Help with unboud configuration

Helium314 · May 21, 2020, 7:19am

I recently installed unbound-daemon and ca-bundle with the goals

use unbound with DNSSEC and DNS over TLS
configure multiple dns providers (in case one is down)
use unbound as default DNS provider if there is nothing else configured (instead of my ISP's DNS server)
(later): maybe use adblock with this

I tried to follow the unbound readme: https://github.com/openwrt/packages/blob/master/net/unbound/files/README.md with the parallel dnsmasq option
There are several guides regarding unbound, and all are differnent enough to cause confusion about what are the "right" settings...

Anyway, with this guide I can set the DNS in unbound and it is actually used (according to DNS leak test), so it basically works.
In /etc/config/unbound I have

config zone
        option enabled '1'
        option zone_type 'forward_zone'
        option fallback '0'
        option tls_upstream '1'
        option tls_index 'cloudflare-dns.com'
        option tls_port '853'
        list zone_name '.'
        list server '1.1.1.1'
        list server '1.0.0.1'
        list server '8.8.8.8@853#dns.google'
        list server '9.9.9.9@853#dns.quad9.net'

now for the questions:

this looks like cloudflare is 'main' and the others are 'secondary' DNS providers. Is there actually any difference? If I make one copy of the zone for each DNS provider, then only one is used. (I actually plan to use different and maybe less reliable DNS servers later, but any should be fine for testing)
what does the fallback option do? It is not set in other guides, and I don't understand the explanation from the readme: 'Permit normal recursion when the narrowly selected servers in this zone are unresponsive or return empty responses'
according to https://dnssec.vs.uni-due.de/ DNSSEC does not work. What is wrong with my config?
how can I reliably check whether DNS over TLS is working?
- When I set to use 1.1.1.1 only in unbound config, https://cloudflare-dns.com/help/ says "Using DNS over TLS (DoT) No" and "Connected to 1.1.1.1 No", but https://www.cloudflare.com/ssl/encrypted-sni/ says "You are using encrypted DNS transport with 1.1.1.1"

pwned · May 21, 2020, 11:14am

Do not edit /etc/config/unbound directly. Just change what you need within LuCI what LuCI can handle and use /etc/unbound/unbound_srv.conf and /etc/unbound/unbound_ext.conf for extra stuff.
Referencing point 1. /etc/unbound/unbound_ext.conf:

forward-zone:
        name: "0.openwrt.pool.ntp.org"
#       forward-addr: 2606:4700:4700::1111
#       forward-addr: 1.1.1.1 #cloudflare
        forward-addr: 2620:fe::fe #quad9
        forward-addr: 9.9.9.9 #quad9
#       forward-addr: 149.112.112.112 #quad9
#       forward-addr: 2620:fe::9 #quad9

forward-zone:
       name: "."
#       forward-addr: 1.1.1.1@853 #cloudflare
#       forward-addr: 9.9.9.9@853 #quad9 incl. dnssec / filtered
#       forward-addr: 149.112.112.112@853 #quad9 incl. dnssec alternative / filtered
#       forward-addr: 9.9.9.10@853 #quad9 w/o dnssec unfiltered
#       forward-addr: 149.112.112.10@853 #quad9 w/o dnssec unfiltered
#       forward-addr: 2620:fe::fe@853 #quad9 incl. dnssec / filtered
#       forward-addr: 2620:fe::9@853 #quad9 incl. dnssec / filtered
#       forward-addr: 2620:fe::10@853 #quad9 w/o dnssec unfiltered
#       forward-addr: 2620:fe::fe:10@853 #quad9 w/o dnssec unfiltered
       forward-ssl-upstream: yes

Remove # to your needs. Remove the additions you have made to /etc/config/unbound. A ntp server is required to be reached without DNSSEC.

Fallback is there if the Master-Server with the rootkey cannot be reached and you want to allow to use the old keys anyway. IMO nothing you want to have if using DNSSEC.
Nobody can say what is wrong with you configuration if you only post a part of it. And as I mentioned already: Do not edit /etc/config/unbound directly. Only edit the both files I have mentioned.
Those scripts within the Browser are not relayable for every configuration. For e. g. use commandline (install bind/dig-bind):

delv +dnssec dnsprivacy.org

This should show: "fully validated"

AndrewZ · May 21, 2020, 11:20am

That is not the only option available.
Please see Using CloudFlare's DNS-Over-TLS

Helium314 · May 23, 2020, 1:13pm

Do not edit /etc/config/unbound directly. Just change what you need within LuCI
When I want to install luci-app-unbound, I need unbound-heavy, which I wanted to avoid...
Why does the unbound readme I linked tell me to edit the config directly? This is a bit confusing.
Thank you! Exactly the NTP server was the problem. DNSSEC is working now
Thanks, so better no fallback
I only posted the part that was different from changing the default config according to the unbound readme... but I see that simply posting everything would make it easier for you, sorry.

Regarding DNS over TLS I'm still confused... https://tenta.com/test/ says not enabled, https://cloudflare-dns.com/help/ says yes

Will redo everything using LuCI and /etc/unbound/unbound_ext.conf

@AndrewZ
Thanks, I wanted to try first with something more "official" from OpenWRT. And now it seems to work.

anomeome · May 23, 2020, 6:37pm

Usually just editing the /etc/config/unbound file is good enough, if your setup is not too complicated. unbound has a round robin option, but not in uci yet last I looked, no idea as to efficacy

Summary

config zone
	option enabled '1'
	option zone_type 'forward_zone'
	option fallback '1'
	option resolv_conf '0'
	option tls_upstream '1'
	list server '1.1.1.1@853#cloudflare-dns.com'
	list server '9.9.9.9@853#dns.quad9.net'
	list server '2606:4700:4700::1111@853#cloudflare-dns.com'
	list server '2620:fe::9@853#dns.quad9.net'
	list server '8.8.8.8@853#dns.google'
	list server '2001:4860:4860::8888@853#dns.google'
	list zone_name '.'

the tls_port placement used to be important at one point, not sure if that is still the case.

pwned · May 23, 2020, 7:24pm

/etc/config/unbound is the LuCI configuration for unbound. This file has nothing to do with /etc/unbound/unbound.conf (which is referenced by the unbound readme).

LuCI is integrating your /etc/config/unbound + ext, srv file (that changes you made by LuCI GUI) into /etc/unbound/unbound.conf. The endresult is placed in /tmp/lib/unbound/unbound.conf.

EDIT2:

The files are not merged with /etc/unbound/unbound.conf. This part is wrong! Sry for that.
But there is a button in Luci: "Skip UCI and use /etc/unbound/unbound.conf"

/etc/config/unbound is not fully supporting any setting you can make in /etc/unbound/unbound.conf. So just think about what happen if files getting merged. Thats why you have two options: make it with or without luci. I don't recommend to mix it. Sure you can do it like anomeome said. But then you have to be aware of same settings which are made in both files always.

EDIT:

What your tests belongs:

You have to test on the machine which is executing youre DNS requests in end. Not on Browser! On OpenWrt console. Either with tcpdump or the command I've mentioned above (if installed).

Helium314 · May 24, 2020, 5:41am

Actually the readme explicitly tells me to edit /etc/config/unbound in the how-to part.

Thanks for mentioning this again: delv +dnssec dnsprivacy.org shows fully validated, so I guess it is working

pwned · May 24, 2020, 6:56am

I would do it like LuCI is recommend it:

Manual Conf: Skip UCI and use /etc/unbound/unbound.conf

Otherwise use ext and srv file. I don't have any issues with doing it like that.

system · June 3, 2020, 6:56am

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.