Unbound - Authoritative Recursive Caching DNS Server

Status
Not open for further replies.
I'm very glad to have learned more about Unbound this weekend as a result of your research and testing. I think it's a good DNS solution. But I still do not see the purpose of inserting Unbound between dnsmasq and Stubby, since Unbound will not perform its own recursive queries when a forward-zone is configured. Since it behaves as another forwarder to the Stubby upstream servers, it would make more sense to me to see:
  1. dnsmasq with Stubby to an external recursive resolver (e.g. CloudFlare, Google, Quad9, etc.)
  2. dnsmasq with Unbound configured for DoT to an external recursive resolver
  3. Unbound without dnsmasq or Stubby without any forward-zones (unencrypted)
It all depends on what you want to achieve. If you want encryption, 1 or 2 makes sense. If you want to not share too much DNS data with third-parties (CloudFlare, Google, Quad9, etc.) then you might want #3, even though it's snoopable. But you can't seem to get your own local recursive queries encrypted.

Thanks again @rgnldo for all the work you've done teaching us how to integrate Unbound!
 
Unbound without dnsmasq or Stubby without any forward-zones
Not possible on FW Merlin or any other firmware. The dnsmasq is shipped.
dnsmasq with Stubby to an external recursive resolver (e.g. CloudFlare, Google, Quad9, etc.)
It is optional. When I add cache-size=0 and no-resolv, I disable dnsmasq's DNS option and delegate resolution to stubby.
 
Not possible on FW Merlin or any other firmware. The dnsmasq is shipped.

It is optional. When I add cache-size=0 and no-resolv, I disable dnsmasq's DNS option and delegate resolution to stubby.

Well actually you're not technically disabling, just forwarding. It is possible if you want, though... Set port=0 in dnsmasq.conf (via postconf) and you disable DNS resolution via dnsmasq, leaving dnsmasq to do DHCP only, and have unbound listen on port 53.

Then to @dave14305's point, you could have one less process (stubby) by turning off DNS-over-TLS in the router GUI and setting up unbound to do DNS-over-TLS.

The downside of this, though, is that none of this is configurable from the router GUI anymore. AND it breaks Diversion... but then if you're fiddling with your own DNS server you can always add your own ad blocking in unbound anyway. https://calomel.org/unbound_dns.html

PS thanks @rgnldo I've enjoyed reading up on unbound even though I am not yet using it.
 
Well actually you're not technically disabling, just forwarding. It is possible if you want, though... Set port=0 in dnsmasq.conf (via postconf) and you disable DNS resolution via dnsmasq, leaving dnsmasq to do DHCP only, and have unbound listen on port 53.
I'll check.
you could have one less process (stubby) by turning off
With Stubby on, the /tmp/resolv.dnsmasq file looks like local resolution.
breaks Diversion
Does not break. Works smoothly here and with Skynet.
add your own ad blocking in unbound anyway
I have the script that organizes an adblock mega list for unbound format, using nginx as Pixelserv. The problem is keeping this script up to date. I get the guys from Diversion.
 
Woah, easy there. Perhaps you misread my message.
If, and only if, you disable dnsmasq with port=0 as I wrote, then, and only then, is Diversion broken - as Diversion obviously relies on dnsmasq doing DNS, which is actually disabled here (as opposed to redirected in your setup).

I was just offering a PoC that could work, only as you had said it can't be done.

Naturally if you don't use the port=0 method, then you can't use port 53 for unbound ("Unable to arrange unbound on port 53."). That much I thought was obvious, but again you clearly didn't read my message properly or it got lost in translation.

No matter though, your method works, so why change!

Sent from my Nokia 7 plus using Tapatalk
 
Woah, easy there. Perhaps you misread my message.
If, and only if, you disable dnsmasq with port=0 as I wrote, then, and only then, is Diversion broken - as Diversion obviously relies on dnsmasq doing DNS, which is actually disabled here (as opposed to redirected in your setup).

I was just offering a PoC that could work, only as you had said it can't be done.

Naturally if you don't use the port=0 method, then you can't use port 53 for unbound ("Unable to arrange unbound on port 53."). That much I thought was obvious, but again you clearly didn't read my message properly or it got lost in translation.

No matter though, your method works, so why change!

Sent from my Nokia 7 plus using Tapatalk
OK! I will try to organize my adblock script with Nginx.
 
Script to generate an adblock list for unbound
Code:
#!/bin/bash
# Builds an Unbound "local-zone ... static" blocklist from the StevenBlack hosts list
destinationIP="0.0.0.0"
workdir="/jffs/Adblock"
tempoutlist="$workdir/adlist.tmp"
outlist="$workdir/tmp.host"
finalist="$workdir/tmp.finalhost"
permlist="$workdir/adperm.txt"      # allowed domains, one per line (never blocked)
adlist="$workdir/adservers.txt"     # output file, included from unbound.conf

mkdir -p "$workdir"
touch "$permlist"                   # grep -f fails on a missing allow list

echo "Removing possible temporary files..."
rm -f "$tempoutlist" "$outlist" "$finalist"

echo "Downloading StevenBlack ad list..."
# strip CR line endings and comments, then keep only the hostname of 0.0.0.0 entries
curl --progress-bar https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts \
  | sed 's/\r$//; s/#.*//' \
  | awk '$1 == "0.0.0.0" && $2 != "0.0.0.0" && $2 != "" { print $2 }' \
  | sort > "$tempoutlist"

echo "Removing duplicate domains..."
sort -u "$tempoutlist" | sed '/^$/d' | awk -v "IP=$destinationIP" '{ print IP " " $0 }' > "$outlist"

numberOfAdsBlocked=$(wc -l < "$outlist" | sed 's/^[ \t]*//')
echo "$numberOfAdsBlocked compiled domains"

echo "Removing allowed domains..."
# fixed-string, substring match against "0.0.0.0 domain" lines; an empty allow list keeps everything
if [ -s "$permlist" ]; then
    grep -vFf "$permlist" "$outlist" > "$finalist"
else
    cp "$outlist" "$finalist"
fi

echo "Generating Unbound adlist..."
awk '$1 == "0.0.0.0" { print "local-zone: \"" $2 "\" static" }' "$finalist" > "$adlist"
numberOfAdsBlocked=$(wc -l < "$adlist" | sed 's/^[ \t]*//')
echo "$numberOfAdsBlocked suspicious and blocked domains"

echo "Removing temporary files..."
rm -f "$tempoutlist" "$outlist" "$finalist"

echo "Restarting DNS server..."
/opt/etc/init.d/S61unbound restart
From what I noticed, memory consumption has been greatly reduced.

unbound.conf file
Code:
server:
    # port to answer queries from
    port: 53
    verbosity: 1

    do-ip4: yes
    do-ip6: yes
    do-udp: yes
    do-tcp: yes

    # don't be picky about interfaces but consider your firewall
    interface: 0.0.0.0
    interface: ::0
    access-control: 0.0.0.0/0 refuse
    access-control: 127.0.0.0/8 allow
    access-control: 10.0.30.0/24 allow
    access-control: 192.168.1.0/24 allow
    access-control: ::0/0 refuse
    access-control: ::1/128 allow

    # DNS Rebinding
    # For DNS Rebinding prevention
    private-address: 10.0.0.0/8
    private-address: ::ffff:a00:0/104
    private-address: 172.16.0.0/12
    private-address: ::ffff:ac10:0/108
    private-address: 169.254.0.0/16
    private-address: ::ffff:a9fe:0/112
    private-address: 192.168.0.0/16
    private-address: ::ffff:c0a8:0/112
    private-address: fd00::/8
    private-address: fe80::/10
  
    # two worker threads; slab counts must be a power of two, ideally close to num-threads
    num-threads: 2
    msg-cache-slabs: 4
    rrset-cache-slabs: 4
    infra-cache-slabs: 4
    key-cache-slabs: 4
    so-reuseport: yes

    # tiny memory cache
    key-cache-size: 16m
    msg-cache-size: 2m
    rrset-cache-size: 2m
    cache-max-ttl: 86400
    cache-min-ttl: 3600
    cache-max-negative-ttl: 0
    edns-buffer-size: 1472
    rrset-roundrobin: yes
    harden-glue: yes
    harden-below-nxdomain: yes

    # prefetch
    prefetch: yes
    prefetch-key: yes
    minimal-responses: yes

    # privacy and hardening
    hide-identity: yes
    hide-version: yes
    do-not-query-localhost: no
    qname-minimisation: yes
    val-clean-additional: yes

    # Drop privileges to user "nobody" and chroot into /opt/var/lib/unbound
    username: "nobody"
    directory: "/opt/var/lib/unbound"
    chroot: "/opt/var/lib/unbound"
    root-hints: "/opt/var/lib/unbound/root.hints"

    # DNSSEC and DNS-over-TLS
    auto-trust-anchor-file: "/opt/var/lib/unbound/root.key"
    tls-cert-bundle: "/opt/etc/ssl/certs/ca-certificates.crt"
    # The pid file
    pidfile: "/opt/var/run/unbound.pid"

    # Adblock blacklist
    include: /jffs/Adblock/adservers.txt

remote-control:
    control-enable: yes
    control-interface: 127.0.0.1
    control-port: 953
    server-key-file: "/opt/var/lib/unbound/unbound_server.key"
    server-cert-file: "/opt/var/lib/unbound/unbound_server.pem"
    control-key-file: "/opt/var/lib/unbound/unbound_control.key"
    control-cert-file: "/opt/var/lib/unbound/unbound_control.pem"

forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-addr: 185.222.222.222@853#dns.sb
    forward-addr: 185.184.222.222@853#dns.sb
    forward-addr: 2a09::@853#dns.sb
    forward-addr: 2a09::1@853#dns.sb

dnsmasq.postconf
Code:
#!/bin/sh
# Asuswrt-Merlin dnsmasq.postconf: edits the generated dnsmasq.conf before dnsmasq starts
CONFIG=$1
. /usr/sbin/helper.sh                                   # POSIX "." instead of bash-only "source"
pc_delete "no-negcache" $CONFIG
pc_append "server=127.0.1.1#53" $CONFIG                 # forward to unbound on 127.0.1.1
pc_replace "cache-size=1500" "cache-size=0" $CONFIG     # no second cache in front of unbound
pc_append "port=0" $CONFIG                              # dnsmasq stops serving DNS entirely
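The script above converts a hosts-format list into Unbound "local-zone ... static" lines with a chain of grep and awk. As an added example (not the poster's script and not part of Unbound), the following POSIX sh function does the same conversion but handles the inputs that a plain `awk '{print $2}'` gets wrong: CRLF line endings, inline comments, IPv6 null-route entries (`::` and `::1`), mixed case, duplicates, the `0.0.0.0 0.0.0.0` and localhost boilerplate, and an allow list matched as whole names rather than substrings. The sample hosts lines and the allow-list entry are constructed for the demo.

```shell
#!/bin/sh
# Added example: hosts-format blocklist -> Unbound local-zone static entries.
export LC_ALL=C   # deterministic sort order and byte-wise matching

# hosts_to_unbound ALLOWLIST_FILE  < hosts_file  > adservers.txt
# ALLOWLIST_FILE holds one domain per line; matching is exact (-x), so
# allowing example.com does not also unblock ads.example.com.au
hosts_to_unbound() {
    allow="$1"
    sed 's/\r$//; s/#.*//' \
    | awk '$1 == "0.0.0.0" || $1 == "127.0.0.1" || $1 == "::" || $1 == "::1" { print tolower($2) }' \
    | grep -Ev '^(localhost|localhost\.localdomain|local|broadcasthost|ip6-[a-z]+|0\.0\.0\.0)$' \
    | grep -E '^([a-z0-9_-]+\.)+[a-z0-9-]+$' \
    | sort -u \
    | if [ -s "$allow" ]; then grep -vxFf "$allow"; else cat; fi \
    | awk '{ print "local-zone: \"" $1 "\" static" }'
}

# Constructed sample in StevenBlack hosts layout (not the real list)
sample_hosts() {
    cat <<'EOF'
# Title: constructed sample
127.0.0.1 localhost
::1 localhost
0.0.0.0 0.0.0.0
0.0.0.0 ads.example.com   # inline comment
0.0.0.0 Tracker.Example.NET
0.0.0.0 ads.example.com
0.0.0.0 allowed.example.org
:: ipv6-ads.example.com
EOF
    printf '0.0.0.0 crlf.example.com\r\n'   # Windows line ending
}

# Runs the conversion on the sample with a one-entry allow list and prints the result
demo() {
    allow=$(mktemp)
    echo "allowed.example.org" > "$allow"   # constructed allow list
    sample_hosts | hosts_to_unbound "$allow"
    rm -f "$allow"
}

demo
```

The output is four `local-zone` lines (ads, crlf, ipv6-ads and tracker); `allowed.example.org` is dropped by the allow list and the localhost, `0.0.0.0` and duplicate entries never reach the output. Redirect `demo`'s output to the file named in unbound.conf's `include:` and restart Unbound as in the poster's script.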
 
Code:
forward-addr: 185.222.222.222@853
forward-addr: 185.184.222.222@853
forward-addr: 2a09::@853
forward-addr: 2a09::1@853
I read it's important (if not necessary) to append the TLS authentication name to the forward-addr, like this:
Code:
forward-addr: 185.222.222.222@853#dns.sb
Do you get any problems or warnings without it?
 
Unbound running on port 53 unlinked from dnsmasq.
dnsmasq.postconf
Code:
#!/bin/sh
# Asuswrt-Merlin dnsmasq.postconf: dnsmasq does DHCP only, unbound owns port 53
CONFIG=$1
. /usr/sbin/helper.sh                                   # POSIX "." instead of bash-only "source"
pc_delete "no-negcache" $CONFIG
pc_replace "cache-size=1500" "cache-size=0" $CONFIG
pc_append "port=0" $CONFIG                              # disables dnsmasq's DNS service
pc_append "dhcp-option=6,IPDNSROUTER" $CONFIG           # IPDNSROUTER = the router's LAN IP

You need the options port=0 and dhcp-option=6,IPDNSROUTER in the dnsmasq.conf file.
To make things work, dnsmasq has to stop providing DNS services. This can be achieved with the port=0 keyword, however that will also disable informing DHCP clients about the DNS server to use. So this has to be added in manually.

@SomeWhereOverTheRainBow @dave14305 @Cam @Xentrk
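The post above describes a trap: port=0 makes dnsmasq stop serving DNS, but it also stops dnsmasq from announcing itself as the DNS server in DHCP, so clients end up with no resolver unless dhcp-option=6 is added. As an added example (not Merlin's helper.sh and not the poster's postconf), the following POSIX sh reproduces those edits on a copy of dnsmasq.conf with plain sed and then checks the invariant: once port=0 is present, a dhcp-option=6 line must be present too. The sample dnsmasq.conf excerpt and the router address 192.168.1.1 are constructed.

```shell
#!/bin/sh
# Added example: apply the port=0 handoff to a dnsmasq.conf copy and verify it.

# handoff_dns_to_unbound CONF ROUTER_LAN_IP
# Mirrors the postconf edits: drop no-negcache, zero the cache, disable DNS,
# and hand DHCP clients ROUTER_LAN_IP as their DNS server (where unbound listens).
handoff_dns_to_unbound() {
    conf="$1"; router_ip="$2"
    sed -i '/^no-negcache$/d' "$conf"                              # pc_delete "no-negcache"
    sed -i 's/^cache-size=1500$/cache-size=0/' "$conf"             # pc_replace
    grep -qx 'port=0' "$conf" || echo 'port=0' >> "$conf"          # pc_append, idempotent
    grep -q '^dhcp-option=6,' "$conf" || echo "dhcp-option=6,$router_ip" >> "$conf"
}

# check_dnsmasq_handoff CONF
# exit 0: consistent; 1: port=0 set but no dhcp-option=6 (clients get no DNS);
# 2: no port=0, so dnsmasq still owns port 53 and unbound cannot bind it
check_dnsmasq_handoff() {
    conf="$1"
    if ! grep -qx 'port=0' "$conf"; then
        echo "WARN: dnsmasq still serves DNS on port 53; unbound cannot bind it" >&2
        return 2
    fi
    if ! grep -Eq '^dhcp-option=6,[0-9.]+' "$conf"; then
        echo "FAIL: port=0 without dhcp-option=6 -> DHCP clients get no DNS server" >&2
        return 1
    fi
    return 0
}

# Constructed excerpt of a stock dnsmasq.conf (not copied from a router)
sample_conf() {
    cat <<'EOF'
pid-file=/var/run/dnsmasq.pid
no-negcache
cache-size=1500
interface=br0
dhcp-range=lan,192.168.1.2,192.168.1.254,255.255.255.0,86400s
EOF
}

# Shows the check failing before the handoff and passing after it
demo() {
    tmp=$(mktemp)
    sample_conf > "$tmp"
    before=0; check_dnsmasq_handoff "$tmp" 2>/dev/null || before=$?
    handoff_dns_to_unbound "$tmp" 192.168.1.1
    after=0; check_dnsmasq_handoff "$tmp" 2>/dev/null || after=$?
    echo "check before handoff: $before, after handoff: $after"
    cat "$tmp"
    rm -f "$tmp"
}

demo
```

Run `check_dnsmasq_handoff /etc/dnsmasq.conf` on the router after dnsmasq has been restarted to confirm both lines made it into the generated file; a status of 1 is the exact failure the post warns about.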
 
I read it's important (if not necessary) to append the TLS authentication name to the forward-addr, like this:
Code:
forward-addr: 185.222.222.222@853#dns.sb
Do you get any problems or warnings without it?
This is when you are forwarding traffic without an initial TLS connection, but if you are forwarding using stubby you don't need the TLS argument because stubby handles that.
You are correct if you are talking about letting unbound establish the connection, though, because it is required for a proper TLS handshake, or else you could not properly assure it is making a secure connection.
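The exchange above turns on one detail: when Unbound itself opens the TLS connection (forward-tls-upstream: yes), each forward-addr needs the `#authname` suffix so the upstream certificate is verified against that name; without it the session is encrypted but the peer is not authenticated. As an added example (not part of Unbound or of the thread), the following POSIX sh function walks an unbound.conf, collects the forward-addr entries of every forward-zone that has forward-tls-upstream enabled, and reports those with no auth name; its exit status is the number of such entries. The config excerpt is constructed; the dns.sb addresses are the ones quoted in the thread.

```shell
#!/bin/sh
# Added example: lint forward-zone entries for missing TLS authentication names.

# lint_forward_tls UNBOUND_CONF
# Prints each forward-addr that is used over TLS but lacks "#authname".
# Exit status = number of such entries (0 means every TLS upstream is authenticated).
# Unbound clauses end at the next clause keyword, not at indentation, so the
# parser keys on clause names rather than on leading whitespace.
lint_forward_tls() {
    awk '
        function flush(   i) {
            if (zone && tls)
                for (i = 0; i < n; i++)
                    if (index(addr[i], "#") == 0) { print "unauthenticated: " addr[i]; bad++ }
            zone = 0; tls = 0; n = 0
        }
        $1 ~ "^#" || NF == 0 { next }                      # comment or blank line
        $1 ~ "^(server|remote-control|forward-zone|stub-zone|auth-zone|view):$" {
            flush(); zone = ($1 == "forward-zone:"); next   # new top-level clause
        }
        zone && $1 == "forward-tls-upstream:" { tls = ($2 == "yes") }
        zone && $1 == "forward-addr:"         { addr[n++] = $2 }
        END { flush(); exit bad }
    ' "$1"
}

# Constructed unbound.conf excerpt: one TLS zone with a mixed set of entries,
# and one plain-DNS zone whose bare address is fine
sample_unbound_conf() {
    cat <<'EOF'
server:
    # constructed excerpt, not a full unbound.conf
    verbosity: 1
forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-addr: 185.222.222.222@853#dns.sb
    forward-addr: 185.184.222.222@853
    forward-addr: 2a09::@853#dns.sb
forward-zone:
    name: "lan.example."
    forward-addr: 10.0.30.1@53
EOF
}

conf=$(mktemp)
sample_unbound_conf > "$conf"
lint_forward_tls "$conf" || echo "$? forward-addr entries lack a TLS auth name" >&2
rm -f "$conf"
```

On the sample this prints `unauthenticated: 185.184.222.222@853` and exits 1; the plain-DNS zone is ignored because it never enables forward-tls-upstream. Point it at `/opt/etc/unbound/unbound.conf` to check a live configuration before restarting Unbound.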
 
In commit 3c27750 the FW Merlin development team describes:
Implement option to prevent Firefox's automatic usage of DoH

Firefox is going to automatically use DNS over HTTPS, requiring the
users to manually opt out if they don't want to use it. This means
that by default Firefox will bypass your DNS over TLS servers configured
through DNSPrivacy, or DNS servers applied by DNSFilter.

This option uses a canary domain that instructs Firefox not to
automatically enable DoH. By default, the router will only do
so if DNSPrivacy is enabled, or if you have a global DNSFilter configured.
(client-specific DNSFilter are NOT gonna automatically trigger this).
Users can also enable that override to unconditionally apply.
and adds canary domain support for dnsmasq: address=/use-application-dns.net
For unbound, how is it done? This way:
Code:
local-zone: "use-application-dns.net" static
Tell Firefox to not automagically send traffic to Cloudflare as there is this
Unbound using DNS-over-TLS / DNSCrypt without the need for it to use
separate DNS.
 
I've set up Unbound as a recursive resolver (no forward-zone) on 127.0.1.1#53 with DNSSEC. dnsmasq is still active with Diversion, forwarding to Unbound and adding proxy-dnssec. Will let this run a few days before deciding the next step.
 
I've set up Unbound as a recursive resolver (no forward-zone) on 127.0.1.1#53 with DNSSEC. dnsmasq is still active with Diversion, forwarding to Unbound and adding proxy-dnssec. Will let this run a few days before deciding the next step.
The best option I got was with unbound running alone. I added the adblock nxdomain function with the script I wrote. Some of these functions there in dnsmasq derive a lot from unbound functionality.
 
The best option I got was with unbound running alone. I added the adblock nxdomain function with the script I wrote. Some of these functions there in dnsmasq derive a lot from unbound functionality.
Dave's method seems interesting; if it works well, I would like to know what options he is setting in dnsmasq to have it forward to unbound.
 
I've set up Unbound as a recursive resolver (no forward-zone) on 127.0.1.1#53 with DNSSEC. dnsmasq is still active with Diversion, forwarding to Unbound and adding proxy-dnssec. Will let this run a few days before deciding the next step.
What are the options you are setting for dnsmasq to have it forward to unbound?
 