Unbound Unable to make Unbound work


mangkoran

New Around Here
Hi all. I am trying to install Unbound on my AX-56U. I tried to install Unbound via amtm -> unbound_manager. I fulfilled all the pre-reqs and unbound is successfully installed with the default config. However, when I tried to dig @127.0.0.1 -p 53535 google.com, it showed SERVFAIL status.

Code:
; <<>> DiG 9.18.16 <<>> @127.0.0.1 -p 53535 google.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 17418
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1472
;; QUESTION SECTION:
;google.com.                    IN      A

;; Query time: 158 msec
;; SERVER: 127.0.0.1#53535(127.0.0.1) (UDP)
;; WHEN: Mon Sep 11 05:29:02 ICT 2023
;; MSG SIZE  rcvd: 39

This causes all clients connected to the router to lose connectivity/internet access because DNS resolution fails. Could anyone please guide me on where I went wrong?
 
Check the router with:
Code:
netstat -nltup | grep -E ":53 |unbound|dnsmasq"
dig google.com @127.0.0.1
 
Check the router with:
Code:
netstat -nltup | grep -E ":53 |unbound|dnsmasq"
dig google.com @127.0.0.1
Below is the output.
Code:
tcp        0      0 127.0.0.1:953           0.0.0.0:*               LISTEN      32281/unbound
tcp        0      0 127.0.0.1:53535         0.0.0.0:*               LISTEN      32281/unbound
udp        0      0 127.0.0.1:53535         0.0.0.0:*                           32281/unbound
udp        0      0 0.0.0.0:67              0.0.0.0:*                           32309/dnsmasq

Looks like unbound is running. But the dig command seems to indicate it failed to connect.
Code:
;; communications error to 127.0.0.1#53: connection refused
;; communications error to 127.0.0.1#53: connection refused
;; communications error to 127.0.0.1#53: connection refused

; <<>> DiG 9.18.16 <<>> google.com @127.0.0.1
;; global options: +cmd
;; no servers could be reached
 
Looks like unbound is running. But the dig command seems to indicate it failed to connect.
Nothing is listening on port 53, so clients can’t find a DNS server. It sounds like you somehow disabled dnsmasq DNS (e.g. port=0), but Unbound isn’t listening on port: 53 in its place.
 
I found that there is a port=0 line in /jffs/configs/dnsmasq.conf.add (idk, maybe I forgot about this). After removing that line, I think dnsmasq is now up and listening on :53.
Code:
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN      2605/dnsmasq
tcp        0      0 192.168.50.1:53         0.0.0.0:*               LISTEN      2605/dnsmasq
tcp        0      0 127.0.0.1:953           0.0.0.0:*               LISTEN      2214/unbound
tcp        0      0 127.0.0.1:53535         0.0.0.0:*               LISTEN      2214/unbound
udp        0      0 127.0.0.1:53535         0.0.0.0:*                           2214/unbound
udp        0      0 127.0.0.1:53            0.0.0.0:*                           2605/dnsmasq
udp        0      0 192.168.50.1:53         0.0.0.0:*                           2605/dnsmasq
udp        0      0 0.0.0.0:67              0.0.0.0:*                           2605/dnsmasq

However, the dig still fails.
Code:
; <<>> DiG 9.18.16 <<>> google.com @127.0.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 43749
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;google.com.                    IN      A

;; Query time: 1 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
;; WHEN: Mon Sep 11 06:28:57 ICT 2023
;; MSG SIZE  rcvd: 39
 
I would uninstall unbound manager, cleanup /jffs/configs/dnsmasq.conf.add and /jffs/scripts/dnsmasq.postconf so you can get a working system again. Then start over slowly with Unbound. Document each step and option selected.
 
Did you mean I should reinstall unbound with unbound_manager? Or manually install it from Entware? Apologies, as I am pretty new to networking, so I thought unbound_manager could help me set up unbound more easily.
 
Did you mean I should reinstall unbound with unbound_manager? Or manually install it from Entware? Apologies, as I am pretty new to networking, so I thought unbound_manager could help me set up unbound more easily.
Yes, I did mean with unbound_manager, if it isn't too complicated. It just seemed it wasn't set up correctly the first time.

The fact that your original dig command on port 53535 failed, suggested Unbound couldn’t reach the internet. Is Skynet also installed?
 
Yes, I did mean with unbound_manager, if it isn't too complicated. It just seemed it wasn't set up correctly the first time.

The fact that your original dig command on port 53535 failed, suggested Unbound couldn’t reach the internet. Is Skynet also installed?
I see. I will try to reinstall unbound and report the steps here. And no, I don't have Skynet installed, although I do have Diversion installed, but I disabled it.
 
I have cleaned those 2 files and reinstalled unbound. Below are the options I chose.
Code:
Do you want to ENABLE unbound logging? (NO recommended)

        Reply 'y' or press ENTER  to skip (skip)

Do you want to optimise Performance/Memory parameters? (YES recommended)

        Reply 'y' or press [Enter]  to skip (y)

After that, below is the router configuration as reported by unbound_manager.
Code:
        Router Configuration recommended pre-reqs status:

        [✔] Swapfile=2097148 kB
        [✔] DNS Filter=ON
        [✔] DNS Filter=ROUTER
        [✔] WAN: Use local caching DNS server as system resolver=NO
        [✔] Entware NTP server 'S77ntpd' is running
        [✔] Enable DNS Rebind protection=NO
        [✔] Enable DNSSEC support=NO

        Options:

        [✔] unbound CPU/Memory Performance tweaks
        [✔] Firefox DNS-over-HTTPS (DoH) DISABLE/Blocker
        [✔] unbound-control FAST response ENABLED

Netstat output.
Code:
netstat: showing only processes with your user ID
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN      7751/dnsmasq
tcp        0      0 192.168.50.1:53         0.0.0.0:*               LISTEN      7751/dnsmasq
tcp        0      0 127.0.0.1:953           0.0.0.0:*               LISTEN      7652/unbound
tcp        0      0 127.0.0.1:53535         0.0.0.0:*               LISTEN      7652/unbound
udp        0      0 127.0.0.1:53535         0.0.0.0:*                           7652/unbound
udp        0      0 127.0.0.1:53            0.0.0.0:*                           7751/dnsmasq
udp        0      0 192.168.50.1:53         0.0.0.0:*                           7751/dnsmasq
udp        0      0 0.0.0.0:67              0.0.0.0:*                           7751/dnsmasq

However, dig still reported SERVFAIL.
Code:
; <<>> DiG 9.18.16 <<>> www.google.com @127.0.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 22929
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;www.google.com.                        IN      A

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
;; WHEN: Mon Sep 11 07:37:19 ICT 2023
;; MSG SIZE  rcvd: 43
 
I tried to dig snbforums.com and it still reported SERVFAIL.
Code:
; <<>> DiG 9.18.16 <<>> snbforums.com @127.0.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 55342
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;snbforums.com.                 IN      A

;; Query time: 1 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
;; WHEN: Mon Sep 11 07:54:51 ICT 2023
;; MSG SIZE  rcvd: 42

Below is the content of unbound.log.
Code:
Sep 11 07:37:39 unbound[7652:0] info: service stopped (unbound 1.17.1).
Sep 11 07:54:28 unbound[13089:0] info: start of service (unbound 1.17.1).
Sep 11 07:54:44 unbound[13089:0] info: validation failure <snbforums.com. A IN>: No DNSKEY record from 192.43.172.30 for key com. while building chain of trust
Sep 11 07:55:01 unbound[13089:0] info: validation failure <agent-oc.ninjarmm.com. AAAA IN>: key for validation com. is marked as invalid
Sep 11 07:55:01 unbound[13089:0] info: validation failure <agent-oc.ninjarmm.com. A IN>: key for validation com. is marked as invalid
Sep 11 07:55:02 unbound[13089:0] info: validation failure <edgeapi.slack.com. HTTPS IN>: key for validation com. is marked as invalid
Sep 11 07:55:02 unbound[13089:0] info: validation failure <edgeapi.slack.com. A IN>: key for validation com. is marked as invalid
Sep 11 07:55:06 unbound[13089:0] info: validation failure <signaler-pa.clients6.google.com. A IN>: key for validation com. is marked as invalid

I suppose this key validation thing is the culprit?

Edit: After searching the net for a while, I suppose this has something to do with DNSSEC. If that's the case, is it possible to turn off unbound's DNSSEC and see if it will work?
 
I suppose this key validation thing is the culprit?
Try:
Code:
cat /opt/var/lib/unbound/root.key
/opt/sbin/unbound-anchor -a /opt/var/lib/unbound/root.key
cat /opt/var/lib/unbound/root.key
is it possible to turn off unbound's DNSSEC
Possible by removing validator from the module-config option. But without DNSSEC, there's not much extra benefit to Unbound over dnsmasq. Recursive resolving is fun to try, but not a must-have for small home routers.
 
I tried the unbound-anchor command and added -v for verbosity. Below is the output.
Code:
/opt/var/lib/unbound/root.key has content
fail: the anchor is NOT ok and could not be fixed

I have searched the net and it seems it has something to do with ntp. But I have ntpMerlin running with ntpd.
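The three checks that drove this thread (who owns port 53 in netstat, what dig reports, and what unbound.log says about validation) can be scripted so the same reasoning is applied consistently instead of read by eye. The script below is an added example for this thread, not code from any post here and not part of unbound_manager or Unbound; the function names, the one-word verdicts and the live_dnssec_probe helper are my own. The live probe relies on dig's real +cd flag (checking disabled): a name that resolves with +cd but returns SERVFAIL with validation on shows that the resolver reaches the internet and that the failure is in the DNSSEC chain of trust, which is what the "key for validation com. is marked as invalid" log lines above describe. The sample inputs are copied from the posts in this thread.

```shell
#!/bin/sh
# Added diagnostic helpers for the situation in this thread (not from any post
# here, from unbound_manager, or from Unbound). Each classifier reads the output
# of a check already used above (netstat -nltup, dig, unbound.log) on stdin and
# prints a one-word verdict, so the checks can be re-run against saved output.

# Which process owns port 53 in `netstat -nltup` output?
# Prints dnsmasq, unbound, other or none. Column 4 is the local address.
port53_owner() {
    awk '$4 ~ /:53$/ { p = $NF; if (p ~ /dnsmasq/) d = 1; else if (p ~ /unbound/) u = 1; else o = 1 }
         END { v = "none"; if (o) v = "other"; if (u) v = "unbound"; if (d) v = "dnsmasq"; print v }'
}

# Classify dig output: unreachable (nothing listening on the target port),
# servfail (a resolver answered but could not resolve), noerror, or unknown.
dig_verdict() {
    awk '/connection refused|no servers could be reached/ { r = 1 }
         /status: SERVFAIL/ { s = 1 }
         /status: NOERROR/  { ok = 1 }
         END { v = "unknown"; if (ok) v = "noerror"; if (s) v = "servfail"; if (r) v = "unreachable"; print v }'
}

# Count DNSSEC validation failures in unbound.log and name the zone whose key
# could not be validated. Prints "<count> <zone>...", e.g. "6 com.".
dnssec_failures() {
    awk '/validation failure/ { n++; if (match($0, /key for validation [^ ]+|for key [^ ]+/)) { z = substr($0, RSTART, RLENGTH); sub(/.* /, "", z); zones[z] = 1 } }
         END { printf "%d", n; for (z in zones) printf " %s", z; print "" }'
}

# Live probe (needs the router and a working WAN; not run by the samples below).
# If the name resolves with DNSSEC checking disabled (+cd) but SERVFAILs with
# validation on, Unbound reaches the internet and the problem is the chain of
# trust, not connectivity. unbound-anchor fetches the trust anchor over HTTPS,
# so a wrong router clock also makes it fail; the date is printed for that reason.
live_dnssec_probe() {
    name=${1:-snbforums.com}; port=${2:-53535}
    printf 'checking disabled (+cd): %s\n' "$(dig +cd +short @127.0.0.1 -p "$port" "$name" | head -n 1)"
    printf 'validating:              %s\n' "$(dig @127.0.0.1 -p "$port" "$name" | dig_verdict)"
    printf 'router clock (UTC):      %s\n' "$(date -u)"
}

# Samples copied from the posts in this thread.
SAMPLE_NETSTAT_FIRST='tcp        0      0 127.0.0.1:53535         0.0.0.0:*               LISTEN      32281/unbound
udp        0      0 127.0.0.1:53535         0.0.0.0:*                           32281/unbound
udp        0      0 0.0.0.0:67              0.0.0.0:*                           32309/dnsmasq'
SAMPLE_NETSTAT_FIXED='tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN      2605/dnsmasq
udp        0      0 127.0.0.1:53            0.0.0.0:*                           2605/dnsmasq
tcp        0      0 127.0.0.1:53535         0.0.0.0:*               LISTEN      2214/unbound'
SAMPLE_DIG_REFUSED=';; communications error to 127.0.0.1#53: connection refused
;; no servers could be reached'
SAMPLE_DIG_SERVFAIL=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 55342
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_UNBOUND_LOG='Sep 11 07:54:44 unbound[13089:0] info: validation failure <snbforums.com. A IN>: No DNSKEY record from 192.43.172.30 for key com. while building chain of trust
Sep 11 07:55:01 unbound[13089:0] info: validation failure <agent-oc.ninjarmm.com. A IN>: key for validation com. is marked as invalid'

# Stand-alone run: verdicts for the samples, in the order the thread hit them.
printf 'port 53, first listing: %s\n' "$(printf '%s\n' "$SAMPLE_NETSTAT_FIRST" | port53_owner)"
printf 'port 53, after fix:     %s\n' "$(printf '%s\n' "$SAMPLE_NETSTAT_FIXED" | port53_owner)"
printf 'dig before fix:         %s\n' "$(printf '%s\n' "$SAMPLE_DIG_REFUSED" | dig_verdict)"
printf 'dig after fix:          %s\n' "$(printf '%s\n' "$SAMPLE_DIG_SERVFAIL" | dig_verdict)"
printf 'unbound.log:            %s\n' "$(printf '%s\n' "$SAMPLE_UNBOUND_LOG" | dnssec_failures)"
```

Run on the router as `sh diag.sh` to see the sample verdicts, or call `live_dnssec_probe snbforums.com 53535` from an interactive shell after sourcing the file. The verdict sequence none, unreachable, then dnsmasq plus servfail plus a non-zero validation-failure count is exactly the progression in this thread: first nothing on port 53 (port=0), then a listener on port 53 that forwards to an Unbound that cannot build the com. chain of trust.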
 