dig will tell you which resolver(s) answered. You can also direct your query at the resolver(s) of your choice.
Installing dnsmasq instantly fixed the problem without having to add or change anything in the dhcp file.
However, using dig shows 127.0.0.1, so it's not clear to me what's changed. Is the local DNS forwarding requests to the DHCP-assigned DNS servers, or something else?
My intention is not to use unbound for local dns queries at all, only recursive from other devices on the lan.
;; ANSWER SECTION:
pets.com. 3600 IN A 3.33.139.32
;; Query time: 30 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
;; WHEN: Fri Jun 30 16:31:14 UTC 2023
;; MSG SIZE rcvd: 53
# dig +trace facts.com
; <<>> DiG 9.18.16 <<>> +trace facts.com
;; global options: +cmd
. 86221 IN NS i.root-servers.net.
. 86221 IN NS d.root-servers.net.
. 86221 IN NS e.root-servers.net.
. 86221 IN NS l.root-servers.net.
. 86221 IN NS k.root-servers.net.
. 86221 IN NS m.root-servers.net.
. 86221 IN NS a.root-servers.net.
. 86221 IN NS b.root-servers.net.
. 86221 IN NS g.root-servers.net.
. 86221 IN NS j.root-servers.net.
. 86221 IN NS c.root-servers.net.
. 86221 IN NS f.root-servers.net.
. 86221 IN NS h.root-servers.net.
. 86221 IN RRSIG NS 8 0 518400 20230713050000 20230630040000 60955 . ***snip***
;; Received 525 bytes from 127.0.0.1#53(127.0.0.1) in 10 ms
;; Received 38 bytes from 192.58.128.30#53(j.root-servers.net) in 0 ms
Is this telling me the DNS server used was 192.58.128.30?
Because the actual DNS server is:
~# cat /tmp/resolv.conf.d/resolv.conf.auto
$ Interface lan
nameserver 10.20.40.1
search localdomain
Nope.
The DNS server used was one of these:
;; AUTHORITY SECTION:
facts.com. 86400 IN NS ns-1027.awsdns-00.org.
facts.com. 86400 IN NS ns-1795.awsdns-32.co.uk.
facts.com. 86400 IN NS ns-473.awsdns-59.com.
facts.com. 86400 IN NS ns-848.awsdns-42.net.
unbound is recursive, so it would have queried j.root-servers.net first, on its way to finding the SOA for facts.com, before spewing out the rest of the stuff which you snipped:
$ dig +trace facts.com
; <<>> DiG 9.18.12-1ubuntu1.1-Ubuntu <<>> +trace facts.com
;; global options: +cmd
. 66452 IN NS m.root-servers.net.
. 66452 IN NS e.root-servers.net.
. 66452 IN NS f.root-servers.net.
. 66452 IN NS h.root-servers.net.
. 66452 IN NS j.root-servers.net.
. 66452 IN NS l.root-servers.net.
. 66452 IN NS g.root-servers.net.
. 66452 IN NS a.root-servers.net.
. 66452 IN NS c.root-servers.net.
. 66452 IN NS i.root-servers.net.
. 66452 IN NS b.root-servers.net.
. 66452 IN NS k.root-servers.net.
. 66452 IN NS d.root-servers.net.
;; Received 239 bytes from 127.0.0.53#53(127.0.0.53) in 24 ms
;; UDP setup with 2001:503:ba3e::2:30#53(2001:503:ba3e::2:30) for facts.com failed: network unreachable.
;; UDP setup with 2001:503:ba3e::2:30#53(2001:503:ba3e::2:30) for facts.com failed: network unreachable.
;; UDP setup with 2001:503:ba3e::2:30#53(2001:503:ba3e::2:30) for facts.com failed: network unreachable.
;; UDP setup with 2001:7fd::1#53(2001:7fd::1) for facts.com failed: network unreachable.
;; UDP setup with 2001:500:12::d0d#53(2001:500:12::d0d) for facts.com failed: network unreachable.
;; UDP setup with 2001:500:2::c#53(2001:500:2::c) for facts.com failed: network unreachable.
;; UDP setup with 2001:500:2f::f#53(2001:500:2f::f) for facts.com failed: network unreachable.
com. 172800 IN NS a.gtld-servers.net.
com. 172800 IN NS b.gtld-servers.net.
com. 172800 IN NS c.gtld-servers.net.
com. 172800 IN NS d.gtld-servers.net.
com. 172800 IN NS e.gtld-servers.net.
com. 172800 IN NS f.gtld-servers.net.
com. 172800 IN NS g.gtld-servers.net.
com. 172800 IN NS h.gtld-servers.net.
com. 172800 IN NS i.gtld-servers.net.
com. 172800 IN NS j.gtld-servers.net.
com. 172800 IN NS k.gtld-servers.net.
com. 172800 IN NS l.gtld-servers.net.
com. 172800 IN NS m.gtld-servers.net.
com. 86400 IN DS 30909 8 2 E2D3C916F6DEEAC73294E8268FB5885044A833FC5459588F4A9184CF C41A5766
com. 86400 IN RRSIG DS 8 1 86400 20230713050000 20230630040000 60955 . FXN/fUYfAQQsTQ2pRQ9u4fZ8SQpzUTmau4XpTt/g5fQT9nIrlEEnlyBc CoBF5XZhG05blqlbVMM1oG8FzzJ0pSSEdtf5poDuU/eLjvI3S4S/1yBh jJdW+ASl0hDIsd5uhQwteBZVKqHHBnOXkMRsuSeMO1aPo/UYSfKT0p05 GJbns/6dqD8qc5JBADUBmgL4vDvwMV1jwJIq5C4BAizAl2ILjgAvWWmz Zr+1HB0Vl2ul8NfutUm0+LmHOcAYo2m1op4JuKHvyU01Zr75VDBRXWJX CLif61D+SsLn4+fXx0m/RYhaEdh8unDbRPJgiWIdNRB4JBEwG1jGM+oE 5WCiQg==
;; Received 1169 bytes from 193.0.14.129#53(k.root-servers.net) in 20 ms
facts.com. 172800 IN NS ns-473.awsdns-59.com.
facts.com. 172800 IN NS ns-848.awsdns-42.net.
facts.com. 172800 IN NS ns-1027.awsdns-00.org.
facts.com. 172800 IN NS ns-1795.awsdns-32.co.uk.
CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 86400 IN NSEC3 1 1 0 - CK0Q2D6NI4I7EQH8NA30NS61O48UL8G5 NS SOA RRSIG DNSKEY NSEC3PARAM
CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 86400 IN RRSIG NSEC3 8 2 86400 20230705042331 20230628031331 46551 com. OW/dw2Ei8SAE3ow5LtoodmBAkm62b7ltSUcgn/bqJOEfmrrF4ZMe+yEh Q67jQnVXcxQH3IjW0BRFTE+BiQqa7qAIJHmVN0kBucl57JdYU+z1tX1O Y70KAQ4EZaWExPTr/wesZtrMvnq5t032uc1i+eWYGNaYv+aood3Rz4eZ lVcL/50MgH5QiWdgZzDgSJTupbagXjs+zhd63kcbbnxUkw==
9QCUCID48FBJ1APOJKTLM6Q0BUP0KEN4.com. 86400 IN NSEC3 1 1 0 - 9QCV5DI6U4QGL573QNVEFN9OCVA3DSIL NS DS RRSIG
9QCUCID48FBJ1APOJKTLM6Q0BUP0KEN4.com. 86400 IN RRSIG NSEC3 8 2 86400 20230705053620 20230628042620 46551 com. Pc2A2fzIgVB2696KsacNjILHl6jHGKOII1F7XKVByW841dd5dU8oEvKw cB2cyCqfk+2u+uP1xCjMscsKFKfLwvPNkGQ8cQDj4YCjluXykcBtfIO8 MEQQRmGVgcn+Dj+pLSxW+E7/l2ABV5td07QLqRReONCEkV+R4q51X3/g D5++sc/wV3bGcb26Cy+CvT4XQX8iprnQACSEUvEaV8bdSQ==
;; Received 740 bytes from 192.35.51.30#53(f.gtld-servers.net) in 28 ms
facts.com. 300 IN A 52.200.113.215
facts.com. 172800 IN NS ns-1027.awsdns-00.org.
facts.com. 172800 IN NS ns-1795.awsdns-32.co.uk.
facts.com. 172800 IN NS ns-473.awsdns-59.com.
facts.com. 172800 IN NS ns-848.awsdns-42.net.
;; Received 191 bytes from 205.251.195.80#53(ns-848.awsdns-42.net) in 28 ms
I only snipped the long code.
Unfortunately, I don't know enough about dns to fully understand what I'm seeing here.
Not sure why I'm seeing errors.
# dig +trace pets.com
; <<>> DiG 9.18.16 <<>> +trace pets.com
;; global options: +cmd
. 85752 IN NS c.root-servers.net.
. 85752 IN NS k.root-servers.net.
. 85752 IN NS j.root-servers.net.
. 85752 IN NS f.root-servers.net.
. 85752 IN NS d.root-servers.net.
. 85752 IN NS m.root-servers.net.
. 85752 IN NS l.root-servers.net.
. 85752 IN NS e.root-servers.net.
. 85752 IN NS i.root-servers.net.
. 85752 IN NS b.root-servers.net.
. 85752 IN NS g.root-servers.net.
. 85752 IN NS a.root-servers.net.
. 85752 IN NS h.root-servers.net.
. 85752 IN RRSIG NS 8 0 518400 20230713050000 20230630040000 60955 . rFEyMCV9N8NcU1RWF qyycag==
;; Received 525 bytes from 127.0.0.1#53(127.0.0.1) in 170 ms
;; UDP setup with 2001:500:9f::42#53(2001:500:9f::42) for pets.com failed: network unreachable.
;; UDP setup with 2001:500:9f::42#53(2001:500:9f::42) for pets.com failed: network unreachable.
;; UDP setup with 2001:500:9f::42#53(2001:500:9f::42) for pets.com failed: network unreachable.
;; UDP setup with 2001:503:ba3e::2:30#53(2001:503:ba3e::2:30) for pets.com failed: network unreachable.
;; UDP setup with 2001:dc3::35#53(2001:dc3::35) for pets.com failed: network unreachable.
;; UDP setup with 2001:500:2f::f#53(2001:500:2f::f) for pets.com failed: network unreachable.
pets.com. 2919 IN A 3.33.139.32
;; Received 53 bytes from 192.36.148.17#53(i.root-servers.net) in 30 ms
Those errors in my copied output are because I'm not running IPv6, but the records contain IPv6 addresses. Thus any attempt at IPv6 resolution will fail (for me), but IPv4 resolution will succeed.
Adding dnsmasq has solved the dns problem but am I still where I'd like to be?
It's OK if unbound is in play in this, but when it's being used as a recursive DNS server for other devices on the LAN, at that point I want it not to forward to the ISP and basically be a standalone DNS server. You know, for some privacy.
Oh, so what I'm seeing are IPv6 addresses that show as failed since I'm not actually using IPv6.
That is unbound's default behaviour anyway.
unbound never uses - or should never use, if it's working properly - any resolvers other than the Root Servers for the first query. That's the point of recursive DNS: ask the Root Servers first for the SOA for the TLD. Then ask the TLD's SOA for the SOA for the next subdomain. And so on, all the way down to the final SOA for the domain you want.
You can test it by monitoring its queries. If you ever see a query go to your ISP's DNS servers (i.e. a query for a host which isn't hosted by your ISP), then you know there's something to investigate.
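An added example, not from the thread, of the check described above: it parses the `dig +trace` output quoted earlier, lists every server that answered, flags any that appears on a list of resolvers you don't want involved (here the ISP's 10.20.40.1 from resolv.conf.auto), and counts the IPv6 "network unreachable" setup failures separately so a v4-only host doesn't mistake them for resolution errors. The sample text is constructed from the thread's output, and the leaky variant is constructed to show a failing case.

```python
"""Audit a `dig +trace` run: which servers answered, and did any
unwanted resolver (e.g. the ISP's) take part?"""
import re
from ipaddress import ip_address

# Constructed sample, trimmed from the pets.com trace quoted in the thread.
TRACE = """\
;; Received 525 bytes from 127.0.0.1#53(127.0.0.1) in 170 ms
;; UDP setup with 2001:500:9f::42#53(2001:500:9f::42) for pets.com failed: network unreachable.
;; UDP setup with 2001:503:ba3e::2:30#53(2001:503:ba3e::2:30) for pets.com failed: network unreachable.
pets.com. 2919 IN A 3.33.139.32
;; Received 53 bytes from 192.36.148.17#53(i.root-servers.net) in 30 ms
"""
# Constructed counter-example: the first hop is the ISP resolver from resolv.conf.auto.
LEAKY_TRACE = TRACE.replace("127.0.0.1#53(127.0.0.1)", "10.20.40.1#53(10.20.40.1)")

HOP_RE = re.compile(r"^;; Received \d+ bytes from ([^#\s]+)#(\d+)\(([^)]+)\)")
FAIL_RE = re.compile(r"^;; UDP setup with ([^#\s]+)#\d+\([^)]+\) for \S+ failed: (.+)$")


def parse_trace(text):
    """Return (hops, failures): hops are the servers that answered, in order;
    failures are the transport-level setup errors dig reported."""
    hops, failures = [], []
    for line in text.splitlines():
        if m := HOP_RE.match(line):
            hops.append({"ip": m.group(1), "port": int(m.group(2)), "name": m.group(3)})
        elif m := FAIL_RE.match(line):
            failures.append({"ip": m.group(1), "reason": m.group(2)})
    return hops, failures


def audit_trace(text, unwanted_resolvers):
    """Summarise a trace. Hop 0 is the local resolver dig asked for the root
    NS list (127.0.0.1 here); later hops are servers dig itself walked to."""
    hops, failures = parse_trace(text)
    unwanted = {ip_address(ip) for ip in unwanted_resolvers}
    leaks = [h["ip"] for h in hops if ip_address(h["ip"]) in unwanted]
    # IPv6 "network unreachable" on a v4-only host is noise, not a resolution error.
    v6_unreach = [f for f in failures
                  if ip_address(f["ip"]).version == 6 and "unreachable" in f["reason"]]
    return {
        "hops": [h["name"] for h in hops],
        "leaks": leaks,
        "ipv6_unreachable": len(v6_unreach),
        "other_failures": len(failures) - len(v6_unreach),
        "clean": not leaks and len(failures) == len(v6_unreach),
    }
```

Feed it the saved output of `dig +trace <name>` and a list of the resolver addresses from your resolv.conf.auto; a non-empty `leaks` list means one of them answered.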
Nice, so if I understand, in effect I have the best of both worlds now.
Using dnsmasq and unbound, I'm not using the ISP, and if the unbound local server is used by local clients, they are also not using the ISP DNS, and there is a redundant DNS server.
Yes... as long as dnsmasq isn't conflicting with unbound.
It is also possible to daisy-chain the two if you wish, with dnsmasq acting as the local resolver, configured to forward requests to unbound. If running on the same host, then dnsmasq and unbound can't both listen on the same port.
This is how I run my own DNS. I have dnsmasq acting as DHCP and internal DNS for my LAN, forwarding external DNS requests to unbound on the same host (listening on port 5353/udp), which then sends the requests onward to the Root Servers.
Well, it worked out of the box once I installed dnsmasq, but now I'm wondering whether I should do any additional configuring to get what you mention above. As mentioned, I like to keep my default build using Image Builder so that if I mess up a router I can easily reflash it, so I would have to pre-configure a file in files/.
Entirely up to you. It doesn't take much extra configuration to achieve.
dnsmasq: forward upstream to 127.0.0.1:5353
unbound: listen on 127.0.0.1:5353
You can even do further nesting if you're feeling froggy:
dnsmasq: forward upstream to 127.0.0.1:5335
adguardhome: listen on 127.0.0.1:5335, forward upstream to 127.0.0.1:5353
unbound: listen on 127.0.0.1:5353
But such flexibility comes at the expense of simplicity. You might decide that what currently works is good enough for your needs.
If you want a standalone DNS server, it still needs to update entries that have outlived their TTL. You won't get much more privacy out of making a standalone DNS server. If you want more privacy, consider using a VPN for DNS, data, or both.
What IP and port is Unbound listening on to serve the LAN? Is dnsmasq now conflicting?
What is the benefit of having dnsmasq forwarding requests to unbound? Seems double to me.
Understood, but a VPN isn't a solution in this case. I just like to use the routers for multiple tasks when I build them for something. In this case, the router is being used as an SDR antenna, but I want to have a DNS server for emergency and privacy.
This is the new device I put online to test the things we've talked about in this post.
In terms of ports:
From a Linux server on the LAN:
$ nmap 192.168.192.5
PORT STATE SERVICE
22/tcp open ssh
53/tcp open domain
On the router itself:
$ netstat -tupl
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 192.168.192.5:domain 0.0.0.0:* LISTEN 1229/dnsmasq
tcp 0 0 localhost:domain 0.0.0.0:* LISTEN 1229/dnsmasq
tcp 0 0 0.0.0.0:ssh 0.0.0.0:* LISTEN 1251/dropbear
tcp 0 0 fe80::9683:c4ff:fe1b:9fc4:domain :::* LISTEN 1229/dnsmasq
tcp 0 0 fe80::9683:c4ff:fe1b:9fc4:domain :::* LISTEN 1229/dnsmasq
tcp 0 0 fe80::9683:c4ff:fe1b:9fc4:domain :::* LISTEN 1229/dnsmasq
tcp 0 0 localhost:domain :::* LISTEN 1229/dnsmasq
tcp 0 0 :::ssh :::* LISTEN 1251/dropbear
udp 0 0 192.168.192.5:domain 0.0.0.0:* 1229/dnsmasq
udp 0 0 localhost:domain 0.0.0.0:* 1229/dnsmasq
udp 0 0 :::dhcpv6-server :::* 1478/odhcpd
udp 0 0 fe80::9683:c4ff:fe1b:9fc4:domain :::* 1229/dnsmasq
udp 0 0 fe80::9683:c4ff:fe1b:9fc4:domain :::* 1229/dnsmasq
udp 0 0 fe80::9683:c4ff:fe1b:9fc4:domain :::* 1229/dnsmasq
udp 0 0 localhost:domain :::* 1229/dnsmasq
Gotcha bro, special case. Then it's all up for grabs; see what works best.
So unbound is either disabled or failed to start due to dnsmasq occupying port 53. What does logread tell you?
Fri Jun 30 17:18:33 2023 daemon.info procd: Instance unbound::unbound s in a crash loop 7 crashes, 0 seconds since last crash