Replacing DNSMasq DNS with Unbound


I believe in you guys... Unbound will bring us into the early 2000's!

The web experience back then was not good frankly.
Right now with HTML5 and H2 (soon) is much better experience :)
 
Entware had updates for several packages today, including unbound 1.7.3.

Unfortunately name verification still does not work:
Code:
Sep 13 22:49:00 unbound: [31939:0] error: no name verification functionality in ssl library, ignored name for 9.9.9.9@853#dns.quad9.net
What version of OpenSSL would be needed for that?

(Entware updated to openssl-util - 1.0.2p-1)
 
Thinking of tackling DNSMASQ + Unbound + Stubby on Asuswrt-Merlin using this guide as a starting point.

TL;DR
Unbound can be run as a local caching forwarder, configured to use SSL upstream, however it cannot yet authenticate upstreams, re-use TCP/TLS connections, be configured for Opportunistic mode or send several of the privacy related options (padding, ECS privacy) etc. Some users combine Unbound (as a caching proxy with other features such as DNS Blacklisting) and Stubby (as a fully featured TLS forwarder).
 
> Unbound can be run as a local caching forwarder, configured to use SSL upstream, however it cannot yet authenticate upstreams, re-use TCP/TLS connections, be configured for Opportunistic mode or send several of the privacy related options (padding, ECS privacy) etc. Some users combine Unbound (as a caching proxy with other features such as DNS Blacklisting) and Stubby (as a fully featured TLS forwarder).

Actually it's not so simple there...

The info you shared is a bit old - and even within LEDE/OpenWRT - it's pretty straightforward to configure DNSSEC and DNS-over-TLS...

https://blog.cloudflare.com/dns-over-tls-for-openwrt/
 
> Actually it's not so simple there...
>
> The info you shared is a bit old - and even within LEDE/OpenWRT - it's pretty straightforward to configure DNSSEC and DNS-over-TLS...
>
> https://blog.cloudflare.com/dns-over-tls-for-openwrt/

Many thanks, Señor! I have a LEDE/OpenWrt travel router and can try it out there first. No mention of Stubby though. This link also does not use Stubby:

https://forum.openwrt.org/t/tutorial-dns-over-tls-with-dnsmasq-and-stubby-no-need-for-unbound/18663

 
> Thinking of tackling DNSMASQ + Unbound + Stubby on Asuswrt-Merlin using this guide as a starting point.
>
> TL;DR
> Unbound can be run as a local caching forwarder, configured to use SSL upstream, however it cannot yet authenticate upstreams, re-use TCP/TLS connections, be configured for Opportunistic mode or send several of the privacy related options (padding, ECS privacy) etc. Some users combine Unbound (as a caching proxy with other features such as DNS Blacklisting) and Stubby (as a fully featured TLS forwarder).

Dear Xentrk.
Hello and I hope that you are well. I wrote the tutorial you referred to here: https://torguard.net/forums/index.p...nwrtlede-featuring-unbound-getdns-and-stubby/
So, I have been playing around with my Asus RT-AC68U - and I really like your Stubby Installer. I - for the life of me - can not get Unbound working. I would like to set up
DNSMASQ + Unbound + Stubby on EntWare. So, please reply and give me a few pointers as to how to get Unbound running - as you said that you already have achieved this. Thanks -

directnupe
 
> Dear Xentrk.
> Hello and I hope that you are well. I wrote the tutorial you referred to here: https://torguard.net/forums/index.p...nwrtlede-featuring-unbound-getdns-and-stubby/
> So, I have been playing around with my Asus RT-AC68U - and I really like your Stubby Installer. I - for the life of me - can not get Unbound working. I would like to set up
> DNSMASQ + Unbound + Stubby on EntWare. So, please reply and give me a few pointers as to how to get Unbound running - as you said that you already have achieved this. Thanks -
>
> directnupe

Glad to meet you! I read many of your posts when researching Stubby on the OpenWrt forums.

Some members on the forum have Stubby working on Asuswrt-Merlin firmware. I hope one of them can share their unbound.conf file. @XIII perhaps?

I made a few feeble attempts at it with no luck. I was in the midst of other projects and put it on the back burner. So, I can't be much help at this point. It is not something I have forgotten about though. The stubby installer appears to have resolved the concern with DNS privacy. However, Unbound may be a fix for the DNS Leak issue that occurs when using the VPN Client with Policy Rules, and it also requires DNSMASQ so the Diversion Ad-Blocker will work. I have Unbound working great on my pfSense router to send all queries over the VPN tunnels and have no leaks. My next step was to use my pfSense Unbound config as a starting point and see if I can replicate my success on Asuswrt.

I'll add the effort back on my to-do list after the first of the year and keep you posted on what I find out.
 
Ah,

# unbound-checkconf /opt/etc/unbound/unbound.conf
[1544694745] unbound-checkconf[6303:0] error: no name verification functionality in ssl library, ignored name for 149.112.112.112@853#dns.quad9.net
[1544694745] unbound-checkconf[6303:0] error: no name verification functionality in ssl library, ignored name for 9.9.9.9@853#dns.quad9.net
unbound-checkconf: no errors in /opt/etc/unbound/unbound.conf
As expected, as the version of OpenSSL used on the router is (unfortunately) still too old for this...
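The "ignored name for ..." line in the unbound-checkconf output above (and in the syslog line quoted earlier in the thread) is Unbound reporting that a forward-addr carries a "#authname" but the OpenSSL it was built against has no host-name verification call (Unbound uses SSL_set1_host, which OpenSSL added in 1.1.0). The practical consequence for a defender is that the upstream connection is still encrypted but the resolver's identity is never checked, so the configuration is weaker than it looks. The following is an added example, not code from the thread or from the Unbound project: it parses both log formats seen here, lists the forward-addr entries from a constructed unbound.conf fragment, and reports which configured upstreams are actually authenticated. The sample log lines and the configuration fragment are constructed for the example.

```python
import re
from typing import Dict, List

# Unbound writes this line (both at runtime and from unbound-checkconf) when a
# forward-addr carries a "#authname" but the OpenSSL it was built against
# cannot verify certificate host names. The connection is still TLS, but the
# upstream's identity is NOT checked.
IGNORED_NAME_RE = re.compile(
    r"no name verification functionality in ssl library, "
    r"ignored name for (?P<addr>[0-9A-Fa-f.:]+)@(?P<port>\d+)#(?P<name>\S+)"
)

# forward-addr: <ip>[@port][#authname]  (port defaults to 53 when omitted)
FORWARD_ADDR_RE = re.compile(
    r"^\s*forward-addr:\s*(?P<addr>[0-9A-Fa-f.:]+)"
    r"(?:@(?P<port>\d+))?(?:#(?P<name>\S+))?\s*$",
    re.MULTILINE,
)
TLS_UPSTREAM_RE = re.compile(r"^\s*forward-tls-upstream:\s*yes\s*$", re.MULTILINE)

# Constructed sample input modelled on the thread's output: one syslog-style
# runtime line, one unbound-checkconf line, and a line that must be skipped.
SAMPLE_LOG = """\
Sep 13 22:49:00 unbound: [31939:0] error: no name verification functionality in ssl library, ignored name for 9.9.9.9@853#dns.quad9.net
[1544694745] unbound-checkconf[6303:0] error: no name verification functionality in ssl library, ignored name for 149.112.112.112@853#dns.quad9.net
unbound-checkconf: no errors in /opt/etc/unbound/unbound.conf
"""

# Constructed, hypothetical unbound.conf fragment (not from the thread).
SAMPLE_CONF = """\
server:
    tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"
forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-addr: 9.9.9.9@853#dns.quad9.net
    forward-addr: 149.112.112.112@853#dns.quad9.net
    forward-addr: 1.1.1.1@853#cloudflare-dns.com
    forward-addr: 1.0.0.1@853
"""


def unverified_upstreams(log_text: str) -> Dict[str, str]:
    """Return {'addr@port': authname} for every upstream whose name was ignored."""
    found: Dict[str, str] = {}
    for m in IGNORED_NAME_RE.finditer(log_text):
        found[f"{m['addr']}@{m['port']}"] = m["name"]
    return found


def configured_upstreams(conf_text: str) -> List[Dict[str, str]]:
    """List the forward-addr entries as dicts with addr, port and (possibly empty) name."""
    return [
        {"addr": m["addr"], "port": m["port"] or "53", "name": m["name"] or ""}
        for m in FORWARD_ADDR_RE.finditer(conf_text)
    ]


def audit(conf_text: str, log_text: str) -> Dict[str, str]:
    """Classify each configured upstream by whether its TLS identity is really verified."""
    tls_on = bool(TLS_UPSTREAM_RE.search(conf_text))
    ignored = unverified_upstreams(log_text)
    report: Dict[str, str] = {}
    for u in configured_upstreams(conf_text):
        key = f"{u['addr']}@{u['port']}"
        if not tls_on:
            report[key] = "plaintext: forward-tls-upstream is not yes"
        elif not u["name"]:
            report[key] = "encrypted but unauthenticated: no #authname configured"
        elif key in ignored:
            report[key] = "encrypted but unauthenticated: authname ignored by OpenSSL"
        else:
            report[key] = "ok: TLS with host name verification"
    return report


if __name__ == "__main__":
    for upstream, status in audit(SAMPLE_CONF, SAMPLE_LOG).items():
        print(f"{upstream:24} {status}")
```

Feed it the real unbound.conf and the output of `unbound-checkconf` or the router's syslog to get the same report for a live router; an upstream marked "ok" here only means the name is configured and was not rejected, so an Unbound built against OpenSSL 1.1.0 or newer is still the actual fix.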
 
> Ah,
>
> As expected, as the version of OpenSSL used on the router is (unfortunately) still too old for this...
Well, that sucks! I recall the discussion on the OpenSSL version back in Oct 2018. Here is the link.
 
I hope it’s just a coincidence, but unbound (or rather Quad9? No time to check now) is very unresponsive after running that check script (even after rebooting my router).

Lots of failing DNS requests...
 
> I hope it's just a coincidence, but unbound (or rather Quad9? No time to check now) is very unresponsive after running that check script (even after rebooting my router).
>
> Lots of failing DNS requests...
Yikes! :eek:

dnsperf - DNS Performance Comparison
 
For now I think it's a Quad9 (server) issue, as weird as that sounds...

DNS queries resolve super slow, on two different routers, in two different geolocations, with two different internet providers.

DNS queries resolve at normal speed again when I use Cloudflare instead of Quad9 (both using DNS over TLS).
 
> For now I think it's a Quad9 (server) issue, as weird as that sounds...
>
> DNS queries resolve super slow, on two different routers, in two different geolocations, with two different internet providers.
>
> DNS queries resolve at normal speed again when I use Cloudflare instead of Quad9 (both using DNS over TLS).

@bbunge has been testing Stubby DNS over TLS using Quad9 with similar issues. No issues with Cloudflare.
 
@bbunge Quad9 asked me to run "tracert 9.9.9.9". One of the hops took more than 2 seconds, instead of a few milliseconds...

How's that for you?
 
> @bbunge Quad9 asked me to run "tracert 9.9.9.9". One of the hops took more than 2 seconds, instead of a few milliseconds...
>
> How's that for you?
Quad9 tracert definitely slower than Cloudflare. Ping to Quad9 40ms avg. To Cloudflare 23ms avg.
My ISP routes me to Quad9 and Cloudflare in the ORD data center. ORD is Chicago and I am near Harrisburg, Pa. Even though Cloudflare has servers in Pittsburgh, Pa.

Sent from my SM-T380 using Tapatalk
 
> Quad9 tracert definitely slower than Cloudflare. Ping to Quad9 40ms avg. To Cloudflare 23ms avg.
> My ISP routes me to Quad9 and Cloudflare in the ORD data center. ORD is Chicago and I am near Harrisburg, Pa. Even though Cloudflare has servers in Pittsburgh, Pa.
>
> Sent from my SM-T380 using Tapatalk

Don't do traceroutes - they won't compare...

The CDN-oriented DNSs - CloudFlare and Google DNS excel here - OpenDNS is close, and Quad9 (149.112.112.112 is the backup/alt for Quad9) needs some work...

Code:
Final benchmark results, sorted by nameserver performance:
 (average cached name retrieval speed, fastest to slowest)

    1.  1.  1.  1 |  Min  |  Avg  |  Max  |Std.Dev|Reliab%|
  ----------------+-------+-------+-------+-------+-------+
  + Cached Name   | 0.006 | 0.009 | 0.013 | 0.002 | 100.0 |
  + Uncached Name | 0.011 | 0.056 | 0.200 | 0.054 | 100.0 |
  + DotCom Lookup | 0.018 | 0.023 | 0.041 | 0.004 | 100.0 |
  ---<-------->---+-------+-------+-------+-------+-------+
                     one.one.one.one
          CLOUDFLARENET - Cloudflare, Inc., US


    1.  0.  0.  1 |  Min  |  Avg  |  Max  |Std.Dev|Reliab%|
  ----------------+-------+-------+-------+-------+-------+
  + Cached Name   | 0.009 | 0.011 | 0.016 | 0.001 | 100.0 |
  + Uncached Name | 0.015 | 0.056 | 0.200 | 0.047 | 100.0 |
  + DotCom Lookup | 0.021 | 0.024 | 0.031 | 0.002 | 100.0 |
  ---<-------->---+-------+-------+-------+-------+-------+
                     one.one.one.one
          CLOUDFLARENET - Cloudflare, Inc., US


    8.  8.  4.  4 |  Min  |  Avg  |  Max  |Std.Dev|Reliab%|
  ----------------+-------+-------+-------+-------+-------+
  - Cached Name   | 0.010 | 0.012 | 0.017 | 0.001 | 100.0 |
  - Uncached Name | 0.036 | 0.089 | 0.303 | 0.059 | 100.0 |
  - DotCom Lookup | 0.057 | 0.068 | 0.104 | 0.012 | 100.0 |
  ---<-------->---+-------+-------+-------+-------+-------+
             google-public-dns-b.google.com
                 GOOGLE - Google LLC, US


    8.  8.  8.  8 |  Min  |  Avg  |  Max  |Std.Dev|Reliab%|
  ----------------+-------+-------+-------+-------+-------+
  - Cached Name   | 0.011 | 0.013 | 0.018 | 0.001 | 100.0 |
  - Uncached Name | 0.037 | 0.084 | 0.259 | 0.052 | 100.0 |
  - DotCom Lookup | 0.057 | 0.072 | 0.104 | 0.014 | 100.0 |
  ---<-------->---+-------+-------+-------+-------+-------+
             google-public-dns-a.google.com
                 GOOGLE - Google LLC, US


  208. 67.222.222 |  Min  |  Avg  |  Max  |Std.Dev|Reliab%|
  ----------------+-------+-------+-------+-------+-------+
  - Cached Name   | 0.019 | 0.021 | 0.029 | 0.002 | 100.0 |
  - Uncached Name | 0.020 | 0.063 | 0.189 | 0.046 | 100.0 |
  - DotCom Lookup | 0.028 | 0.058 | 0.194 | 0.031 | 100.0 |
  ---<-------->---+-------+-------+-------+-------+-------+
                  resolver1.opendns.com
               OPENDNS - OpenDNS, LLC, US


  208. 67.220.220 |  Min  |  Avg  |  Max  |Std.Dev|Reliab%|
  ----------------+-------+-------+-------+-------+-------+
  - Cached Name   | 0.021 | 0.023 | 0.028 | 0.001 | 100.0 |
  - Uncached Name | 0.022 | 0.068 | 0.181 | 0.049 | 100.0 |
  - DotCom Lookup | 0.031 | 0.056 | 0.102 | 0.026 | 100.0 |
  ---<-------->---+-------+-------+-------+-------+-------+
                  resolver2.opendns.com
               OPENDNS - OpenDNS, LLC, US


    9.  9.  9.  9 |  Min  |  Avg  |  Max  |Std.Dev|Reliab%|
  ----------------+-------+-------+-------+-------+-------+
  - Cached Name   | 0.091 | 0.114 | 0.128 | 0.008 |  95.8 |
  - Uncached Name | 0.099 | 0.147 | 0.304 | 0.053 |  97.8 |
  - DotCom Lookup | 0.106 | 0.124 | 0.162 | 0.010 |  97.8 |
  ---<-------->---+-------+-------+-------+-------+-------+
                      dns.quad9.net
                 QUAD9-AS-1 - Quad9, US


  149.112.112.112 |  Min  |  Avg  |  Max  |Std.Dev|Reliab%|
  ----------------+-------+-------+-------+-------+-------+
  - Cached Name   | 0.107 | 0.119 | 0.125 | 0.004 |  95.9 |
  - Uncached Name | 0.113 | 0.160 | 0.306 | 0.060 |  97.9 |
  - DotCom Lookup | 0.112 | 0.130 | 0.170 | 0.012 |  97.8 |
  ---<-------->---+-------+-------+-------+-------+-------+
           rpz-public-resolver1.rrdns.pch.net
                 QUAD9-AS-1 - Quad9, US
 
> The CDN-oriented DNSs - CloudFlare and Google DNS excel here - OpenDNS is close, and Quad9 (149.112.112.112 is the backup/alt for Quad9) needs some work...

And numbers there on with Unbound with DNSSEC on pfSense 2.4.4 on Intel Rangely...

[Attached screenshot: Screen Shot 2018-12-15 at 5.02.06 PM.png]
 
> I hope it's just a coincidence, but unbound (or rather Quad9? No time to check now) is very unresponsive after running that check script (even after rebooting my router).
>
> Lots of failing DNS requests...

If you're running Unbound, then you need to sort DNSMasq - otherwise both are fighting on the same port...
 