Arch Linux

danSman

Member

Registered: 2017-12-21

Posts: 47

[SOLVED] DNS LEAKS - Pi-hole, unbound, dnscrypt and openWRT

Hi

I have a hard fight for a few weeks already and I can't figured out what the problems is.

I'm currently moving to another server and I'm using the same config as the existing one which is working great (the existing one).
I want to use unbound as my DNS server. So I added to

openWRT:
All custom DNS to 192.168.1.141
     - DHCP
     - LAN
     - WAN
and so on.

unbound.conf:

#
# Example configuration file.
#
# See unbound.conf(5) man page, version 1.9.6.
#
# this is a comment.

#Use this to include other text into the file.
#include: "otherfile.conf"

# The server clause sets the main parameters.

server:
    # If no logfile is specified, syslog is used
#    logfile: "/var/log/unbound.log"
    verbosity: 0

    port: 5353
    do-ip4: yes
    do-udp: yes
    do-tcp: yes
    do-daemonize: no
#    trust-anchor-file: trusted-key.key
    trust-anchor-file: /etc/unbound/trusted-key.key

    # May be set to yes if you have IPv6 connectivity
    do-ip6: no

    # Use this only when you downloaded the list of primary root servers!
    root-hints: "/etc/unbound/root.hints"

    # Trust glue only if it is within the servers authority
    harden-glue: yes

    # Require DNSSEC data for trust-anchored zones, if such data is absent, the zone becomes BOGUS
    harden-dnssec-stripped: yes

    # Don't use Capitalization randomization as it known to cause DNSSEC issues sometimes
    # see https://discourse.pi-hole.net/t/unbound-stubby-or-dnscrypt-proxy/9378 for further details
    use-caps-for-id: no

    # Reduce EDNS reassembly buffer size.
    # Suggested by the unbound man page to reduce fragmentation reassembly problems
    edns-buffer-size: 1472

    # TTL bounds for cache
    cache-min-ttl: 3600
    cache-max-ttl: 86400

    # Perform prefetching of close to expired message cache entries
    # This only applies to domains that have been frequently queried
    prefetch: yes

    # One thread should be sufficient, can be increased on beefy machines
    num-threads: 1

    # Ensure kernel buffer is large enough to not loose messages in traffic spikes
    so-rcvbuf: 1m

    # Ensure privacy of local IP ranges
    private-address: 192.168.1.0/16
#    private-address: 172.16.0.0/12
    private-address: 10.0.0.0/8
    #private-address: fd00::/8 # IPv6
    #private-address: fe80::/10 # IPv6

# dnscrypt-proxy
  do-not-query-localhost: no
forward-zone:
  name: "."
  forward-addr: ::1@53000
  forward-addr: 127.0.0.1@53000

Pi-hole:
Is changed to a custom DNS.
127.0.0.1#5353

It includes also:
- Never forward non-FQDNs
- Never forward reverse lookups for private IP ranges
- Use DNSSEC
- Use Conditional Forwarding
     - Router: 192.168.1.1; Local domain name: lan

dnscrypt-proxy.toml:
Is changed to:

listen_addresses = ['127.0.0.1:53000', '[::1]:53000']

It includes also some other server which shouldn't be the problem.

/etc/resolv.conf:

domain lan
nameserver 127.0.0.1

I disabled the NetworkManager to change the resolv.conf.

/etc/NetworkManager/conf.d/dns.conf

[main]
dns=none

The only difference between the two servers are that dhcpcd is running on the old one. I tried dhcpcd on the new one as well.

I hope you guys can help me out here. I just can't find the solution for it.

Thanks
Dan

Edit: 
Problem is 
https://www.dnsleaktest.com/ shows me that is my ISP DNS and not dnscrypt. When I change it to my old server (openWRT) it's working with dnscrypt.

# SOLUTION
There was just a wrong set up due to IPv4 and IPv6. I disabled IPv6.

Last edited by danSman (2020-05-06 23:41:32)

Awebb

Member

Registered: 2010-05-06

Posts: 6,604

Re: [SOLVED] DNS LEAKS - Pi-hole, unbound, dnscrypt and openWRT

And what is the problem?

danSman

Member

Registered: 2017-12-21

Posts: 47

Re: [SOLVED] DNS LEAKS - Pi-hole, unbound, dnscrypt and openWRT

Oh man ... sorry.

https://www.dnsleaktest.com/ shows me that is my ISP DNS and not dnscrypt. When I change it to my old server (openWRT) it's working with dnscrypt.

danSman

Member

Registered: 2017-12-21

Posts: 47

Re: [SOLVED] DNS LEAKS - Pi-hole, unbound, dnscrypt and openWRT

I'm really confused.

Yesterday, I used my old router (which was working before) to exclude the current router as a problem. Same problem.

I installed Arch Arm on a pi with pi-hole.
However, it does not use the DNS server I choose like quad 9 or whatever. Whether I change it in the GUI or in the terminal.
I have also tested it on the computer that still works with dnscrypt (dnscrypt is my goal). Same problem. I can choose any DNS server I want, but it seems to use only 127.0.0.1#5353 or 127.0.0.1#53000.
So for some reason Pihole doesn't seem to work properly, or I'm missing a setting that I overlooked, which is more likely.

I just can't see the wood for the trees anymore.

Edit:
Pi-hole lists all devices on my network.

Pihole, Unbound and DNScrypt ports are working.

dig archlinux.org -p53

; <<>> DiG 9.16.0 <<>> archlinux.org -p53
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20168
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1472
;; QUESTION SECTION:
;archlinux.org.                 IN      A

;; ANSWER SECTION:
archlinux.org.          86399   IN      A       138.201.81.199

;; Query time: 519 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sat Feb 29 19:30:09 NZDT 2020
;; MSG SIZE  rcvd: 58

dig archlinux.org -p5353

; <<>> DiG 9.16.0 <<>> archlinux.org -p5353
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60294
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1472
;; QUESTION SECTION:
;archlinux.org.                 IN      A

;; ANSWER SECTION:
archlinux.org.          86399   IN      A       138.201.81.199

;; Query time: 289 msec
;; SERVER: 127.0.0.1#5353(127.0.0.1)
;; WHEN: Sat Feb 29 19:32:24 NZDT 2020
;; MSG SIZE  rcvd: 58

dig archlinux.org -p53000

; <<>> DiG 9.16.0 <<>> archlinux.org -p53000
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26438
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1220
;; QUESTION SECTION:
;archlinux.org.                 IN      A

;; ANSWER SECTION:
archlinux.org.          86226   IN      A       138.201.81.199

;; Query time: 136 msec
;; SERVER: 127.0.0.1#53000(127.0.0.1)
;; WHEN: Sat Feb 29 19:33:02 NZDT 2020
;; MSG SIZE  rcvd: 58

nslookup archlinux.org

Server:         127.0.0.1
Address:        127.0.0.1#53

Non-authoritative answer:
Name:   archlinux.org
Address: 138.201.81.199
Name:   archlinux.org
Address: 2a01:4f8:172:1d86::1

Last edited by danSman (2020-03-01 20:42:13)