Need Help With UNBOUND Setup on Snapshots

Dear Community,
Hello and I hope that all are both safe and well. I am wondering if anyone can assist me in how to set up UNBOUND on the new OpenWRT snapshots. Specifically, unbound with dnsmasq for dhcp. I wrote many tutorials for OpenWRT DOT using stubby with unbound, dnsmasq.
If anyone can explain this new procedure to me then I will update the tutorials ( write new ones ) for all who used this configuration successfully. Thanks and God Bless. Please do not just point me to the UNBOUND readme as I really need and would prefer more detailed guidance and instructions.
I am well versed in SSH - so uci commands are fine.

This is my old tutorial here for reference below :

and here :
https://forums.torguard.net/index.php?/topic/1374-from-the-dns-privacy-project-dns-over-tls-on-openwrtlede-featuring-unbound-getdns-and-stubby/

Thanks - I just want to get this set up updated to benefit the entire OpenWRT Community - especially for those interested in internet privacy

Here is how to forward DOT to one of the common choices. Fallback is disabled so unknowns will fail and not go into recursion. IPv6 shown but commented out.

config zone 'fwd_cloudflare'
	option enabled '1'
	option fallback '0'
	option tls_index 'cloudflare-dns.com'
	option tls_upstream '1'
	option zone_type 'forward_zone'
	list server '1.1.1.1'
	list server '1.0.0.1'
	#list server '2606:4700:4700::1111'
	#list server '2606:4700:4700::1001'
	list zone_name '.'

-or-

config zone 'fwd_google'
	option enabled '1'
	option fallback '0'
	option tls_index 'dns.google'
	option tls_upstream '1'
	option zone_type 'forward_zone'
	list server '8.8.4.4'
	list server '8.8.8.8'
	#list server '2001:4860:4860::8844'
	#list server '2001:4860:4860::8888'
	list zone_name '.'

-or-

config zone 'fwd_quad9'
	option enabled '1'
	option fallback '0'
	option tls_index 'dns.quad9.net'
	option tls_upstream '1'
	option zone_type 'forward_zone'
	list server '9.9.9.9'
	list server '149.112.112.112'
	#list server '2620:fe::fe'
	#list server '2620:fe::9'
	list zone_name '.'

Here is how to forward to all of them. You can only have one root zone definition in Unbound. Note however that mixing like this may have odd results. They each have their own DNS naughty list (or not) and privacy policy. Quad9 has different server addresses for different behaviors. Read the providers' respective websites carefully.

config zone 'fwd_everywhere'
	option enabled '1'
	option fallback '0'
	option tls_upstream '1'
	option zone_type 'forward_zone'
	# mixing servers so each line must be fully qualified
	list server '1.1.1.1@853#cloudflare-dns.com'
	list server '1.0.0.1@853#cloudflare-dns.com'
	list server '8.8.4.4@853#dns.google'
	list server '8.8.8.8@853#dns.google'
	list server '9.9.9.9@853#dns.quad9.net'
	list server '149.112.112.112@853#dns.quad9.net'
	list zone_name '.'

As for mixing dnsmasq and unbound the serial method is easiest. dnsmasq serves the local domain as usual, but it believes the only upstream server is the local unbound instance.

Unbound only needs this one UCI change to listen on some other odd port, not #53.

option listen_port '1053'

dnsmasq needs to be told that all queries can only be answered by local host on #1053. You need to disable the resolve file and tell dnsmasq where to go.

option noresolv '1'
list server '127.0.0.1#1053'

The above each apply to OpenWrt 19.07 and snapshots in 2021.

Dear Eric,
Hello and I hope that all is well with you and that you and yours are safe in this world of ours. Thank you so very much for your reply. Which file should I enter the forward zone in - /etc/config/unbound ? or somewhere else ?
Also I want to integrate stubby in with unbound and dnsmasq. Would something like this below work ?:

config zone 'fwd_stubby'
	option enabled '1'
	option fallback '0'
	option tls_upstream '1'
	option zone_type 'forward_zone'
	# mixing servers so each line must be fully qualified
	list server '127.0.0.1@5453#/etc/stubby/stubby.yml file'

Basically - I am trying to follow this guide here below :
https://blog.grobox.de/2018/what-is-dns-privacy-and-how-to-set-it-up-for-openwrt/
The issue which confounds me is - I used to forward dns requests from stubby ( 127.0.0.1#5453 ) to unbound - then move dnsmasq to port 53535
Lastly I would do the following below in dnsmasq file :

nano /etc/config/dhcp

    list server '127.0.0.1#5453' # Stubby/Unbound Default Address/Port
    option noresolv '1'   # Make sure to change this as indicated

So - once again thanks for your assistance. I am truly grateful and confused ( a bit less after your intervention ). However - you see I am trying to use stubby along with unbound and serial dnsmasq . That is my ultimate goal. Thanks and God Bless You and Yours
Always In Peace

The forward zones are part of the Unbound UCI file. However now, I don't fully understand your topology. Why stubby and Unbound? Unbound is capable of DOT, and now fixed, it keeps TCP open for a few queries at a time. If you use stubby alone, then you can link it with libunbound and get cache which otherwise it lacks.

If you have Unbound forward to stubby, then disable TLS. Your local host doesn't have a certificate for "localhost" so the connection would fail.

config zone 'fwd_stubby'
	option enabled '1'
	option fallback '0'
	option tls_upstream '0'
	option zone_type 'forward_zone'
	option port '5453'
	list server '127.0.0.1'
	list server '::1'
	list zone_name '.'

Dear Eric,
Thanks a ton for your time, consideration and expertise regarding this matter. So, basically I can and should leave dnsmasq untouched - is that correct ?

Why stubby and Unbound?

The reason I prefer stubby with Unbound is the pinning and other features stubby provides / see below from stubby page on stubby homepage:

 Some users combine Unbound (as a caching proxy with other features such as
 DNS Blacklisting) and Stubby (as a fully featured TLS forwarder).

When you say Unbound UCI file - would I edit /etc/config/unbound ? -and if so would this zone go at the end of the file - or is there a designated area in which to enter the configuration which you were kind enough to layout above.
Thanks - and once I get this working - I will write up a new tutorial for those who wish to deploy DOT using stubby and Unbound. Naturally, I will give credit where credit is due - and that means you Eric - if that attribution is OK with you.
Peace and Be well

Current setup from one of my edge devices using unbound in parallel setup with dnsmasq

root@bsaedgy:/etc/config# cat unbound
config unbound
	option add_extra_dns '0'
	option add_local_fqdn '0'
	option add_wan_fqdn '0'
#	option dhcp_link 'none'
	option dhcp_link 'dnsmasq'
	option dhcp4_slaac6 '0'
	option dns64 '0'
	option dns64_prefix '64:ff9b::/96'
	option domain 'bsa.net'
#	option domain_type 'static'
	option domain_type 'refuse'
	option edns_size '1280'
	option extended_stats '0'
	option hide_binddata '1'
	option interface_auto '1'
#	option listen_port '5353'
	option listen_port '53'
	option localservice '1'
	option manual_conf '0'
	option num_threads '2'
	option protocol 'default'
	option query_minimize '0'
	option query_min_strict '0'
	option rebind_localhost '0'
	option rebind_protection '1'
	option recursion 'default'
	option resource 'default'
	option root_age '9'
	option ttl_min '120'
	option unbound_control '0'
	option validator '1'
	option validator_ntp '1'
	option verbosity '1'
	list trigger_interface 'lan'
	list trigger_interface 'wan'
	list domain_insecure 'bsa.net'

config zone
	option enabled '1'
	option zone_type 'forward_zone'
	option fallback '1'
	option resolv_conf '0'
	option tls_upstream '1'
	list server '1.1.1.1@853#cloudflare-dns.com'
	list server '9.9.9.9@853#dns.quad9.net'
	list server '2606:4700:4700::1111@853#cloudflare-dns.com'
	list server '2620:fe::9@853#dns.quad9.net'
	list server '8.8.8.8@853#dns.google'
	list server '2001:4860:4860::8888@853#dns.google'
	list zone_name '.'

Dear anomeome,
My man - thank you so very much for this. Between you and Eric - I should be able to get this working ( hopefully ) in some shape, form, or fashion. What has been giving me problems is unbound-control. Do I need to install that package, or am I just better off not bothering with unbound-control at all ? Further to that point - what packages do you suggest to install when attempting to use Unbound with the current snapshots ? I have been using the packages listed below ( as they always worked well together up and until current stable release 19.07.6 ):

opkg update ; opkg install unbound-daemon unbound-control
unbound-control-setup luci-app-unbound unbound-anchor 
unbound-host stubby getdns unbound-checkconf odhcpd

Maybe with the new snapshots some of those packages listed above are not needed and / or buggy. Thanks for your assistance. Lastly - do you have any recommendations as to the overall configuration of dns over tls using stubby, dnsmasq and unbound as I used to do as described in the first post - except now with an updated method for the current OpenWRT Snapshots.
Thanks for all the help - Peace and God Bless

Again as shown above, you will need to disable the resolve conf file in dnsmasq, otherwise it will forward to your ISP. Then you need to tell dnsmasq to forward all queries to Unbound at local host. Unbound and Stubby will need to listen on different non-standard ports each. That is I assume you are doing this:
LAN -> dnsmasq#53 -> localhost -> unbound#5553 -> localhost -> stubby#5453 -> WAN

Dear Eric,
Thanks once again - can you set me straight on this inquiry before I dive into the pool - thanks in advance :

What packages do you suggest to install when attempting to use Unbound 
with the current snapshots ? I have been using the packages listed
below ( as they always worked well together up and until current 
stable release 19.07.6 ):

opkg update ; opkg install unbound-daemon unbound-control
unbound-control-setup luci-app-unbound unbound-anchor 
unbound-host stubby getdns unbound-checkconf odhcpd

I just want to be sure that I am not installing any packages which are
superfluous and / or not necessary for Unbound to work

I keep getting an error with the old setup - that said unbound-control was set to no - and this caused Unbound to go into a loop and continually crash. So, I am asking is it best to omit unbound-control all together ?
Lastly, I am just about ready to tackle this. I can not begin to fully express my most sincere gratitude and appreciation for all the patience and assistance which you have given me here.
My understanding is much improved as to how to handle this. I just need your recommendation as to the unbound package ( s ) to install - and I will take it from there.

opkg install luci-app-unbound

should be enough to just get unbound w. LuCI GUI. That being said, I have no idea what options are used by the bot for libunbound generation, and would assume your loop / crash is probably self-inflicted; it has been ~year since I have seen anything untoward with unbound in my environs.

Thanks anomeome - I ( at this point concur with your opinion that less is more ) - once again - I appreciate your help - so I am going to take a stab at this now - and will report back to you and Eric as to how I fared in this undertaking
Peace To You Guys

The crashing has nothing to do with unbound-control. The crashing is caused by the installation routine. It assumes that no other program uses port 53, but dnsmasq does. Therefore unbound can't claim port 53 and crashes.

In order to solve the issue you must assign another port for unbound and start it again.
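The two recurring pitfalls in this thread are the forward-zone server syntax (Eric's `fwd_everywhere` zone, where each mixed server line must carry `@853#authname`, and the `fwd_stubby` zone, where TLS to loopback cannot be authenticated) and the serial dnsmasq -> Unbound hand-off (noresolv, the localhost server line, and the port collision Barney describes). The following is an added example, not code from the thread, the grobox guide or the OpenWrt unbound package: a small audit script that reads the UCI text of `/etc/config/unbound` and `/etc/config/dhcp` and reports those problems. The `parse_uci` helper, the check functions and the embedded sample configs are all constructed for this example.

```python
"""Audit a serial dnsmasq -> Unbound DNS-over-TLS setup from UCI text.
Added example for this thread, not code from the thread or the OpenWrt unbound
package. It reads the UCI text of /etc/config/unbound and /etc/config/dhcp and
flags the pitfalls discussed above. The sample configs are constructed."""
import re

# forward_zone server syntax: addr, optional @port, optional #authname
SERVER_RE = re.compile(r'^(?P<addr>[^@#]+)(?:@(?P<port>\d+))?(?:#(?P<name>.+))?$')

def parse_uci(text):
    """Minimal UCI reader: list of {'type', 'name', 'opts', 'lists'} sections."""
    sections, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue  # blank or commented-out line
        parts = line.split(None, 2)
        if parts[0] == 'config':
            name = parts[2].strip("'\"") if len(parts) > 2 else ''
            cur = {'type': parts[1], 'name': name, 'opts': {}, 'lists': {}}
            sections.append(cur)
        elif parts[0] == 'option' and cur is not None:
            cur['opts'][parts[1]] = parts[2].strip("'\"")
        elif parts[0] == 'list' and cur is not None:
            cur['lists'].setdefault(parts[1], []).append(parts[2].strip("'\""))
    return sections

def check_forward_zone(zone):
    """Issues in one Unbound forward_zone section."""
    issues, o = [], zone['opts']
    tls = o.get('tls_upstream') == '1'
    if o.get('fallback') == '1':
        issues.append('fallback=1: names the forwarder cannot answer recurse in the clear')
    for srv in zone['lists'].get('server', []):
        m = SERVER_RE.match(srv)
        if not m:
            issues.append(f'{srv}: not of the form addr[@port][#name]')
        elif tls and m.group('addr') in ('127.0.0.1', '::1'):
            issues.append(f'{srv}: TLS to loopback cannot be authenticated; use tls_upstream 0')
        elif tls and not m.group('name') and not o.get('tls_index'):
            issues.append(f'{srv}: no auth name (tls_index or addr@853#name); TLS unverified')
    return issues

def check_serial(dhcp_sections, unbound_sections):
    """Issues in the dnsmasq -> unbound hand-off: ports, noresolv, server line."""
    dnsmasq = next((s for s in dhcp_sections if s['type'] == 'dnsmasq'), None)
    ub = next((s for s in unbound_sections if s['type'] == 'unbound'), None)
    if dnsmasq is None or ub is None:
        return ['missing dnsmasq or unbound section']
    issues = []
    dport = dnsmasq['opts'].get('port', '53')    # both daemons default to 53
    uport = ub['opts'].get('listen_port', '53')
    if dport == uport:
        issues.append(f'dnsmasq and unbound both on port {dport}: second to start cannot bind')
    if dnsmasq['opts'].get('noresolv') != '1':
        issues.append('dnsmasq noresolv missing: resolv.conf (ISP) servers still used')
    want = {f'127.0.0.1#{uport}', f'::1#{uport}'}
    if not want & set(dnsmasq['lists'].get('server', [])):
        issues.append(f'dnsmasq has no server entry for localhost#{uport}')
    return issues

def audit(unbound_text, dhcp_text):
    """All issues for the pair of files; an empty list means the chain looks sane."""
    ub, dh = parse_uci(unbound_text), parse_uci(dhcp_text)
    issues = []
    for z in ub:
        if (z['type'] == 'zone' and z['opts'].get('zone_type') == 'forward_zone'
                and z['opts'].get('enabled', '1') == '1'):
            issues += [f"zone {z['name'] or '(unnamed)'}: {i}" for i in check_forward_zone(z)]
    return issues + check_serial(dh, ub)

# Constructed sample configs (not from any real router).
UNBOUND_OK = """config unbound
	option listen_port '1053'
config zone 'fwd_everywhere'
	option fallback '0'
	option tls_upstream '1'
	option zone_type 'forward_zone'
	list server '1.1.1.1@853#cloudflare-dns.com'
	list server '9.9.9.9@853#dns.quad9.net'
	list zone_name '.'"""
DHCP_OK = """config dnsmasq
	option noresolv '1'
	list server '127.0.0.1#1053'"""
UNBOUND_BAD = """config unbound
	option listen_port '53'
config zone 'fwd_stubby'
	option fallback '1'
	option tls_upstream '1'
	option zone_type 'forward_zone'
	list server '127.0.0.1'
	list server '8.8.8.8'
	list zone_name '.'"""
DHCP_BAD = """config dnsmasq
	list server '127.0.0.1#1053'"""

if __name__ == '__main__':
    for label, u, d in (('ok', UNBOUND_OK, DHCP_OK), ('bad', UNBOUND_BAD, DHCP_BAD)):
        print(label, audit(u, d) or ['no issues'])
```

On a router you would feed it the real files, e.g. `audit(open('/etc/config/unbound').read(), open('/etc/config/dhcp').read())`. The sample `bad` pair reproduces the thread's mistakes: both daemons on port 53, dnsmasq still reading resolv.conf, a server line pointing at a port Unbound does not listen on, TLS to 127.0.0.1, an upstream without an authentication name, and fallback enabled.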

Thanks - I did give that a try - I did move Unbound to port '1053' as suggested by Eric - and still I got crashes - although the log message unbound-control is set to no was no longer present
I think something is wrong with Unbound package in the snapshot repo
I read something about this being a possibility here :

The bare minimum for Unbound+DoT is unbound-daemon and ca-bundle.
In addition, you may want to install unbound-control to resolve DHCP lease names.

Temporarily stop Dnsmasq and revert Unbound to default settings.
Then perform changes one-by-one testing each config modification.

Dear Barney, vgaetera, Eric, anomeome and all who have helped me so far,
If folks check out the tutorial which I authored in the OP - I am well versed and experienced in setting this whole thing up. Specifically, with regard to moving Unbound to another port - I followed this guide below :

https://blog.grobox.de/2018/what-is-dns-privacy-and-how-to-set-it-up-for-openwrt/
and this section below states :
Now, you just need to move the existing dnsmasq server aside, so unbound
can answer your devices DNS queries.
and I do this by following the referenced page ( see below ):

# Move dnsmasq to port 53535 where it will still serve local DNS from DHCP
# Network -> DHCP & DNS -> Advanced Settings -> DNS server port to 53535
uci set 'dhcp.@dnsmasq[0].port=53535'

# Configure dnsmasq to send a DNS Server DHCP option with its LAN IP
# since it does not do this by default when port is configured.
uci add_list "dhcp.lan.dhcp_option=option:dns-server,$(uci get network.lan.ipaddr)"
uci set 'unbound.@unbound[0].dhcp_link=dnsmasq'

# Save & Apply (will restart dnsmasq, DNS unreachable until unbound is up)
uci commit

# Restart (or start) unbound (System -> Startup -> unbound -> Restart)
/etc/init.d/unbound restart

So, I do appreciate all the help. But if anyone cares to read through the entire guides of mine and / or Torsten's - and offer any advice as to how to get this working on the new OpenWRT snapshots- I will be most grateful. However, I can tell you all ( as I stated earlier ) the setup I wrote up still works flawlessly on current stable 19.07.6 builds. I am running hnyman's Build for Netgear R7800 - stable openwrt-19.07 owrt1907-r11285 now with absolutely no issues whatsoever. Maybe there are bugs in Unbound with regard to the snapshots. However, I am appreciative to all - have my eyes and ears still open and hopefully in time - I will finally get this working on the snapshots.
What I am ultimately seeking to find out is are there any changes in Unbound 1.13.0-1 ( the current Unbound version in Snapshots ) with regards as to how it needs to be configured so that it will work as detailed in the OP tutorial ?
Peace and God Bless All

Maybe. I'm using unbound 1.11.0 from snapshot r14740-0b31713c85 and it runs flawlessly.

If unbound crashes, it will tell you the reason, when you enter the following command (the -vvvv means very very very verbose):

unbound -d -c /var/lib/unbound/unbound.conf -vvvv

Please post the output of the previous command. Ctrl-C stops unbound.

Dear All Who Have Helped Me So Far,
I am going to give this one more try - these are the Unbound packages which run flawlessly on
hnyman's Build for Netgear R7800 - stable openwrt-19.07 owrt1907-r11285

libunbound-heavy - 1.11.0-2
luci-app-unbound - git-21.022.31068-7129723-1
unbound-anchor - 1.11.0-2
unbound-checkconf - 1.11.0-2
unbound-control - 1.11.0-2
unbound-control-setup - 1.11.0-2
unbound-daemon-heavy - 1.11.0-2
unbound-host - 1.11.0-2

I do notice that unbound-daemon-heavy is not available in Snapshot package repository ; I read somewhere in the forums that this being absent may cause some issues on Unbound.
So, I am going to install and configure Unbound 1.13.0-1 on Snapshot instance. Then I will report back after running command

unbound -d -c /var/lib/unbound/unbound.conf -vvvv

as you have suggested. Thanks for all the assistance one more again.
Peace

heavy fell by the wayside.