Unbound - Authoritative Recursive Caching DNS Server

[Deleted member 67693]

With VPN constantly enabled, it doesn't make sense for a local DNS server.

But why it makes no sense, I mean when I am outside in a public wifi I can encrypt my traffic with the vpn, without the dns server the traffic goes to my ISP. And the Dns queries say sth about my traffic and so on. I dont know whether I get it right. I mean this test https://cmdns.dev.dns-oarc.net/ is more bad with the dns from ISP than with a unbound local server.

Which operating system is installed on rP?

Rasbian

 

[Martineau]

Rasbian

Is that Raspbian ?

 

[rgnldo]

Rasbian

Raspbian is a Debian environment. Just configure the repository in sources.list.

apt-get update
apt-get install -y unbound dnsutils

Configure as needed.
Unfortunately, due to the forum's thematic focus, for ASUS routers, I will not extend too much guidance from other devices.
see: https://www.raspberrypi.org/forums/viewforum.php?f=66

 

[Martineau]

I tried it. The only think is how can I add the Entware-NG repository on my rasberry pi, I dont find any helpful things on the internet. I use at the moment Pi Hole and OpenVPN.The script installer dont work as well, maybe you can help me.

see How to install Pihole and unbound

 

[Deleted member 67693]

Raspbian is a Debian environment. Just configure the repository in sources.list.

apt-get update
apt-get install -y unbound dnsutils

Configure as needed.
Unfortunately, due to the forum's thematic focus, for ASUS routers, I will not extend too much guidance from other devices.
see: https://www.raspberrypi.org/forums/viewforum.php?f=66

Thank you for helping me and sorry that I ask you so much.
I tested your commands and on the Virtual machine it works, I will try it tomorrow with my RP.
But now I have some questions for understanding.
1. What does dnsutils do?
2. Can I still edit the config from unbound or would it cause trouble?
3. But normally the instructuion at beginning would work with PiHole or?

@Martineau I know how to install unbound the config was my problem.

 

[Martineau]

@Martineau I know how to install unbound the config was my problem.

So your comment

"The script installer dont work as well, maybe you can help me."

refers to which script?

 

[rgnldo]

1. What does dnsutils do?

It is a set of dns diagnostic tools ( dig, nslookup, nsupdate...) It is for situations where Raspbian does not have it natively.

Can I still edit the config from unbound or would it cause trouble?

Try using the unbound.conf suggested in your link. It is enough to live with the Pi-hole. If you want a complete experience with Unbound, see the adblock script that I collaborated in organizing and is being commented on in the unbound_manager script-installer thread.

But normally the instructuion at beginning would work with PiHole or?

It is the same principle with Diversion - The Router Ad-Blocker script, organized here in the forum. Unbound interacts very well.
Follow the posts. Over time it gains knowledge.

 

[Kingp1n]

Apparently unbound wants an IPv6 for its IPv6 queries to the stub-zone. Since IPv6 is not always working I solved that using the local interface. Anyone interested in IPV6 can test.

    stub-zone:
        name: 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
        stub-addr: 127.0.0.1@53535

What does this do for those who have IPV6 enabled?

 

[Deleted member 62525]

Last changes to the code - and I cannot pin it down - is big slow down on Unbound performance with VPN clients.

This is just started to happen with the new update. It is so bad that it takes 8 sec to load cnn.com over vpn.
When I configure the router and disable vpn client then everything is fast again. I have been setting vpn client DNS to disable and this was always working for me very well. Is there an additional settings I should apply in unbound.conf?

 

[L&LD]

@Markster, I use OpenVPN every day back to my router from my phone and laptop and I don't see that issue. Quite the opposite actually, using OpenVPN makes the connection I'm on seem faster.

 

[rgnldo]

additional settings I should apply in unbound.conf?

There is no need.

This is just started to happen with the new update.

Neither unbound nor the script is to blame.

It is so bad that it takes 8 sec to load cnn.com over vpn.

Check these options on the WAN and VPN on Merlin FW:

- WAN:
Connect to DNS Server automatically: NO
Set DNS add your VPN provider's primary and secondary static dns

set Save

- VPN Client:
Accept DNS Configuration: strict

Set save

- Restart your Unbound.

Report the result here to help others.

 

[rgnldo]

What does this do for those who have IPV6 enabled?

It is for some situations.

 

[Deleted member 62525]

@Markster, I use OpenVPN every day back to my router from my phone and laptop and I don't see that issue. Quite the opposite actually, using OpenVPN makes the connection I'm on seem faster.

For sure. I agree as I can also testify to that. Did the whole refresh as I was not certain what was causing the issue.
Did a complete rebuild, reset, manual configured everything and I noticed that as soon as I enable VPN client things get slow.
Chaning DNS Disabled on VPN client to Strict did not make a difference. However, I noticed in the crush.log some messages about 127.0.0.1 nord(something) messages. I did not have time to investigate further this morning as I was leaving to work.

I use NordVPN and sometimes they would update or change something on the servers so when I get home I will try to use a different server and
see how that goes. Then report back.

 

[Deleted member 62525]

There is no need.

Neither unbound nor the script is to blame.

Check these options on the WAN and VPN on Merlin FW:

- WAN:
Connect to DNS Server automatically: NO
Set DNS add your VPN provider's primary and secondary static dns

set Save

- VPN Client:
Accept DNS Configuration: strict

Set save

- Restart your Unbound.

Report the result here to help others.

All setting confirmed as you mentioned. DNS Strict did not make a difference. I see some messages in the crush.log related to vpn on IP 127.0.0.1 but dont remember exact syntax. When I am home I will investigate further and try different vpn server (NordVPN).

 

[rgnldo]

Note: I don't use commercial VPN on the router. I have this NordVPN account from a friend.

(NordVPN)

On WAN keep automatic DNS.
Set on unbound.conf -> forward-zone, on final file.

forward-zone: 
       name: "."
       forward-addr: 103.86.96.100
       forward-addr: 103.86.99.100

Spoiler: answer cnn on lan

% dig cnn.com

; <<>> DiG 9.10.6 <<>> cnn.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62057
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1472
;; QUESTION SECTION:
;cnn.com.            IN    A

;; ANSWER SECTION:
cnn.com.        38    IN    A    151.101.65.67
cnn.com.        38    IN    A    151.101.193.67
cnn.com.        38    IN    A    151.101.129.67
cnn.com.        38    IN    A    151.101.1.67

;; Query time: 2 msec
;; SERVER: 2804:4474:201:cb00::1#53(2804:4474:201:cb00::1)
;; WHEN: Fri Feb 28 14:34:45 -03 2020
;; MSG SIZE  rcvd: 100

Spoiler: LOG's Unbound

[1582911543] unbound[19005:0] notice: init module 0: dns64
[1582911543] unbound[19005:0] notice: init module 1: validator
[1582911543] unbound[19005:0] notice: init module 2: iterator
[1582911543] unbound[19005:0] info: start of service (unbound 1.9.6).
[1582911543] unbound[19005:0] info: resolving duckduckgo.com. A IN
[1582911543] unbound[19005:0] info: resolving duckduckgo.com. AAAA IN
[1582911544] unbound[19005:0] info: response for duckduckgo.com. A IN
[1582911544] unbound[19005:0] info: reply from <.> 103.86.96.100#53
[1582911544] unbound[19005:0] info: query response was ANSWER
[1582911544] unbound[19005:0] info: prime trust anchor
[1582911544] unbound[19005:0] info: generate keytag query _ta-4f66. NULL IN
[1582911544] unbound[19005:0] info: resolving . DNSKEY IN
[1582911544] unbound[19005:0] info: query response was ANSWER
[1582911544] unbound[19005:0] info: validate keys with anchor(DS): sec_status_secure
[1582911544] unbound[19005:0] info: Successfully primed trust anchor . DNSKEY IN
[1582911544] unbound[19005:0] info: resolving _ta-4f66. NULL IN
[1582911544] unbound[19005:0] info: query response was NXDOMAIN ANSWER
[1582911544] unbound[19005:0] info: resolving com. DS IN
[1582911544] unbound[19005:0] info: query response was ANSWER
[1582911544] unbound[19005:0] info: validated DS com. DS IN
[1582911544] unbound[19005:0] info: resolving com. DNSKEY IN
[1582911544] unbound[19005:0] info: response for duckduckgo.com. AAAA IN
[1582911544] unbound[19005:0] info: reply from <.> 103.86.99.100#53
[1582911544] unbound[19005:0] info: query response was nodata ANSWER
[1582911544] unbound[19005:0] info: validated DS com. DS IN
[1582911544] unbound[19005:0] info: response for com. DNSKEY IN
[1582911544] unbound[19005:0] info: reply from <.> 103.86.99.100#53
[1582911544] unbound[19005:0] info: query response was ANSWER
[1582911544] unbound[19005:0] info: validated DNSKEY com. DNSKEY IN
[1582911544] unbound[19005:0] info: validated DNSKEY com. DNSKEY IN
[1582911544] unbound[19005:0] info: resolving duckduckgo.com. DS IN
[1582911544] unbound[19005:0] info: response for duckduckgo.com. DS IN
[1582911550] unbound[19005:0] info: resolving cnn.com. A IN
[1582911550] unbound[19005:0] info: resolving cnn.com. AAAA IN
[1582911550] unbound[19005:0] info: response for cnn.com. AAAA IN
[1582911550] unbound[19005:0] info: reply from <.> 103.86.99.100#53
[1582911550] unbound[19005:0] info: query response was ANSWER
[1582911550] unbound[19005:0] info: resolving cnn.com. DS IN
[1582911550] unbound[19005:0] info: response for cnn.com. A IN
[1582911550] unbound[19005:0] info: reply from <.> 103.86.96.100#53
[1582911550] unbound[19005:0] info: query response was ANSWER
[1582911550] unbound[19005:0] info: response for cnn.com. DS IN
[1582911550] unbound[19005:0] info: reply from <.> 103.86.96.100#53
[1582911550] unbound[19005:0] info: query response was nodata ANSWER
[1582911550] unbound[19005:0] info: NSEC3s for the referral proved no DS.
[1582911550] unbound[19005:0] info: NSEC3s for the referral proved no DS.
[1582911550] unbound[19005:0] info: Verified that unsigned response is INSECURE
[1582911550] unbound[19005:0] info: Verified that unsigned response is INSECURE
[1582911550] unbound[19005:0] info: resolving www.cnn.com. A IN
[1582911550] unbound[19005:0] info: resolving www.cnn.com. AAAA IN
[1582911550] unbound[19005:0] info: response for www.cnn.com. A IN
[1582911550] unbound[19005:0] info: reply from <.> 103.86.96.100#53
[1582911550] unbound[19005:0] info: query response was CNAME
[1582911550] unbound[19005:0] info: resolving www.cnn.com. A IN
[1582911550] unbound[19005:0] info: response for www.cnn.com. AAAA IN
[1582911550] unbound[19005:0] info: reply from <.> 103.86.99.100#53
[1582911550] unbound[19005:0] info: query response was CNAME
[1582911550] unbound[19005:0] info: resolving www.cnn.com. AAAA IN
[1582911551] unbound[19005:0] info: response for www.cnn.com. A IN
[1582911551] unbound[19005:0] info: reply from <.> 103.86.96.100#53
[1582911551] unbound[19005:0] info: query response was ANSWER
[1582911551] unbound[19005:0] info: resolving cnn.com. DS IN
[1582911551] unbound[19005:0] info: NSEC3s for the referral proved no DS.
[1582911551] unbound[19005:0] info: Verified that unsigned response is INSECURE
[1582911551] unbound[19005:0] info: resolving net. DS IN
[1582911551] unbound[19005:0] info: query response was ANSWER

 

[Deleted member 62525]

Note: I don't use commercial VPN on the router. My VPN use is for private tunneling purposes on local, edge networks. I have this NordVPN account from a friend. To help those who use it. My VPN use is at the laptop level and only ProtonVPN, to access some forums with the boring Recaptcha.

On WAN keep automatic DNS.
Set on unbound.conf -> forward-zone, on final file.

forward-zone: 
       name: "."
       forward-addr: 103.86.96.100
       forward-addr: 103.86.99.100

Spoiler: answer cnn on lan

% dig cnn.com

; <<>> DiG 9.10.6 <<>> cnn.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62057
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1472
;; QUESTION SECTION:
;cnn.com.            IN    A

;; ANSWER SECTION:
cnn.com.        38    IN    A    151.101.65.67
cnn.com.        38    IN    A    151.101.193.67
cnn.com.        38    IN    A    151.101.129.67
cnn.com.        38    IN    A    151.101.1.67

;; Query time: 2 msec
;; SERVER: 2804:4474:201:cb00::1#53(2804:4474:201:cb00::1)
;; WHEN: Fri Feb 28 14:34:45 -03 2020
;; MSG SIZE  rcvd: 100

Spoiler: LOG's Unbound

[1582911543] unbound[19005:0] notice: init module 0: dns64
[1582911543] unbound[19005:0] notice: init module 1: validator
[1582911543] unbound[19005:0] notice: init module 2: iterator
[1582911543] unbound[19005:0] info: start of service (unbound 1.9.6).
[1582911543] unbound[19005:0] info: resolving duckduckgo.com. A IN
[1582911543] unbound[19005:0] info: resolving duckduckgo.com. AAAA IN
[1582911544] unbound[19005:0] info: response for duckduckgo.com. A IN
[1582911544] unbound[19005:0] info: reply from <.> 103.86.96.100#53
[1582911544] unbound[19005:0] info: query response was ANSWER
[1582911544] unbound[19005:0] info: prime trust anchor
[1582911544] unbound[19005:0] info: generate keytag query _ta-4f66. NULL IN
[1582911544] unbound[19005:0] info: resolving . DNSKEY IN
[1582911544] unbound[19005:0] info: query response was ANSWER
[1582911544] unbound[19005:0] info: validate keys with anchor(DS): sec_status_secure
[1582911544] unbound[19005:0] info: Successfully primed trust anchor . DNSKEY IN
[1582911544] unbound[19005:0] info: resolving _ta-4f66. NULL IN
[1582911544] unbound[19005:0] info: query response was NXDOMAIN ANSWER
[1582911544] unbound[19005:0] info: resolving com. DS IN
[1582911544] unbound[19005:0] info: query response was ANSWER
[1582911544] unbound[19005:0] info: validated DS com. DS IN
[1582911544] unbound[19005:0] info: resolving com. DNSKEY IN
[1582911544] unbound[19005:0] info: response for duckduckgo.com. AAAA IN
[1582911544] unbound[19005:0] info: reply from <.> 103.86.99.100#53
[1582911544] unbound[19005:0] info: query response was nodata ANSWER
[1582911544] unbound[19005:0] info: validated DS com. DS IN
[1582911544] unbound[19005:0] info: response for com. DNSKEY IN
[1582911544] unbound[19005:0] info: reply from <.> 103.86.99.100#53
[1582911544] unbound[19005:0] info: query response was ANSWER
[1582911544] unbound[19005:0] info: validated DNSKEY com. DNSKEY IN
[1582911544] unbound[19005:0] info: validated DNSKEY com. DNSKEY IN
[1582911544] unbound[19005:0] info: resolving duckduckgo.com. DS IN
[1582911544] unbound[19005:0] info: response for duckduckgo.com. DS IN
[1582911550] unbound[19005:0] info: resolving cnn.com. A IN
[1582911550] unbound[19005:0] info: resolving cnn.com. AAAA IN
[1582911550] unbound[19005:0] info: response for cnn.com. AAAA IN
[1582911550] unbound[19005:0] info: reply from <.> 103.86.99.100#53
[1582911550] unbound[19005:0] info: query response was ANSWER
[1582911550] unbound[19005:0] info: resolving cnn.com. DS IN
[1582911550] unbound[19005:0] info: response for cnn.com. A IN
[1582911550] unbound[19005:0] info: reply from <.> 103.86.96.100#53
[1582911550] unbound[19005:0] info: query response was ANSWER
[1582911550] unbound[19005:0] info: response for cnn.com. DS IN
[1582911550] unbound[19005:0] info: reply from <.> 103.86.96.100#53
[1582911550] unbound[19005:0] info: query response was nodata ANSWER
[1582911550] unbound[19005:0] info: NSEC3s for the referral proved no DS.
[1582911550] unbound[19005:0] info: NSEC3s for the referral proved no DS.
[1582911550] unbound[19005:0] info: Verified that unsigned response is INSECURE
[1582911550] unbound[19005:0] info: Verified that unsigned response is INSECURE
[1582911550] unbound[19005:0] info: resolving www.cnn.com. A IN
[1582911550] unbound[19005:0] info: resolving www.cnn.com. AAAA IN
[1582911550] unbound[19005:0] info: response for www.cnn.com. A IN
[1582911550] unbound[19005:0] info: reply from <.> 103.86.96.100#53
[1582911550] unbound[19005:0] info: query response was CNAME
[1582911550] unbound[19005:0] info: resolving www.cnn.com. A IN
[1582911550] unbound[19005:0] info: response for www.cnn.com. AAAA IN
[1582911550] unbound[19005:0] info: reply from <.> 103.86.99.100#53
[1582911550] unbound[19005:0] info: query response was CNAME
[1582911550] unbound[19005:0] info: resolving www.cnn.com. AAAA IN
[1582911551] unbound[19005:0] info: response for www.cnn.com. A IN
[1582911551] unbound[19005:0] info: reply from <.> 103.86.96.100#53
[1582911551] unbound[19005:0] info: query response was ANSWER
[1582911551] unbound[19005:0] info: resolving cnn.com. DS IN
[1582911551] unbound[19005:0] info: NSEC3s for the referral proved no DS.
[1582911551] unbound[19005:0] info: Verified that unsigned response is INSECURE
[1582911551] unbound[19005:0] info: resolving net. DS IN
[1582911551] unbound[19005:0] info: query response was ANSWER

I can see that you had your Nord VPN DNS IP in Unbound.conf file
forward-addr: 103.86.96.100
forward-addr: 103.86.99.100

This config would redirect all DNS queries to VPN provider. In may case all my network devices except a thermostat and TV go over VPN.
It would be no point to use Unbound if all these devices use Nord DNS.

Before I used Unbound my config was
1. VPN Client DNS = Disable
2. WAN DNS set to DNSSEC + DoT using Quad9
3. DNS Filter = Enable (Router)

With above setup, all devices were using DNSSEC + DoT from Quad9 and that included all VPN clients. Very fast, secure and efficient.
I also did use Diversion and Skynet.

When I first started using Unbound all I did was use a default config and all my devices were using the new Unbound DNS. It was impressive and I still am with the Unbound. Don't know what happened since then (2 days ago). I rebuild my config from scratch; reset, reboot, manually reconfig etc.Something is strange and I will try to dig into it. I have not tracked it down yet why VPN clients suddenly are so slow.
But I definitely have proven that it has something to do with VPN. If I disable VPN and let all clients be non-vpn the browsing and DNS queries are very fast. I will spend some time to figure it out why it was fine before and what is causing it. I will mention that in both cases VPN or not when I do DNS leak test it shows my WAN IP so I know unbound DNS is used. Something else is at work.

UPDATE:

When I came back home today everything works just fine. As I suspected NordVPN must have been doing some updates or my ISP, who knows. The moral of the whole store is if you have a config working and suddenly it does not .... wait a day

Thanks @rgnldo and @L&LD for suggestions. Much appreciated.

 

[rgnldo]

It would be no point to use Unbound if all these devices use Nord DNS.

In both situations, they work perfectly.
I exemplified to demonstrate that the problem is not unbound.

 

[Ubimo]

Hello
I noticed this line in syslog after a reboot.

Mar  1 18:27:52 kernel: warning: process `unbound' used the deprecated sysctl system call with 1.40.6.

Is this normal?

And another curiosity.
I typed reboot into ssh terminal and the router started to reboot.
During the shutdown procedure, all services stop or shutdown, but it looks like unbound wants to start again?

Mar  1 18:26:14 WEBDAV_Server: daemon is stopped
Mar  1 18:26:14 Mastiff: Got SIGTERM
Mar  1 18:26:14 Mastiff: Got SIGTERM
Mar  1 18:26:14 Mastiff: Got SIGTERM
Mar  1 18:26:15 S61unbound: Starting Unbound DNS server /opt/etc/init.d/S61unbound
Mar  1 18:26:15 iTunes: daemon is stopped
Mar  1 18:26:15 FTP_Server: daemon is stopped
.....
Mar  1 18:26:17 S02haveged: Starting Haveged entropy /opt/etc/init.d/S02haveged
Mar  1 18:26:17 haveged: haveged: Stopping due to signal 15
....
Mar  1 18:26:28 FTP_Server: daemon is stopped
Mar  1 18:26:28 Samba_Server: smb daemon is stopped
Mar  1 18:26:28 Timemachine: daemon is stopped
Mar  1 18:26:36 custom_script: Running /jffs/scripts/unmount (args: /tmp/mnt/USB)
Mar  1 18:26:36 Diversion: disabling services for unmount
Mar  1 18:26:36 S61unbound: Starting Unbound DNS server /opt/etc/init.d/S61unbound
Mar  1 18:26:36 S02haveged: Starting Haveged entropy /opt/etc/init.d/S02haveged

Is that normal too?

 

[rgnldo]

Is this normal?

normal.

 

[rgnldo]

I typed reboot into ssh terminal and the router started to reboot.

launch on terminal

service start_reboot