Is dnssec working?

Scrap the above
Even with unbound on port 5354, all queries are coming back with SERVFAIL

Yes it resolves ok

Agreed it's an option. But as has been mentioned others have it working on v1.60
I'm just eager to figure out what has happened on my install

So I decided to try this.
I could not get version 1.9.4-1 to install.
When I run dpkg I get a lot of dependency errors:

pi@pi-hole:/tmp $ sudo dpkg -i unbound_1.9.4-1_armhf.deb
Selecting previously unselected package unbound.
(Reading database ... 38251 files and directories currently installed.)
Preparing to unpack unbound_1.9.4-1_armhf.deb ...
Unpacking unbound (1.9.4-1) ...
dpkg: dependency problems prevent configuration of unbound:
 unbound depends on unbound-anchor; however:
  Package unbound-anchor is not installed.
 unbound depends on libc6 (>= 2.28); however:
  Version of libc6:armhf on system is 2.24-11+deb9u4.
 unbound depends on libevent-2.1-6 (>= 2.1.8-stable); however:
  Package libevent-2.1-6 is not installed.
 unbound depends on libfstrm0 (>= 0.2.0); however:
  Package libfstrm0 is not installed.
 unbound depends on libprotobuf-c1 (>= 1.0.1); however:
  Package libprotobuf-c1 is not installed.
 unbound depends on libpython3.7 (>= 3.7.0); however:
  Package libpython3.7 is not installed.
 unbound depends on libssl1.1 (>= 1.1.1); however:
  Version of libssl1.1:armhf on system is 1.1.0l-1~deb9u1.

dpkg: error processing package unbound (--install):
 dependency problems - leaving unconfigured
Processing triggers for systemd (232-25+deb9u12) ...
Processing triggers for man-db (2.7.6.1-2) ...
Errors were encountered while processing:
 unbound

Immediately before trying to install, I removed unbound 1.6.0 with sudo apt purge unbound and then finally sudo apt autoremove && sudo apt autoclean
All remaining config files and logs were removed.
Finally sudo apt update && sudo apt upgrade
So my system is fully up to date, but unbound 1.9.4-1 did not install.

I noticed the .deb file you listed above was appended with _armhf.deb but the one uninstalled on my system was 1.6.0-3+deb9u2
Is this significant? Looking at the mirror list there are multiple different deb files... I'm unsure which is what and how to choose, if that makes sense?

I haven't reinstalled unbound yet.
Having tried reinstalling 3 times I see no sense in trying it again tbh.
I'm hoping the guys over at the unbound git page will help
Looking at the Debian mirror I also see unbound_1.9.4-2_armel.deb
You'll have to excuse my ignorance, but I'm not really sure which deb files can or can't be installed, or indeed even why. :man_shrugging:
I assume that the _arm64.deb is for 64 bit processors?

Currently I don't have unbound installed at all.
So the command sudo unbound -vvvv gives nothing.
Sorry if I'm missing something

No, I don't use a VPN whilst I'm at home.
Occasionally dial into my network with a VPN - openvpn on same pi as pi-hole, installed via PiVPN

Do you mean sudo apt install unbound-anchor and then use dpkg to try and install unbound 1.9.4?

IPv6 is disabled on my network

Looking at my pi-hole logs, I see a lot of queries appended with .local
Edit:
These include 'normal' looking queries, and gibberish?

Oct 30 19:50:31 dnsmasq[4542]: query[A] ivkorssvmebjco.local from 192.168.0.150
Oct 30 19:50:31 dnsmasq[4542]: forwarded ivkorssvmebjco.local to 1.0.0.1
Oct 30 19:50:31 dnsmasq[4542]: query[A] dbhaxzjgfoaw.local from 192.168.0.150
Oct 30 19:50:31 dnsmasq[4542]: forwarded dbhaxzjgfoaw.local to 1.0.0.1
Oct 30 19:50:31 dnsmasq[4542]: reply grdgchv.local is NXDOMAIN
Oct 30 19:50:31 dnsmasq[4542]: reply ivkorssvmebjco.local is NXDOMAIN
Oct 30 19:50:31 dnsmasq[4542]: reply dbhaxzjgfoaw.local is NXDOMAIN
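
For log lines like the ones quoted above, the following added example (not from the thread or from Pi-hole) lists every .local name that dnsmasq forwarded to an upstream resolver, together with the client that asked and the answer that came back. The sample log is constructed in the same format, and the function names are hypothetical.

```python
import re

# Constructed sample in the dnsmasq log format quoted above (not the poster's full log).
SAMPLE_LOG = """\
Oct 30 19:50:31 dnsmasq[4542]: query[A] ivkorssvmebjco.local from 192.168.0.150
Oct 30 19:50:31 dnsmasq[4542]: forwarded ivkorssvmebjco.local to 1.0.0.1
Oct 30 19:50:31 dnsmasq[4542]: query[A] printer.local from 192.168.0.20
Oct 30 19:50:31 dnsmasq[4542]: forwarded printer.local to 1.0.0.1
Oct 30 19:50:32 dnsmasq[4542]: query[A] example.com from 192.168.0.150
Oct 30 19:50:32 dnsmasq[4542]: forwarded example.com to 1.0.0.1
Oct 30 19:50:32 dnsmasq[4542]: reply ivkorssvmebjco.local is NXDOMAIN
Oct 30 19:50:32 dnsmasq[4542]: reply printer.local is NXDOMAIN
Oct 30 19:50:33 dnsmasq[4542]: query[AAAA] nas.local from 192.168.0.20
"""

EVENT = re.compile(
    r"dnsmasq\[\d+\]: (?P<kind>query\[\w+\]|forwarded|reply) "
    r"(?P<name>\S+) (?:from|to|is) (?P<rest>.+)$"
)

def forwarded_local_names(log_text, suffix=".local"):
    """Map each suffix name that was sent upstream to its client, upstream and answer."""
    last_client = {}  # name -> client that most recently asked for it
    leaks = {}
    for line in log_text.splitlines():
        m = EVENT.search(line)
        if m is None:
            continue  # cached/config/other lines are not needed here
        kind, name, rest = m["kind"], m["name"].lower(), m["rest"].strip()
        if kind.startswith("query"):
            last_client[name] = rest
        elif kind == "forwarded" and name.endswith(suffix):
            leaks[name] = {"client": last_client.get(name, "unknown"),
                           "upstream": rest, "answer": None}
        elif kind == "reply" and name in leaks:
            leaks[name]["answer"] = rest
    return leaks

def leaks_per_client(leaks):
    """Count forwarded suffix names per requesting client."""
    counts = {}
    for info in leaks.values():
        counts[info["client"]] = counts.get(info["client"], 0) + 1
    return counts

if __name__ == "__main__":
    found = forwarded_local_names(SAMPLE_LOG)
    for name, info in found.items():
        print(name, info)
    print(leaks_per_client(found))
```

dnsmasq's local=/local/ setting keeps names under that suffix from being forwarded upstream at all.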

So the guys over at the unbound git page have concluded that my ISP is hijacking my DNS traffic. Which sucks
I'm now running unbound in forwarding mode, with forward-addr: 1.1.1.1@853 and forward-ssl-upstream: yes
Yet I still get dnssec tests failing.
Now, here's another strange one....
If I connect to my home network via VPN, dnssec tests pass

Sounds like DoH/DoT might be the only option for dnssec validation.

How can I implement this, if you don't mind helping a little please?

I can point you to a guide for stubby.
Any place you see this command sudo vi replace it with sudo nano

Also take note: once you get to the pihole configuration at the bottom, ignore making the new dnsmasq config file. Instead set the address and port in the pihole GUI.

I should be able to help if you hit any roadblocks.
One more tip: you can use the default stubby.yml, no editing is actually required

Crap, I lied.....

Replace this command at the very end, sudo systemctl restart dnsmasq, with sudo pihole restartdns. Probably not necessary to even run, honestly

Thanks @drewski
I'll take a look when I get a chance.
I tried following the guide for cloudflared, went all the way through, but couldn't resolve any queries.

I'm glad to help.
I have been using stubby for months now. Very reliable! Good luck

Yeah makes sense.
Sky must have changed something in recent times.
Annoying.
Thanks for all your help, appreciated.
I'll give stubby a try over the weekend, given cloudflared didn't seem to work.

I have this in my config already.

I've also tried this, but unbound 1.6.0 tells me this is an unknown key using unbound-checkconfig