I guess I got myself confused or things have changed. I thought I could resolve www.facebook.com ... so I thought I could resolve some Facebook subdomains but not all. But now today (with the 1.9 unbound) I can't resolve any.
I have my gateway, my 4G LTE modem, and then the AT&T network between me and reality. I'll check the first two again for some type of filtering.
It's interesting (from your previous post) that I can add special cases for particular domains.
The other question is if doing encrypted queries would help. Any idea if it would?
Thank you again for your help. It's been very educational for me.
pi@ph5b:~ $ traceroute -n 185.89.218.12
traceroute to 185.89.218.12 (185.89.218.12), 30 hops max, 60 byte packets
1 10.0.0.1 0.713 ms 0.704 ms 0.817 ms
2 192.168.1.1 1.096 ms 0.901 ms 0.905 ms
3 62.58.240.1 7.562 ms 7.320 ms 7.845 ms
4 212.53.25.201 10.555 ms 11.000 ms 26.897 ms
5 212.53.25.193 10.782 ms 10.578 ms 10.714 ms
6 212.151.190.0 11.419 ms 11.210 ms 11.102 ms
7 130.244.82.55 8.042 ms 8.037 ms 8.983 ms
8 130.244.200.46 10.774 ms 11.048 ms 10.959 ms
9 195.219.194.78 218.731 ms 195.219.156.61 204.850 ms 195.219.194.146 203.320 ms
10 195.219.156.133 211.872 ms 195.219.156.151 214.576 ms 80.231.217.5 206.166 ms
11 195.219.87.209 202.499 ms 195.219.87.169 213.530 ms 180.87.12.2 205.479 ms
12 180.87.12.226 216.651 ms 80.231.217.1 199.245 ms 199.079 ms
13 116.0.93.168 202.783 ms 80.231.217.91 203.732 ms 116.0.93.152 197.990 ms
14 180.87.12.2 202.581 ms 116.0.93.147 206.972 ms 180.87.12.2 202.714 ms
15 180.87.12.226 215.920 ms * 116.0.82.62 211.895 ms
16 116.0.82.62 198.831 ms 203.942 ms 116.0.93.147 200.938 ms
17 * * *
18 * * *
19 * * *
20 * * *
21 * * *
22 * * *
23 * * *
24 * * *
25 * * *
26 * * *
27 * * *
28 * * *
29 * * *
30 * * *
(Unrelated to the issue, just to clarify: DNSSEC is not about encrypting DNS traffic - it is about digitally signing DNS records so you can be sure they are authentic and haven't been manipulated.
It is correct that the root servers don't do encryption, but they (as well as the majority of TLD domain servers) do support DNSSEC (the root zone has been completely signed since 2010).
Since the root servers do not support encryption, that also means you cannot run unbound (nor any other DNS server) as a fully recursive resolver and encrypt DNS traffic at the same time.)
Last week my kids were complaining that some sites including Instagram weren't connecting. After some investigation it transpired that it was down to the Adlists that were pulled in overnight. Trimming the Adlists to the default 4 brought them all back. Bonus was that it brought down the memory usage of the Pi as well.
I created a little bash script to analyse those debug logs and generate a list of dig queries that unbound performs.
Next time we can compare outcome for those queries between a good and bad setup.
I know it's not perfect, but it does the job:
pi@ph5b:~ $ nano unbound_check.sh
#!/bin/bash
# Walk an unbound log (verbosity 3 or higher) and, for every upstream query
# unbound sent, print the equivalent dig command so it can be replayed by hand.
# Usage: ./unbound_check.sh /path/to/unbound.log
QUERY=""
TARGET=""
while IFS= read -r LINE; do
    # Log line: "... sending query: <name> <type> <class>"
    if [[ "$LINE" =~ "sending query" ]]; then
        QUERY=$(sed 's/^.*sending query: //' <<< "$LINE")
    fi
    # Log line: "... sending to target: <zone> <ip>#<port>" - keep only the IP
    if [[ "$LINE" =~ "sending to target" ]]; then
        TARGET=$(sed 's/^.*sending to target.*> //; s/#.*$//' <<< "$LINE")
    fi
    # Once both halves of a pair are known, emit one dig line and reset
    if [[ -n "$QUERY" ]] && [[ -n "$TARGET" ]]; then
        echo "dig +norecurse @$TARGET $QUERY"
        QUERY=""
        TARGET=""
    fi
done < "$1"
pi@ph5b:~ $ chmod +x unbound_check.sh
pi@ph5b:~ $
Below my good logs:
pi@ph5b:~ $ ./unbound_check.sh unbound.good.log | column -t
dig +norecurse @192.203.230.10 . NS IN
dig +norecurse @199.9.14.201 com. A IN
dig +norecurse @192.54.112.30 instagram.com. A IN
dig +norecurse @205.251.193.128 www.instagram.com. A IN
dig +norecurse @192.112.36.4 org. A IN
dig +norecurse @192.36.148.17 uk. A IN
dig +norecurse @202.12.27.33 net. A IN
dig +norecurse @199.19.53.1 awsdns-40.org. A IN
dig +norecurse @192.35.51.30 facebook.com. A IN
dig +norecurse @192.54.112.30 awsdns-44.net. A IN
dig +norecurse @205.251.196.43 ns-1349.awsdns-40.org. A IN
dig +norecurse @129.134.31.12 c10r.facebook.com. A IN
dig +norecurse @205.251.195.46 ns-868.awsdns-44.net. A IN
dig +norecurse @129.134.30.11 z-p42-instagram.c10r.facebook.com. A IN
dig +norecurse @43.230.48.1 co.uk. A IN
dig +norecurse @156.154.102.3 awsdns-60.co.uk. A IN
dig +norecurse @192.36.148.17 . DNSKEY IN
dig +norecurse @192.33.4.12 _ta-4f66. A IN
dig +norecurse @192.52.178.30 com. DNSKEY IN
dig +norecurse @205.251.198.1 ns-2016.awsdns-60.co.uk. A IN
Below the bad logs:
pi@ph5b:~ $ ./unbound_check.sh unbound.bad.log | column -t
dig +norecurse @192.5.5.241 . NS IN
dig +norecurse @198.97.190.53 com. A IN
dig +norecurse @192.31.80.30 instagram.com. A IN
dig +norecurse @205.251.193.128 www.instagram.com. A IN
dig +norecurse @192.5.5.241 org. A IN
dig +norecurse @192.5.5.241 uk. A IN
dig +norecurse @192.112.36.4 net. A IN
dig +norecurse @192.43.172.30 facebook.com. A IN
dig +norecurse @199.19.56.1 awsdns-40.org. A IN
dig +norecurse @192.12.94.30 awsdns-44.net. A IN
dig +norecurse @185.89.218.12 c10r.facebook.com. A IN
dig +norecurse @205.251.199.172 ns-868.awsdns-44.net. A IN
dig +norecurse @205.251.194.234 ns-1349.awsdns-40.org. A IN
dig +norecurse @156.154.103.3 co.uk. A IN
dig +norecurse @156.154.103.3 awsdns-60.co.uk. A IN
dig +norecurse @205.251.198.1 ns-2016.awsdns-60.co.uk. A IN
dig +norecurse @129.134.30.12 c10r.facebook.com. A IN
dig +norecurse @129.134.30.12 c10r.facebook.com. A IN
dig +norecurse @185.89.218.12 z-p42-instagram.c10r.facebook.com. A IN
dig +norecurse @129.134.31.12 z-p42-instagram.c10r.facebook.com. A IN
dig +norecurse @129.134.31.12 z-p42-instagram.c10r.facebook.com. A IN
dig +norecurse @185.89.219.12 c10r.facebook.com. A IN
dig +norecurse @185.89.219.12 c10r.facebook.com. A IN
dig +norecurse @185.89.219.12 z-p42-instagram.c10r.facebook.com. A IN
dig +norecurse @185.89.218.12 c10r.facebook.com. A IN
dig +norecurse @185.89.218.12 z-p42-instagram.c10r.facebook.com. A IN
dig +norecurse @185.89.219.12 z-p42-instagram.c10r.facebook.com. A IN
dig +norecurse @185.89.219.12 z-p42-instagram.c10r.facebook.com. A IN
dig +norecurse @129.134.31.12 c10r.facebook.com. A IN
dig +norecurse @129.134.31.12 z-p42-instagram.c10r.facebook.com. A IN
dig +norecurse @129.134.31.12 z-p42-instagram.c10r.facebook.com. A IN
dig +norecurse @129.134.30.12 c10r.facebook.com. A IN
dig +norecurse @129.134.30.12 c10r.facebook.com. A IN
dig +norecurse @185.89.219.12 z-p42-instagram.c10r.facebook.com. A IN
dig +norecurse @129.134.30.12 z-p42-instagram.c10r.facebook.com. A IN
dig +norecurse @185.89.219.12 z-p42-instagram.c10r.facebook.com. A IN
dig +norecurse @185.89.218.12 z-p42-instagram.c10r.facebook.com. A IN
dig +norecurse @185.89.218.12 z-p42-instagram.c10r.facebook.com. A IN
dig +norecurse @185.89.218.12 z-p42-instagram.c10r.facebook.com. A IN
dig +norecurse @185.89.219.12 z-p42-instagram.c10r.facebook.com. A IN
dig +norecurse @185.89.218.12 z-p42-instagram.c10r.facebook.com. A IN
dig +norecurse @185.89.218.12 z-p42-instagram.c10r.facebook.com. A IN
dig +norecurse @185.89.218.12 z-p42-instagram.c10r.facebook.com. A IN
dig +norecurse @129.134.30.12 z-p42-instagram.c10r.facebook.com. A IN
dig +norecurse @129.134.30.12 z-p42-instagram.c10r.facebook.com. A IN
dig +norecurse @129.134.30.12 z-p42-instagram.c10r.facebook.com. A IN
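The bad run above is dominated by the same two queries being re-sent to 185.89.218.12, 185.89.219.12, 129.134.30.12 and 129.134.31.12 over and over, which is what unbound does when a target never answers. The following Python script is an added example, not code from the thread or from the unbound project: it parses the same two log line shapes the bash script's sed patterns match ("sending query: <name> <type> <class>" and "sending to target: <zone> <ip>#<port>"), produces the same dig list, and additionally counts how often each (target, query) pair was sent so the unresponsive servers stand out. The log excerpt embedded in it is constructed for the example (timestamps and pid are made up); the names and addresses are taken from the bad run listed above.

```python
"""Pair unbound 'sending query:' lines with the 'sending to target:' line that
follows, emit replayable dig commands, and flag targets that unbound had to
retry (repeated sends of one query to one IP usually mean timeouts)."""
import re
import sys
from collections import Counter

# Constructed sample log in the format unbound writes at verbosity 3+.
# Names/IPs mirror the thread's bad run; timestamps and pid are invented.
SAMPLE_LOG = """\
[1600000000] unbound[1234:0] info: resolving www.instagram.com. A IN
[1600000000] unbound[1234:0] info: sending query: www.instagram.com. A IN
[1600000000] unbound[1234:0] debug: sending to target: <instagram.com.> 205.251.193.128#53
[1600000000] unbound[1234:0] info: sending query: c10r.facebook.com. A IN
[1600000000] unbound[1234:0] debug: sending to target: <facebook.com.> 185.89.218.12#53
[1600000001] unbound[1234:0] info: sending query: c10r.facebook.com. A IN
[1600000001] unbound[1234:0] debug: sending to target: <facebook.com.> 185.89.219.12#53
[1600000002] unbound[1234:0] info: sending query: c10r.facebook.com. A IN
[1600000002] unbound[1234:0] debug: sending to target: <facebook.com.> 185.89.218.12#53
[1600000003] unbound[1234:0] info: sending query: z-p42-instagram.c10r.facebook.com. A IN
[1600000003] unbound[1234:0] debug: sending to target: <facebook.com.> 185.89.218.12#53
"""

QUERY_RE = re.compile(r"sending query: (?P<name>\S+) (?P<type>\S+) (?P<class>\S+)")
TARGET_RE = re.compile(
    r"sending to target: <(?P<zone>\S+)> (?P<ip>[0-9a-fA-F.:]+)#(?P<port>\d+)")


def parse_sends(text):
    """Return (target_ip, zone, 'name type class') tuples in log order.

    A 'sending query:' line is held until the next 'sending to target:'
    line, exactly like the bash script's QUERY/TARGET pairing."""
    sends = []
    query = None
    for line in text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            query = f"{m['name']} {m['type']} {m['class']}"
            continue
        m = TARGET_RE.search(line)
        if m and query is not None:
            sends.append((m["ip"], m["zone"], query))
            query = None
    return sends


def dig_commands(sends):
    """Same output as unbound_check.sh: one replayable dig line per send."""
    return [f"dig +norecurse @{ip} {q}" for ip, _zone, q in sends]


def retry_counts(sends):
    """How many times each (target_ip, query) pair was put on the wire."""
    return Counter((ip, q) for ip, _zone, q in sends)


def suspect_servers(sends, threshold=2):
    """Targets that received the same query at least `threshold` times,
    mapped to the total number of packets sent to that target."""
    repeats = retry_counts(sends)
    total = Counter(ip for ip, _zone, _q in sends)
    flagged = {ip for (ip, _q), n in repeats.items() if n >= threshold}
    return {ip: total[ip] for ip in flagged}


if __name__ == "__main__":
    # Usage: python3 unbound_retries.py /var/log/unbound.log  (or no arg for the sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    sends = parse_sends(text)
    for cmd in dig_commands(sends):
        print(cmd)
    for ip, n in sorted(suspect_servers(sends).items(), key=lambda kv: -kv[1]):
        print(f"# retried target: {ip} ({n} sends) - try: traceroute -n {ip}")
```

Run against the real unbound.bad.log the "retried target" lines should name the Facebook nameservers, which is the same set the traceroute earlier in the thread could not reach; a server that shows up there but answers fine to the printed dig command from another network points at filtering on the path rather than at unbound.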