Unbound dropping lan hosts

Hey everyone!
I have an issue with my router. So, I have installed the latest OpenWrt with unbound.
I use unbound to give PTR records to my devices in the LAN, so I can use their hostnames in my apps to get both IPv4 and IPv6 when it's available. But recently (for some months), after a while unbound drops all entries in its "local" list... The only hostname that doesn't disappear is the router's own hostname. But after I restart unbound it restores all hostnames and starts working well again.
What can I do?
If you need to see any files just say and I'll post!

Thanks!:grin::grin::grin:

grep -v -r -e "^#" -e "^$" /var/lib/unbound
netstat -l -n -p | grep -e unbound
pgrep -f -a unbound
logread -e unbound
/var/lib/unbound/unbound_srv.conf:verbosity: 1
/var/lib/unbound/unbound_ext.conf:forward-zone:
/var/lib/unbound/unbound_ext.conf:  name: "."
/var/lib/unbound/unbound_ext.conf:  forward-addr: 2606:4700:4700::1111@853
/var/lib/unbound/unbound_ext.conf:  forward-addr: 2606:4700:4700::1001@853
/var/lib/unbound/unbound_ext.conf:  forward-addr: 1.1.1.1@853
/var/lib/unbound/unbound_ext.conf:  forward-addr: 1.0.0.1@853
/var/lib/unbound/unbound_ext.conf:  forward-ssl-upstream: yes
/var/lib/unbound/unbound.conf:server:
/var/lib/unbound/unbound.conf:  username: unbound
/var/lib/unbound/unbound.conf:  chroot: /var/lib/unbound
/var/lib/unbound/unbound.conf:  directory: /var/lib/unbound
/var/lib/unbound/unbound.conf:  pidfile: /var/run/unbound.pid
/var/lib/unbound/unbound.conf:  tls-cert-bundle: /var/lib/unbound/ca-certificates.crt
/var/lib/unbound/unbound.conf:  auto-trust-anchor-file: /var/lib/unbound/root.key
/var/lib/unbound/unbound.conf:  num-threads: 1
/var/lib/unbound/unbound.conf:  msg-cache-slabs: 1
/var/lib/unbound/unbound.conf:  rrset-cache-slabs: 1
/var/lib/unbound/unbound.conf:  infra-cache-slabs: 1
/var/lib/unbound/unbound.conf:  key-cache-slabs: 1
/var/lib/unbound/unbound.conf:  use-syslog: yes
/var/lib/unbound/unbound.conf:  statistics-interval: 0
/var/lib/unbound/unbound.conf:  statistics-cumulative: no
/var/lib/unbound/unbound.conf:  verbosity: 1
/var/lib/unbound/unbound.conf:  extended-statistics: yes
/var/lib/unbound/unbound.conf:  edns-buffer-size: 1280
/var/lib/unbound/unbound.conf:  port: 53
/var/lib/unbound/unbound.conf:  outgoing-port-permit: 10240-65535
/var/lib/unbound/unbound.conf:  interface: 0.0.0.0
/var/lib/unbound/unbound.conf:  interface: ::0
/var/lib/unbound/unbound.conf:  outgoing-interface: 0.0.0.0
/var/lib/unbound/unbound.conf:  outgoing-interface: ::0
/var/lib/unbound/unbound.conf:  do-ip4: yes
/var/lib/unbound/unbound.conf:  do-ip6: yes
/var/lib/unbound/unbound.conf:  prefer-ip6: yes
/var/lib/unbound/unbound.conf:  harden-short-bufsize: yes
/var/lib/unbound/unbound.conf:  harden-large-queries: yes
/var/lib/unbound/unbound.conf:  harden-glue: yes
/var/lib/unbound/unbound.conf:  use-caps-for-id: no
/var/lib/unbound/unbound.conf:  msg-buffer-size: 32768
/var/lib/unbound/unbound.conf:  outgoing-range: 640
/var/lib/unbound/unbound.conf:  num-queries-per-thread: 320
/var/lib/unbound/unbound.conf:  outgoing-num-tcp: 20
/var/lib/unbound/unbound.conf:  incoming-num-tcp: 20
/var/lib/unbound/unbound.conf:  rrset-cache-size: 8192k
/var/lib/unbound/unbound.conf:  msg-cache-size: 4096k
/var/lib/unbound/unbound.conf:  key-cache-size: 4096k
/var/lib/unbound/unbound.conf:  neg-cache-size: 2048k
/var/lib/unbound/unbound.conf:  infra-cache-numhosts: 8192
/var/lib/unbound/unbound.conf:  harden-dnssec-stripped: yes
/var/lib/unbound/unbound.conf:  val-clean-additional: yes
/var/lib/unbound/unbound.conf:  ignore-cd-flag: yes
/var/lib/unbound/unbound.conf:  module-config: "validator iterator"
/var/lib/unbound/unbound.conf:  qname-minimisation: no
/var/lib/unbound/unbound.conf:  aggressive-nsec: yes
/var/lib/unbound/unbound.conf:  prefetch-key: yes
/var/lib/unbound/unbound.conf:  prefetch: yes
/var/lib/unbound/unbound.conf:  target-fetch-policy: "3 2 1 0 0"
/var/lib/unbound/unbound.conf:  cache-min-ttl: 120
/var/lib/unbound/unbound.conf:  cache-max-ttl: 72000
/var/lib/unbound/unbound.conf:  val-bogus-ttl: 300
/var/lib/unbound/unbound.conf:  infra-host-ttl: 900
/var/lib/unbound/unbound.conf:  hide-identity: yes
/var/lib/unbound/unbound.conf:  hide-version: yes
/var/lib/unbound/unbound.conf:  private-address: 127.0.0.0/8
/var/lib/unbound/unbound.conf:  private-address: ::1/128
/var/lib/unbound/unbound.conf:  access-control: 192.168.1.1/24 allow
/var/lib/unbound/unbound.conf:  access-control: 2001:8a0:6f08:2800::1/60 allow
/var/lib/unbound/unbound.conf:  access-control: 85.241.237.108/24 allow
/var/lib/unbound/unbound.conf:  access-control: 127.0.0.0/8 allow
/var/lib/unbound/unbound.conf:  access-control: ::1/128 allow
/var/lib/unbound/unbound.conf:  access-control: fe80::/10 allow
/var/lib/unbound/unbound.conf:  private-domain: lan
/var/lib/unbound/unbound.conf:  local-zone: lan transparent
/var/lib/unbound/unbound.conf:  domain-insecure: openwrt
/var/lib/unbound/unbound.conf:  private-domain: openwrt
/var/lib/unbound/unbound.conf:  local-zone: openwrt static
/var/lib/unbound/unbound.conf:  local-data: "openwrt. 7200 IN SOA localhost. nobody.invalid. 25913463 3600 1200 9600 300"
/var/lib/unbound/unbound.conf:  local-data: "openwrt. 7200 IN NS localhost."
/var/lib/unbound/unbound.conf:  local-data: 'openwrt. 7200 IN TXT "comment=local intranet dns zone"'
/var/lib/unbound/unbound.conf:  local-zone: 108.237.241.85.in-addr.arpa transparent
/var/lib/unbound/unbound.conf:  local-zone: 1.168.192.in-addr.arpa transparent
/var/lib/unbound/unbound.conf:  local-zone: 0.8.2.8.0.f.6.0.a.8.0.1.0.0.2.ip6.arpa transparent
/var/lib/unbound/unbound.conf:  local-data-ptr: "192.168.1.1 300 openwrt.lan"
/var/lib/unbound/unbound.conf:  local-data: "openwrt.lan. 300 IN A 192.168.1.1"
/var/lib/unbound/unbound.conf:  local-data: "openwrt. 300 IN A 192.168.1.1"
/var/lib/unbound/unbound.conf:  local-data-ptr: "2001:8a0:6f08:2800::1 300 openwrt.lan"
/var/lib/unbound/unbound.conf:  local-data: "openwrt.lan. 300 IN AAAA 2001:8a0:6f08:2800::1"
/var/lib/unbound/unbound.conf:  local-data: "openwrt. 300 IN AAAA 2001:8a0:6f08:2800::1"
/var/lib/unbound/unbound.conf:include: /var/lib/unbound/dhcp.conf
/var/lib/unbound/unbound.conf:include: /var/lib/unbound/unbound_srv.conf
/var/lib/unbound/unbound.conf:remote-control:
/var/lib/unbound/unbound.conf:  control-enable: yes
/var/lib/unbound/unbound.conf:  control-use-cert: no
/var/lib/unbound/unbound.conf:  control-interface: 127.0.0.1
/var/lib/unbound/unbound.conf:  control-interface: ::1
/var/lib/unbound/unbound.conf:include: /var/lib/unbound/unbound_ext.conf
/var/lib/unbound/hotplug.time:2019-03-29T00:02:16+0000
/var/lib/unbound/dhcp.conf:local-data: "nextcloud.lan. 300 IN A 192.168.1.3"
/var/lib/unbound/dhcp.conf:local-data-ptr: "192.168.1.3 300 nextcloud.lan"
/var/lib/unbound/dhcp.conf:local-data: "nextcloud.lan. 300 IN AAAA 2001:8a0:6f08:2800:02ff:60ff:feba:b582"
/var/lib/unbound/dhcp.conf:local-data-ptr: "2001:8a0:6f08:2800:02ff:60ff:feba:b582 300 nextcloud.lan"
/var/lib/unbound/dhcp.conf:local-data: "android-72f625b62edc1006.lan. 300 IN A 192.168.1.224"
/var/lib/unbound/dhcp.conf:local-data-ptr: "192.168.1.224 300 android-72f625b62edc1006.lan"
/var/lib/unbound/dhcp.conf:local-data: "android-72f625b62edc1006.lan. 300 IN AAAA 2001:8a0:6f08:2800:1e7b:23ff:fea2:c490"
/var/lib/unbound/dhcp.conf:local-data-ptr: "2001:8a0:6f08:2800:1e7b:23ff:fea2:c490 300 android-72f625b62edc1006.lan"
/var/lib/unbound/dhcp.conf:local-data: "desktop-jsgm9gt.lan. 300 IN A 192.168.1.119"
/var/lib/unbound/dhcp.conf:local-data-ptr: "192.168.1.119 300 desktop-jsgm9gt.lan"
/var/lib/unbound/dhcp.conf:local-data: "desktop-jsgm9gt.lan. 300 IN AAAA 2001:8a0:6f08:2800:42f0:2fff:feba:fb12"
/var/lib/unbound/dhcp.conf:local-data-ptr: "2001:8a0:6f08:2800:42f0:2fff:feba:fb12 300 desktop-jsgm9gt.lan"
/var/lib/unbound/dhcp.conf:local-data: "mps.lan. 300 IN A 192.168.1.238"
/var/lib/unbound/dhcp.conf:local-data-ptr: "192.168.1.238 300 mps.lan"
/var/lib/unbound/dhcp.conf:local-data: "mps.lan. 300 IN AAAA 2001:8a0:6f08:2800:66a2:f9ff:fe51:eb53"
/var/lib/unbound/dhcp.conf:local-data-ptr: "2001:8a0:6f08:2800:66a2:f9ff:fe51:eb53 300 mps.lan"
/var/lib/unbound/dhcp.conf:local-data: "dataserver.lan. 300 IN A 192.168.1.2"
/var/lib/unbound/dhcp.conf:local-data-ptr: "192.168.1.2 300 dataserver.lan"
/var/lib/unbound/dhcp.conf:local-data: "dataserver.lan. 300 IN AAAA 2001:8a0:6f08:2800:7285:c2ff:fe78:5a7c"
/var/lib/unbound/dhcp.conf:local-data-ptr: "2001:8a0:6f08:2800:7285:c2ff:fe78:5a7c 300 dataserver.lan"

There was some certificate output, but I don't think you need it.

tcp        0      0 0.0.0.0:53              0.0.0.0:*               LISTEN      29875/unbound
tcp        0      0 127.0.0.1:8953          0.0.0.0:*               LISTEN      29875/unbound
tcp        0      0 :::53                   :::*                    LISTEN      29875/unbound
tcp        0      0 ::1:8953                :::*                    LISTEN      29875/unbound
udp        0      0 0.0.0.0:53              0.0.0.0:*                           29875/unbound
udp        0      0 :::53                   :::*                                29875/unbound

29875 /usr/sbin/unbound -d -c /var/lib/unbound/unbound.conf
Tue Apr  9 03:00:42 2019 daemon.info unbound: [29875:0] info: generate keytag query _ta-4f66. NULL IN
Tue Apr  9 03:58:34 2019 daemon.info unbound: [29875:0] info: generate keytag query _ta-4f66. NULL IN
Tue Apr  9 05:03:42 2019 daemon.info unbound: [29875:0] info: generate keytag query _ta-4f66. NULL IN
Tue Apr  9 06:24:17 2019 daemon.info unbound: [29875:0] info: generate keytag query _ta-4f66. NULL IN
Tue Apr  9 07:26:04 2019 daemon.info unbound: [29875:0] info: generate keytag query _ta-4f66. NULL IN
Tue Apr  9 08:24:13 2019 daemon.info unbound: [29875:0] info: generate keytag query _ta-4f66. NULL IN
Tue Apr  9 08:28:27 2019 daemon.info unbound: [29875:0] info: generate keytag query _ta-4f66. NULL IN
Tue Apr  9 09:53:52 2019 daemon.info unbound: [29875:0] info: generate keytag query _ta-4f66. NULL IN
Tue Apr  9 10:49:30 2019 daemon.info unbound: [29875:0] info: generate keytag query _ta-4f66. NULL IN
Tue Apr  9 11:39:17 2019 daemon.info unbound: [29875:0] info: generate keytag query _ta-4f66. NULL IN
Tue Apr  9 13:06:47 2019 daemon.info unbound: [29875:0] info: generate keytag query _ta-4f66. NULL IN
Tue Apr  9 14:01:05 2019 daemon.info unbound: [29875:0] info: generate keytag query _ta-4f66. NULL IN
Tue Apr  9 14:50:13 2019 daemon.info unbound: [29875:0] info: generate keytag query _ta-4f66. NULL IN
Tue Apr  9 16:06:31 2019 daemon.info unbound: [29875:0] info: generate keytag query _ta-4f66. NULL IN
Tue Apr  9 17:02:09 2019 daemon.info unbound: [29875:0] info: generate keytag query _ta-4f66. NULL IN

Thanks for the help.

Records A/AAAA are resolved into IPv4/IPv6-addresses respectively.
PTR should do the opposite, i.e. resolve IP-addresses into domain names.

Maybe you should use type static instead of transparent?

You are not using the ca-bundle package?
Where did you get those certificates from?


Some ideas about troubleshooting:

  • Check the log when you experience the issue.
  • Increase log verbosity if you don't see anything abnormal in the log.
  • Check service startup errors:
service log restart; service unbound restart; sleep 10
logread -e unbound

I will try with static and see what happens.

About the certificates I have no idea; as I use DNS over TLS I believe those are the certificates used, but I don't know.

Also, the log didn't show any info, and if I increase verbosity I see nothing, as the logs disappear.
There are no startup errors.

Thanks for the help!

Then it's better to use /etc/ssl/cert.pem from the package ca-bundle:
https://openwrt.org/docs/guide-user/services/dns/dot_unbound


Ok, just checked and I'm actually using it ahahaha
But the issue still happens. Should I report it to OpenWrt bugs?

Which unbound version? Which odhcpd version? (opkg list-installed | grep "unbound\|odhcpd")
Did you manually setup unbound or did you use the uci/LuCI setup interface?

Most probably a configuration issue: please double-check this section: https://github.com/openwrt/packages/blob/openwrt-18.06/net/unbound/files/README.md#unbound-and-odhcpd

Your DNSSEC/DNS over TLS config looks incomplete as well. In /etc/unbound/unbound_ext.conf the 'forward-addr' format must be ip "@" port number "#" followed by the valid public hostname (which is actually missing) in order for unbound to use the tls-cert-bundle to validate the dns server certificate.


libunbound - 1.9.1-2
luci-app-unbound - git-19.102.63814-0c7031b-1
odhcpd - 2019-04-17-38bc630b-3
unbound - 1.9.1-2
unbound-anchor - 1.9.1-2
unbound-control - 1.9.1-2

Everything is fine, I've already double-checked.

Ok, I just fixed it, but I believe that that's not related to the problem.

OK thanks, then please provide the content of /etc/config/dhcp, /etc/config/unbound, /etc/unbound/unbound_ext.conf and /etc/unbound/unbound_srv.conf

root@OpenWrt:~# cat /etc/config/dhcp

config dhcp 'lan'
        option interface 'lan'
        option ra 'server'
        option dhcpv6 'server'
        option dhcpv4 'server'
        option dhcpv4_forcereconf '1'
        option dhcpv6_na '0'
        list domain 'lan'
        option start '11'
        option limit '254'
        option ra_management '0'
        option leasetime '1h'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '1'
        option leasefile '/tmp/lib/odhcpd/dhcp.leases'
        option leasetrigger '/usr/lib/unbound/odhcpd.sh'
        option loglevel '4'

config host
        option name 'DATASERVER'
        option dns '1'
        option mac '70:85:C2:78:5A:7C'
        option ip '192.168.1.2'

config host
        option name 'NEXTCLOUD'
        option dns '1'
        option mac '02:FF:60:BA:B5:82'
        option ip '192.168.1.3'

root@OpenWrt:~# cat /etc/unbound/unbound_ext.conf
##############################################################################
# Extended user clauses added to the end of the UCI generated 'unbound.conf'
#
# Put your own forward:, view:, stub:, or remote-control: clauses here. This
# file is appended to the end of 'unbound.conf' with an include: statement.
# Notice that it is not part of the server: clause. Use 'unbound_srv.conf' to
# place custom option statements in the server: clause.
root@OpenWrt:~# cat /etc/unbound/unbound_srv.conf
##############################################################################
# User custom options added in the server: clause part of UCI 'unbound.conf'
#
# Add your own option statements here when they are not covered by UCI. This
# file is placed _inside_ the server: clause with an include: statement. Do
# not start other clauses here, because that would brake the server: clause.
# Use 'unbound_ext.conf' to start new clauses at the end of 'unbound.conf'.
##############################################################################

and thats it, for an extra:

root@OpenWrt:~# cat /etc/config/unbound

config unbound
        option domain 'lan'
        option edns_size '1280'
        option hide_binddata '1'
        option listen_port '53'
        option localservice '1'
        option manual_conf '0'
        option ttl_min '120'
        option verbosity '1'
        option enabled '1'
        option dhcp_link 'odhcpd'
        option dhcp4_slaac6 '1'
        option add_local_fqdn '3'
        option unbound_control '1'
        option protocol 'ip6_prefer'
        option extended_stats '1'
        option dns64 '0'
        option root_age '3'
        option rebind_localhost '1'
        option validator '1'
        option validator_ntp '1'
        option add_extra_dns '1'
        option rebind_protection '0'
        option domain_type 'static'
        option resource 'default'
        option recursion 'default'
        option add_wan_fqdn '3'
        list trigger_interface 'lan'
        list trigger_interface 'wan'
        list trigger_interface 'wan6'

config zone
        option fallback '0'
        option enabled '1'
        option zone_type 'forward_zone'
        list zone_name '.'
        list server '1.0.0.1'
        list server '1.1.1.1'
        list server '2606:4700:4700::1001'
        list server '2606:4700:4700::1111'
        option tls_upstream '1'
        option tls_index 'one.one.one.one'

Please configure local "domain" entries in /etc/config/dhcp - not "host", e.g.:

config domain
        option name 'NEXTCLOUD'
        option ip '192.168.1.3'

But that isn't a device on the router but a device on another server

You've activated "extra dns" in unbound ... this function does not parse 'host' entries, excerpt from the online doc:

 option add_extra_dns '0'
    Level. Execute traditional DNS overrides found in `/etc/config/dhcp`.
    Optional so you may use other Unbound conf or redirect to NSD instance.
    0 - Ignore `/etc/config/dhcp`
    1 - Use only 'domain' clause (host records)
    2 - Use 'domain', 'mxhost', and 'srvhost' clauses
    3 - Use all of 'domain', 'mxhost', 'srvhost', and 'cname' clauses

... for a combination of unbound plus odhcpd you have to use 'domain' sections.

Ok, I've disabled it since you told me to, but it still drops all hostnames. I've seen in the log the time when it happens and there's nothing to show; it doesn't say anything. It's just like it gets deleted without unbound noticing.

Does it drop /etc/config/dhcp#domain host names? Or does it drop odhcpd lease host names? Is the time to failure repeatable or appear to be in a regular range?

For odhcpd, and depending on your lease duration settings and how clients renew versus confirm leases, the lease file output can be stale. The script for dhcp-to-dns records tries to do differences to be robust to active networks (lots of mobile devices coming and going). The interaction can delete hosts on lease expiration, but not get new lease information on renew, or more likely is blind as a consequence to confirm transactions.
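The two points above (only 'config domain' sections feed unbound's extra DNS records, and lease-driven local-data can silently go stale) suggest a check the router can run from cron. The script below is an added example, not code from the thread or from the OpenWrt unbound package; it assumes unbound-control is enabled (control-enable: yes, as in the poster's unbound.conf), the 'lan' zone, and the uci file format shown in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): verify that every static
# 'config domain' host from /etc/config/dhcp is still served by unbound's
# local-data, and log to syslog when entries have vanished.

# Turn UCI 'config domain' sections (stdin) into "fqdn. ip" lines.
# 'config host' sections are skipped: add_extra_dns does not parse them.
uci_domain_hosts() {
    zone="$1"
    tr -d "'" | awk -v zone="$zone" '
        /^config domain/ { insec = 1; name = ""; ip = ""; next }
        /^config /       { insec = 0 }
        insec && $2 == "name" { name = tolower($3) }
        insec && $2 == "ip"   { ip = $3 }
        insec && name != "" && ip != "" {
            print name "." zone ". " ip; name = ""; ip = ""
        }'
}

# Turn "unbound-control list_local_data" output (stdin, zone-file style:
# name TTL IN TYPE rdata) into "fqdn. ip" lines for A and AAAA records.
served_hosts() {
    awk '$4 == "A" || $4 == "AAAA" { print tolower($1) " " $5 }'
}

# Print every expected "fqdn. ip" line that unbound is not serving.
missing_hosts() {
    expected="$1"
    served="$2"
    printf '%s\n' "$expected" | while IFS= read -r line; do
        [ -n "$line" ] || continue
        printf '%s\n' "$served" | grep -qxF -- "$line" || printf '%s\n' "$line"
    done
}

# Live check for the router; inspect results with: logread -e unbound_check
check_local_data() {
    expected=$(uci_domain_hosts lan < /etc/config/dhcp)
    served=$(unbound-control list_local_data | served_hosts)
    missing=$(missing_hosts "$expected" "$served")
    if [ -n "$missing" ]; then
        logger -t unbound_check "local-data missing: $(printf '%s' "$missing" | tr '\n' ';')"
        return 1
    fi
    logger -t unbound_check "all static hosts present"
}

# Run the live check only when asked, so the functions can be sourced or tested.
if [ "${UNBOUND_CHECK_RUN:-0}" = 1 ]; then
    check_local_data
fi
```

A cron entry such as `*/10 * * * * UNBOUND_CHECK_RUN=1 /root/unbound_check.sh` timestamps the moment the entries disappear, which the poster could not get from unbound's own log at verbosity 1.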

It drops everything, but when all hostnames are dropped, I go to the LuCI unbound settings and do "apply", and the hostnames come back.
My lease time is 4 hours.

Is there a time component that is repeatable in any way? One hour, a few hours, half a day, a whole day, days? Or purely random?

As I see it, completely random. At some point I thought it was related to WAN DHCPv6 prefix renewal, but I was wrong; even the logs show nothing.

Hello. How to fix it like that?

Tue Mar  2 11:31:13 2021 daemon.notice unbound: [17048:0] notice: init module 0: validator
Tue Mar  2 11:31:13 2021 daemon.notice unbound: [17048:0] notice: init module 1: iterator
Tue Mar  2 11:31:13 2021 daemon.info unbound: [17048:0] info: start of service (unbound 1.13.1).
Tue Mar  2 11:31:24 2021 daemon.info unbound: [17048:0] info: generate keytag query _ta-4f66. NULL IN