Hello.
Is it possible to use unbound along with vpn-pbr?
For testing purposes I installed unbound following this tutorial:
After installing it and disabling DNS role with:
uci set dhcp.@dnsmasq[0].port="0"
uci commit dhcp
/etc/init.d/dnsmasq restart
I am losing my internet connection.
The first step will be to get unbound working correctly.
After that I will check whether it can work along with vpn-pbr routing.
So can someone help me to get unbound to work? @trendy 
opkg update
opkg install ca-bundle
/etc/init.d/unbound restart
Okay. I did that. ca-bundle was already up to date... What's next?
Log and status
Mon Jan 4 13:13:50 2021 daemon.info procd: Instance unbound::unbound s in a crash loop 6 crashes, 0 seconds since last crash
Runtime configuration
empty
Persistent configuration
unbound.@unbound[0]=unbound
unbound.@unbound[0].add_extra_dns='0'
unbound.@unbound[0].add_local_fqdn='1'
unbound.@unbound[0].add_wan_fqdn='0'
unbound.@unbound[0].dhcp_link='none'
unbound.@unbound[0].dns64='0'
unbound.@unbound[0].domain='lan'
unbound.@unbound[0].domain_type='static'
unbound.@unbound[0].edns_size='1280'
unbound.@unbound[0].extended_stats='0'
unbound.@unbound[0].hide_binddata='1'
unbound.@unbound[0].interface_auto='1'
unbound.@unbound[0].listen_port='53'
unbound.@unbound[0].localservice='1'
unbound.@unbound[0].manual_conf='0'
unbound.@unbound[0].num_threads='1'
unbound.@unbound[0].protocol='default'
unbound.@unbound[0].rate_limit='0'
unbound.@unbound[0].rebind_localhost='0'
unbound.@unbound[0].rebind_protection='1'
unbound.@unbound[0].recursion='default'
unbound.@unbound[0].resource='default'
unbound.@unbound[0].root_age='9'
unbound.@unbound[0].ttl_min='120'
unbound.@unbound[0].unbound_control='0'
unbound.@unbound[0].validator_ntp='1'
unbound.@unbound[0].verbosity='1'
unbound.@unbound[0].trigger_interface='lan' 'wan'
unbound.@unbound[0].enabled='1'
unbound.@unbound[0].validator='1'
unbound.forward=zone
unbound.forward.enabled='1'
unbound.forward.fallback='0'
unbound.forward.zone_type='forward_zone'
unbound.forward.tls_upstream='1'
unbound.forward.tls_index='dns.google'
unbound.forward.zone_name='.'
unbound.forward.server='2001:4860:4860::8888' '2001:4860:4860::8844' '8.8.8.8' '8.8.4.4'
Check the system and package versions and make sure the port is free:
ubus call system board; \
opkg list-installed | grep -e unbound-daemon -e ca-bundle; \
netstat -l -n -p | grep -e :53
"kernel": "4.14.209",
"hostname": "OpenWrt",
"model": "Raspberry Pi 3 Model B Plus Rev 1.3",
"board_name": "raspberrypi,3-model-b-plus",
"release": {
"distribution": "OpenWrt",
"version": "19.07.5",
"revision": "r11257-5090152ae3",
"target": "brcm2708/bcm2710",
"description": "OpenWrt 19.07.5 r11257-5090152ae3"
}
}
ca-bundle - 20200601-1
unbound-daemon - 1.11.0-2
tcp 0 0 10.2.23.208:53 0.0.0.0:* LISTEN 4273/dnsmasq
tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN 4273/dnsmasq
tcp 0 0 192.168.1.2:53 0.0.0.0:* LISTEN 4273/dnsmasq
tcp 0 0 fe80::72ac:72db:cf4f:a321:53 :::* LISTEN 4273/dnsmasq
tcp 0 0 ::1:53 :::* LISTEN 4273/dnsmasq
tcp 0 0 fe80::ba27:ebff:fe0d:a6b5:53 :::* LISTEN 4273/dnsmasq
tcp 0 0 fd7a:c322:7f86::1:53 :::* LISTEN 4273/dnsmasq
tcp 0 0 fe80::ba27:ebff:fe58:f3e0:53 :::* LISTEN 4273/dnsmasq
udp 0 0 10.2.23.208:53 0.0.0.0:* 4273/dnsmasq
udp 0 0 127.0.0.1:53 0.0.0.0:* 4273/dnsmasq
udp 0 0 192.168.1.2:53 0.0.0.0:* 4273/dnsmasq
udp 0 0 fe80::72ac:72db:cf4f:a321:53 :::* 4273/dnsmasq
udp 0 0 ::1:53 :::* 4273/dnsmasq
udp 0 0 fe80::ba27:ebff:fe0d:a6b5:53 :::* 4273/dnsmasq
udp 0 0 fd7a:c322:7f86::1:53 :::* 4273/dnsmasq
udp 0 0 fe80::ba27:ebff:fe58:f3e0:53 :::* 4273/dnsmasq
It appears that dnsmasq is still working as your main DNS server.
uci show dhcp
dhcp.@dnsmasq[0]=dnsmasq
dhcp.@dnsmasq[0].domainneeded='1'
dhcp.@dnsmasq[0].localise_queries='1'
dhcp.@dnsmasq[0].rebind_protection='1'
dhcp.@dnsmasq[0].rebind_localhost='1'
dhcp.@dnsmasq[0].local='/lan/'
dhcp.@dnsmasq[0].domain='lan'
dhcp.@dnsmasq[0].expandhosts='1'
dhcp.@dnsmasq[0].readethers='1'
dhcp.@dnsmasq[0].leasefile='/tmp/dhcp.leases'
dhcp.@dnsmasq[0].localservice='1'
dhcp.@dnsmasq[0].confdir='/tmp/dnsmasq.d'
dhcp.@dnsmasq[0].dnssec='1'
dhcp.lan=dhcp
dhcp.lan.interface='lan'
dhcp.lan.ra='server'
dhcp.lan.ignore='1'
dhcp.wan=dhcp
dhcp.wan.interface='wan'
dhcp.wan.ignore='1'
dhcp.odhcpd=odhcpd
dhcp.odhcpd.maindhcp='0'
dhcp.odhcpd.leasefile='/tmp/hosts/odhcpd'
dhcp.odhcpd.leasetrigger='/usr/sbin/odhcpd-update'
dhcp.odhcpd.loglevel='4'
Specify an alternative free port:
uci set unbound.@unbound[0].listen_port="5053"
uci commit unbound
/etc/init.d/unbound restart
And perform the troubleshooting again.
Looks much better!
root@OpenWrt:/etc/config# logread -e unbound; netstat -l -n -p | grep -e unbound
Mon Jan 4 14:20:25 2021 daemon.notice unbound: [6548:0] notice: init module 0: validator
Mon Jan 4 14:20:25 2021 daemon.notice unbound: [6548:0] notice: init module 1: iterator
Mon Jan 4 14:20:25 2021 daemon.info unbound: [6548:0] info: start of service (unbound 1.11.0).
tcp 0 0 0.0.0.0:5053 0.0.0.0:* LISTEN 6548/unbound
tcp 0 0 :::5053 :::* LISTEN 6548/unbound
udp 0 0 0.0.0.0:5053 0.0.0.0:* 6548/unbound
udp 0 0 :::5053 :::* 6548/unbound
root@OpenWrt:/etc/config# pgrep -f -a unbound
6548 /usr/sbin/unbound -d -c /var/lib/unbound/unbound.conf
root@OpenWrt:/etc/config# uci show unbound
unbound.@unbound[0]=unbound
unbound.@unbound[0].add_extra_dns='0'
unbound.@unbound[0].add_local_fqdn='1'
unbound.@unbound[0].add_wan_fqdn='0'
unbound.@unbound[0].dhcp_link='none'
unbound.@unbound[0].dns64='0'
unbound.@unbound[0].domain='lan'
unbound.@unbound[0].domain_type='static'
unbound.@unbound[0].edns_size='1280'
unbound.@unbound[0].extended_stats='0'
unbound.@unbound[0].hide_binddata='1'
unbound.@unbound[0].interface_auto='1'
unbound.@unbound[0].localservice='1'
unbound.@unbound[0].manual_conf='0'
unbound.@unbound[0].num_threads='1'
unbound.@unbound[0].protocol='default'
unbound.@unbound[0].rate_limit='0'
unbound.@unbound[0].rebind_localhost='0'
unbound.@unbound[0].rebind_protection='1'
unbound.@unbound[0].recursion='default'
unbound.@unbound[0].resource='default'
unbound.@unbound[0].root_age='9'
unbound.@unbound[0].ttl_min='120'
unbound.@unbound[0].unbound_control='0'
unbound.@unbound[0].validator_ntp='1'
unbound.@unbound[0].verbosity='1'
unbound.@unbound[0].trigger_interface='lan' 'wan'
unbound.@unbound[0].enabled='1'
unbound.@unbound[0].validator='1'
unbound.@unbound[0].listen_port='5053'
unbound.forward=zone
unbound.forward.enabled='1'
unbound.forward.fallback='0'
unbound.forward.zone_type='forward_zone'
unbound.forward.tls_upstream='1'
unbound.forward.tls_index='dns.google'
unbound.forward.zone_name='.'
unbound.forward.server='2001:4860:4860::8888' '2001:4860:4860::8844' '8.8.8.8' '8.8.4.4'
What's next?
Disable dnsmasq DNS role:
https://openwrt.org/docs/guide-user/base-system/dhcp_configuration#disabling_dns_role
Set Unbound as default DNS:
uci set unbound.@unbound[0].listen_port="53"
uci commit unbound
/etc/init.d/unbound restart
Did it
root@OpenWrt:/etc/config# logread -e unbound; netstat -l -n -p | grep -e unbound
Mon Jan 4 14:29:27 2021 daemon.notice unbound: [7067:0] notice: init module 0: validator
Mon Jan 4 14:29:27 2021 daemon.notice unbound: [7067:0] notice: init module 1: iterator
Mon Jan 4 14:29:27 2021 daemon.info unbound: [7067:0] info: start of service (unbound 1.11.0).
tcp 0 0 0.0.0.0:53 0.0.0.0:* LISTEN 7067/unbound
tcp 0 0 :::53 :::* LISTEN 7067/unbound
udp 0 0 0.0.0.0:53 0.0.0.0:* 7067/unbound
udp 0 0 :::53 :::* 7067/unbound
Is unbound working now?
vpn-pbr seems to work too...
Should I restart the router to test if everything works after a reboot?
Check out:
cat /etc/resolv.conf; nslookup example.org
Well, it doesn't hurt to try.
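The two checks trendy asks for in this thread (which process holds port 53 in the `netstat -l -n -p` output, and whether the router itself resolves through 127.0.0.1/::1 per `cat /etc/resolv.conf`) as one added sh script. This is example code written for this page, not from the thread or from the Unbound/OpenWrt packages; the netstat and resolv.conf samples are copied from the outputs posted above and embedded so the script runs offline. The function names (`port_owner`, `diagnose_port53`, `resolv_nameservers`, `resolver_is_local`) are my own.

```sh
#!/bin/sh
# Added diagnostic helpers for the two checks used in this thread:
#  1. which program owns port 53 (from `netstat -l -n -p` output), and
#  2. which resolver the router itself uses (from /etc/resolv.conf).
# Example code written for this page; samples below are copied from the thread.

# Print the distinct program names bound to TCP/UDP port $1.
# stdin: output of `netstat -l -n -p` (busybox layout: local address is
# field 4, "PID/Program" is the last field on both tcp and udp lines).
port_owner() {
    awk -v port="$1" '
        $1 ~ /^(tcp|udp)/ {
            n = split($4, addr, ":")      # port is the text after the last ":"
            if (addr[n] != port) next     # handles 0.0.0.0:53, :::53, fe80::x:53
            split($NF, prog, "/")         # "4273/dnsmasq" -> prog[2] = "dnsmasq"
            if (prog[2] != "") seen[prog[2]] = 1
        }
        END { for (p in seen) print p }' | sort -u | tr '\n' ' ' | sed 's/ $//'
}

# Read netstat output on stdin and say what the port-53 situation means.
# Exit status: 0 = Unbound owns :53, 1 = dnsmasq still owns it (the crash-loop
# cause in this thread), 2 = nothing listens, 3 = some other program.
diagnose_port53() {
    owner=$(port_owner 53)
    case "$owner" in
        "")        echo "nothing listens on :53 (is Unbound running?)"; return 2 ;;
        unbound)   echo "unbound owns :53"; return 0 ;;
        *dnsmasq*) echo "dnsmasq still owns :53: set dhcp.@dnsmasq[0].port=0 or move Unbound to a free port"; return 1 ;;
        *)         echo "unexpected owner of :53: $owner"; return 3 ;;
    esac
}

# Print the nameserver entries of a resolv.conf read from stdin.
resolv_nameservers() {
    awk '$1 == "nameserver" { print $2 }'
}

# Return 0 when the first nameserver is loopback, i.e. the router itself
# resolves through the local Unbound rather than an upstream server.
resolver_is_local() {
    first=$(resolv_nameservers | head -n 1)
    case "$first" in
        127.0.0.1|::1) return 0 ;;
        *)             return 1 ;;
    esac
}

# Constructed samples, copied from the outputs posted in this thread.
NETSTAT_BEFORE='tcp        0      0 10.2.23.208:53          0.0.0.0:*               LISTEN      4273/dnsmasq
udp        0      0 :::53                   :::*                                4273/dnsmasq'
NETSTAT_AFTER='tcp        0      0 0.0.0.0:53              0.0.0.0:*               LISTEN      7067/unbound
udp        0      0 :::53                   :::*                                7067/unbound'
RESOLV_CONF='# /tmp/resolv.conf generated by Unbound UCI 2021-01-04T14:37:55+0100
nameserver 127.0.0.1
nameserver ::1
search lan.'

# Demo against the embedded samples. On the router, feed live data instead:
#   netstat -l -n -p | diagnose_port53 ; resolver_is_local < /etc/resolv.conf
printf '%s\n' "$NETSTAT_BEFORE" | diagnose_port53 || true
printf '%s\n' "$NETSTAT_AFTER"  | diagnose_port53 || true
if printf '%s\n' "$RESOLV_CONF" | resolver_is_local; then
    echo "router resolves via local Unbound"
else
    echo "router resolves via an upstream server, not local Unbound"
fi
```

The exit codes make the script usable in a one-liner on the router: `netstat -l -n -p | diagnose_port53 || echo "fix port 53 first"`. The IPv6 handling matters because `:::53` and link-local `fe80::...:53` lines contain several colons, so the port must be taken from the last field of the split, not the second.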
I did a reboot. Seems to work...
# /tmp/resolv.conf generated by Unbound UCI 2021-01-04T14:37:55+0100
nameserver 127.0.0.1
nameserver ::1
search lan.
Server: 127.0.0.1
Address: 127.0.0.1#53
Name: openwrt.org
Address 1: 139.59.209.225
Address 2: 2a03:b0c0:3:d0::1af1:1
Hmmm. My OpenVPN tunnel and adblock seem to have stopped working...
uci set adblock.global.adb_dns="unbound"
uci commit adblock
/etc/init.d/adblock restart
See also: Adblock Config Options
In addition, performing DNSSEC locally is known to be problematic, so it's best to disable:
uci set unbound.@unbound[0].validator="0"
uci commit unbound
/etc/init.d/unbound restart
And rely on the upstream DNS provider that supports DNSSEC.
Great, VPN and adblock seem to work!
vpn-pbr is working, too! 
One last thing.
Could you please help me to set up a DNS over TLS connection to a DNS provider which protects my privacy?