Unbound unbound_manager (Manager/Installer utility for unbound - Recursive DNS Server) - General questions / discussion thread 2


the 0-1usec spike should be sizable (the tallest/longest), and the majority of the other bars (assuming you're not using the Pie Chart option) should be on the faster side. (my next tallest spike is 16-32ms, and then 32-65ms followed by 65-131ms... 0-1usec is roughly 2x as tall, but it's an order of magnitude faster. not unremarkable in the least, that)
I hadn't noticed before, but it's effectively a logarithmic scale, each bar is twice the time of the bar prior. The 0-1µs is thus ~30,000x the 16-32/32-64ms ranges. That's actually FOUR orders of magnitude faster! Caching is awesome :cool:. Even so, 200ms passes in the blink of an eye...

Is your cache hit ratio around 80%? Given it's just DNS for my household I would expect the same sites to be hit consistently, and thus a higher hit ratio.
 
I hadn't noticed before, but it's effectively a logarithmic scale, each bar is twice the time of the bar prior. The 0-1µs is thus ~30,000x the 16-32/32-64ms ranges. That's actually FOUR orders of magnitude faster! Caching is awesome :cool:. Even so, 200ms passes in the blink of an eye...

Is your cache hit ratio around 80%? Given it's just DNS for my household I would expect the same sites to be hit consistently, and thus a higher hit ratio.
You did the math - thanks for that. unbound is pretty awesome!
yes, I'm around 80%.
 
Is anyone else having this happen?
[screenshot: Unbound-uhhh.jpg]

after hitting the update stats button in the GUI:
[screenshot: Updated stats.jpg]

I take it something in my .conf is messed up...help?

UPDATE - for those finding this happening to their charts, just keep rebooting the router. I don't know what the issue is, but it sorted itself out after a number of reboots over a few days. mine are back to populating with data correctly/as expected.
 
Hi, any reason why most of the IPv6 tests available on the web fail when using Unbound as a recursive resolver? E.g. http://ip.bieringer.de/cgn-test.html
PS - I have uncommented the IPv6 section in Unbound.conf and enabled Native IPv6 on the router.
 
Hi, any reason why most of the IPv6 tests available on the web fail when using Unbound as a recursive resolver? E.g. http://ip.bieringer.de/cgn-test.html
PS - I have uncommented the IPv6 section in Unbound.conf and enabled Native IPv6 on the router.
It could be ISP related, or it could be related to having an additional incompatible/unnecessary IPv6 option enabled within your unbound conf, meaning there are several additional IPv6 options for the unbound config that go beyond just enabling IPv6 that a native IPv6 setup would not necessarily need (or maybe it does need them and you don't have them enabled).

What may be breaking your IPv6 is this addition:
# v1.01 Martineau - Add 'auth-zone:', 'edns-buffer-size:' log-time-ascii: 'log-servfail:' IPv6 'dns64-prefix:' and 'module-config: "dns64 ..."'
# Add If IPv6 detected, auto ENABLE 'dns64-prefix:' and modify to include 'module-config: "dns64 ..."'

Make sure you do not have these lines uncommented in your .conf; they need to be commented out. The dns64 option may be breaking your IPv6. Native IPv6 does not need these extra options.

Code:
#module-config: "dns64 respip validator iterator"      # v1.08 v1.03 v1.01 perform a query against AAAA record exists
#dns64-prefix: 64:FF9B::/96                            # v1.03 v1.01

All you need uncommented for native ipv6 is:

Code:
module-config: "respip validator iterator"  # v1.08 add 'respip' for rpz feature @juched
do-ip6: yes
interface: ::0
access-control: ::0/0 refuse
access-control: ::1 allow
private-address: fd00::/8
private-address: fe80::/10

Also make sure these additional lines are commented out:
Code:
#do-ip6: no
#private-address: ::/0                                 # v1.11 Martineau Enhance 'do-ip6: no' i.e. explicitly drop ALL IPv6 responses
 
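To make the checklist in the post above repeatable, here is an added shell example (not part of the thread and not unbound_manager's code) that reads an unbound.conf, ignores commented-out lines, and reports any dns64, 'do-ip6: no' or 'private-address: ::/0' line that is still active, plus any of the native-IPv6 lines that are missing. It uses only sed and grep, so it should also run on the router's busybox shell; the two config files it checks are constructed samples built from the lines quoted above, and the path in the usage comment is the one the unbound_manager menu shows.

```shell
#!/bin/sh
# Added example (not from the thread, not unbound_manager's code): lint the IPv6-related
# lines of an unbound.conf against the advice above. Only sed/grep are used so it also
# runs on the router's busybox shell.

# check_ipv6_conf FILE
# Prints one PROBLEM/MISSING line per finding; returns 0 when the file is clean.
check_ipv6_conf() {
  rc=0
  # Active configuration only: drop everything after '#', leading blanks, empty lines.
  active=$(sed 's/#.*//; s/^[[:space:]]*//; /^$/d' "$1")

  # Lines that must NOT be active for native IPv6 (dns64 and the IPv6-off settings).
  for bad in 'module-config:.*dns64' 'dns64-prefix:' \
             'do-ip6:[[:space:]]*no' 'private-address:[[:space:]]*::/0'; do
    if printf '%s\n' "$active" | grep -Eq "^$bad"; then
      echo "PROBLEM: active line matching '$bad' should be commented out"; rc=1
    fi
  done

  # Lines that must be active for native IPv6 (from the post above).
  for need in 'do-ip6:[[:space:]]*yes' 'interface:[[:space:]]*::0' \
              'access-control:[[:space:]]*::0/0[[:space:]]+refuse' \
              'access-control:[[:space:]]*::1[[:space:]]+allow'; do
    if ! printf '%s\n' "$active" | grep -Eq "^$need"; then
      echo "MISSING: no active line matching '$need'"; rc=1
    fi
  done
  return $rc
}

# --- constructed sample configs, built from the lines quoted in the post above ----
CONF_DIR=$(mktemp -d)
cat > "$CONF_DIR/dns64.conf" <<'EOF'
server:
    module-config: "dns64 respip validator iterator"      # dns64 still active
    dns64-prefix: 64:FF9B::/96
    do-ip6: yes
    interface: ::0
    access-control: ::0/0 refuse
    access-control: ::1 allow
    #do-ip6: no
EOF
cat > "$CONF_DIR/native.conf" <<'EOF'
server:
    #module-config: "dns64 respip validator iterator"
    #dns64-prefix: 64:FF9B::/96
    module-config: "respip validator iterator"
    do-ip6: yes
    interface: ::0
    access-control: ::0/0 refuse
    access-control: ::1 allow
    private-address: fd00::/8
    private-address: fe80::/10
    #do-ip6: no
    #private-address: ::/0
EOF

# On the router: check_ipv6_conf /opt/var/lib/unbound/unbound.conf
check_ipv6_conf "$CONF_DIR/dns64.conf"   # reports the two dns64 lines, exit status 1
check_ipv6_conf "$CONF_DIR/native.conf"  # prints nothing, exit status 0
```

Run it before and after editing the conf, then 'rs' from the unbound_manager menu; a clean run only says the IPv6 lines match the post above, it does not prove the ISP side is working, so follow it with the dig tests discussed later in the thread.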
keep in mind after making the correct changes to your unbound conf file, you may be required to reboot/reconnect clients/clear cache/etc. This is a very touchy thing controlled at the DNS level.

Well, I am restarting unbound by using rs - no change in those particular sites - there are some sites that report OK though.
 
I've just (finally) installed unbound for the first time. On first run I was confronted with two pre-requisites that weren't met, which I corrected before continuing. They were the options "Enable DNSSEC support" and "Enable DNS Rebind Protection", which I was suggested to disable. I removed the NextDNS CLI client before installation and rebooted my router. I don't want to use unbound as a forwarder, but solely as what it was designed for originally: a validating, recursive, caching DNS resolver.

I re-ran the install, all signs were green now, and installation went without problems. However, now I'm trying to restart unbound and I get these errors:

Code:
Apr 18 18:09:21 unbound[24235:0] error: can't bind socket: Address already in use for 127.0.0.1 port 953
Apr 18 18:09:21 unbound[24235:0] error: cannot open control interface 127.0.0.1 953
Apr 18 18:09:21 unbound[24235:0] fatal error: could not open ports

I understand from this error it can't bind to port 953, but I don't know what's using that port, as I don't have anything else related installed and I was under the impression that the unbound 'Easy' install would be foolproof and that this would be configured automagically.

Can someone help me get started? I read most of thread 1 and most of thread 2, but there's just too much info to find out what I need to do next. DNS resolution still works, btw.

DNSFilter is set to Router

WAN DNS is set to 'Auto'

If you need more info or screenshots please let me know.

Best regards,
Marco

Edit: Ehrm.... I just found out you need to run
Code:
unbound_manager
instead of just
Code:
unbound

Leaving this here for other idiots who forget what was on the first page of the first thread...
 
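The bind error quoted above only says that something already owns 127.0.0.1:953 (the remote-control port in this setup); it does not say what. As an added shell example (not from the thread or unbound_manager), here is a lookup over 'netstat -lnp' output that names the owning process, with the verdict the thread arrived at (a second unbound started by hand next to the one unbound_manager runs) as one of the cases. The netstat listing it reads is a constructed sample with made-up PIDs.

```shell
#!/bin/sh
# Added example (not from the thread or unbound_manager): given "can't bind socket:
# Address already in use for 127.0.0.1 port 953", find out which process already owns
# the port before starting anything else. Uses only awk, so it runs on busybox too.

# port_owner FILE PORT
# FILE holds the output of 'netstat -lnp'. Prints "PID/Program" for the first
# listening socket on PORT ("unknown" if netstat printed '-'), or "none".
port_owner() {
  awk -v port="$2" '
    $1 ~ /^(tcp|udp)/ {
      n = split($4, a, ":");              # local address is host:port, port is last
      if (a[n] == port) { print ($NF == "-" ? "unknown" : $NF); found = 1; exit }
    }
    END { if (!found) print "none" }' "$1"
}

# explain_bind_error FILE PORT: one-line verdict for the symptom in the post above.
explain_bind_error() {
  owner=$(port_owner "$1" "$2")
  case "$owner" in
    none)      echo "port $2 is free; the bind error is not a port clash" ;;
    */unbound) echo "port $2 already held by $owner: an unbound instance is running, use 'unbound_manager' (rs) instead of starting unbound by hand" ;;
    *)         echo "port $2 held by $owner: another service owns the control port" ;;
  esac
}

# Constructed 'netstat -lnp' sample (not a real capture); PIDs are made up.
NETSTAT_SAMPLE=$(mktemp)
cat > "$NETSTAT_SAMPLE" <<'EOF'
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:953           0.0.0.0:*               LISTEN      24100/unbound
tcp        0      0 127.0.0.1:53535         0.0.0.0:*               LISTEN      24100/unbound
tcp        0      0 0.0.0.0:53              0.0.0.0:*               LISTEN      1180/dnsmasq
udp        0      0 0.0.0.0:53              0.0.0.0:*                           1180/dnsmasq
EOF

# Live use on the router:  netstat -lnp > /tmp/ns.txt; explain_bind_error /tmp/ns.txt 953
explain_bind_error "$NETSTAT_SAMPLE" 953
explain_bind_error "$NETSTAT_SAMPLE" 8953
```

If the owner is something other than unbound, the control port in the conf has collided with another service and needs changing; if it is unbound, the fix is the one Marco found, managing the instance through unbound_manager rather than launching a second copy.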
Okay, seems like I need your help anyway. Unbound is active, but doesn't resolve a thing. Ipleak and DNSleak show my ISP's DNS servers instead of my own IP address, and #queries remains 0. How do I get unbound to start resolving queries? Because right now, dnsmasq is forwarding every request to my ISP, and although unbound is active and gives no errors, it appears to be doing nothing. Where to start? Is there a guide for unbound noobs? I expected 'Easy mode' to work out of the box, but with me it doesn't. I've shut the VPN down for now, to make sure everything is handled by the router; DNSFilter is set to router. Connect to DNS automatically is enabled, but I don't know how to get Unbound to start doing what it's good at.

Your help is much appreciated.

Best regards,
Marco
 
Okay, seems like I need your help anyway. Unbound is active, but doesn't resolve a thing. Ipleak and DNSleak show my ISP's DNS servers instead of my own IP address, and #queries remains 0. How do I get unbound to start resolving queries? Because right now, dnsmasq is forwarding every request to my ISP, and although unbound is active and gives no errors, it appears to be doing nothing. Where to start? Is there a guide for unbound noobs? I expected 'Easy mode' to work out of the box, but with me it doesn't. I've shut the VPN down for now, to make sure everything is handled by the router; DNSFilter is set to router. Connect to DNS automatically is enabled, but I don't know how to get Unbound to start doing what it's good at.

Your help is much appreciated.

Best regards,
Marco
Some things to check:
  1. service restart_dnsmasq
  2. Check there are unbound-related entries in dnsmasq.postconf.
  3. Check that the unbound script referenced in dnsmasq.postconf exists.
 
Some things to check:
  1. service restart_dnsmasq
  2. Check there are unbound-related entries in dnsmasq.postconf.
  3. Check that the unbound script referenced in dnsmasq.postconf exists.

I just restored my backup, because my kid needs internet tomorrow for home schooling. So I'll give it another try another time. I did notice that resolving on the router was no issue (for example with the netstat tools), but none of the clients would resolve anything, despite them having the router as primary DNS. I used unbound-checkconf several times to make sure all was fine, only to find out that after I restarted it, it would terminate within minutes with fatal errors. Less easy to set up than I expected it to be, and the fact that many things have apparently changed (compared to thread 1 and GitHub) doesn't really help.

I find the config file very confusing, and besides two threads of 150 pages each there's little information to begin with to be found on the forum as well as on @Martineau's GitHub pages. Reading about 'the easy install' in the first threads, I thought I'd manage this within a few hours, but lost all DNS resolution, except on the router itself. I did notice in the config that there was a reference to your minimal config, but I couldn't find it anywhere, so if you can remember where it's at, that would be much appreciated, @dave14305.

Well, I'll stop complaining now. Just frustrated I spent my entire evening only to roll back with my last back-up. Not my strongest point.
 
I just restored my backup, because my kid needs internet tomorrow for home schooling. So I'll give it another try another time. I did notice that resolving on the router was no issue (for example with the netstat tools), but none of the clients would resolve anything, despite them having the router as primary DNS. I used unbound-checkconf several times to make sure all was fine, only to find out that after I restarted it, it would terminate within minutes with fatal errors. Less easy to set up than I expected it to be, and the fact that many things have apparently changed (compared to thread 1 and GitHub) doesn't really help.

I find the config file very confusing, and besides two threads of 150 pages each there's little information to begin with to be found on the forum as well as on @Martineau's GitHub pages. Reading about 'the easy install' in the first threads, I thought I'd manage this within a few hours, but lost all DNS resolution, except on the router itself. I did notice in the config that there was a reference to your minimal config, but I couldn't find it anywhere, so if you can remember where it's at, that would be much appreciated, @dave14305.

Well, I'll stop complaining now. Just frustrated I spent my entire evening only to roll back with my last back-up. Not my strongest point.
From my experience, the router itself will use the DNS set in the WAN DNS settings. In your case, losing all DNS resolution except on the router itself may suggest unbound is not working properly. After SSHing into the router, you can try
Code:
unbound_manager advanced
It will show if unbound is running and its uptime. Then you can use the dig command in unbound. For example:
Code:
dig snbforums.com
It will show DNS resolution from both the WAN DNS and unbound itself.
Code:
+======================================================================+
|  Welcome to the unbound Manager/Installation script (Asuswrt-Merlin) |
|                                                                      |
|                      Version 3.22 by Martineau                       |
|                                                                      |
+======================================================================+


unbound (pid 13196) is running... uptime: 0 Days, 14:25:31 version: 1.13.1 # Version=v1.12 Martineau update (Date Loaded by unbound_manager Mon Apr 19 00:12:33 MYT 2021)

i  = Update unbound and configuration ('/opt/var/lib/unbound/')         l  = Show unbound LIVE (Loglevel=1) log entries (lx=Disable Logging)
z  = Remove unbound/unbound_manager                                     v  = View ('/opt/var/lib/unbound/') unbound Configuration (vx=Edit;vh=help)
3  = Advanced Tools                                                     rl = Reload Configuration (Doesn't halt unbound) e.g. 'rl test1[.conf]' (Recovery use 'rl reset/user')
?  = About Configuration                                                oq = Query unbound Configuration option e.g 'oq verbosity' (ox=Set) e.g. 'ox log-queries yes'

rs = Restart (or Start) unbound (use 'rs nocache' to flush cache)       s  = Show unbound Extended statistics (s=Summary Totals; sa=All; http://192.168.1.1:80/user1.asp)

e  = Exit Script [?]

A:Option ==> dig snbforums.com


; <<>> DiG 9.17.10 <<>> txt snbforums.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2903
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;snbforums.com.                 IN      TXT

;; ANSWER SECTION:
snbforums.com.          300     IN      TXT     "google-site-verification=ra34QSeMdJhXPDWBnnmY5-na5cKujAxvUR9chYmhFL0"

;; Query time: 359 msec
;; SERVER: 9.9.9.9#53(9.9.9.9) (UDP)
;; WHEN: Mon Apr 19 14:38:16 MYT 2021
;; MSG SIZE  rcvd: 123


; <<>> DiG 9.17.10 <<>> snbforums.com @127.0.0.1 -p 53535
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32559
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1472
;; QUESTION SECTION:
;snbforums.com.                 IN      A

;; ANSWER SECTION:
snbforums.com.          2826    IN      A       104.26.8.66
snbforums.com.          2826    IN      A       172.67.69.81
snbforums.com.          2826    IN      A       104.26.9.66

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53535(127.0.0.1) (UDP)
;; WHEN: Mon Apr 19 14:38:16 MYT 2021
;; MSG SIZE  rcvd: 90

Alternatively, you can also use the dig command directly after SSH into the router to test the WAN DNS and unbound.
Code:
dig snbforums.com
dig -p 53535 @127.0.0.1 snbforums.com
 
From my experience, the router itself will use the DNS set in the WAN DNS settings. In your case, losing all DNS resolution except on the router itself may suggest unbound is not working properly. [...]

Alternatively, you can also use the dig command directly after SSH into the router to test the WAN DNS and unbound.
Code:
dig snbforums.com
dig -p 53535 @127.0.0.1 snbforums.com
Thanks @chongnt, always handy to have another tool in the toolbox :)

I found the key is to run dig on a client and make sure it shows resolution by the router. For example, with no additional options, dig reports my external DNS on the router (as you mentioned), but on my local client it shows the server is my router IP, and 1ms shows it is served from the cache (the external DNS for me was more like 40ms).

FYI, on a Linux client install dnsutils to get dig. i.e. for a Raspberry Pi, sudo apt install dnsutils.

> dig snbforums.com

; <<>> DiG 9.11.5-P4-5.1+deb10u3-Raspbian <<>> snbforums.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62495
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1280
;; QUESTION SECTION:
;snbforums.com. IN A

;; ANSWER SECTION:
snbforums.com. 744 IN A 172.67.69.81
snbforums.com. 744 IN A 104.26.8.66
snbforums.com. 744 IN A 104.26.9.66

;; Query time: 1 msec
;; SERVER: <router_IP>#53(<router_IP>)
;; WHEN: Mon Apr 19 09:49:51 CDT 2021
;; MSG SIZE rcvd: 90
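Both the router-side test in the previous post (dig with and without '@127.0.0.1 -p 53535') and the client-side test above come down to reading two trailer lines of the dig output: which server answered and how long it took. As an added shell example (not part of the thread and not unbound_manager's code), here is a small classifier for those lines. The three dig outputs it reads are constructed samples modelled on the ones posted in this thread, and the router address 192.168.1.1 is an assumption taken from the unbound_manager menu shown earlier.

```shell
#!/bin/sh
# Added example (not from the thread): read the trailer of a dig reply and report which
# resolver actually answered, so a test from a client or the router can be checked
# without eyeballing the output. Only awk is used, so it runs on the router's busybox too.

# Answering server address: the part before '#' on the ';; SERVER:' line.
dig_server() { awk '/^;; SERVER:/ { split($3, a, "#"); print a[1]; exit }' "$1"; }

# Answering port: between '#' and '(' on the ';; SERVER:' line.
dig_port()   { awk '/^;; SERVER:/ { split($3, a, "#"); split(a[2], b, "("); print b[1]; exit }' "$1"; }

# Reported query time in milliseconds.
dig_ms()     { awk '/^;; Query time:/ { print $4; exit }' "$1"; }

# classify_dig FILE ROUTER_IP
# Prints "<class> <server>#<port> <ms>ms", where class is
#   unbound  - answered by unbound directly on 127.0.0.1:53535 (unbound_manager's port)
#   router   - answered by dnsmasq on the router, port 53 (what a LAN client should see)
#   external - answered by anything else (WAN DNS, the ISP, a leaked resolver)
classify_dig() {
  file=$1; router=$2
  srv=$(dig_server "$file"); port=$(dig_port "$file"); ms=$(dig_ms "$file")
  if [ "$srv" = "127.0.0.1" ] && [ "$port" = "53535" ]; then cls=unbound
  elif [ "$srv" = "$router" ] && [ "$port" = "53" ]; then cls=router
  else cls=external
  fi
  printf '%s %s#%s %sms\n' "$cls" "$srv" "$port" "$ms"
}

# --- constructed samples, modelled on the dig outputs shown in the thread ---------
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/from_unbound.txt" <<'EOF'
;; ANSWER SECTION:
snbforums.com.          2826    IN      A       104.26.8.66

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53535(127.0.0.1) (UDP)
;; MSG SIZE  rcvd: 90
EOF
cat > "$SAMPLE_DIR/from_client.txt" <<'EOF'
;; Query time: 1 msec
;; SERVER: 192.168.1.1#53(192.168.1.1)
;; MSG SIZE rcvd: 90
EOF
cat > "$SAMPLE_DIR/from_wan.txt" <<'EOF'
;; Query time: 359 msec
;; SERVER: 9.9.9.9#53(9.9.9.9) (UDP)
;; MSG SIZE  rcvd: 123
EOF

# Live use:  dig snbforums.com > /tmp/d.txt; classify_dig /tmp/d.txt 192.168.1.1
for f in from_unbound from_client from_wan; do classify_dig "$SAMPLE_DIR/$f.txt" 192.168.1.1; done
```

A healthy setup gives 'router' from a LAN client and 'unbound' from 'dig -p 53535 @127.0.0.1' on the router; 'external' from a client means dnsmasq is not handing queries to unbound, which was exactly the symptom a few posts up (ISP resolvers visible on the leak test sites). The millisecond figure is the cache indicator the post above describes: repeated lookups that stay near 0-1 ms are being served from unbound's cache.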
 
Something odd is going on with the interaction of Unbound and 386.2_2 that wasn't happening prior to upgrading (from 386.2_0) about a week ago. It may be so rare that I might even be the only one to notice it, but this combination was preventing the proper authentication of my Polycom/Obi200 VOIP ATA with Google Voice (and ONLY Google Voice, other SIP providers worked fine). I spent the last several days troubleshooting this, most of that time not even believing it could be due to a DNS issue. I do have Diversion (small blocking list) and Skynet as well, but those were fully disabled during testing with no change in behavior, and now that Unbound has been disabled, my Google Voice service can again authenticate even with Diversion and Skynet active.

Somehow Unbound is the blocking factor in this: it is either preventing proper resolution of the addresses needed to generate and authenticate the needed Google Auth and Refresh Tokens or otherwise interfering in some way. This is true even though I cannot detect any other unusual DNS issues: in other words Unbound seems to resolve essentially every other address (99.9+% success?). Not sure if smarter minds (@Martineau ? or @RMerlin ? ) might see what change could be behind this, as this all worked perfectly for many years, even running with Unbound for at least the last 8-9 months or more with no trouble. It seemed to occur shortly after the upgrade to 386.2_2 about a week ago, and yet the resolution was initially through disabling Unbound (and ultimately uninstalling it, after testing showed that disabling Unbound again allowed Google Voice to authenticate). I did not test the inverse: running Unbound again with a rollback to 386.2_0, but clearly it worked previously.

Incidentally, my local network is all pure IP4, IP6 is disabled on the LAN in the router.

This is probably not a big deal for anyone else at the moment, but I would sure like to know what really caused this issue.
 
Somehow Unbound is the blocking factor in this: it is either preventing proper resolution of the addresses needed to generate and authenticate the needed Google Auth and Refresh Tokens or otherwise interfering in some way. This is true even though I cannot detect any other unusual DNS issues: in other words Unbound seems to resolve essentially every other address (99.9+% success?). Not sure if smarter minds (@Martineau ? or @RMerlin ? ) might see what change could be behind this, as this all worked perfectly for many years,

This is probably not a big deal for anyone else at the moment, but I would sure like to know what really caused this issue.
If enabling unbound logging does not provide a clue as to the cause of the spurious perceived DNS resolution issue, usually dig, either from the Advanced unbound_manager menu or via the command line, should provide additional diagnostics.

Or even this online unbound tester may provide a benchmark for log comparison and/or basic debugging for your unbound configuration.

If none of the above can identify the cause then you may need to resort to tcpdump port 53 packet analysis.
 
If enabling unbound logging does not provide a clue as to the cause of the spurious perceived DNS resolution issue, usually dig, either from the Advanced unbound_manager menu or via the command line, should provide additional diagnostics.

Or even this online unbound tester may provide a benchmark for log comparison and/or basic debugging for your unbound configuration.

If none of the above can identify the cause then you may need to resort to tcpdump port 53 packet analysis.
Thanks for the extensive troubleshooting steps @Martineau . I did one more re-install of Unbound yesterday, and still had the same Google Voice authentication error, but didn't have a long window of opportunity to troubleshoot (family needs and complaints of "why are you still tinkering with this?"). However, after uninstalling Unbound, I did a check of Entware updates/upgrades, and sure enough, it found a number of those to install, even though I swear I had done those quite recently and it found none. I almost wondered if my previous multiple install/uninstall roundtrips of Unbound had downgraded some packages (if that is possible)???

In any case, with these now updated/upgraded Entware packages, I took one more stab at a re-install of Unbound. Sure enough, I now have no more issues of the Google Voice authentication errors that were happening previously (for about a week). Not sure what to make of this, but I'm satisfied with the end result :).

EDIT: Never mind, I just noticed that Entware updates were actually just released yesterday. I still don't get why the previous uninstall/re-install of Unbound didn't sort out my issue, but it did today.
 
Hey guys. So I'm really new to unbound. Never used it before but very interested.

Mainly I was interested in having unbound as a recursive DNS but I want it to be as a secondary DNS instead of my primary. I'd like to have cloudflare DNS over TLS as my primary DNS and unbound running in the background as my secondary if the cloudflare DNS is down (which happens quite a lot. Sometimes from cloudflare itself or sometimes it's my ISP's connection problem to cloudflare itself)

So is it possible? If it is. How would I do that? Thank you!!

PS : Currently I am running Merlin's normal DNS over TLS ..
 
Hey guys. So I'm really new to unbound. Never used it before but very interested.

Mainly I was interested in having unbound as a recursive DNS but I want it to be as a secondary DNS instead of my primary. I'd like to have cloudflare DNS over TLS as my primary DNS and unbound running in the background as my secondary if the cloudflare DNS is down (which happens quite a lot. Sometimes from cloudflare itself or sometimes it's my ISP's connection problem to cloudflare itself)

So is it possible? If it is. How would I do that? Thank you!!

PS : Currently I am running Merlin's normal DNS over TLS ..

You could just use unbound as a forwarder with DoT to Cloudflare. Use the forward-first option, and if it fails to forward upstream to Cloudflare it will fall back to being a recursive DNS server. The downside to this method is that you lose out on the primary benefit of unbound, which is its ability to be responsive and private due to its cache, as you will always be forwarding to Cloudflare first and not caching anything until unbound has to act recursively. All your recursive lookups (if any) will be delayed since it is not being reliably cached.
forward-first: <yes or no>
If a forwarded query is met with a SERVFAIL error, and this option is enabled, unbound will fall back to normal recursive resolution for this query as if no query forwarding had been specified. The default is "no".
 
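As an added example (not the thread's or unbound_manager's configuration), this is the forward-zone stanza that implements the setup asked about above: Cloudflare over DNS-over-TLS first, with forward-first so that a SERVFAIL from the forwarders falls back to unbound's own recursion. The CA bundle path is an assumption for an Entware install; the Cloudflare addresses and TLS name are the public ones.

```conf
# Added example, not from the thread: DoT to Cloudflare first, recursion as fallback.
server:
    # CA bundle used to verify the forwarders' certificates. Path is an assumption
    # for Entware; point it at wherever ca-certificates lives on your router.
    tls-cert-bundle: "/opt/etc/ssl/certs/ca-certificates.crt"

forward-zone:
    name: "."
    # Encrypt and authenticate the upstream connection (the '#name' after the port
    # is the certificate name unbound checks).
    forward-tls-upstream: yes
    forward-addr: 1.1.1.1@853#cloudflare-dns.com
    forward-addr: 1.0.0.1@853#cloudflare-dns.com
    # Per the man page excerpt above: on SERVFAIL from the forwarders, resolve the
    # query recursively as if no forwarding were configured. Default is "no", which
    # would instead return the SERVFAIL to the client.
    forward-first: yes
```

Two things worth knowing before relying on this: the fallback path is ordinary recursion to authoritative servers on port 53, so when the DoT forwarders are unavailable the lookups that do succeed are no longer encrypted (the setup degrades silently rather than failing closed); and, as the post above notes, answers cached from the forwarders and answers cached from recursion are both normal cache entries, so the cache itself still works, it is just populated from Cloudflare most of the time.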
