Unbound doesn't resolve lan hostnames

Hi everyone! :slight_smile:
I'm running OpenWRT 18.06 on a DGA4131, on which I configured unbound and disabled dnsmasq dhcp role as per the wiki page:


I also configured a IPSec VPN server with Strongswan, which works great.
The problem is that LAN hostnames don't get resolved by unbound over the VPN, but I actually think that they don't get resolved at all: even if they get resolved on the LAN, they still get resolved if I stop unbound, so I think that's because of NetBIOS and not because of unbound.
If I use dnsmasq instead of unbound they get resolved even over the VPN, but I would like to use unbound for DNSSec validation (I can't use stubby because I don't have that package in my firmware's repos).
I managed to resolve some domains with unbound (also over the VPN) by adding them to /etc/config/dhcp in this way:
config domain
	option name 'devicehostname'
	option ip '192.168.1.1'

But I'd like to have all of them resolve without manually adding them. I'd also like to get e.g. "hostname" to resolve and not "hostname.lan", as it was with dnsmasq.
Am I missing something? Is there a way to do this?

My /etc/config/dhcp configuration:


config dnsmasq 'dnsmasq'
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option cachelocal '0'
	option cachesize '0'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.auto'
	option strictorder '1'
	option dhcpscript '/lib/dnsmasq/dhcp-event.sh'
	list hostname 'omitted'
	option logfacility '/var/log/dnsmasq'
	list dhcp_option_force 'tag:cpewan-id,vi-encap:3561,6,"omitted"'
	list dhcp_option_force 'tag:cpewan-id,vi-encap:3561,5,"omitted"'
	list dhcp_option_force 'tag:cpewan-id,vi-encap:3561,4,"omitted"'
	option port '0'
	option localservice '0'
	option nonwildcard '0'

config odhcpd 'odhcpd'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'

config dhcp 'lan'
	option interface 'lan'
	option start '50'
	option limit '201'
	option leasetime '24h'
	option dhcpv6 'server'
	option ra 'server'
	option ra_management '0'
	option ra_mininterval '200'
	option ra_maxinterval '600'
	option ra_lifetime '1800'
	option ra_hoplimit '64'
	option ra_mtu '1480'
	option force '1'
	option ignore '0'

config dhcp 'wan'
	option interface 'wan'
	option ignore '0'
	option dhcpv4 'disabled'

config dhcp 'wan6'
	option interface 'wan'
	option ignore '1'

config dhcp 'wwan'
	option interface 'wwan'
	option ignore '1'

config opassthrud 'opassthrud'
	option passthruscript '/lib/dhcpopassthrud/dnsmasq.sh'
	option options_needed '0'

config relay 'relay'

config host '1DF3C892AD9EF930D21A3D6C478DA0BF'
	option mac 'omitted'
	option ip '192.168.1.1'
	option name 'omitted'

config host 'DD563BFAF67F1AF629746EB960611713'
	option mac 'omitted'
	option ip '192.168.1.2'
	option name 'omitted'

config host 'F6E1A3498ACE5C864BF26758BB664CC5'
	option mac 'omitted'
	option ip '192.168.1.3'
	option name 'omitted'

config host 'E76FDA79ABA5B5E062B3DFB72B17C961'
	option ip '192.168.1.4'
	option mac 'omitted'
	option name 'omitted'

config domain
	option name 'omitted'
	option ip '192.168.1.1'

config domain
	option name 'omitted'
	option ip '192.168.1.4'

My /etc/config/unbound configuration:

config unbound
	option add_local_fqdn '1'
	option add_wan_fqdn '0'
	option dhcp_link 'none'
	option dns64 '0'
	option domain 'lan'
	option domain_type 'static'
	option edns_size '1280'
	option extended_luci '0'
	option extended_stats '0'
	option hide_binddata '1'
	option listen_port '53'
	option manual_conf '0'
	option protocol 'default'
	option rebind_localhost '0'
	option recursion 'default'
	option resource 'default'
	option root_age '9'
	option ttl_min '120'
	option unbound_control '0'
	option validator_ntp '1'
	option validator '1'
	option localservice '0'
	option enabled '1'
	option rebind_protection '1'
	option add_extra_dns '1'
	list trigger_interface 'lan'
	list trigger_interface 'wan'

config zone 'forward'
	option enabled '1'
	option fallback '0'
	option zone_type 'forward_zone'
	option tls_upstream '1'
	list zone_name '.'
	option tls_index 'cloudflare-dns.com'
	list server '2606:4700:4700::1111'
	list server '2606:4700:4700::1001'
	list server '1.1.1.1'
	list server '1.0.0.1'

Thank you in advance for your help :pray:t3: and sorry if my English is not the best, I'm Italian. :grinning:

Odhcpd + unbound problem


I tried that but I still get "DNS_PROBE_FINISHED_NXDOMAIN" when I try to connect from the VPN :confused:

Added to the wiki:
Replacing dnsmasq with odhcpd and Unbound
Make sure you reconnect LAN clients to refill the lease file.

You should also provide your LAN domain with the VPN client profile as a search domain:
Unbound: shortname lookups? non authoritative answer?


Ok I followed the wiki and rebooted, but it still doesn't work.
If I understand correctly, running "nslookup 192.168.1.x" should give the FQDN for that particular device (192.168.1.254 being the gateway), but this doesn't happen, even if I run it from the gateway's SSH shell (to exclude a client problem). Only "nslookup 192.168.1.254" gives the gateway hostname in a "pure" form, such as "gatewayname" and not "gatewayname.lan".
How can I automatically add each LAN device hostname, so that e.g. if I run "nslookup ipad_ipaddress" I get "ipadname"?

I also don't fully understand your last statement, because I haven't set any LAN domain. But I think you mean that if a LAN domain is set I should set it as the search domain on every client, so that when they query unbound they automatically append ".landomain" to the hostname, because unbound cannot resolve the bare hostname as dnsmasq does, as stated here. Am I right? But then why does "gatewayname" get resolved even from the VPN?

Sorry if maybe I'm asking stupid questions, but I'm getting a bit confused, and thank you for your help!

Check this:

head -v -n -0 /var/lib/unbound/dhcp*

According to the thread linked above, Unbound does not expand short names.
But you can expand them automatically on the client.
I'm not sure about strongSwan, but this can be performed with other VPNs:

# OpenVPN server
push "dhcp-option DOMAIN example.org"

# OpenVPN client
dhcp-option DOMAIN example.org

# WireGuard client
DNS = ..., example.org

The router/gateway seems to be added without domain:

grep -e local-data: /var/lib/unbound/unbound.conf

So it can be resolved without domain, but cannot be resolved using FQDN.
To be fair, this looks like a bug.

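To see what the lease-to-DNS step discussed above actually produces, here is an added example (not code from the thread or from the OpenWrt unbound package) that turns dnsmasq/odhcpd-style lease lines into Unbound local-data records, emitting only FQDNs under the LAN domain plus their reverse PTRs, since Unbound does not expand short names. The lease line layout (expiry, MAC, IPv4, hostname, client-id, with "*" for an unknown hostname) and the sample leases are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example: generate Unbound local-data from a lease file.
# Assumed lease line format (one per line):
#   <expiry> <mac> <ipv4> <hostname> <client-id>
# A hostname of "*" means the client sent none, so no record is generated.

# Emit local-data:/local-data-ptr: lines for every lease with a hostname.
# $1 = lease file ("-" reads stdin), $2 = local domain (e.g. lan), $3 = TTL
leases_to_unbound_localdata() {
    awk -v dom="$2" -v ttl="$3" '
        NF >= 4 && $4 != "*" {
            # DNS names are case-insensitive; normalise to lower case
            fqdn = tolower($4) "." dom
            printf "local-data: \"%s. %d IN A %s\"\n", fqdn, ttl, $3
            printf "local-data-ptr: \"%s %d %s.\"\n", $3, ttl, fqdn
        }' "$1"
}

# Number of lease hostnames that became forward (A) records.
resolvable_count() {
    leases_to_unbound_localdata "$1" "$2" "$3" | grep -c '^local-data: '
}

# Constructed sample leases (not real data): one client without a hostname.
SAMPLE_LEASES='1546300800 aa:bb:cc:dd:ee:01 192.168.1.2 laptop 01:aa:bb:cc:dd:ee:01
1546300800 aa:bb:cc:dd:ee:02 192.168.1.3 * 01:aa:bb:cc:dd:ee:02
1546300800 aa:bb:cc:dd:ee:03 192.168.1.4 iPad 01:aa:bb:cc:dd:ee:03'

# Show the records that would let "laptop.lan" and "ipad.lan" resolve.
printf '%s\n' "$SAMPLE_LEASES" | leases_to_unbound_localdata - lan 120
```

Comparing this output with `grep local-data: /var/lib/unbound/unbound.conf` shows at a glance which LAN hosts have no FQDN record and therefore cannot resolve over the VPN.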

Ok, I finally got it working! :tada:

First, I realized that in order to use only unbound and odhcpd you have to install the unbound-control package, which I didn't install because it's not in my repos. I thus had to reinstall dnsmasq, and I configured dnsmasq and unbound in series (dnsmasq --> unbound).
In this way I got dhcp entries to resolve as "device.lan".
Then I checked whether hostnames could actually be resolved by dnsmasq. I tried that on my Android and iOS devices, connected to 4G through my VPN, and hostnames were actually resolved, but that didn't happen on Windows (even connected via Wi-Fi with NetBIOS disabled in the network card properties). So, following your suggestion, I checked whether there is a way to automatically push a DNS suffix to clients with strongSwan, but I didn't find one, so in the end I configured the suffix "lan" in the Windows VPN properties (it's actually the same as the network card properties) together with the "use default gateway on remote network" option, and it started working.
The interesting thing is that running "nslookup hostname" on Windows worked even before setting the DNS suffix, but any browser gave "err_name_not_resolved". I also don't know why on Android and iOS devices I didn't have to set the DNS suffix to make it work; I assume that is a Windows "feature".

My only question now is: should I set both the dnsmasq cache and the unbound cache, only the unbound cache (dnsmasq cachesize set to 0) or only the dnsmasq cache to get the best performance? Because obviously, since they're in series, the two caches are now pretty much identical, I guess.

Thank you so much for your help @vgaetera!! :smile:

BTW, for anyone interested, here are my /etc/config/dhcp and /etc/config/unbound files now:

/etc/config/dhcp
config dnsmasq 'dnsmasq'
	option domainneeded '1'
	option localise_queries '1'
	option boguspriv '1'
	option filterwin2k '0'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option cachelocal '1'
	option cachesize '2500'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option strictorder '1'
	option dhcpscript '/lib/dnsmasq/dhcp-event.sh'
	list hostname 'omitted'
	option logfacility '/var/log/dnsmasq'
	list dhcp_option_force 'tag:cpewan-id,vi-encap:3561,6,"omitted"'
	list dhcp_option_force 'tag:cpewan-id,vi-encap:3561,5,"omitted"'
	list dhcp_option_force 'tag:cpewan-id,vi-encap:3561,4,"omitted"'
	option port '53'
	option localservice '1'
	option nonwildcard '0'
	option noresolv '1'
	list server '127.0.0.1#1053'
	list server '::1#1053'
	option nohosts '0'
	option expandhosts '1'
	option nonegcache '0'
	option logqueries '1'

config odhcpd 'odhcpd'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd.sh'

config dhcp 'lan'
	option interface 'lan'
	option start '50'
	option limit '201'
	option leasetime '24h'
	option dhcpv6 'server'
	option ra 'server'
	option ra_management '0'
	option ra_mininterval '200'
	option ra_maxinterval '600'
	option ra_lifetime '1800'
	option ra_hoplimit '64'
	option ra_mtu '1480'
	option force '1'
	option ignore '0'

config dhcp 'wan'
	option interface 'wan'
	option ignore '0'
	option dhcpv4 'disabled'

config dhcp 'wan6'
	option interface 'wan'
	option ignore '1'

config dhcp 'wwan'
	option interface 'wwan'
	option ignore '1'

config opassthrud 'opassthrud'
	option passthruscript '/lib/dhcpopassthrud/dnsmasq.sh'
	option options_needed '0'

config relay 'relay'

config host '1DF3C892AD9EF930D21A3D6C478DA0BF'
	option mac 'omitted'
	option ip '192.168.1.1'
	option name 'omitted'

config host 'DD563BFAF67F1AF629746EB960611713'
	option mac 'omitted'
	option ip '192.168.1.2'
	option name 'omitted'

config host 'F6E1A3498ACE5C864BF26758BB664CC5'
	option mac 'omitted'
	option ip '192.168.1.3'
	option name 'omitted'

config host 'E76FDA79ABA5B5E062B3DFB72B17C961'
	option ip '192.168.1.4'
	option mac 'omitted'
	option name 'omitted'
/etc/config/unbound
config unbound
	option add_local_fqdn '0'
	option add_wan_fqdn '0'
	option dhcp_link 'none'
	option dns64 '0'
	option domain 'lan'
	option domain_type 'refuse'
	option edns_size '1280'
	option extended_luci '0'
	option extended_stats '0'
	option hide_binddata '1'
	option listen_port '1053'
	option manual_conf '0'
	option protocol 'default'
	option rebind_localhost '0'
	option recursion 'default'
	option resource 'default'
	option root_age '9'
	option ttl_min '120'
	option unbound_control '0'
	option validator_ntp '1'
	option validator '1'
	option localservice '1'
	option enabled '1'
	option rebind_protection '1'
	option add_extra_dns '0'
	list trigger_interface 'lan'
	list trigger_interface 'wan'

config zone 'forward'
	option enabled '1'
	option fallback '0'
	option zone_type 'forward_zone'
	option tls_upstream '1'
	list zone_name '.'
	option tls_index 'cloudflare-dns.com'
	list server '2606:4700:4700::1111'
	list server '2606:4700:4700::1001'
	list server '1.1.1.1'
	list server '1.0.0.1'

Dnsmasq is your primary resolver, so it's best to disable caching for Unbound.
Also, a caching DNS forwarder is a typical use case for Dnsmasq.


Thank you, I suspected that.

EDIT: For completeness, here's how I disabled Unbound caching:

/etc/config/unbound
config unbound
	option add_local_fqdn '0'
	option add_wan_fqdn '0'
	option dhcp_link 'none'
	option dns64 '0'
	option domain 'lan'
	option domain_type 'refuse'
	option edns_size '1280'
	option extended_luci '0'
	option extended_stats '0'
	option hide_binddata '1'
	option listen_port '1053'
	option manual_conf '0'
	option protocol 'default'
	option rebind_localhost '0'
	option recursion 'default'
	option resource 'default'
	option root_age '9'
	option ttl_min '120'
	option unbound_control '0'
	option validator_ntp '1'
	option validator '1'
	option localservice '1'
	option enabled '1'
	option rebind_protection '1'
	option add_extra_dns '0'
	list trigger_interface 'lan'
	list trigger_interface 'wan'
/etc/unbound/unbound_ext.conf
forward-zone:
	name: "."
	forward-host: cloudflare-dns.com
	forward-addr: 2606:4700:4700::1111@853
	forward-addr: 2606:4700:4700::1001@853
	forward-addr: 1.1.1.1@853
	forward-addr: 1.0.0.1@853
	forward-first: no
	forward-tls-upstream: yes
	forward-no-cache: yes

The key point is that forward-no-cache: yes has no equivalent in UCI.

