You are not logged in.
Hi
I have a hard fight for a few weeks already and I can't figured out what the problems is.
I'm currently moving to another server and I'm using the same config as the existing one which is working great (the existing one).
I want to use unbound as my DNS server. So I added to
openWRT:
All custom DNS to 192.168.1.141
- DHCP
- LAN
- WAN
and so on.
unbound.conf:
#
# Example configuration file.
#
# See unbound.conf(5) man page, version 1.9.6.
#
# this is a comment.
#Use this to include other text into the file.
#include: "otherfile.conf"
# The server clause sets the main parameters.
server:
# If no logfile is specified, syslog is used
# logfile: "/var/log/unbound.log"
verbosity: 0
port: 5353
do-ip4: yes
do-udp: yes
do-tcp: yes
do-daemonize: no
# trust-anchor-file: trusted-key.key
trust-anchor-file: /etc/unbound/trusted-key.key
# May be set to yes if you have IPv6 connectivity
do-ip6: no
# Use this only when you downloaded the list of primary root servers!
root-hints: "/etc/unbound/root.hints"
# Trust glue only if it is within the servers authority
harden-glue: yes
# Require DNSSEC data for trust-anchored zones, if such data is absent, the zone becomes BOGUS
harden-dnssec-stripped: yes
# Don't use Capitalization randomization as it known to cause DNSSEC issues sometimes
# see https://discourse.pi-hole.net/t/unbound-stubby-or-dnscrypt-proxy/9378 for further details
use-caps-for-id: no
# Reduce EDNS reassembly buffer size.
# Suggested by the unbound man page to reduce fragmentation reassembly problems
edns-buffer-size: 1472
# TTL bounds for cache
cache-min-ttl: 3600
cache-max-ttl: 86400
# Perform prefetching of close to expired message cache entries
# This only applies to domains that have been frequently queried
prefetch: yes
# One thread should be sufficient, can be increased on beefy machines
num-threads: 1
# Ensure kernel buffer is large enough to not loose messages in traffic spikes
so-rcvbuf: 1m
# Ensure privacy of local IP ranges
private-address: 192.168.1.0/16
# private-address: 172.16.0.0/12
private-address: 10.0.0.0/8
#private-address: fd00::/8 # IPv6
#private-address: fe80::/10 # IPv6
# dnscrypt-proxy
do-not-query-localhost: no
forward-zone:
name: "."
forward-addr: ::1@53000
forward-addr: 127.0.0.1@53000
Pi-hole:
Is changed to a custom DNS.
127.0.0.1#5353
It includes also:
- Never forward non-FQDNs
- Never forward reverse lookups for private IP ranges
- Use DNSSEC
- Use Conditional Forwarding
- Router: 192.168.1.1; Local domain name: lan
dnscrypt-proxy.toml:
Is changed to:
listen_addresses = ['127.0.0.1:53000', '[::1]:53000']
It includes also some other server which shouldn't be the problem.
/etc/resolv.conf:
domain lan
nameserver 127.0.0.1
I disabled the NetworkManager to change the resolv.conf.
/etc/NetworkManager/conf.d/dns.conf
[main]
dns=none
The only difference between the two servers are that dhcpcd is running on the old one. I tried dhcpcd on the new one as well.
I hope you guys can help me out here. I just can't find the solution for it.
Thanks
Dan
Edit:
Problem is
https://www.dnsleaktest.com/ shows me that is my ISP DNS and not dnscrypt. When I change it to my old server (openWRT) it's working with dnscrypt.
# SOLUTION
There was just a wrong set up due to IPv4 and IPv6. I disabled IPv6.
Last edited by danSman (2020-05-06 23:41:32)
Offline
And what is the problem?
Online
Oh man ... sorry.
https://www.dnsleaktest.com/ shows me that is my ISP DNS and not dnscrypt. When I change it to my old server (openWRT) it's working with dnscrypt.
Offline
I'm really confused.
Yesterday, I used my old router (which was working before) to exclude the current router as a problem. Same problem.
I installed Arch Arm on a pi with pi-hole.
However, it does not use the DNS server I choose like quad 9 or whatever. Whether I change it in the GUI or in the terminal.
I have also tested it on the computer that still works with dnscrypt (dnscrypt is my goal). Same problem. I can choose any DNS server I want, but it seems to use only 127.0.0.1#5353 or 127.0.0.1#53000.
So for some reason Pihole doesn't seem to work properly, or I'm missing a setting that I overlooked, which is more likely.
I just can't see the wood for the trees anymore.
Edit:
Pi-hole lists all devices on my network.
Pihole, Unbound and DNScrypt ports are working.
dig archlinux.org -p53
; <<>> DiG 9.16.0 <<>> archlinux.org -p53
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20168
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1472
;; QUESTION SECTION:
;archlinux.org. IN A
;; ANSWER SECTION:
archlinux.org. 86399 IN A 138.201.81.199
;; Query time: 519 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sat Feb 29 19:30:09 NZDT 2020
;; MSG SIZE rcvd: 58
dig archlinux.org -p5353
; <<>> DiG 9.16.0 <<>> archlinux.org -p5353
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60294
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1472
;; QUESTION SECTION:
;archlinux.org. IN A
;; ANSWER SECTION:
archlinux.org. 86399 IN A 138.201.81.199
;; Query time: 289 msec
;; SERVER: 127.0.0.1#5353(127.0.0.1)
;; WHEN: Sat Feb 29 19:32:24 NZDT 2020
;; MSG SIZE rcvd: 58
dig archlinux.org -p53000
; <<>> DiG 9.16.0 <<>> archlinux.org -p53000
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26438
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1220
;; QUESTION SECTION:
;archlinux.org. IN A
;; ANSWER SECTION:
archlinux.org. 86226 IN A 138.201.81.199
;; Query time: 136 msec
;; SERVER: 127.0.0.1#53000(127.0.0.1)
;; WHEN: Sat Feb 29 19:33:02 NZDT 2020
;; MSG SIZE rcvd: 58
nslookup archlinux.org
Server: 127.0.0.1
Address: 127.0.0.1#53
Non-authoritative answer:
Name: archlinux.org
Address: 138.201.81.199
Name: archlinux.org
Address: 2a01:4f8:172:1d86::1
Last edited by danSman (2020-03-01 20:42:13)
Offline