Unbound - Authoritative Recursive Caching DNS Server

Status
Not open for further replies.

USer1245

New Around Here
With VPN constantly enabled, it doesn't make sense for a local DNS server.

But why does it make no sense? I mean, when I am outside on a public Wi-Fi I can encrypt my traffic with the VPN; without the DNS server the traffic goes to my ISP, and the DNS queries say something about my traffic and so on. I don't know whether I get it right. I mean this test https://cmdns.dev.dns-oarc.net/ is worse with the DNS from the ISP than with an Unbound local server.

Which operating system is installed on rP?
Raspbian
 

rgnldo

Very Senior Member

Martineau

Part of the Furniture

USer1245

New Around Here
Raspbian is a Debian environment. Just configure the repository in sources.list.
Code:
apt-get update
apt-get install -y unbound dnsutils
Configure as needed.
Unfortunately, due to the forum's thematic focus on ASUS routers, I will not extend much guidance to other devices.
see: https://www.raspberrypi.org/forums/viewforum.php?f=66

Thank you for helping me and sorry that I ask you so much.
I tested your commands and on the virtual machine it works; I will try it tomorrow with my RP.
But now I have some questions for understanding.
1. What does dnsutils do?
2. Can I still edit the config from Unbound or would it cause trouble?
3. But normally the instruction at the beginning would work with Pi-hole too, wouldn't it?

@Martineau I know how to install Unbound; the config was my problem.
 

Martineau

Part of the Furniture
@Martineau I know how to install Unbound; the config was my problem.
So your comment

"The script installer doesn't work as well, maybe you can help me."

refers to which script?
 

rgnldo

Very Senior Member
1. What does dnsutils do?
It is a set of DNS diagnostic tools (dig, nslookup, nsupdate, ...). It is for situations where Raspbian does not have them natively.
Can I still edit the config from Unbound or would it cause trouble?
Try using the unbound.conf suggested in your link. It is enough to live with Pi-hole. If you want a complete experience with Unbound, see the adblock script that I collaborated in organizing, which is being commented on in the unbound_manager script-installer thread.
But normally the instruction at the beginning would work with Pi-hole too, wouldn't it?
It is the same principle as Diversion, the router ad-blocker script organized here in the forum. Unbound interacts very well.
Follow the posts. Over time you will gain knowledge.
 

Kingp1n

Very Senior Member
Apparently Unbound wants an IPv6 address for its IPv6 queries to the stub-zone. Since IPv6 is not always working, I solved that using the local interface. Anyone interested in IPv6 can test.

Code:
    stub-zone:
        name: 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
        stub-addr: [email protected]
What does this do for those who have IPv6 enabled?
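
Added example, not code from the thread or from the unbound_manager project: the zone name in the stub-zone above is the ip6.arpa reverse of the 2001:db8::/64 prefix, and the two functions below convert any nibble-aligned IPv6 prefix to its reverse-zone name and back, so a stub-zone name can be checked against the prefix it is meant to cover before it goes into unbound.conf. The stub address ::1 in the usage line is a constructed placeholder, not the poster's value.

```python
import ipaddress


def ip6_arpa_zone(prefix):
    """Reverse-zone name for an IPv6 prefix; ip6.arpa cuts only at nibble (/4) boundaries."""
    net = ipaddress.IPv6Network(prefix)  # strict: host bits must be zero
    if net.prefixlen % 4:
        raise ValueError(f"{prefix}: prefix length must be a multiple of 4 for ip6.arpa")
    nibbles = net.network_address.exploded.replace(":", "")[: net.prefixlen // 4]
    return ".".join(reversed(nibbles)) + ".ip6.arpa."


def prefix_from_ip6_arpa(name):
    """Inverse: the compressed prefix that a reverse-zone name covers."""
    labels = name.lower().rstrip(".").split(".")
    if labels[-2:] != ["ip6", "arpa"]:
        raise ValueError(f"{name}: not an ip6.arpa name")
    nibble_labels = labels[:-2]  # least significant nibble first
    if not nibble_labels or len(nibble_labels) > 32 or any(
        len(lab) != 1 or lab not in "0123456789abcdef" for lab in nibble_labels
    ):
        raise ValueError(f"{name}: malformed nibble labels")
    nibbles = "".join(reversed(nibble_labels))
    full = nibbles.ljust(32, "0")  # pad to a complete 128-bit address
    addr = ":".join(full[i:i + 4] for i in range(0, 32, 4))
    return ipaddress.IPv6Network(f"{addr}/{len(nibbles) * 4}").compressed


def stub_zone_block(prefix, stub_addr):
    """Render the unbound.conf stanza from the post for the given prefix."""
    return (
        "stub-zone:\n"
        f"    name: {ip6_arpa_zone(prefix)}\n"
        f"    stub-addr: {stub_addr}\n"
    )


if __name__ == "__main__":
    # ::1 is a constructed placeholder for the poster's local stub address.
    print(stub_zone_block("2001:db8::/64", "::1"))
```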
 

Markster

Senior Member
The last changes to the code (I cannot pin it down) caused a big slowdown in Unbound performance with VPN clients.

This just started to happen with the new update. It is so bad that it takes 8 sec to load cnn.com over VPN.
When I configure the router and disable the VPN client then everything is fast again. I have been setting VPN client DNS to Disabled and this was always working for me very well. Are there additional settings I should apply in unbound.conf?
 

L&LD

Part of the Furniture
@Markster, I use OpenVPN every day back to my router from my phone and laptop and I don't see that issue. Quite the opposite actually, using OpenVPN makes the connection I'm on seem faster.
 

rgnldo

Very Senior Member
additional settings I should apply in unbound.conf?
There is no need.
This just started to happen with the new update.
Neither Unbound nor the script is to blame.
It is so bad that it takes 8 sec to load cnn.com over VPN.
Check these options on the WAN and VPN Client pages of the Merlin FW:

- WAN:
Connect to DNS Server automatically: No
DNS Server: add your VPN provider's primary and secondary static DNS

Then Save :)

- VPN Client:
Accept DNS Configuration: Strict

Then Save :)

- Restart your Unbound.

Report the result here to help others.
 

Markster

Senior Member
@Markster, I use OpenVPN every day back to my router from my phone and laptop and I don't see that issue. Quite the opposite actually, using OpenVPN makes the connection I'm on seem faster.

For sure. I agree, as I can also testify to that. Did the whole refresh as I was not certain what was causing the issue.
Did a complete rebuild, reset, manually configured everything, and I noticed that as soon as I enable the VPN client things get slow.
Changing DNS from Disabled to Strict on the VPN client did not make a difference. However, I noticed in the crush.log some messages about 127.0.0.1 nord(something). I did not have time to investigate further this morning as I was leaving for work.

I use NordVPN and sometimes they update or change something on the servers, so when I get home I will try to use a different server and see how that goes. Then report back.
 

Markster

Senior Member
There is no need.

Neither unbound nor the script is to blame.

Check these options on the WAN and VPN Client pages of the Merlin FW:

- WAN:
Connect to DNS Server automatically: No
DNS Server: add your VPN provider's primary and secondary static DNS

Then Save :)

- VPN Client:
Accept DNS Configuration: Strict

Then Save :)

- Restart your Unbound.

Report the result here to help others.

All settings confirmed as you mentioned. DNS Strict did not make a difference. I see some messages in the crush.log related to VPN on IP 127.0.0.1 but don't remember the exact syntax. When I am home I will investigate further and try a different VPN server (NordVPN).
 

rgnldo

Very Senior Member
Note: I don't use a commercial VPN on the router. I have this NordVPN account from a friend.

(NordVPN)

On WAN keep automatic DNS.
Set in unbound.conf -> forward-zone, at the end of the file.
Code:
forward-zone:
    name: "."
    forward-addr: 103.86.96.100
    forward-addr: 103.86.99.100

Code:
% dig cnn.com

; <<>> DiG 9.10.6 <<>> cnn.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62057
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1472
;; QUESTION SECTION:
;cnn.com.            IN    A

;; ANSWER SECTION:
cnn.com.        38    IN    A    151.101.65.67
cnn.com.        38    IN    A    151.101.193.67
cnn.com.        38    IN    A    151.101.129.67
cnn.com.        38    IN    A    151.101.1.67

;; Query time: 2 msec
;; SERVER: 2804:4474:201:cb00::1#53(2804:4474:201:cb00::1)
;; WHEN: Fri Feb 28 14:34:45 -03 2020
;; MSG SIZE  rcvd: 100

Code:
[1582911543] unbound[19005:0] notice: init module 0: dns64
[1582911543] unbound[19005:0] notice: init module 1: validator
[1582911543] unbound[19005:0] notice: init module 2: iterator
[1582911543] unbound[19005:0] info: start of service (unbound 1.9.6).
[1582911543] unbound[19005:0] info: resolving duckduckgo.com. A IN
[1582911543] unbound[19005:0] info: resolving duckduckgo.com. AAAA IN
[1582911544] unbound[19005:0] info: response for duckduckgo.com. A IN
[1582911544] unbound[19005:0] info: reply from <.> 103.86.96.100#53
[1582911544] unbound[19005:0] info: query response was ANSWER
[1582911544] unbound[19005:0] info: prime trust anchor
[1582911544] unbound[19005:0] info: generate keytag query _ta-4f66. NULL IN
[1582911544] unbound[19005:0] info: resolving . DNSKEY IN
[1582911544] unbound[19005:0] info: query response was ANSWER
[1582911544] unbound[19005:0] info: validate keys with anchor(DS): sec_status_secure
[1582911544] unbound[19005:0] info: Successfully primed trust anchor . DNSKEY IN
[1582911544] unbound[19005:0] info: resolving _ta-4f66. NULL IN
[1582911544] unbound[19005:0] info: query response was NXDOMAIN ANSWER
[1582911544] unbound[19005:0] info: resolving com. DS IN
[1582911544] unbound[19005:0] info: query response was ANSWER
[1582911544] unbound[19005:0] info: validated DS com. DS IN
[1582911544] unbound[19005:0] info: resolving com. DNSKEY IN
[1582911544] unbound[19005:0] info: response for duckduckgo.com. AAAA IN
[1582911544] unbound[19005:0] info: reply from <.> 103.86.99.100#53
[1582911544] unbound[19005:0] info: query response was nodata ANSWER
[1582911544] unbound[19005:0] info: validated DS com. DS IN
[1582911544] unbound[19005:0] info: response for com. DNSKEY IN
[1582911544] unbound[19005:0] info: reply from <.> 103.86.99.100#53
[1582911544] unbound[19005:0] info: query response was ANSWER
[1582911544] unbound[19005:0] info: validated DNSKEY com. DNSKEY IN
[1582911544] unbound[19005:0] info: validated DNSKEY com. DNSKEY IN
[1582911544] unbound[19005:0] info: resolving duckduckgo.com. DS IN
[1582911544] unbound[19005:0] info: response for duckduckgo.com. DS IN
[1582911550] unbound[19005:0] info: resolving cnn.com. A IN
[1582911550] unbound[19005:0] info: resolving cnn.com. AAAA IN
[1582911550] unbound[19005:0] info: response for cnn.com. AAAA IN
[1582911550] unbound[19005:0] info: reply from <.> 103.86.99.100#53
[1582911550] unbound[19005:0] info: query response was ANSWER
[1582911550] unbound[19005:0] info: resolving cnn.com. DS IN
[1582911550] unbound[19005:0] info: response for cnn.com. A IN
[1582911550] unbound[19005:0] info: reply from <.> 103.86.96.100#53
[1582911550] unbound[19005:0] info: query response was ANSWER
[1582911550] unbound[19005:0] info: response for cnn.com. DS IN
[1582911550] unbound[19005:0] info: reply from <.> 103.86.96.100#53
[1582911550] unbound[19005:0] info: query response was nodata ANSWER
[1582911550] unbound[19005:0] info: NSEC3s for the referral proved no DS.
[1582911550] unbound[19005:0] info: NSEC3s for the referral proved no DS.
[1582911550] unbound[19005:0] info: Verified that unsigned response is INSECURE
[1582911550] unbound[19005:0] info: Verified that unsigned response is INSECURE
[1582911550] unbound[19005:0] info: resolving www.cnn.com. A IN
[1582911550] unbound[19005:0] info: resolving www.cnn.com. AAAA IN
[1582911550] unbound[19005:0] info: response for www.cnn.com. A IN
[1582911550] unbound[19005:0] info: reply from <.> 103.86.96.100#53
[1582911550] unbound[19005:0] info: query response was CNAME
[1582911550] unbound[19005:0] info: resolving www.cnn.com. A IN
[1582911550] unbound[19005:0] info: response for www.cnn.com. AAAA IN
[1582911550] unbound[19005:0] info: reply from <.> 103.86.99.100#53
[1582911550] unbound[19005:0] info: query response was CNAME
[1582911550] unbound[19005:0] info: resolving www.cnn.com. AAAA IN
[1582911551] unbound[19005:0] info: response for www.cnn.com. A IN
[1582911551] unbound[19005:0] info: reply from <.> 103.86.96.100#53
[1582911551] unbound[19005:0] info: query response was ANSWER
[1582911551] unbound[19005:0] info: resolving cnn.com. DS IN
[1582911551] unbound[19005:0] info: NSEC3s for the referral proved no DS.
[1582911551] unbound[19005:0] info: Verified that unsigned response is INSECURE
[1582911551] unbound[19005:0] info: resolving net. DS IN
[1582911551] unbound[19005:0] info: query response was ANSWER
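
Added example, not code from the thread: a small parser for the verbose Unbound log format shown above. It tallies which forwarder answered, how many answers were verified as unsigned (INSECURE), and the longest gap in seconds between a query's "resolving" and "response for" lines, which is the evidence that separates a slow upstream from a resolver problem. The sample lines are a constructed subset of the log above, with the last reply's upstream changed so both forwarders appear.

```python
import re
from collections import Counter

# Constructed sample: a subset of the verbose Unbound log posted above, with one
# upstream changed so both NordVPN forwarders appear.
SAMPLE_LOG = """\
[1582911543] unbound[19005:0] info: start of service (unbound 1.9.6).
[1582911544] unbound[19005:0] info: validate keys with anchor(DS): sec_status_secure
[1582911550] unbound[19005:0] info: resolving cnn.com. A IN
[1582911550] unbound[19005:0] info: response for cnn.com. A IN
[1582911550] unbound[19005:0] info: reply from <.> 103.86.96.100#53
[1582911550] unbound[19005:0] info: Verified that unsigned response is INSECURE
[1582911550] unbound[19005:0] info: resolving www.cnn.com. A IN
[1582911550] unbound[19005:0] info: response for www.cnn.com. A IN
[1582911550] unbound[19005:0] info: reply from <.> 103.86.96.100#53
[1582911550] unbound[19005:0] info: resolving www.cnn.com. A IN
[1582911551] unbound[19005:0] info: response for www.cnn.com. A IN
[1582911551] unbound[19005:0] info: reply from <.> 103.86.99.100#53
"""

LINE_RE = re.compile(r"^\[(\d+)\] unbound\[\d+:\d+\] \w+: (.*)$")
RESOLVING_RE = re.compile(r"^resolving (\S+ \S+) IN$")
RESPONSE_RE = re.compile(r"^response for (\S+ \S+) IN$")
REPLY_RE = re.compile(r"^reply from <\S*> (\S+)#\d+$")
VERSION_RE = re.compile(r"^start of service \(unbound ([\d.]+)\)")


def summarize_unbound_log(text):
    """Count which upstream answered, how many answers were unsigned, and the
    worst-case seconds between 'resolving' and 'response for' per query."""
    summary = {"version": None, "anchor_primed_secure": False,
               "upstream_replies": Counter(), "insecure_verifications": 0,
               "query_seconds": {}}
    started = {}  # "name type" -> timestamp of the first 'resolving' line
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # not an Unbound log line
        ts, msg = int(m.group(1)), m.group(2)
        if (v := VERSION_RE.match(msg)):
            summary["version"] = v.group(1)
        elif msg.startswith("validate keys with anchor(DS): sec_status_secure"):
            summary["anchor_primed_secure"] = True
        elif (r := RESOLVING_RE.match(msg)):
            started.setdefault(r.group(1), ts)  # CNAME chases log 'resolving' again
        elif (r := RESPONSE_RE.match(msg)) and r.group(1) in started:
            q = r.group(1)
            summary["query_seconds"][q] = max(summary["query_seconds"].get(q, 0),
                                              ts - started[q])
        elif (r := REPLY_RE.match(msg)):
            summary["upstream_replies"][r.group(1)] += 1
        elif msg == "Verified that unsigned response is INSECURE":
            summary["insecure_verifications"] += 1
    return summary


def slowest_query(summary):
    """Return ('name type', seconds) for the slowest query, or None if none seen."""
    qs = summary["query_seconds"]
    return max(qs.items(), key=lambda kv: kv[1]) if qs else None
```

Run it over the output of `unbound-control verbosity 2` (or the router's syslog) to see which forwarder actually answers and whether any query's gap approaches the 8 seconds reported above.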
 

Markster

Senior Member
Note: I don't use a commercial VPN on the router. My VPN use is for private tunneling purposes on local edge networks. I have this NordVPN account from a friend, to help those who use it. My VPN use is at the laptop level and only ProtonVPN, to access some forums with the boring reCAPTCHA.

On WAN keep automatic DNS.
Set in unbound.conf -> forward-zone, at the end of the file.
Code:
forward-zone:
    name: "."
    forward-addr: 103.86.96.100
    forward-addr: 103.86.99.100

I can see that you had your NordVPN DNS IPs in the unbound.conf file:
forward-addr: 103.86.96.100
forward-addr: 103.86.99.100

This config would redirect all DNS queries to the VPN provider. In my case all my network devices except a thermostat and TV go over VPN.
There would be no point in using Unbound if all these devices used Nord DNS.

Before I used Unbound my config was
1. VPN Client DNS = Disable
2. WAN DNS set to DNSSEC + DoT using Quad9
3. DNS Filter = Enable (Router)

With the above setup, all devices were using DNSSEC + DoT from Quad9, and that included all VPN clients. Very fast, secure and efficient.
I also used Diversion and Skynet.

When I first started using Unbound all I did was use a default config, and all my devices were using the new Unbound DNS. It was impressive and I still am impressed with Unbound. I don't know what happened since then (2 days ago). I rebuilt my config from scratch; reset, reboot, manual reconfig etc. Something is strange and I will try to dig into it. I have not tracked down yet why VPN clients are suddenly so slow.
But I have definitely proven that it has something to do with VPN. If I disable VPN and let all clients be non-VPN, the browsing and DNS queries are very fast. I will spend some time figuring out why it was fine before and what is causing it. I will mention that in both cases, VPN or not, when I do a DNS leak test it shows my WAN IP, so I know Unbound DNS is used. Something else is at work.

UPDATE:

When I came back home today everything works just fine. As I suspected, NordVPN must have been doing some updates, or my ISP, who knows. The moral of the whole story is: if you have a config working and suddenly it does not .... wait a day :)

Thanks @rgnldo and @L&LD for suggestions. Much appreciated.
 

rgnldo

Very Senior Member
There would be no point in using Unbound if all these devices used Nord DNS.
In both situations, they work perfectly.
I gave the example to demonstrate that the problem is not Unbound.
 

Ubimo

Senior Member
Hello
I noticed this line in syslog after a reboot.
Code:
Mar  1 18:27:52 kernel: warning: process `unbound' used the deprecated sysctl system call with 1.40.6.
Is this normal?

And another curiosity.
I typed reboot into the SSH terminal and the router started to reboot.
During the shutdown procedure all services stop or shut down, but it looks like Unbound wants to start again?

Code:
Mar  1 18:26:14 WEBDAV_Server: daemon is stopped
Mar  1 18:26:14 Mastiff: Got SIGTERM
Mar  1 18:26:14 Mastiff: Got SIGTERM
Mar  1 18:26:14 Mastiff: Got SIGTERM
Mar  1 18:26:15 S61unbound: Starting Unbound DNS server /opt/etc/init.d/S61unbound
Mar  1 18:26:15 iTunes: daemon is stopped
Mar  1 18:26:15 FTP_Server: daemon is stopped
.....
Mar  1 18:26:17 S02haveged: Starting Haveged entropy /opt/etc/init.d/S02haveged
Mar  1 18:26:17 haveged: haveged: Stopping due to signal 15
....
Mar  1 18:26:28 FTP_Server: daemon is stopped
Mar  1 18:26:28 Samba_Server: smb daemon is stopped
Mar  1 18:26:28 Timemachine: daemon is stopped
Mar  1 18:26:36 custom_script: Running /jffs/scripts/unmount (args: /tmp/mnt/USB)
Mar  1 18:26:36 Diversion: disabling services for unmount
Mar  1 18:26:36 S61unbound: Starting Unbound DNS server /opt/etc/init.d/S61unbound
Mar  1 18:26:36 S02haveged: Starting Haveged entropy /opt/etc/init.d/S02haveged
Is that normal too?
 