Opkg breaks after installing unbound (wget returned 4)

Okay, so I am able to use Unbound with clients. All clients point back to the router and are successfully using unbound. However, the router itself is not resolving out. Example:

root@OpenWrt:~# opkg update
Downloading https://downloads.openwrt.org/releases/21.02.3/targets/x86/64/packages/Packages.gz
*** Failed to download the package list from https://downloads.openwrt.org/releases/21.02.3/targets/x86/64/packages/Packages.gz

Downloading https://downloads.openwrt.org/releases/21.02.3/packages/x86_64/base/Packages.gz
*** Failed to download the package list from https://downloads.openwrt.org/releases/21.02.3/packages/x86_64/base/Packages.gz

Downloading https://downloads.openwrt.org/releases/21.02.3/packages/x86_64/luci/Packages.gz
*** Failed to download the package list from https://downloads.openwrt.org/releases/21.02.3/packages/x86_64/luci/Packages.gz

Downloading https://downloads.openwrt.org/releases/21.02.3/packages/x86_64/packages/Packages.gz
*** Failed to download the package list from https://downloads.openwrt.org/releases/21.02.3/packages/x86_64/packages/Packages.gz

Downloading https://downloads.openwrt.org/releases/21.02.3/packages/x86_64/routing/Packages.gz
*** Failed to download the package list from https://downloads.openwrt.org/releases/21.02.3/packages/x86_64/routing/Packages.gz

Downloading https://downloads.openwrt.org/releases/21.02.3/packages/x86_64/telephony/Packages.gz
*** Failed to download the package list from https://downloads.openwrt.org/releases/21.02.3/packages/x86_64/telephony/Packages.gz

Collected errors:
 * opkg_download: Failed to download https://downloads.openwrt.org/releases/21.02.3/targets/x86/64/packages/Packages.gz, wget returned 4.
 * opkg_download: Check your network settings and connectivity.

 * opkg_download: Failed to download https://downloads.openwrt.org/releases/21.02.3/packages/x86_64/base/Packages.gz, wget returned 4.
 * opkg_download: Check your network settings and connectivity.

 * opkg_download: Failed to download https://downloads.openwrt.org/releases/21.02.3/packages/x86_64/luci/Packages.gz, wget returned 4.
 * opkg_download: Check your network settings and connectivity.

 * opkg_download: Failed to download https://downloads.openwrt.org/releases/21.02.3/packages/x86_64/packages/Packages.gz, wget returned 4.
 * opkg_download: Check your network settings and connectivity.

 * opkg_download: Failed to download https://downloads.openwrt.org/releases/21.02.3/packages/x86_64/routing/Packages.gz, wget returned 4.
 * opkg_download: Check your network settings and connectivity.

 * opkg_download: Failed to download https://downloads.openwrt.org/releases/21.02.3/packages/x86_64/telephony/Packages.gz, wget returned 4.
 * opkg_download: Check your network settings and connectivity.

You probably have to fix the (new) DNS setup for your router (with unbound in the picture).

1 Like
config unbound 'ub_main'
	option dhcp_link 'dnsmasq'
	option dns64 '0'
	option domain 'Sam-Network'
	option edns_size '1232'
	option hide_binddata '1'
	option interface_auto '1'
	option listen_port '53'
	option localservice '1'
	option manual_conf '0'
	option num_threads '1'
	option root_age '9'
	option ttl_neg_max '1000'
	option validator_ntp '1'
	option verbosity '1'
	list iface_wan 'wan'
	list domain_insecure 'time1.google.com'
	list domain_insecure 'time2.google.com'
	list domain_insecure 'time3.google.com'
	list domain_insecure 'time4.google.com'
	option enabled '1'
	option validator '1'
	option extended_stats '1'
	option recursion 'aggressive'
	option query_minimize '1'
	option rate_limit '1024'
	option ttl_min '1200'
	option unbound_control '1'
	option iface_lan 'lan'
	option query_min_strict '1'
	option protocol 'mixed'
	option resource 'large'
	option rebind_localhost '1'
	option rebind_protection '2'
	list iface_trig 'lan'
	list iface_trig 'wan'

config zone 'auth_icann'
	option enabled '0'
	option fallback '1'
	option url_dir 'https://www.internic.net/domain/'
	option zone_type 'auth_zone'
	list server 'lax.xfr.dns.icann.org'
	list server 'iad.xfr.dns.icann.org'
	list zone_name '.'
	list zone_name 'arpa.'
	list zone_name 'in-addr.arpa.'
	list zone_name 'ip6.arpa.'

config zone 'fwd_isp'
	option enabled '0'
	option fallback '1'
	option resolv_conf '1'
	option zone_type 'forward_zone'
	list zone_name 'isp-bill.example.com.'
	list zone_name 'isp-mail.example.net.'

config zone 'fwd_google'
	option enabled '0'
	option fallback '1'
	option tls_index 'dns.google'
	option tls_upstream '1'
	option zone_type 'forward_zone'
	list server '8.8.4.4'
	list server '8.8.8.8'
	list server '2001:4860:4860::8844'
	list server '2001:4860:4860::8888'
	list zone_name '.'

config zone 'fwd_cloudflare'
	option enabled '0'
	option fallback '1'
	option tls_index 'cloudflare-dns.com'
	option tls_upstream '1'
	option zone_type 'forward_zone'
	list server '1.1.1.1'
	list server '1.0.0.1'
	list server '2606:4700:4700::1111'
	list server '2606:4700:4700::1001'
	list zone_name '.'


And dnsmasq is pushed to the proper port.

Can you point me in the direction of where to read to do such? I followed the Unbound/dnsmasq parallel method line by line, and now use of opkg is broken.

Dig works fine.

root@OpenWrt:~# dig www.google.com

; <<>> DiG 9.18.1 <<>> www.google.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9627
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;www.google.com.                        IN      A

;; ANSWER SECTION:
www.google.com.         532     IN      A       172.217.2.196

;; Query time: 4 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
;; WHEN: Sun Jul 24 21:26:06 EDT 2022
;; MSG SIZE  rcvd: 59

So does nslookup:

root@OpenWrt:~# nslookup www.google.com
Server:         127.0.0.1
Address:        127.0.0.1#53

Name:      www.google.com
Address 1: 172.217.2.196
Address 2: 2607:f8b0:4002:80a::2004

Both indicate the router's DNS is working; however, opkg appears to be broken.

As a matter of fact, I can:

root@OpenWrt:~# dig openwrt.org

; <<>> DiG 9.18.1 <<>> openwrt.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26676
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;openwrt.org.                   IN      A

;; ANSWER SECTION:
openwrt.org.            1200    IN      A       139.59.209.225

;; Query time: 44 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
;; WHEN: Sun Jul 24 21:36:25 EDT 2022
;; MSG SIZE  rcvd: 56

However:

root@OpenWrt:~# dig downloads.openwrt.org

; <<>> DiG 9.18.1 <<>> downloads.openwrt.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 47235
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;downloads.openwrt.org.         IN      A

;; ANSWER SECTION:
downloads.openwrt.org.  40327   IN      CNAME   mirror-02.infra.openwrt.org.

;; AUTHORITY SECTION:
openwrt.org.            1000    IN      SOA     ns1.digitalocean.com. hostmaster.openwrt.org. 1655385680 10800 3600 604800 1800

;; Query time: 88 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
;; WHEN: Sun Jul 24 21:36:55 EDT 2022
;; MSG SIZE  rcvd: 147
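The dig output above is the tell: `status: NXDOMAIN` while the ANSWER section still carries a CNAME, i.e. the alias `downloads.openwrt.org` exists but its target `mirror-02.infra.openwrt.org` did not resolve at this recursor, which is exactly why opkg's wget fails with a network error while `openwrt.org` itself resolves. The following helper is an added example written for this editing pass, not code from the thread or from the OpenWrt project: it parses the text dig prints, classifies the response, pulls out the CNAME target, and (in `triage`, not run here) queries the target both normally and with DNSSEC checking disabled so a validation failure can be told apart from a recursion or upstream problem. The samples are copied from or constructed after the thread's own dig output so the script runs offline; the `+cd` comparison is the standard dig flag, nothing OpenWrt-specific is assumed.

```sh
#!/bin/sh
# Added triage helper (not from the thread). Reads dig(1) text output and
# classifies it, so the "NXDOMAIN with a CNAME in the answer" shape seen for
# downloads.openwrt.org is caught without eyeballing the output.
# Live use:  dig downloads.openwrt.org | classify_dig_output
#            triage downloads.openwrt.org            # against 127.0.0.1
#            triage downloads.openwrt.org 1.1.1.1    # bypass the local recursor

# Constructed sample (after the thread): alias present, recursor said NXDOMAIN.
SAMPLE_NXDOMAIN=';; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 47235
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;downloads.openwrt.org.         IN      A

;; ANSWER SECTION:
downloads.openwrt.org.  40327   IN      CNAME   mirror-02.infra.openwrt.org.

;; AUTHORITY SECTION:
openwrt.org.            1000    IN      SOA     ns1.digitalocean.com. hostmaster.openwrt.org. 1655385680 10800 3600 604800 1800'

# Constructed sample: healthy answer.
SAMPLE_OK=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26676
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; QUESTION SECTION:
;openwrt.org.                   IN      A

;; ANSWER SECTION:
openwrt.org.            1200    IN      A       139.59.209.225'

# Constructed sample: the shape a DNSSEC validation failure usually takes.
SAMPLE_SERVFAIL=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 1
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'

# Print the RCODE (NOERROR, NXDOMAIN, SERVFAIL, ...) from dig output on stdin.
dig_status() {
    sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1
}

# Count non-comment resource records whose type matches the ERE in $1 (e.g. 'A|AAAA').
# Comment lines (";...") are the question/header sections and are skipped.
dig_count_rr() {
    grep -v '^;' | grep -Ec "[[:space:]]IN[[:space:]]+($1)[[:space:]]" || true
}

# Print the first CNAME target found in the answer, or nothing.
dig_cname_target() {
    grep -v '^;' | sed -n 's/.*[[:space:]]IN[[:space:]]*CNAME[[:space:]]*\([^[:space:]]*\).*/\1/p' | head -n 1
}

# Classify dig output on stdin. Prints exactly one word:
#   ok              NOERROR with at least one A/AAAA record
#   dangling-cname  a CNAME came back but no address did (NXDOMAIN or NODATA):
#                   the alias exists, its target did not resolve at this recursor
#   nxdomain        NXDOMAIN with no records at all
#   nodata          NOERROR with no records at all
#   servfail        SERVFAIL, the usual shape of a DNSSEC validation failure
#   unknown         anything else (REFUSED, truncated output, ...)
classify_dig_output() {
    out=$(cat)
    status=$(printf '%s\n' "$out" | dig_status)
    addrs=$(printf '%s\n' "$out" | dig_count_rr 'A|AAAA')
    cnames=$(printf '%s\n' "$out" | dig_count_rr 'CNAME')
    case "$status" in
        NOERROR)
            if [ "$addrs" -gt 0 ]; then echo ok
            elif [ "$cnames" -gt 0 ]; then echo dangling-cname
            else echo nodata; fi ;;
        NXDOMAIN)
            if [ "$cnames" -gt 0 ]; then echo dangling-cname; else echo nxdomain; fi ;;
        SERVFAIL) echo servfail ;;
        *) echo unknown ;;
    esac
}

# Live triage (needs dig and network; not run here). On a dangling CNAME the
# target is queried once normally and once with DNSSEC checking disabled (+cd).
# Target answers with +cd only  -> validation failure at the recursor.
# Target fails both ways        -> recursion itself or the upstream path.
triage() {
    name=$1; server=${2:-127.0.0.1}
    out=$(dig "@$server" "$name")
    verdict=$(printf '%s\n' "$out" | classify_dig_output)
    echo "$name via $server: $verdict"
    if [ "$verdict" = dangling-cname ]; then
        target=$(printf '%s\n' "$out" | dig_cname_target)
        echo "CNAME target: $target"
        echo "target, validating:   $(dig "@$server" "$target" | dig_status)"
        echo "target, +cd:          $(dig +cd "@$server" "$target" | dig_status)"
    fi
}

printf '%s\n' "$SAMPLE_NXDOMAIN" | classify_dig_output   # dangling-cname
```

Running `triage downloads.openwrt.org` and then `triage downloads.openwrt.org <upstream-ip>` gives the minimal differential: if the CNAME target resolves when asked of an upstream directly but not of 127.0.0.1, the fault is inside the local unbound configuration rather than on the network path.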

With that error symptom, a typical error is that you have not provided a DNS server and gateway address in the router's LAN interface config. (That can easily happen e.g. with dumb APs, as the clients get the info via DHCP, but the router itself has a fixed IP in LAN and needs the DNS and gateway to be set.)

3 Likes

Do you mind sharing an example of such? Here is what my network config looks like:

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd00:348:300::/48'
        option packet_steering '1'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth1'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option netmask '255.255.255.0'
        option ipaddr '192.168.1.1'
        option ip6assign '64'
        option ip6hint '2a90'
        option ip6ifaceid '::bad'
        list ip6class 'local'
        list ifname 'eth1'

config interface 'modem'
        option proto 'static'
        option ipaddr '192.168.100.2'
        option netmask '255.255.255.0'
        option device '@wan'

config interface 'wan'
        option proto 'dhcp'
        option device 'eth0'
        option broadcast '1'

config interface 'wan6'
        option proto 'dhcpv6'
        option reqprefix '60'
        option device 'eth0'
        option peerdns '1'
        option reqaddress 'try'
        option sourcefilter '0'

No clear advice for you, but my first guess is that the 'modem' interface with an IP may confuse the router's routing: possibly the traffic originating from the router itself sets the originating IP as '192.168.100.2', and that is unroutable for the actual WAN (which has got a proper IP via ISP DHCP).

What does your route table and metrics look like?

You might try removing that "modem" interface, or at least disable its autostart. (That interface is likely just needed for managing the DOCSIS modem at 192.168.100.1, but is not needed continuously.)
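The source-address hypothesis in the reply above can be tested directly rather than guessed at: `ip route get <dst>` (busybox ip or iproute2) prints the route the kernel would pick for a given destination together with the `src` address it would stamp on packets the router itself originates. The helper below is an added example for this editing pass, not code from the thread or from OpenWrt; it parses that one line and flags the case where `src` falls inside the modem interface's prefix while the traffic leaves through the WAN device. The embedded samples are constructed (192.0.2.x are documentation addresses standing in for the ISP-assigned WAN address and gateway) so the parser runs offline.

```sh
#!/bin/sh
# Added check (not from the thread): parse `ip route get` output and report the
# outgoing device, gateway and source address the kernel chose, then flag a
# source address from a prefix that the WAN should never be sending from.
# Live use:  route_verdict "$(ip route get 139.59.209.225)" 192.168.100

# Constructed sample: default route via the WAN device, but src from the modem subnet.
SAMPLE_ROUTE_BAD='139.59.209.225 via 192.0.2.1 dev eth0 src 192.168.100.2 uid 0
    cache'
# Constructed sample: src is the WAN address itself, the healthy case.
SAMPLE_ROUTE_OK='139.59.209.225 via 192.0.2.1 dev eth0 src 192.0.2.10 uid 0
    cache'

# Extract the value following keyword $1 ("dev", "via", "src") from the first
# line of `ip route get` output on stdin; prints nothing if the keyword is absent.
route_field() {
    sed -n "1s/.*[[:space:]]$1[[:space:]]\([^[:space:]]*\).*/\1/p"
}

# Exit 0 when the chosen source address lies inside the /24 whose first three
# dotted octets are $2 (e.g. 192.168.100), 1 otherwise.
src_in_prefix() {
    src=$(printf '%s\n' "$1" | route_field src)
    case "$src" in
        "$2".*) return 0 ;;
        *) return 1 ;;
    esac
}

# One-line summary: dev=<if> via=<gw> src=<addr> verdict=<suspect|ok>
route_verdict() {
    out=$1; prefix=$2
    dev=$(printf '%s\n' "$out" | route_field dev)
    via=$(printf '%s\n' "$out" | route_field via)
    src=$(printf '%s\n' "$out" | route_field src)
    if src_in_prefix "$out" "$prefix"; then v=suspect; else v=ok; fi
    echo "dev=$dev via=$via src=$src verdict=$v"
}

route_verdict "$SAMPLE_ROUTE_BAD" 192.168.100   # dev=eth0 via=192.0.2.1 src=192.168.100.2 verdict=suspect
```

A `suspect` verdict on the live router (source address in the modem's 192.168.100.0/24 while `dev` is the WAN interface) would confirm the guess; a `src` equal to the DHCP-assigned WAN address rules it out and puts the focus back on DNS.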

Set the router's DNS up. OpenWrt uses defaults for dnsmasq and assumes things at times. I ran into issues when I did similar to your config, replacing dnsmasq with AdGuardHome.

As I don't require the router to be filtered, I explicitly set the router to have its own upstream that uses regular UDP DNS, which also avoids the NTP issue (the router doesn't have the correct time and cannot update via secure DNS as the time is wrong).

The issue in reference happened to me when I installed unbound to run on port 53. In theory it should have worked, since unbound was listening on universal 0.0.0.0:53. It sounds to me like some consideration may be overlooked with the firewall, particularly with "lo" traffic, or an issue with unbound default security configurations, since it was returning NXDOMAIN for only "some" traffic.