This topic needs a title

Hi people,

According to RFC 7706 [1], I can configure my Unbound to query my local NSD about the root servers.

When I add this in my config file, unbound ignores it:

# Configuration for Unbound
server:
    do-not-query-localhost: no
stub-zone:
    name: "."
    stub-prime: no
    stub-addr: 127.12.12.12

# unbound-checkconf
[1463430134] unbound-checkconf[64497:0] error: second hints for zone . ignored.
unbound-checkconf: no errors in /etc/unbound/unbound.conf

Why is this?

Thank you.

References:
[1] https://tools.ietf.org/html/rfc7706#appendix-B.2

Regards,

Hello Unbound community,

Is there a way to run Unbound on a different local address?

like on 127.0.0.1 or 127.0.0.2.

I would like to run Unbound and maybe stubby or dnscrypt-proxy as my main resolver, and would like to use Unbound as a local home-lan resolver.

Thank you,

Whohasmorebandwith

Hello there,

From the unbound.conf man page:

interface: <ip address[@port]>
    Interface to use to connect to the network. This interface is
    listened to for queries from clients, and answers to clients are given
    from it. Can be given multiple times to work on several interfaces. If
    none are given the default is to listen to localhost. The interfaces
    are not changed on a reload (kill -HUP) but only on restart. A port
    number can be specified with @port (without spaces between interface and
    port number), if not specified the default port (from port) is used.

So something like:
  interface: 127.0.0.30
should work.

Best regards,
-- George

server:
   interface: 127.53.53.1
   interface: 10.20.0.33
   port: 53
# interface: 127.52.52.52
# port: 52

Thanks, I’ll check it out.

Hello, unbound-users.

I'm using Unbound 1.8.1 on FreeBSD 12.0-RELEASE. It works fine with
the majority of domains, but it can't resolve one particular domain,
FreeBSD.org. Everything else works perfectly. I'm able to resolve the
FreeBSD.org domain when using another nameserver (8.8.8.8 for example).

~ # cat /etc/resolv.conf
nameserver 127.0.0.1

Hi there,

I recently noticed that I get an error thrown by Unbound which says it can't verify the certificate (possibly the root CA?) for Cloudflare. Quad9 works like a charm.

[1063:0] error: ssl handshake failed crypto error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
[1063:0] notice: ssl handshake failed 1.1.1.1 port 853

I verified over at the Cloudflare community forum that my certs look good etc. So now I try to verify that Unbound works correctly.

My unbound.conf looks like this:

server:
    use-syslog: yes
    do-daemonize: no
    username: "unbound"
    directory: "/etc/unbound"

    tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"
    trust-anchor-file: trusted-key.key
    root-hints: root.hints

    interface: 127.0.0.1
    interface: 172.16.0.254
    interface: 172.17.0.254

    access-control: 127.0.0.1/32 allow
    access-control: 172.16.0.0/16 allow
    access-control: 172.17.0.0/16 allow

    do-ip4: yes
    do-ip6: no
    do-udp: yes
    do-tcp: yes

    verbosity: 1

    hide-identity: yes
    hide-version: yes

    harden-glue: yes
    harden-dnssec-stripped: yes
    use-caps-for-id: yes

    prefetch: yes

    unwanted-reply-threshold: 10000

    private-address: 192.168.0.0/16
    private-address: 172.16.0.0/12
    private-address: 10.0.0.0/8

    private-domain: "local"
    local-zone: "local" static

forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-addr: 1.1.1.1@853#cloudflare
    forward-addr: 9.9.9.9@853#dns.quad9.net
    forward-addr: 1.0.0.1@853#cloudflare
    forward-addr: 146.185.167.43@853#SecureDNS.eu

this is the thread at cloudflare:
https://community.cloudflare.com/t/dns-over-tls-cant-verify-certificate/139530

Thank you for your help. I really appreciate it.

Greetings

Bastian

Hi Bastian,

The name after the "#" in your forward-addr should match the name on the
certificate returned by the configured forwarder. That is not the case
in your configuration. This should do the trick:

forward-addr: 1.1.1.1@853#one.one.one.one

-- Ralph
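An added check (example code, neither from this thread nor from Unbound itself) that parses forward-addr entries in the ip[@port][#authname] form used above, flags an auth name that can never match a certificate, and can optionally run the same verified TLS handshake against the upstream; the function names are mine, the sample entries are the ones from the thread, and probe_dot_upstream needs network access and the ca-bundle path from the config.

```python
import ipaddress
import socket
import ssl
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class ForwardAddr:
    ip: str
    port: int
    auth_name: Optional[str]


def parse_forward_addr(value: str) -> ForwardAddr:
    """Split Unbound's 'ip[@port][#authname]' into parts; the port defaults to 53."""
    addr, _, auth_name = value.strip().partition("#")
    ip, _, port = addr.partition("@")
    ipaddress.ip_address(ip)  # raises ValueError on a malformed address
    return ForwardAddr(ip, int(port) if port else 53, auth_name or None)


def lint_forward_addr(value: str) -> List[str]:
    """Return problems with one forward-addr line (an empty list means it looks ok)."""
    fa = parse_forward_addr(value)
    problems = []
    if fa.port == 853 and fa.auth_name is None:
        problems.append("port 853 without #authname: upstream identity is not verified")
    if fa.auth_name is not None and "." not in fa.auth_name:
        # 'cloudflare' is a bare label, not a host name: no certificate SAN can match it
        problems.append("#%s is not a host name and cannot match a certificate" % fa.auth_name)
    return problems


def probe_dot_upstream(value: str, ca_bundle: str, timeout: float = 5.0) -> List[str]:
    """Perform a verified TLS handshake to the upstream (needs network access).
    Returns the DNS names in the certificate's SAN on success and raises
    ssl.SSLCertVerificationError when the chain or the #authname does not verify."""
    fa = parse_forward_addr(value)
    ctx = ssl.create_default_context(cafile=ca_bundle)
    if fa.auth_name is None:
        ctx.check_hostname = False  # no name to check against; the chain is still checked here
    with socket.create_connection((fa.ip, fa.port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=fa.auth_name) as tls:
            cert = tls.getpeercert()
    return [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
```

Running lint_forward_addr over the four forward-addr lines above flags the two Cloudflare entries, which is exactly the mismatch that produces "certificate verify failed".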

Dear Unbound-Users,

I am trying to do with Unbound what NextDNS calls “CNAME Flattening”:

  • when a request is made for a public host I want an A record for that name, even if
    strictly speaking it is a CNAME. Is that possible with the available settings?

To avoid confusion, Unbound may chase the CNAME chain properly (to avoid
poisoning etc) but it must reply to the original requestor only with an A
record.

Thank you.


CNAME flattening is how libunbound always works, as far as I can tell: when you request an A record, Unbound will internally resolve all CNAME records.

For example, “www.felipegasper.com”’s CNAME is “felipegasper.com”. When I query for CNAMEs, I get the CNAME:

perl -MDNS::Unbound -E'say join ".", unpack "(C/a)*" for DNS::Unbound->new()->resolve("www.felipegasper.com", "CNAME")->data()->@*'

felipegasper.com.

When I query for A records, though, I just get IPs:

perl -MDNS::Unbound -E'say join ".", unpack "C*" for DNS::Unbound->new()->resolve("www.felipegasper.com", "A")->data()->@*'

172.241.25.87

-FG

BTW, sorry for posting without a subject, it was by accident…

Let me illustrate by an example, comparing what I get now and what I want to get (what NextDNS does with “CNAME flattening”):

normally, I query for “gravityzone.bitdefender.com” and I get a reply that:

  • “gravityzone.bitdefender.com” is a CNAME for “someserver.on.amazon.aws”, AND
  • “someserver.on.amazon.aws” has A record “212.216.124.1”, AND
  • “someserver.on.amazon.aws” has A record “212.216.124.33”

what I need is to query for “gravityzone.bitdefender.com” and get a reply:

  • “gravityzone.bitdefender.com” has A record “212.216.124.1”, AND
  • “gravityzone.bitdefender.com” has A record “212.216.124.33”

When querying NextDNS, with CNAME Flattening enabled in Settings (far right tab of setup WebGUI) the second scenario occurs. The reason I ask here is that I understand NextDNS use Unbound.

The DNS replies from Unbound will be used in my router to create dynamic firewall rules. If I get regular DNS replies, I have to figure out the CNAME chain myself with scripting on my router, which is too slow. (Often, the CNAME chain is longer, and I need to recursively check a tree of CNAME records and A records.)

If I get DNS replies like the second scenario, it is reasonably fast to run a few statements for every entry in the router’s DNS cache (for A records only). In other words, I want to offload some processing from the router to Unbound. Hope this clarifies.

Thank you.

With Best Regards,

Dimitris Chryssanthakopoulos

T Manager

As Agents Only

367, Syngrou Av. | 175 64 Athens | Greece

tel: +30 210 9402001 | fax: +30 210 9402430

Website: www.kassian.gr


I’m not sure how you’re running queries, but the following Perl seems to do what you want:

perl -MDNS::Unbound -E'say join ".", unpack "C*" for DNS::Unbound->new()->resolve("gravityzone.bitdefender.com", "A")->data()->@*'

54.208.231.228
54.85.28.21

If you need IPv6 instead, tweak it to:

perl -MDNS::Unbound -E'say join ":", unpack "(H4)*" for DNS::Unbound->new()->resolve("facebook.com", "AAAA")->data()->@*'

2a03:2880:f111:0083:face:b00c:0000:25de

-FG

Hi Dimitris,

> Let me illustrate by an example, comparing what I get now and what I want
> to get (what NextDNS does with "CNAME flattening"):

"CNAME flattening" is a feature that is part of some authoritative server products. It is not part of the DNS protocol, and it is nothing that a DNS resolver such as Unbound can do.

> normally, I query for "gravityzone.bitdefender.com" and I get a reply that:
>
> - "gravityzone.bitdefender.com" is a CNAME for "someserver.on.amazon.aws", AND
> - "someserver.on.amazon.aws" has A record "212.216.124.1", AND
> - "someserver.on.amazon.aws" has A record "212.216.124.33"
>
> what I need is to query for "gravityzone.bitdefender.com" and get a reply:
>
> - "gravityzone.bitdefender.com" has A record "212.216.124.1", AND
> - "gravityzone.bitdefender.com" has A record "212.216.124.33"
>
> When querying NextDNS, with CNAME Flattening enabled in Settings (far right
> tab of setup WebGUI) the second scenario occurs. The reason I ask here is
> that I understand NextDNS use Unbound.
>
> The DNS replies from Unbound will be used in my router to create dynamic
> firewall rules. If I get regular DNS replies, I have to figure out the
> CNAME chain myself with scripting on my router, which is too slow. (Often,
> the CNAME chain is longer, and I need to recursively check a tree of CNAME
> records and A records.)
>
> If I get DNS replies like the second scenario, it is reasonably fast to run
> a few statements for every entry in the router's DNS cache (for A records
> only). In other words, I want to offload some processing from the router to
> Unbound. Hope this clarifies.

To reach your goal, I recommend filtering out all the CNAME responses and only processing the A/AAAA record responses.

A DNS resolver (such as Unbound) will return all CNAME entries in the chain, as well as the final address records (if they exist).

A (simple/naive) scripting solution could be

dig gravityzone.bitdefender.com +short | grep -E '([0-9]{1,3}[\.]){3}[0-9]{1,3}'

Greetings

Carsten
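The client-side flattening Dimitris asked for, done the way Carsten suggests but more carefully than the dig | grep one-liner, as an added example that is not from this thread: it parses a constructed `dig +noall +answer` section (names and addresses are the thread's placeholders, extended with a second hop and an AAAA), follows the CNAME chain from the queried name and returns only the terminal addresses, validating them with the ipaddress module and refusing loops. The function names are mine.

```python
import ipaddress
from collections import defaultdict

# Constructed sample in the layout of `dig gravityzone.bitdefender.com +noall +answer`;
# the chain has two hops, the names and addresses are the thread's placeholders.
SAMPLE_ANSWER = """\
gravityzone.bitdefender.com. 300 IN CNAME someserver.on.amazon.aws.
someserver.on.amazon.aws.    60  IN CNAME lb.someserver.on.amazon.aws.
lb.someserver.on.amazon.aws. 60  IN A     212.216.124.1
lb.someserver.on.amazon.aws. 60  IN A     212.216.124.33
lb.someserver.on.amazon.aws. 60  IN AAAA  2001:db8::1
"""


def parse_answer(text):
    """Turn 'owner ttl class type rdata' lines into (owner, type, rdata) tuples.
    Owner names are lower-cased and keep dig's trailing dot."""
    rrs = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0].startswith(";"):
            continue  # blank line or dig comment
        rrs.append((parts[0].lower(), parts[3].upper(), " ".join(parts[4:])))
    return rrs


def flatten(qname, rrs, max_hops=8):
    """Follow the CNAME chain from qname and return the terminal A/AAAA addresses,
    i.e. the answer the poster wants to see under the original name.
    Addresses are validated with ipaddress (the '+short | grep' one-liner accepts
    999.1.1.1 and ignores AAAA); a loop or an over-long chain raises ValueError."""
    by_owner = defaultdict(list)
    for owner, rtype, rdata in rrs:
        by_owner[owner].append((rtype, rdata))
    name = qname.lower().rstrip(".") + "."
    seen = set()
    for _ in range(max_hops + 1):
        if name in seen:
            raise ValueError("CNAME loop at %s" % name)
        seen.add(name)
        records = by_owner.get(name, [])
        cnames = [rdata for rtype, rdata in records if rtype == "CNAME"]
        if not cnames:  # end of the chain: collect the address records
            return [str(ipaddress.ip_address(rdata))
                    for rtype, rdata in records if rtype in ("A", "AAAA")]
        name = cnames[0].lower()  # a name may carry only one CNAME (RFC 1034)
    raise ValueError("CNAME chain from %s exceeds %d hops" % (qname, max_hops))
```

Feeding the output of a real dig run into parse_answer gives the router the address list directly, without the recursive tree walk described in the thread.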

Thank you all for your suggestions

I’ll try to work with messages instead of cache tables and see where this gets me

Hi Dimitris,

Since I see you mention firewall together with DNS maybe the contributed ipset module could be useful in your case (https://github.com/NLnetLabs/unbound/blob/master/doc/README.ipset.md).

Best regards,
-- George