Need Help With UNBOUND Setup on Snapshots

Thanks - I did give that a try - I did move Unbound to port '1053' as suggested by Eric - and still I got crashes - although the log message unbound-control is set to no was no longer present
I think something is wrong with Unbound package in the snapshot repo
I read something about this being a possibility here :

The bare minimum for Unbound+DoT is unbound-daemon and ca-bundle.
In addition, you may want to install unbound-control to resolve DHCP lease names.

Temporarily stop Dnsmasq and revert Unbound to default settings.
Then perform changes one-by-one testing each config modification.

Dear Barney, vgaetera, Eric, anomeome and all who have helped me so far,
If folks check out the tutorial which I authored in the OP - I am well versed and experienced in setting this whole thing up. Specifically, with regard to moving Unbound to another port - I followed this guide below :

https://blog.grobox.de/2018/what-is-dns-privacy-and-how-to-set-it-up-for-openwrt/
and this section below states :
Now, you just need to move the existing dnsmasq server aside, so unbound
can answer your devices DNS queries.
and I do this by following the referenced page ( see below ):

# Move dnsmasq to port 53535 where it will still serve local DNS from DHCP
# Network -> DHCP & DNS -> Advanced Settings -> DNS server port to 53535
uci set 'dhcp.@dnsmasq[0].port=53535'

# Configure dnsmasq to send a DNS Server DHCP option with its LAN IP
# since it does not do this by default when port is configured.
uci add_list "dhcp.lan.dhcp_option=option:dns-server,$(uci get network.lan.ipaddr)"
uci set 'unbound.@unbound[0].dhcp_link=dnsmasq'

# Save & Apply (will restart dnsmasq, DNS unreachable until unbound is up)
uci commit

# Restart (or start) unbound (System -> Startup -> unbound -> Restart)
/etc/init.d/unbound restart

So, I do appreciate all the help. But if anyone cares to read through the entire guides of mine and / or Torsten's - and offer any advice as to how to get this working on the new OpenWRT snapshots- I will be most grateful. However, I can tell you all ( as I stated earlier ) the setup I wrote up still works flawlessly
on current stable 19.07.6 builds. I am running hnyman's Build for Netgear R7800 - stable openwrt-19.07 owrt1907-r11285 now with absolutely no issues whatsoever. Maybe there are bugs in Unbound with regard to the snapshots. However, I am appreciative to all - have my eyes and ears still open and hopefully in time - I will finally get this working on the snapshots.
What I am ultimately seeking to find out is are there any changes in Unbound 1.13.0-1 ( the current Unbound version in Snapshots ) with regards as to how it needs to be configured so that it will work as detailed in the OP tutorial ?
Peace and God Bless All

Maybe. I'm using unbound 1.11.0 from snapshot r14740-0b31713c85 and it runs flawlessly.

If unbound crashes, it will tell you the reason, when you enter the following command (the -vvvv means very very very verbose):

unbound -d -c /var/lib/unbound/unbound.conf -vvvv

Please post the output of the previous command. Ctrl-C stops unbound.

1 Like

Dear All Who Have Helped Me So Far,
I am going to give this one more try - these are the Unbound packages which run flawlessly on
hnyman's Build for Netgear R7800 - stable openwrt-19.07 owrt1907-r11285

libunbound-heavy - 1.11.0-2
luci-app-unbound - git-21.022.31068-7129723-1
unbound-anchor - 1.11.0-2
unbound-checkconf - 1.11.0-2
unbound-control - 1.11.0-2
unbound-control-setup - 1.11.0-2
unbound-daemon-heavy - 1.11.0-2
unbound-host - 1.11.0-2

I do notice that unbound-daemon-heavy is not available in Snapshot package repository ; I read somewhere in the forums that this being absent may cause some issues on Unbound.
So, I am going to install and configure Unbound 1.13.0-1 on Snapshot instance. Then I will report back after running command

unbound -d -c /var/lib/unbound/unbound.conf -vvvv

as you have suggested. Thanks for all the assistance once again.
Peace

heavy fell by the wayside.

Just to report back - here are the crash logs I got for Unbound 1.13.0-1 straight out the box after installing some custom firmware ( before my attempts at configuration )
The logs are nearly virtually identical to the logs I get with Unbound 1.13.0-1 when I install it and run it myself - please see below and if anyone can help ( especially you Eric ) please do respond and help me put this nagging headache behind me :

Fri Jan 29 00:29:04 2021 user.notice unbound: default protocol configuration
Fri Jan 29 00:29:04 2021 user.notice unbound: default memory configuration
Fri Jan 29 00:29:04 2021 user.notice unbound: default recursion configuration
Fri Jan 29 00:29:11 2021 user.notice unbound: default protocol configuration
Fri Jan 29 00:29:11 2021 user.notice unbound: default memory configuration
Fri Jan 29 00:29:11 2021 user.notice unbound: default recursion configuration
Fri Jan 29 00:29:26 2021 daemon.info procd: Instance unbound::unbound s in a crash loop 6 crashes, 0 seconds since last crash
Fri Jan 29 00:29:37 2021 user.notice unbound: default protocol configuration
Fri Jan 29 00:29:37 2021 user.notice unbound: default memory configuration
Fri Jan 29 00:29:37 2021 user.notice unbound: default recursion configuration
Fri Jan 29 00:29:37 2021 daemon.info procd: Instance unbound::unbound s in a crash loop 7 crashes, 1 seconds since last crash
Fri Jan 29 00:38:44 2021 user.notice unbound: default protocol configuration
Fri Jan 29 00:38:44 2021 user.notice unbound: default memory configuration
Fri Jan 29 00:38:44 2021 user.notice unbound: default recursion configuration
Fri Jan 29 00:38:44 2021 user.notice unbound: default protocol configuration
Fri Jan 29 00:38:44 2021 user.notice unbound: default memory configuration
Fri Jan 29 00:38:44 2021 user.notice unbound: default recursion configuration
Fri Jan 29 00:38:44 2021 user.notice unbound: default protocol configuration
Fri Jan 29 00:38:44 2021 user.notice unbound: default memory configuration
Fri Jan 29 00:38:44 2021 user.notice unbound: default recursion configuration
Fri Jan 29 00:38:46 2021 user.notice unbound: default protocol configuration
Fri Jan 29 00:38:46 2021 user.notice unbound: default memory configuration
Fri Jan 29 00:38:47 2021 user.notice unbound: default recursion configuration
Fri Jan 29 00:38:56 2021 daemon.info uwsgi-luci: [1611898736] unbound-control[9595:0] warning: control-enable is 'no' in the config file.
Fri Jan 29 00:38:56 2021 daemon.info uwsgi-luci: [1611898736] unbound-control[9595:0] error: connect: Connection refused for 127.0.0.1 port 8953
Fri Jan 29 00:38:58 2021 daemon.info uwsgi-luci: [1611898738] unbound-control[9642:0] warning: control-enable is 'no' in the config file.
Fri Jan 29 00:38:58 2021 daemon.info uwsgi-luci: [1611898738] unbound-control[9642:0] error: connect: Connection refused for 127.0.0.1 port 8953
Fri Jan 29 00:39:00 2021 daemon.info uwsgi-luci: [1611898740] unbound-control[9664:0] warning: control-enable is 'no' in the config file.
Fri Jan 29 00:39:00 2021 daemon.info uwsgi-luci: [1611898740] unbound-control[9664:0] error: connect: Connection refused for 127.0.0.1 port 8953
Fri Jan 29 00:39:02 2021 daemon.info procd: Instance unbound::unbound s in a crash loop 6 crashes, 0 seconds since last crash
Fri Jan 29 00:39:23 2021 daemon.info uwsgi-luci: [1611898763] unbound-control[9786:0] warning: control-enable is 'no' in the config file.
Fri Jan 29 00:39:23 2021 daemon.info uwsgi-luci: [1611898763] unbound-control[9786:0] error: connect: Connection refused for 127.0.0.1 port 8953

Thanks and God Bless All - and stay safe out there

1 Like

Since you have installed unbound-control, make sure to enable it:

uci set unbound.@unbound[0].unbound_control="1"
uci commit unbound
/etc/init.d/unbound restart

See also: Unbound and odhcpd

1 Like

Dear vgaetera,
My main man ( yes I know the lingo ) - thanks for that - I truly appreciate your continued and persistent assistance throughout this whole matter. I am going to tackle this once again and then get back to you when I apply the fix you have been so kind enough to explain to me here. You are great by the way because I remember you helped me out a while back when I wrote up the WireGuard tutorial.
Peace and God Bless Always

1 Like

Dear vgaetera - Eric- anomeome and all,
Thanks for the continued help. OK I followed vgaetera's instructions in the above post specifically:

uci set unbound.@unbound[0].unbound_control="1"
uci commit unbound
/etc/init.d/unbound restart

and enabled unbound-control and that solved "warning: control-enable is 'no' in the config file." and "error: connect: Connection refused for 127.0.0.1 port 8953" in the Unbound logs
However, I now have a new issue popping up in the logs - please see log output below:

Fri Jan 29 04:46:36 2021 daemon.info procd: Instance unbound::unbound s in a crash loop 6 crashes, 0 seconds since last crash
Fri Jan 29 04:46:48 2021 daemon.info procd: Instance unbound::unbound s in a crash loop 7 crashes, 0 seconds since last crash
Fri Jan 29 04:48:34 2021 daemon.err uhttpd[3164]: /var/lib/unbound/etc/unbound/unbound_control.pem: No such file or directory
Fri Jan 29 04:48:36 2021 daemon.err uhttpd[3164]: /var/lib/unbound/etc/unbound/unbound_control.pem: No such file or directory

This error confounds me because I do run unbound-control-setup
Here is my /etc/config/unbound

config unbound 'ub_main'
        option add_extra_dns '0'
        option add_local_fqdn '1'
        option add_wan_fqdn '0'
        option dhcp4_slaac6 '0'
        option dns64 '0'
        option dns64_prefix '64:ff9b::/96'
        option domain 'mydomain.com'
        option domain_type 'transparent'
        option edns_size '1232'
        option extended_stats '1'
        option hide_binddata '1'
        option interface_auto '1'
        option extended_luci '1'
        option luci_expanded '1'
        option listen_port '53'
        option localservice '1'
        option manual_conf '0'
        option num_threads '2'
        option protocol 'mixed'
        option query_minimize '1'
        option query_min_strict '1'
        option rate_limit '0'
        option rebind_localhost '0'
        option rebind_protection '1'
        option recursion 'aggressive'
        option resource 'medium'
        option root_age '9'
        option ttl_min '120'
        option unbound_control '3'
        option validator '1'
        option validator_ntp '1'
        option verbosity '1'
        list trigger_interface 'lan'
        list trigger_interface 'wan'
        option query_minimize '1'
        list domain_insecure '3.us.pool.ntp.org'
        list domain_insecure 'mydomain.com'
        option dhcp_link 'dnsmasq'

So - hopefully - once this gets resolved - hopefully everything will work smoothly with and on
Unbound 1.13.0-1 - once again thanks for the patience, assistance and attention that all of you here have continued to extend to me regarding this matter

Dear Eric ( The Unbound Maintainer ) and all others,
Hello and I hope that all are safe and well. As I said, I have
a recurring error in Unbound logs which reads as detailed below:

daemon.err uhttpd[3164]: /var/lib/unbound/etc/unbound/unbound_control.pem: No such file or directory

Searching, I found a similar described issue here albeit it relates to pfSense:

Here the solution is described as doing the following :

You need to pass it the full path to the config file.

$ unbound-control -c /var/unbound/unbound.conf stats_noreset

I have researched this matter and have found little to address rectifying the matter regarding OpenWRT.
Except this thread here : https://github.com/openwrt/packages/issues/6656
Notably, Eric Luehrsen is on the thread. So, should I run the command :

unbound-control -c /var/lib/unbound/unbound.conf status

after enabling unbound-control and running unbound-control-setup
In other words, I am seeking the proper method to create :

/var/lib/unbound/etc/unbound/unbound_control.pem

this seems to be the only remaining issue on Unbound 1.13.0-1
if I am lucky enough to ever solve this - as I said my setup
works without any such issues using unbound-daemon_1.11.0-2 with OpenWrt 19.07.6 stable
these errors only surface when using builds based on OpenWrt Development Snapshots

Anyway, I am still trying and I hope that you guys do not give up
on me or this issue. Peace and Stay Safe

Weird, what is uhttpd trying to do with the Unbound keys?

By the way, DoT doesn't require unbound-control.
Did you try a simpler setup without unbound-control?

Dear vgaetera,
As to your question :

what is uhttpd trying to do with the Unbound keys?

I want to thank you for at least identifying and isolating what the issue is. The reason I prefer to use unbound-control is due to the fact that I can check out statistics and other information. Plus as I keep saying - this works ( with no problems ) with unbound-daemon_1.11.0-2 with OpenWRT 19.07.6 stable. Do you or anyone know how to debug what uhttpd is trying to do with the Unbound keys ? I guess someone must know somewhere out there hopefully. Again - thanks for all your assistance.

Peace My Friend

1 Like

Both of these are repeats from the thread above. Each application needs its own port and dnsmasq and Unbound are competing for 53. One must lose. The offending line in Unbound configuration I clipped from what you shared.

option listen_port '53'

You need to give each application its own port. 53 is assigned to the application you want on LAN. Other ports >1024 are assigned to those in the localhost chain, 5553 and 5453 for example.

LAN -> dnsmasq#53 -> localhost -> 
  -> unbound#5553 -> localhost -> 
    -> stubby#5453 -> WAN

See here regarding no conflicts with my port assignments:

# Move dnsmasq to port 53535 where it will still serve local DNS from DHCP
# Network -> DHCP & DNS -> Advanced Settings -> DNS server port to 53535
uci set 'dhcp.@dnsmasq[0].port=53535'

# Configure dnsmasq to send a DNS Server DHCP option with its LAN IP
# since it does not do this by default when port is configured.
uci add_list "dhcp.lan.dhcp_option=option:dns-server,$(uci get network.lan.ipaddr)"
uci set 'unbound.@unbound[0].dhcp_link=dnsmasq'

# Save & Apply (will restart dnsmasq, DNS unreachable until unbound is up)
uci commit

# Restart (or start) unbound (System -> Startup -> unbound -> Restart)
/etc/init.d/unbound restart

I leave Unbound on port 53 / after moving dnsmasq to port 53535 as detailed above / and as for stubby - I leave stubby on its default port 5453. Lastly, there must be some other issue ( s ) than the ports I have assigned because my setup works ( with no problems ) on unbound-daemon_1.11.0-2 with OpenWRT 19.07.6 stable

I will try this - then report back thanks Eric

LAN -> dnsmasq#53 -> localhost -> 
  -> unbound#5553 -> localhost -> 
    -> stubby#5453 -> WAN

As far as the PEM files, it seems Unbound has a defect with respect to the published behavior. They should be loaded before chroot. That is they are in (real root) /etc/unbound but somewhere in the mess unbound-control is trying /chroot.../etc/unbound. Enable unbound-control only localhost without encryption and it should work.

2 Likes
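
The two points made in the replies above (one port per application, and unbound-control on localhost without encryption) can be checked mechanically against the UCI files. This is an added example, not code from any poster or from the OpenWrt project; the function names, the constructed sample files and the reading of the unbound_control levels (taken from the OpenWrt unbound package documentation) are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): audit saved copies of /etc/config/unbound
# and /etc/config/dhcp for a shared DNS port and for the unbound_control level.

# uci_opt FILE TYPE OPTION DEFAULT
# Print OPTION from the first "config TYPE" section of FILE, else DEFAULT.
uci_opt() {
    awk -v type="$2" -v opt="$3" -v def="$4" -v q="'" '
        $1 == "config" { n += ($2 == type); in_sec = ($2 == type && n == 1); next }
        in_sec && $1 == "option" && $2 == opt { v = $3; gsub(q, "", v); gsub(/"/, "", v) }
        END { print (v == "" ? def : v) }
    ' "$1"
}

# audit_dns UNBOUND_CFG DHCP_CFG
# Both daemons default to port 53 when no port option is set.
# Level meanings are an assumption taken from the OpenWrt unbound package
# documentation: 0 off, 1 localhost unencrypted, 2 localhost TLS, 3 network TLS.
audit_dns() {
    ub_port=$(uci_opt "$1" unbound listen_port 53)
    ub_ctl=$(uci_opt "$1" unbound unbound_control 0)
    dm_port=$(uci_opt "$2" dnsmasq port 53)
    if [ "$ub_port" = "$dm_port" ]; then
        echo "CONFLICT: unbound and dnsmasq both listen on port $ub_port"
    else
        echo "OK: unbound on port $ub_port, dnsmasq on port $dm_port"
    fi
    case "$ub_ctl" in
        0) echo "INFO: unbound_control=0, unbound-control and LuCI status are refused" ;;
        1) echo "OK: unbound_control=1, localhost only, no key files involved" ;;
        2|3) echo "KEYS: unbound_control=$ub_ctl depends on unbound_control.pem and its key files" ;;
        *) echo "UNKNOWN: unbound_control=$ub_ctl" ;;
    esac
}

# Constructed sample files; the values are modelled on the config and the
# commands posted in the thread, not copied from a real router.
write_samples() {
    printf '%s\n' "config unbound 'ub_main'" "    option listen_port '53'" \
        "    option unbound_control '3'" > "$1/unbound_posted"
    printf '%s\n' "config unbound 'ub_main'" "    option listen_port '5553'" \
        "    option unbound_control '1'" > "$1/unbound_fixed"
    printf '%s\n' "config dnsmasq" "    option domainneeded '1'" > "$1/dhcp_default"
    printf '%s\n' "config dnsmasq" "    option port '53535'" > "$1/dhcp_moved"
}

demo_dir=$(mktemp -d)
write_samples "$demo_dir"
audit_dns "$demo_dir/unbound_posted" "$demo_dir/dhcp_default"  # collision, TLS keys
audit_dns "$demo_dir/unbound_posted" "$demo_dir/dhcp_moved"    # dnsmasq moved aside
audit_dns "$demo_dir/unbound_fixed"  "$demo_dir/dhcp_default"  # chained layout
rm -rf "$demo_dir"
```

On the router, call `audit_dns /etc/config/unbound /etc/config/dhcp` to see which of the two layouts described in the thread is actually in effect.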

Dear Eric,
Thanks - I truly appreciate your detailed explanation. I will give this a try following your instructions.
Peace and God Bless

Dear Eric, vgaetera, anomeome and the whole Gang,
I want to thank all of you who have helped me with getting Unbound 1.13.0-1 to work as it should when using OpenWRT Development Snapshots. See the log below :

Sat Jan 30 12:33:22 2021 daemon.notice unbound: [7600:0] notice: init module 0: validator
Sat Jan 30 12:33:22 2021 daemon.notice unbound: [7600:0] notice: init module 1: iterator
Sat Jan 30 12:33:22 2021 daemon.info unbound: [7600:0] info: start of service (unbound 1.13.0).
Sat Jan 30 12:33:54 2021 daemon.info unbound: [7600:1] info: generate keytag query _ta-4a5c-4f66. NULL IN
Sat Jan 30 12:33:54 2021 daemon.info unbound: [7600:0] info: generate keytag query _ta-4a5c-4f66. NULL IN
Sat Jan 30 12:39:09 2021 user.notice unbound: root.key updated after 57 days
Sat Jan 30 12:39:10 2021 daemon.info unbound: [7600:0] info: service stopped (unbound 1.13.0).
Sat Jan 30 12:39:10 2021 daemon.info unbound: [7600:0] info: server stats for thread 0: 169 queries, 87 answers from cache, 82 recursions, 3 prefetch, 0 rejected by ip ratelimiting
Sat Jan 30 12:39:10 2021 daemon.info unbound: [7600:0] info: server stats for thread 0: requestlist max 7 avg 2.05882 exceeded 0 jostled 0
Sat Jan 30 12:39:10 2021 daemon.info unbound: [7600:0] info: average recursion processing time 24.480746 sec
Sat Jan 30 12:39:10 2021 daemon.info unbound: [7600:0] info: histogram of recursion processing times
Sat Jan 30 12:39:10 2021 daemon.info unbound: [7600:0] info: [25%]=0.0600747 median[50%]=0.218453 [75%]=1.58333
Sat Jan 30 12:39:10 2021 daemon.info unbound: [7600:0] info: lower(secs) upper(secs) recursions
Sat Jan 30 12:39:10 2021 daemon.info unbound: [7600:0] info:    0.000000    0.000001 1
Sat Jan 30 12:39:10 2021 daemon.info unbound: [7600:0] info:    0.016384    0.032768 2
Sat Jan 30 12:39:10 2021 daemon.info unbound: [7600:0] info:    0.032768    0.065536 21
Sat Jan 30 12:39:10 2021 daemon.info unbound: [7600:0] info:    0.065536    0.131072 13
Sat Jan 30 12:39:10 2021 daemon.info unbound: [7600:0] info:    0.131072    0.262144 6
Sat Jan 30 12:39:10 2021 daemon.info unbound: [7600:0] info:    0.262144    0.524288 7
Sat Jan 30 12:39:10 2021 daemon.info unbound: [7600:0] info:    0.524288    1.000000 8
Sat Jan 30 12:39:10 2021 daemon.info unbound: [7600:0] info:    1.000000    2.000000 6
Sat Jan 30 12:39:10 2021 daemon.info unbound: [7600:0] info:    2.000000    4.000000 10
Sat Jan 30 12:39:10 2021 daemon.info unbound: [7600:0] info:    4.000000    8.000000 1
Sat Jan 30 12:39:10 2021 daemon.info unbound: [7600:0] info:  256.000000  512.000000 7
Sat Jan 30 12:39:10 2021 daemon.info unbound: [7600:0] info: server stats for thread 1: 150 queries, 100 answers from cache, 50 recursions, 15 prefetch, 0 rejected by ip ratelimiting
Sat Jan 30 12:39:10 2021 daemon.info unbound: [7600:0] info: server stats for thread 1: requestlist max 9 avg 2.29231 exceeded 0 jostled 0
Sat Jan 30 12:39:10 2021 daemon.info unbound: [7600:0] info: average recursion processing time 28.609251 sec
Sat Jan 30 12:39:10 2021 daemon.info unbound: [7600:0] info: histogram of recursion processing times
Sat Jan 30 12:39:10 2021 daemon.info unbound: [7600:0] info: [25%]=0.09216 median[50%]=0.262144 [75%]=2.625
Sat Jan 30 12:39:10 2021 daemon.info unbound: [7600:0] info: lower(secs) upper(secs) recursions
Sat Jan 30 12:39:10 2021 daemon.info unbound: [7600:0] info:    0.000000    0.000001 1
Sat Jan 30 12:39:10 2021 daemon.info unbound: [7600:0] info:    0.032768    0.065536 5
Sat Jan 30 12:39:10 2021 daemon.info unbound: [7600:0] info:    0.065536    0.131072 16
Sat Jan 30 12:39:10 2021 daemon.info unbound: [7600:0] info:    0.131072    0.262144 3
Sat Jan 30 12:39:10 2021 daemon.info unbound: [7600:0] info:    0.262144    0.524288 2
Sat Jan 30 12:39:10 2021 daemon.info unbound: [7600:0] info:    0.524288    1.000000 4
Sat Jan 30 12:39:10 2021 daemon.info unbound: [7600:0] info:    1.000000    2.000000 4
Sat Jan 30 12:39:10 2021 daemon.info unbound: [7600:0] info:    2.000000    4.000000 8
Sat Jan 30 12:39:10 2021 daemon.info unbound: [7600:0] info:    4.000000    8.000000 2
Sat Jan 30 12:39:10 2021 daemon.info unbound: [7600:0] info:  256.000000  512.000000 5
Sat Jan 30 12:39:15 2021 daemon.notice unbound: [10055:0] notice: init module 0: validator
Sat Jan 30 12:39:15 2021 daemon.notice unbound: [10055:0] notice: init module 1: iterator
Sat Jan 30 12:39:15 2021 daemon.info unbound: [10055:0] info: start of service (unbound 1.13.0).
Sat Jan 30 12:39:22 2021 daemon.info unbound: [10055:0] info: generate keytag query _ta-4f66. NULL IN
Sat Jan 30 12:40:23 2021 daemon.err uhttpd[3261]: luci: accepted login on /admin/services/unbound/status/syslog for root from 172.30.211.125

Now the key was following Eric's advice above. Before I close this can anyone offer me some standard tweaks to enter in /etc/unbound/unbound_srv.conf if that is something that is recommended or will enhance performance. I generally run WRT3200ACM or Netgear r7800.
Thanks Eric especially for your expertise, patience and genial manner - but the same can be said for all who helped me work this out
Cheers and Stay safe

1 Like
