Unbound and QNAME minimisation

jfb · 2018-06-02T01:41:40.076Z

Expected Behaviour:

Unbound should be using QNAME minimisation.

Actual Behaviour:

How do I verify unbound is using QNAME minimisation

Debug Token:

None.

Please correct me if this is the incorrect place to ask this. I installed FTLDNS beta and unbound per the posted instructions (all of which worked quite well, so thanks to those who wrote them), within the last three weeks. Unbound V 1.6.0.

In my config directory (on my Pi running Stretch), there is a pre-installed "/etc/unbound/unbound.conf.d/qname-minimisation.conf" file, containing the following text:

server:
# Send minimum amount of information to upstream servers to enhance
# privacy. Only sends minimum required labels of the QNAME and sets
# QTYPE to NS when possible.

# See RFC 7816 "DNS Query Name Minimisation to Improve Privacy" for
# details.

qname-minimisation: yes.

All the files in this directory are included in "/etc/unbound/unbound.conf" via an "include: "/etc/unbound/unbound.conf.d/*.conf" command line.

So, from what I can see, unbound should be running with QNAME minimisation ON. Unbound is working and finding DNS addresses.

My question - how can I verify that unbound is actually using QNAME minimisation? Is there a log file or status command that would verify this? I've searched through MAN unbound and MAN unbound-control but haven't found a way. Any help from the unbound experts (or referral to the correct place) would be appreciated.

Mcat12 · 2018-06-02T02:19:59.997Z

I found this by searching "unbound qname minimisation":

nlnetlabs.nl

unbound_qnamemin_oarc24.pdf

410.38 KB

jfb · 2018-06-02T02:52:05.469Z

jfb:

RFC 7816 "DNS Query Name Minimisation to Improve Privacy"

Thanks. I read that, and a few others, and they all describe what QNAME minimisation does. It's a good technique and I want to be using it. What I don't understand is how to verify that my installation of unbound is actually doing it.

Here is a short piece of the tail of my PiHole log when I browse for a website that I know is not in my DNS cache. I see the request from the browser to the PiHole, and from the PiHole to unbound, the the reply back with the IP address, but I don't know how to see the details of what unbound is sending out to the DNS authoritative server. I haven't managed to find a log for unbound on the Pi. I also don't know enough about WireShark to capture the outgoing packets from unbound to the DNS authoritative servers.

Jun 1 21:38:56 dnsmasq[27250]: 14766 192.168.0.138/49400 query[A] www.prevention.com from 192.168.0.138
Jun 1 21:38:56 dnsmasq[27250]: 14766 192.168.0.138/49400 forwarded www.prevention.com to 127.0.0.1
Jun 1 21:38:56 dnsmasq[27250]: * 192.168.0.138/49400 dnssec-query[DS] prevention.com to 127.0.0.1
Jun 1 21:38:56 dnsmasq[27250]: * 192.168.0.138/49400 reply prevention.com is no DS
Jun 1 21:38:56 dnsmasq[27250]: 14766 192.168.0.138/49400 validation result is INSECURE
Jun 1 21:38:56 dnsmasq[27250]: 14766 192.168.0.138/49400 reply www.prevention.com is
Jun 1 21:38:56 dnsmasq[27250]: 14766 192.168.0.138/49400 reply b2.shared.global.fastly.net is 151.101.50.217
Jun 1 21:38:57 dnsmasq[27250]: 14767 192.168.0.138/64715 query[A] assets.hearstapps.com from 192.168.0.138
Jun 1 21:38:57 dnsmasq[27250]: 14767 192.168.0.138/64715 forwarded assets.hearstapps.com to 127.0.0.1
Jun 1 21:38:57 dnsmasq[27250]: 14768 192.168.0.138/63276 query[A] hips.hearstapps.com from 192.168.0.138
Jun 1 21:38:57 dnsmasq[27250]: 14768 192.168.0.138/63276 forwarded hips.hearstapps.com to 127.0.0.1
Jun 1 21:38:57 dnsmasq[27250]: 14769 192.168.0.138/49979 query[A] nexus.ensighten.com from 192.168.0.138
Jun 1 21:38:57 dnsmasq[27250]: 14769 192.168.0.138/49979 /etc/pihole/gravity.list nexus.ensighten.com is 192.168.0.150
Jun 1 21:38:57 dnsmasq[27250]: 14770 192.168.0.138/63683 query[A] glimmer.hearstapps.com from 192.168.0.138
Jun 1 21:38:57 dnsmasq[27250]: 14770 192.168.0.138/63683 forwarded glimmer.hearstapps.com to 127.0.0.1
Jun 1 21:38:57 dnsmasq[27250]: * 192.168.0.138/64715 dnssec-query[DS] hearstapps.com to 127.0.0.1
Jun 1 21:38:57 dnsmasq[27250]: * 192.168.0.138/63683 dnssec-query[DS] hearstapps.com to 127.0.0.1
Jun 1 21:38:57 dnsmasq[27250]: * 192.168.0.138/63276 dnssec-query[DS] hearstapps.com to 127.0.0.1
Jun 1 21:38:57 dnsmasq[27250]: * 192.168.0.138/63276 reply hearstapps.com is no DS
Jun 1 21:38:57 dnsmasq[27250]: 14768 192.168.0.138/63276 validation result is INSECURE
Jun 1 21:38:57 dnsmasq[27250]: 14768 192.168.0.138/63276 reply hips.hearstapps.com is
Jun 1 21:38:57 dnsmasq[27250]: 14768 192.168.0.138/63276 reply hearst.map.fastly.net is 151.101.48.200

Mcat12 · 2018-06-02T02:53:29.881Z

That PDF showed some example logs which showed the feature in action.

jfb · 2018-06-02T03:43:55.516Z

I'm going to have to get a lot smarter on this topic. The pdf shows the following which appears to test the QNAME function, but I'm puzzled as to what to do with it.

$ drill txt qnamemintest.internet.nl
"HOORAY - QNAME minimisation is enabled on your resolver :)!"
"NO - QNAME minimisation is NOT enabled on your resolver :(."

Mcat12 · 2018-06-02T03:46:05.750Z

You simply run the command and it will tell you if it's enabled (you might need to install a package for it first)

jfb · 2018-06-02T04:02:59.050Z

jfb:

drill txt qnamemintest.internet.nl

That may be part of my problem - "bash: drill: command not found"

Thanks for the help. I'll do some digging and figure out how to install it.

jfb · 2018-06-02T04:27:33.534Z

That solved my problem. Thanks very much for your help - as you can tell I'm not much of a Unix cowboy - but I am slightly trainable.

"sudo apt-get install ldnsutils" installs DNS utilities including drill.

"drill txt qnamemintest.internet.nl" produces the following output, which shows that QNAME minimisation is enabled.

;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 41676
;; flags: qr rd ra ; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;; qnamemintest.internet.nl. IN TXT

;; ANSWER SECTION:
qnamemintest.internet.nl. 2951 IN CNAME a.b.qnamemin-test.internet.nl.
a.b.qnamemin-test.internet.nl. 3600 IN TXT "HOORAY - QNAME minimisation is enabled on your resolver :)!"

;; AUTHORITY SECTION:

;; ADDITIONAL SECTION:

;; Query time: 758 msec
;; SERVER: 127.0.0.1
;; WHEN: Fri Jun 1 23:16:53 2018
;; MSG SIZE rcvd: 146

DL6ER · 2018-06-02T09:46:36.489Z

Although this is solved, I should tell you that, although qname-minimisation is a nice idea, it is not guaranteed to work always (and in fact doesn’t always work!). See https://indico.dns-oarc.net/event/21/contribution/9 for an analysis of this problem.
This is why we don't suggest using QNAME minimization in our guide.

jfb · 2018-06-02T13:55:48.032Z

Thanks for the link and info. In my install, I did not intentionally turn on QNAME minimisation, the install put the "/etc/unbound/unbound.conf.d/qname-minimisation.conf" file in place. The file date is 2/19/2017.

The configuration is the same on two different Pi's with independent installations, about a week apart.

I installed unbound per the instructions at "Redirecting...". I see that the examples of recursive DNS resolution on that page show the behavior with QNAME minimisation OFF, but the installer turned it on without any input from me.

I'll turn it off on one and see how the performance changes for me. I see in the version notes for unbound that they made some changes on QNAME behavior in later releases beyond 1.6.0.

MaDa · 2018-06-03T08:31:34.494Z

jfb:

drill txt qnamemintest.internet.nl” produces the following output, which shows that QNAME minimisation is enabled.

;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 41676
;; flags: qr rd ra ; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;; qnamemintest.internet.nl. IN TXT

I got...

~ # drill txt qnamemintest.internet.nl
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 48979
;; flags: qr rd ra ; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;; qnamemintest.internet.nl. IN TXT

;; ANSWER SECTION:
qnamemintest.internet.nl. 10 IN CNAME a.b.qnamemin-test.internet.nl.
a.b.qnamemin-test.internet.nl. 10 IN TXT "HOORAY - QNAME minimisation is enabled on your resolver :)!"

;; AUTHORITY SECTION:

;; ADDITIONAL SECTION:

;; Query time: 177 msec
;; SERVER: 127.0.0.1
;; WHEN: Sun Jun 3 10:26:04 2018
;; MSG SIZE rcvd: 164

...without an installed unbound instance and without configured QNAME MINIMIZATION

DL6ER · 2018-06-03T08:51:04.967Z

I get

$ dig txt qnamemintest.internet.nl +short
a.b.qnamemin-test.internet.nl.
"NO - QNAME minimisation is NOT enabled on your resolver :("

with Pi-hole + unbound as described in my guide.

Tntdruid · 2018-06-03T09:54:29.821Z

used the same guide:

dig txt qnamemintest.internet.nl +short
a.b.qnamemin-test.internet.nl.
"HOORAY - QNAME minimisation is enabled on your resolver :)!"

DL6ER · 2018-06-03T12:13:53.980Z

@Tntdruid Check if you have additional files in /etc/unbound/unbound.conf.d as has been mentioned by @jfb .

I have

$ ls /etc/unbound/unbound.conf.d
recursive.conf  root-auto-trust-anchor-file.conf

whereas

$ cat /etc/unbound/unbound.conf.d/root-auto-trust-anchor-file.conf
server:
    # The following line will configure unbound to perform cryptographic
    # DNSSEC validation using the root trust anchor.
    auto-trust-anchor-file: "/var/lib/unbound/root.key"

Tntdruid · 2018-06-03T13:36:00.422Z

ls /etc/unbound/unbound.conf.d
pi-hole.conf qname-minimisation.conf root-auto-trust-anchor-file.conf

No idea where qname-minimisation.conf is from, I did not add that one

Thanos_L · 2018-06-03T15:20:49.997Z

And for me the same...

~ $ ls /etc/unbound/unbound.conf.d
pi-hole.conf qname-minimisation.conf root-auto-trust-anchor-file.conf

~ $ dig txt qnamemintest.internet.nl +short
a.b.qnamemin-test.internet.nl.
"HOORAY - QNAME minimisation is enabled on your resolver :)!"

DanSchaper · 2018-06-03T15:39:24.988Z

Is everyone that is seeing the extra qname-minimisation.conf file running Raspbian?

Thanos_L · 2018-06-03T15:58:37.695Z

For me yes. Clean install before 2 weeks. (raspbian stretch)

Tntdruid · 2018-06-03T15:58:44.250Z

DanSchaper:

Raspbian

Yeah im running that

glenw · 2018-06-03T19:21:45.712Z

I also have the same config files after following the guide precisely.
Installed unbound on Stretch from the repository and it is version 1.6.0

I did try at one point to compile the latest stable version (1.7.1) but failed

In /etc/unbound/unbound.conf.d I have:

pi-hole.conf
qname-minimisation.conf
root-auto-trust-anchor-file.conf

I do not have:

recursive.conf