Unbound not working even with extra steps

Oh, I'm suspecting AppArmor protection here.

Edit

/etc/apparmor.d/local/usr.sbin.unbound

and append

/var/log/unbound/unbound.log rw,

to the end (or /tmp/unbound.log, or whatever you want to use; just make sure the value is the same in the unbound config). Then reload AppArmor using

sudo apparmor_parser -r /etc/apparmor.d/usr.sbin.unbound
sudo service unbound restart

and then we shall see if this helped... If it did, we will add this to the documentation, too. AppArmor might simply be deployed much wider by now than it was when we initially wrote the unbound guide.

Yup, that worked!

Here's what's in the log file:

[1672468980] unbound[29165:0] notice: init module 0: subnet
[1672468980] unbound[29165:0] notice: init module 1: validator
[1672468980] unbound[29165:0] notice: init module 2: iterator
[1672468980] unbound[29165:0] info: start of service (unbound 1.13.1).
[1672469056] unbound[29165:0] info: generate keytag query _ta-4f66. NULL IN
[1672469056] unbound[29165:0] info: failed to prime trust anchor -- DNSKEY rrset is not secure . DNSKEY IN
[1672469056] unbound[29165:0] info: generate keytag query _ta-4f66. NULL IN
[1672469056] unbound[29165:0] info: failed to prime trust anchor -- DNSKEY rrset is not secure . DNSKEY IN
[1672469056] unbound[29165:0] info: generate keytag query _ta-4f66. NULL IN
[1672469056] unbound[29165:0] info: failed to prime trust anchor -- DNSKEY rrset is not secure . DNSKEY IN
[1672469056] unbound[29165:0] info: failed to prime trust anchor -- DNSKEY rrset is not secure . DNSKEY IN
[1672469056] unbound[29165:0] info: generate keytag query _ta-4f66. NULL IN
[1672469056] unbound[29165:0] info: failed to prime trust anchor -- DNSKEY rrset is not secure . DNSKEY IN
[1672469056] unbound[29165:0] info: failed to prime trust anchor -- DNSKEY rrset is not secure . DNSKEY IN
[1672469056] unbound[29165:0] info: generate keytag query _ta-4f66. NULL IN
[1672469056] unbound[29165:0] info: failed to prime trust anchor -- DNSKEY rrset is not secure . DNSKEY IN
[1672469056] unbound[29165:0] info: failed to prime trust anchor -- DNSKEY rrset is not secure . DNSKEY IN
[1672469056] unbound[29165:0] info: generate keytag query _ta-4f66. NULL IN
[1672469056] unbound[29165:0] info: failed to prime trust anchor -- DNSKEY rrset is not secure . DNSKEY IN
[1672469056] unbound[29165:0] info: failed to prime trust anchor -- DNSKEY rrset is not secure . DNSKEY IN

Okay, so this is still here, did you check this?

Another question: do you have any other files in /etc/unbound/unbound.conf.d/? If so, what's their content?

Here's what's in the /var/lib/unbound/root.hints:

;       This file holds the information on root name servers needed to
;       initialize cache of Internet domain name servers
;       (e.g. reference this file in the "cache  .  <file>"
;       configuration file of BIND domain name servers).
;
;       This file is made available by InterNIC
;       under anonymous FTP as
;           file                /domain/named.cache
;           on server           FTP.INTERNIC.NET
;       -OR-                    RS.INTERNIC.NET
;
;       last update:     December 01, 2022
;       related version of root zone:     2022120101
;
; FORMERLY NS.INTERNIC.NET
;
.                        3600000      NS    A.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET.      3600000      A     198.41.0.4
A.ROOT-SERVERS.NET.      3600000      AAAA  2001:503:ba3e::2:30
;
; FORMERLY NS1.ISI.EDU
;
.                        3600000      NS    B.ROOT-SERVERS.NET.
B.ROOT-SERVERS.NET.      3600000      A     199.9.14.201
B.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:200::b
;
; FORMERLY C.PSI.NET
;
.                        3600000      NS    C.ROOT-SERVERS.NET.
C.ROOT-SERVERS.NET.      3600000      A     192.33.4.12
C.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:2::c
;
; FORMERLY TERP.UMD.EDU
;
.                        3600000      NS    D.ROOT-SERVERS.NET.
D.ROOT-SERVERS.NET.      3600000      A     199.7.91.13
D.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:2d::d
;
; FORMERLY NS.NASA.GOV
;
.                        3600000      NS    E.ROOT-SERVERS.NET.
E.ROOT-SERVERS.NET.      3600000      A     192.203.230.10
E.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:a8::e
;
; FORMERLY NS.ISC.ORG
;
.                        3600000      NS    F.ROOT-SERVERS.NET.
F.ROOT-SERVERS.NET.      3600000      A     192.5.5.241
F.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:2f::f
;
; FORMERLY NS.NIC.DDN.MIL
;
.                        3600000      NS    G.ROOT-SERVERS.NET.
G.ROOT-SERVERS.NET.      3600000      A     192.112.36.4
G.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:12::d0d
;
; FORMERLY AOS.ARL.ARMY.MIL
;
.                        3600000      NS    H.ROOT-SERVERS.NET.
H.ROOT-SERVERS.NET.      3600000      A     198.97.190.53
H.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:1::53
;
; FORMERLY NIC.NORDU.NET
;
.                        3600000      NS    I.ROOT-SERVERS.NET.
I.ROOT-SERVERS.NET.      3600000      A     192.36.148.17
I.ROOT-SERVERS.NET.      3600000      AAAA  2001:7fe::53
;
; OPERATED BY VERISIGN, INC.
;
.                        3600000      NS    J.ROOT-SERVERS.NET.
J.ROOT-SERVERS.NET.      3600000      A     192.58.128.30
J.ROOT-SERVERS.NET.      3600000      AAAA  2001:503:c27::2:30
;
; OPERATED BY RIPE NCC
;
.                        3600000      NS    K.ROOT-SERVERS.NET.
K.ROOT-SERVERS.NET.      3600000      A     193.0.14.129
K.ROOT-SERVERS.NET.      3600000      AAAA  2001:7fd::1
;
; OPERATED BY ICANN
;
.                        3600000      NS    L.ROOT-SERVERS.NET.
L.ROOT-SERVERS.NET.      3600000      A     199.7.83.42
L.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:9f::42
;
; OPERATED BY WIDE
;
.                        3600000      NS    M.ROOT-SERVERS.NET.
M.ROOT-SERVERS.NET.      3600000      A     202.12.27.33
M.ROOT-SERVERS.NET.      3600000      AAAA  2001:dc3::35

There is one other file in /etc/unbound/unbound.conf.d/. It's called root-auto-trust-anchor-file.conf and here's what's in it:

server:
    # The following line will configure unbound to perform cryptographic
    # DNSSEC validation using the root trust anchor.
    auto-trust-anchor-file: "/var/lib/unbound/root.key"

To clarify, I never put this file there.

That's fine, I do have the same file, it is installed alongside unbound by the operating system. I just realized that I have the root-hints: line commented out in my pi-hole.conf as it is already contained in the other file.

Please increase verbosity of the unbound logging.

I increased the verbosity to 2 and this is what I get now:

[1672470141] unbound[30234:0] notice: init module 2: iterator
[1672470142] unbound[30234:0] info: start of service (unbound 1.13.1).
[1672470164] unbound[30234:0] info: resolving pi-hole.net. A IN
[1672470164] unbound[30234:0] info: priming . IN NS
[1672470164] unbound[30234:0] info: response for . NS IN
[1672470164] unbound[30234:0] info: reply from <.> 192.5.5.241#53
[1672470164] unbound[30234:0] info: query response REC_LAME: recursive but not authoritative server
[1672470164] unbound[30234:0] info: mark as REC_LAME
[1672470164] unbound[30234:0] info: response for . NS IN
[1672470164] unbound[30234:0] info: reply from <.> 199.7.83.42#53
[1672470164] unbound[30234:0] info: query response REC_LAME: recursive but not authoritative server
[1672470164] unbound[30234:0] info: mark as REC_LAME
[1672470164] unbound[30234:0] info: response for . NS IN
[1672470164] unbound[30234:0] info: reply from <.> 198.41.0.4#53
[1672470164] unbound[30234:0] info: query response REC_LAME: recursive but not authoritative server
[1672470164] unbound[30234:0] info: mark as REC_LAME
[1672470164] unbound[30234:0] info: response for . NS IN
[1672470164] unbound[30234:0] info: reply from <.> 202.12.27.33#53
[1672470164] unbound[30234:0] info: query response REC_LAME: recursive but not authoritative server
[1672470164] unbound[30234:0] info: mark as REC_LAME
[1672470164] unbound[30234:0] info: response for . NS IN
[1672470164] unbound[30234:0] info: reply from <.> 193.0.14.129#53
[1672470164] unbound[30234:0] info: query response REC_LAME: recursive but not authoritative server
[1672470164] unbound[30234:0] info: mark as REC_LAME
[1672470164] unbound[30234:0] info: response for . NS IN
[1672470164] unbound[30234:0] info: reply from <.> 199.9.14.201#53
[1672470164] unbound[30234:0] info: query response REC_LAME: recursive but not authoritative server
[1672470164] unbound[30234:0] info: mark as REC_LAME
[1672470164] unbound[30234:0] info: response for . NS IN
[1672470164] unbound[30234:0] info: reply from <.> 192.203.230.10#53
[1672470164] unbound[30234:0] info: query response REC_LAME: recursive but not authoritative server
[1672470164] unbound[30234:0] info: mark as REC_LAME
[1672470165] unbound[30234:0] info: response for . NS IN
[1672470165] unbound[30234:0] info: reply from <.> 192.33.4.12#53
[1672470165] unbound[30234:0] info: query response REC_LAME: recursive but not authoritative server
[1672470165] unbound[30234:0] info: mark as REC_LAME
[1672470165] unbound[30234:0] info: response for . NS IN
[1672470165] unbound[30234:0] info: reply from <.> 198.97.190.53#53
[1672470165] unbound[30234:0] info: query response REC_LAME: recursive but not authoritative server
[1672470165] unbound[30234:0] info: mark as REC_LAME
[1672470165] unbound[30234:0] info: response for . NS IN
[1672470165] unbound[30234:0] info: reply from <.> 192.112.36.4#53
[1672470165] unbound[30234:0] info: query response REC_LAME: recursive but not authoritative server
[1672470165] unbound[30234:0] info: mark as REC_LAME
[1672470165] unbound[30234:0] info: response for . NS IN
[1672470165] unbound[30234:0] info: reply from <.> 192.36.148.17#53
[1672470165] unbound[30234:0] info: query response REC_LAME: recursive but not authoritative server
[1672470165] unbound[30234:0] info: mark as REC_LAME
[1672470165] unbound[30234:0] info: response for . NS IN
[1672470165] unbound[30234:0] info: reply from <.> 199.7.91.13#53
[1672470165] unbound[30234:0] info: query response REC_LAME: recursive but not authoritative server
[1672470165] unbound[30234:0] info: mark as REC_LAME
[1672470165] unbound[30234:0] info: response for . NS IN
[1672470165] unbound[30234:0] info: reply from <.> 192.58.128.30#53
[1672470165] unbound[30234:0] info: query response REC_LAME: recursive but not authoritative server
[1672470165] unbound[30234:0] info: mark as REC_LAME
[1672470165] unbound[30234:0] info: response for . NS IN
[1672470165] unbound[30234:0] info: reply from <.> 198.97.190.53#53
[1672470165] unbound[30234:0] info: query response was ANSWER
[1672470165] unbound[30234:0] info: priming successful for . NS IN
[1672470165] unbound[30234:0] info: resolving a.root-servers.net. A IN
[1672470165] unbound[30234:0] info: response for a.root-servers.net. A IN
[1672470165] unbound[30234:0] info: reply from <.> 192.5.5.241#53
[1672470165] unbound[30234:0] info: query response was nodata ANSWER
[1672470165] unbound[30234:0] info: response for a.root-servers.net. A IN
[1672470165] unbound[30234:0] info: reply from <.> 192.36.148.17#53
[1672470165] unbound[30234:0] info: query response was nodata ANSWER
[1672470165] unbound[30234:0] info: response for a.root-servers.net. A IN
[1672470165] unbound[30234:0] info: reply from <.> 192.203.230.10#53
[1672470165] unbound[30234:0] info: query response was ANSWER
[1672470165] unbound[30234:0] info: response for pi-hole.net. A IN
[1672470165] unbound[30234:0] info: reply from <.> 199.7.83.42#53
[1672470165] unbound[30234:0] info: query response was ANSWER
[1672470165] unbound[30234:0] info: prime trust anchor
[1672470165] unbound[30234:0] info: generate keytag query _ta-4f66. NULL IN
[1672470165] unbound[30234:0] info: resolving . DNSKEY IN
[1672470165] unbound[30234:0] info: resolving _ta-4f66. NULL IN
[1672470165] unbound[30234:0] info: response for . DNSKEY IN
[1672470165] unbound[30234:0] info: reply from <.> 202.12.27.33#53
[1672470165] unbound[30234:0] info: query response was ANSWER
[1672470165] unbound[30234:0] info: validate keys with anchor(DS): sec_status_bogus
[1672470165] unbound[30234:0] info: failed to prime trust anchor -- DNSKEY rrset is not secure . DNSKEY IN
[1672470165] unbound[30234:0] info: prime trust anchor
[1672470165] unbound[30234:0] info: generate keytag query _ta-4f66. NULL IN
[1672470165] unbound[30234:0] info: resolving . DNSKEY IN
[1672470165] unbound[30234:0] info: response for _ta-4f66. NULL IN
[1672470165] unbound[30234:0] info: reply from <.> 199.9.14.201#53
[1672470165] unbound[30234:0] info: query response was NXDOMAIN ANSWER
[1672470165] unbound[30234:0] info: response for . DNSKEY IN
[1672470165] unbound[30234:0] info: reply from <.> 199.7.91.13#53
[1672470165] unbound[30234:0] info: query response was ANSWER
[1672470165] unbound[30234:0] info: validate keys with anchor(DS): sec_status_bogus
[1672470165] unbound[30234:0] info: failed to prime trust anchor -- DNSKEY rrset is not secure . DNSKEY IN
[1672470165] unbound[30234:0] info: prime trust anchor
[1672470165] unbound[30234:0] info: generate keytag query _ta-4f66. NULL IN
[1672470165] unbound[30234:0] info: resolving . DNSKEY IN
[1672470165] unbound[30234:0] info: resolving _ta-4f66. NULL IN
[1672470165] unbound[30234:0] info: resolving _ta-4f66. A IN
[1672470165] unbound[30234:0] info: prime trust anchor
[1672470165] unbound[30234:0] info: response for . DNSKEY IN
[1672470165] unbound[30234:0] info: reply from <.> 199.9.14.201#53
[1672470165] unbound[30234:0] info: query response was ANSWER
[1672470165] unbound[30234:0] info: validate keys with anchor(DS): sec_status_bogus
[1672470165] unbound[30234:0] info: failed to prime trust anchor -- DNSKEY rrset is not secure . DNSKEY IN
[1672470165] unbound[30234:0] info: validate keys with anchor(DS): sec_status_bogus
[1672470165] unbound[30234:0] info: failed to prime trust anchor -- DNSKEY rrset is not secure . DNSKEY IN
[1672470165] unbound[30234:0] info: prime trust anchor
[1672470165] unbound[30234:0] info: generate keytag query _ta-4f66. NULL IN
[1672470165] unbound[30234:0] info: prime trust anchor
[1672470165] unbound[30234:0] info: resolving . DNSKEY IN
[1672470165] unbound[30234:0] info: response for _ta-4f66. NULL IN
[1672470165] unbound[30234:0] info: reply from <.> 192.36.148.17#53
[1672470165] unbound[30234:0] info: query response was NXDOMAIN ANSWER
[1672470165] unbound[30234:0] info: response for . DNSKEY IN
[1672470165] unbound[30234:0] info: reply from <.> 202.12.27.33#53
[1672470165] unbound[30234:0] info: query response was ANSWER
[1672470165] unbound[30234:0] info: validate keys with anchor(DS): sec_status_bogus
[1672470165] unbound[30234:0] info: failed to prime trust anchor -- DNSKEY rrset is not secure . DNSKEY IN
[1672470165] unbound[30234:0] info: validate keys with anchor(DS): sec_status_bogus
[1672470165] unbound[30234:0] info: failed to prime trust anchor -- DNSKEY rrset is not secure . DNSKEY IN
[1672470165] unbound[30234:0] info: prime trust anchor
[1672470165] unbound[30234:0] info: generate keytag query _ta-4f66. NULL IN
[1672470165] unbound[30234:0] info: resolving _ta-4f66. NULL IN
[1672470165] unbound[30234:0] info: prime trust anchor
[1672470165] unbound[30234:0] info: resolving . DNSKEY IN
[1672470165] unbound[30234:0] info: response for _ta-4f66. NULL IN
[1672470165] unbound[30234:0] info: reply from <.> 192.112.36.4#53
[1672470165] unbound[30234:0] info: query response was NXDOMAIN ANSWER
[1672470165] unbound[30234:0] info: response for . DNSKEY IN
[1672470165] unbound[30234:0] info: reply from <.> 198.41.0.4#53
[1672470165] unbound[30234:0] info: query response was ANSWER
[1672470165] unbound[30234:0] info: validate keys with anchor(DS): sec_status_bogus
[1672470165] unbound[30234:0] info: failed to prime trust anchor -- DNSKEY rrset is not secure . DNSKEY IN
[1672470165] unbound[30234:0] info: validate keys with anchor(DS): sec_status_bogus
[1672470165] unbound[30234:0] info: failed to prime trust anchor -- DNSKEY rrset is not secure . DNSKEY IN
[1672470165] unbound[30234:0] info: prime trust anchor
[1672470165] unbound[30234:0] info: generate keytag query _ta-4f66. NULL IN
[1672470165] unbound[30234:0] info: resolving _ta-4f66. NULL IN
[1672470165] unbound[30234:0] info: prime trust anchor
[1672470165] unbound[30234:0] info: resolving . DNSKEY IN
[1672470165] unbound[30234:0] info: response for _ta-4f66. NULL IN
[1672470165] unbound[30234:0] info: reply from <.> 198.97.190.53#53
[1672470165] unbound[30234:0] info: query response was NXDOMAIN ANSWER
[1672470165] unbound[30234:0] info: response for . DNSKEY IN
[1672470165] unbound[30234:0] info: reply from <.> 192.58.128.30#53
[1672470165] unbound[30234:0] info: query response was ANSWER
[1672470165] unbound[30234:0] info: validate keys with anchor(DS): sec_status_bogus
[1672470165] unbound[30234:0] info: failed to prime trust anchor -- DNSKEY rrset is not secure . DNSKEY IN
[1672470165] unbound[30234:0] info: validate keys with anchor(DS): sec_status_bogus
[1672470165] unbound[30234:0] info: failed to prime trust anchor -- DNSKEY rrset is not secure . DNSKEY IN
[1672470165] unbound[30234:0] info: Could not establish a chain of trust to keys for . DNSKEY IN

Just watching this from the sidelines, thought I'd mention this is also a handy logging option:

val-log-level: <number>
Have the validator print validation failures to the log. Regardless of the verbosity setting. Default is 0, off. At 1, for every user query that fails a line is printed to the logs. This way you can monitor what happens with validation. Use a diagnosis tool, such as dig or drill, to find out why validation is failing for these queries. At 2, not only the query that failed is printed but also the reason why unbound thought it was wrong and which server sent the faulty data.

Something of note that's... odd: I can't ping anything outside of my pi-hole. If I try ping -c 3 pi-hole.net the command is just stuck perpetually.

192.5.5.241 is indeed f.root-servers.net, the others are root servers, too, so this is fine; however,

is really bad.

It makes me suspicious that something in your house (router, firewall) is intercepting DNS queries and rerouting them somewhere else. Can this be the case? If not, your ISP might be doing this for you.

Please run the following commands on your Pi-hole:

dig CHAOS TXT version.bind @192.33.4.12 +short
dig CHAOS TXT version.bind @198.97.190.53 +short

the expected replies are:

"c-root"
"NSD 4.5.0"
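As an added example (not from this thread, nor from Pi-hole or unbound), here is a small Python diagnostic that applies the two checks used above to constructed input: it attributes REC_LAME verdicts in unbound verbosity-2 log lines to the root server addresses listed in the posted root.hints, counts the DNSSEC priming failures, and compares CHAOS version.bind answers with the expected ones. The sample log is a shortened excerpt in the same format as the log posted above, and the expected-answer strings are the ones quoted in this message.

```python
import re
from collections import Counter

# IPv4 addresses of the 13 root servers, taken from the root.hints posted above.
ROOT_SERVER_IPS = {
    "198.41.0.4", "199.9.14.201", "192.33.4.12", "199.7.91.13", "192.203.230.10",
    "192.5.5.241", "192.112.36.4", "198.97.190.53", "192.36.148.17",
    "192.58.128.30", "193.0.14.129", "199.7.83.42", "202.12.27.33",
}

# Constructed sample: a shortened excerpt in the format of the verbosity-2 log above.
SAMPLE_LOG = """\
[1672470164] unbound[30234:0] info: priming . IN NS
[1672470164] unbound[30234:0] info: reply from <.> 192.5.5.241#53
[1672470164] unbound[30234:0] info: query response REC_LAME: recursive but not authoritative server
[1672470164] unbound[30234:0] info: reply from <.> 199.7.83.42#53
[1672470164] unbound[30234:0] info: query response REC_LAME: recursive but not authoritative server
[1672470165] unbound[30234:0] info: response for . DNSKEY IN
[1672470165] unbound[30234:0] info: reply from <.> 202.12.27.33#53
[1672470165] unbound[30234:0] info: query response was ANSWER
[1672470165] unbound[30234:0] info: validate keys with anchor(DS): sec_status_bogus
[1672470165] unbound[30234:0] info: failed to prime trust anchor -- DNSKEY rrset is not secure . DNSKEY IN
[1672470165] unbound[30234:0] info: Could not establish a chain of trust to keys for . DNSKEY IN
"""

REPLY_RE = re.compile(r"reply from <[^>]*> (?P<ip>[0-9a-fA-F.:]+)#\d+")

def analyse_unbound_log(text):
    """Attribute each 'query response' verdict to the server named by the
    preceding 'reply from' line and count DNSSEC priming failures."""
    lame = Counter()          # server ip -> number of REC_LAME verdicts
    bogus = 0                 # 'sec_status_bogus' validations
    chain_failed = False
    current_ip = None
    for line in text.splitlines():
        m = REPLY_RE.search(line)
        if m:
            current_ip = m.group("ip")
        elif "query response REC_LAME" in line and current_ip:
            lame[current_ip] += 1
        elif "sec_status_bogus" in line:
            bogus += 1
        elif "Could not establish a chain of trust" in line:
            chain_failed = True
    return {"lame": dict(lame), "bogus": bogus, "chain_failed": chain_failed}

def lame_root_servers(report):
    """Root servers are authoritative for '.', so a REC_LAME verdict against
    one of them means something other than the root server answered."""
    return sorted(ip for ip in report["lame"] if ip in ROOT_SERVER_IPS)

def chaos_interception(observed, expected):
    """Compare 'dig CHAOS TXT version.bind' answers from several root servers
    with what each is known to return. Identical answers from distinct servers
    that match none of the expected strings point to one middlebox answering
    on port 53 for all of them."""
    answers = set(observed.values())
    matches = [ip for ip, txt in observed.items() if expected.get(ip) == txt]
    return len(observed) > 1 and len(answers) == 1 and not matches

if __name__ == "__main__":
    rep = analyse_unbound_log(SAMPLE_LOG)
    print("REC_LAME root servers:", lame_root_servers(rep))
    print("bogus validations:", rep["bogus"], "chain of trust failed:", rep["chain_failed"])
    print("CHAOS says intercepted:", chaos_interception(
        {"192.33.4.12": '"dnsmasq-2.57-OpenDNS-1"', "198.97.190.53": '"dnsmasq-2.57-OpenDNS-1"'},
        {"192.33.4.12": '"c-root"', "198.97.190.53": '"NSD 4.5.0"'}))
```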

I got

"dnsmasq-2.57-OpenDNS-1"

for both. As of note, the pi-hole is not the DNS server. The router doesn't let me configure my own DNS server. I had to do this.

So it's quite possible my ISP is doing this. I have ufw enabled but it's pretty basic.

Okay, so this confirmed what I was afraid of:

As you are not able to contact the root servers - or, in fact, any DNS server on the Internet, you cannot use unbound as your own resolver as it won't be able to do the recursion for you.

I'd suggest contacting your ISP and asking them if/why they are doing this. Typically, they are helpful (after all you pay them). In my case, for instance, my ISP blocked all inward traffic and I could only use Wireguard once I contacted them and they removed this "extra protection" for me.
In some sense, the DNS rerouting can be understood as a similar means of "extra security", as it forces devices with hard-coded DNS server addresses to go through their servers so they can apply by-law DNS filtering (depending on the country you live in, this may or may not be a thing).


Well, dang. I'll have to figure out who to contact another day. It's late where I am in America and it's a holiday for a lot of people until Tuesday.

I wish you all the best with your endeavor of getting the full-featured version of the Internet :slight_smile: Sun is just getting up in Germany right now (8:30 AM). Take care!

You can use the commands above

to check if it worked. And in case you need further assistance, we are here!

The only question I have at the moment is what exactly to say to whomever I contact?

"Hey, I want to use my own DNS servers." ?

Heh, you are the native speaker here :wink: I'd imagine something along the lines of

Hey, I want to set up my own recursive DNS resolver for private use. However, I realized that all my requests on port 53 get rerouted to one and the same server identifying itself as "dnsmasq-2.57-OpenDNS-1". Please disable this rule for me so I can contact DNS servers in the Internet directly.

Just FYI: dnsmasq-2.57 has been released back in 2011 ...

Please do post an update once you have done so, I'm very intrigued as to how they handle it and seeing if they fix it for you!

Also @DL6ER, loving this CHAOS trick, it's like a new superpower!
