Menu
What's new
By:
Filters Better Search

Unbound Understanding Unbound...

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

Viktor Jaep said:
OK, this is interesting. Can you explain a little how this works, and what you're seeing behavior-wise from your end? When I call the "unbound_manager vpn=3", it will change the "outgoing-interface:" dynamically to the internal VPN IP, usually in the form of an address, like: 10.0.8.3...

Are you saying you change the outgoing interface to 192.168.1.1 (or internal router br0 IP), and use this script to facilitate setting the rules for unbound to traverse over the VPN in this case?
Click to expand...
When I first started to use unbound, I could not get "unbound_manager vpn=3" to work either. Then I found the script by @Swinson and it works right away. So yes, I leave "vpn=disable" in unbound and rely on this script to facilitate it.

Say you put the script in '/jffs/addons/unbound/unbound_DNS_via_OVPN.sh', you can manually run it. For ovpnc3, syntax to start and stop is
Code: 
/jffs/addons/unbound/unbound_DNS_via_OVPN.sh 3 start
/jffs/addons/unbound/unbound_DNS_via_OVPN.sh 3 stop
.
Once stop is run, unbound traffic will go back to WAN interface. It can bind to another ovpn client by changing the vpn id.

Viktor Jaep said:
So really weird... DNSMON is showing that queries are initiating from my tun14 interface (IP is 10.8.1.2)... yet, when I run the command:

Code: 
tcpdump -i tun14 -p port 53

...it doesn't report any traffic whatsoever. And the mystery continues...
Click to expand...
I suspect it is going through your WAN interface. Perhaps you run tcpdump on your WAN interface and see if it is there. By the way, if it is cached by unbound, there will be no outgoing query.
 
Last edited:
Twiglets said:
No no no no no !!!
Do not wish that on the world ..... ever.
(Remember Pandora and her problems with a certain box !!!) :)

I can 'hack' anything that has been well written ('standing on the shoulders of giants') but starting from scratch usually is not very good !!! :(

I can live with my hacks but they are not 'safe' for automagic use ..... i.e. If things fail there is usually not a 'Press this button to fix' answer !!!
Click to expand...
😁 I see, i request this feature nonetheless, maybe you can collaborate with some of these giants? :)
 
This Script ?

www.snbforums.com

Unbound - Unbound DNS VPN Client w/policy rules

@Kingp1n I kept the added server line but re-enabled the unbound.postconf. I restarted dnsmasq the server line is in there twice now which doesn’t seem to be a problem so far and I’m currently not showing a leak. I’ll do some reboots and report back if I find anything.
www.snbforums.com www.snbforums.com
 
Viktor Jaep said:
Right... but as was stated before... if you run the command "unbound_manager vpn=4", unbound would then send all queries out over your VPN interface to prevent the ISP from snooping on that traffic, and your public VPN IP then would indicate as the DNS resolver -- I have not been able to make that happen as of yet... My question is, is this really happening, and why does the DNSMON tool show that outbound traffic looks like it's going out over the VPN, but the recipient of return traffic is coming back to the WAN interface.
Click to expand...
I don't believe that's possible with Unbound - I don't think that is the intended functionality
 
Gary_Dexter said:
I don't believe that's possible with Unbound - I don't think that is the intended functionality
Click to expand...
I have been trying to solve this problem and also found that 'unbound_manager vpn=x' does not work.
i.e. Traffic does not seem to go through the tunnel, even though the vpn connection is up !!!

I have not needed to use a vpn via the router before, so this is 'New' to me !!!

BTW:
Martineau did rewrite Swinsons script to use vpn in unbound ---> Here.
[A very Useful pointer to how to get it to work ..... Once I understand what it does !!! :) ]
This script is also new to me, so I am doing some hacking/testing to see what I can get to work :)
 
Gary_Dexter said:
I don't believe that's possible with Unbound - I don't think that is the intended functionality
Click to expand...
Well... it supposedly is? If you look under the advanced menu, there's an option to specify a vpn # command. There's a lot of documentation on getting this to work, and while it seems like it does, I'm not getting the same results... See below:

Martineau said:
You shouldn't believe everything you read on the Internet;)

Once upon a time.... ha!:p

Of course you can use unbound with a permanently running VPN.

unbound will always use the WAN but be unencrypted (i.e. ISP snooping), and your LAN nominated Selective Routing devices can either use the VPN ISP's DNS (EXCLUSIVE) or unbound.

The only thing that is new is (optionally) unbound is also capable of sending it's requests though the VPN tunnel to prevent ISP snooping, but I doubt many have used the option within unbound_manager as it is experimental.
Click to expand...

And I just noticed (FINALLY!) from this that the only way to get this to work is to set your "Accept DNS" in your VPN slot config to EXCLUSIVE... but then your VPN DNS servers become forwarders, and Unbound isn't really doing any root server lookups in this case, if I'm not mistaking.
 
Last edited:
Twiglets said:
I have been trying to solve this problem and also found that 'unbound_manager vpn=x' does not work.
i.e. Traffic does not seem to go through the tunnel, even though the vpn connection is up !!!

I have not needed to use a vpn via the router before, so this is 'New' to me !!!

BTW:
Martineau did rewrite Swinsons script to use vpn in unbound ---> Here.
[A very Useful pointer to how to get it to work ..... Once I understand what it does !!! :) ]
This script is also new to me, so I am doing some hacking/testing to see what I can get to work :)
Click to expand...
I will definitely be trying Swinson's script... thanks for the extended how-to's @chongnt! Hope to get some time to experiment SOON! :)
 
Last edited:
Viktor Jaep said:
So really weird... DNSMON is showing that queries are initiating from my tun14 interface (IP is 10.8.1.2)... yet, when I run the command:

Code: 
tcpdump -i tun14 -p port 53

...it doesn't report any traffic whatsoever. And the mystery continues...
Click to expand...
That might be because Unbound is randomizes its internal NAT ports before exit. So, while it appears unobservable internally, it exits out port 53 on the other end. I think alot of people misunderstand the implications and intentions of port randomization capabilities of unbound. Without internal intervention (a.k.a. adjusting settings in unbound.conf), unbound tries to make it pretty darn difficult to track and packet sniff by seperating parts of queries and randomizing exit ports. Your best place to look is the connections tracking page on your routers system log tab. Plus you need to specify you want to observe UDP port 53. I doubt unbound uses TCP only unless you tell it to. Otherwise it will typically use UDP. I am not sure tcpdump defaultly examines UDP traffic, I think you have to specify it.


Example of some unbound related traffic on my network..
1683243496655.png

1683243468341.png


@Viktor Jaep To fully appreciate unbounds capabilities, you need to observe all of your traffic in its entirety via connection tracking.
 
Last edited:
SomeWhereOverTheRainBow said:
That might be because Unbound is randomizes its internal NAT ports before exit. So, while it appears unobservable internally, it exits out port 53 on the other end. I think alot of people misunderstand the implications and intentions of port randomization capabilities of unbound. Without internal intervention (a.k.a. adjusting settings in unbound.conf), unbound tries to make it pretty darn difficult to track and packet sniff by seperating parts of queries and randomizing exit ports. Your best place to look is the connections tracking page on your routers system log tab. Plus you need to specify you want to observe UDP port 53. I doubt unbound uses TCP only unless you tell it to. Otherwise it will typically use UDP. I am not sure tcpdump defaultly examines UDP traffic, I think you have to specify it.


Example of some unbound related traffic on my network..
View attachment 49879
View attachment 49878

@Viktor Jaep To fully appreciate unbounds capabilities, you need to observe all of your traffic in its entirety via connection tracking.
Click to expand...
I took a look at the connection tracking, and am seeing this... the 10.8.0.2 is my tun14 IP...

1683249192561.png


When I ran tcpdump:
Code: 
tcpdump -i tun14 -nn -l udp port 53
... I get zero results... even tried going to some websites I've never been to thinking that they wouldn't be cached, and would force a lookup.
 
Viktor Jaep said:
I took a look at the connection tracking, and am seeing this... the 10.8.0.2 is my tun14 IP...

View attachment 49886

When I ran tcpdump:
Code: 
tcpdump -i tun14 -nn -l udp port 53
... I get zero results... even tried going to some websites I've never been to thinking that they wouldn't be cached, and would force a lookup.
Click to expand...
So, the silent good news is, Connection Tracking has identified my hypothesis. You would not be able to observe port 53 traffic (atleast not in the way you hoped). However, Connection Tracking shows that majority of your traffic for DNS is indeed unbound VIA your VPN.
 
SomeWhereOverTheRainBow said:
So, the silent good news is, Connection Tracking has identified my hypothesis. You would not be able to observe port 53 traffic (atleast not in the way you hoped). However, Connection Tracking shows that majority of your traffic for DNS is indeed unbound VIA your VPN.
Click to expand...
So that's good news... ;) What's your theory on this? Using Eibgrad's DNSMON tool, it shows DNS requests going out over the VPN, but it almost seems like their replies are coming back to the WAN? One would think if they go out over the VPN, they would return over the VPN?

1683249787682.png
 
Viktor Jaep said:
I took a look at the connection tracking, and am seeing this... the 10.8.0.2 is my tun14 IP...

View attachment 49886

When I ran tcpdump:
Code: 
tcpdump -i tun14 -nn -l udp port 53
... I get zero results... even tried going to some websites I've never been to thinking that they wouldn't be cached, and would force a lookup.
Click to expand...
What’s your WAN interface? I’m on PPPoE, and in tcpdump I can capture these on ppp0 interface after I stop binding unbound to vpn.
 
Viktor Jaep said:
So that's good news... ;) What's your theory on this? Using Eibgrad's DNSMON tool, it shows DNS requests going out over the VPN, but it almost seems like their replies are coming back to the WAN? One would think if they go out over the VPN, they would return over the VPN?

View attachment 49888
Click to expand...
That is because the script is not accounting for the classify middleman address of 10.8.0.2 correctly as a vpn.
 
Viktor Jaep said:
So that's good news... ;) What's your theory on this? Using Eibgrad's DNSMON tool, it shows DNS requests going out over the VPN, but it almost seems like their replies are coming back to the WAN? One would think if they go out over the VPN, they would return over the VPN?

View attachment 49888
Click to expand...
Once bind to VPN with the script mentioned abive, DNSMON recipient dest ip is always the vpn ip in my case. I don’t think you should see your WAN IP there if it is going through VPN.
 
chongnt said:
Once bind to VPN with the script mentioned abive, DNSMON recipient dest ip is always the vpn ip in my case. I don’t think you should see your WAN IP there if it is going through VPN.
Click to expand...
I'm certainly going to try the swinson/martineau script and see what my results look like there... I'm very interested in seeing it in action! :)
 
dave14305 said:
none of that is DNS traffic. You’re picking up the :53 seconds in the timestamp.
Click to expand...
OMG. Looks like you're right on that... DANG!
 
You must log in or register to reply here.

Similar threads

muffintastic
Unbound Force all DNS requests through Unbound using iptables?
Replies
14
Views
446
RMerlin
RMerlin
B
Unbound Unbound whitelist
Replies
15
Views
561
BeachGuy
B
Z
Unbound Unbound + AdGuard Settings
Replies
1
Views
352
Gary_Dexter
Gary_Dexter
B
Unbound YouTube Ad Blocker
Replies
8
Views
785
laracroftonline
laracroftonline
B
Unbound Use unbound/router as default DNS server
Replies
2
Views
870
BeachGuy
B
Similar threads
Thread starter Title Forum Replies Date
muffintastic Unbound Force all DNS requests through Unbound using iptables? Asuswrt-Merlin AddOns 14
Z Unbound Unbound + AdGuard Settings Asuswrt-Merlin AddOns 1
Z Unbound Unbound on subnet router Asuswrt-Merlin AddOns 3
B Unbound Does unbound update automatically? Asuswrt-Merlin AddOns 8
F Unbound Unbound stopped working Asuswrt-Merlin AddOns 3
B Unbound Unbound whitelist Asuswrt-Merlin AddOns 15
Jack-Sparr0w Is it possible to use nord dns with unbound or any way to add it? Asuswrt-Merlin AddOns 9
Jack-Sparr0w Guide to using vpn with unbound dns? Asuswrt-Merlin AddOns 3
B Unbound Use unbound/router as default DNS server Asuswrt-Merlin AddOns 2
B Unbound Test unbound Asuswrt-Merlin AddOns 6

Similar threads

Latest threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!

Members online

Total: 729 (members: 17, guests: 712)
Top