Unbound [SOLVED] Unbound not resolving anything

[inmtn]

Hi everyone,
I can't get Unbound to work. I've been researching some possible reasons but I'm stuck because my troubleshooting knowledge is only skin-deep.

Here's my setup:

• RT-AX86U running on Merlin 3004.388.4
• I did a factory reset (incl. initialize) and formatted JFFS partition
• I configured the router only so far as necessary to have an internet connection, i.e. WAN PPPoE credentials, Wifi SSID and PSK
• I enabled JFFS and SSH so I could use amtm
• in amtm I formatted my USB drive (a 128 GB SSD), installed Entware (64-bit as was recommended), created a 10 GB swap file, installed the disk check script

When installing unbound....

• I made sure all pre-reqs are fulfilled
• I went the default install path using option 1, enabled logging (not recommended, but necessary for troubleshooting, I figured) and performance tuning (recommended)

As soon as Unbound is running, all devices lose internet connectivity. Repeatedly viewing the statistics I can see the query queue fill up. Following the log I can see the queries coming in, but nothing ever gets resolved. At one point, the unbound log showed a "failed to get a delegation" error, but I was somehow unable to reproduce this.

This being basically a "fresh install" of the router to rule out tinkering by myself as the root cause, I'm slightly puzzled why the default settings everywhere don't seem to work. Can this be a model-specific issue? A couple of years ago I had both Diversion and unbound installed on a RT-AC3200 without issue. On the other hand, the RT-AX86U is a common and often-recommended model, so it seems unlikely to me that my issue would be model-specific.

Could anyone please guide me through the troubleshooting?

 

[dave14305]

First step is to understand how many DNS instances are active.

netstat -nltup | grep -E ':53 |unbound|dnsmasq'

 

[inmtn]

Hi Dave, thanks for taking me under your wing, I appreciate that.

The command yields this:

router@RT-AX86U-D318:/tmp/home/root# netstat -nltup | grep -E ':53 |unbound|dnsmasq'
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN      2146/dnsmasq
tcp        0      0 192.168.50.1:53         0.0.0.0:*               LISTEN      2146/dnsmasq
tcp        0      0 127.0.0.1:953           0.0.0.0:*               LISTEN      2117/unbound
tcp        0      0 127.0.0.1:53535         0.0.0.0:*               LISTEN      2117/unbound
udp        0      0 0.0.0.0:57390           0.0.0.0:*                           2146/dnsmasq
udp        0      0 127.0.0.1:53            0.0.0.0:*                           2146/dnsmasq
udp        0      0 192.168.50.1:53         0.0.0.0:*                           2146/dnsmasq
udp        0      0 0.0.0.0:53814           0.0.0.0:*                           2146/dnsmasq
udp        0      0 0.0.0.0:20534           0.0.0.0:*                           2146/dnsmasq
udp        0      0 0.0.0.0:67              0.0.0.0:*                           2146/dnsmasq
udp        0      0 0.0.0.0:46159           0.0.0.0:*                           2146/dnsmasq
udp        0      0 0.0.0.0:12428           0.0.0.0:*                           2146/dnsmasq
udp        0      0 0.0.0.0:59600           0.0.0.0:*                           2146/dnsmasq
udp        0      0 0.0.0.0:14547           0.0.0.0:*                           2146/dnsmasq
udp        0      0 0.0.0.0:6936            0.0.0.0:*                           2146/dnsmasq
udp        0      0 127.0.0.1:53535         0.0.0.0:*                           2117/unbound
udp        0      0 0.0.0.0:55630           0.0.0.0:*                           2146/dnsmasq
udp        0      0 0.0.0.0:35666           0.0.0.0:*                           2146/dnsmasq
udp        0      0 0.0.0.0:13186           0.0.0.0:*                           2146/dnsmasq
udp        0      0 0.0.0.0:37766           0.0.0.0:*                           2146/dnsmasq
udp        0      0 0.0.0.0:13708           0.0.0.0:*                           2146/dnsmasq
udp        0      0 0.0.0.0:47554           0.0.0.0:*                           2146/dnsmasq

Is it correct that nothing listens via udp, only tcp?

 

[dave14305]

Next round of troubleshooting. Install dig.

opkg update
opkg install bind-dig
dig www.snbforums.com @192.168.50.1
dig www.snbforums.com @127.0.0.1 -p 53535

 

[dave14305]

I don’t understand why you have so many random listening udp ports from dnsmasq. What’s in /etc/dnsmasq.conf?

 

[ColinTaylor]

I don’t understand why you have so many random listening udp ports from dnsmasq. What’s in /etc/dnsmasq.conf?

That was confusing me as well. Through the power of Google I ended up here:

https://thekelleys.org.uk/dnsmasq/docs/FAQ

So I guess that's the reason (Second addendum) although I can't recreate it on my router (but I don't use Unbound). If Unbound is the upstream resolver and that's not responding...

 

[inmtn]

Since there is no internet connectivity with unbound running, I have to switch it on and off accordingly. So I did another round with unbound running.

First of all the netstat output again:

router@RT-AX86U-D318:/tmp/home/root# netstat -nltup | grep -E ':53 |unbound|dnsmasq'
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN      6277/dnsmasq
tcp        0      0 192.168.50.1:53         0.0.0.0:*               LISTEN      6277/dnsmasq
tcp        0      0 127.0.0.1:953           0.0.0.0:*               LISTEN      6284/unbound
tcp        0      0 127.0.0.1:53535         0.0.0.0:*               LISTEN      6284/unbound
udp        0      0 127.0.0.1:53            0.0.0.0:*                           6277/dnsmasq
udp        0      0 192.168.50.1:53         0.0.0.0:*                           6277/dnsmasq
udp        0      0 0.0.0.0:67              0.0.0.0:*                           6277/dnsmasq
udp        0      0 0.0.0.0:47260           0.0.0.0:*                           6277/dnsmasq
udp        0      0 0.0.0.0:51868           0.0.0.0:*                           6277/dnsmasq
udp        0      0 127.0.0.1:53535         0.0.0.0:*                           6284/unbound
udp        0      0 0.0.0.0:12190           0.0.0.0:*                           6277/dnsmasq

Now there are fewer udp ports than before.

Next up is /etc/dnsmasq.conf. I opened nano and read the file there. I hope this was correct?!

pid-file=/var/run/dnsmasq.pid
user=nobody
bind-dynamic
interface=br0
interface=pptp*
no-dhcp-interface=pptp*
no-resolv
no-poll
no-negcache
cache-size=0
min-port=4096
domain=lan
expand-hosts
bogus-priv
domain-needed
local=/lan/
dhcp-range=lan,192.168.50.2,192.168.50.254,255.255.255.0,86400s
dhcp-option=lan,3,192.168.50.1
dhcp-option=lan,15,lan
dhcp-option=lan,252,"\n"
dhcp-option=lan,42,0.0.0.0
dhcp-authoritative
interface=br1
dhcp-range=br1,192.168.101.2,192.168.101.254,255.255.255.0,86400s
dhcp-option=br1,3,192.168.101.1
interface=br2
dhcp-range=br2,192.168.102.2,192.168.102.254,255.255.255.0,86400s
dhcp-option=br2,3,192.168.102.1
address=/use-application-dns.net/
address=/_dns.resolver.arpa/
dhcp-name-match=set:wpad-ignore,wpad
dhcp-ignore-names=tag:wpad-ignore
dhcp-script=/sbin/dhcpc_lease
script-arp
edns-packet-max=1232
server=127.0.0.1#53535

AFAIK, dig gets installed with unbound anyway, so I was able to input the commands without installing it first via opkg.

Here's the output with unbound running:

router@RT-AX86U-D318:/tmp/home/root# dig www.snbforums.com @192.168.50.1
;; communications error to 192.168.50.1#53: timed out
;; communications error to 192.168.50.1#53: timed out
;; communications error to 192.168.50.1#53: timed out

; <<>> DiG 9.18.16 <<>> www.snbforums.com @192.168.50.1
;; global options: +cmd
;; no servers could be reached

router@RT-AX86U-D318:/tmp/home/root# dig www.snbforums.com @127.0.0.1 -p 53535
;; communications error to 127.0.0.1#53535: timed out
;; communications error to 127.0.0.1#53535: timed out
;; communications error to 127.0.0.1#53535: timed out

; <<>> DiG 9.18.16 <<>> www.snbforums.com @127.0.0.1 -p 53535
;; global options: +cmd
;; no servers could be reached

And, for what it's worth, here is the output with unbound stopped:

router@RT-AX86U-D318:/tmp/home/root# dig www.snbforums.com @192.168.50.1

; <<>> DiG 9.18.16 <<>> www.snbforums.com @192.168.50.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48177
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;www.snbforums.com.             IN      A

;; ANSWER SECTION:
www.snbforums.com.      60      IN      CNAME   snbforums.com.
snbforums.com.          60      IN      A       45.77.76.174

;; Query time: 14 msec
;; SERVER: 192.168.50.1#53(192.168.50.1) (UDP)
;; WHEN: Thu Oct 19 20:17:28 CEST 2023
;; MSG SIZE  rcvd: 76

router@RT-AX86U-D318:/tmp/home/root# dig www.snbforums.com @127.0.0.1 -p 53535
;; communications error to 127.0.0.1#53535: connection refused
;; communications error to 127.0.0.1#53535: connection refused
;; communications error to 127.0.0.1#53535: connection refused

; <<>> DiG 9.18.16 <<>> www.snbforums.com @127.0.0.1 -p 53535
;; global options: +cmd
;; no servers could be reached

 

[dave14305]

You need to be able to test Unbound on its own without disrupting dnsmasq. Then we can poke at Unbound until it is working fine.

unbound -c /opt/var/lib/unbound/unbound.conf

This should start Unbound without reconfiguring dnsmasq. Then run some digs against 127.0.0.1 -p 53535 and post the results. Also post the /opt/var/lib/unbound/unbound.conf file. And post some unbound logs to pastebin.com.

 

[inmtn]

Thank you, Dave. I did all of that and here is the response:

First of all the digs:

ASUSWRT-Merlin RT-AX86U 3004.388.4_0 Mon Aug 21 19:34:20 UTC 2023
router@RT-AX86U-D318:/tmp/home/root# unbound -c /opt/var/lib/unbound/unbound.conf
router@RT-AX86U-D318:/tmp/home/root# dig www.snbforums.com @127.0.0.1 -p 53535
;; communications error to 127.0.0.1#53535: timed out
;; communications error to 127.0.0.1#53535: timed out
;; communications error to 127.0.0.1#53535: timed out

; <<>> DiG 9.18.16 <<>> www.snbforums.com @127.0.0.1 -p 53535
;; global options: +cmd
;; no servers could be reached

router@RT-AX86U-D318:/tmp/home/root# dig www.google.com @127.0.0.1 -p 53535
;; communications error to 127.0.0.1#53535: timed out
;; communications error to 127.0.0.1#53535: timed out
;; communications error to 127.0.0.1#53535: timed out

; <<>> DiG 9.18.16 <<>> www.google.com @127.0.0.1 -p 53535
;; global options: +cmd
;; no servers could be reached

And these are the corresponding log entries:

Oct 20 09:01:38 unbound[15275:0] notice: init module 0: respip
Oct 20 09:01:38 unbound[15275:0] notice: init module 1: validator
Oct 20 09:01:38 unbound[15275:0] notice: init module 2: iterator
Oct 20 09:01:38 unbound[15275:0] info: start of service (unbound 1.17.1).
Oct 20 09:02:28 unbound[15275:0] error: SERVFAIL <www.internic.net. A IN>: failed to get a delegation (eg. prime failure)
Oct 20 09:02:28 unbound[15275:0] error: .: failed lookup, cannot transfer from master www.internic.net
Oct 20 09:02:28 unbound[15275:0] error: SERVFAIL <. DNSKEY IN>: failed to get a delegation (eg. prime failure)
Oct 20 09:02:59 unbound[15275:0] query: 127.0.0.1 www.snbforums.com. A IN
Oct 20 09:03:04 unbound[15275:0] query: 127.0.0.1 www.snbforums.com. A IN
Oct 20 09:03:09 unbound[15275:0] query: 127.0.0.1 www.snbforums.com. A IN
Oct 20 09:03:25 unbound[15275:0] query: 127.0.0.1 www.google.com. A IN
Oct 20 09:03:30 unbound[15275:0] query: 127.0.0.1 www.google.com. A IN
Oct 20 09:03:35 unbound[15275:0] query: 127.0.0.1 www.google.com. A IN
Oct 20 09:05:38 unbound[15275:0] error: SERVFAIL <www.google.com. A IN>: failed to get a delegation (eg. prime failure)
Oct 20 09:05:38 unbound[15275:0] error: SERVFAIL <www.internic.net. A IN>: failed to get a delegation (eg. prime failure)
Oct 20 09:05:38 unbound[15275:0] error: .: failed lookup, cannot transfer from master www.internic.net
Oct 20 09:05:38 unbound[15275:0] error: SERVFAIL <www.snbforums.com. A IN>: failed to get a delegation (eg. prime failure)

So unbound itself has no access to a DNS!?

Finally, I pasted my unbound.conf here. Mind you, this is as it was installed and setup by unbound_manager.

Pastebin - unbound.conf

 

[Mogsy]

Thank you, Dave. I did all of that and here is the response:

First of all the digs:

ASUSWRT-Merlin RT-AX86U 3004.388.4_0 Mon Aug 21 19:34:20 UTC 2023
router@RT-AX86U-D318:/tmp/home/root# unbound -c /opt/var/lib/unbound/unbound.conf
router@RT-AX86U-D318:/tmp/home/root# dig www.snbforums.com @127.0.0.1 -p 53535
;; communications error to 127.0.0.1#53535: timed out
;; communications error to 127.0.0.1#53535: timed out
;; communications error to 127.0.0.1#53535: timed out

; <<>> DiG 9.18.16 <<>> www.snbforums.com @127.0.0.1 -p 53535
;; global options: +cmd
;; no servers could be reached

router@RT-AX86U-D318:/tmp/home/root# dig www.google.com @127.0.0.1 -p 53535
;; communications error to 127.0.0.1#53535: timed out
;; communications error to 127.0.0.1#53535: timed out
;; communications error to 127.0.0.1#53535: timed out

; <<>> DiG 9.18.16 <<>> www.google.com @127.0.0.1 -p 53535
;; global options: +cmd
;; no servers could be reached

And these are the corresponding log entries:

Oct 20 09:01:38 unbound[15275:0] notice: init module 0: respip
Oct 20 09:01:38 unbound[15275:0] notice: init module 1: validator
Oct 20 09:01:38 unbound[15275:0] notice: init module 2: iterator
Oct 20 09:01:38 unbound[15275:0] info: start of service (unbound 1.17.1).
Oct 20 09:02:28 unbound[15275:0] error: SERVFAIL <www.internic.net. A IN>: failed to get a delegation (eg. prime failure)
Oct 20 09:02:28 unbound[15275:0] error: .: failed lookup, cannot transfer from master www.internic.net
Oct 20 09:02:28 unbound[15275:0] error: SERVFAIL <. DNSKEY IN>: failed to get a delegation (eg. prime failure)
Oct 20 09:02:59 unbound[15275:0] query: 127.0.0.1 www.snbforums.com. A IN
Oct 20 09:03:04 unbound[15275:0] query: 127.0.0.1 www.snbforums.com. A IN
Oct 20 09:03:09 unbound[15275:0] query: 127.0.0.1 www.snbforums.com. A IN
Oct 20 09:03:25 unbound[15275:0] query: 127.0.0.1 www.google.com. A IN
Oct 20 09:03:30 unbound[15275:0] query: 127.0.0.1 www.google.com. A IN
Oct 20 09:03:35 unbound[15275:0] query: 127.0.0.1 www.google.com. A IN
Oct 20 09:05:38 unbound[15275:0] error: SERVFAIL <www.google.com. A IN>: failed to get a delegation (eg. prime failure)
Oct 20 09:05:38 unbound[15275:0] error: SERVFAIL <www.internic.net. A IN>: failed to get a delegation (eg. prime failure)
Oct 20 09:05:38 unbound[15275:0] error: .: failed lookup, cannot transfer from master www.internic.net
Oct 20 09:05:38 unbound[15275:0] error: SERVFAIL <www.snbforums.com. A IN>: failed to get a delegation (eg. prime failure)

So unbound itself has no access to a DNS!?

Finally, I pasted my unbound.conf here. Mind you, this is as it was installed and setup by unbound_manager.

Pastebin - unbound.conf

Hi, do you have ntpMerlin installed?

 

[inmtn]

Hi, do you have ntpMerlin installed?

Not currently. Before I did a factory reset to get to the bottom of this issue, I had ntpMerlin installed (using chronyd and set to intercept all ntp requests). I remember playing around with it a little (installing/uninstalling it etc.) because I thought that it might be related to my unbound issue, but I didn't get anywhere just by tinkering around....

This is my current ntp config:

 

[joe scian]

nothing wrong or out of ordinary with unbound.conf or /etc/dnsmasq.conf.
You are listening on the correct tcp ports
You could try posting WAN DNS Settings on router. Failed to get delegation error could be something screwed with NTP Server.
Perhaps install NTPmerlin again choose chrony and make sure NTP is working and your Router date is correct.

After installing NTPmerlin issue command unbound_manager advanced and then ? about configuration - and post a screenshot
cheers




this is what you should get with the command you are trying. Have you tried doing a clean reinstall of unbound using amtm?

; <<>> DiG 9.18.16 <<>> www.snbforums.com @127.0.0.1 -p 53535
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34424
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1472
;; QUESTION SECTION:
;www.snbforums.com. IN A

;; ANSWER SECTION:
www.snbforums.com. 1151 IN CNAME snbforums.com.
snbforums.com. 1151 IN A 45.77.76.174

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53535(127.0.0.1) (UDP)
;; WHEN: Fri Oct 20 19:57:14 AEDT 2023
;; MSG SIZE rcvd: 76


also using my router address
joescian@RT-AC86U-6440:/tmp/home/root# dig www.snbforums.com @192.168.2.241

; <<>> DiG 9.18.16 <<>> www.snbforums.com @192.168.2.241
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9004
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;www.snbforums.com. IN A

;; ANSWER SECTION:
www.snbforums.com. 626 IN CNAME snbforums.com.
snbforums.com. 626 IN A 45.77.76.174

;; Query time: 0 msec
;; SERVER: 192.168.2.241#53(192.168.2.241) (UDP)
;; WHEN: Fri Oct 20 20:28:56 AEDT 2023
;; MSG SIZE rcvd: 76

 

[inmtn]

nothing wrong or out of ordinary with unbound.conf or /etc/dnsmasq.conf.
You are listening on the correct tcp ports

this is what you should get with the command you are trying. Have you tried doing a clean reinstall of unbound using amtm?

Thanks for chipping in, joe! Re clean install: This is very much the starting point of this thread - as much factory default as possible, only minimal configuration to setup the prerequisites of running unbound. That's why my issue puzzles me so much.

 

[joe scian]

Thanks for chipping in, joe! Re clean install: This is very much the starting point of this thread - as much factory default as possible, only minimal configuration to setup the prerequisites of running unbound. That's why my issue puzzles me so much.

i updated my post with a few more ideas. ps worthwhile installing scribe and then issuing scribe command under unbound_manager advanced.
Will make the organisation ond output of unbound logs much easier to read. While you are at it issue sgui command to install the graphing. I had issue that cache wasnt being updated in addons until i issued a refresh of sgui. You can of course install graphical stats via amtm also

 

[dave14305]

So unbound itself has no access to a DNS!?

Try adding these lines after the line zonefile: root.zone in the conf.

  master: 199.9.14.201         # b.root-servers.net
  master: 192.33.4.12          # c.root-servers.net
  master: 199.7.91.13          # d.root-servers.net
  master: 192.5.5.241          # f.root-servers.net
  master: 192.112.36.4         # g.root-servers.net
  master: 193.0.14.129         # k.root-servers.net
  master: 192.0.47.132         # xfr.cjr.dns.icann.org
  master: 192.0.32.132         # xfr.lax.dns.icann.org

 

[inmtn]

@dave14305: I figured I need to stop and restart unbound after changing the conf-file, correct? Anyway, I did it using unbound-control stop and then unbound -c /opt/var/lib/unbound/unbound.conf again.

However, no change:

Oct 20 14:34:46 unbound[27567:0] info: start of service (unbound 1.17.1).
Oct 20 14:34:53 unbound[27567:0] query: 127.0.0.1 www.internic.com. A IN
Oct 20 14:34:58 unbound[27567:0] query: 127.0.0.1 www.internic.com. A IN
Oct 20 14:35:03 unbound[27567:0] query: 127.0.0.1 www.internic.com. A IN
Oct 20 14:35:36 unbound[27567:0] error: SERVFAIL <www.internic.com. A IN>: failed to get a delegation (eg. prime failure)
Oct 20 14:35:36 unbound[27567:0] error: SERVFAIL <. DNSKEY IN>: failed to get a delegation (eg. prime failure)
Oct 20 14:37:19 unbound[27567:0] query: 127.0.0.1 www.snbforums.com. A IN
Oct 20 14:37:24 unbound[27567:0] query: 127.0.0.1 www.snbforums.com. A IN
Oct 20 14:37:29 unbound[27567:0] query: 127.0.0.1 www.snbforums.com. A IN
Oct 20 14:37:42 unbound[27567:0] query: 127.0.0.1 www.google.com. A IN
Oct 20 14:37:47 unbound[27567:0] query: 127.0.0.1 www.google.com. A IN
Oct 20 14:37:52 unbound[27567:0] query: 127.0.0.1 www.google.com. A IN
Oct 20 14:40:25 unbound[27567:0] error: SERVFAIL <www.google.com. A IN>: failed to get a delegation (eg. prime failure)
Oct 20 14:40:25 unbound[27567:0] error: SERVFAIL <www.snbforums.com. A IN>: failed to get a delegation (eg. prime failure)

So whenever unbound receives a query, it tries to do.... something for 2-3 minutes, then returns the error. Should I increase log verbosity?

@joe scian: I'll try your suggestions as soon as possible.

 

[dave14305]

Should I increase log verbosity?

Yes, please. Level 4.

Check the contents of /opt/var/lib/unbound/root.hints

Also try comment out this whole section.

auth-zone:
       name: "."
       url: "https://www.internic.net/domain/root.zone"
       fallback-enabled: yes
       for-downstream: no
       for-upstream: yes
       zonefile: root.zone

 

[inmtn]

OK, so I installed scribe and the log handling got indeed much easier. Thank you, @joe scian

So, on with the show The root.hints file contains domain names and IP addresses of 13 servers. The IPs match what you told me to add to the unbound.conf file (except the last two from your code, which are not in the root.hints file).

With the whole auth-zone part out-commented, the verbose log looks like this for one single dig for www.snbforums.com:
Pastebin: 2023-10-20_unbound.log_no-auth-zone

Later I reverted unbound.conf to the original state (no additional master entries, auth-zone NOT out-commented), installed ntpMerlin with chrony, rebooted, gave the router time to settle, and tried again:
Pastebin: 2023-10-20_unbound.log_chrony - I had to shorten the log at the end, but it essentially just keeps repeating
And spoiler: To me the logs look kind of the same.

This is also something I keep seeing when tailing the log: Even without a specific query, unbound keeps trying to resolve www.internic.net over and over and over, but always fails. The log entries look like the pastes above. It's like unbound is somehow blocked from accessing the internet.

Another question: I keep seeing "a dot" where.... something else should be, maybe? Might this be related to the issue?

Oct 20 16:50:27 RT-AX86U-D318 unbound: [16279:0] info: trust point . : 1
Oct 20 16:50:27 RT-AX86U-D318 unbound: [16279:0] info: assembled 1 DS and 0 DNSKEYs
Oct 20 16:50:27 RT-AX86U-D318 unbound: [16279:0] info: DS:: .    3600    IN    DS    20326 8 2 E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D
Oct 20 16:50:27 RT-AX86U-D318 unbound: [16279:0] info: [  VALID  ] .    3600    IN    DS    20326 8 2 E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D ;;state:2 ;;pending_count:0 last:Thu Jan  1 01:00:00 1970
Oct 20 16:50:27 RT-AX86U-D318 unbound: [16279:0] debug: read zonefile root.zone for .
Oct 20 16:50:27 RT-AX86U-D318 unbound: [16279:0] debug: no zonefile root.zone for .
Oct 20 16:50:27 RT-AX86U-D318 unbound: [16279:0] info: DelegationPoint<.>: 13 names (0 missing), 26 addrs (0 result, 26 avail) parentNS
Oct 20 16:50:27 RT-AX86U-D318 unbound: [16279:0] debug: auth zone . timeout in 0 seconds
Oct 20 16:50:27 RT-AX86U-D318 unbound: [16279:0] info: autotrust probe . DNSKEY IN
Oct 20 16:50:27 RT-AX86U-D318 unbound: [16279:0] info: respip operate: query . DNSKEY IN
Oct 20 16:50:27 RT-AX86U-D318 unbound: [16279:0] info: validator operate: query . DNSKEY IN
Oct 20 16:50:27 RT-AX86U-D318 unbound: [16279:0] info: resolving . DNSKEY IN
Oct 20 16:50:27 RT-AX86U-D318 unbound: [16279:0] info: resolving (init part 2):  . DNSKEY IN
Oct 20 16:50:27 RT-AX86U-D318 unbound: [16279:0] info: resolving (init part 3):  . DNSKEY IN
Oct 20 16:50:27 RT-AX86U-D318 unbound: [16279:0] info: processQueryTargets: . DNSKEY IN

 

[inmtn]

And, for what it's worth, here's my DNS config in the router GUI:

LAN --> DHCP:

DNS Director:

 

[dave14305]

What about a direct query to a root server?

dig NS . @199.9.14.201

Is there any chance your ISP is intercepting DNS queries?

If you run a leak test below, change your WAN DNS settings to Google or Cloudflare and re-run the test, can you see the results change?

DNS leak test

dnsleaktest.com