Unbound unbound_manager (Manager/Installer utility for unbound - Recursive DNS Server)

[tomsk]

A:Option ==> dnsmasq disable

If you currently use or rely on dnsmasq features such as Diversion or IPSET auto-populate etc., then re-consider.

Do you still want to DISABLE dnsmasq?

    Reply 'y' or press [Enter]  to skip

when dnsmasq disabled then no diversion as I understand?

Yes you get a warning about that when you attempt to disable it

 

[Martineau]

Will you be adding these commands to the menu....
i see a hot fix sneak in there as i was playing with the dnsmasq command.

They should all be there, and the Hofix added 'dnsmasq [disable]' to the command description

I assume it can run directly from the advanced menu?

Yes.​

 

[tomsk]

They should all be there, and the Hofix added 'dnsmasq [disable]' to the command description

Yes.​

Sorry mate... unless I'm as blind as a bat, the command descriptions are the same as 3.09 for me.

 

[Martineau]

Sorry mate... unless I'm as blind as a bat, the command descriptions are the same as 3.09 for me.

Can you provide a screen shot?

Ahh OK...if you don't use Ad Block it won't appear

I've uploaded Hotfix

Version=3.10
Github md5=1071e00a2ea83501f75b6ed249b231bd​

 

[Martineau]

Converting dnsmasq local hosts to 'unbound'.....

Adding 'include: "/opt/share/unbound/configs/unbound.conf.addgui" to '/opt/var/lib/unbound/unbound.conf'
Adding 'include: "/opt/share/unbound/configs/unbound.conf.localhosts" to '/opt/var/lib/unbound/unbound.conf'
Restarting dnsmasq.....
Done.

unbound-checkconf: no errors in /opt/var/lib/unbound/unbound.conf

 Shutting down unbound...              done.
 Starting unbound...              failed.

Checking status, please wait.....

    ***ERROR unbound went AWOL after 1 seconds.....

    Try option 'debug' and check for unbound.conf or runtime errors!

A:Option ==> debug


[1588673447] unbound[23245:0] notice: Start of unbound 1.10.0.
May 05 10:10:47 unbound[23245:0] error: can't bind socket: Address already in use for 0.0.0.0 port 53
May 05 10:10:47 unbound[23245:0] fatal error: could not open ports

Something went wonky here..... dnsmasq enable recovered the old setup

Would you mind trying again?

e  = Exit Script [?]

A:Option ==> dnsmasq disable

and then provide the output of the following:

nvram get lan_ipaddr_rt

grep -A 5 "^port:" /opt/var/lib/unbound/unbound.conf

grep -A 1 "port=0" /jffs/configs/dnsmasq.conf.add

tail -n 5 /etc/dnsmasq.conf

then reinstate dnsmasq

e  = Exit Script [?]

A:Option ==> dnsmasq

I suspect the mods to '/jffs/addons/unbound/unbound.postconf' in trying to ensure you will always have a working router (i.e. DNS server) during a reboot/backout may be too cautious to allow disabling dnsmasq.

 

[tomsk]

Would you mind trying again?

e  = Exit Script [?]

A:Option ==> dnsmasq disable

and then provide the output of the following:

nvram get lan_ipaddr_rt

grep -A 5 "^port:" /opt/var/lib/unbound/unbound.conf

grep -A 1 "port=0" /jffs/configs/dnsmasq.conf.add

tail -n 5 /etc/dnsmasq.conf

then reinstate dnsmasq

e  = Exit Script [?]

A:Option ==> dnsmasq

I suspect the mods to '/jffs/addons/unbound/unbound.postconf' in trying to ensure you can always have a system (i.e. DNS server) during a reboot/backout may be to cautious to allow disabling dnsmasq.

tOmsK@RT-AC68U-4690:/jffs/scripts# nvram get lan_ipaddr_rt
10.10.10.1
tOmsK@RT-AC68U-4690:/jffs/scripts# grep -A 5 "^port:" /opt/var/lib/unbound/unbound.conf
port: 53                                 # v1.08 If 53 (Requires 'port=0' in '/etc/dnsmasq.conf') to answer queries direct from LAN clients
interface: 0.0.0.0                  # v1.01 as per @dave14305 minimal config
#port: 53 #NOdnsmasq                        # v1.08 https://www.snbforums.com/threads/unbound-gui-stats-including-top-blocked-top-replies-todays-replies.63188/
#interface: 0.0.0.0
#interface: 127.0.0.1@53
access-control: 0.0.0.0/0 allow
tOmsK@RT-AC68U-4690:/jffs/scripts# grep -A 1 "port=0" /jffs/configs/dnsmasq.conf.add
grep: /jffs/configs/dnsmasq.conf.add: No such file or directory
tOmsK@RT-AC68U-4690:/jffs/scripts# tail -n 5 /etc/dnsmasq.conf
addn-hosts=/opt/share/diversion/list/blockinglist
log-async
log-queries
log-facility=/opt/var/log/dnsmasq.log
# end of Diversion directives #

dnsmasq.conf.add gone awol?

 

[Martineau]

EDIT: dnsmasq.conf.add gone awol?

tOmsK@RT-AC68U-4690:/jffs/scripts# nvram get lan_ipaddr_rt
10.10.10.1
tOmsK@RT-AC68U-4690:/jffs/scripts# grep -A 5 "^port:" /opt/var/lib/unbound/unbound.conf
port: 53                                 # v1.08 If 53 (Requires 'port=0' in '/etc/dnsmasq.conf') to answer queries direct from LAN clients
interface: 0.0.0.0                  # v1.01 as per @dave14305 minimal config
#port: 53 #NOdnsmasq                        # v1.08 https://www.snbforums.com/threads/unbound-gui-stats-including-top-blocked-top-replies-todays-replies.63188/
#interface: 0.0.0.0
#interface: 127.0.0.1@53
access-control: 0.0.0.0/0 allow
tOmsK@RT-AC68U-4690:/jffs/scripts# grep -A 1 "port=0" /jffs/configs/dnsmasq.conf.add
grep: /jffs/configs/dnsmasq.conf.add: No such file or directory
tOmsK@RT-AC68U-4690:/jffs/scripts# tail -n 5 /etc/dnsmasq.conf
addn-hosts=/opt/share/diversion/list/blockinglist
log-async
log-queries
log-facility=/opt/var/log/dnsmasq.log
# end of Diversion directives #

Well it doesn't help ....… but as usual, perhaps my last minute tweak to improve the feature has borked it anyway.

I'll investigate later.

 

[tomsk]

Having been used to ad blocking for so long, it's a feature i wouldn't want to live without. Having used Diversion since it was called AB-Solution i have a certain affinity for it, however i would like to experiment with unbound adblocking too. Seeing as the two aren't really complementary, would it be possible to automate having unbound with the adblocking enabled when dnsmasq is bypassed, but turning off the unbound adblocking when dnsmasq is switched in to block with pixelserv and unbound as the authoritative server...... maybe not something many people would want i suppose, plumping for one or the other but there might be interest?

 

[SomeWhereOverTheRainBow]

I've uploaded v3.10

Version=3.10
Github md5=f4823fee76d00deb1f4d8693585aab8f
​

use 'u' to update when prompted on screen

Use of the 'i = Update unbound Installation' **Not required**

FIX:    'bind' command doesn't detect a valid Gateway IP for PPTP 'ppp0' interface
FIX:     logging status doesn't auto-disable' during initial install.
ADD:    's' command now displays cache stats by (if configured) thread (num-threads:) and discards the Average Summary.
ADD:    'ca min' command to set the cache size to 4M,4M,4M as shown below - interesting 17%/45% full!..wonder what happens if it reaches 100%?
ADD:    'adblock [update]'  command to request immediate execution of the Ad Block daily refresh/update cron job.
ADD:    'dnsmasq [disable]' command to allow ALL LAN Clients to use unbound as their Primary DNS server rather than dnsmasq.
         This may allow tweakers to play with 'num-threads'; i.e. DNS requests are no longer funnelled from only (single queue) dnsmasq.
         @Juched's reports may also be more informative.

NOTE: The new 'dnsmasq disable' command was personally useful and assisted in revealing which device was hammering DNS requests for 'ipid.shat.net'
So I was then able to manually add the domain to the Ad Block blockhosts; hence the use of the convenient new 'adblock update' command.

info: ipid.shat.net. always_nxdomain 10.88.8.120@3978 ipid.shat.net. A IN

    [✔] unbound Logging
    [✔] Ad and Tracker Blocking (No. of Adblock domains=64305,Blocked Hosts=0,Whitelist=19)
    [✔] unbound CPU/Memory Performance tweaks
    [✔] Router Graphical GUI statistics TAB installed
    [✔] unbound-control FAST response ENABLED
    [✔] Unbound is the Primary DNS for ALL LAN Clients (dnsmaq DNS features DISABLED e.g. IPSET auto-populate)

    unbound Memory/Cache:

    'key-cache-size:'   4194304 (4.00 MB)
    'msg-cache-size:'   4194304 (4.00 MB)   17% used 729278 (712.19 KB)
    'rrset-cache-size:' 4194304 (4.00 MB)   45% used 1911190    (1.82 MB)

total.num.queries=35063             total.num.expired=1914              total.requestlist.exceeded=0            total.tcpusage=0
total.num.queries_ip_ratelimited=0  total.num.recursivereplies=2982     total.requestlist.current.all=0         msg.cache.count=3785
total.num.cachehits=32081           total.requestlist.avg=1.31234       total.requestlist.current.user=0        rrset.cache.count=9536
total.num.cachemiss=2982            total.requestlist.max=16            total.recursion.time.avg=0.409051       infra.cache.count=3031
total.num.prefetch=2544             total.requestlist.overwritten=0     total.recursion.time.median=0.073728    key.cache.count=471

Summary: Cache Hits success=91.00%

I am now comforted knowing there will be no more robo calls to disabled web services such as ipid.shat.net.

 

[Martineau]

Would it be possible to automate having unbound with the adblocking enabled when dnsmasq is bypassed, but turning off the unbound adblocking when dnsmasq is switched in to block with pixelserv and unbound as the authoritative server...... maybe not something many people would want i suppose, plumping for one or the other but there might be interest?

Bit of a niche request, but I may consider it in a future release, however, the priority at the moment is to actually get 'dnsmasq disable' to work reliably!

Hotfix v3.10
Github md5=1071e00a2ea83501f75b6ed249b231bd

Hopefully bypassing dnsmasq now works reliably.

 

[tomsk]

Bit of a niche request, but I may consider it in a future release, however, the priority at the moment is to actually get 'dnsmasq disable' to work reliably!

Hotfix v3.10
Github md5=1071e00a2ea83501f75b6ed249b231bd

Hopefully bypassing dnsmasq now works reliably.

I thought you had nailed it....... i disabled dnsmasq and everything seemed to be working properly ( albeit the warning about affecting diversion etc never appeared), however after reverting to dnsmasq and then trying again, unbound failed to start ( warning for affecting diversion showed this time)..... using the same trouble shooting as before

[1588694336] unbound[11121:0] notice: Start of unbound 1.10.0.
May 05 15:58:56 unbound[11121:0] error: can't bind socket: Address already in use for 0.0.0.0 port 53
May 05 15:58:56 unbound[11121:0] fatal error: could not open ports


tOmsK@RT-AC68U-4690:/tmp/home/root# nvram get lan_ipaddr_rt
10.10.10.1
tOmsK@RT-AC68U-4690:/tmp/home/root# grep -A 5 "^port:" /opt/var/lib/unbound/unbound.conf
port: 53                                 # v1.08 If 53 (Requires 'port=0' in '/etc/dnsmasq.conf') to answer queries direct from LAN clients
interface: 0.0.0.0                  # v1.01 as per @dave14305 minimal config
#port: 53 #NOdnsmasq                        # v1.08 https://www.snbforums.com/threads/unbound-gui-stats-including-top-blocked-top-replies-todays-replies.63188/
#interface: 0.0.0.0
#interface: 127.0.0.1@53
access-control: 0.0.0.0/0 allow
tOmsK@RT-AC68U-4690:/tmp/home/root# grep -A 1 "port=0" /jffs/configs/dnsmasq.conf.add
port=0                           # unbound_manager
dhcp-option=lan,6,10.10.10.1      # unbound_manager
tOmsK@RT-AC68U-4690:/tmp/home/root# tail -n 5 /etc/dnsmasq.conf
addn-hosts=/opt/share/diversion/list/blockinglist
log-async
log-queries
log-facility=/opt/var/log/dnsmasq.log
# end of Diversion directives #

EDIT : having disabled and enabled dnsmasq a few more times , for the most part its working fine .... but i get the occasional failure to start unbound.. as reported.

 

[Martineau]

I disabled dnsmasq and everything seemed to be working properly ( albeit the warning about affecting diversion etc never appeared)

not sure how this can happen...the prompt should always appear, unless of course if you misspelt 'disable', in which case 'dnsmasq' is reinstated.

EDIT : having disabled and enabled dnsmasq a few more times , for the most part its working fine .... but i get the occasional failure to start unbound.. as reported.

OK, you have successfully bypassed dnsmasq but unreliably.

That old hack 'sleep nn' is once again the prime suspect.

unbound fails to start apparently because it believes that socket '0.0.0.0:53' is already in use.

So who is using the socket?

netstat -anp | grep LISTEN | grep -v unix | sort -k 4

So here is the hack I added.... v3.10 Hotfix

Basically if dnsmasq is stopped, surely nothing should be listening on '0.0.0.0:53' after 10 seconds,

If you have the time, when unbound fails the next time, can you manually terminate dnsmasq (it is restarted automatically if unbound FAILS!)

service stop_dnsmasq

Now if you wait say 20 seconds (double the 10 seconds in the code), can you now successfully restart unbound?

e  = Exit Script [?]

A:Option ==> rs

Alternatively, what happens if you increase the 'sleep 10' to say 'sleep 20' in the script …..do you get 100% success when requesting the bypassing of dnsmasq?

P.S. If you can identify what is listening on '0.0.0.0:53' then that would be a great help.

NOTE: The previous diagnostic commands highlighted the fact that in your environment '/jffs/configs/dnsmasq.conf.add' either went AWOL or has never existed?, so in your case they are now irrelevant.

 

[dave14305]

Don't forget that watchdog will restart dnsmasq if it doesn't find it running. Timing is everything.

 

[Martineau]

Don't forget that watchdog will restart dnsmasq if it doesn't find it running. Timing is everything.

So what is currently listening on '0.0.0.0:53' on your router?

 

[dave14305]

So what is currently listening on '0.0.0.0:53' on your router?

Nothing is listening on 0.0.0.0:53, but dnsmasq is listening on the loopback and LAN interface. I'm not testing this feature, but if you stop_dnsmasq, watchdog might restart it before you eventually restart it with port=0. I couldn't tell where your code restarts dnsmasq with the port=0 config.

 

[tomsk]

this is the syslog when dnsmasq is bypassed successfully

May  5 22:11:01 RT-AC68U-4690 rc_service: service 1907:notify_rc stop_dnsmasq
May  5 22:11:01 RT-AC68U-4690 custom_script: Running /jffs/scripts/service-event (args: stop dnsmasq)
May  5 22:11:15 RT-AC68U-4690 rc_service: service 2070:notify_rc restart_dnsmasq
May  5 22:11:15 RT-AC68U-4690 custom_script: Running /jffs/scripts/service-event (args: restart dnsmasq)
May  5 22:11:15 RT-AC68U-4690 custom_config: Appending content of /jffs/configs/dnsmasq.conf.add.
May  5 22:11:15 RT-AC68U-4690 custom_script: Running /jffs/scripts/dnsmasq.postconf (args: /etc/dnsmasq.conf)
May  5 22:11:15 RT-AC68U-4690 tOmsK: Started unbound from .
May  5 22:11:17 RT-AC68U-4690 Diversion: restarted Dnsmasq to apply settings
May  5 22:11:17 RT-AC68U-4690 (dnsmasq.postconf): Updating /etc/dnsmasq.conf for unbound.....
May  5 22:11:17 RT-AC68U-4690 (dnsmasq.postconf): dnsmasq DNS bypassed. unbound will be the primary DNS for ALL LAN Clients.
May  5 22:11:17 RT-AC68U-4690 stubby[2338]: Read config from file /etc/stubby/stubby.yml

This is the syslog when it fails

May  5 22:19:54 RT-AC68U-4690 rc_service: service 4368:notify_rc stop_dnsmasq
May  5 22:19:54 RT-AC68U-4690 custom_script: Running /jffs/scripts/service-event (args: stop dnsmasq)
May  5 22:19:59 RT-AC68U-4690 rc_service: watchdog 283:notify_rc start_dnsmasq
May  5 22:19:59 RT-AC68U-4690 custom_script: Running /jffs/scripts/service-event (args: start dnsmasq)
May  5 22:19:59 RT-AC68U-4690 custom_config: Appending content of /jffs/configs/dnsmasq.conf.add.
May  5 22:19:59 RT-AC68U-4690 custom_script: Running /jffs/scripts/dnsmasq.postconf (args: /etc/dnsmasq.conf)
May  5 22:20:01 RT-AC68U-4690 Diversion: restarted Dnsmasq to apply settings
May  5 22:20:01 RT-AC68U-4690 (dnsmasq.postconf): Updating /etc/dnsmasq.conf for unbound.....
May  5 22:20:01 RT-AC68U-4690 (dnsmasq.postconf): dnsmasq DNS bypassed. unbound will be the primary DNS for ALL LAN Clients.
May  5 22:20:01 RT-AC68U-4690 stubby[4685]: Read config from file /etc/stubby/stubby.yml
May  5 22:20:07 RT-AC68U-4690 rc_service: service 4793:notify_rc restart_dnsmasq
May  5 22:20:07 RT-AC68U-4690 custom_script: Running /jffs/scripts/service-event (args: restart dnsmasq)
May  5 22:20:08 RT-AC68U-4690 custom_config: Appending content of /jffs/configs/dnsmasq.conf.add.
May  5 22:20:08 RT-AC68U-4690 custom_script: Running /jffs/scripts/dnsmasq.postconf (args: /etc/dnsmasq.conf)
May  5 22:20:08 RT-AC68U-4690 tOmsk: Failed to start unbound from .
May  5 22:20:10 RT-AC68U-4690 Diversion: restarted Dnsmasq to apply settings
May  5 22:20:10 RT-AC68U-4690 (dnsmasq.postconf): Updating /etc/dnsmasq.conf for unbound.....
May  5 22:20:10 RT-AC68U-4690 stubby[5061]: Read config from file /etc/stubby/stubby.yml

Not sure if that's any help?

 

[Martineau]

Nothing is listening on 0.0.0.0:53, but dnsmasq is listening on the loopback and LAN interface. I'm not testing this feature, but if you stop_dnsmasq, watchdog might restart it before you eventually restart it with port=0. I couldn't tell where your code restarts dnsmasq with the port=0 config.

Hmmmm, are you confirming that dnsmasq isn't listening on '0.0.0.0:53'?

If that is the case, why should I then care if dnsmasq gets restarted by the watchdog as it seemingly can't be the culprit that is responsible for unbound's failure to acquire exclusive use of the socket.... or can it?

P.S. Once dnsmasq is configured with the 'port=o' directive, it is persistent until explicitly removed, although I have changed the logic in '/jffs/addons/unbound/unbound.postconf' to try and prevent the router having no DNS resolution capability, i.e. currently, if there is an unexpected reboot, the router will resume with dnsmasq until I (or @Jack Yaz ) updates S61unbound.

 

[tomsk]

i tried an rs but still couldn't restart unbound....

[1588703462] unbound[6741:0] notice: Start of unbound 1.10.0.
May 05 18:31:02 unbound[6741:0] error: can't bind socket: Address already in use for 0.0.0.0 port 53
May 05 18:31:02 unbound[6741:0] fatal error: could not open ports


tOmsK@RT-AC68U-4690:/tmp/home/root# netstat -anp | grep LISTEN | grep -v unix | sort -k 4
tcp        0      0 0.0.0.0:18017           0.0.0.0:*               LISTEN      199/wanduck
tcp        0      0 0.0.0.0:3394            0.0.0.0:*               LISTEN      780/u2ec
tcp        0      0 0.0.0.0:3702            0.0.0.0:*               LISTEN      8016/wsdd2
tcp        0      0 0.0.0.0:5473            0.0.0.0:*               LISTEN      780/u2ec
tcp        0      0 0.0.0.0:7788            0.0.0.0:*               LISTEN      333/cfg_server
tcp        0      0 10.10.10.1:139          0.0.0.0:*               LISTEN      8014/smbd
tcp        0      0 10.10.10.1:22           0.0.0.0:*               LISTEN      220/dropbear
tcp        0      0 10.10.10.1:3838         0.0.0.0:*               LISTEN      781/lpd
tcp        0      0 10.10.10.1:445          0.0.0.0:*               LISTEN      8014/smbd
tcp        0      0 10.10.10.1:515          0.0.0.0:*               LISTEN      781/lpd
tcp        0      0 10.10.10.1:53           0.0.0.0:*               LISTEN      6615/dnsmasq
tcp        0      0 10.10.10.1:80           0.0.0.0:*               LISTEN      279/httpd
tcp        0      0 10.10.10.1:9100         0.0.0.0:*               LISTEN      781/lpd
tcp        0      0 10.10.10.3:443          0.0.0.0:*               LISTEN      8545/pixelserv-tls
tcp        0      0 10.10.10.3:80           0.0.0.0:*               LISTEN      8545/pixelserv-tls
tcp        0      0 127.0.0.1:139           0.0.0.0:*               LISTEN      8014/smbd
tcp        0      0 127.0.0.1:445           0.0.0.0:*               LISTEN      8014/smbd
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN      6615/dnsmasq
tcp        0      0 127.0.0.1:80            0.0.0.0:*               LISTEN      279/httpd
tcp        0      0 127.0.1.1:53            0.0.0.0:*               LISTEN      6611/stubby

 

[dave14305]

Hmmmm, are you confirming that dnsmasq isn't listening on '0.0.0.0:53'?

If that is the case, why should I then care if dnsmasq gets restarted by the watchdog as it seemingly can't be the culprit that is responsible for unbound's failure to acquire exclusive use of the socket.... or can it?

P.S. Once dnsmasq is configured with the 'port=o' directive, it is persistent until explicitly removed, although I have changed the logic in '/jffs/addons/unbound/unbound.postconf' to try and prevent the router having no DNS resolution capability, i.e. currently, if there is an unexpected reboot, the router will resume with dnsmasq until I (or @Jack Yaz ) updates S61unbound.

Oh, I know! He's running stubby which will be listening on 127.0.1.1:53. You may need to only listen on the lan and loopback IPs.

 

[dave14305]

i tried an rs but still couldn't restart unbound....

[1588703462] unbound[6741:0] notice: Start of unbound 1.10.0.
May 05 18:31:02 unbound[6741:0] error: can't bind socket: Address already in use for 0.0.0.0 port 53
May 05 18:31:02 unbound[6741:0] fatal error: could not open ports


tOmsK@RT-AC68U-4690:/tmp/home/root# netstat -anp | grep LISTEN | grep -v unix | sort -k 4
tcp        0      0 0.0.0.0:18017           0.0.0.0:*               LISTEN      199/wanduck
tcp        0      0 0.0.0.0:3394            0.0.0.0:*               LISTEN      780/u2ec
tcp        0      0 0.0.0.0:3702            0.0.0.0:*               LISTEN      8016/wsdd2
tcp        0      0 0.0.0.0:5473            0.0.0.0:*               LISTEN      780/u2ec
tcp        0      0 0.0.0.0:7788            0.0.0.0:*               LISTEN      333/cfg_server
tcp        0      0 10.10.10.1:139          0.0.0.0:*               LISTEN      8014/smbd
tcp        0      0 10.10.10.1:22           0.0.0.0:*               LISTEN      220/dropbear
tcp        0      0 10.10.10.1:3838         0.0.0.0:*               LISTEN      781/lpd
tcp        0      0 10.10.10.1:445          0.0.0.0:*               LISTEN      8014/smbd
tcp        0      0 10.10.10.1:515          0.0.0.0:*               LISTEN      781/lpd
tcp        0      0 10.10.10.1:53           0.0.0.0:*               LISTEN      6615/dnsmasq
tcp        0      0 10.10.10.1:80           0.0.0.0:*               LISTEN      279/httpd
tcp        0      0 10.10.10.1:9100         0.0.0.0:*               LISTEN      781/lpd
tcp        0      0 10.10.10.3:443          0.0.0.0:*               LISTEN      8545/pixelserv-tls
tcp        0      0 10.10.10.3:80           0.0.0.0:*               LISTEN      8545/pixelserv-tls
tcp        0      0 127.0.0.1:139           0.0.0.0:*               LISTEN      8014/smbd
tcp        0      0 127.0.0.1:445           0.0.0.0:*               LISTEN      8014/smbd
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN      6615/dnsmasq
tcp        0      0 127.0.0.1:80            0.0.0.0:*               LISTEN      279/httpd
tcp        0      0 127.0.1.1:53            0.0.0.0:*               LISTEN      6611/stubby

Disable DNS Privacy and try again. Or if it's enabled through Unbound Manager, disable it there.