Unbound 1.9.2 released (june 17)

Meaning? Reference?

I can't seem to get qname minimization to work when compiling 1.9.2. Never tested it with earlier versions though. When running "dig txt qnamemintest.internet.nl" it says it's not working; it works with Knot. Any ideas?

Too bad Unbound seems stalled in Debian, now with Buster being released soon as well.

Interesting, you consider 1.9.0 to be dead. Debian -- Details of package unbound in buster


unbound (127.10.10.2 -p 5552):

dig @127.10.10.2 -p 5552 txt qnamemintest.internet.nl

; <<>> DiG 9.10.3-P4-Raspbian <<>> @127.10.10.2 -p 5552 txt qnamemintest.internet.nl
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7577
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1472
;; QUESTION SECTION:
;qnamemintest.internet.nl.      IN      TXT

;; ANSWER SECTION:
qnamemintest.internet.nl. 3600  IN      CNAME   a.b.qnamemin-test.internet.nl.
a.b.qnamemin-test.internet.nl. 3600 IN  TXT     "HOORAY - QNAME minimisation is enabled on your resolver :)!"

;; AUTHORITY SECTION:
a.b.qnamemin-test.internet.nl. 3600 IN  NS      ns.a.b.qnamemin-test.internet.nl.

;; ADDITIONAL SECTION:
ns.a.b.qnamemin-test.internet.nl. 3600 IN AAAA  2a04:b900::8:0:0:63
ns.a.b.qnamemin-test.internet.nl. 3600 IN A     185.49.140.63

;; Query time: 132 msec
;; SERVER: 127.10.10.2#5552(127.10.10.2)
;; WHEN: Thu Jun 20 16:42:54 CEST 2019
;; MSG SIZE  rcvd: 218

knot-resolver (127.10.10.5 -p 5555):

dig @127.10.10.5 -p 5555 txt qnamemintest.internet.nl

; <<>> DiG 9.10.3-P4-Raspbian <<>> @127.10.10.5 -p 5555 txt qnamemintest.internet.nl
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 425
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;qnamemintest.internet.nl.      IN      TXT

;; ANSWER SECTION:
qnamemintest.internet.nl. 3361  IN      CNAME   a.b.qnamemin-test.internet.nl.
a.b.qnamemin-test.internet.nl. 3361 IN  TXT     "HOORAY - QNAME minimisation is enabled on your resolver :)!"

;; Query time: 0 msec
;; SERVER: 127.10.10.5#5555(127.10.10.5)
;; WHEN: Thu Jun 20 16:43:53 CEST 2019
;; MSG SIZE  rcvd: 157

content of /etc/unbound/unbound.conf.d/qname-minimisation.conf:

server:
    # Send minimum amount of information to upstream servers to enhance
    # privacy. Only sends minimum required labels of the QNAME and sets
    # QTYPE to NS when possible.

    # See RFC 7816 "DNS Query Name Minimisation to Improve Privacy" for
    # details.

    # https://ripe72.ripe.net/presentations/120-unbound_qnamemin_ripe72.pdf
    # test: drill txt qnamemintest.internet.nl
    # result: "HOORAY - QNAME minimisation is enabled on your resolver :)!"

    qname-minimisation: yes
    harden-below-nxdomain: yes

Thanks, I had exactly that config but it was on a DietPi installation. I will try with normal Raspbian Lite as well.

Got it working now, weird!

Any idea why I get a bunch of these in my logs?

Jun 20 17:37:40 unbound[403:0] info: error sending query to auth server 198.97.190.53 port 53
Jun 20 17:37:40 unbound[403:0] info: error sending query to auth server 193.0.14.129 port 53
Jun 20 17:37:40 unbound[403:0] info: error sending query to auth server 193.0.14.129 port 53
Jun 20 17:37:40 unbound[403:0] info: error sending query to auth server 198.97.190.53 port 53
Jun 20 17:37:40 unbound[403:0] info: error sending query to auth server 192.203.230.10 port 53
Jun 20 17:37:40 unbound[403:0] info: error sending query to auth server 192.203.230.10 port 53
Jun 20 17:37:40 unbound[403:0] info: error sending query to auth server 192.36.148.17 port 53
Jun 20 17:37:40 unbound[403:0] info: error sending query to auth server 192.33.4.12 port 53
Jun 20 17:37:40 unbound[403:0] info: error sending query to auth server 193.0.14.129 port 53
Jun 20 17:37:40 unbound[403:0] info: error sending query to auth server 192.203.230.10 port 53
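An added example, not from this thread, that aggregates messages of this kind per upstream address. It reads syslog-style Unbound log lines on stdin and reports, for each auth server, how many "error sending query" lines hit it, so you can tell whether the errors are spread over every server (which points at the local network path rather than at any one upstream) or concentrated on one or two. The function name, the optional minimum-count argument and the sample log are assumptions made here.

```shell
#!/bin/sh
# Added example (not from this thread): count Unbound "error sending query to
# auth server" messages per upstream address. Spread over all servers it hints
# at a local network/firewall problem; concentrated on one it hints at that
# server or the route to it.
# Usage: summarize_auth_errors [min_count] < /var/log/unbound.log
summarize_auth_errors() {
    min="${1:-1}"   # only report servers with at least this many errors
    grep 'info: error sending query to auth server' \
    | sed -n 's/.*auth server \([^ ]*\) port \([0-9]*\).*/\1:\2/p' \
    | sort | uniq -c | sort -rn \
    | awk -v min="$min" '$1 >= min { printf "%s %s\n", $2, $1 }'
}

# Constructed sample, modelled on the lines quoted above (not a real log).
SAMPLE_LOG='Jun 20 17:37:40 unbound[403:0] info: error sending query to auth server 198.97.190.53 port 53
Jun 20 17:37:40 unbound[403:0] info: error sending query to auth server 193.0.14.129 port 53
Jun 20 17:37:40 unbound[403:0] info: error sending query to auth server 193.0.14.129 port 53
Jun 20 17:37:40 unbound[403:0] info: error sending query to auth server 192.203.230.10 port 53
Jun 20 17:37:41 unbound[403:0] info: resolving example.com. A IN'

# Run on the sample; on a real system pipe the log file in instead.
printf '%s\n' "$SAMPLE_LOG" | summarize_auth_errors
```

The output is one line per server, most errors first, in the form `address:port count`; passing a number filters out servers below that many errors so a single stray timeout does not clutter the report.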

NOT in my logs.
What is your verbose setting?

Verbosity is set to 1. If I delete root.zone and start over it looks fine I think, then if I reboot the log messages start to appear.

You can (have to?) update the local copy of the root zone using the command:

sudo /usr/sbin/unbound-control auth_zone_transfer "."

I do this on a weekly basis, using cron, also updating the root.hints

You can also increase / decrease the verbose setting using the command:

sudo /usr/sbin/unbound-control verbosity x

x being any number between 0 and ? (I've gone as high as 5)

edit
using the above command eliminates the need to restart unbound, you'll see an entry in the log, if successful.
/edit

In order for this to work, you need to have the following in your unbound.conf file:

# Remote control config section.
remote-control:
	control-enable: yes

Script I run with cron (way too complex, I know):

#!/usr/bin/env bash

# Make sure only root can run our script
if [ "$(id -u)" != "0" ]; then
  echo "This script must be run as root" 1>&2
  exit 1
fi

# compiled version of unbound v1.9.2
if [ -f /etc/unbound/root.hints ]
then
   # unbound
   sudo wget https://www.internic.net/domain/named.root -O /etc/unbound/root.hints
fi
if [ -f /etc/unbound/root.zone ]
then
   # zone transfer
   echo 'zone transfer "."'
   sudo /usr/sbin/unbound-control auth_zone_transfer "."
fi

# Raspbian version of unbound v1.6.0
if [ -f /var/lib/unbound/root.hints ]
then
   # unbound
   sudo wget https://www.internic.net/domain/named.root -O /var/lib/unbound/root.hints
fi
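An added example, not the script from the post above, showing one way to make the root.hints refresh safer: download into a temporary file in the destination directory, sanity-check that it actually looks like a root hints file, and only then move it over the live copy. With the plain `wget -O` in the script, a failed or truncated download (a captive portal page, an HTTP error body) overwrites the hints file in place and Unbound would read that garbage on its next restart. The function names, the `.prev` backup and the sample excerpt are assumptions made here; the download URL is the one the script uses.

```shell
#!/bin/sh
# Added example (not the thread's own script): validate a root hints file
# before installing it, and refresh it without ever leaving the live copy empty.

# Return 0 if FILE looks like a root hints file: at least one NS record for
# the root pointing at a root-servers.net name, and at least one A/AAAA glue
# record for such a name. Case-insensitive, since named.root is uppercase.
validate_root_hints() {
    file="$1"
    [ -s "$file" ] || return 1
    ns=$(awk '{ l = tolower($0) }
              l ~ /^\.[ \t]/ && l ~ /[ \t]ns[ \t]/ && l ~ /root-servers\.net\.$/ { n++ }
              END { print n + 0 }' "$file")
    glue=$(awk '{ l = tolower($0) }
                l ~ /^[a-m]\.root-servers\.net\.[ \t]/ && l ~ /[ \t](a|aaaa)[ \t]/ { n++ }
                END { print n + 0 }' "$file")
    [ "$ns" -ge 1 ] && [ "$glue" -ge 1 ]
}

# Download to a temp file next to DEST, validate, then replace DEST in one
# rename (same directory, so the swap is atomic on a normal filesystem).
# Usage: refresh_root_hints /etc/unbound/root.hints
refresh_root_hints() {
    dest="$1"
    url="${2:-https://www.internic.net/domain/named.root}"
    tmp=$(mktemp "$(dirname "$dest")/root.hints.XXXXXX") || return 1
    if wget -q "$url" -O "$tmp" && validate_root_hints "$tmp"; then
        [ -f "$dest" ] && cp -p "$dest" "$dest.prev"   # keep the last good copy
        mv "$tmp" "$dest" && chmod 644 "$dest"
        echo "root hints updated: $dest"
    else
        echo "download or validation failed; keeping existing $dest" >&2
        rm -f "$tmp"
        return 1
    fi
}

# Constructed excerpt in the named.root layout (not a real download), used
# only to demonstrate the validator offline.
SAMPLE_HINTS=';  constructed excerpt, root hints layout
.                        3600000      NS    A.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET.      3600000      A     198.41.0.4
A.ROOT-SERVERS.NET.      3600000      AAAA  2001:503:ba3e::2:30'

sample=$(mktemp) && printf '%s\n' "$SAMPLE_HINTS" > "$sample"
if validate_root_hints "$sample"; then
    echo "sample hints file passes validation"
fi
rm -f "$sample"
```

In the cron script the `wget ... -O /etc/unbound/root.hints` line would become `refresh_root_hints /etc/unbound/root.hints`; the auth zone transfer step is unaffected, since unbound-control already refuses to install a zone it cannot transfer.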

Thanks for the help, much appreciated! I'll give it a try... :slight_smile:

I followed the link above and compiled from scratch. Although I double-checked the unbound.conf I can't get it to work. unbound -v gave me "can't bind socket". I'm running Armbian on Rock64. Looks like I have to stick to the default package.

My unbound configuration here.

If you are using the IPv4 only configuration, you will NOT be able to use the default package either, the same error will occur.

Ipv4 only config:

    interface: 127.10.10.2@5552
    do-ip4: yes
    do-udp: yes
    do-tcp: yes
    do-ip6: no

If you are using both IPv4 and IPv6, you need to ensure the IPv6 address exists, before starting unbound, as opposed to the IPv4 addresses I use (127.10.10.x), which do NOT need to exist before starting unbound.

IPv4 & IPv6 configuration:

    interface: 127.10.10.2@5552
    interface: fdaa:bbcc:ddee:2::5552@5552
    do-ip4: yes
    do-udp: yes
    do-tcp: yes
    do-ip6: yes

I've been using a "dirty", probably unapproved, method to ensure the IPv6 address exists, even after a reboot:

sudo ip -6 addr add fdaa:bbcc:ddee:2::5552/128 dev eth0
sudo sed -i '0,/^exit 0.*/s/^exit 0.*/sudo ip -6 addr add fdaa:bbcc:ddee:2::5552\/128 dev eth0\n&/' /etc/rc.local

First line adds the IPv6 address immediately, after this you should be able to start unbound.
Second line adds the command to /etc/rc.local, which is executed during reboot.


You are right. I'm running IPv4 only. I'll try again and keep you posted. Thanks for hinting me in the right direction.

Don't give up too soon!

Something else you might not know (yet):
The instructions I provided to compile unbound result in unbound running with chroot.
As far as I understand this (NOT a Linux expert), this is more secure: unbound can't get to anything outside its own directory.
What this means:
The unbound configuration files are located in /etc/unbound. As far as unbound is aware, this is the root. This means, for example, you have to configure unbound to keep the logfile somewhere in /etc/unbound or below. The configuration file however will show:

logfile: /unbound.log

All file references are relative to /etc/unbound.

Naw, I won't give up that soon.
I managed to set up everything, double checked but still getting this:

root@rock64:~# unbound -v
[1561192621] unbound[1643:0] notice: Start of unbound 1.9.2.
Jun 22 10:37:01 unbound[1643:0] error: can't bind socket: Address already in use for 127.0.0.1 port 8953
Jun 22 10:37:01 unbound[1643:0] error: cannot open control interface 127.0.0.1 8953
Jun 22 10:37:01 unbound[1643:0] fatal error: could not open ports

I have no clue where that port comes from. I explicitly pointed to local interface and port #5353 in unbound.conf

Again, I'm NOT a Linux expert, just trying.

On my system, running pihole + unbound 1.9.2, when I enter sudo netstat -tulpen | grep 8953, I get the result:

sudo netstat -tulpen | grep 8953
tcp        0      0 127.0.0.1:8953          0.0.0.0:*               LISTEN      0          990113     4080/unbound
tcp6       0      0 ::1:8953                :::*                    LISTEN      0          990112     4080/unbound

DuckDuckGo says here this is a port used by unbound.

edit
Also port 5353 is already in use by the avahi-daemon

sudo netstat -tulpen | grep 5353
udp        0      0 0.0.0.0:5353            0.0.0.0:*                           108        11592      407/avahi-daemon: r
udp6       0      0 :::5353

/edit

As a NON Linux expert, I would conclude unbound is already running.
To verify this:
sudo service unbound status
To stop the already running unbound:
sudo service unbound stop

Commands I use to check if unbound is working (replace port and IP):
dig @127.10.10.2 -p 5552 +dnssec www.raspberrypi.org

If you followed my instructions to compile unbound, you should have created /lib/systemd/system/unbound.service (+daemon reload & enable service)
This means you don't start unbound with unbound -v, but use sudo service unbound stop && sudo service unbound start to get things running.

NOT sure this will help...

I have a similar issue: did a fresh install and get the same error when running sudo unbound -v:

[1597059373] unbound[2177:0] notice: Start of unbound 1.11.1.
Aug 10 12:36:13 unbound[2177:0] error: can't bind socket: Address already in use for 127.0.0.1 port 8953
Aug 10 12:36:13 unbound[2177:0] error: cannot open control interface 127.0.0.1 8953
Aug 10 12:36:13 unbound[2177:0] fatal error: could not open ports

This is the output of
ps -aux | grep unbound

root 317 0.0 0.0 0 0 ? I 11:59 0:00 [kworker/u2:4-events_unbound]
unbound 419 0.3 3.4 19000 15320 ? Ss 11:59 0:07 /usr/sbin/unbound -c /etc/unbound/unbound.conf -d
pi 2140 0.0 0.4 7332 2024 pts/0 S+ 12:33 0:00 grep --color=auto unbound

Any idea how I can solve this pls?
(edit: running latest Pi-Hole master i.e. 5.1.2 and compiled Unbound from the Unbound Github i.e. 1.11.1)

Result of

sudo netstat -tulpen | grep 8953

is

tcp 0 0 127.0.0.1:8953 0.0.0.0:* LISTEN 0 13951 419/unbound

And result of

sudo netstat -tulpen | grep 5335

is

tcp 0 0 127.0.0.1:5335 0.0.0.0:* LISTEN 0 13950 419/unbound
udp 0 0 127.0.0.1:5335 0.0.0.0:* 0 13949 419/unbound

So, if I get it correctly, running unbound -v tries to start it. Then the message makes sense as it is indeed already running...

You are trying to start a running instance of unbound.


Thanks - learnt something here today...