I can't seem to get qname minimization to work when compiling 1.9.2. Never tested it with earlier versions though. When running "dig txt qnamemintest.internet.nl" it says it's not working; it works with Knot. Any ideas?
Too bad Unbound seems stalled in Debian, now with Buster being released soon as well.
unbound (127.10.10.2 -p 5552):
dig @127.10.10.2 -p 5552 txt qnamemintest.internet.nl
; <<>> DiG 9.10.3-P4-Raspbian <<>> @127.10.10.2 -p 5552 txt qnamemintest.internet.nl
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7577
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 3
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1472
;; QUESTION SECTION:
;qnamemintest.internet.nl. IN TXT
;; ANSWER SECTION:
qnamemintest.internet.nl. 3600 IN CNAME a.b.qnamemin-test.internet.nl.
a.b.qnamemin-test.internet.nl. 3600 IN TXT "HOORAY - QNAME minimisation is enabled on your resolver :)!"
;; AUTHORITY SECTION:
a.b.qnamemin-test.internet.nl. 3600 IN NS ns.a.b.qnamemin-test.internet.nl.
;; ADDITIONAL SECTION:
ns.a.b.qnamemin-test.internet.nl. 3600 IN AAAA 2a04:b900::8:0:0:63
ns.a.b.qnamemin-test.internet.nl. 3600 IN A 185.49.140.63
;; Query time: 132 msec
;; SERVER: 127.10.10.2#5552(127.10.10.2)
;; WHEN: Thu Jun 20 16:42:54 CEST 2019
;; MSG SIZE rcvd: 218
knot-resolver (127.10.10.5 -p 5555):
dig @127.10.10.5 -p 5555 txt qnamemintest.internet.nl
; <<>> DiG 9.10.3-P4-Raspbian <<>> @127.10.10.5 -p 5555 txt qnamemintest.internet.nl
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 425
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;qnamemintest.internet.nl. IN TXT
;; ANSWER SECTION:
qnamemintest.internet.nl. 3361 IN CNAME a.b.qnamemin-test.internet.nl.
a.b.qnamemin-test.internet.nl. 3361 IN TXT "HOORAY - QNAME minimisation is enabled on your resolver :)!"
;; Query time: 0 msec
;; SERVER: 127.10.10.5#5555(127.10.10.5)
;; WHEN: Thu Jun 20 16:43:53 CEST 2019
;; MSG SIZE rcvd: 157
content of /etc/unbound/unbound.conf.d/qname-minimisation.conf:
server:
# Send minimum amount of information to upstream servers to enhance
# privacy. Only sends minimum required labels of the QNAME and sets
# QTYPE to NS when possible.
# See RFC 7816 "DNS Query Name Minimisation to Improve Privacy" for
# details.
# https://ripe72.ripe.net/presentations/120-unbound_qnamemin_ripe72.pdf
# test: drill txt qnamemintest.internet.nl
# result: "HOORAY - QNAME minimisation is enabled on your resolver :)!"
qname-minimisation: yes
harden-below-nxdomain: yes
Thanks, I had exactly that config but it was on a Diet-Pi installation. I will try with normal Raspbian light as well.
Got it working now, weird!
Any idea why I get a bunch of these in my logs?
Jun 20 17:37:40 unbound[403:0] info: error sending query to auth server 198.97.190.53 port 53
Jun 20 17:37:40 unbound[403:0] info: error sending query to auth server 193.0.14.129 port 53
Jun 20 17:37:40 unbound[403:0] info: error sending query to auth server 193.0.14.129 port 53
Jun 20 17:37:40 unbound[403:0] info: error sending query to auth server 198.97.190.53 port 53
Jun 20 17:37:40 unbound[403:0] info: error sending query to auth server 192.203.230.10 port 53
Jun 20 17:37:40 unbound[403:0] info: error sending query to auth server 192.203.230.10 port 53
Jun 20 17:37:40 unbound[403:0] info: error sending query to auth server 192.36.148.17 port 53
Jun 20 17:37:40 unbound[403:0] info: error sending query to auth server 192.33.4.12 port 53
Jun 20 17:37:40 unbound[403:0] info: error sending query to auth server 193.0.14.129 port 53
Jun 20 17:37:40 unbound[403:0] info: error sending query to auth server 192.203.230.10 port 53
NOT in my logs.
What is your verbose setting?
Verbosity is set to 1. If I delete root.zone and start over it looks fine I think, then if I reboot the log messages start to appear.
You can (have to?) update the local copy of the root zone using the command:
sudo /usr/sbin/unbound-control auth_zone_transfer "."
I do this on a weekly basis using cron, also updating the root.hints.
You can also increase / decrease the verbose setting using the command:
sudo /usr/sbin/unbound-control verbosity x
x being any number between 0 and ? (I've gone as high as 5)
edit
Using the above command eliminates the need to restart unbound; you'll see an entry in the log if successful.
/edit
In order for this to work, you need to have the following in your unbound.conf file:
# Remote control config section.
remote-control:
control-enable: yes
Script I run with cron (way too complex, I know):
#!/usr/bin/env bash
# Make sure only root can run our script
if [ "$(id -u)" != "0" ]; then
    echo "This script must be run as root" 1>&2
    exit 1
fi
# compiled version of unbound v1.9.2
if [ -f /etc/unbound/root.hints ]
then
    # refresh the root hints
    sudo wget https://www.internic.net/domain/named.root -O /etc/unbound/root.hints
fi
if [ -f /etc/unbound/root.zone ]
then
    # zone transfer of the locally served root zone
    echo 'zone transfer "."'
    sudo /usr/sbin/unbound-control auth_zone_transfer "."
fi
# Raspbian version of unbound v1.6.0
if [ -f /var/lib/unbound/root.hints ]
then
    # refresh the root hints
    sudo wget https://www.internic.net/domain/named.root -O /var/lib/unbound/root.hints
fi
Thanks for the help, much appreciated! I'll give it a try...
I followed the link above and compiled from scratch. Although I double-checked the unbound.conf, I can't get it to work. unbound -v gave me "can't bind socket". I'm running Armbian on Rock64. Looks like I have to stick to the default package.
My unbound configuration here.
If you are using the IPv4 only configuration, you will NOT be able to use the default package either, the same error will occur.
Ipv4 only config:
interface: 127.10.10.2@5552
do-ip4: yes
do-udp: yes
do-tcp: yes
do-ip6: no
If you are using both IPv4 and IPv6, you need to ensure the IPv6 address exists, before starting unbound, as opposed to the IPv4 addresses I use (127.10.10.x), which do NOT need to exist before starting unbound.
IPv4 & IPv6 configuration:
interface: 127.10.10.2@5552
interface: fdaa:bbcc:ddee:2::5552@5552
do-ip4: yes
do-udp: yes
do-tcp: yes
do-ip6: yes
I've been using a "dirty", probably unapproved, method to ensure the IPv6 address exists, even after a reboot:
sudo ip -6 addr add fdaa:bbcc:ddee:2::5552/128 dev eth0
sudo sed -i '0,/^exit 0.*/s/^exit 0.*/sudo ip -6 addr add fdaa:bbcc:ddee:2::5552\/128 dev eth0\n&/' /etc/rc.local
The first line adds the IPv6 address immediately; after this you should be able to start unbound.
The second line adds the command to /etc/rc.local, which is executed during reboot.
You are right. I'm running IPv4 only. I'll try again and keep you posted. Thanks for hinting me in the right direction.
Don't give up too soon!
Something else you might not know (yet):
The instructions I provided to compile unbound result in unbound running with chroot.
As far as I understand this (NOT a Linux expert), this is more secure: unbound can't get to anything outside its own directory.
What this means:
The unbound configuration files are located in /etc/unbound. As far as unbound is aware, this is the root. This means, for example, you have to configure unbound to keep the logfile somewhere in /etc/unbound or below. The configuration file however will show:
logfile: /unbound.log
All file references are relative to /etc/unbound.
Naw, I won't give up that soon.
I managed to set up everything and double-checked, but I'm still getting this:
root@rock64:~# unbound -v
[1561192621] unbound[1643:0] notice: Start of unbound 1.9.2.
Jun 22 10:37:01 unbound[1643:0] error: can't bind socket: Address already in use for 127.0.0.1 port 8953
Jun 22 10:37:01 unbound[1643:0] error: cannot open control interface 127.0.0.1 8953
Jun 22 10:37:01 unbound[1643:0] fatal error: could not open ports
I have no clue where that port comes from. I explicitly pointed to local interface and port #5353 in unbound.conf
Again, I'm NOT a Linux expert, just trying.
On my system, running pihole + unbound 1.9.2, when I enter sudo netstat -tulpen | grep 8953, I get the result:
sudo netstat -tulpen | grep 8953
tcp 0 0 127.0.0.1:8953 0.0.0.0:* LISTEN 0 990113 4080/unbound
tcp6 0 0 ::1:8953 :::* LISTEN 0 990112 4080/unbound
DuckDuckGo says here that this is a port used by unbound.
edit
Also port 5353 is already in use by the avahi-daemon
sudo netstat -tulpen | grep 5353
udp 0 0 0.0.0.0:5353 0.0.0.0:* 108 11592 407/avahi-daemon: r
udp6 0 0 :::5353
/edit
As a NON Linux expert, I would conclude unbound is already running.
To verify this:
sudo service unbound status
To stop the already running unbound:
sudo service unbound stop
Commands I use to check if unbound is working (replace port and IP):
dig @127.10.10.2 -p 5552 +dnssec www.raspberrypi.org
If you followed my instructions to compile unbound, you should have created /lib/systemd/system/unbound.service (+ daemon reload & enable service). This means you don't start unbound with unbound -v, but use sudo service unbound stop && sudo service unbound start to get things running.
NOT sure this will help...
I have a similar issue: did a fresh install and have a similar issue when running sudo unbound -v:
[1597059373] unbound[2177:0] notice: Start of unbound 1.11.1.
Aug 10 12:36:13 unbound[2177:0] error: can't bind socket: Address already in use for 127.0.0.1 port 8953
Aug 10 12:36:13 unbound[2177:0] error: cannot open control interface 127.0.0.1 8953
Aug 10 12:36:13 unbound[2177:0] fatal error: could not open ports
This is the output of
ps -aux | grep unbound
root 317 0.0 0.0 0 0 ? I 11:59 0:00 [kworker/u2:4-events_unbound]
unbound 419 0.3 3.4 19000 15320 ? Ss 11:59 0:07 /usr/sbin/unbound -c /etc/unbound/unbound.conf -d
pi 2140 0.0 0.4 7332 2024 pts/0 S+ 12:33 0:00 grep --color=auto unbound
Any idea how I can solve this please?
(edit: running latest Pi-Hole master i.e. 5.1.2 and compiled Unbound from the Unbound Github i.e. 1.11.1)
Result of
sudo netstat -tulpen | grep 8953
is
tcp 0 0 127.0.0.1:8953 0.0.0.0:* LISTEN 0 13951 419/unbound
And result of
sudo netstat -tulpen | grep 5335
is
tcp 0 0 127.0.0.1:5335 0.0.0.0:* LISTEN 0 13950 419/unbound
udp 0 0 127.0.0.1:5335 0.0.0.0:* 0 13949 419/unbound
So, if I get it correctly, running unbound -v tries to start it. Then the message makes sense as it is indeed already running...
You are trying to start a running instance of unbound.
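An added example (not from this thread or the Unbound project) of the check the last few posts end up doing by hand: read the ports unbound.conf will try to open and compare them with the listeners that netstat -tulpen reports, so the "Address already in use" failure is explained before unbound -v is run. The config text and netstat output below are constructed from the values seen in the thread; the function names config_ports, port_owner and check_conflicts are my own.

```shell
#!/usr/bin/env bash
# Added example: spot "Address already in use" before starting unbound by hand.
# Ports come from the config text, listeners from netstat-style output on stdin.
# Print the ports unbound will open: "interface: ADDR@PORT" (53 when no @) plus
# the control port (8953 unless control-port is set) when remote control is on.
config_ports() {
    awk '
        /^[ \t]*interface:/ {
            n = split($2, a, "@"); p = (n > 1) ? a[n] : 53; print p
        }
        /^[ \t]*control-enable:[ \t]*yes/ { ctl = 1 }
        /^[ \t]*control-port:/ { cport = $2 }
        END { if (ctl) { q = cport ? cport : 8953; print q } }
    ' | sort -un
}
# Given "netstat -tulpen" output on stdin, print the PID/Program owning a port.
port_owner() {
    awk -v port="$1" '{
        n = split($4, a, ":")   # local address; the port is the last piece
        if (a[n] == port) print $NF
    }' | sort -u
}
# Report each configured port already taken as "port P in use by OWNER".
# $1 = config text, $2 = netstat output. Returns 1 when any conflict exists.
check_conflicts() {
    local conf="$1" ns="$2" rc=0 p owner
    for p in $(printf '%s\n' "$conf" | config_ports); do
        owner=$(printf '%s\n' "$ns" | port_owner "$p")
        if [ -n "$owner" ]; then
            echo "port $p in use by $owner"; rc=1
        fi
    done
    return $rc
}
# Constructed samples modelled on the thread: the packaged unbound (PID 419)
# already holds port 5335 and the 8953 control port.
SAMPLE_CONF='server:
    interface: 127.0.0.1@5335
remote-control:
    control-enable: yes'
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address Foreign Address State User Inode PID/Program name
tcp 0 0 127.0.0.1:8953 0.0.0.0:* LISTEN 0 13951 419/unbound
tcp 0 0 127.0.0.1:5335 0.0.0.0:* LISTEN 0 13950 419/unbound
udp 0 0 127.0.0.1:5335 0.0.0.0:* 0 13949 419/unbound'
check_conflicts "$SAMPLE_CONF" "$SAMPLE_NETSTAT" \
    || echo "stop the running instance first: sudo service unbound stop"
```

On a live system, feed it your real config and `sudo netstat -tulpen` (or `ss -ltunp`) output instead of the samples.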
Thanks - learnt something here today...