Unbound - Authoritative Recursive Caching DNS Server

Well, I can be wrong. For me, it doesn't work.
Code:
# certificates
tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"

auth-zone:
    name: "."
    url: "https://www.internic.net/domain/root.zone"
    fallback-enabled: yes
    for-downstream: no
    for-upstream: yes
    zonefile: root.zone

Code:
@rgnldo:/tmp/home/root# unbound-checkconf -f /opt/var/lib/unbound/unbound.conf
/opt/var/lib/unbound/unbound.conf:95: error: syntax error
read /opt/var/lib/unbound/unbound.conf failed: 1 errors in configuration file

Code:
@rgnldo:/tmp/home/root# /opt/etc/init.d/rc.unslung check
 Checking suricata...             alive.
 Checking clamav...              alive.
 Checking haveged...              alive.
 Checking unbound...              dead.
 
Is tls-cert-bundle still within the server: section of the config file?
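
The placement question raised in the reply above, as an added example (not the poster's or the project's code): unbound assigns each option to the most recent clause header regardless of indentation, so a small check can flag server-only options that end up under another clause. The option subset, the sample config and the function name are assumptions made for this illustration.

```python
import re

# Options accepted only inside the server: clause. Small subset chosen for this
# example; unbound.conf(5) documents the full list.
SERVER_ONLY = {"tls-cert-bundle", "interface", "port", "access-control"}

CLAUSE = re.compile(r"^([a-z0-9-]+):$")      # clause header, e.g. "auth-zone:"
OPTION = re.compile(r"^([a-z0-9-]+):\s*\S")  # option line, e.g. 'name: "."'

def misplaced_options(conf_text):
    """Return (line_no, option, clause) for server-only options outside server:."""
    findings, clause = [], None
    for line_no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # naive comment strip, enough here
        if not line:
            continue
        header = CLAUSE.match(line)
        if header:
            clause = header.group(1)  # clause membership follows the last header
            continue
        option = OPTION.match(line)
        if option and option.group(1) in SERVER_ONLY and clause != "server":
            findings.append((line_no, option.group(1), clause))
    return findings

# Constructed sample: the poster's fragment placed after a non-server clause.
BROKEN = """\
server:
    interface: 127.0.0.1
remote-control:
    control-enable: yes
# certificates
tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"
auth-zone:
    name: "."
    url: "https://www.internic.net/domain/root.zone"
    zonefile: root.zone
"""

# Same content with the option moved up into server:.
_l = BROKEN.splitlines()
FIXED = "\n".join(_l[:2] + [_l[5]] + _l[2:5] + _l[6:])

if __name__ == "__main__":
    print(misplaced_options(BROKEN))  # flags the tls-cert-bundle line
    print(misplaced_options(FIXED))
```
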
 
I have installed Unbound.

It appears to be working, I checked the "l" "Show unbound LIVE log entries" and I saw entries coming in.

But when I check my DNS being used I see NextDNS and my ISP's DNS ... would anyone know why this is occurring?


 
If NextDNS is still installed, it hooks into dnsmasq the same way unbound does, so your queries might go either place. Stop or uninstall nextdns to verify that. Are you sure the ISP address shown isn’t your own WAN IP and not your ISP DNS IP? Your WAN IP should show up as your DNS server in leak tests, which may not be good for you since you are concerned about leaks.
 
Yes! I just checked, it's actually the ISP's WAN IP ... so that should happen? Is there no way to stop that?

Edit: Unbound stops NextDNS from working too
 
It’s the same for me. LeakTest shows MY WAN IP (only), which I assumed is correct.

By my WAN IP I mean the one given to me from my ISP.
 
It’s the whole idea of Unbound. You become your own DNS server with no middlemen anymore.

Unbound isn’t meant to be used with any upstream resolvers like NextDNS when it is set up as a recursive resolver.
 
Ahh, of course. I have noticed that web pages are opening much faster.
 
For those expecting amtm support soon for Unbound
The good: Unbound will make it into amtm at some point in the future.
The bad: At the moment I have to concentrate on more pressing matters regarding my own scripts, they have precedence at the moment.
I am a one man show and have only limited resources. I hope you folks understand and let me code in peace.
Thanks :D
 
How well does Unbound use IPv6? I had been running IPv6 but disabled it a couple of weeks ago. Is there a performance benefit with IPv6?
 
Works fine now. Enable IPv6, install Unbound, it knows what to do. :)

Performance benefit? A big question. Not noticeably, but if we all live that long, IPv6 will be how the internet rolls! :D
 
amtm 3.1.2 is now available

What's new
- Adds unbound Manager as supported script

I am pleased to add the first script from @Martineau to amtm: unbound_manager (Manager/Installer utility for unbound - Recursive DNS Server)
unbound Manager is a front end for @rgnldo 's Unbound - Authoritative Recursive Caching DNS Server

How to update amtm
Use u to update to this latest version.

Updated mine - and confirm ... as usual ... works a treat right out of the box :D.
 
So I've read quite a bit today and it sounds like unbound is an "in-router" recursive DNS.
> But what I do not understand is at some points it's gotta reference an upstream DNS?
> I've read posts that say Unbound + NextDNS is not recommended but it's unclear to me why.. it seems that Unbound would deliver great cached speeds while NextDNS can provide the ad-blocking/filtering.
> What am I missing? I'm far from a DNS expert so speaking laymen would be awesome.
Thanks.
 
Instead of relying on a Google DNS, Cloudflare, Quad9 or NextDNS, Unbound will let you perform the same DNS functions as those public resolvers. Unbound will deal directly with the authoritative name server (i.e. domain owner) instead of relying on a third-party to do that. You cut out that middle-man. If you only want to use Unbound as another forwarder, it won't really offer much benefit over the built-in dnsmasq.

When Unbound gets a DNS request from a client, it will not use a single upstream server like you may be used to. Say it gets a request to look up www.snbforums.com. First it will query the root DNS servers to see what server is the owner of the .com top-level domain. Once it knows that server identity, it will query that one to see which DNS nameserver owns snbforums.com within the .com domain. Once it gets that response, it will query the snbforums.com DNS server to get the IP for www within snbforums.com.

It does all that directly between you and those servers, without sharing your DNS query data with a third-party DNS resolver like the ones I mentioned earlier.
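
The lookup walk described in the post above, as an added example (not part of the original post and not Unbound's code): it uses a constructed delegation table instead of real queries and lists which name each party sees for a cold-cache lookup, for a forwarder, for plain recursion, and for recursion with QNAME minimisation (RFC 9156, Unbound's `qname-minimisation` option). Server labels and function names are assumptions.

```python
# Constructed delegation data: zone -> label of the server answering for it.
DELEGATIONS = {
    ".": "root server",
    "com.": ".com TLD server",
    "snbforums.com.": "snbforums.com authoritative server",
}

def zone_chain(qname):
    """Zones from the root down that lie on the delegation path to qname."""
    labels = qname.rstrip(".").split(".")
    chain = ["."]
    for i in range(len(labels) - 1, -1, -1):
        zone = ".".join(labels[i:]) + "."
        if zone in DELEGATIONS:
            chain.append(zone)
    return chain

def recursive_exposure(qname, minimise):
    """(server, name that server is asked about) for each step of the walk."""
    chain = zone_chain(qname)
    seen = []
    for i, zone in enumerate(chain):
        last = i == len(chain) - 1
        # With minimisation, servers above the final zone are asked only about
        # the next zone cut (simplified: one step per delegation in the table).
        asked = chain[i + 1] if (minimise and not last) else qname
        seen.append((DELEGATIONS[zone], asked))
    return seen

def forwarder_exposure(qname, forwarder="third-party resolver"):
    """In forwarding mode a single upstream receives the full name."""
    return [(forwarder, qname)]

def who_sees_full_name(steps, qname):
    return [server for server, asked in steps if asked == qname]

if __name__ == "__main__":
    q = "www.snbforums.com."
    for label, steps in [("forwarder", forwarder_exposure(q)),
                         ("recursive", recursive_exposure(q, False)),
                         ("recursive + minimisation", recursive_exposure(q, True))]:
        print(label, steps)
```
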
 
Add this to the Q&A ;) :) :D
 
^^^ TY. Your explanation helped immensely! Unbound is essentially a private recursive DNS server running on our ASUS routers! WOW! Killer!

By all reports here and in several other forums I've read this weekend, Unbound is an AWESOME addition to the AMTM toolset and Asus-Merlin community. It is something I'd usually already have jumped into. But since my personal priority is to layer NextDNS's filtering on top of Skynet/Diversion/Pixelserv etc. The posts here and in NextDNS infer I need to leave Unbound boxed up - at least for now.

I get that Unbound "consulting" NextDNS would sort of defeat the "no dependencies" and "who do you trust" angles. I was hoping that it could sort of act as a caching element after it had consulted say NextDNS and make things load even faster but IDK if that's smart, crazy or totally defeats the expected use of Unbound. You know users, do crazy things, often far outside a programmer's scope of intended uses!

Thanks for continuing to make amtm one of the best support communities! Peace.
 