Unbound question

I have an AT&T DSL connection for internet. In our area, their solution comes with a wifi router and they do not support customer devices. However, their modem/router offers an IP passthrough and that is how I use it.

I want to test out unbound without disturbing the existing LAN setup. Here are the questions:

  1. Since the AT&T router has an address range of 192.168.200.1/24, I can connect an unbound box to a spare port on the AT&T router. This device will have its firewall disabled and will basically be a LAN switch (192.168.200.200) with one of its LAN ports connected to the AT&T DSL.
  2. On the second port will be my openwrt firewall. On its wan port, I will fix the DNS as 192.168.200.200 as primary and 9.9.9.9 as secondary which I can remove at some future date after testing.
  3. On the firewall, I will install BanIP that will force the use of port 53 only to the list of well known ip address.
  4. On the LAN DHCP, I will set option 6 to the LAN gateway address so that dnsmasq sees all the DNS queries.

Will this solution give me recursive DNS? I realize that if I do a VPN setup on this firewall, this solution will fail. VPN setups on individual devices will still work.

Appreciate comments.

There's no firewall on a subnet.
Why not simply double or triple NAT? Put the openwrt device behind the AT&T router?

for testing, that is ...

On my AT&T router, I connected two OpenWrt devices. One of them is just a Netgear R6100 with Unbound loaded by default and listening on port 53. The AT&T router assigned it an IP address of 192.168.200.100.

The second device connected to my AT&T router is my main OpenWrt firewall, an OnHub running with ksmbd. It serves approximately 50 devices (including IoT) on its two interfaces (LAN and IoT).

On this main firewall, for both the LAN and the WAN, I have entered following custom DNS servers:

192.168.200.100
9.9.9.9
8.8.8.8
1.1.1.1

I hope to remove one of the public DNS servers every two days and watch for performance. This is our only net and its failure will make my family very unhappy, so I am taking baby steps to get off the public DNS.

Am I on the right path? I did a dig and got the following response:

agarg@anil-ZBOX-CI327:~/Downloads$ dig garg.com 192.168.200.100

; <<>> DiG 9.18.30-0ubuntu0.24.04.1-Ubuntu <<>> garg.com 192.168.200.100
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55236
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;garg.com.			IN	A

;; ANSWER SECTION:
garg.com.		300	IN	A	15.197.148.33
garg.com.		300	IN	A	3.33.130.190

;; Query time: 32 msec
;; SERVER: 127.0.0.53#53(127.0.0.53) (UDP)
;; WHEN: Fri Feb 07 19:18:13 PST 2025
;; MSG SIZE  rcvd: 69

;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 16348
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;192.168.200.100.		IN	A

;; AUTHORITY SECTION:
.			2122	IN	SOA	a.root-servers.net. nstld.verisign-grs.com. 2025020701 1800 900 604800 86400

;; Query time: 3 msec
;; SERVER: 127.0.0.53#53(127.0.0.53) (UDP)
;; WHEN: Fri Feb 07 19:18:13 PST 2025
;; MSG SIZE  rcvd: 119

agarg@anil-ZBOX-CI327:~/Downloads$ 

Also I enabled control and installed unbound-control

config unbound 'ub_main'
	option add_extra_dns '0'
	option add_local_fqdn '1'
	option add_wan_fqdn '0'
	option dhcp_link 'none'
	option dhcp4_slaac6 '0'
	option dns64 '0'
	option dns64_prefix '64:ff9b::/96'
	option domain 'lan'
	option domain_type 'static'
	option edns_size '1232'
	option extended_stats '0'
	option hide_binddata '1'
	option interface_auto '1'
	option listen_port '53'
	option localservice '1'
	option manual_conf '0'
	option num_threads '1'
	option protocol 'default'
	option query_minimize '0'
	option query_min_strict '0'
	option rate_limit '0'
	option rebind_localhost '0'
	option rebind_protection '1'
	option recursion 'default'
	option resource 'default'
	option root_age '9'
	option ttl_min '120'
	option ttl_neg_max '1000'
	option unbound_control '0'
	option validator '0'
	option validator_ntp '1'
	option verbosity '1'
	list iface_trig 'lan'
	list iface_trig 'wan'
	list iface_wan 'wan'
	#list domain_insecure 'ntp.example.com'

And it says connection refused

root@R6100-SW:~# unbound-control stats
[1738985589] unbound-control[4148:0] error: connect: Connection refused for 127.0.0.1 port 8953
root@R6100-SW:~# 
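
The dig output in this post never touched unbound: without `@` in front of the address, dig treats `192.168.200.100` as a second name to look up, which is why there are two answers, the second one NXDOMAIN for `192.168.200.100.`, and why both `;; SERVER:` lines show `127.0.0.53`, the desktop's systemd-resolved stub, not the R6100. The following is an added example, not code from the thread: a POSIX sh script that reads dig output and says whether the intended resolver actually answered, whether it offered recursion (the `ra` flag), and whether the `@` was forgotten. The first sample is copied from the post above; the other two are constructed to show a correct run and an answer without recursion. The resolver address 192.168.200.100 is the one from the posts; `openwrt.org` is an arbitrary name.

```shell
#!/bin/sh
# Added example (not from the thread). Judge whether a dig run really
# exercised the resolver under test, from the output dig printed.

# Sample 1: copied from the post above. dig was run as
#   dig garg.com 192.168.200.100        (no '@')
# so dig resolved both names via the local stub on 127.0.0.53.
SAMPLE_MISSING_AT='; <<>> DiG 9.18.30-0ubuntu0.24.04.1-Ubuntu <<>> garg.com 192.168.200.100
;; Got answer:
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; QUESTION SECTION:
;garg.com.   IN  A
;; Query time: 32 msec
;; SERVER: 127.0.0.53#53(127.0.0.53) (UDP)

;; Got answer:
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; QUESTION SECTION:
;192.168.200.100.   IN  A
;; Query time: 3 msec
;; SERVER: 127.0.0.53#53(127.0.0.53) (UDP)'

# Sample 2: constructed. What a correct run (dig openwrt.org @192.168.200.100)
# against a recursive resolver looks like: one answer, ra set, SERVER is the box.
SAMPLE_OK='; <<>> DiG 9.18.30 <<>> openwrt.org @192.168.200.100
;; Got answer:
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; QUESTION SECTION:
;openwrt.org.   IN  A
;; Query time: 6 msec
;; SERVER: 192.168.200.100#53(192.168.200.100) (UDP)'

# Sample 3: constructed. Same server, but it answered without the ra flag,
# i.e. it is not doing recursion for this client.
SAMPLE_NO_RA='; <<>> DiG 9.18.30 <<>> openwrt.org @192.168.200.100
;; Got answer:
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; QUESTION SECTION:
;openwrt.org.   IN  A
;; Query time: 1 msec
;; SERVER: 192.168.200.100#53(192.168.200.100) (UDP)'

# Address from the first ";; SERVER: a.b.c.d#53(a.b.c.d) (UDP)" line.
answering_server() {
  printf '%s\n' "$1" | sed -n 's/^;; SERVER: \([^#]*\)#.*/\1/p' | head -n 1
}

# One ";; Got answer:" per name dig resolved; more than one means the
# resolver address was taken as a name (the missing '@' mistake).
answer_count() {
  printf '%s\n' "$1" | grep -c '^;; Got answer:' || true
}

# First ";; Query time: N msec" value, for the latency comparison.
query_time_ms() {
  printf '%s\n' "$1" | sed -n 's/^;; Query time: \([0-9]*\) msec.*/\1/p' | head -n 1
}

# True when the flags line carries "ra" (recursion available).
recursion_available() {
  printf '%s\n' "$1" | grep -q '^;; flags:.* ra[ ;]'
}

# Verdict (first word is a fixed token) for output $2 of a test that was
# meant to hit resolver $1.
verdict() {
  intended=$1; out=$2
  if [ "$(answer_count "$out")" -gt 1 ]; then
    echo "missing-at dig resolved $intended as a name; write @$intended"
  elif [ "$(answering_server "$out")" != "$intended" ]; then
    echo "wrong-server answered by $(answering_server "$out"), not $intended"
  elif ! recursion_available "$out"; then
    echo "no-recursion $intended answered without the ra flag"
  else
    echo "ok $intended answered recursively in $(query_time_ms "$out") ms"
  fi
}

# Live use on the desktop: check_live 192.168.200.100 openwrt.org
check_live() {
  verdict "$1" "$(dig "$2" "@$1")"
}

if [ "$1" = "live" ]; then
  check_live "$2" "$3"
fi
```

Run it as `sh check_dig.sh live 192.168.200.100 openwrt.org` from the desktop; anything other than an `ok` verdict means the latency numbers you are about to collect belong to some other resolver. The `ra` check matters for the stated goal: a server that answers from cache or a stub configuration without `ra` is not giving you recursive DNS even though the query succeeds.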

The use of unbound-control is disabled in your config.

Thanks. I changed that to 1 since TLS is not needed on the intranet. I checked to confirm that the firewall is disabled on this box and rebooted it. The box on which unbound is installed is 192.168.200.100.

I still get this:

root@R6100-SW:/etc/unbound# unbound-control stats
[1738996277] unbound-control[5887:0] error: connect: Connection refused for 127.0.0.1 port 8953
root@R6100-SW:/etc/unbound# cat /etc/config/unbound 

So unbound and unbound-control are running on different hardware? If so, check the unbound online readme (https://github.com/openwrt/packages/blob/master/net/unbound/files/README.md), which describes different unbound-control access methods, e.g.

I followed this and set unbound_control to 1.

Both unbound and unbound-control are on the same Netgear R6100. The Netgear R6100 has no other function. Its firewall has been disabled, the LAN interface set to DHCP, and unbound (+control) installed before boot.

I am running unbound-control from the command line of the R6100 after ssh-ing into it. I made a picture to illustrate:

This is the response I get from it:

agarg@ZBOX-CI327:~$ dig builtwith.com 192.168.200.100

; <<>> DiG 9.18.30-0ubuntu0.24.04.1-Ubuntu <<>> builtwith.com 192.168.200.100
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49352
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;builtwith.com.			IN	A

;; ANSWER SECTION:
builtwith.com.		60	IN	A	65.8.161.116
builtwith.com.		60	IN	A	65.8.161.14
builtwith.com.		60	IN	A	65.8.161.121
builtwith.com.		60	IN	A	65.8.161.89

;; Query time: 43 msec
;; SERVER: 127.0.0.53#53(127.0.0.53) (UDP)
;; WHEN: Sat Feb 08 09:11:34 PST 2025
;; MSG SIZE  rcvd: 106

;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 31670
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;192.168.200.100.		IN	A

;; AUTHORITY SECTION:
.			43161	IN	SOA	a.root-servers.net. nstld.verisign-grs.com. 2025020800 1800 900 604800 86400

;; Query time: 3 msec
;; SERVER: 127.0.0.53#53(127.0.0.53) (UDP)
;; WHEN: Sat Feb 08 09:11:34 PST 2025
;; MSG SIZE  rcvd: 119

OK, then post the output of ...

ps | grep "[u]nbound"

agarg@ZBOX-CI327:~$ ssh -l root 192.168.200.100


BusyBox v1.36.1 (2025-01-08 18:59:28 UTC) built-in shell (ash)

  _______                     ________        __
 |       |.-----.-----.-----.|  |  |  |.----.|  |_
 |   -   ||  _  |  -__|     ||  |  |  ||   _||   _|
 |_______||   __|_____|__|__||________||__|  |____|
          |__| W I R E L E S S   F R E E D O M
 -----------------------------------------------------
 OpenWrt 23.05.5, r24106-10cc5fcd00
 -----------------------------------------------------
=== WARNING! =====================================
There is no root password defined on this device!
Use the "passwd" command to set up a new password
in order to prevent unauthorized SSH logins.
--------------------------------------------------
root@R6100-SW:~# ps | grep "[u]nbound"
root@R6100-SW:~# ps | grep "nbound"
 8512 root      1372 S    grep nbound
root@R6100-SW:~# 

That means that unbound is not running on this device, therefore the unbound-control error!
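
The thread hit the two causes of "connect: Connection refused for 127.0.0.1 port 8953" in the order they should be checked: first the daemon was not running at all (so enabling `unbound_control` could not help), and only then does the control option matter. Two side notes from the output above: the login banner on the R6100 reports no root password, so set one with `passwd` before leaving this box on the LAN; and per the README linked earlier, `unbound_control '1'` is the loopback-only, unencrypted level, which is why skipping TLS was acceptable here. The following is an added example, not code from the thread: a POSIX sh script that encodes that check order. The classification is separated from the live commands so it can be exercised off the router; the UCI section name `ub_main`, the `ps` line and the control port 8953 are taken from the posts, and the remedies are the standard OpenWrt service and `uci` commands.

```shell
#!/bin/sh
# Added example (not from the thread). Orders the checks behind
# "unbound-control: connect: Connection refused for 127.0.0.1 port 8953"
# on an OpenWrt box running the unbound package (section 'ub_main').

# Classify from three observations, kept as arguments so the logic can be
# tested without a router:
#   $1: output of  ps | grep "[u]nbound"          (empty when not running)
#   $2: value of   uci get unbound.ub_main.unbound_control   ("0" or "1")
#   $3: output of  netstat -ln | grep ':8953 '    (empty when nothing listens)
classify_control_failure() {
  ps_out=$1; ctl_opt=$2; listen_out=$3
  if [ -z "$ps_out" ]; then
    echo "not-running"        # the thread's real cause: nothing to connect to
  elif [ "$ctl_opt" != "1" ]; then
    echo "control-disabled"   # the first reply's suspicion
  elif [ -z "$listen_out" ]; then
    echo "not-listening"      # option set, but the running daemon predates it
  else
    echo "ok"
  fi
}

# Next command for each class.
remedy() {
  case "$1" in
    not-running)
      echo "/etc/init.d/unbound enable && /etc/init.d/unbound start; then logread -e unbound" ;;
    control-disabled)
      echo "uci set unbound.ub_main.unbound_control='1' && uci commit unbound && /etc/init.d/unbound restart" ;;
    not-listening)
      echo "/etc/init.d/unbound restart so the regenerated /var/lib/unbound/unbound.conf carries the control section" ;;
    ok)
      echo "unbound-control status" ;;
    *)
      echo "unknown class: $1" ;;
  esac
}

# Live diagnosis, run on the router itself.
diagnose_live() {
  cls=$(classify_control_failure \
    "$(ps 2>/dev/null | grep '[u]nbound')" \
    "$(uci -q get unbound.ub_main.unbound_control)" \
    "$(netstat -ln 2>/dev/null | grep ':8953 ')")
  echo "$cls: $(remedy "$cls")"
}

if [ "$1" = "live" ]; then
  diagnose_live
fi
```

On the R6100 this is `sh diag_unbound.sh live`. The `ps` check comes first deliberately: `unbound-control` only reports the socket refusal, so the option value tells you nothing until a daemon is actually up to read it.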

OK. Let me check why not. The service is enabled in LuCI.

I got into ssh and started:

root@R6100-SW:~# service unbound start
root@R6100-SW:~# ps | grep unbound
 9076 unbound  16352 S    /usr/sbin/unbound -d -c /var/lib/unbound/unbound.conf
 9103 root      1372 S    grep unbound
root@R6100-SW:~# 

And after that I ran the following command and got a whole lot of data:

root@R6100-SW:~# unbound-control stats
thread0.num.queries=0
thread0.num.queries_ip_ratelimited=0
thread0.num.queries_cookie_valid=0
thread0.num.queries_cookie_client=0
thread0.num.queries_cookie_invalid=0
thread0.num.cachehits=0
thread0.num.cachemiss=0
thread0.num.prefetch=0
thread0.num.queries_timed_out=0
thread0.query.queue_time_us.max=0
thread0.num.expired=0
thread0.num.recursivereplies=0
thread0.requestlist.avg=0
thread0.requestlist.max=0
thread0.requestlist.overwritten=0
thread0.requestlist.exceeded=0
thread0.requestlist.current.all=0
thread0.requestlist.current.user=0
thread0.recursion.time.avg=0.000000
thread0.recursion.time.median=0
thread0.tcpusage=0
total.num.queries=0
total.num.queries_ip_ratelimited=0
total.num.queries_cookie_valid=0
total.num.queries_cookie_client=0
total.num.queries_cookie_invalid=0
total.num.cachehits=0
total.num.cachemiss=0
total.num.prefetch=0
total.num.queries_timed_out=0
total.query.queue_time_us.max=0
total.num.expired=0
total.num.recursivereplies=0
total.requestlist.avg=0
total.requestlist.max=0
total.requestlist.overwritten=0
total.requestlist.exceeded=0
total.requestlist.current.all=0
total.requestlist.current.user=0
total.recursion.time.avg=0.000000
total.recursion.time.median=0
total.tcpusage=0
time.now=1739035551.515822
time.up=104.828688
time.elapsed=104.828688
root@R6100-SW:~# 

Thanks so much. I don't know why unbound won't run despite being enabled and several reboots later.

I started it from the command line and it started running, and that has survived the reboot.

This is the final result:

agarg@ZBOX-CI327:~$ while true; do dig openwrt.org @192.168.200.100 | grep time; sleep 2; done
;; Query time: 6 msec
;; Query time: 6 msec
;; Query time: 5 msec
;; Query time: 7 msec
;; Query time: 5 msec
^C
agarg@ZBOX-CI327:~$ while true; do dig openwrt.org @9.9.9.9 | grep time; sleep 2; done
;; Query time: 30 msec
;; Query time: 26 msec
;; Query time: 26 msec
;; Query time: 26 msec
^C
agarg@ZBOX-CI327:~$ while true; do dig openwrt.org @8.8.8.8 | grep time; sleep 2; done
;; Query time: 34 msec
;; Query time: 33 msec
;; Query time: 33 msec
;; Query time: 34 msec
;; Query time: 34 msec
^C
agarg@ZBOX-CI327:~$ while true; do dig openwrt.org @1.1.1.1 | grep time; sleep 2; done
;; Query time: 27 msec
;; Query time: 27 msec
;; Query time: 27 msec
;; Query time: 26 msec
^C

Thanks for your super help.


This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.