Unbound Why Unbound works on router but not on Windows client?

[gjf]

I understand the question is quite off-topic, but it really deals with Unbound.

I have successfully installed Unbound on Asus RT-AC68U and it works like a charm.

Also I decided to install Unbound on Windows system to have a working DNS that does not relies on provider. It would be quite useful during my trips.

However Unbound does not work. I've tried the latest Unbound 1.13.0 (both x32 and x64) using on Windows 7 Ultimate x64 and Windows 10 Pro x64 (both are clean installs) - in fact "nslookup www.google.com 127.0.0.1" that should work from the scratch (as official manual states) gives an error.

Deeper investigation in logs shows numerous errors like:

19.12.2020 3:34:10 C:\Program Files\Unbound\unbound.exe[15248:0] error: udp connect failed: No error for 2001:503:c27::2:30 port 53
19.12.2020 3:34:10 C:\Program Files\Unbound\unbound.exe[15248:0] info: error sending query to auth server 2001:503:c27::2:30 port 53
19.12.2020 3:34:10 C:\Program Files\Unbound\unbound.exe[15248:0] error: udp connect failed: No error for 2001:500:a8::e port 53
19.12.2020 3:34:10 C:\Program Files\Unbound\unbound.exe[15248:0] info: error sending query to auth server 2001:500:a8::e port 53
19.12.2020 3:34:10 C:\Program Files\Unbound\unbound.exe[15248:0] info: response for . NS IN
19.12.2020 3:34:10 C:\Program Files\Unbound\unbound.exe[15248:0] info: reply from <.> 192.33.4.12#53
19.12.2020 3:34:10 C:\Program Files\Unbound\unbound.exe[15248:0] info: query response was THROWAWAY
19.12.2020 3:34:10 C:\Program Files\Unbound\unbound.exe[15248:0] info: response for . NS IN
19.12.2020 3:34:10 C:\Program Files\Unbound\unbound.exe[15248:0] info: reply from <.> 199.7.91.13#53
19.12.2020 3:34:10 C:\Program Files\Unbound\unbound.exe[15248:0] info: query response was THROWAWAY
19.12.2020 3:34:10 C:\Program Files\Unbound\unbound.exe[15248:0] error: udp connect failed: No error for 2001:500:a8::e port 53
19.12.2020 3:34:10 C:\Program Files\Unbound\unbound.exe[15248:0] info: error sending query to auth server 2001:500:a8::e port 53
19.12.2020 3:34:10 C:\Program Files\Unbound\unbound.exe[15248:0] info: response for . NS IN
19.12.2020 3:34:10 C:\Program Files\Unbound\unbound.exe[15248:0] info: reply from <.> 198.41.0.4#53
19.12.2020 3:34:10 C:\Program Files\Unbound\unbound.exe[15248:0] info: query response was THROWAWAY

Neither official mailing list nor github gave a good answer on it. The only I have obtained:

DNS root access seems to be blocked. Try to establish a forwarding to some public dns resolvers, e.g. 8.8.8.8 and/or 1.1.1.1.

OK - but why Unbound works on router in this case?

Very strange situation...

Any idea here?

 

[JGrana]

If you are using unbound-manager to install and configure unbound - it’s mainly due to the fact that a well configured Unbound takes a lot of work and unbound-manager hides a ton of that from the user.
I have tried to install Unbound on a Raspberry Pi running a version of Debian. Like you, I could never get it running as well as on Asuswrt-Merlin...

 

[dave14305]

Do you have DNSFilter enabled on the router this Windows PC is connected to?

 

[gjf]

Do you have DNSFilter enabled on the router this Windows PC is connected to?

Damn it, that was an issue! Thanks mate.

 

[dave14305]

Damn it, that was an issue! Thanks mate.

Did you turn it off, or just add a “No filtering” exception for the PC’s MAC address?

 

[gjf]

Did you turn it off, or just add a “No filtering” exception for the PC’s MAC address?

I turned it off.
I see no sense in this option since Unbound was installed as addon. Just forgot to disable it and I wonder why Unbound installation scrpit didn't check it.

 

[Martineau]

I turned it off.
I see no sense in this option since Unbound was installed as addon. Just forgot to disable it and I wonder why Unbound installation scrpit didn't check it.

unbound_manager does a simple check for the DNS Filter to be enabled (recommended for ALL devices via the router)... but honours the individual LAN device settings chosen by the user - what else could the scrpit [sic] do?

e  = Exit Script [?]

A:Option ==> ?

    Version=3.22b3                    (Change Log: https://github.com/MartineauUK/Unbound-Asuswrt-Merlin/commits/dev/unbound_manager.sh)
    Local                        md5=42d59f6802386a38c516d764e97d5db4
    Github                        md5=f215ba4853c609fb2c3c2bdb53a22309
    /jffs/addons/unbound/unbound_manager.md5    md5=42d59f6802386a38c516d764e97d5db4

    Router Configuration recommended pre-reqs status:

    [✔] Swapfile=2097148 kB
    [✖] ***ERROR DNS Filter is OFF!                          see http://192.168.1.1:80/DNSFilter.asp LAN->DNSFilter Enable DNS-based Filtering
    [✖] Warning WAN: Use local caching DNS server as system resolver=YES          see http://192.168.1.1:80/Tools_OtherSettings.asp ->Advanced Tweaks and Hacks
    [✔] Entware NTP server 'S77chronyd' is running
    [✔] Enable DNS Rebind protection=NO
    [✔] Enable DNSSEC support=NO

    Options: Auto Reply='y' for User Selectable Options ('1 3 4') unbound Logging,Ad Block,Performance Tweaks

    [✔] unbound Logging
    [✔] Ad and Tracker Blocking (No. of Adblock domains=58425,Blocked Hosts=0,Allowlist=19,Blocked Country=0, - Warning Diversion is also ACTIVE)
    [✔] unbound CPU/Memory Performance tweaks
    [✔] Router Graphical GUI statistics TAB installed
    [✔] unbound-control FAST response ENABLED
    [✔] YouTube Ad Blocking (Forcing to use YT IP 176.255.192.141, No. of YouTube Video Ad domains=20)

    unbound Memory/Cache:

    'key-cache-size:'    8388608 (8.00 MB)
    'msg-cache-size:'    8388608 (8.00 MB)    4% used 403243    (393.79 KB)
    'rrset-cache-size:'    16777216 (16.00 MB)    6% used 1088933    (1.04 MB)

 

[gjf]

unbound_manager does a simple check for the DNS Filter to be enabled (recommended for ALL devices via the router)... but honours the individual LAN device settings chosen by the user - what else could the scrpit [sic] do?

I am talking about this setting:


I don't understand what is the sense to leave it ON if Unbound becomes the only DNS ressolver.
Or Unbound respects the policy that was set in this setting? I suspect no.