Unbound - Authoritative Recursive Caching DNS Server

Thanks for experimenting with this project.
Hope to see a final product soon.

A question to ask: the FAQ has drifted for some time. Not sure if Unbound has updates on that.

What is the difference between using Stubby and using Unbound as a local forwarding resolver?
ANSWER: Unbound can be configured as a local forwarder using DNS-over-TLS to forward queries. However at the moment Unbound does not have all the TCP/TLS features that Stubby has, for example, it cannot support 'Strict' mode, it cannot pad queries to hide query size and it opens a separate connection for every DNS query (Stubby will re-use connections). However, Unbound is a mature and stable daemon and many people already use it as a local resolver. While there were some early issues the last few releases of Stubby have focussed on stability and security and have significantly improved the usability of Stubby. We also have plans to add a small cache to stubby! Note that some users choose to use the two together, unbound for caching and stubby for upstream TLS.
https://dnsprivacy.org/wiki/m/mobile.action#page/3145784
It can support strict mode if you essentially tell it to use no UDP connections, but DNS resolution may occasionally fail. Also, queries are not padded, as you mention.
 
I made another adjustment to my dnsmasq.postconf to get the listening udp port on a loopback address for the running unbound process. I'm not a great scripter, and I think there could be a better check to ensure my variable isn't empty before proceeding, but posting for feedback anyway. This might make the whole setup more portable and dynamic for different configurations. Note that this only works right if you've made the dnsmasq restart a POSTCMD in S61unbound. If it's still a PRECMD, then unbound won't yet be running when this script runs.
Code:
#!/bin/sh
. /opt/share/diversion/file/post-conf.div # Added by Diversion

CONFIG=$1
. /usr/sbin/helper.sh

# Only adapt dnsmasq when Unbound is already running (the dnsmasq restart must be a POSTCMD in S61unbound)
if [ -n "$(pidof unbound)" ]; then
        # First loopback UDP listener owned by unbound, rewritten as host#port for dnsmasq
        UNBOUNDLISTENADDR=$(netstat -nlup | grep unbound$ | grep "^udp " | grep " 127\.0" | head -1 | awk ' { print $4 } ' | tr ':' '#')
        if [ -n "$UNBOUNDLISTENADDR" ]; then
                # Drop the firmware's upstream list and let Unbound do the caching
                pc_delete "servers-file" "$CONFIG"
                pc_delete "no-negcache" "$CONFIG"
                pc_replace "cache-size=1500" "cache-size=0" "$CONFIG"
                # Forward everything to Unbound and pass its DNSSEC AD bit through
                pc_append "server=$UNBOUNDLISTENADDR" "$CONFIG"
                pc_append "proxy-dnssec" "$CONFIG"
        fi
fi
 
So if folks decide to use Unbound...does DoT have to be disabled?
 
Assuming you're talking about the built-in DNS Privacy with Stubby (and not Unbound's own DoT capability), it probably should be disabled to save resources on the router.

Probably the biggest adaptation still needed is to disable DNSSEC in the GUI so that dnsmasq is not doing its own DNSSEC, but only proxying whatever Unbound will return. The current dnsmasq.postconf posted doesn't yet address this possibility.
 
I'm not a great scripter, and I think there could be a better check to ensure my variable isn't empty before proceeding, but posting for feedback anyway
I changed the installation steps at the beginning of the post as suggested.
Code:
pc_delete "servers-file" "$CONFIG"
My suggestion is to arrange a condition for eliminating dnsmasq's resolution service for different environments.
Another point is to check whether Unbound is also listening on IPv6.
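An added example (not from the thread, and not Diversion's or the firmware's code) that does what the posted dnsmasq.postconf does and also covers the two follow-ups above: it reads Unbound's loopback listener from `netstat -nlup` output for both IPv4 and IPv6, and it strips dnsmasq's own DNSSEC validation so dnsmasq only proxies what Unbound returns. The pc_* helpers from /usr/sbin/helper.sh are deliberately not used so the functions can be exercised off the router; plain sed performs the same edits. The dnsmasq option names removed (dnssec, trust-anchor=, dnssec-check-unsigned) are assumed to be what the firmware writes when DNSSEC is enabled in the GUI; the netstat sample and the sample dnsmasq.conf are constructed, not captured.

```sh
#!/bin/sh
# Added example, not code from the thread or from the firmware.
# Rewrites a dnsmasq config so dnsmasq forwards to a local Unbound and proxies
# DNSSEC instead of validating it itself. All edits are plain sed, so the
# functions can be exercised off-router with constructed input.

# Print the first loopback UDP listener owned by unbound, in dnsmasq's
# host#port form. Reads `netstat -nlup` output from stdin; $1 selects the
# address family (4 or 6, default 4). Prints nothing if none is found.
unbound_listen_addr() {
    awk -v fam="${1:-4}" '
        fam == "4" && $1 == "udp"  && $4 ~ /^127\./ && $NF ~ /\/unbound$/ { found = 1 }
        fam == "6" && $1 == "udp6" && $4 ~ /^::1:/  && $NF ~ /\/unbound$/ { found = 1 }
        found {
            # split host and port at the LAST colon so ::1:53535 stays intact
            n = split($4, a, ":"); port = a[n]
            host = substr($4, 1, length($4) - length(port) - 1)
            print host "#" port; exit
        }'
}

# $1 = dnsmasq config to rewrite, remaining args = upstream servers (host#port).
# Removes the firmware's upstream list and its DNSSEC validation (assumed option
# names: servers-file, dnssec, trust-anchor, dnssec-check-unsigned), disables
# dnsmasq's cache since Unbound caches, then points dnsmasq at Unbound.
adapt_dnsmasq_conf() {
    conf=$1; shift
    sed -e '/^servers-file=/d' \
        -e '/^no-negcache$/d' \
        -e '/^dnssec$/d' \
        -e '/^trust-anchor=/d' \
        -e '/^dnssec-check-unsigned/d' \
        -e 's/^cache-size=.*/cache-size=0/' "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
    for up in "$@"; do
        printf 'server=%s\n' "$up" >> "$conf"
    done
    # pass Unbound's AD bit through instead of validating again in dnsmasq
    printf 'proxy-dnssec\n' >> "$conf"
}

# Constructed sample of `netstat -nlup` output (not a real capture).
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
udp        0      0 192.168.1.1:53          0.0.0.0:*                           2001/dnsmasq
udp        0      0 127.0.0.1:53535         0.0.0.0:*                           3120/unbound
udp6       0      0 ::1:53535               :::*                                3120/unbound'

# Constructed sample of a firmware-generated dnsmasq.conf with DNSSEC enabled.
make_sample_conf() {
    cat > "$1" <<'EOF'
user=nobody
no-resolv
servers-file=/tmp/resolv.dnsmasq
no-negcache
cache-size=1500
dnssec
trust-anchor=.,20326,8,2,E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D
dnssec-check-unsigned
EOF
}

# On the router this file would be /jffs/configs/dnsmasq.postconf, called as
# dnsmasq.postconf /etc/dnsmasq.conf after Unbound is up (POSTCMD in S61unbound).
if [ -n "$1" ] && [ -f "$1" ]; then
    a4=$(netstat -nlup 2>/dev/null | unbound_listen_addr 4)
    a6=$(netstat -nlup 2>/dev/null | unbound_listen_addr 6)
    # only touch the config when Unbound is actually listening;
    # $a4 $a6 are unquoted on purpose so an empty family is dropped
    [ -n "$a4$a6" ] && adapt_dnsmasq_conf "$1" $a4 $a6
fi
```

Parsing netstat instead of hard-coding 127.0.0.1#53535 keeps the postconf valid if the port or bind address in unbound.conf changes; the IPv6 branch only adds a `server=::1#port` line when Unbound actually has a loopback IPv6 listener.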
 
@dave14305 dnsmasq.postconf only works with 'source' on reboot
Code:
CONFIG=$1
source /usr/sbin/helper.sh
Why does this mode not work?
Code:
CONFIG=$1
. /usr/sbin/helper.sh

I am not using Diversion or Skynet to further study unbound behavior
 
Test Unbound with IPv6 queries from clients on LAN and wireless.

Reduction of response time.

 
I haven’t rebooted yet, but the period has worked for the line above for Diversion without issue. Let me reboot. Be right back.

Edit: no issues for me on reboot. What happened when you rebooted? What logs or errors did you see?
 
The logs don't mention anything. I think it's because I am not using Diversion. Your dnsmasq.postconf contains arguments for starting Diversion.
 
Unbound self TLS. Experimental. The options listed will prioritize TCP TLS traffic.
Code:
incoming-num-tcp: 1000
udp-upstream-without-downstream: yes
Take the tests

Keys:
Code:
mkdir /opt/var/lib/unbound/ssl
cd /opt/var/lib/unbound/ssl
openssl genrsa -out sslcert.key 2048
openssl req -key sslcert.key -new -x509 -days 720 -sha256 -extensions v3_ca -out sslcert.crt -subj "/CN=Unbound CA"
chown -R nobody /opt/var/lib/unbound/ssl

unbound.conf:
Code:
# Server configuration
##
server:

port: 53535
verbosity: 1

# Interface IP(s) to bind to
interface-automatic: no
interface: 127.0.0.1
interface: 127.0.0.1@853
interface: 0::1
interface: 0::1@853

# TLS Configuration
tls-cert-bundle: "/etc/ssl/cert.pem"
tls-port: 853
tls-service-pem: "/opt/var/lib/unbound/ssl/sslcert.crt"
tls-service-key: "/opt/var/lib/unbound/ssl/sslcert.key"

# Jail Unbound as user "nobody" in /opt/var/lib/unbound
username: "nobody"
directory: "/opt/var/lib/unbound"
chroot: "/opt/var/lib/unbound"
root-hints: "/opt/var/lib/unbound/root.hints"

# The pid file
pidfile: "/opt/var/run/unbound.pid"

# Outgoing interfaces to be used

# DNS Rebinding
# For DNS Rebinding prevention
private-address: 10.0.0.0/8
private-address: ::ffff:a00:0/104
private-address: 172.16.0.0/12
private-address: ::ffff:ac10:0/108
private-address: 169.254.0.0/16
private-address: ::ffff:a9fe:0/112
private-address: 192.168.0.0/16
private-address: ::ffff:c0a8:0/112
private-address: fd00::/8
private-address: fe80::/10
# Set private domains in case authoritative name server returns a Private IP address

hide-identity: yes
hide-version: yes
harden-glue: yes
do-ip4: yes
do-ip6: yes
do-udp: yes
do-tcp: yes
do-daemonize: yes

module-config: "validator iterator"
unwanted-reply-threshold: 0
num-queries-per-thread: 512
jostle-timeout: 200
infra-host-ttl: 900
infra-cache-numhosts: 10000
outgoing-num-tcp: 1000
incoming-num-tcp: 1000
edns-buffer-size: 4096
cache-max-ttl: 86400
cache-min-ttl: 0
harden-dnssec-stripped: yes
msg-cache-size: 4m
rrset-cache-size: 8m
qname-minimisation: yes
udp-upstream-without-downstream: yes

num-threads: 1
msg-cache-slabs: 4
rrset-cache-slabs: 4
infra-cache-slabs: 4
key-cache-slabs: 4
outgoing-range: 4096
#so-rcvbuf: 4m
auto-trust-anchor-file: /opt/var/lib/unbound/root.key
prefetch: yes
prefetch-key: yes
use-caps-for-id: no
serve-expired: no

# Adblock blacklist
include: /jffs/Adblock/adservers.txt

remote-control:
control-enable: yes
control-interface: 127.0.0.1
control-port: 953
server-key-file: "/opt/var/lib/unbound/unbound_server.key"
server-cert-file: "/opt/var/lib/unbound/unbound_server.pem"
control-key-file: "/opt/var/lib/unbound/unbound_control.key"
control-cert-file: "/opt/var/lib/unbound/unbound_control.pem"
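An added example (not code from the thread) that produces the self-signed certificate for the DoT listener described above with the `-subj` on the same command line, a subjectAltName for the router's LAN address, a private key that is never group- or world-readable, and ownership handed to the user Unbound runs as. It also gives a handshake probe that a LAN client can run against port 853 with only that certificate trusted, which is the only meaningful consumer of the listener since dnsmasq on loopback cannot speak DoT. Assumptions: the LAN address 192.168.1.1 and the run-as user nobody are placeholders, and `-addext` needs OpenSSL 1.1.1 or newer on the router.

```sh
#!/bin/sh
# Added example, not code from the thread. Creates the self-signed certificate
# for Unbound's DoT listener (the commands in the post, tidied) and gives a way
# to check the listener from a LAN client that pins that certificate.

# $1 = output directory, $2 = LAN address to put in the SAN (assumed 192.168.1.1),
# $3 = user Unbound runs as (the thread uses "nobody").
gen_dot_cert() {
    dir=$1; lan=${2:-192.168.1.1}; runas=${3:-nobody}
    mkdir -p "$dir" || return 1
    # the private key is created without group/other permissions from the start
    ( umask 077 && openssl genrsa -out "$dir/sslcert.key" 2048 2>/dev/null ) || return 1
    # -subj must be on the same command line as the rest of the options;
    # -addext (SAN with the LAN and loopback addresses) needs OpenSSL 1.1.1 or newer
    openssl req -key "$dir/sslcert.key" -new -x509 -days 720 -sha256 \
        -subj "/CN=Unbound DoT" \
        -addext "subjectAltName=IP:$lan,IP:127.0.0.1" \
        -out "$dir/sslcert.crt" 2>/dev/null || return 1
    chmod 600 "$dir/sslcert.key"
    # Unbound reads both files as $runas; chown needs root, so off-router it may fail harmlessly
    chown "$runas" "$dir/sslcert.key" "$dir/sslcert.crt" 2>/dev/null || true
}

# SHA-256 fingerprint of the certificate, the value a DoT client would pin.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^[^=]*=//'
}

# 0 if the certificate carries an IP SAN for $2, 1 otherwise.
cert_has_ip_san() {
    openssl x509 -in "$1" -noout -text | grep -q "IP Address:$2"
}

# Handshake probe from a LAN host: $1 = router address, $2 = path to sslcert.crt.
# Succeeds only if the listener on 853 presents a certificate that validates
# against that file; nothing from the system trust store is accepted.
dot_handshake_ok() {
    printf '' | openssl s_client -connect "$1:853" -CAfile "$2" -verify_return_error >/dev/null 2>&1
}

# Usage on the router (as root):
#   gen_dot_cert /opt/var/lib/unbound/ssl 192.168.1.1 nobody
#   cert_fingerprint /opt/var/lib/unbound/ssl/sslcert.crt
# From a LAN client holding a copy of sslcert.crt:
#   dot_handshake_ok 192.168.1.1 ./sslcert.crt && echo "DoT listener OK"
```

The probe uses `-CAfile` with the router's own certificate so a listener presenting anything else fails; compare `cert_fingerprint` output with what the client sees before trusting the LAN listener from any device that lets you pin a DoT certificate.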
 

To make this work we need to append server 127.0.0.1#853 in dnsmasq.postconf (no need for 127.0.0.1#53535 in dnmasq right? it works without appending 127.0.0.1#53535 in dnsmasq)
 

Works on 127.0.0.1#853!
Code:
# Server configuration
##
server:

port: 853
verbosity: 1

# Interface IP(s) to bind to
interface-automatic: no
interface: 127.0.0.1@853
interface: 0::1@853

# TLS Configuration
tls-cert-bundle: "/etc/ssl/cert.pem"
tls-port: 853
tls-service-pem: "/opt/var/lib/unbound/ssl/sslcert.crt"
tls-service-key: "/opt/var/lib/unbound/ssl/sslcert.key"
 
I don’t understand what this is doing (or more precisely why you are doing it). You’ve reconfigured unbound to be a DoT listener on 127.0.0.1:853, but dnsmasq can’t send DoT requests so how can it be working as DoT?

There isn’t much need to encrypt traffic within the router’s loopback interface. Anyone who can sniff your loopback traffic is already in a position to have all your secrets. :)
 
While debating in the pfSense forum I elaborated this configuration. The logic is to give TCP TLS receive preference. Delusion's suggestion was just a test tip. Ignore it.

Code:
# Server configuration
##
server:

port: 53535
verbosity: 1

# Interface IP(s) to bind to
interface-automatic: no
interface: 0.0.0.0
interface: 0.0.0.0@853
interface: ::0
interface: ::0@853

# TLS Configuration
tls-cert-bundle: "/etc/ssl/cert.pem"
tls-port: 853
tls-service-pem: "/opt/var/lib/unbound/ssl/sslcert.crt"
tls-service-key: "/opt/var/lib/unbound/ssl/sslcert.key"
incoming-num-tcp: 1000
udp-upstream-without-downstream: yes
 
unbound 1.9.3 on update Entware - Oct 7, 2019

For update, launch the command:
Code:
/opt/etc/init.d/rc.unslung stop
opkg update
opkg upgrade
 
I'm broken after this. It wants to write the root.key to the read-only root filesystem.

Code:
Oct  7 16:11:05 unbound: [28213:0] fatal error: could not open autotrust file for writing, /root.key.28213-0-1f0f40: Permission denied
Oct  7 16:11:05 unbound: [28214:1] fatal error: could not open autotrust file for writing, /root.key.28214-1-1f0f40: Permission denied

EDIT: I needed to re-run unbound-anchor for the DNSSEC initialization.

EDIT2: I let opkg overwrite my S61unbound file and it was pointing to an invalid config /opt/etc/unbound/unbound.conf. Fixed

EDIT3: My /opt/var/lib/unbound directory reverted back to admin ownership instead of nobody, so I re-ran the "chown nobody /opt/var/lib/unbound" and things are working well again.
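An added example (not from the thread, and not Entware's code) that checks, after an opkg upgrade, for the three things that broke in the post above: the state directory reverting to another owner (the log shows Unbound creating root.key.<pid>-... next to the anchor file, so the directory itself must be writable by the run-as user), the package's S61unbound pointing at a config that does not exist, and the anchor file sitting outside the chroot. It assumes an Entware-style init script that passes the config through a line like `ARGS="-c /opt/etc/unbound/unbound.conf"`; the fixture it builds for testing is constructed, not a real router tree.

```sh
#!/bin/sh
# Added example, not code from the thread or from Entware: a post-upgrade sanity
# check for an Unbound install laid out like the one in this thread.

# Value of a top-level unbound.conf option ($2) in config file $1, quotes stripped.
conf_value() {
    awk -v key="$2:" '$1 == key { v = $2; gsub(/"/, "", v); print v; exit }' "$1"
}

# Config path the init script starts Unbound with. Assumes an Entware-style
# wrapper containing a line such as:  ARGS="-c /opt/etc/unbound/unbound.conf"
init_config_path() {
    sed -n 's/^ARGS=.*-c *\([^ "]*\).*/\1/p' "$1" | head -n 1
}

# Owner of a file or directory; ls is used because busybox stat lacks GNU flags.
owner_of() {
    ls -ld "$1" | awk '{ print $3 }'
}

# $1 = init script. Prints one line per problem found; returns their count.
check_unbound_install() {
    problems=0
    conf=$(init_config_path "$1")
    if [ -z "$conf" ] || [ ! -f "$conf" ]; then
        echo "$1 starts unbound with config '$conf', which does not exist"
        return 1
    fi
    runas=$(conf_value "$conf" username)
    jail=$(conf_value "$conf" chroot)
    anchor=$(conf_value "$conf" auto-trust-anchor-file)
    if [ -z "$anchor" ]; then
        echo "no auto-trust-anchor-file in $conf; skipping the anchor checks"
        return 1
    fi
    # the anchor must live inside the chroot, or unbound cannot reach it after chroot()
    if [ -n "$jail" ]; then
        case $anchor in
            "$jail"/*) ;;
            *) echo "auto-trust-anchor-file $anchor is outside chroot $jail"
               problems=$((problems + 1)) ;;
        esac
    fi
    # unbound rewrites the anchor by creating root.key.<pid>-... next to it, so the
    # directory (not just the file) must be writable by the run-as user
    adir=$(dirname "$anchor")
    if [ ! -d "$adir" ]; then
        echo "anchor directory $adir is missing"
        problems=$((problems + 1))
    elif [ "$(owner_of "$adir")" != "$runas" ]; then
        echo "$adir is owned by $(owner_of "$adir"), not $runas: run chown $runas $adir"
        problems=$((problems + 1))
    fi
    if [ ! -f "$anchor" ]; then
        echo "$anchor is missing: run unbound-anchor -a $anchor as $runas first"
        problems=$((problems + 1))
    fi
    # the package in this thread dropped unbound-checkconf; use it only when present
    if command -v unbound-checkconf >/dev/null 2>&1; then
        unbound-checkconf "$conf" >/dev/null 2>&1 || {
            echo "unbound-checkconf rejects $conf"
            problems=$((problems + 1))
        }
    fi
    return $problems
}

# Constructed fixture (not a real router tree): an install under $1 whose
# config runs Unbound as user $2, used to exercise the check off-router.
make_fixture() {
    root=$1
    mkdir -p "$root/lib/unbound" "$root/etc"
    : > "$root/lib/unbound/root.key"
    cat > "$root/etc/unbound.conf" <<EOF
server:
    username: "$2"
    directory: "$root/lib/unbound"
    chroot: "$root/lib/unbound"
    auto-trust-anchor-file: "$root/lib/unbound/root.key"
EOF
    printf 'ENABLED=yes\nPROCS=unbound\nARGS="-c %s/etc/unbound.conf"\n' "$root" > "$root/S61unbound"
}

# On the router:  check_unbound_install /opt/etc/init.d/S61unbound
```

Run it before starting the daemon after every `opkg upgrade`; an ownership mismatch on the anchor directory is exactly the "could not open autotrust file for writing" failure quoted above, and a bad `-c` path in S61unbound shows up as the missing-config line.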
 
From what I observed, there were several changes in the shape of packages. I had a clean install of Entware.
Running smooth.
 
Yes, I had to force the upgrade, and the unbound package is now unbound-daemon.

I also lost the unbound-checkconf command. Time to update the install instructions in post #1.
 
I had problems like this when I upgraded from version 1.7.1 to 1.8.1. That's how I know you need to install Entware in clean mode.
 