Unbound causing weirdness with facebook and netflix

michaels2408

Occasional Visitor
Morning,
Just did a fresh install of newest 386.5 firmware on my Asus RT-AC3100 with a clean format of my USB drive. Now when I install unbound it is interfering with Netflix and Facebook. Unbound is the culprit, as bypassing unbound in the router DNS filter using a custom DNS of 8.8.8.8, or just completely turning it off, stops the problems. With or without other ad blocking software like diversion running.
I tried to add forward zones to my unbound.conf file but for some reason it only lets me add one forward-zone: name: forward-addr line.
forward-zone: name: "facebook.com" forward-addr: 8.8.8.8 # sometimes this works, sometimes partially loads the page, sometimes I get a white blank page.
If I add a second forward-zone:
forward-zone: name: "fbcdn.net" forward-addr: 8.8.8.8 #found this on a reddit discussion about this issue.
this causes the following error:
***ERROR unbound configuration contains DUPLICATES - use option 'vx' to correct 'unbound.conf' or 'rl' to load a valid configuration file

Per unbound documentation I should be allowed to have multiple forward statements in the config file.

Here is some more weirdness surrounding my problem. Netflix fails with unbound on my Roku devices unless I turn it off or bypass the device in dns filter. However, Netflix runs just fine on my phone and laptop. Facebook fails on my laptop in multiple browsers (edge and firefox) unless I turn it off or bypass in dns filter but works on my phone. Some discussions I have seen are saying ECS could be the culprit and this module is not active in Unbound loaded from the AMTM menu.

I have completely reset my router and done formats on my usb drive. Basically multiple formats of the jffs partition, usb was formatted as NTFS on my laptop then formatted as ext4 on my router. With factory defaults loaded before and after I flashed clean firmware with md5 verified.

Web page error message shows
DNS_PROBE_FINISHED_NXDOMAIN

unbound.log shows:
Mar 14 09:35:14 unbound[21333:0] error: SERVFAIL <graph.facebook.com. A IN>: all servers for this domain failed, at zone facebook.com. upstream server timeout


I do not deeply understand unbound and have been digging and experimenting for hours. I tap out. Looking for some help, thoughts, or solutions I might have missed in my research.

Thanks in advance for any help,
Mike
 

John Fitzgerald

Senior Member
I didn't see that you installed Entware via the built in AMTM.

If you have not, install it, then from inside the Unbound script run option 1 to update Unbound.
 

dave14305

Part of the Furniture
The unbound manager script doesn’t allow multiple forward-addr lines, although it’s probably incorrect to do so.

You can probably cheat by putting your forward-zones in another file and adding an include: line at the end of unbound.conf.

Is there a good reason to forward facebook to Google DNS?
 

Martineau

Part of the Furniture
> If I add a second forward-zone:
> forward-zone: name: "fbcdn.net" forward-addr: 8.8.8.8 #found this on a reddit discussion about this issue.
> this causes the following error:
> ***ERROR unbound configuration contains DUPLICATES - use option 'vx' to correct 'unbound.conf' or 'rl' to load a valid configuration file
>
> Per unbound documentation I should be allowed to have multiple forward statements in the config file.

unbound_manager was designed to follow the same documented process used to amend the configs for common router services such as dnsmasq, given a major frustration is realising your hard efforts to customise a configuration have been inconveniently wiped/lost following either a new install or an upgrade.

i.e. Use menu option 1. Update unbound files and configuration
Code:
e  = Exit Script [?]

E:Option ==> 1
Now selecting the option will hopefully preserve the current configuration, whilst resetting 'unbound.conf' to the installation default.

So if you wish to customise using unbound_manager, rather than using vx to edit '/opt/var/lib/unbound/unbound.conf' direct (very easy to bork unbound - typos/misplaced directives etc.), you can place your custom directives in

'/opt/share/unbound/configs/unbound.conf.add'

and the directives (duplicates allowed ;)) will take precedence over those found in '/opt/var/lib/unbound/unbound.conf' when unbound_manager is restarted.

As a bonus, if unbound fails to start; simply rename '/opt/share/unbound/configs/unbound.conf.add' to quickly get unbound back up and running whilst you can hopefully very quickly correct the much smaller (and less complex?) configuration file.

NOTE: As per the Wiki, for more advanced control over tweaking, you can create script '/opt/share/unbound/configs/unbound.postconf' and it will be executed when necessary, however usually the desired customisation can be more easily applied simply using '/opt/share/unbound/configs/unbound.conf.add'
 
michaels2408

Occasional Visitor
Thank you for the information. I realized reinstalling unbound thru amtm reset the config file each time to a default, which is a good thing. I have the jffs config scripts enabled and added the following:

Code:
[email protected]:/jffs/configs# ls
dnsmasq.conf.add  unbound.conf.add
[email protected]:/jffs/configs# cat unbound.conf.add
forward-zone: name: "facebook.com" forward-addr: 1.1.1.1
forward-zone: name: "fbcdn.net"    forward-addr: 1.1.1.1
[email protected]:/jffs/configs#

However, it is not working, which is odd because when I put either of these forwards in my unbound.conf directly it works. Is there something else that needs to be done for these config files to be appended? There is a dnsmasq.conf.add created by other install scripts that seems to work just fine.
 

Martineau

Part of the Furniture
Reread post #4....unbound_manager is not part of the firmware, so it uses the Entware repository...so should survive a router reset/wipe.

Hint: the correct location is listed in the post highlighted in bold three times.
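
Added example, not part of the original posts and not unbound_manager code: a small audit of the forward-zone entries discussed in this thread, listing which external resolver each zone hands its queries to and flagging zone names declared more than once. The function names and the sample config are constructed for illustration; this does not reproduce unbound_manager's own DUPLICATES check, which the thread does not show.

```shell
#!/bin/sh
# Added example (not unbound_manager code). Function names are hypothetical.

# Constructed sample: the two zones from the thread, in one-line and
# multi-line layout, plus a repeated "facebook.com" declaration.
sample_conf() {
cat <<'EOF'
server:
    verbosity: 1
forward-zone: name: "facebook.com" forward-addr: 1.1.1.1  # one-line layout
forward-zone:
    name: "fbcdn.net"
    forward-addr: 1.1.1.1
    forward-addr: 8.8.8.8
forward-zone:
    name: "facebook.com"
    forward-addr: 8.8.8.8
EOF
}

# Read an unbound config on stdin; print "<block#> <zone> <forward-addr>"
# for every forwarder, whatever the line layout.
list_forward_zones() {
  awk '{
    sub(/#.*/, "")                                  # strip comments
    for (i = 1; i <= NF; i++) {
      t = $i
      if (t == "forward-zone:") { in_fz = 1; n++; zone = ""; continue }
      if (t == "server:" || t == "stub-zone:" || t == "auth-zone:" ||
          t == "remote-control:") { in_fz = 0; continue }
      if (!in_fz || i == NF) continue
      if (t == "name:") { zone = $(i + 1); gsub(/"/, "", zone); i++ }
      else if (t == "forward-addr:") { print n, zone, $(i + 1); i++ }
    }
  }'
}

# Print zone names that appear in more than one forward-zone block.
duplicate_zone_names() {
  list_forward_zones |
    awk '!seen[$1 " " $2]++ { count[$2]++ }
         END { for (z in count) if (count[z] > 1) print z }' | sort
}

sample_conf | list_forward_zones
echo "declared more than once: $(sample_conf | duplicate_zone_names)"
```

Feed it the file you are editing on stdin, for example the unbound.conf.add mentioned above, before restarting unbound.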
 

chongnt

Very Senior Member
I have a similar issue with TVBAnywhere. It works on all devices except my Google TV. After bypassing unbound and using local ISP DNS, it works fine on tv. I just added forward zone in unbound.conf.add, will check again tomorrow if the issue is gone.

Update: Turns out it was a different issue. I have to whitelist imasdk.googleapis.com for it to work on Google/Android TV.
 