Unbound - Authoritative Recursive Caching DNS Server

@L&LD - you can have unbound in Scribe [option is available under @Martineau unbound install script] - but clearly not the full live logs which will certainly crash the webgui. We will have to wait for the combo of @Martineau and @Jack Yaz to give us an unbound webpage in the gui to show stats etc.

At this time the unbound script option for Scribe simply injects an unbound script into /opt/entware/etc/syslog-ng.d/ - but does not provide a script for logrotate. I basically "cloned" the pixelserv logrotate script and dropped it into /opt/entware/etc/logrotate.d/

Works fine in Scribe - and at least gives an indication that unbound is running and will track any activities invoked through unbound_manager.
Did you consider whether unbound supplies its own log rotation? If so, it may modify the permissions of the log file when doing so. Just a heads up: you may want to run without a logrotate if that is the case....
 
The tests must be those recommended by the IANA. That's enough. https://www.icann.org/resources/pages/tools-2012-02-25-en

dig www.cloudflare.com +dnssec +short
Code:
 % dig www.cloudflare.com +dnssec +short
104.17.210.9
104.17.209.9
A 13 3 300 20200206114546 20200204094546 34505 www.cloudflare.com. OWdN/Y56DclLLRvRpIe8DiX4LLdUdrNCaFqP6YA2dNqkICrFK7QlpB1N qefpe84NoBYUSVvCcK61QNpHtXU31g==

dig DNSKEY cloudflare.com +short
Code:
% dig DNSKEY cloudflare.com +short
257 3 13 mdsswUyr3DPW132mOi8V9xESWE8jTo0dxCjjnopKl+GqJxpVXckHAeF+ KkxLbxILfDLUT0rAK9iUzy1L53eKGQ==
256 3 13 oJMRESz5E4gYzS/q6XDrvU1qMPYIjCWzJaOau8XNEZeqCYKD5ar0IRd8 KqXXFJkqmVfRvMGPmM1x8fGAa2XhSA==
 
Did you consider whether unbound supplies its own log rotation? If so, it may modify the permissions of the log file when doing so. Just a heads up: you may want to run without a logrotate if that is the case....
It doesn’t appear to offer any log grooming at all, so use query logging sparingly. But if you let Unbound use syslog for logging then Scribe could manage filtering and rotating.
 
Hi,

When I have Unbound installed and I enable the OpenVPN client in Merlin a large percentage of web pages won't open. When I do not have the VPN enabled this doesn't occur, I'm able to open all web pages. Does anyone know why this would occur?
 
OK. I'm trying to understand the finer points of Unbound. I'm a noob to this, but can follow instructions.

Running Merlin 384.15.0 beta 1 on my AX88U.

Before I installed Unbound:-

I have DoT enabled and Cloudflare as both my primary and secondary DNS servers.
The DNS Server boxes on both the WAN and LAN settings pages are blank
DNSSEC enabled.
Rebind Enabled.

All is well and works without error, surviving both hard and soft reboot.

After I installed Unbound (via script):-

I have DoT enabled and Cloudflare as both my primary and secondary DNS servers.
The DNS Server boxes on both the WAN and LAN settings pages are blank
DNSSEC disabled
Rebind disabled

All, again is well, surviving both hard and soft reboot.

My question is this:

If Unbound gets the DNS info from the name servers directly and not via Cloudflare for example, why does my router say 'Internet Disconnected' if I remove the Cloudflare DNS entries from my router's WAN (Merlin) DoT drop-down entry fields?

I am guessing that, as my router's time is not set (the default May 05 is shown), that is why I have no access, but I thought Unbound would sort that for me?

Hope you understand my question!
 
If Unbound gets the DNS info from the name servers directly and not via Cloudflare for example, why does my router say 'Internet Disconnected' if I remove the Cloudflare DNS entries from my router's WAN (Merlin) DoT drop-down entry fields?
Because WAN DNS should not be empty, even with DoT setup. The router needs to test internet connectivity by sending DNS queries to WAN DNS servers. DoT servers were the fallback, so once you disabled that, it couldn’t do that anymore.
 
I'll continue to promote a minimalist unbound.conf that uses most defaults where appropriate for a small router like my AC68U.
Code:
server:
username: "nobody"
chroot: "/opt/var/lib/unbound"
directory: "/opt/var/lib/unbound"
pidfile: "unbound.pid"
tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"
root-hints: "root.hints"
auto-trust-anchor-file: "root.key"

logfile: "unbound.log"
log-time-ascii: yes
log-servfail: yes
extended-statistics: yes

edns-buffer-size: 1472
interface: 127.0.0.1@53535
private-address: 127.0.0.0/8
private-address: 192.168.1.0/24
do-ip6: no

private-address: 127.0.0.0/8
private-address: 10.0.0.0/8
private-address: 172.16.0.0/12
private-address: 192.168.0.0/16
private-address: 169.254.0.0/16

prefetch: yes
prefetch-key: yes
minimal-responses: yes
edns-buffer-size: 1472
hide-identity: yes
hide-version: yes
do-not-query-localhost: no
qname-minimisation: yes
rrset-roundrobin: yes
harden-glue: yes
harden-referral-path: no
harden-below-nxdomain: yes
harden-algo-downgrade: yes

remote-control:
control-enable: yes
control-use-cert: no
FYI Duplicate statement (although 'unbound-checkconf' doesn't detect/complain)
Code:
edns-buffer-size: 1472
 
Hi,

When I have Unbound installed and I enable the OpenVPN client in Merlin a large percentage of web pages won't open. When I do not have the VPN enabled this doesn't occur, I'm able to open all web pages. Does anyone know why this would occur?
Possibly the addresses you have set up in unbound.conf for access-control and private-address don't match the addresses of your VPN.
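An added illustration of that point (not code from the thread or from unbound_manager): Unbound applies the most specific access-control netblock that covers the client address, and refuses anything no entry covers, so a VPN client outside every 'allow' range is refused. The POSIX sh below emulates that lookup against the access-control lines from the full unbound.conf quoted in this thread; the client addresses tried are constructed examples.

```shell
#!/bin/sh
# Added example, not from the thread or unbound_manager.  Emulates Unbound's
# access-control lookup: the most specific (longest prefix) netblock covering the
# client address wins, and addresses no entry covers are refused.
# ACL lines copied from the unbound.conf posted in this thread.
ACL='access-control: 0.0.0.0/0 refuse
access-control: 127.0.0.0/8 allow
access-control: 10.0.0.0/8 allow
access-control: 172.16.0.0/16 allow
access-control: 192.168.0.0/24 allow'

# Dotted quad -> 32-bit integer (pure POSIX sh, no ipcalc needed on the router).
ip2int() {
  oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Print 1 if address $1 lies inside CIDR block $2, else 0.
in_cidr() {
  net=${2%/*}; bits=${2#*/}
  if [ "$bits" -eq 0 ]; then echo 1; return; fi   # /0 covers everything
  mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
  a=$(ip2int "$1"); n=$(ip2int "$net")
  [ $(( a & mask )) -eq $(( n & mask )) ] && echo 1 || echo 0
}

# Print the action (allow/refuse) Unbound would apply to client address $1.
acl_decision() {
  ip=$1; best=-1; action=refuse    # no covering entry -> Unbound refuses
  set -- $ACL                      # word-split into: key cidr action ...
  while [ $# -ge 3 ]; do
    cidr=$2; act=$3; shift 3
    bits=${cidr#*/}
    if [ "$(in_cidr "$ip" "$cidr")" = 1 ] && [ "$bits" -gt "$best" ]; then
      best=$bits; action=$act
    fi
  done
  echo "$action"
}

# A typical OpenVPN client address, a 172.x address outside the /16, and a
# 192.168.1.x LAN address that the posted /24 entry does not actually cover.
for client in 10.8.0.2 172.20.0.1 192.168.1.5; do
  echo "$client -> $(acl_decision "$client")"
done
```

Queries arriving from 127.0.0.1 (the dnsmasq forwarder) are unaffected, which is why the mismatch only shows up once VPN clients talk to Unbound directly.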
 
I've uploaded v2.04

New: Create example '/logrotate.d/unbound' file if 'scribe' logging has been enabled.
Fix: When a file contains only two bytes '0d0a', such as the Ad Block /adblock/blockhosts file, the script incorrectly reported a line count of 1.

I have now reluctantly decided to host the 'unbound.conf' on my Github.

'unbound.conf' v1.01 now includes by default
Code:
logfile: "/opt/var/lib/unbound/unbound.log" # v1.01 as per @dave14305 minimal config
log-time-ascii: yes                         # v1.01 as per @dave14305 minimal config
log-servfail: yes                           # v1.01 as per @dave14305 minimal config

tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"   # v1.01 as per @dave14305 minimal config

edns-buffer-size: 1472                      # v1.01 as per @dave14305 minimal config

# v1.01 Added the following
auth-zone:
       name: "."
       url: "https://www.internic.net/domain/root.zone"
       fallback-enabled: yes
       for-downstream: no
       for-upstream: yes
       zonefile: root.zone
NOTE: File 'root.zone' has always been downloaded during the installation and there is a daily cron job to ensure it is current.

New: TCP Fast Open. If you install the performance 'stuning.sh' option and you have an HND router, the following is added to 'stuning.sh':
Code:
start() {

 # Enable TCP Fast Open on HND routers - unbound_manager
 echo 3 > /proc/sys/net/ipv4/tcp_fastopen
 # (remainder of the existing start() body follows)
}
I don't think the above needs to be restricted to HND routers, but initially it is prudent pending confirmation that it is fully compatible with non-HND routers.

Change: For IPv6 users the following is added (I don't have the ability to test IPv6):
Code:
    #module-config: "validator iterator"
    module-config: "dns64 validator iterator"  # v1.01 perform a query against AAAA record exists
    dns64-prefix: 64:FF9B::/96

Please immediately report any anomalies with the changes in 'unbound.conf' v1.01.
 
@Martineau thank you for the new defaults.

On my RT-AX88U everything went smoothly until I went to 3, scribe.

Then the unbound.conf failed with 1 error: syntax error.

The part I see that changed was 'use-syslog: yes'.

Here is the complete unbound.conf.
Code:
# rgnldo User Install Custom Version vx.xx (Date Loaded by unbound_manager Wed Feb  5 13:35:49 MST 2020)
# rgnldo Version=v1.01 Martineau update (Date Loaded
# v1.01 Martineau - Added  'auth-zone:', 'edns-buffer-size:' log-time-ascii: 'log-servfail:' IPv6 'dns64-prefix:'
use-syslog: yes
log-local-actions: yes
#                   Change 'interface: 0.0.0.0' to 'interface: 127.0.0.1@53535'
server:
# port to answer queries from
port: 53535

#########################################
# integration LOG's
#
# verbosity: 2
logfile: "/opt/var/lib/unbound/unbound.log" # v1.01 as per @dave14305 minimal config
# log-queries: yes
# log-replies: yes
log-time-ascii: yes                         # v1.01 as per @dave14305 minimal config
use-syslog: yes
log-local-actions: yes
log-servfail: yes                           # v1.01 as per @dave14305 minimal config
#########################################

do-ip4: yes
#do-ip6: no
do-udp: yes
do-tcp: yes

# don't be picky about interfaces but consider your firewall
#interface: 0.0.0.0
interface: 127.0.0.1@53535                      # v1.01 as per @dave14305 minimal config

access-control: 0.0.0.0/0 refuse
access-control: 127.0.0.0/8 allow
access-control: 10.0.0.0/8 allow
access-control: 172.16.0.0/16 allow
access-control: 192.168.0.0/24 allow

# RFC1918 private IP address - Protects against DNS Rebinding
private-address: 127.0.0.0/8
private-address: 169.254.0.0/16
private-address: 10.0.0.0/8
private-address: 172.16.0.0/12
private-address: 192.168.0.0/16

#########################################
# integration IPV6
#
 do-ip6: yes
 module-config: "dns64 validator iterator"      # v1.01 perform a query against AAAA record exists
 dns64-prefix: 64:FF9B::/96                     # v1.01
 interface: ::0
 access-control: ::0/0 refuse
 access-control: ::1 allow
 private-address: fd00::/8
 private-address: fe80::/10
#########################################

tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"     # v1.01 as per @dave14305 minimal config

# no threads and no memory slabs for threads
num-threads: 1
msg-cache-slabs: 2
rrset-cache-slabs: 2
infra-cache-slabs: 2
key-cache-slabs: 2

# tiny memory cache
key-cache-size: 8m
msg-cache-size: 8m
rrset-cache-size: 16m
cache-max-ttl: 21600
cache-min-ttl: 5
prefetch: yes
prefetch-key: yes
serve-expired: yes
serve-expired-ttl: 3600
incoming-num-tcp: 600
outgoing-num-tcp: 100
ip-ratelimit: 100
edns-buffer-size: 1472                           # v1.01 as per @dave14305 minimal config

#########################################
# Options for integration with TCP/TLS Stubby
# udp-upstream-without-downstream: yes
#########################################

# prefetch
prefetch: yes
prefetch-key: yes
minimal-responses: yes

# gentle on recursion
hide-identity: yes
hide-version: yes
do-not-query-localhost: no
qname-minimisation: yes
harden-glue: yes
harden-below-nxdomain: yes
rrset-roundrobin: yes
aggressive-nsec: yes
deny-any: yes

# Self jail Unbound with user "unbound" to /var/lib/unbound
username: "nobody"
directory: "/opt/var/lib/unbound"
chroot: "/opt/var/lib/unbound"

# The pid file
pidfile: "/opt/var/run/unbound.pid"

# ROOT Server's
root-hints: "/opt/var/lib/unbound/root.hints"

# DNSSEC
#module-config: "validator iterator"
auto-trust-anchor-file: "/opt/var/lib/unbound/root.key"

#########################################
# Adblock blacklist
#include: /opt/var/lib/unbound/adblock/adservers
#include: /opt/var/lib/unbound/adblock/firefox_DOH
#########################################

remote-control:
control-enable: yes
control-interface: 127.0.0.1
control-port: 953
server-key-file: "/opt/var/lib/unbound/unbound_server.key"
server-cert-file: "/opt/var/lib/unbound/unbound_server.pem"
control-key-file: "/opt/var/lib/unbound/unbound_control.key"
control-cert-file: "/opt/var/lib/unbound/unbound_control.pem"

#########################################
#forward-zone:
#   name: "."
#   forward-addr: 127.0.0.1@5453
#   forward-addr: 0::1@5453 # integration IPV6
#########################################

# v1.01 Added the following
auth-zone:
       name: "."
       url: "https://www.internic.net/domain/root.zone"
       fallback-enabled: yes
       for-downstream: no
       for-upstream: yes
       zonefile: root.zone
 
Code:
# v1.01 Martineau - Added 'auth-zone:', 'edns-buffer-size:' log-time-ascii: 'log-servfail:' IPv6 'dns64-prefix:'
use-syslog: yes
log-local-actions: yes
# Change 'interface: 0.0.0.0' to 'interface: 127.0.0.1@53535'
server:
There shouldn't be any options before the server: line.

EDIT: I think the sed is finding the comment at the top of the file and inserting the use-syslog.
Code:
sed -i '/log\-time\-ascii:/ause\-syslog: yes' ${CONFIG_DIR}unbound.conf
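An added demonstration of the failure mode just described (not code from the thread or from unbound_manager): the sed 'a' command appends after every line that matches, so an unanchored pattern also fires on the header comment that mentions 'log-time-ascii:' and drops 'use-syslog: yes' above 'server:'. The sample conf is constructed to mimic that header; the anchored variant only matches a line that starts with the directive and is safe to re-run.

```shell
#!/bin/sh
# Added example, not from the thread or unbound_manager.  Shows why the sed
# quoted above inserts 'use-syslog: yes' twice, and an anchored variant that
# only fires on the real directive.  Sample conf is constructed to mimic the
# header unbound_manager writes (a comment that mentions 'log-time-ascii:').
make_sample_conf() {
  cat > "$1" <<'EOF'
# v1.01 Martineau - Added 'auth-zone:', 'edns-buffer-size:' log-time-ascii: 'log-servfail:'
server:
port: 53535
log-time-ascii: yes
log-servfail: yes
EOF
}

# Unanchored pattern: the 'a' command appends after EVERY line containing the
# text, so the header comment gets a copy too, above 'server:'.
buggy_insert() {
  sed -i '/log-time-ascii:/ause-syslog: yes' "$1"
}

# Anchored to a line that starts with the directive (optional leading blanks)
# and idempotent: a second run adds nothing.
safe_insert() {
  grep -q '^[[:space:]]*use-syslog:' "$1" && return 0
  sed -i '/^[[:space:]]*log-time-ascii:/ause-syslog: yes' "$1"
}

# Total 'use-syslog:' directives in the file.
count_use_syslog() { grep -c '^[[:space:]]*use-syslog:' "$1" || true; }

# 'use-syslog:' directives that landed above 'server:', i.e. the ones that
# produce the syntax error reported in the post above.
options_before_server() {
  sed -n '/^server:/q;p' "$1" | grep -c '^[[:space:]]*use-syslog:' || true
}

tmp=$(mktemp -d)
make_sample_conf "$tmp/buggy.conf"; buggy_insert "$tmp/buggy.conf"
make_sample_conf "$tmp/safe.conf";  safe_insert "$tmp/safe.conf"; safe_insert "$tmp/safe.conf"
echo "buggy: $(count_use_syslog "$tmp/buggy.conf") inserted, $(options_before_server "$tmp/buggy.conf") before server:"
echo "safe:  $(count_use_syslog "$tmp/safe.conf") inserted, $(options_before_server "$tmp/safe.conf") before server:"
```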
 
@dave14305, I didn't look up that high in unbound.conf! :)

I deleted those two duplicated lines and no errors!

@Martineau, I'll now try to see if I can enable this in Scribe and uiScribe too. :)
 
Because WAN DNS should not be empty, even with DoT setup. The router needs to test internet connectivity by sending DNS queries to WAN DNS servers. DoT servers were the fallback, so once you disabled that, it couldn’t do that anymore.

Thank you, sorry for the late reply. I guess that's pretty obvious now I come to think of it.

Another quick question:

Does my ISP get to 'see' more or less of the addresses I visit when I am using Unbound?
I.e. does using Unbound improve my privacy with regard to my surfing habits?
 