A IN NOERROR 0.370856 0 200
Nov  1 14:44:21 RT-AC86U-6160 unbound: [3153:0] reply: 127.0.0.1 1.cms.s81c.com. A IN NOERROR 0.410124 0 200
Nov  1 14:44:21 RT-AC86U-6160 unbound: [3153:0] reply: 127.0.0.1 1.www.s81c.com. A IN NOERROR 0.441696 0 200
Nov  1 14:44:21 RT-AC86U-6160 unbound: [3153:0] reply: 127.0.0.1 1.www.s81c.com. A IN NOERROR 0.468679 0 200
Nov  1 14:44:21 RT-AC86U-6160 unbound: [3153:0] query: 127.0.0.1 api.www.s81c.com. A IN
Nov  1 14:44:21 RT-AC86U-6160 unbound: [3153:0] query: 127.0.0.1 api.www.s81c.com. A IN
Nov  1 14:44:22 RT-AC86U-6160 unbound: [3153:0] query: 127.0.0.1 newsroom.ibm.com. A IN
Nov  1 14:44:22 RT-AC86U-6160 unbound: [3153:0] query: 127.0.0.1 developer.ibm.com. A IN
Nov  1 14:44:22 RT-AC86U-6160 unbound: [3153:0] query: 127.0.0.1 support.ibm.com. A IN
Nov  1 14:44:22 RT-AC86U-6160 unbound: [3153:0] query: 127.0.0.1 fonts.gstatic.com. A IN
Nov  1 14:44:22 RT-AC86U-6160 unbound: [3153:0] reply: 127.0.0.1 fonts.gstatic.com. A IN NOERROR 0.000000 1 87
Nov  1 14:44:22 RT-AC86U-6160 unbound: [3153:0] query: 127.0.0.1 newsroom.ibm.com. A IN
Nov  1 14:44:22 RT-AC86U-6160 unbound: [3153:0] query: 127.0.0.1 support.ibm.com. A IN
Nov  1 14:44:22 RT-AC86U-6160 unbound: [3153:0] query: 127.0.0.1 developer.ibm.com. A IN
Nov  1 14:44:22 RT-AC86U-6160 unbound: [3153:0] query: 127.0.0.1 fonts.gstatic.com. A IN
Nov  1 14:44:22 RT-AC86U-6160 unbound: [3153:0] reply: 127.0.0.1 fonts.gstatic.com. A IN NOERROR 0.000000 1 87
Nov  1 14:44:22 RT-AC86U-6160 unbound: [3153:0] reply: 127.0.0.1 support.ibm.com. A IN NOERROR 0.052647 0 76
Nov  1 14:44:22 RT-AC86U-6160 unbound: [3153:0] reply: 127.0.0.1 support.ibm.com. A IN NOERROR 0.052647 0 76
Nov  1 14:44:22 RT-AC86U-6160 unbound: [3153:0] reply: 127.0.0.1 newsroom.ibm.com. A IN NOERROR 0.069054 0 146
Nov  1 14:44:22 RT-AC86U-6160 unbound: [3153:0] reply: 127.0.0.1 newsroom.ibm.com. A IN NOERROR 0.069054 0 146
Nov  1 14:44:22 RT-AC86U-6160 unbound: [3153:0] query: 127.0.0.1 www.ibm.org. A IN
Nov  1 14:44:22 RT-AC86U-6160 unbound: [3153:0] query: 127.0.0.1 www.redbooks.ibm.com. A IN
Nov  1 14:44:22 RT-AC86U-6160 unbound: [3153:0] reply: 127.0.0.1 www.redbooks.ibm.com. A IN NOERROR 0.074378 0 92
Nov  1 14:44:22 RT-AC86U-6160 unbound: [3153:0] query: 127.0.0.1 www.ibm.org. A IN
Nov  1 14:44:22 RT-AC86U-6160 unbound: [3153:0] query: 127.0.0.1 www.redbooks.ibm.com. A IN
Nov  1 14:44:22 RT-AC86U-6160 unbound: [3153:0] reply: 127.0.0.1 www.redbooks.ibm.com. A IN NOERROR 0.000000 1 92
Nov  1 14:44:22 RT-AC86U-6160 unbound: [3153:0] query: 127.0.0.1 www.research.ibm.com. A IN
Nov  1 14:44:22 RT-AC86U-6160 unbound: [3153:0] query: 127.0.0.1 www.research.ibm.com. A IN
Nov  1 14:44:22 RT-AC86U-6160 unbound: [3153:0] query: 127.0.0.1 login.ibm.com. A IN
Nov  1 14:44:22 RT-AC86U-6160 unbound: [3153:0] query: 127.0.0.1 login.ibm.com. A IN
Nov  1 14:44:22 RT-AC86U-6160 unbound: [3153:0] reply: 127.0.0.1 api.www.s81c.com. A IN NOERROR 0.782317 0 131
Nov  1 14:44:22 RT-AC86U-6160 unbound: [3153:0] reply: 127.0.0.1 api.www.s81c.com. A IN NOERROR 0.782317 0 131
Nov  1 14:44:22 RT-AC86U-6160 unbound: [3153:0] reply: 127.0.0.1 developer.ibm.com. A IN NOERROR 0.645690 0 155
Nov  1 14:44:22 RT-AC86U-6160 unbound: [3153:0] reply: 127.0.0.1 developer.ibm.com. A IN NOERROR 0.645690 0 155
Nov  1 14:44:22 RT-AC86U-6160 unbound: [3153:0] reply: 127.0.0.1 www.ibm.org. A IN NOERROR 0.451586 0 120
Nov  1 14:44:22 RT-AC86U-6160 unbound: [3153:0] reply: 127.0.0.1 www.ibm.org. A IN NOERROR 0.574203 0 120
<snip>
Nov  1 14:44:28 RT-AC86U-6160 unbound: [3153:0] query: 127.0.0.1 ocsp.comodoca.com.cdn.cloudflare.net. A IN
Nov  1 14:44:28 RT-AC86U-6160 unbound: [3153:0] reply: 127.0.0.1 ocsp.comodoca.com.cdn.cloudflare.net. A IN NOERROR 0.000000 0 86
Nov  1 14:44:28 RT-AC86U-6160 unbound: [3153:0] query: 127.0.0.1 ocsp.comodoca.com.cdn.cloudflare.net. AAAA IN
Nov  1 14:44:28 RT-AC86U-6160 unbound: [3153:0] query: 127.0.0.1 ocsp.comodoca.com.cdn.cloudflare.net. AAAA IN
Nov  1 14:44:28 RT-AC86U-6160 unbound: [3153:0] info: validation failure <ocsp.comodoca.com.cdn.cloudflare.net. AAAA IN>: no signatures from 198.41.223.31
Nov  1 14:44:28 RT-AC86U-6160 unbound: [3153:0] reply: 127.0.0.1 ocsp.comodoca.com.cdn.cloudflare.net. AAAA IN SERVFAIL 0.276134 0 54
Nov  1 14:44:28 RT-AC86U-6160 unbound: [3153:0] reply: 127.0.0.1 ocsp.comodoca.com.cdn.cloudflare.net. AAAA IN SERVFAIL 0.309863 0 54

^C

so you can see that it was correctly resolved, so similar testing of the failing site URLs may provide a clue.

Yes it’s the latest version, 3.22.

There is a distinction between the unbound_manager version and the unbound module provided by NL Labs
i.e. v3.23bA and v1.13.2 so it is helpful to disclose both as shown below:

+======================================================================+
|  Welcome to the unbound Manager/Installation script (Asuswrt-Merlin) |
|                                                                      |
|                      Version 3.23bA by Martineau                     |
|                                                                      |
+======================================================================+
unbound (pid 3153) is running... uptime: 0 Days, 18:04:15 version: 1.13.2 # Version=v1.13 Martineau update (Date Loaded by unbound_manager Sun Oct 31 20:03:05 GMT 2021)

1  = Update unbound files and configuration                     5  = Uninstall Ad and Tracker blocker (Ad Block)
z  = Remove unbound/unbound_manager                             6  = Uninstall Graphical Statistics GUI Add-on TAB
3  = Stop unbound                                               7  = Disable   DNS Firewall [?]
4  = Show unbound statistics                                    8  = Install YouTube Ad blocker
                                                                9  = Install Safe Search e.g. google.com->forcesafesearch.google.com

?  = About Configuration              
v  = View ('/opt/var/lib/unbound/unbound.conf')

e  = Exit Script [?]

For additional info, default settings with DNS firewall enabled.

If you are using unbound_manager's Adblock or DNS Firewall feature, then they may be the cause of the blocking, so it may be prudent to disable them in unbound_manager to see if these are indeed the cause of the DNS failures.

 

[zackattack784]

I forgot to mention I did try disabling the dns firewall and that didn’t fix it. Thanks for the write up. I’ll reenable unbound when I get home this evening, check the logs, and verify the module.

 

[zackattack784]

@Martineau, appreciate your help. I re-installed unbound and enabled logging and of course everything that didn't work last night/this morning now works perfectly fine. Very odd. If anything changes I'll try to grab some logs now that I know how.

Thanks again!