Unbound and QNAME minimisation

You simply run the command and it will tell you if it’s enabled (you might need to install a package for it first).

That may be part of my problem - “bash: drill: command not found”

Thanks for the help. I’ll do some digging and figure out how to install it.

That solved my problem. Thanks very much for your help - as you can tell I’m not much of a Unix cowboy - but I am slightly trainable.

“sudo apt-get install ldnsutils” installs DNS utilities including drill.

“drill txt qnamemintest.internet.nl” produces the following output, which shows that QNAME minimisation is enabled.

;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 41676
;; flags: qr rd ra ; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;; qnamemintest.internet.nl. IN TXT

;; ANSWER SECTION:
qnamemintest.internet.nl. 2951 IN CNAME a.b.qnamemin-test.internet.nl.
a.b.qnamemin-test.internet.nl. 3600 IN TXT "HOORAY - QNAME minimisation is enabled on your resolver :)!"

;; AUTHORITY SECTION:

;; ADDITIONAL SECTION:

;; Query time: 758 msec
;; SERVER: 127.0.0.1
;; WHEN: Fri Jun 1 23:16:53 2018
;; MSG SIZE rcvd: 146

Although this is solved, I should tell you that, although qname-minimisation is a nice idea, it is not guaranteed to work always (and in fact doesn’t always work!). See https://indico.dns-oarc.net/event/21/contribution/9 for an analysis of this problem.
This is why we don’t suggest using QNAME minimization in our guide.

Thanks for the link and info. In my install, I did not intentionally turn on QNAME minimisation, the install put the “/etc/unbound/unbound.conf.d/qname-minimisation.conf” file in place. The file date is 2/19/2017.

The configuration is the same on two different Pi’s with independent installations, about a week apart.

I installed unbound per the instructions at “https://docs.pi-hole.net/guides/unbound/”. I see that the examples of recursive DNS resolution on that page show the behavior with QNAME minimisation OFF, but the installer turned it on without any input from me.

I’ll turn it off on one and see how the performance changes for me. I see in the version notes for unbound that they made some changes on QNAME behavior in later releases beyond 1.6.0.

I got…

~ # drill txt qnamemintest.internet.nl
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 48979
;; flags: qr rd ra ; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;; qnamemintest.internet.nl. IN TXT

;; ANSWER SECTION:
qnamemintest.internet.nl. 10 IN CNAME a.b.qnamemin-test.internet.nl.
a.b.qnamemin-test.internet.nl. 10 IN TXT "HOORAY - QNAME minimisation is enabled on your resolver :)!"

;; AUTHORITY SECTION:

;; ADDITIONAL SECTION:

;; Query time: 177 msec
;; SERVER: 127.0.0.1
;; WHEN: Sun Jun 3 10:26:04 2018
;; MSG SIZE rcvd: 164

without an installed unbound instance and without configured QNAME MINIMIZATION

I get

$ dig txt qnamemintest.internet.nl +short
a.b.qnamemin-test.internet.nl.
"NO - QNAME minimisation is NOT enabled on your resolver :("

with Pi-hole + unbound as described in my guide.

Used the same guide:

dig txt qnamemintest.internet.nl +short
a.b.qnamemin-test.internet.nl.
"HOORAY - QNAME minimisation is enabled on your resolver :)!"

@Tntdruid Check if you have additional files in /etc/unbound/unbound.conf.d as has been mentioned by @jfb .

I have

$ ls /etc/unbound/unbound.conf.d
recursive.conf  root-auto-trust-anchor-file.conf

whereas

$ cat /etc/unbound/unbound.conf.d/root-auto-trust-anchor-file.conf
server:
    # The following line will configure unbound to perform cryptographic
    # DNSSEC validation using the root trust anchor.
    auto-trust-anchor-file: "/var/lib/unbound/root.key"

ls /etc/unbound/unbound.conf.d
pi-hole.conf qname-minimisation.conf root-auto-trust-anchor-file.conf

No idea where qname-minimisation.conf is from; I did not add that one.

And for me the same…

~ $ ls /etc/unbound/unbound.conf.d
pi-hole.conf qname-minimisation.conf root-auto-trust-anchor-file.conf

~ $ dig txt qnamemintest.internet.nl +short
a.b.qnamemin-test.internet.nl.
"HOORAY - QNAME minimisation is enabled on your resolver :)!"

Is everyone that is seeing the extra qname-minimisation.conf file running Raspbian?

For me, yes. Clean install 2 weeks ago (Raspbian Stretch).

Yeah, I’m running that :wink:

I also have the same config files after following the guide precisely.
Installed unbound on Stretch from the repository and it is version 1.6.0.

I did try at one point to compile the latest stable version (1.7.1) but failed :frowning:

In /etc/unbound/unbound.conf.d I have:

pi-hole.conf
qname-minimisation.conf
root-auto-trust-anchor-file.conf

I do not have:

recursive.conf

/etc/unbound/unbound.conf.d $ ls
pi-hole.conf  qname-minimisation.conf  root-auto-trust-anchor-file.conf

whereas

cat qname-minimisation.conf
server:
    # Send minimum amount of information to upstream servers to enhance
    # privacy. Only sends minimum required labels of the QNAME and sets
    # QTYPE to NS when possible.

    # See RFC 7816 "DNS Query Name Minimisation to Improve Privacy" for
    # details.

    qname-minimisation: yes

and

dig txt qnamemintest.internet.nl +short
a.b.qnamemin-test.internet.nl.
"NO - QNAME minimisation is NOT enabled on your resolver :("

version 1.6.0
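The two checks this thread does by hand (classify the TXT answer from qnamemintest.internet.nl, and look through /etc/unbound/unbound.conf.d for whichever file sets qname-minimisation) can be scripted so the same thing is run on every Pi. The snippet below is an added example, not code from the thread or from the Pi-hole or unbound projects; the function names are mine, the test-zone strings and the conf.d path are the ones shown in the thread, and the demo config files at the bottom are constructed for illustration.

```sh
#!/bin/sh
# Added example (hypothetical helper functions, not part of unbound or Pi-hole).
#
# qnamemin_status  classifies the answer from the qnamemintest.internet.nl
#                  test zone, read from stdin (pipe in the output of
#                  `dig txt qnamemintest.internet.nl +short` or of
#                  `drill txt qnamemintest.internet.nl`).
# qnamemin_config  reports which *.conf file(s) in an unbound conf.d
#                  directory set qname-minimisation, and to what value.

qnamemin_status() {
    answer=$(cat)
    case "$answer" in
        *"HOORAY - QNAME minimisation is enabled"*) echo enabled ;;
        *"NO - QNAME minimisation is NOT enabled"*) echo disabled ;;
        *) echo unknown ;;   # no TXT record, timeout, or some other answer
    esac
}

# Prints one "file: value" line per uncommented option line found, or
# "unset" when no file in the directory sets the option. Leading whitespace
# is ignored, so an indented line under `server:` counts; a line that is
# commented out with `#` does not.
qnamemin_config() {
    dir=$1
    found=0
    for f in "$dir"/*.conf; do
        [ -f "$f" ] || continue
        # sed: keep only real option lines and print just the value token
        vals=$(sed -n 's/^[[:space:]]*qname-minimisation:[[:space:]]*\([a-z]*\).*/\1/p' "$f")
        for v in $vals; do
            echo "${f##*/}: $v"
            found=1
        done
    done
    [ "$found" -eq 1 ] || echo unset
}

# --- demo on constructed input (strings as returned by the test zone) ---
printf '%s\n' 'a.b.qnamemin-test.internet.nl.' \
    '"HOORAY - QNAME minimisation is enabled on your resolver :)!"' | qnamemin_status

# --- demo on a constructed conf.d directory mimicking the thread's layout ---
demo=$(mktemp -d)
cat > "$demo/qname-minimisation.conf" <<'EOF'
server:
    # Send minimum amount of information to upstream servers to enhance
    # privacy.
    qname-minimisation: yes
EOF
printf 'server:\n    # qname-minimisation: no\n' > "$demo/pi-hole.conf"
qnamemin_config "$demo"     # -> qname-minimisation.conf: yes
rm -rf "$demo"
```

On a live host the second check is `qnamemin_config /etc/unbound/unbound.conf.d`; `unset` means none of the drop-in files set the option, so whatever unbound's built-in default is for the installed version applies.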

I have the same files as glenw, and no “recursive.conf” either.

I ran a test on the web addresses listed in the referenced document (page 34 of 42 in the document) with QNAME minimisation enabled - I was able to resolve them all with dig.

I suspect that since the date of that paper (May 2015) the noted problems at the authoritative name servers have been corrected.

I am running two setups of unbound and Pi-Hole; identical but on different Pi’s. One has QNAME off, the other has QNAME on. I cannot see any difference in DNS resolution between the two.

I believe that Cloudflare is using QNAME minimisation on their DNS service: https://blog.cloudflare.com/dns-resolver-1-1-1-1/


Thanks for testing it so thoroughly. It’s good to know that we don’t have to expect issues from possible system-provided config files that enable qname minimization without the (explicit) knowledge of the user.

I haven’t checked, but it may be that dnsmasq from Raspbian is dropping in the qname file. Will have to do some more research on that.