Unbound unbound_manager (Manager/Installer utility for unbound - Recursive DNS Server)

[Mutzli]

I sympathise, but without a knowledgeable SME to provide a tutorial regarding what information can be extracted/inferred from increasing the 'verbosity: X' directive or alternatively using 'dig', then identifying your unbound issues may take a while.

However, if you posted the 'dig' output for a domain that inexplicably fails, together with the section of the 'unbound.log' (having temporarily increased 'verbosity: X') then there may be clue in the output.

unbound is definitely a new technology for probably 99% of us, but I suspect that if the same spurious issues occurred with say dnsmasq+DoT+DNSSEC etc., would it be straight forward to instantly identify the reason?

I had to switch it off during the day for now. I'll try again later in the week. Hopefully I get some useful info from dig and log.

 

[elorimer]

I was unable to access usaa.com.

Broke for me too, with Chrome and Firefox. The page starts to load and then goes blank.

Uninstalled unbound through unbound_manager, still broke. Rebooted, now loads fine.

 

[L&LD]

@L&LD How do I direct message you bud?

This is as direct as possible.

 

[Mutzli]

You should have Diversion logging enabled and see what happens when sites break. Do you see SERVFAIL messages in the diversion log? Or rebind attack messages because maybe you're using adblock in Unbound?

No, I did check that. It was my first suspicion as well. But nothing related to diversion and no, I don't run the adblock option in unbound.
Update: I do see SERVFAIL messages for the sites that don't work any longer:
Feb 11 09:59:52 dnsmasq[7300]: forwarded www.hulu.com to 127.0.0.1
Feb 11 09:59:52 dnsmasq[7300]: reply error is SERVFAIL
And they do increase over time. At first I have a few here and there and at the end of the log there are hundreds.

 

[Stevens243]

Broke for me too, with Chrome and Firefox. The page starts to load and then goes blank.

That is my symptom as well. I ran out of time to test but I was going to flush cache and try it on a couple of browsers and turn off any plugins first. I didn't get a chance to scan the logs either. I'll report my finding back this evening (PST) when I get home.

 

[elnash]

I think the easiest way is to go to https://www.dnsleaktest.com/

Note your WAN IP on the welcome page (Hello 123.45.67.89). Then run the test. The IP on the next page should list your WAN IP again as your DNS server.

Well, according to the test you have suggested, it appears as you comment, so it is working correctly.

 

[Mutzli]

I see problems. Disable DoT to start and why are you forwarding local dns to upstream dns server?

I'll try with DoT disabled. I have a windows server on that network that resolves DNS requests for some clients.

 

[ika]

I see problems. Disable DoT to start...?

When you have unbound working properly, does it really matter what DOT settings do you have in the GUI? Isn't it bypassed anyway by the DNS filter?

 

[elnash]

@elnash, use your network for a while. Don't just go to different websites, browse/click links within that main site too. Go to amtm and hit 7 Enter. Type s. What is the % cache hit?

Cache= 5.00%

 

[skeal]

When you have unbound working properly, does it really matter what DOT settings do you have in the GUI? Isn't it bypassed anyway by the DNS filter?

It matters. At this time there isn't full support for DoT in unbound.

 

[QuikSilver]

@elnash, use your network for a while. Don't just go to different websites, browse/click links within that main site too. Go to amtm and hit 7 Enter. Type s. What is the % cache hit?

Mine's around 77%. What's considered normal?

 

[ika]

It matters. At this time there isn't full support for DoT in unbound.

Thank you for the answer. Do you know in what test or scenario would I see the difference or the problem it could cause?

 

[elnash]

Mine's around 77%. What's considered normal?

Pufff, you get me a good piece in percentage

 

[skeal]

Thank you for the answer. Do you know in what test or scenario would I see the difference or the problem it could cause?

If you use DoT and try dnsleak.com it will mess your results from what @dave14305 has wisely recommended.

dave14305 said: ↑
I think the easiest way is to go to https://www.dnsleaktest.com/

Note your WAN IP on the welcome page (Hello 123.45.67.89). Then run the test. The IP on the next page should list your WAN IP again as your DNS server.

 

[ika]

If you use DoT and try dnsleak.com it will mess your results from what @dave14305 has wisely recommended.

I also saw @dave14305's relevant post, and was looking into this, but I get zero difference with that settings in any test I can find, that's why I'm curious.

 

[skeal]

I also saw @dave14305's relevant post, and was looking into this, but I get zero difference with that settings in any test I can find, that's why I'm curious.

What is your dnsfilter set to?

 

[ika]

What is your dnsfilter set to?

Router

 

[skeal]

Router

Then unbound somehow is overriding your DoT experiment.

 

[ika]

Then unbound somehow is overriding your DoT experiment.

I think the DNSfilter settings overwrties it, with or without unbound.

 

[skeal]

For me when changing settings like DoT or anything else and restarting unbound has caused issues or problematic test results.