[solved] Unbound doesn’t resolve static leases (take 2)

aboaboit · March 30, 2020, 1:36pm

On the face of it, my issue looked very much like that mentionedd in a previous (closed) post

I have tried the fix recommended by @davids but it doesn't seem to be working. I have restarted both the router and one test client (with a static lease), but I'm still getting lookup failures, both on the router itself and on a different client. Not only static leases are not being found, even hosts with fixed addresses are unknown. FQDN or shortname makes no difference.

I followed this guide for the "Parallel dnsmasq" scenario.

If I query dnsmasq (on port 1053) from the clients, I get a valid reply, so it looks like the query to unbound is going straight to the root servers, which obviously isn't ideal

Any tips?

dlakelan · March 30, 2020, 2:28pm

I use dnsmasq for serving DNS and tell it to talk to unbound upstream on port 5353, unbound then does DoT to 1.1.1.1 the scheme works well and resolves local names no problem.

aboaboit · March 30, 2020, 2:42pm

@dlakelan I assume DoT stands for "DNS over TLS", which is something I'll deal with later once I have it working.

Most importantly, you seem to have followed the so-called "serial" approach. I have read the documentation and decided that I wanted to follow the "parallel" one. I'll get back to you if I decide to switch tactic, for the moment thanks for the help.

dlakelan · March 30, 2020, 2:54pm

Yes, my device is a RPi4 with 4GB of RAM and 64 Gigs of microsd, I have dnsmasq cache set to something like 5000 entries, so neither resource consumption nor speed are of any concern. Dns over tls generally adds latency to the initial lookup so caching is essential.

Good luck.

anomeome · March 30, 2020, 5:00pm

Any hint to be found by inspecting the generated config files under

/tmp/lib/unbound/

aboaboit · March 30, 2020, 5:09pm

@anomeome good idea, anything specific I should look out for? I see that the local dnsmasq port is present and correct, would you like the complete file?

anomeome · March 30, 2020, 6:32pm

I just did a quick test on a couple of devices and things worked for me. As per dlakelan above I was running serial, I made just the changes required to run parallel and the static leases resolve.

/etc/config/unbound
#	option dhcp_link 'none'
	option dhcp_link 'dnsmasq'
#	option listen_port '5353'
	option listen_port '53'
/etc/config/dhcp
#	option port '53'
	option port '5353'
#	list server '127.0.0.1#5353'
#	list server '::1#5353'

Edit: should add I'm on master, which iirc is a more recent version of unbound than the 19.x readme you linked above.

aboaboit · March 30, 2020, 8:43pm

I'll try comparing the two READMEs in case some changes were made. Other than a different port number, I don't see anything obviously wrong in my setup compared to the above snippet.

I'll have a look tomorrow, then post the raw config if I can't solve it. Thanks, btw.

aboaboit · April 1, 2020, 4:58pm

Hmm, I thought I needed to add a forward-zone and did so via luci; turns out I was wrong, since the "dnsmasq" link option probably takes care of that.

However I noticed that this implicit zone definition uses "forward-addr" while my expllcit zone uses "forward-host".

Anyhow, it still doesn't work: with "forward-host" I get a SERVFAIL, whereas "forward-addr" gives me NXDOMAIN because it goes straight to root: even considering an earlier post on host vs domain, I still get no reply for both static addresses (config domain) and static leases (config host)

@anomeome here is the unbound.conf file, with masked data:
(I started masking it before testing, never mind the timestamp)

unbound.conf

# /var/lib/unbound/unbound.conf generated by UCI 2020-03-30T11:09:25+0000
# /var/lib/unbound/server.conf.tmp generated by UCI 2020-03-30T11:09:25+0000
server:
  username: unbound
  chroot: /var/lib/unbound
  directory: /var/lib/unbound
  pidfile: /var/run/unbound.pid
  tls-cert-bundle: /var/lib/unbound/ca-certificates.crt

  num-threads: 1
  msg-cache-slabs: 1
  rrset-cache-slabs: 1
  infra-cache-slabs: 1
  key-cache-slabs: 1

  use-syslog: yes
  statistics-interval: 0
  statistics-cumulative: no
  verbosity: 1
  extended-statistics: no

  edns-buffer-size: 1280
  port: 53
  outgoing-port-permit: 10240-65535
  interface: 0.0.0.0
  interface: ::0

  module-config: "iterator"

  cache-min-ttl: 120
  cache-max-ttl: 72000
  val-bogus-ttl: 300
  infra-host-ttl: 900

  hide-identity: yes
  hide-version: yes

  private-address: 10.0.0.0/8
  private-address: 100.64.0.0/10
  private-address: 169.254.0.0/16
  private-address: 172.16.0.0/12
  private-address: 192.168.0.0/16
  private-address: fc00::/7
  private-address: fe80::/10

  access-control: LAN/24 allow
  access-control: xxxx:yyyy:zzzz:2::c0:fefe/64 allow
  access-control: aaaa:bbbb:cccc:2::c0:fefe/64 allow
  access-control: WAN/32 allow
  access-control: MODEM/24 allow
  access-control: GUEST/24 allow
  access-control: xxxx:yyyy:zzzz:3::c0:fefe/64 allow
  access-control: aaaa:bbbb:cccc:3::c0:fefe/64 allow
  access-control: HE_NET/64 allow
  access-control: 127.0.0.0/8 allow
  access-control: ::1/128 allow
  access-control: fe80::/10 allow

# /var/lib/unbound/host.conf.tmp generated by UCI 2020-03-30T11:09:25+0000
# Local zone is handled by dnsmasq

# /var/lib/unbound/dnsmasq_srv.conf.tmp generated by UCI 2020-03-30T11:09:25+0000
  do-not-query-localhost: no

  domain-insecure: localdomain,192.168.0.0/16
  private-domain: localdomain,192.168.0.0/16
  local-zone: localdomain,192.168.0.0/16 transparent

  domain-insecure: REVLAN.in-addr.arpa
  private-domain: REVLAN.in-addr.arpa
  local-zone: REVLAN.in-addr.arpa transparent

  domain-insecure: REVLAN6.ip6.arpa
  private-domain: REVLAN6.ip6.arpa
  local-zone: REVLAN6.ip6.arpa transparent

  domain-insecure: REVULALAN.ip6.arpa
  private-domain: REVULALAN.ip6.arpa
  local-zone: REVULALAN.ip6.arpa transparent

  domain-insecure: REVGUEST.in-addr.arpa
  private-domain: REVGUEST.in-addr.arpa
  local-zone: REVGUEST.in-addr.arpa transparent

  domain-insecure: REVGUEST6.ip6.arpa
  private-domain: REVGUEST6.ip6.arpa
  local-zone: REVGUEST6.ip6.arpa transparent

  domain-insecure: REVULAGUEST.ip6.arpa
  private-domain: REVULAGUEST.ip6.arpa
  local-zone: REVULAGUEST.ip6.arpa transparent
	
include: /var/lib/unbound/unbound_srv.conf

# /var/lib/unbound/zone.conf.tmp generated by UCI 2020-03-30T11:09:24+0000
# /var/lib/unbound/ctrl.conf.tmp generated by UCI 2020-03-30T11:09:25+0000
# /var/lib/unbound/dnsmasq_ext.conf.tmp generated by UCI 2020-03-30T11:09:25+0000
forward-zone:
  name: localdomain,192.168.0.0/16
  forward-first: no
  forward-addr: 127.0.0.1@1053

forward-zone:
  name: REVLAN.in-addr.arpa
  forward-first: no
  forward-addr: 127.0.0.1@1053

forward-zone:
  name: REVLAN6.ip6.arpa
  forward-first: no
  forward-addr: 127.0.0.1@1053

forward-zone:
  name: REVULALAN.ip6.arpa
  forward-first: no
  forward-addr: 127.0.0.1@1053

forward-zone:
  name: REVGUEST.in-addr.arpa
  forward-first: no
  forward-addr: 127.0.0.1@1053

forward-zone:
  name: REVGUEST6.ip6.arpa
  forward-first: no
  forward-addr: 127.0.0.1@1053

forward-zone:
  name: REVULAGUEST.ip6.arpa
  forward-first: no
  forward-addr: 127.0.0.1@1053

include: /var/lib/unbound/unbound_ext.conf

anomeome · April 1, 2020, 5:35pm

The local lookup appears incorrect, if of any assistance here are the relevant bits of the two relevant config files that I changed the other day.

/etc/config/unbound

config unbound
	option add_extra_dns '0'
	option add_local_fqdn '0'
	option add_wan_fqdn '0'
#	option dhcp_link 'none'
	option dhcp_link 'dnsmasq'
	option dhcp4_slaac6 '0'
	option dns64 '0'
	option dns64_prefix '64:ff9b::/96'
	option domain 'bsa.net'
#	option domain_type 'static'
	option domain_type 'refuse'
	option edns_size '1280'
	option extended_stats '0'
	option hide_binddata '1'
#	option listen_port '5353'
	option listen_port '53'
	option localservice '1'
	option manual_conf '0'
	option num_threads '2'
	option protocol 'default'
	option query_minimize '0'
	option query_min_strict '0'
	option rebind_localhost '0'
	option rebind_protection '1'
	option recursion 'default'
	option resource 'default'
	option root_age '9'
	option ttl_min '120'
	option unbound_control '0'
	option validator '1'
	option validator_ntp '1'
	option verbosity '1'
	list trigger_interface 'lan'
	list trigger_interface 'wan'
	list domain_insecure 'bsa.net'

config zone
	option enabled '1'
	option zone_type 'forward_zone'
	option fallback '1'
	option resolv_conf '0'
	option tls_upstream '1'
	list server '2620:fe::9@853#dns.quad9.net'
	list server '9.9.9.9@853#dns.quad9.net'
	list server '8.8.8.8@853#dns.google'
	list server '2001:4860:4860::8888@853#dns.google'
	list server '1.1.1.1@853#cloudflare-dns.com'
	list server '2606:4700:4700::1111@853#cloudflare-dns.com'
	list zone_name '.'

/etc/config/dhcp

config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option expandhosts '1'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option nonwildcard '1'
	option localservice '1'
	option domain 'bsa.net'
	option local '/bsa/'
	list server '/3.ca.pool.ntp.org/8.8.4.4'
	list server '/2.ca.pool.ntp.org/8.8.4.4'
	list server '/1.ca.pool.ntp.org/149.112.112.10'
	list server '/0.ca.pool.ntp.org/9.9.9.10'
#	list server '127.0.0.1#5353'
#	list server '::1#5353'
#	option cachesize '512'
	option cachesize '128'
	option noresolv '1'
#	option port '53'
	option port '5353'
	option proxydnssec '1'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'

config dhcp 'lan'
	option interface 'lan'
	option start '129'
	option limit '126'
	option dhcpv6 'server'
	option ra 'server'
	option leasetime '1h'
	list dhcp_option 'option:dns-server,0.0.0.0'
	option ra_default '1'
	option ra_management '1'

config dhcp 'guest'
	option interface 'guest'
	option start '129'
	option limit '126'
	option leasetime '1h'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config host
	option name 'bsaAP'
	option dns '1'
	option mac 'xx:xx:xx:xx:xx:xx'
	option ip '192.168.120.2'

With this I can ssh into the static DHCP target bsaAP (a C7V2 acting as an AP running OpenWrt) using hostname or FQDN.

aboaboit · April 1, 2020, 5:44pm

Thanks for the config, I'll try to compare it with mine.
Couple of questions, though:

incorrect local lookup: which keyword are you referring to, local-zone, forward-zone or something else?
minor curiosity: how did you do the expandable file box?

anomeome · April 1, 2020, 5:47pm

forward-zone:
  name: localdomain,192.168.0.0/16

is what caught my eye, unsure though, depends on your config.

Hide Details under the wee star to the right of the toolbar.

aboaboit · April 2, 2020, 8:51am

@anomeome thanks for the tip, I have edited my post, it works nicely.

Back on topic: that definition came from /etc/config/dhcp and it's been like that for, well, ages. I could try to find out why it was so (meaning, both "option local" and "option domain", the latter with domainname and IP/mask), with but it wouldn't really help in this case; in fact, I've tried removing the IP/mask and restarting both dnsmasq and unbound, no luck.

Ok, I'll have more questions once I have compared the config files.

aboaboit · April 4, 2020, 6:51pm

@anomeome looks like you were correct, I must have made some mistakes during testing: changing
option domain 'localdomain,192.168.0.0/16'
to
option domain 'localdomain'
indeed fixed the fqdn dig lookup.

Also, I have apparently fixed the "host works / domain does not" issue I mentioned earlier by changing
add_extra_dns from the default 0 to 1.

EDIT: I had another question but it's getting off-topic, it's better if I close this thread and create a new one.

system · April 14, 2020, 6:51pm

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.