Need Help with Unbound Config

Hi there,
I try to use unbound as a TLS connection to blahdns. After 3 days I need someone who can help me.
I use a TP-Link WDR3600 with OpenWrt 18.6.1. I installed the certificates and unbound and finally followed these instructions:

Move dnsmasq to port 53535 where it will still serve local DNS from DHCP

Network -> DHCP & DNS -> Advanced Settings -> DNS server port to 53535
uci set 'dhcp.@dnsmasq[0].port=53535'

Configure dnsmasq to send a DNS Server DHCP option with its LAN IP
since it does not do this by default when port is configured.
uci add_list "dhcp.lan.dhcp_option=option:dns-server,$(uci get network.lan.ipaddr)"
uci set 'unbound.@unbound[0].dhcp_link=dnsmasq'

Save & Apply (will restart dnsmasq, DNS unreachable until unbound is up)
uci commit

Restart (or start) unbound (System -> Startup -> unbound -> Restart)
/etc/init.d/unbound restart

I guess unbound server conf and unbound ext.conf are set correctly.

But my DNS requests are sent to my ISP and not the servers I configured.

The system log shows the following errors:

Thu Dec 13 18:13:47 2018 daemon.info odhcpd[979]: Using a RA lifetime of 0 seconds on br-lan

Thu Dec 13 18:19:36 2018 daemon.notice unbound: [4096:0] notice: sendto failed: Permission denied
Thu Dec 13 18:19:36 2018 daemon.notice unbound: [4096:0] notice: remote address is 2001:12f8:c::10 port 53

Does anybody have an idea?

All the best, Fred

If you are just following this, dnsmasq should still be at port 53 and talking to unbound at port 53535. Easier to just show relevant bits from /etc/config/ directory.

Ok, thx a lot

The previous permission warnings are gone.
One step ahead :slight_smile:
But now I got another error:

Thu Dec 13 20:30:31 2018 user.notice unbound: default root hints (built in rootservers.net)

Seems that Unbound doesn't like me :frowning:

https://en.wikipedia.org/wiki/Syslog#Severity_level or man syslog

     LOG_NOTICE    Conditions that are not error conditions, but should
                   possibly be handled specially.

As in, "I'm using the built-in root hints, which isn't the best thing in the world. One day you should consider a proper root anchor or set of root hints."
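A small log triage helper, added here as an example (it is not from the thread, unbound or OpenWrt): it parses logread-style lines like the ones above, maps the `facility.severity` field to its numeric syslog level, and keeps only entries at warning or worse, so the two `notice` lines drop out while a constructed `daemon.err` line is kept.

```python
import re
from typing import List, NamedTuple, Optional

# Syslog severity keyword -> numeric level (RFC 5424 / man syslog); lower is more severe.
SEVERITY = {
    "emerg": 0, "alert": 1, "crit": 2, "err": 3, "error": 3,
    "warning": 4, "warn": 4, "notice": 5, "info": 6, "debug": 7,
}

# logread line: "<day> <mon> <dd> <hh:mm:ss> <yyyy> <facility>.<severity> <program>[pid]: <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) "
    r"(?P<facility>[a-z0-9]+)\.(?P<severity>[a-z]+) "
    r"(?P<program>[^:\[\s]+)(?:\[\d+\])?: (?P<msg>.*)$"
)

class Entry(NamedTuple):
    timestamp: str
    facility: str
    severity: str
    program: str
    message: str

def parse_line(line: str) -> Optional[Entry]:
    """Parse one logread line; return None for lines that do not match or use an unknown severity."""
    m = LINE_RE.match(line.strip())
    if not m or m["severity"] not in SEVERITY:
        return None
    return Entry(m["ts"], m["facility"], m["severity"], m["program"], m["msg"])

def actionable(lines: List[str], threshold: str = "warning") -> List[Entry]:
    """Return entries whose severity is at least `threshold` (numeric level <= threshold's level)."""
    limit = SEVERITY[threshold]
    return [e for e in map(parse_line, lines) if e is not None and SEVERITY[e.severity] <= limit]

# Sample input: three lines quoted from the thread plus one constructed daemon.err line.
SAMPLE_LOG = [
    "Thu Dec 13 18:13:47 2018 daemon.info odhcpd[979]: Using a RA lifetime of 0 seconds on br-lan",
    "Thu Dec 13 18:19:36 2018 daemon.notice unbound: [4096:0] notice: sendto failed: Permission denied",
    "Thu Dec 13 20:30:31 2018 user.notice unbound: default root hints (built in rootservers.net)",
    "Thu Dec 13 20:31:02 2018 daemon.err unbound: [4096:0] error: can't bind socket: Address in use",  # constructed
]

if __name__ == "__main__":
    for e in actionable(SAMPLE_LOG):
        print(f"{e.timestamp} {e.program} {e.severity}: {e.message}")
```

Lowering the threshold to `notice` brings the two unbound notices back, which is the distinction the man page excerpt is making.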

How can I do this?

OK, I found a wget link and made a cron job for that:

32 4 * * 0,6 wget https://www.internic.net/domain/named.cache -O /etc/unbound/root.hints

After 5 hours without internet and hours of trying I gave up and plan to go with dnscrypt.
Does somebody know if adblock will work over dnsmasq with dnscrypt?
I will buy a second router for testing.
Thx everybody for trying to help.
Have a nice day
Fred

To simplify your life a little bit, a cron job to fetch the root.hints file is major overkill.

That file is used to resolve the Catch-22 of "How do I find a root server by name if I need a root server to determine the IP address of the root server?" The file contents change very, very slowly and as long as you've got one valid entry that's up (of A-M for 18 servers), a robust resolver will work just fine. Once a quarter, once a year, even once every few years is probably more than enough. I'd bet that a 20-year-old root.hints file would be functional today assuming that you've got IPv4 connectivity.

https://www.icann.org/en/system/files/files/rssac-023-04nov16-en.pdf
