What's new

Unbound [SOLVED] Unbound not resolving anything

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

What about a direct query to a root server?
Code:
dig NS . @199.9.14.201
Is there any chance your ISP is intercepting DNS queries?

If you run a leak test below, change your WAN DNS settings to Google or Cloudflare and re-run the test, can you see the results change?


Yes the only difference between your wan config and mine is that I have 1.1.1.1 and 8.8.8.8 assigned under manual setting in WAN dns list. could be worth posting your root.hints file and root.key file - ill compare it to mine
 
Last edited:
Is there any chance your ISP is intercepting DNS queries?
Not that I'm aware of. Put differently, if one of my country's ISPs did some forced DNS redirection, I probably would have read about it somewhere.

I'm only using my ISP's DNS servers because of my "minimal config after factory reset" approach. Normally I'm using Cloudflare, DNS.WATCH, or Quad9 servers.

Leak test with ISP DNS:
1697897912773.png



Leak test with custom DNS servers in the router's WAN config:
1697899257787.png


So that's as I would expect.
 
What about a direct query to a root server?

Huh.
Code:
router@RT-AX86U-D318:/tmp/home/root# dig NS . @199.9.14.201
;; communications error to 199.9.14.201#53: timed out
;; communications error to 199.9.14.201#53: timed out
;; communications error to 199.9.14.201#53: timed out

; <<>> DiG 9.18.16 <<>> NS . @199.9.14.201
;; global options: +cmd
;; no servers could be reached
As I don't understand that dig, could you please tell me what that means? What is performing the query in this case, unbound or dnsmasq or something else?
 
could be worth posting your root.hints file and root.key file - ill compare it to mine

root.hints (I took the path found in unbound.conf - correct?)
Code:
;       This file holds the information on root name servers needed to
;       initialize cache of Internet domain name servers
;       (e.g. reference this file in the "cache  .  <file>"
;       configuration file of BIND domain name servers).
;
;       This file is made available by InterNIC
;       under anonymous FTP as
;           file                /domain/named.cache
;           on server           FTP.INTERNIC.NET
;       -OR-                    RS.INTERNIC.NET
;
;       last update:     September 28, 2023
;       related version of root zone:     2023092801
;
; FORMERLY NS.INTERNIC.NET
;
.                        3600000      NS    A.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET.      3600000      A     198.41.0.4
A.ROOT-SERVERS.NET.      3600000      AAAA  2001:503:ba3e::2:30
;
; FORMERLY NS1.ISI.EDU
;
.                        3600000      NS    B.ROOT-SERVERS.NET.
B.ROOT-SERVERS.NET.      3600000      A     199.9.14.201
B.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:200::b
;
; FORMERLY C.PSI.NET
;
.                        3600000      NS    C.ROOT-SERVERS.NET.
C.ROOT-SERVERS.NET.      3600000      A     192.33.4.12
C.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:2::c
;
; FORMERLY TERP.UMD.EDU
;
.                        3600000      NS    D.ROOT-SERVERS.NET.
D.ROOT-SERVERS.NET.      3600000      A     199.7.91.13
D.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:2d::d
;
; FORMERLY NS.NASA.GOV
;
.                        3600000      NS    E.ROOT-SERVERS.NET.
E.ROOT-SERVERS.NET.      3600000      A     192.203.230.10
E.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:a8::e
;
; FORMERLY NS.ISC.ORG
;
.                        3600000      NS    F.ROOT-SERVERS.NET.
F.ROOT-SERVERS.NET.      3600000      A     192.5.5.241
F.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:2f::f
;
; FORMERLY NS.NIC.DDN.MIL
;
.                        3600000      NS    G.ROOT-SERVERS.NET.
G.ROOT-SERVERS.NET.      3600000      A     192.112.36.4
G.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:12::d0d
;
; FORMERLY AOS.ARL.ARMY.MIL
;
.                        3600000      NS    H.ROOT-SERVERS.NET.
H.ROOT-SERVERS.NET.      3600000      A     198.97.190.53
H.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:1::53
;
; FORMERLY NIC.NORDU.NET
;
.                        3600000      NS    I.ROOT-SERVERS.NET.
I.ROOT-SERVERS.NET.      3600000      A     192.36.148.17
I.ROOT-SERVERS.NET.      3600000      AAAA  2001:7fe::53
;
; OPERATED BY VERISIGN, INC.
;
.                        3600000      NS    J.ROOT-SERVERS.NET.
J.ROOT-SERVERS.NET.      3600000      A     192.58.128.30
J.ROOT-SERVERS.NET.      3600000      AAAA  2001:503:c27::2:30
;
; OPERATED BY RIPE NCC
;
.                        3600000      NS    K.ROOT-SERVERS.NET.
K.ROOT-SERVERS.NET.      3600000      A     193.0.14.129
K.ROOT-SERVERS.NET.      3600000      AAAA  2001:7fd::1
;
; OPERATED BY ICANN
;
.                        3600000      NS    L.ROOT-SERVERS.NET.
L.ROOT-SERVERS.NET.      3600000      A     199.7.83.42
L.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:9f::42
;
; OPERATED BY WIDE
;
.                        3600000      NS    M.ROOT-SERVERS.NET.
M.ROOT-SERVERS.NET.      3600000      A     202.12.27.33
M.ROOT-SERVERS.NET.      3600000      AAAA  2001:dc3::35
; End of file

root.key:
Code:
  GNU nano 5.7     /opt/var/lib/unbound/root.key
 
. IN DS 20326 8 2 E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D
 
Tomorrow I'm going to dig up my old RT-AC3200, where I had Diversion & Unbound running for years without issue (except that at the end the router needed 1-2 reboots per week because it kept locking up intermittently after some uptime).

Should I try to get it up and running as I find it, or should I do a factory reset there, too?
 
Huh.
Code:
router@RT-AX86U-D318:/tmp/home/root# dig NS . @199.9.14.201
;; communications error to 199.9.14.201#53: timed out
;; communications error to 199.9.14.201#53: timed out
;; communications error to 199.9.14.201#53: timed out

; <<>> DiG 9.18.16 <<>> NS . @199.9.14.201
;; global options: +cmd
;; no servers could be reached
As I don't understand that dig, could you please tell me what that means? What is performing the query in this case, unbound or dnsmasq or something else?
Dig is querying the root server directly for all the nameservers for the root (dot) domain. It seems like either your ISP or IP is blocked from communicating.

I was hoping for a response like this:
Code:
$ dig NS . @199.9.14.201

; <<>> DiG 9.18.12-0ubuntu0.22.04.3-Ubuntu <<>> NS . @199.9.14.201
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 47273
;; flags: qr aa rd; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 27
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 5a4083ce1d643cba010000006533f52f53475f9f82f5017d (good)
;; QUESTION SECTION:
;.                              IN      NS

;; ANSWER SECTION:
.                       518400  IN      NS      d.root-servers.net.
.                       518400  IN      NS      b.root-servers.net.
.                       518400  IN      NS      l.root-servers.net.
.                       518400  IN      NS      h.root-servers.net.
.                       518400  IN      NS      k.root-servers.net.
.                       518400  IN      NS      j.root-servers.net.
.                       518400  IN      NS      c.root-servers.net.
.                       518400  IN      NS      a.root-servers.net.
.                       518400  IN      NS      m.root-servers.net.
.                       518400  IN      NS      f.root-servers.net.
.                       518400  IN      NS      e.root-servers.net.
.                       518400  IN      NS      g.root-servers.net.
.                       518400  IN      NS      i.root-servers.net.

;; ADDITIONAL SECTION:
m.root-servers.net.     518400  IN      A       202.12.27.33
l.root-servers.net.     518400  IN      A       199.7.83.42
k.root-servers.net.     518400  IN      A       193.0.14.129
j.root-servers.net.     518400  IN      A       192.58.128.30
i.root-servers.net.     518400  IN      A       192.36.148.17
h.root-servers.net.     518400  IN      A       198.97.190.53
g.root-servers.net.     518400  IN      A       192.112.36.4
f.root-servers.net.     518400  IN      A       192.5.5.241
e.root-servers.net.     518400  IN      A       192.203.230.10
d.root-servers.net.     518400  IN      A       199.7.91.13
c.root-servers.net.     518400  IN      A       192.33.4.12
b.root-servers.net.     518400  IN      A       199.9.14.201
a.root-servers.net.     518400  IN      A       198.41.0.4
m.root-servers.net.     518400  IN      AAAA    2001:dc3::35
l.root-servers.net.     518400  IN      AAAA    2001:500:9f::42
k.root-servers.net.     518400  IN      AAAA    2001:7fd::1
j.root-servers.net.     518400  IN      AAAA    2001:503:c27::2:30
i.root-servers.net.     518400  IN      AAAA    2001:7fe::53
h.root-servers.net.     518400  IN      AAAA    2001:500:1::53
g.root-servers.net.     518400  IN      AAAA    2001:500:12::d0d
f.root-servers.net.     518400  IN      AAAA    2001:500:2f::f
e.root-servers.net.     518400  IN      AAAA    2001:500:a8::e
d.root-servers.net.     518400  IN      AAAA    2001:500:2d::d
c.root-servers.net.     518400  IN      AAAA    2001:500:2::c
b.root-servers.net.     518400  IN      AAAA    2001:500:200::b
a.root-servers.net.     518400  IN      AAAA    2001:503:ba3e::2:30

;; Query time: 56 msec
;; SERVER: 199.9.14.201#53(199.9.14.201) (UDP)
;; WHEN: Sat Oct 21 11:58:39 EDT 2023
;; MSG SIZE  rcvd: 851

 
Last edited:
Tomorrow I'm going to dig up my old RT-AC3200, where I had Diversion & Unbound running for years without issue (except that at the end the router needed 1-2 reboots per week because it kept locking up intermittently after some uptime).

Should I try to get it up and running as I find it, or should I do a factory reset there, too?
I think the main benefit of testing it is that you might get a new public IP from your ISP just to see if that changes anything. If you can’t query those servers with dig, Unbound won’t be able to query them either.

Do you have a valid public IP? Do you want to share which Country/region you live in?
 
If you can’t query those servers with dig, Unbound won’t be able to query them either.

I'll be damned. Reading this gave me an idea: Instead of switching routers, I fired up an Ubuntu installation in Windows Subsystem for Linux on my main laptop. Tried your dig query to the root server - the query timed out just like with unbound. Tried to ping the server - all is fine.

Then I started a VPN tunnel on my laptop (NordVPN). Tried to ping again - still works, but the pings took a bit longer (130 vs. 25 ms). So I knew the traffic went through the tunnel. Tried the dig again, and it f***ing worked.

So indeed something at my ISP appears to be the cause for my troubles. Do you have any insight what it means that I can ping the root server, but not actually query it? From the DNS leak test I know that there is no general port 53 redirection or blocking; and I could always use other DNS servers without issue.

I live in Germany and currently have a DSL connection, which is one of two common technologies over here (the other being cable/DOCSIS - fibre still is in the early stages here). For DSL connections it is common to have dynamic IP assignment, i.e. everytime the router connects (over PPPoE) it gets a new public IP from the ISP, and there is one forced reconnection each day. So currently I have a different public IP every day.

I think I will need to start bothering my ISP about this whole thing.....
 
Just to be thorough, try querying all these root servers. If they all fail, then it sounds like a deliberate block. 198.41.0.4 is shown as Frankfurt on the root map. Try that one.
Code:
m.root-servers.net.     518400  IN      A       202.12.27.33
l.root-servers.net.     518400  IN      A       199.7.83.42
k.root-servers.net.     518400  IN      A       193.0.14.129
j.root-servers.net.     518400  IN      A       192.58.128.30
i.root-servers.net.     518400  IN      A       192.36.148.17
h.root-servers.net.     518400  IN      A       198.97.190.53
g.root-servers.net.     518400  IN      A       192.112.36.4
f.root-servers.net.     518400  IN      A       192.5.5.241
e.root-servers.net.     518400  IN      A       192.203.230.10
d.root-servers.net.     518400  IN      A       199.7.91.13
c.root-servers.net.     518400  IN      A       192.33.4.12
b.root-servers.net.     518400  IN      A       199.9.14.201
a.root-servers.net.     518400  IN      A       198.41.0.4
At some point, you’ll have to ask yourself if Unbound is worth the trouble. But understanding the root of the root issue is worth still pursuing.
 
Sounds familiar. And we have been also testing with server “b”.


 
root.hints (I took the path found in unbound.conf - correct?)
Code:
;       This file holds the information on root name servers needed to
;       initialize cache of Internet domain name servers
;       (e.g. reference this file in the "cache  .  <file>"
;       configuration file of BIND domain name servers).
;
;       This file is made available by InterNIC
;       under anonymous FTP as
;           file                /domain/named.cache
;           on server           FTP.INTERNIC.NET
;       -OR-                    RS.INTERNIC.NET
;
;       last update:     September 28, 2023
;       related version of root zone:     2023092801
;
; FORMERLY NS.INTERNIC.NET
;
.                        3600000      NS    A.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET.      3600000      A     198.41.0.4
A.ROOT-SERVERS.NET.      3600000      AAAA  2001:503:ba3e::2:30
;
; FORMERLY NS1.ISI.EDU
;
.                        3600000      NS    B.ROOT-SERVERS.NET.
B.ROOT-SERVERS.NET.      3600000      A     199.9.14.201
B.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:200::b
;
; FORMERLY C.PSI.NET
;
.                        3600000      NS    C.ROOT-SERVERS.NET.
C.ROOT-SERVERS.NET.      3600000      A     192.33.4.12
C.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:2::c
;
; FORMERLY TERP.UMD.EDU
;
.                        3600000      NS    D.ROOT-SERVERS.NET.
D.ROOT-SERVERS.NET.      3600000      A     199.7.91.13
D.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:2d::d
;
; FORMERLY NS.NASA.GOV
;
.                        3600000      NS    E.ROOT-SERVERS.NET.
E.ROOT-SERVERS.NET.      3600000      A     192.203.230.10
E.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:a8::e
;
; FORMERLY NS.ISC.ORG
;
.                        3600000      NS    F.ROOT-SERVERS.NET.
F.ROOT-SERVERS.NET.      3600000      A     192.5.5.241
F.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:2f::f
;
; FORMERLY NS.NIC.DDN.MIL
;
.                        3600000      NS    G.ROOT-SERVERS.NET.
G.ROOT-SERVERS.NET.      3600000      A     192.112.36.4
G.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:12::d0d
;
; FORMERLY AOS.ARL.ARMY.MIL
;
.                        3600000      NS    H.ROOT-SERVERS.NET.
H.ROOT-SERVERS.NET.      3600000      A     198.97.190.53
H.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:1::53
;
; FORMERLY NIC.NORDU.NET
;
.                        3600000      NS    I.ROOT-SERVERS.NET.
I.ROOT-SERVERS.NET.      3600000      A     192.36.148.17
I.ROOT-SERVERS.NET.      3600000      AAAA  2001:7fe::53
;
; OPERATED BY VERISIGN, INC.
;
.                        3600000      NS    J.ROOT-SERVERS.NET.
J.ROOT-SERVERS.NET.      3600000      A     192.58.128.30
J.ROOT-SERVERS.NET.      3600000      AAAA  2001:503:c27::2:30
;
; OPERATED BY RIPE NCC
;
.                        3600000      NS    K.ROOT-SERVERS.NET.
K.ROOT-SERVERS.NET.      3600000      A     193.0.14.129
K.ROOT-SERVERS.NET.      3600000      AAAA  2001:7fd::1
;
; OPERATED BY ICANN
;
.                        3600000      NS    L.ROOT-SERVERS.NET.
L.ROOT-SERVERS.NET.      3600000      A     199.7.83.42
L.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:9f::42
;
; OPERATED BY WIDE
;
.                        3600000      NS    M.ROOT-SERVERS.NET.
M.ROOT-SERVERS.NET.      3600000      A     202.12.27.33
M.ROOT-SERVERS.NET.      3600000      AAAA  2001:dc3::35
; End of file

root.key:
Code:
  GNU nano 5.7     /opt/var/lib/unbound/root.key
 
. IN DS 20326 8 2 E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D

Not sure whether my post is redundant however :-

Your Root.key is significantly different from mine .

There is a command utility called unbound-anchor
when you issue command unbound-anchor -v you should get following - what do you get ?-

check out https://www.nlnetlabs.nl/documentation/unbound/unbound-anchor/ with how to use unbound-anchor

The other thing you could try is to reinstall Entware. problems with unbound in past have occurred when new libraries have been introduced. Do this through amtm by removing entware and reinstalling or updating if updating is required

unbound-anchor -v
/opt/var/lib/unbound/root.key has content
success: the anchor is ok
joescian@RT-AC86U-6440:/tmp/home/root#

<contents of the root.key file below ( if unbound is working correctly)

; autotrust trust anchor file
;;id: . 1
;;last_queried: 1697864122 ;;Sat Oct 21 15:55:22 2023
;;last_success: 1697864122 ;;Sat Oct 21 15:55:22 2023
;;next_probe_time: 1697949753 ;;Sun Oct 22 15:42:33 2023
;;query_failed: 0
;;query_interval: 86400
;;retry_time: 17280
. 86400 IN DNSKEY 257 3 8 AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU= ;{id = 20326 (ksk), size = 2048b} ;;state=2 [ VALID ] ;;count=0 ;;lastchange=1686140158 ;;Wed Jun 7 22:15:58 2023
 
Last edited:
Just to be thorough, try querying all these root servers. If they all fail, then it sounds like a deliberate block. 198.41.0.4 is shown as Frankfurt on the root map. Try that one.
Yep, it's like that. I can ping all of them, but I can query none of them.

At some point, you’ll have to ask yourself if Unbound is worth the trouble. But understanding the root of the root issue is worth still pursuing.
Good point, and knowing that the cause for my issue is outside of my realm gives me some degree of peace of mind. However, issues like this tend to keep nagging me quite a bit. ;)

Actually, I'm not even sure this is allowed in Germany. Public ISPs are regulated here, and there is a principle called "net neutrality" which ISPs are obliged by law to follow. Essentially, internet connections must behave like "dumb pipes". ISP are not allowed to do any kind of QoS or similar (except to ensure that the IP telephony part of their products works). Just recently, there was a ruling that mobile/cellular ISPs are not allowed to do something called "zero rating" (the mobile ISP and e.g. Spotify struck a deal where Spotify pays money to the ISP and in return Spotify streaming data does not count towards users' monthly data allowance) as this violates net neutrality.

I've been able to use Unbound with my two previous ISPs, so I will for sure ask my current one what this is all about. But as you said, I need to think about how much energy I want to put into this.

@dave14305 and @joe scian : Let me say a big THANK YOU for your help, time, and patience! I learned quite a bit doing this with you.
 
Not sure whether my post is redundant however :-

Your Root.key is significantly different from mine .

There is a command utility called unbound-anchor
I looked into that, and tried to force update my anchor/root.key.

Code:
ASUSWRT-Merlin RT-AX86U 3004.388.4_0 Mon Aug 21 19:34:20 UTC 2023

router@RT-AX86U-D318:/tmp/home/root# unbound-anchor -v
/opt/var/lib/unbound/root.key has content
fail: the anchor is NOT ok and could not be fixed

router@RT-AX86U-D318:/tmp/home/root# unbound-anchor -v -F
/opt/var/lib/unbound/root.key has content
debug cert update forced
/opt/var/lib/unbound/icannbundle.pem: No such file or directory
using builtin certificate
have 1 trusted certificates
resolve data.iana.org A: no result
resolve data.iana.org AAAA: no result
data.iana.org has no IP addresses I can use
I'm guessing my root.key looks different from yours because even the initial download fails because of my ISP's routing policy.
 
I looked into that, and tried to force update my anchor/root.key.

Code:
ASUSWRT-Merlin RT-AX86U 3004.388.4_0 Mon Aug 21 19:34:20 UTC 2023

router@RT-AX86U-D318:/tmp/home/root# unbound-anchor -v
/opt/var/lib/unbound/root.key has content
fail: the anchor is NOT ok and could not be fixed

router@RT-AX86U-D318:/tmp/home/root# unbound-anchor -v -F
/opt/var/lib/unbound/root.key has content
debug cert update forced
/opt/var/lib/unbound/icannbundle.pem: No such file or directory
using builtin certificate
have 1 trusted certificates
resolve data.iana.org A: no result
resolve data.iana.org AAAA: no result
data.iana.org has no IP addresses I can use
I'm guessing my root.key looks different from yours because even the initial download fails because of my ISP's routing policy.

for your information only on what my command looks like

ASUSWRT-Merlin RT-AC86U 386.12_0 Mon Sep 4 15:48:44 UTC 2023
joescian@RT-AC86U-6440:/tmp/home/root# unbound-anchor -v -F
/opt/var/lib/unbound/root.key has content
debug cert update forced
last successful probe: Sun Oct 22 21:21:36 2023
the last successful probe is recent
/opt/var/lib/unbound/icannbundle.pem: No such file or directory
using builtin certificate
have 1 trusted certificates
resolved server address 152.199.24.38
resolved server address 2606:2800:21f:b505:516b:4186:98cd:116
connect to 152.199.24.38
fetched root-anchors/root-anchors.xml (690 bytes)
connect to 2606:2800:21f:b505:516b:4186:98cd:116
connect: Cannot assign requested address
connect to 152.199.24.38
fetched root-anchors/root-anchors.p7s (2551 bytes)
signer 0: Subject: /O=ICANN/CN=DNSSEC Trust Anchor Verification/emailAddress=dns sec@iana.org
the PKCS7 signature verified
XML was parsed successfully, 1 keys
success: the anchor has been updated using the cert
joescian@RT-AC86U-6440:/tmp/home/root#
 
I've been able to use Unbound with my two previous ISPs, so I will for sure ask my current one what this is all about. But as you said, I need to think about how much energy I want to put into this.
Not sure how much effort you want to continue putting into this... but this might be a potential solution for you to get around all this? I have been my own DNS resolver for some time now... in fact, my VPN endpoint IP is my resolver... like so:

1697978502484.png

1697978604865.png


You mentioned before that once you've connected through VPN, that you had some success with resolution. I'm also using NordVPN, so each time my VPN connection resets, so does my DNS resolver endpoint... and it's all automated through the use of VPNMON-R2 and Unbound. This feature gives me the freedom to be my own resolver, *and* it prevents my ISP from snooping on any unencrypted DNS resolution traffic coming from from my endpoint. So anyways, wasn't sure if that's a path you wanted to go down, but it seems to be working well for me thusfar.
 
I got news. It's NOT my ISP. I posted my problem in my ISP's community forums. Other customers tried to query the root servers, and it worked. So I did some testing and there are setups where my queries pass, too.

Here's my setup:

Plugged into the wall is an AVM Fritzbox 7530. These devices are among the market leaders in Germany (and maybe Europe), but are mostly unknown elsewhere. The Fritzbox is a fully-fledged router, but - inofficially! - can be configured in a way that it will only act as a modem, providing PPPoE passthrough to connected devices. I usually do just that and let the AX86U do all the rest, incl. PPPoE dialup and login (WAN Connection Type = PPPoE)

However, for testing purposes I reconfigured the Fritzbox to be my main router and create the PPPoE connection itself. Plugged into the Fritzbox with my laptop, dig NS . @199.9.14.201 works just fine, so it can't be my ISP. And what's more, when I reconfigure the AX86U WAN Connection Type to "Automatic IP", the query also works from the Asus itself, and from my laptop via wifi as well, double-NATed and all.

So it's ONLY with the Fritzbox in modem-mode and the AX86U handling the internet connection where I have this issue. How weird is that?!

Next step: I'm going to get another modem for testing purposes and replace the Fritzbox. If the queries work then, it was the Fritzbox. If they don't, the AX86U MUST be the culprit.
 
On a whim, try removing edns-max-buffer-size and max-udp-size from the unbound.conf so that the 1232 default will take effect.
 
On a whim, try removing edns-max-buffer-size and max-udp-size from the unbound.conf so that the 1232 default will take effect.
No effect.

I have two updates: After a few days of running double-NATed (so with the AX86U in "Automatic IP" WAN mode behind the Fritzbox 7530 configured as a router as well), where - to my surprise - Unbound worked like a charm, I reverted to the original setup with the Fritzbox as modem only and the AX86U in PPPoE WAN mode.

I was slightly surprised again: Unbound kept working, at least on the surface. A forced anchor update unbound-anchor -F -v failed because the iana.org servers could not be resolved, so I would guess that at some point Unbound would stop working again and that the issue might lie somewhere in the initial run.

Then, as a further test, I uninstalled and reinstalled Unbound, and I had the same problems all over again. Unbound can't resolve anything, probably because it can't query the root servers.

And then I couldn't resist and switched the AX86U against my old RT-AC3200. Long story short: Same problems here.

Tomorrow I will get two different DSL modems to try out over the weekend. Then I'll know more, hopefully.
 
reverted to the original setup with the Fritzbox as modem only and the AX86U in PPPoE WAN mode.
Perhaps try some ping tests to discover the maximum MTU allowed. Windows ping syntax:
Code:
ping -f -l 1500 199.9.14.201
ping -f -l 1492 199.9.14.201
ping -f -l 1472 199.9.14.201
Also verify if an MSS clamping rule is active or not on the router in this config.
Code:
iptables-save -c | grep -i clamp
 
Last edited:
Perhaps try some ping tests to discover the maximum MTU allowed. Windows ping syntax:
Code:
ping -f -l 1500 199.9.14.201
ping -f -l 1492 199.9.14.201
ping -f -l 1472 199.9.14.201
Also verify if an MSS clamping rule is active or not on the router in this config.
Code:
iptables-save -c | grep -i clamp
This is a good suggestion, going off the OP's previous post. Typically at this point, @dave14305 has arrived at the solution everyone has been missing, so I have waited to say anything in this thread. After watching every one doing this "peel the onion" technique of investigating I did some digging myself. IIRC I read somewhere that FritzBox messes with DNS queries down to the root zone. The claim being that FritzBox packet level inspection drops UDP DNS queries to the root-zone, but this should not be the case if FritzBox is "truely" acting in a bridge-mode, no?

Here's something I read on ensuring FritzBox is in bridge-mode. I am not 100percent sure it is applicable to our OP's FritzBox, I am just sharing incase the OP has not completely put their FritzBox in bridge mode. It is here so the OP can review to ensure they have completely dotted all the "i"s and crossed all the "t"s in regards to their FritzBox and Bridge mode.

Has anybody asked if skynet or another router firewall was in the mix? I have seen queries fail if skynet has a crazy level of country blocks going on, and no telling what type of voodoo is happening if this is a secondary router passing requests through two firewalls. With two firewalls, it could be something as simple as ports not opening up (no UPNP) when the requesting router (secondary router) is making the requests over unbound. Unbound requires a crazy amount of out bound port access. If it is passing through two firewalls where the port randomization is blocked on the outbound between the two firewalls, there could be a problem. As someone else mentioned, it could also be an ISP issue as well. I suggest look at TCP dumps of the queries. See what is happening.

After further research, this is a known Issue with FritzBox and PPOE connection with another Router, a Pf-Sense box. I bet if the OP set unbound up as a forwarder to google or cloudflare, DNS would work. However, Unbound appears to be unable to make requests to root.zone when FritzBox passes connection as PPOE. It is actually a known issue to the people at this link:


The OP in his previous post stumbled upon the fact that Unbound has no problem working recursively in "double-nat" mode, which leads me to think something is broken or not working correctly with the Bridge mode setup on the FritzBox, or the OP may need to review the Bridgemode settings I have posted. The people in the link above also encountered that in bridge-mode/PPOE passthru mode, they could only use unbound as a forwarder, and could only use Unbound as a Recursive server if the modem/router was in a double-nat mode using "Automatic IP".

Perhaps bridgemode on the FritzBox is not enough to satisfy root.zone access. Maybe the OP has to do something like this with their FrizBox (similar to DMZ) where the OP must use the Expose Host options.

 
Last edited:

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top