Unbound on second router, can't make it work

Hello There,

I have 2 routers with OpenWrt. One connects to WAN with PPPoE and is the DHCP server, on 192.168.1.10. On the other one I removed WAN and set a static IP of 192.168.1.11.

192.168.1.11 should run Unbound + adblock, so I followed the guide at: https://github.com/openwrt/packages/blob/master/net/unbound/files/README.md

And I did the parallel setup :slight_smile:
/etc/config/unbound:

config unbound
  # likely you want to match domain option between Unbound and dnsmasq
  option dhcp_link 'dnsmasq'
  option domain 'yourdomain'
  option listen_port '53'
  ...

/etc/config/dhcp:

config dnsmasq
  option domain 'yourdomain'
  option noresolv '1'
  option port '1053'
  option resolvfile '/tmp/resolv.conf.auto'
  ...

config dhcp 'lan'
  # dnsmasq may not issue DNS option if not std. configuration
  list dhcp_option 'option:dns-server,0.0.0.0'
  ...

OK, I also disabled DHCP for that LAN interface on 192.168.1.11 and set 192.168.1.10 as the gateway.

On the main router I added DHCP option 6 for DNS pointing at 192.168.1.11, and in the firewall I set a forward of every port 53 on this device to 192.168.1.11.

Nothing makes it work, I have no clue why; I tried everything.

Ah, something important: I also checked the Unbound conf with checkconf and it says it's OK.

I downloaded and added root hints because I don't want to use another DNS, i.e.:

  # file to read root hints from.
  # get one from https://www.internic.net/domain/named.cache
  root-hints: "/root.hint"

Any tips on what I have to do to make this config work? As soon as I disable 192.168.1.11 as DNS everything works again, so the problem is in the config, but I can't identify what it is no matter what. I also tried using the zones instead of the root file, but no success.

Why can't my main router use the secondary router as DNS?

Thanks in advance!

What does nslookup openwrt.org 192.168.1.11 return?

1 Like

Hey,

Thanks for your answer, it returns :slight_smile:

 OpenWrt 23.05.2, r23630-842932a63d
 -----------------------------------------------------
root@OpenWrt:~# nslookup 192.168.1.11
Server:         127.0.0.1
Address:        127.0.0.1:53

** server can't find 11.1.168.192.in-addr.arpa: NXDOMAIN

If I do a traceroute I get:


  _______                     ________        __
 |       |.-----.-----.-----.|  |  |  |.----.|  |_
 |   -   ||  _  |  -__|     ||  |  |  ||   _||   _|
 |_______||   __|_____|__|__||________||__|  |____|
          |__| W I R E L E S S   F R E E D O M
 -----------------------------------------------------
 OpenWrt 23.05.2, r23630-842932a63d
 -----------------------------------------------------
root@OpenWrt:~# traceroute 192.168.1.11
traceroute to 192.168.1.11 (192.168.1.11), 30 hops max, 46 byte packets
 1  *  *  *
 2  *  *  *
 3  *  *  *
 4  *  *  *
 5  *  *  *
 6  *  *  192.168.1.11 (192.168.1.11)  1.877 ms
root@OpenWrt:~# 

Not sure why or what's wrong... just to be clear, both are connected to the same unmanaged switch and I can reach both on the same subnet from a computer...

Something seems intermittent and I can't identify why the traffic isn't flowing between these 2.

This is not the command I asked you to run.

1 Like

Sorry, my answer was stupid; hang in there, I'm going to run the correct one.

If Unbound itself also uses DNS port 53 for upstream queries, make sure you make an exception for 192.168.1.11 itself, otherwise it will run in circles.

1 Like
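
Added example, not from this thread, the OpenWrt firewall documentation or the unbound package: what the DNS intercept on the main router (192.168.1.10) described in the first post would look like as a fw4 redirect section, with the exception for the resolver that the reply above asks for. It assumes the main router runs the 23.05 fw4 firewall with a zone named 'lan' and that the resolver is 192.168.1.11; the rule name is made up.

```uci
# /etc/config/firewall on the main router (192.168.1.10)
#
# Every port-53 packet entering from the lan zone is DNAT'ed to the
# Unbound box.  The src_ip line is the important part: without it the
# recursive queries Unbound sends *from* 192.168.1.11 to the root and
# TLD servers (also port 53) would match this rule and be sent straight
# back to Unbound, which is the loop the reply above warns about.
config redirect
	option name 'Intercept-DNS'
	option src 'lan'
	option src_ip '!192.168.1.11'
	option src_dport '53'
	option dest_ip '192.168.1.11'
	option dest_port '53'
	option proto 'tcp udp'
	option target 'DNAT'
```

Apply with /etc/init.d/firewall restart and inspect the generated rule with nft list ruleset. Two caveats the thread does not cover: the redirect only touches traffic from LAN clients, so for the main router's own dnsmasq to use the Unbound box you still need something like list server '192.168.1.11' together with option noresolv '1' in the dnsmasq section of its /etc/config/dhcp; and DNAT from one LAN host to another returns replies from 192.168.1.11 rather than from the address the client queried, which a client using a connected UDP socket will discard unless the lan zone also source-NATs that traffic.
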
root@OpenWrt:~# nslookup openwrt.org 192.168.1.11
nslookup: read: Connection refused
nslookup: read: Connection refused
nslookup: read: Connection refused
nslookup: read: Connection refused
;; connection timed out; no servers could be reached

OK, now it makes more sense. How do I open it there?
I created a firewall rule and opened any forwarding from 192.168.1.11, but still nothing.

How are the two routers interconnected?

Both on LAN ports, and each connected to a switch.

The switch works correctly, as I have other devices there too; actually my whole network is on it. It's not managed.

Then run netstat -tulpn | grep 53 on the Unbound device and check if it's actually listening.

1 Like
/$ netstat -tulpn | grep 53
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN      2867/unbound
tcp        0      0 192.168.1.11:1053       0.0.0.0:*               LISTEN      1159/dnsmasq
tcp        0      0 127.0.0.1:1053          0.0.0.0:*               LISTEN      1159/dnsmasq
tcp        0      0 ::1:1053                :::*                    LISTEN      1159/dnsmasq
tcp        0      0 ::1:53                  :::*                    LISTEN      2867/unbound
tcp        0      0 fd67:3983:4721::1:1053  :::*                    LISTEN      1159/dnsmasq
tcp        0      0 fe80::5264:2bff:fe94:f386:1053 :::*                    LISTEN      1159/dnsmasq
tcp        0      0 fe80::5264:2bff:fe94:f386:1053 :::*                    LISTEN      1159/dnsmasq
udp        0      0 127.0.0.1:1053          0.0.0.0:*                           1159/dnsmasq
udp        0      0 192.168.1.11:1053       0.0.0.0:*                           1159/dnsmasq
udp        0      0 127.0.0.1:53            0.0.0.0:*                           2867/unbound
udp        0      0 fd67:3983:4721::1:1053  :::*                                1159/dnsmasq
udp        0      0 fe80::5264:2bff:fe94:f386:1053 :::*                                1159/dnsmasq
udp        0      0 fe80::5264:2bff:fe94:f386:1053 :::*                                1159/dnsmasq
udp        0      0 ::1:1053                :::*                                1159/dnsmasq
udp        0      0 ::1:53                  :::*                                2867/unbound

Looks ok to me right? :slight_smile:

It's only listening on localhost on port 53, so no.
Guess you need to specify the interface or IP too, in the config.

1 Like
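
Added example, not from this thread or the unbound package: a small POSIX sh helper that classifies the port-53 sockets in netstat -tulpn output, so the loopback-only situation diagnosed above is caught by a script instead of by eye. The two embedded samples are constructed by trimming the netstat listings posted in this thread (before and after Unbound was made to listen on all addresses); on a live box pipe the real netstat output in instead. The function names are mine.

```shell
#!/bin/sh
# Added example (not from the thread or the unbound package): classify
# port-53 listeners in `netstat -tulpn` output.  Sockets bound only to
# loopback (127.0.0.1 / ::1) cannot serve other LAN hosts; anything else
# at least has a chance of being reachable.

# Constructed sample, trimmed from the thread's first listing:
# unbound bound only to loopback on port 53, dnsmasq on 1053.
SAMPLE_LOOPBACK_ONLY='tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN      2867/unbound
tcp        0      0 192.168.1.11:1053       0.0.0.0:*               LISTEN      1159/dnsmasq
udp        0      0 127.0.0.1:53            0.0.0.0:*                           2867/unbound
udp        0      0 ::1:53                  :::*                                2867/unbound'

# Constructed sample, trimmed from the thread's second listing:
# unbound bound to the wildcard address on port 53 (ntpd's ephemeral
# port is kept to show it is not mistaken for a DNS socket).
SAMPLE_ALL_IFACES='tcp        0      0 0.0.0.0:53              0.0.0.0:*               LISTEN      2617/unbound
udp        0      0 0.0.0.0:53              0.0.0.0:*                           2617/unbound
udp        0      0 0.0.0.0:39533           0.0.0.0:*                           2107/ntpd
udp        0      0 :::53                   :::*                                2617/unbound'

# dns_listeners: read netstat -tulpn lines on stdin and print one line per
# socket whose local port is exactly 53, as "<proto> <addr> <pid/prog> <scope>".
# The port is the text after the last ':' of the local-address column ($4),
# so 1053 (dnsmasq) and ephemeral ports such as 39533 are skipped, and IPv6
# addresses like ::1:53 or :::53 are split correctly.
dns_listeners() {
    awk '{
        n = split($4, p, ":"); port = p[n]
        if (port != "53") next
        addr = substr($4, 1, length($4) - length(port) - 1)
        scope = (addr == "127.0.0.1" || addr == "::1") ? "loopback-only" : "reachable"
        print $1, addr, $NF, scope
    }'
}

# dns_reachable: succeed (exit 0) only if at least one port-53 socket is
# bound to something other than loopback.
dns_reachable() {
    dns_listeners | grep -q ' reachable$'
}

# On a live OpenWrt box (busybox netstat and awk support everything used here):
#   netstat -tulpn | dns_listeners
#   netstat -tulpn | dns_reachable || echo "DNS is loopback-only; fix the listen address"
```

A "reachable" verdict from this check only means the socket is bound to a non-loopback address; the firewall input policy on the Unbound box and the nslookup probe from another host are still needed to confirm end-to-end.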
/etc/unbound$ netstat -tulpn | grep 53
tcp        0      0 192.168.1.11:1053       0.0.0.0:*               LISTEN      1158/dnsmasq
tcp        0      0 0.0.0.0:53              0.0.0.0:*               LISTEN      2617/unbound
tcp        0      0 127.0.0.1:1053          0.0.0.0:*               LISTEN      1158/dnsmasq
tcp        0      0 ::1:1053                :::*                    LISTEN      1158/dnsmasq
tcp        0      0 fd67:3983:4721::1:1053  :::*                    LISTEN      1158/dnsmasq
tcp        0      0 :::53                   :::*                    LISTEN      2617/unbound
tcp        0      0 fe80::5264:2bff:fe94:f386:1053 :::*                    LISTEN      1158/dnsmasq
tcp        0      0 fe80::5264:2bff:fe94:f386:1053 :::*                    LISTEN      1158/dnsmasq
udp        0      0 127.0.0.1:1053          0.0.0.0:*                           1158/dnsmasq
udp        0      0 192.168.1.11:1053       0.0.0.0:*                           1158/dnsmasq
udp        0      0 0.0.0.0:53              0.0.0.0:*                           2617/unbound
udp        0      0 0.0.0.0:39533           0.0.0.0:*                           2107/ntpd
udp        0      0 fe80::5264:2bff:fe94:f386:1053 :::*                                1158/dnsmasq
udp        0      0 fd67:3983:4721::1:1053  :::*                                1158/dnsmasq
udp        0      0 fe80::5264:2bff:fe94:f386:1053 :::*                                1158/dnsmasq
udp        0      0 ::1:1053                :::*                                1158/dnsmasq
udp        0      0 :::53                   :::*                                2617/unbound

I changed the Unbound config to listen on everything now, also on the other addresses. Is it OK now? If the answer is negative, could you please be so kind as to tell me what else to change?

It's fine, restart the service now to verify that it works.

1 Like

Unfortunately not.


root@OpenWrt:~# nslookup openwrt.org 192.168.1.11
nslookup: read: Connection refused
nslookup: read: Connection refused
nslookup: read: Connection refused
nslookup: read: Connection refused
;; connection timed out; no servers could be reached

root@OpenWrt:~# 

So what's next? xD

I still see my ISP's DNS on dnsleaktest instead of my external IP.

netstat -tulpn | grep 53

1 Like

BusyBox v1.36.1 (2023-11-14 13:38:11 UTC) built-in shell (ash)

root@OpenWrt:~# netstat -tulpn | grep 53
tcp        0      0 127.0.0.1:1053          0.0.0.0:*               LISTEN      1157/dnsmasq
tcp        0      0 192.168.1.11:1053       0.0.0.0:*               LISTEN      1157/dnsmasq
tcp        0      0 ::1:1053                :::*                    LISTEN      1157/dnsmasq
tcp        0      0 fd67:3983:4721::1:1053  :::*                    LISTEN      1157/dnsmasq
tcp        0      0 fe80::5264:2bff:fe94:f386:1053 :::*                    LISTEN      1157/dnsmasq
tcp        0      0 fe80::5264:2bff:fe94:f386:1053 :::*                    LISTEN      1157/dnsmasq
udp        0      0 127.0.0.1:1053          0.0.0.0:*                           1157/dnsmasq
udp        0      0 192.168.1.11:1053       0.0.0.0:*                           1157/dnsmasq
udp        0      0 fe80::5264:2bff:fe94:f386:1053 :::*                                1157/dnsmasq
udp        0      0 fd67:3983:4721::1:1053  :::*                                1157/dnsmasq
udp        0      0 fe80::5264:2bff:fe94:f386:1053 :::*                                1157/dnsmasq
udp        0      0 ::1:1053                :::*                                1157/dnsmasq
root@OpenWrt:~# 

Weird, right?

Now it is not running at all.
logread -e unbound

1 Like
/etc/unbound$ netstat -tulpn | grep 53
tcp        0      0 0.0.0.0:53              0.0.0.0:*               LISTEN      2888/unbound
tcp        0      0 192.168.1.11:1053       0.0.0.0:*               LISTEN      1159/dnsmasq
tcp        0      0 192.168.1.11:53         0.0.0.0:*               LISTEN      2888/unbound
tcp        0      0 127.0.0.1:1053          0.0.0.0:*               LISTEN      1159/dnsmasq
tcp        0      0 :::53                   :::*                    LISTEN      2888/unbound
tcp        0      0 fd67:3983:4721::1:1053  :::*                    LISTEN      1159/dnsmasq
tcp        0      0 ::1:1053                :::*                    LISTEN      1159/dnsmasq
tcp        0      0 fe80::5264:2bff:fe94:f386:1053 :::*                    LISTEN      1159/dnsmasq
tcp        0      0 fe80::5264:2bff:fe94:f386:1053 :::*                    LISTEN      1159/dnsmasq
udp        0      0 127.0.0.1:1053          0.0.0.0:*                           1159/dnsmasq
udp        0      0 192.168.1.11:1053       0.0.0.0:*                           1159/dnsmasq
udp        0      0 192.168.1.11:53         0.0.0.0:*                           2888/unbound
udp        0      0 0.0.0.0:53              0.0.0.0:*                           2888/unbound
udp        0      0 fe80::5264:2bff:fe94:f386:1053 :::*                                1159/dnsmasq
udp        0      0 fd67:3983:4721::1:1053  :::*                                1159/dnsmasq
udp        0      0 fe80::5264:2bff:fe94:f386:1053 :::*                                1159/dnsmasq
udp        0      0 ::1:1053                :::*                                1159/dnsmasq
udp        0      0 :::53                   :::*                                2888/unbound

and

BusyBox v1.36.1 (2023-11-14 23:00:58 UTC) built-in shell (ash)

root@OpenWrt:~# nslookup openwrt.org 192.168.1.11
;; connection timed out; no servers could be reached

And what you asked:


/etc$  logread -e unbound
Wed Nov 22 20:31:31 2023 daemon.notice unbound: [2668:0] notice: init module 0: validator
Wed Nov 22 20:31:31 2023 daemon.notice unbound: [2668:0] notice: init module 1: iterator
Wed Nov 22 20:31:32 2023 daemon.info unbound: [2668:0] info: start of service (unbound 1.18.0).

So, tips? I'm very confused by this result hahaha

Run the same command from the .1.11 server to verify that nothing is blocking it.