
#1 2021-01-07 03:16:32

kinru
Member
From: East Coast USA
Registered: 2019-03-23
Posts: 99

Local Unbound DNS server issues

Recently I decided to run my own local recursive caching DNS server and Unbound seemed like a good fit. So I used the Unbound Archwiki. My current /etc/unbound/unbound.conf is:

server:
	do-ip6: no
	verbosity: 1
	#interface: 127.0.0.1:53
	trust-anchor-file: /etc/unbound/trusted-key.key
	root-hints: /etc/unbound/root.hints
	#aggressive-nsec: yes
	#hide-identity: yes
	#hide-version: yes
	#prefetch: yes
	# allow_snoop also permits non-recursive (cache-snooping) queries; "allow" is the usual choice for LAN clients
	access-control: 192.168.0.0/24 allow_snoop
	#interface-automatic: yes


remote-control:
	control-enable: yes

#forward-zone:
#	name: "."
#	forward-addr: 199.195.251.84
#	forward-addr: 1.1.1.1

With this, I have a few issues resolving domains consistently.
I started using openresolv. My resolvconf.conf is currently:

# Configuration for resolvconf(8)
# See resolvconf.conf(5) for details

resolv_conf=/etc/resolv.conf
# If you run a local name server, you should uncomment the below line and
# configure your subscribers configuration files below.
#name_servers="199.195.251.84 127.0.0.1"
#resolv_conf_local_only=N

I uncomment the line with name_servers and resolvconf knows to only use 127.0.0.1 unless resolv_conf_local_only line is uncommented. The reason everything is commented is that I need to be able to resolve archlinux.org to post this.
I ditched systemd-resolved. You can see in this section of Systemd-networkd archwiki that resolvd is optional for networkd usage. I have one configuration meant to give me static IP 192.168.0.50  on my enp3s0 interface. It is /etc/systemd/network/20-wired.network which contains:

[Match]
# systemd.network keys are case-sensitive; a lowercase "name=" is reported as an unknown key and ignored, so the section matches nothing
Name=enp3s0

[Network]
Address=192.168.0.50/24
DNS=127.0.0.1

[Route]
Gateway=192.168.0.1

However this didn't work, I rebooted and had 0 connectivity. I needed to briefly install DHCPCD to get internet access. When I systemctl status systemd-networkd it said that it was not running, so I enabled it.
Anyways, I have issues resolving using this configuration (please tell me if I missed something or maybe a log). I do

drill redhat.com @127.0.0.1

for example, and after 13 or so seconds it fails. Then I drill it again and get a 0ms successful response. After drilling a few different domains it gives me a very fast fail, like 7ms on average. I can wireshark it, but last time I did that I strangely lost my IP allocation on the network and ip a told me that the interface had an ipv6 address (usually it is 192.168.0.xxx up to 255), so I will do it after submitting this post to avoid losing the whole thing again.
systemctl status of unbound is this:

● unbound.service - Validating, recursive, and caching DNS resolver
     Loaded: loaded (/usr/lib/systemd/system/unbound.service; enabled; vendor preset: disabled)
     Active: active (running) since Wed 2021-01-06 21:40:56 EST; 25min ago
       Docs: man:unbound(8)
   Main PID: 422 (unbound)
      Tasks: 1 (limit: 19104)
     Memory: 11.4M
     CGroup: /system.slice/unbound.service
             └─422 /usr/bin/unbound -d -p

Jan 06 21:40:55 benpc systemd[1]: Starting Validating, recursive, and caching DNS resolver...
Jan 06 21:40:56 benpc unbound[422]: [422:0] notice: init module 0: subnet
Jan 06 21:40:56 benpc unbound[422]: [422:0] notice: init module 1: validator
Jan 06 21:40:56 benpc unbound[422]: [422:0] notice: init module 2: iterator
Jan 06 21:40:56 benpc systemd[1]: Started Validating, recursive, and caching DNS resolver.
Jan 06 21:40:56 benpc unbound[422]: [422:0] info: start of service (unbound 1.13.0).

I don't know if it matters at all, but I usually enable and start my services without using sudo and systemctl asks to authenticate for my user, which works.
It has been a pretty big headache, as sometimes my network will cut out due to some interaction with unbound and I have to spend a few minutes trying to fix the issue. Generally, when I use 127.0.0.1 as my DNS server and try to go to a webpage (in firefox) it will load for a very very long time and fail. Sometimes when I reload it will load the main page right away, but 3rd party resources have trouble. This happens even when using unbound in forwarding mode.

Some more information is that I am behind a rather ancient netgear router (admin claims there are no rules that would restrict what I'm doing) and my ISP is Comcast, but that should have no effect. Spent probably over 20 hours so far on this.

Wireshark captures pending soon... should only be a few minutes.

Here are a few queries and responses: an A query out to a facebook CDN

00000000000000000000000008004500003e075c4000401135517f0000017f000001928f0035002afe3d361501000001000000000000037777770866616365626f6f6b03636f6d0000010001

and a response (looks successful)

00000000000000000000000008004500006b076f0000401175117f0000017f0000010035928f0057fe6a361581800001000200000000037777770866616365626f6f6b03636f6d0000010001c00c0005000100000a3f001109737461722d6d696e690463313072c010c02e000100010000003c00041f0d5024

Here's another, but the response failed: Query

00000000000000000000000008004500004038c74000401103e47f0000017f000001ecb00035002cfe3f230401000001000000000000066e732d63646e076e6575737461720362697a0000010001

SERVFAIL 2 error code

00000000000000000000000008004500004038c90000401143e27f0000017f0000010035ecb0002cfe3f230481820001000000000000066e732d63646e076e6575737461720362697a0000010001

There are also several packets which say "Destination Unreachable (Port Unreachable)":

000000000000000000000000080045c0005e3c70000040013f6d7f0000017f0000010303470900000000450000425e86000040111e237f0000017f00000100358b21002efe41ed6981820001000000000000086170702d61623430076d61726b65746f03636f6d00001c0001

and another similar (yet different) one

000000000000000000000000080045c000b55134000040012a527f0000017f0000010303ff0a000000004500009978fd0000401103557f0000017f00000100358b210085fe98ed6981800001000100010000086170702d61623430076d61726b65746f03636f6d00001c0001c00c000500010000012100100461623430086d6b746f65646765c01dc0370006000100000e10002f0462617274026e730a636c6f7564666c617265c01d03646e73c0567959e9a1000027100000096000093a8000000e10

Those are all copied from wireshark hex stream format. I found some online packet decoders (1 and 2) which you can copy and paste the packets into and get the information. I'm of course not any kind of expert, so there's probably a better way to do this.

(I did not want to share a full wireshark capture file since there were a few packets with potentially personally identifiable information.)

Last edited by kinru (2021-01-07 13:12:18)

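The hex streams in the post above can be decoded offline, without pasting them into a web decoder. What follows is an added example, not code from the thread or from Unbound: a Python 3 script (standard library only) that walks an Ethernet II / IPv4 / UDP frame down to the DNS message, follows an ICMP Destination Unreachable error into the datagram it quotes, expands RFC 1035 compression pointers, and renders A, CNAME and SOA rdata. The five hex strings embedded as constants are copied verbatim from the post; nothing else in the script comes from the page.

```python
"""Decode DNS packets pasted as Wireshark "hex stream" text (Ethernet II / IPv4 / UDP / DNS,
plus ICMP errors that quote such a datagram). Added example: the five hex strings are copied
from the post above; the code is not from the thread or from Unbound."""
import struct

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}
RRTYPES = {1: "A", 2: "NS", 5: "CNAME", 6: "SOA", 12: "PTR", 28: "AAAA"}

# Loopback captures copied verbatim from the post (drill <-> unbound on 127.0.0.1).
FB_QUERY = "00000000000000000000000008004500003e075c4000401135517f0000017f000001928f0035002afe3d361501000001000000000000037777770866616365626f6f6b03636f6d0000010001"
FB_RESPONSE = "00000000000000000000000008004500006b076f0000401175117f0000017f0000010035928f0057fe6a361581800001000200000000037777770866616365626f6f6b03636f6d0000010001c00c0005000100000a3f001109737461722d6d696e690463313072c010c02e000100010000003c00041f0d5024"
NEUSTAR_SERVFAIL = "00000000000000000000000008004500004038c90000401143e27f0000017f0000010035ecb0002cfe3f230481820001000000000000066e732d63646e076e6575737461720362697a0000010001"
ICMP_SERVFAIL = "000000000000000000000000080045c0005e3c70000040013f6d7f0000017f0000010303470900000000450000425e86000040111e237f0000017f00000100358b21002efe41ed6981820001000000000000086170702d61623430076d61726b65746f03636f6d00001c0001"
ICMP_NODATA = "000000000000000000000000080045c000b55134000040012a527f0000017f0000010303ff0a000000004500009978fd0000401103557f0000017f00000100358b210085fe98ed6981800001000100010000086170702d61623430076d61726b65746f03636f6d00001c0001c00c000500010000012100100461623430086d6b746f65646765c01dc0370006000100000e10002f0462617274026e730a636c6f7564666c617265c01d03646e73c0567959e9a1000027100000096000093a8000000e10"

def read_name(msg, off):
    """Read a name at msg[off], following compression pointers; return (name, end offset)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # two-byte pointer back into the message
            end = end if end is not None else off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            hops += 1
            if hops > 64:  # a crafted pointer loop would otherwise spin forever
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:
            return ".".join(labels), (end if end is not None else off)
        labels.append(msg[off:off + length].decode("ascii"))
        off += length

def read_rr(msg, off):
    """Decode one resource record at msg[off]; return (dict, next offset)."""
    name, off = read_name(msg, off)
    rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
    off += 10
    if rtype == 1 and rdlen == 4:  # A
        data = ".".join(str(b) for b in msg[off:off + 4])
    elif rtype in (2, 5, 12):  # NS / CNAME / PTR: a (possibly compressed) name
        data, _ = read_name(msg, off)
    elif rtype == 6:  # SOA: mname rname serial refresh retry expire minimum
        mname, o = read_name(msg, off)
        rname, o = read_name(msg, o)
        data = " ".join([mname, rname] + [str(v) for v in struct.unpack("!IIIII", msg[o:o + 20])])
    else:
        data = msg[off:off + rdlen].hex()
    return {"name": name, "type": RRTYPES.get(rtype, str(rtype)), "ttl": ttl, "data": data}, off + rdlen

def parse_dns(msg):
    xid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off, questions = 12, []
    for _ in range(qd):
        qname, off = read_name(msg, off)
        qtype = struct.unpack("!HH", msg[off:off + 4])[0]
        off += 4
        questions.append((qname, RRTYPES.get(qtype, str(qtype))))
    out = {"id": xid, "is_response": bool(flags & 0x8000),
           "rcode": RCODES.get(flags & 0xF, str(flags & 0xF)), "questions": questions}
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        out[section] = []
        for _ in range(count):
            rr, off = read_rr(msg, off)
            out[section].append(rr)
    return out

def decode_ipv4(ip):
    """IPv4 datagram carrying UDP/DNS, or an ICMP error that quotes one, -> dict."""
    ihl, proto = (ip[0] & 0x0F) * 4, ip[9]
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])
    payload = ip[ihl:]
    if proto == 17:  # UDP header: src port, dst port, length including header, checksum
        sport, dport, ulen, _ = struct.unpack("!HHHH", payload[:8])
        return {"src": f"{src}:{sport}", "dst": f"{dst}:{dport}", "icmp": None,
                "dns": parse_dns(payload[8:ulen])}
    if proto == 1:  # ICMP: type, code, checksum, 4 unused bytes, then the quoted datagram
        inner = decode_ipv4(payload[8:])
        inner["icmp"] = f"type {payload[0]} code {payload[1]}"
        return inner
    raise ValueError(f"unsupported IP protocol {proto}")

def decode_hex_stream(hex_stream):
    frame = bytes.fromhex(hex_stream)
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        raise ValueError("not an IPv4 frame")
    return decode_ipv4(frame[14:])

def summarize(hex_stream):
    """One line per packet, roughly what Wireshark's Info column shows."""
    p = decode_hex_stream(hex_stream)
    d = p["dns"]
    rrs = "; ".join(f"{rr['type']} {rr['data']}" for rr in d["answer"] + d["authority"])
    icmp = f" [ICMP {p['icmp']} quoting]" if p["icmp"] else ""
    return (f"{p['src']} -> {p['dst']}{icmp} {'response' if d['is_response'] else 'query'} "
            f"id=0x{d['id']:04x} {d['rcode']} {d['questions']} {rrs}").rstrip()

if __name__ == "__main__":
    for pkt in (FB_QUERY, FB_RESPONSE, NEUSTAR_SERVFAIL, ICMP_SERVFAIL, ICMP_NODATA):
        print(summarize(pkt))
```

Run as-is, the two ICMP packets decode as replies from 127.0.0.1:53 to 127.0.0.1:35617 with transaction id 0xed69 for app-ab40.marketo.com AAAA, one SERVFAIL and one NOERROR carrying a CNAME plus a Cloudflare SOA in the authority section; a port-unreachable error for those means nothing was bound to port 35617 any more when unbound's reply arrived. The neustar packet is a plain SERVFAIL with an empty answer section. The script assumes the ICMP error quotes the whole original datagram, as these loopback captures do; a quote that carries only the first 8 bytes of the datagram has no DNS payload and raises struct.error.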

#2 2021-01-07 10:14:06

Head_on_a_Stick
Member
From: London
Registered: 2014-02-20
Posts: 7,680

Re: Local Unbound DNS server issues

So what is the content of /etc/nsswitch.conf & /etc/resolv.conf? If you're defining static addresses via systemd-networkd then there doesn't seem to be much point in running resolvconf(8) at all because nothing will be trying to write to /etc/resolv.conf.

Note that the DNS= line in /etc/systemd/network/20-wired.network would only be applied if systemd-resolved is running.


#3 2021-01-07 16:04:01

kinru
Member
From: East Coast USA
Registered: 2019-03-23
Posts: 99

Re: Local Unbound DNS server issues

I didn't know about nsswitch.conf, so I haven't edited it manually. Here it is:

# Name Service Switch configuration file.
# See nsswitch.conf(5) for details.

passwd: files mymachines systemd
group: files mymachines systemd
shadow: files

publickey: files

hosts: files mymachines myhostname mdns_minimal [NOTFOUND=return] resolve [!UNAVAIL=return] dns
networks: files

protocols: files
services: files
ethers: files
rpc: files

netgroup: files

My resolv.conf is right now

# Generated by resolvconf
domain netgear.com
nameserver 1.1.1.1
nameserver 8.8.8.8
nameserver 192.168.0.1

but it is like this when I uncomment the line in resolvconf.conf:

# Generated by resolvconf
domain netgear.com
nameserver 127.0.0.1

May be relevant: sudo netstat -anlpu | grep unbound

udp        0      0 192.168.0.12:58436      192.52.178.30:53        ESTABLISHED 422/unbound         
udp        0      0 192.168.0.12:26246      192.229.254.5:53        ESTABLISHED 422/unbound         
udp        0      0 192.168.0.12:50839      91.198.174.239:53       ESTABLISHED 422/unbound         
udp        0      0 192.168.0.12:59148      2.22.230.65:53          ESTABLISHED 422/unbound         
udp        0      0 192.168.0.12:43126      108.162.192.101:53      ESTABLISHED 422/unbound         
udp        0      0 192.168.0.12:36168      72.21.80.6:53           ESTABLISHED 422/unbound         
udp        0      0 192.168.0.12:28421      192.52.178.30:53        ESTABLISHED 422/unbound         
udp        0      0 192.168.0.12:61816      192.48.79.30:53         ESTABLISHED 422/unbound         
udp        0      0 192.168.0.12:61984      192.52.178.30:53        ESTABLISHED 422/unbound         
udp        0      0 192.168.0.12:6039       193.108.91.189:53       ESTABLISHED 422/unbound         
udp        0      0 192.168.0.12:47760      2.22.230.65:53          ESTABLISHED 422/unbound         
udp        0      0 127.0.0.1:53            0.0.0.0:*                           422/unbound         
udp        0      0 192.168.0.12:24742      192.48.79.30:53         ESTABLISHED 422/unbound         
udp        0      0 192.168.0.12:49717      199.19.53.1:53          ESTABLISHED 422/unbound

Is it intended for the local address to have those seemingly random port numbers and the foreign address having all 53, or should it be reversed?

Last edited by kinru (2021-01-07 16:09:37)


#4 2021-01-07 17:46:16

Head_on_a_Stick
Member
From: London
Registered: 2014-02-20
Posts: 7,680

Re: Local Unbound DNS server issues

kinru wrote:

but it is like this when I uncomment the line in resolvconf.conf:

# Generated by resolvconf
domain netgear.com
nameserver 127.0.0.1

That is the correct content: unbound listens to port 53 on localhost. Either un-comment the line to which you refer in resolvconf.conf or uninstall the openresolv package and populate /etc/resolv.conf manually so that it includes 127.0.0.1 as a nameserver.

EDIT: https://wiki.archlinux.org/index.php/Un … DNS_server

Last edited by Head_on_a_Stick (2021-01-07 17:47:35)

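The advice in this post, together with the nsswitch.conf and the two resolv.conf variants shown in #3, comes down to one question: which nameserver glibc actually hands a browser's lookups to, as opposed to what an explicit `drill ... @127.0.0.1` tests. The following is an added example, not code from the thread, from openresolv or from glibc: a Python 3 script that parses the `hosts:` line of nsswitch.conf and a resolv.conf and reports whether 127.0.0.1 is on the lookup path. The three config texts embedded as constants are copied from the posts above; the `resolved_running` flag is the script's own assumption about the host (it reads text, it does not probe the system).

```python
"""Report which name sources glibc will consult, from nsswitch.conf and resolv.conf text.
Added example, not from the thread, openresolv or glibc; the three config texts are copied
from the posts above, the logic is this script's own."""
import ipaddress

# Copied from the thread: the hosts line and the two resolv.conf variants that were posted.
NSSWITCH = "hosts: files mymachines myhostname mdns_minimal [NOTFOUND=return] resolve [!UNAVAIL=return] dns\n"
RESOLV_UPSTREAM = """# Generated by resolvconf
domain netgear.com
nameserver 1.1.1.1
nameserver 8.8.8.8
nameserver 192.168.0.1
"""
RESOLV_LOCAL = """# Generated by resolvconf
domain netgear.com
nameserver 127.0.0.1
"""

def hosts_sources(nsswitch_text):
    """Ordered NSS modules for the 'hosts' database, with [action] tokens dropped."""
    for line in nsswitch_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line.startswith("hosts:"):
            return [tok for tok in line.split(":", 1)[1].split() if not tok.startswith("[")]
    return ["files", "dns"]  # glibc's built-in default when no hosts line exists

def parse_resolv_conf(text):
    """Minimal resolv.conf(5) parser: nameservers (glibc keeps at most MAXNS=3), search, options."""
    conf = {"nameservers": [], "search": [], "options": {}}
    for line in text.splitlines():
        line = line.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        key, *vals = line.split()
        if key == "nameserver" and vals and len(conf["nameservers"]) < 3:
            conf["nameservers"].append(vals[0])
        elif key in ("domain", "search"):  # the last such line wins, as in glibc
            conf["search"] = vals
        elif key == "options":
            for opt in vals:
                name, _, value = opt.partition(":")
                conf["options"][name] = int(value) if value else True
    return conf

def is_loopback(addr):
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False

def resolver_report(nsswitch_text, resolv_text, resolved_running=False):
    """Where do glibc lookups actually go, and is the local resolver on the path?"""
    sources = hosts_sources(nsswitch_text)
    conf = parse_resolv_conf(resolv_text)
    ns = conf["nameservers"]
    findings = []
    if "resolve" in sources and not resolved_running:
        findings.append("nsswitch lists 'resolve' but systemd-resolved is not running; "
                        "with [!UNAVAIL=return] lookups fall through to 'dns' (resolv.conf)")
    if "dns" not in sources and not (resolved_running and "resolve" in sources):
        findings.append("no usable network source in the hosts line")
    if not ns:
        findings.append("resolv.conf has no nameserver line")
    elif not is_loopback(ns[0]):
        findings.append(f"first nameserver is {ns[0]}: the local resolver is bypassed for normal "
                        "lookups, only explicit @127.0.0.1 queries reach it")
    elif len(ns) > 1:
        findings.append("remote fallback nameservers follow 127.0.0.1; glibc moves on to them "
                        "after a timeout or SERVFAIL, hiding local resolver failures")
    return {"sources": sources, "nameservers": ns, "search": conf["search"],
            "uses_local_resolver": bool(ns) and is_loopback(ns[0]), "findings": findings}

if __name__ == "__main__":
    for label, text in (("upstream", RESOLV_UPSTREAM), ("local", RESOLV_LOCAL)):
        r = resolver_report(NSSWITCH, text)
        print(label, f"uses_local_resolver={r['uses_local_resolver']}", *r["findings"], sep="\n  ")
```

With the first resolv.conf (1.1.1.1 listed first) the report says unbound is bypassed entirely, so browser behaviour and `drill @127.0.0.1` results describe different resolvers; with the second it says the local resolver is used with no fallback, and that the `resolve` NSS module still listed in nsswitch.conf is skipped via `[!UNAVAIL=return]` while systemd-resolved is stopped. Because it works on text rather than the live files, it can be run on copies taken from a machine whose networking is broken.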

#5 2021-01-07 19:31:13

kinru
Member
From: East Coast USA
Registered: 2019-03-23
Posts: 99

Re: Local Unbound DNS server issues

Head_on_a_Stick wrote:

Either un-comment the line to which you refer in resolvconf.conf or uninstall the openresolv package and populate /etc/resolv.conf manually so that it includes 127.0.0.1 as a nameserver.

All my testing in browser has been done with the following resolv.conf

# Generated by resolvconf
domain netgear.com
nameserver 127.0.0.1

Sometimes I drill a website with

drill example.com @127.0.0.1

when my resolv.conf points to typical nameservers (like 1.1.1.1)
So, I would say that is not the issue (since I have been doing just that) unless I'm missing something.

