Unbound Unbound suddenly not resolving certian domains!

[dave14305]

; <<>> DiG 9.16.29 <<>> NS nest.gq. @185.21.168.65
;; global options: +cmd
;; connection timed out; no servers could be reached

That’s what needs to be solved. Disable Skynet and try again.

# dig NS nest.gq. @185.21.168.65

; <<>> DiG 9.18.1 <<>> NS nest.gq. @185.21.168.65
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31741
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;nest.gq.                       IN      NS

;; AUTHORITY SECTION:
nest.gq.                300     IN      NS      david.ns.cloudflare.com.
nest.gq.                300     IN      NS      maria.ns.cloudflare.com.

;; Query time: 49 msec
;; SERVER: 185.21.168.65#53(185.21.168.65) (UDP)
;; WHEN: Tue Jul 19 19:54:35 EDT 2022
;; MSG SIZE  rcvd: 93

 

[Khadanja]

That’s what needs to be solved. Disable Skynet and try again.

# dig NS nest.gq. @185.21.168.65

; <<>> DiG 9.18.1 <<>> NS nest.gq. @185.21.168.65
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31741
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;nest.gq.                       IN      NS

;; AUTHORITY SECTION:
nest.gq.                300     IN      NS      david.ns.cloudflare.com.
nest.gq.                300     IN      NS      maria.ns.cloudflare.com.

;; Query time: 49 msec
;; SERVER: 185.21.168.65#53(185.21.168.65) (UDP)
;; WHEN: Tue Jul 19 19:54:35 EDT 2022
;; MSG SIZE  rcvd: 93

Skynet disabled, still same.

 

[dave14305]

Skynet disabled, still same.

Maybe they are banning your IP or ISP.

 

[Khadanja]

Maybe they are banning your IP or ISP.

Changed log verbosity to 5, does this help. Shows timeout

Jul 20 12:04:46 RT-AC68U-20E0 unbound: [18581:1] info: sending query: nest.gq. A IN
Jul 20 12:04:46 RT-AC68U-20E0 unbound: [18581:1] debug: sending to target: <gq.> 185.21.168.65#53
Jul 20 12:04:46 RT-AC68U-20E0 unbound: [18581:1] debug: dnssec status: not expected
Jul 20 12:04:46 RT-AC68U-20E0 unbound: [18581:1] debug: mesh_run: iterator module exit state is module_wait_reply
Jul 20 12:04:46 RT-AC68U-20E0 unbound: [18581:1] debug: iterator[module 2] operate: extstate:module_state_initial event:module_event_pass
Jul 20 12:04:46 RT-AC68U-20E0 unbound: [18581:1] info: iterator operate: query . DNSKEY IN
Jul 20 12:04:46 RT-AC68U-20E0 unbound: [18581:1] debug: iter_handle processing q with state INIT REQUEST STATE
Jul 20 12:04:46 RT-AC68U-20E0 unbound: [18581:1] info: resolving . DNSKEY IN
Jul 20 12:04:46 RT-AC68U-20E0 unbound: [18581:1] debug: request has dependency depth of 1
Jul 20 12:04:46 RT-AC68U-20E0 unbound: [18581:1] info: msg from cache lookup ;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 0
;; flags: qr ra ; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
.    IN    DNSKEY

;; ANSWER SECTION:
.    172773    IN    DNSKEY    256 3 8 AwEAAaQVKIqdmeLCaF4lq+IoKpejId9qqoIbZJ6cjB5MfyJYX3KVFXYyJ9rt4jKOwf4m2BoDOY66V1upRumF+eu502HXzdOdJlioRLA9YiRyLgvfjzyfUYrExYT4/TDTS4XfQX2UcJDN5C7SQ9UxebZk/VjQfPAUU+hZKOcjOVRFbAHom4tIi+Rin0laGlAi8ZY5WUZypYKR0xvprtG0eXeOBMjbUt1EnhmO2Bs52zC8B0cMjq6fMiYFUqtziALccsQczGngIDR0dIvvL54ky1JNNp19Ldy9ir27s7eRCYGbYI1WzR05/d4/nCmDSHkQS2BiesYufuWZZwm+FsitupCciwE= ;{id = 20826 (zsk), size = 2048b}
.    172773    IN    DNSKEY    257 3 8 AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU= ;{id = 20326 (ksk), size = 2048b}
.    172773    IN    RRSIG    DNSKEY 8 0 172800 20220801000000 20220711000000 20326 . H+vsHlbxSqqGiGtoNc6SVINuZzN3A2BIUBI2boWYKpDjhlG64fZtBF75qpSIT8NLFO3kpoE/q5YHm5f/Bbs9ESUSSwr3wvnpXbrVCHs7UK+NlXUFW4hjiliHxE0TT5DzbhevV6ZexA/0xWABzCTHighPREki8tgJ4jw750pRw/dNcGyQKbH0Wy/1gvGR1KcJ8xmSyaHo9vV/rBPMbCOXbi2rNoCI+vNQ80iPB1CIr3KDx61NvFhudzBLzc5c4qdlJjNpQ6zpNG5wl3igpHORZu1sKtlIQIyBS7j9h3blzE3+fvvIup/vbBjCw7uWTGqaoLRsLnHvItpGwTaIVXrJOw== ;{id = 20326}

;; AUTHORITY SECTION:

;; ADDITIONAL SECTION:
;; MSG SIZE  rcvd: 853
Jul 20 12:04:46 RT-AC68U-20E0 unbound: [18581:1] debug: msg ttl is 172773, prefetch ttl 155493
Jul 20 12:04:46 RT-AC68U-20E0 unbound: [18581:1] debug: returning answer from cache.
Jul 20 12:04:46 RT-AC68U-20E0 unbound: [18581:1] debug: iter_handle processing q with state FINISHED RESPONSE STATE
Jul 20 12:04:46 RT-AC68U-20E0 unbound: [18581:1] info: finishing processing for . DNSKEY IN
Jul 20 12:04:46 RT-AC68U-20E0 unbound: [18581:1] debug: mesh_run: iterator module exit state is module_finished
Jul 20 12:04:46 RT-AC68U-20E0 unbound: [18581:1] debug: validator[module 1] operate: extstate:module_state_initial event:module_event_moddone
Jul 20 12:04:46 RT-AC68U-20E0 unbound: [18581:1] info: validator operate: query . DNSKEY IN
Jul 20 12:04:46 RT-AC68U-20E0 unbound: [18581:1] debug: validator: nextmodule returned
Jul 20 12:04:46 RT-AC68U-20E0 unbound: [18581:1] debug: not validating response, is valrec(validation recursion lookup)
Jul 20 12:04:46 RT-AC68U-20E0 unbound: [18581:1] debug: mesh_run: validator module exit state is module_finished
Jul 20 12:04:46 RT-AC68U-20E0 unbound: [18581:1] info: respip operate: query . DNSKEY IN
Jul 20 12:04:46 RT-AC68U-20E0 unbound: [18581:1] debug: mesh_run: respip module exit state is module_finished
Jul 20 12:04:46 RT-AC68U-20E0 unbound: [18581:1] info: mesh_run: end 2 recursion states (2 with reply, 0 detached), 2 waiting replies, 11 recursion replies sent, 0 replies dropped, 0 states jostled out
Jul 20 12:04:46 RT-AC68U-20E0 unbound: [18581:1] info: average recursion processing time 2.385541 sec
Jul 20 12:04:46 RT-AC68U-20E0 unbound: [18581:1] info: histogram of recursion processing times
Jul 20 12:04:46 RT-AC68U-20E0 unbound: [18581:1] info: [25%]=0.49152 median[50%]=2.25 [75%]=3.625
Jul 20 12:04:46 RT-AC68U-20E0 unbound: [18581:1] info: lower(secs) upper(secs) recursions
Jul 20 12:04:46 RT-AC68U-20E0 unbound: [18581:1] info:    0.131072    0.262144 1
Jul 20 12:04:46 RT-AC68U-20E0 unbound: [18581:1] info:    0.262144    0.524288 2
Jul 20 12:04:46 RT-AC68U-20E0 unbound: [18581:1] info:    0.524288    1.000000 1
Jul 20 12:04:46 RT-AC68U-20E0 unbound: [18581:1] info:    1.000000    2.000000 1
Jul 20 12:04:46 RT-AC68U-20E0 unbound: [18581:1] info:    2.000000    4.000000 4
Jul 20 12:04:46 RT-AC68U-20E0 unbound: [18581:1] info:    4.000000    8.000000 2

 

[Jumpstarter]

; <<>> DiG 9.16.29 <<>> NS nest.gq. @185.21.168.65
;; global options: +cmd
;; connection timed out; no servers could be reached

Try reinstalling from scratch (unbound I mean), use default settings with no dnsfirewall or Unbound adblocking.

 

[Jumpstarter]

Maybe they are banning your IP or ISP.

This is a possibility to consider.

 

[Jumpstarter]

Maybe they are banning your IP or ISP.

Would he be able to ping the host if he was banned?

 

[Khadanja]

Could it be a Cloudflare issue in my region? All these domain have DNS set up in Cloudflare. Now another one that was working is broken.

 

[Jumpstarter]

Could it be a Cloudflare issue in my region? All these domain have DNS set up in Cloudflare. Now another one that was working is broken.

are you forwarding request to cloudflare through unbound? or are you using unbound recursively? What does your unbound config look like then? I am using unbound recursively without forwarding to any servers.

 

[Khadanja]

are you forwarding request to cloudflare through unbound? or are you using unbound recursively? What does your unbound config look like then? I am using unbound recursively without forwarding to any servers.

Using unbound recursively.

server:

#@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
port: 53                                 # v1.08 If 53, requires 'port=0' in '/etc/dnsmasq.conf' to 'disable' dnsmasq to answer queries direct from LAN clients
interface: 192.168.1.1                  # v1.01 As per @dave14305 minimal config; Will be overwritten by $(nvram get lan_ipaddr_rt) if dnsmasq 'disabled'
interface: 127.0.0.1@53                    # v1.10 Required by router if dnsmasq 'disabled'
#access-control: 0.0.0.0/0 allow            # v1.10 Will be overwritten by LAN subnet "${lan_ip_addr_rt}/24" if 'dnsmasq disabled' aka bypassed
#@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

#outgoing-interface: xxx.xxx.xxx.xxx        # v1.08 Martineau Use VPN tunnel to hide Root server queries from ISP (or force WAN ONLY)

#########################################
# integration LOG's
#
verbosity: 1                               # v1.02 '1' is adequate to prove unbound is processing domains
logfile: "/opt/var/lib/unbound/unbound.log" # v1.01 as per @dave14305 minimal config (v3.06 now deletes this if size grows > 10MB)
log-time-ascii: yes                         # v1.01 as per @dave14305 minimal config
log-tag-queryreply: yes                     # v1.02 @Martineau Explicitly Tag log-queries/replies with 'query'/'reply'
log-queries: yes
log-replies: yes
use-syslog: yes                            # v1.02 @Martineau Recommended to let scribe/syslog-ng handle the log(s)
log-local-actions: yes                     # v1.02 @Martineau ('yes' required for @juched's Graphical Ad Block statistics)
log-servfail: yes                           # v1.01 as per @dave14305 minimal config
#########################################

module-config: "respip validator iterator"  # v1.08 add 'respip' for rpz feature @juched

access-control: 0.0.0.0/0 refuse
access-control: 127.0.0.0/8 allow
access-control: 10.0.0.0/8 allow
access-control: 172.16.0.0/12 allow         # v1.10 Martineau  Fix CIDR 16->12
access-control: 192.168.0.0/16 allow        # v1.10 @dave14305 Fix CIDR 24->16

# RFC1918 private IP address - Protects against DNS Rebinding
private-address: 127.0.0.0/8
private-address: 169.254.0.0/16
private-address: 10.0.0.0/8
private-address: 172.16.0.0/12
private-address: 192.168.0.0/16
private-address: fd00::/8                   # v1.11 Martineau
private-address: fe80::/10                  # v1.11 Martineau
do-ip4: yes
do-udp: yes
do-tcp: yes

#########################################
# integration IPV6
#
do-ip6: no
private-address: ::/0                                 # v1.11 Martineau Enhance 'do-ip6: no' i.e. explicitly drop ALL IPv6 responses
# do-ip6: yes
# edns-buffer-size: 1232                           # v1.11 as per @Linux_Chemist https://www.snbforums.com/threads/unbound_manager-manager-installer-utility-for-unbound-recursive-dns-server.61669/page-151
# interface: ::0
# access-control: ::0/0 refuse
# access-control: ::1 allow
# private-address: fd00::/8
# private-address: fe80::/10
#########################################
#module-config: "dns64 respip validator iterator"      # v1.08 v1.03 v1.01 perform a query against AAAA record exists
#dns64-prefix: 64:FF9B::/96                            # v1.03 v1.01

tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"  # v1.01 as per @dave14305 minimal config

# no threads and no memory slabs for threads
num-threads: 2
msg-cache-slabs: 2
rrset-cache-slabs: 2
infra-cache-slabs: 2
key-cache-slabs: 2

# tiny memory cache
extended-statistics: yes                        # v1.06 Martineau for @juched GUI TAB
key-cache-size: 8m
msg-cache-size: 8m
rrset-cache-size: 16m
cache-max-ttl: 14400                            # v1.08 Martineau
cache-min-ttl: 1200                             # v1.08 Martineau
# prefetch
prefetch: yes
prefetch-key: yes
minimal-responses: yes
serve-expired: yes
serve-expired-ttl: 3600                         # v1.12 as per @juched
serve-expired-ttl-reset: yes                     # v1.13 as per @jumpsmm7 Set the TTL of expired records to the serve-expired-ttl value after a failed attempt to retrieve the record from upstream.
incoming-num-tcp: 600
outgoing-num-tcp: 100
ip-ratelimit: 0                                  # v1.04 as per @L&LD as it impacts ipleak.net?
edns-buffer-size: 1472                           # v1.01 as per @dave14305 minimal config
max-udp-size: 3072                               # v1.13 as per @jumpsmm7 mitigate DDOS threats when using dnssec, reduce potential for fragmentation.
#outgoing-port-avoid: 0-32767                    # v1.13 as per @jumpsmm7 avoid grabbing udp ports commonly used / only for users with UDP port availability problems
#outgoing-port-permit: 32768-65535               # v1.13 as per @jumpsmm7 ports to permit / Not necessary if port-avoid is not used. limits port randomization.

# Ensure kernel buffer is large enough to not lose messages in traffic spikes
#so-rcvbuf: 1m                                   # v1.05 Martineau see DEFAULT /proc/sys/net/core/rmem_default

#########################################
# Options for integration with TCP/TLS Stubby
# udp-upstream-without-downstream: yes
#########################################

# gentle on recursion
hide-identity: yes
hide-version: yes
do-not-query-localhost: no
qname-minimisation: yes
harden-glue: yes
harden-below-nxdomain: yes
rrset-roundrobin: yes
aggressive-nsec: yes
deny-any: yes

# Self jail Unbound with user "nobody" to /var/lib/unbound
username: "nobody"
directory: "/opt/var/lib/unbound"
chroot: "/opt/var/lib/unbound"

# The pid file
pidfile: "/opt/var/run/unbound.pid"

# ROOT Server's
root-hints: "/opt/var/lib/unbound/root.hints"

# DNSSEC
auto-trust-anchor-file: "/opt/var/lib/unbound/root.key"

#########################################
# Adblock blacklist
include: /opt/var/lib/unbound/adblock/adservers
include: /opt/var/lib/unbound/adblock/firefox_DOH
#########################################

remote-control:
control-enable: yes
control-use-cert: no                            # v1.08 Default "Fast Menu" ENABLED v1.07 Martineau "Fast Menu"
control-interface: 127.0.0.1
control-port: 953
server-key-file: "/opt/var/lib/unbound/unbound_server.key"
server-cert-file: "/opt/var/lib/unbound/unbound_server.pem"
control-key-file: "/opt/var/lib/unbound/unbound_control.key"
control-cert-file: "/opt/var/lib/unbound/unbound_control.pem"

##########################################
#forward-zone:#Stubby                         # v1.08 Add #Stubby edit marker
#name: "."
#forward-addr: 127.0.1.1@5453
#forward-addr: 0::1@5453 # integration IPV6
#########################################

#@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ # v1.05 Martineau
#forward-zone:#DoT                                                    # v1.08 Add #DoT edit marker v1.05 DNS-Over-TLS support
#name: "."
#forward-tls-upstream: yes
#forward-addr: 1.1.1.1@853#cloudflare-dns.com
#forward-addr: 1.0.0.1@853#cloudflare-dns.com
#forward-addr: 9.9.9.9@853#dns.quad9.net
#forward-addr: 149.112.112.112@853#dns.quad9.net
#forward-addr: 2606:4700:4700::1111@853#cloudflare-dns.com
#forward-addr: 2606:4700:4700::1001@853#cloudflare-dns.com
#forward-addr: 2620:fe::fe@853#dns.quad9.net
#forward-addr: 2620:fe::9@853#dns.quad9.net
#@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@


# v1.01 Added the following
auth-zone:
       name: "."
       url: "https://www.internic.net/domain/root.zone"
       fallback-enabled: yes
       for-downstream: no
       for-upstream: yes
       zonefile: root.zone

#@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
# v1.08 Example rpz ( see https://medium.com/nlnetlabs/response-policy-zones-in-unbound-5d453de75f26)
# Uses @juched's script so until NLLabs fix the 'url:' download issue - assume the zonefile will be downloaded externally
#      and an external cron job will update the DNS Firewall every 00:15 minutes
#
#rpz:#RPZ                                                             # v1.08 DNS Firewall
#name: rpz.urlhaus.abuse.ch
#url: "http://urlhaus.abuse.ch/downloads/rpz/"
#zonefile: /opt/var/lib/unbound/rpz.urlhaus.abuse.ch.zone             # v1.09 Match @juched's 'rpzsites'
#rpz-log: yes
#rpz-log-name: "rpz.urlhaus.abuse.ch"
#rpz-action-override: nxdomain
#@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
include: "/opt/share/unbound/configs/unbound.conf.firewall"        # Custom DNS Firewall

server:
include: "/opt/share/unbound/configs/unbound.conf.localhosts"        # Custom server directives
server:
include: "/opt/share/unbound/configs/unbound.conf.safesearch"        # Custom server directives

 

[sfx2000]

Something local maybe?

dig @185.21.168.65 my.nest.gq
; <<>> DiG 9.10.6 <<>> @185.21.168.65 my.nest.gq
; (1 server found)
;; global options: +cmd
;; Got answer:

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40650
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232

;; QUESTION SECTION:
;my.nest.gq. IN A

;; AUTHORITY SECTION:
nest.gq. 300 IN NS david.ns.cloudflare.com.
nest.gq. 300 IN NS maria.ns.cloudflare.com.

;; Query time: 219 msec
;; SERVER: 185.21.168.65#53(185.21.168.65)
;; WHEN: Tue Jul 19 18:46:22 PDT 2022
;; MSG SIZE rcvd: 96

 

[Jumpstarter]

Using unbound recursively.

server:

#@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
port: 53                                 # v1.08 If 53, requires 'port=0' in '/etc/dnsmasq.conf' to 'disable' dnsmasq to answer queries direct from LAN clients
interface: 192.168.1.1                  # v1.01 As per @dave14305 minimal config; Will be overwritten by $(nvram get lan_ipaddr_rt) if dnsmasq 'disabled'
interface: 127.0.0.1@53                    # v1.10 Required by router if dnsmasq 'disabled'
#access-control: 0.0.0.0/0 allow            # v1.10 Will be overwritten by LAN subnet "${lan_ip_addr_rt}/24" if 'dnsmasq disabled' aka bypassed
#@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

#outgoing-interface: xxx.xxx.xxx.xxx        # v1.08 Martineau Use VPN tunnel to hide Root server queries from ISP (or force WAN ONLY)

#########################################
# integration LOG's
#
verbosity: 1                               # v1.02 '1' is adequate to prove unbound is processing domains
logfile: "/opt/var/lib/unbound/unbound.log" # v1.01 as per @dave14305 minimal config (v3.06 now deletes this if size grows > 10MB)
log-time-ascii: yes                         # v1.01 as per @dave14305 minimal config
log-tag-queryreply: yes                     # v1.02 @Martineau Explicitly Tag log-queries/replies with 'query'/'reply'
log-queries: yes
log-replies: yes
use-syslog: yes                            # v1.02 @Martineau Recommended to let scribe/syslog-ng handle the log(s)
log-local-actions: yes                     # v1.02 @Martineau ('yes' required for @juched's Graphical Ad Block statistics)
log-servfail: yes                           # v1.01 as per @dave14305 minimal config
#########################################

module-config: "respip validator iterator"  # v1.08 add 'respip' for rpz feature @juched

access-control: 0.0.0.0/0 refuse
access-control: 127.0.0.0/8 allow
access-control: 10.0.0.0/8 allow
access-control: 172.16.0.0/12 allow         # v1.10 Martineau  Fix CIDR 16->12
access-control: 192.168.0.0/16 allow        # v1.10 @dave14305 Fix CIDR 24->16

# RFC1918 private IP address - Protects against DNS Rebinding
private-address: 127.0.0.0/8
private-address: 169.254.0.0/16
private-address: 10.0.0.0/8
private-address: 172.16.0.0/12
private-address: 192.168.0.0/16
private-address: fd00::/8                   # v1.11 Martineau
private-address: fe80::/10                  # v1.11 Martineau
do-ip4: yes
do-udp: yes
do-tcp: yes

#########################################
# integration IPV6
#
do-ip6: no
private-address: ::/0                                 # v1.11 Martineau Enhance 'do-ip6: no' i.e. explicitly drop ALL IPv6 responses
# do-ip6: yes
# edns-buffer-size: 1232                           # v1.11 as per @Linux_Chemist https://www.snbforums.com/threads/unbound_manager-manager-installer-utility-for-unbound-recursive-dns-server.61669/page-151
# interface: ::0
# access-control: ::0/0 refuse
# access-control: ::1 allow
# private-address: fd00::/8
# private-address: fe80::/10
#########################################
#module-config: "dns64 respip validator iterator"      # v1.08 v1.03 v1.01 perform a query against AAAA record exists
#dns64-prefix: 64:FF9B::/96                            # v1.03 v1.01

tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"  # v1.01 as per @dave14305 minimal config

# no threads and no memory slabs for threads
num-threads: 2
msg-cache-slabs: 2
rrset-cache-slabs: 2
infra-cache-slabs: 2
key-cache-slabs: 2

# tiny memory cache
extended-statistics: yes                        # v1.06 Martineau for @juched GUI TAB
key-cache-size: 8m
msg-cache-size: 8m
rrset-cache-size: 16m
cache-max-ttl: 14400                            # v1.08 Martineau
cache-min-ttl: 1200                             # v1.08 Martineau
# prefetch
prefetch: yes
prefetch-key: yes
minimal-responses: yes
serve-expired: yes
serve-expired-ttl: 3600                         # v1.12 as per @juched
serve-expired-ttl-reset: yes                     # v1.13 as per @jumpsmm7 Set the TTL of expired records to the serve-expired-ttl value after a failed attempt to retrieve the record from upstream.
incoming-num-tcp: 600
outgoing-num-tcp: 100
ip-ratelimit: 0                                  # v1.04 as per @L&LD as it impacts ipleak.net?
edns-buffer-size: 1472                           # v1.01 as per @dave14305 minimal config
max-udp-size: 3072                               # v1.13 as per @jumpsmm7 mitigate DDOS threats when using dnssec, reduce potential for fragmentation.
#outgoing-port-avoid: 0-32767                    # v1.13 as per @jumpsmm7 avoid grabbing udp ports commonly used / only for users with UDP port availability problems
#outgoing-port-permit: 32768-65535               # v1.13 as per @jumpsmm7 ports to permit / Not necessary if port-avoid is not used. limits port randomization.

# Ensure kernel buffer is large enough to not lose messages in traffic spikes
#so-rcvbuf: 1m                                   # v1.05 Martineau see DEFAULT /proc/sys/net/core/rmem_default

#########################################
# Options for integration with TCP/TLS Stubby
# udp-upstream-without-downstream: yes
#########################################

# gentle on recursion
hide-identity: yes
hide-version: yes
do-not-query-localhost: no
qname-minimisation: yes
harden-glue: yes
harden-below-nxdomain: yes
rrset-roundrobin: yes
aggressive-nsec: yes
deny-any: yes

# Self jail Unbound with user "nobody" to /var/lib/unbound
username: "nobody"
directory: "/opt/var/lib/unbound"
chroot: "/opt/var/lib/unbound"

# The pid file
pidfile: "/opt/var/run/unbound.pid"

# ROOT Server's
root-hints: "/opt/var/lib/unbound/root.hints"

# DNSSEC
auto-trust-anchor-file: "/opt/var/lib/unbound/root.key"

#########################################
# Adblock blacklist
include: /opt/var/lib/unbound/adblock/adservers
include: /opt/var/lib/unbound/adblock/firefox_DOH
#########################################

remote-control:
control-enable: yes
control-use-cert: no                            # v1.08 Default "Fast Menu" ENABLED v1.07 Martineau "Fast Menu"
control-interface: 127.0.0.1
control-port: 953
server-key-file: "/opt/var/lib/unbound/unbound_server.key"
server-cert-file: "/opt/var/lib/unbound/unbound_server.pem"
control-key-file: "/opt/var/lib/unbound/unbound_control.key"
control-cert-file: "/opt/var/lib/unbound/unbound_control.pem"

##########################################
#forward-zone:#Stubby                         # v1.08 Add #Stubby edit marker
#name: "."
#forward-addr: 127.0.1.1@5453
#forward-addr: 0::1@5453 # integration IPV6
#########################################

#@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ # v1.05 Martineau
#forward-zone:#DoT                                                    # v1.08 Add #DoT edit marker v1.05 DNS-Over-TLS support
#name: "."
#forward-tls-upstream: yes
#forward-addr: 1.1.1.1@853#cloudflare-dns.com
#forward-addr: 1.0.0.1@853#cloudflare-dns.com
#forward-addr: 9.9.9.9@853#dns.quad9.net
#forward-addr: 149.112.112.112@853#dns.quad9.net
#forward-addr: 2606:4700:4700::1111@853#cloudflare-dns.com
#forward-addr: 2606:4700:4700::1001@853#cloudflare-dns.com
#forward-addr: 2620:fe::fe@853#dns.quad9.net
#forward-addr: 2620:fe::9@853#dns.quad9.net
#@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@


# v1.01 Added the following
auth-zone:
       name: "."
       url: "https://www.internic.net/domain/root.zone"
       fallback-enabled: yes
       for-downstream: no
       for-upstream: yes
       zonefile: root.zone

#@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
# v1.08 Example rpz ( see https://medium.com/nlnetlabs/response-policy-zones-in-unbound-5d453de75f26)
# Uses @juched's script so until NLLabs fix the 'url:' download issue - assume the zonefile will be downloaded externally
#      and an external cron job will update the DNS Firewall every 00:15 minutes
#
#rpz:#RPZ                                                             # v1.08 DNS Firewall
#name: rpz.urlhaus.abuse.ch
#url: "http://urlhaus.abuse.ch/downloads/rpz/"
#zonefile: /opt/var/lib/unbound/rpz.urlhaus.abuse.ch.zone             # v1.09 Match @juched's 'rpzsites'
#rpz-log: yes
#rpz-log-name: "rpz.urlhaus.abuse.ch"
#rpz-action-override: nxdomain
#@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
include: "/opt/share/unbound/configs/unbound.conf.firewall"        # Custom DNS Firewall

server:
include: "/opt/share/unbound/configs/unbound.conf.localhosts"        # Custom server directives
server:
include: "/opt/share/unbound/configs/unbound.conf.safesearch"        # Custom server directives

try disabling the IP ratelimit option using a comment #, unbound might be overzealous

e.g. #ip-ratelimit: 0

 

[Khadanja]

try disabling the IP ratelimit option using a comment #, unbound might be overzealous

e.g. #ip-ratelimit: 0

no change

 

[Jumpstarter]

no change

You could try making sure all those cloudflare domains are whitelisted for you in slynet, and your blockers. Aside from that, there would be not much else you can do aside from tell unbound to forward those specific request to a dns server.

 

[Khadanja]

You could try making sure all those cloudflare domains are whitelisted for you in slynet, and your blockers. Aside from that, there would be not much else you can do aside from tell unbound to forward those specific request to a dns server.

Issue seems to be with my ISP? Is that possible? When using unbound, does ISP come into play? The reason I'm saying this is because I'm not able to access the site using mobile broadband too. Both home internet & mobile broadband are with same company.

 

[Jumpstarter]

Issue seems to be with my ISP? Is that possible? When using unbound, does ISP come into play? The reason I'm saying this is because I'm not able to access the site using mobile broadband too. Both home internet & mobile broadband are with same company.

Could be a number of things. Your isp could block them , or they could be blocking your isp.

 

[Jumpstarter]

Could be a number of things. Your isp could block them , or they could be blocking your isp.

My suggestion in this case is to create a forwarding rule in unbound that forwards request specific for that domain to like 8.8.8.8 for example. You can even leverage unbound DoT to ensure the requests are done over encryption.

 

[Jumpstarter]

Issue seems to be with my ISP? Is that possible? When using unbound, does ISP come into play? The reason I'm saying this is because I'm not able to access the site using mobile broadband too. Both home internet & mobile broadband are with same company.

e.g.

forward-zone:#DoT                                                    # v1.08 Add #DoT edit marker v1.05 DNS-Over-TLS support
name: "nest.gq"
forward-tls-upstream: yes
forward-addr: 1.1.1.1@853#cloudflare-dns.com
forward-addr: 1.0.0.1@853#cloudflare-dns.com
forward-addr: 9.9.9.9@853#dns.quad9.net
forward-addr: 149.112.112.112@853#dns.quad9.net
forward-addr: 2606:4700:4700::1111@853#cloudflare-dns.com
forward-addr: 2606:4700:4700::1001@853#cloudflare-dns.com
forward-addr: 2620:fe::fe@853#dns.quad9.net
forward-addr: 2620:fe::9@853#dns.quad9.net

 

[Khadanja]

My suggestion in this case is to create a forwarding rule in unbound that forwards request specific for that domain to like 8.8.8.8 for example. You can even leverage unbound DoT to ensure the requests are done over encryption.

How to do that? When I check my DNS server online like on tenta.com/test my WAN IP comes as DNS server, correct? So does my ISP part in DNS queries. Looks like my ISP has blocked .gq but I thought when I use unbound I bypass ISP restrictions?

 

[Khadanja]

e.g.

forward-zone:#DoT                                                    # v1.08 Add #DoT edit marker v1.05 DNS-Over-TLS support
name: "nest.gq"
forward-tls-upstream: yes
forward-addr: 1.1.1.1@853#cloudflare-dns.com
forward-addr: 1.0.0.1@853#cloudflare-dns.com
forward-addr: 9.9.9.9@853#dns.quad9.net
forward-addr: 149.112.112.112@853#dns.quad9.net
forward-addr: 2606:4700:4700::1111@853#cloudflare-dns.com
forward-addr: 2606:4700:4700::1001@853#cloudflare-dns.com
forward-addr: 2620:fe::fe@853#dns.quad9.net
forward-addr: 2620:fe::9@853#dns.quad9.net

Works if I do this. How to add multiple domains? Also, why does it work this way? If my ISP is blocking it, I thought unbound bypasses ISP for DNS?