Fatal glibc error: cannot get entropy for arc4random

[update-freak]

Describe the bug
I tried to setup Unbound in Docker on Synology NAS with Portainer. After using a docker compose file I got the error "Fatal glibc error: cannot get entropy for arc4random" in the logs.

To Reproduce
Steps to reproduce the behavior:

1. Docker compose in Portainer:
   `version: "3"
   services:
   unbound:
   container_name: unbound
   image: mvance/unbound:latest
   network_mode: "host"
   restart: always
   volumes:

   • /volume1/docker/unbound/data:/opt/unbound/etc/unbound`

2. Using this config file:
   `server:
   do-ip6: no
   local-zone: ip6.arpa. refuse
   prefer-ip6: no

   cache-max-ttl: 86400
   cache-min-ttl: 300

   directory: "/opt/unbound/etc/unbound"

   aggressive-nsec: yes

   harden-dnssec-stripped: yes

   edns-buffer-size: 1232

   rrset-roundrobin: yes

   interface: 127.0.0.1@5355

   delay-close: 10000

   neg-cache-size: 4M

   deny-any: yes
   access-control: 127.0.0.1/32 allow
   access-control: 192.168.0.0/16 allow
   access-control: 172.16.0.0/12 allow
   access-control: 10.0.0.0/8 allow
   access-control: 169.254.0.0/16 allow
   access-control: fc00::/7 allow
   access-control: ::1/128 allow
   access-control: fd00::/8 allow
   access-control: fe80::/10 allow

   auto-trust-anchor-file: "var/root.key"

   chroot: "/opt/unbound/etc/unbound"

   harden-algo-downgrade: yes

   harden-large-queries: yes

   hide-http-user-agent: no

   hide-identity: yes

   hide-version: yes

   http-user-agent: "DNS"

   identity: "DNS"

   These private network addresses are not allowed to be returned for public

   internet names. Any occurrence of such addresses are removed from DNS

   answers. Additionally, the DNSSEC validator may mark the answers bogus.

   This protects against DNS Rebinding

   private-address: 10.0.0.0/8
   private-address: 172.16.0.0/12
   private-address: 192.168.0.0/16
   private-address: 169.254.0.0/16
   private-address: fd00::/8
   private-address: fe80::/10
   private-address: ::ffff:0:0/96

   ratelimit: 1000

   tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt

   unwanted-reply-threshold: 10000

   use-caps-for-id: no

   ###########################################################################

   PERFORMANCE SETTINGS

   ###########################################################################

   infra-cache-slabs: 2

   key-cache-slabs: 2

   msg-cache-size: 100M

   msg-cache-slabs: 2

   num-queries-per-thread: 4096

   num-threads: 2

   outgoing-range: 8192

   rrset-cache-size: 200M

   rrset-cache-slabs: 2

   prefetch: yes

   prefetch-key: yes

   serve-expired: yes

   root-hints: "/opt/unbound/etc/unbound/root.hints"

   ###########################################################################

   LOCAL ZONE

   ###########################################################################

   include: /opt/unbound/etc/unbound/a-records.conf
   include: /opt/unbound/etc/unbound/srv-records.conf

   ###########################################################################

   FORWARD ZONE

   ###########################################################################

   include: /opt/unbound/etc/unbound/forward-records.conf

   auth-zone:
   name: "."
   master: "b.root-servers.net"
   master: "c.root-servers.net"
   master: "d.root-servers.net"
   master: "f.root-servers.net"
   master: "g.root-servers.net"
   master: "k.root-servers.net"
   url: https://www.internic.net/domain/root.zone
   fallback-enabled: yes
   for-downstream: no
   for-upstream: yes
   zonefile: "/opt/unbound/etc/unbound/auth-zone/root.zone"

   #forward-zone:
   #name: "."
   #forward-tls-upstream: yes

   SecureDNS.eu

   #forward-addr: 146.185.167.43@853#dot.securedns.eu
   #forward-addr: 2a03:b0c0:0:1010:e9a:3001@853#dot.securedns.eu

   Quad9

   #forward-addr: 9.9.9.9@853#dns.quad9.net
   #forward-addr: 149.112.112.112@853#dns.quad9.net
   #forward-addr: 2620:fe::fe@853#dns.quad9.net
   #forward-addr: 2620:fe::9@853#dns.quad9.net

remote-control:
control-enable: no`

3. In the logs there is the error message: Fatal glibc error: cannot get entropy for arc4random

Expected behavior
No error message

Error messages
Fatal glibc error: cannot get entropy for arc4random

Additional context
OS: DSM 7.2.1 (Synology)
Kernel version: Linux NAS 3.10.108 #64570 -> With FreeFileSync Docker I had also a problem with entropy that the kernel was too old (jlesage/docker-freefilesync#8), but I'm not fully sure if this is here also the case.

[sanastasiou]

I have the exact same issue. DSM 7.1.1-42962 Update 6....

[mj084]

Same here on Linux Kernel 3.10.108 #42962 :/

Is there a possibilty to remove the usage of getentropy(). like here?

jlesage/docker-freefilesync#8 (comment)

[247no2]

Hi everyone, I have the same problem (I think).

The logs of unbound say:
[1713362055] unbound[1:0] warning: unbound is already running as pid 1.
Fatal glibc error: cannot get entropy for arc4random

With nslookup I always get a "timed out"

My unbound.conf file:

server:
###########################################################################
# BASIC SETTINGS
###########################################################################
# Time to live maximum for RRsets and messages in the cache. If the maximum
# kicks in, responses to clients still get decrementing TTLs based on the
# original (larger) values. When the internal TTL expires, the cache item
# has expired. Can be set lower to force the resolver to query for data
# often, and not trust (very large) TTL values.
cache-max-ttl: 86400

# Time to live minimum for RRsets and messages in the cache. If the minimum
# kicks in, the data is cached for longer than the domain owner intended,
# and thus less queries are made to look up the data. Zero makes sure the
# data in the cache is as the domain owner intended, higher values,
# especially more than an hour or so, can lead to trouble as the data in
# the cache does not match up with the actual data any more.
cache-min-ttl: 300

# Set the working directory for the program.
directory: "/opt/unbound/etc/unbound"

# Enable or disable whether IPv4 queries are answered or issued.
# Default: yes
do-ip4: yes

# Enable or disable whether IPv6 queries are answered or issued.
# If disabled, queries are not answered on IPv6, and queries are not sent
# on IPv6 to the internet nameservers. With this option you can disable the
# IPv6 transport for sending DNS traffic, it does not impact the contents
# of the DNS traffic, which may have IPv4 (A) and IPv6 (AAAA) addresses in
# it.
# Default: yes
# May be set to yes if you have IPv6 connectivity
do-ip6: yes

# Enable or disable whether TCP queries are answered or issued.
# Default: yes
do-tcp: yes

# Enable or disable whether UDP queries are answered or issued.
# Default: yes
do-udp: yes

# RFC 6891. Number  of bytes size to advertise as the EDNS reassembly buffer
# size. This is the value put into  datagrams over UDP towards peers.
# The actual buffer size is determined by msg-buffer-size (both for TCP and
# UDP). Do not set higher than that value.
# Default  is  1232 which is the DNS Flag Day 2020 recommendation.
# Setting to 512 bypasses even the most stringent path MTU problems, but
# is seen as extreme, since the amount of TCP fallback generated is
# excessive (probably also for this resolver, consider tuning the outgoing
# tcp number).
edns-buffer-size: 1232

# Listen to for queries from clients and answer from this network interface
# and port.
interface: 0.0.0.0@53
# interface: ::0
port: 53

# If enabled, prefer IPv6 transport for sending DNS queries to internet
# nameservers.
# Default: yes
# You want to leave this to no unless you have *native* IPv6. With 6to4 and
# Terredo tunnels your web browser should favor IPv4 for the same reasons
prefer-ip6: no

# Rotates RRSet order in response (the pseudo-random number is taken from
# the query ID, for speed and thread safety).
rrset-roundrobin: yes

# Drop user  privileges after  binding the port.
username: "_unbound"

###########################################################################
# LOGGING
###########################################################################

# Do not print log lines to inform about local zone actions
log-local-actions: no

# Do not print one line per query to the log
log-queries: no

# Do not print one line per reply to the log
log-replies: no

# Do not print log lines that say why queries return SERVFAIL to clients
log-servfail: no

# If you want to log to a file, use:
logfile: /opt/unbound/etc/unbound/unbound.log
# Set log location (using /dev/null further limits logging)
# logfile: /dev/null

# Set logging level
# Level 0: No verbosity, only errors.
# Level 1: Gives operational information.
# Level 2: Gives detailed operational information including short information per query.
# Level 3: Gives query level information, output per query.
# Level 4:  Gives algorithm level information.
# Level 5: Logs client identification for cache misses.
verbosity: 0

###########################################################################
# PERFORMANCE SETTINGS
###########################################################################
# https://nlnetlabs.nl/documentation/unbound/howto-optimise/
# https://nlnetlabs.nl/news/2019/Feb/05/unbound-1.9.0-released/

# Number of slabs in the infrastructure cache. Slabs reduce lock contention
# by threads. Must be set to a power of 2.
infra-cache-slabs: 4

# Number of incoming TCP buffers to allocate per thread. Default
# is 10. If set to 0, or if do-tcp is "no", no  TCP  queries  from
# clients  are  accepted. For larger installations increasing this
# value is a good idea.
incoming-num-tcp: 10

# Number of slabs in the key cache. Slabs reduce lock contention by
# threads. Must be set to a power of 2. Setting (close) to the number
# of cpus is a reasonable guess.
key-cache-slabs: 4

# Number  of  bytes  size  of  the  message  cache.
# Unbound recommendation is to Use roughly twice as much rrset cache memory
# as you use msg cache memory.
msg-cache-size: 142768128

# Number of slabs in the message cache. Slabs reduce lock contention by
# threads. Must be set to a power of 2. Setting (close) to the number of
# cpus is a reasonable guess.
msg-cache-slabs: 4

# The number of queries that every thread will service simultaneously. If
# more queries arrive that need servicing, and no queries can be jostled
# out (see jostle-timeout), then the queries are dropped.
# This is best set at half the number of the outgoing-range.
# This Unbound instance was compiled with libevent so it can efficiently
# use more than 1024 file descriptors.
num-queries-per-thread: 4096

# The number of threads to create to serve clients.
# This is set dynamically at run time to effectively use available CPUs
# resources
num-threads: 3

# Number of ports to open. This number of file descriptors can be opened
# per thread.
# This Unbound instance was compiled with libevent so it can efficiently
# use more than 1024 file descriptors.
outgoing-range: 8192

# Number of bytes size of the RRset cache.
# Use roughly twice as much rrset cache memory as msg cache memory
rrset-cache-size: 285536256

# Number of slabs in the RRset cache. Slabs reduce lock contention by
# threads. Must be set to a power of 2.
rrset-cache-slabs: 4

# Do no insert authority/additional sections into response messages when
# those sections are not required. This reduces response size
# significantly, and may avoid TCP fallback for some responses. This may
# cause a slight speedup.
minimal-responses: yes

# # Fetch the DNSKEYs earlier in the validation process, when a DS record
# is encountered. This lowers the latency of requests at the expense of
# little more CPU usage.
prefetch: yes

# Fetch the DNSKEYs earlier in the validation process, when a DS record is
# encountered. This lowers the latency of requests at the expense of little
# more CPU usage.
prefetch-key: yes

# Have unbound attempt to serve old responses from cache with a TTL of 0 in
# the response without waiting for the actual resolution to finish. The
# actual resolution answer ends up in the cache later on.
serve-expired: yes

# If not 0, then set the SO_RCVBUF socket option to get more buffer space on 
# UDP port 53 incoming queries. So that short spikes on busy servers do not
# drop packets (see counter in netstat -su). Otherwise, the number of bytes
# to ask for, try “4m” on a busy server.
# The OS caps it at a maximum, on linux Unbound needs root permission to 
# bypass the limit, or the admin can use sysctl net.core.rmem_max.
# Default: 0 (use system value)
# For example: sysctl -w net.core.rmem_max=4194304
# To persist reboots, edit /etc/sysctl.conf to include:
# net.core.rmem_max=4194304
# Larger socket buffer. OS may need config.
# Ensure kernel buffer is large enough to not lose messages in traffic spikes
#so-rcvbuf: 4m 

# Open dedicated listening sockets for incoming queries for each thread and
# try to set the SO_REUSEPORT socket option on each socket. May distribute
# incoming queries to threads more evenly.
so-reuseport: yes

# If not 0, then set the SO_SNDBUF socket option to get more buffer space
# on UDP port 53 outgoing queries.
# Specify the number of bytes to ask for, try “4m” on a very busy server.
# The OS caps it at a maximum, on linux Unbound needs root permission to 
# bypass the limit, or the admin can use sysctl net.core.wmem_max.
# For example: sysctl -w net.core.wmem_max=4194304
# To persist reboots, edit /etc/sysctl.conf to include:
# net.core.wmem_max=4194304
# Default: 0 (use system value)
# Larger socket buffer. OS may need config.
# Ensure kernel buffer is large enough to not lose messages in traffic spikes
#so-sndbuf: 4m

###########################################################################
# PRIVACY SETTINGS
###########################################################################

# RFC 8198. Use the DNSSEC NSEC chain to synthesize NXDO-MAIN and other
# denials, using information from previous NXDO-MAINs answers. In other
# words, use cached NSEC records to generate negative answers within a
# range and positive answers from wildcards. This increases performance,
# decreases latency and resource utilization on both authoritative and
# recursive servers, and increases privacy. Also, it may help increase
# resilience to certain DoS attacks in some circumstances.
aggressive-nsec: yes

# Extra delay for timeouted UDP ports before they are closed, in msec.
# This prevents very delayed answer packets from the upstream (recursive)
# servers from bouncing against closed ports and setting off all sort of
# close-port counters, with eg. 1500 msec. When timeouts happen you need
# extra sockets, it checks the ID and remote IP of packets, and unwanted
# packets are added to the unwanted packet counter.
delay-close: 10000

# Prevent the unbound server from forking into the background as a daemon
do-daemonize: no

# Add localhost to the do-not-query-address list.
do-not-query-localhost: no

# Number  of  bytes size of the aggressive negative cache.
neg-cache-size: 4M

# Send minimum amount of information to upstream servers to enhance
# privacy (best privacy).
qname-minimisation: yes

###########################################################################
# SECURITY SETTINGS
###########################################################################
# Only give access to recursion clients from LAN IPs
access-control: 127.0.0.1/32 allow
access-control: 192.168.0.0/16 allow
access-control: 172.16.0.0/12 allow
access-control: 10.0.0.0/8 allow
access-control: fc00::/7 allow
access-control: ::1/128 allow

# File with trust anchor for  one  zone, which is tracked with RFC5011
# probes.
auto-trust-anchor-file: "var/root.key"

# Enable chroot (i.e, change apparent root directory for the current
# running process and its children)
chroot: "/opt/unbound/etc/unbound"

# Deny queries of type ANY with an empty response.
deny-any: yes

# Harden against algorithm downgrade when multiple algorithms are
# advertised in the DS record.
harden-algo-downgrade: yes

# RFC 8020. returns nxdomain to queries for a name below another name that
# is already known to be nxdomain.
harden-below-nxdomain: yes

# Require DNSSEC data for trust-anchored zones, if such data is absent, the
# zone becomes bogus. If turned off you run the risk of a downgrade attack
# that disables security for a zone.
harden-dnssec-stripped: yes

# Only trust glue if it is within the servers authority.
harden-glue: yes

# Ignore very large queries.
harden-large-queries: yes

# Perform additional queries for infrastructure data to harden the referral
# path. Validates the replies if trust anchors are configured and the zones
# are signed. This enforces DNSSEC validation on nameserver NS sets and the
# nameserver addresses that are encountered on the referral path to the
# answer. Experimental option.
harden-referral-path: no

# Ignore very small EDNS buffer sizes from queries.
harden-short-bufsize: yes

# If enabled the HTTP header User-Agent is not set. Use with  caution
# as some webserver configurations may reject HTTP requests lacking
# this header. If needed, it is better to explicitly set the
# the http-user-agent.
hide-http-user-agent: no

# Refuse id.server and hostname.bind queries
hide-identity: yes

# Refuse version.server and version.bind queries
hide-version: yes

# Set the HTTP User-Agent header for outgoing HTTP requests. If
# set to "", the default, then the package name  and  version  are
#  used.
http-user-agent: "DNS"

# Report this identity rather than the hostname of the server.
identity: "DNS"

# These private network addresses are not allowed to be returned for public
# internet names. Any  occurrence of such addresses are removed from DNS
# answers. Additionally, the DNSSEC validator may mark the  answers  bogus.
# This  protects  against DNS  Rebinding
private-address: 10.0.0.0/8
private-address: 172.16.0.0/12
private-address: 192.168.0.0/16
private-address: 169.254.0.0/16
private-address: fd00::/8
private-address: fe80::/10
private-address: ::ffff:0:0/96

# Enable ratelimiting of queries (per second) sent to nameserver for
# performing recursion. More queries are turned away with an error
# (servfail). This stops recursive floods (e.g., random query names), but
# not spoofed reflection floods. Cached responses are not rate limited by
# this setting. Experimental option.
ratelimit: 1000

# Use this certificate bundle for authenticating connections made to
# outside peers (e.g., auth-zone urls, DNS over TLS connections).
tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt

# Set the total number of unwanted replies to eep track of in every thread.
# When it reaches the threshold, a defensive action of clearing the rrset
# and message caches is taken, hopefully flushing away any poison.
# Unbound suggests a value of 10 million.
unwanted-reply-threshold: 10000

# Use 0x20-encoded random bits in the query to foil spoof attempts. This
# perturbs the lowercase and uppercase of query names sent to authority
# servers and checks if the reply still has the correct casing.
# This feature is an experimental implementation of draft dns-0x20.
# Experimental option.
# Don't use Capitalization randomization as it known to cause DNSSEC issues
# see https://discourse.pi-hole.net/t/unbound-stubby-or-dnscrypt-proxy/9378
use-caps-for-id: yes

# Help protect users that rely on this validator for authentication from
# potentially bad data in the additional section. Instruct the validator to
# remove data from the additional section of secure messages that are not
# signed properly. Messages that are insecure, bogus, indeterminate or
# unchecked are not affected.
val-clean-additional: yes

###########################################################################
# FORWARD ZONE
###########################################################################

# include: /opt/unbound/etc/unbound/forward-records.conf

###########################################################################
# LOCAL ZONE
###########################################################################

# Include file for local-data and local-data-ptr
include: /opt/unbound/etc/unbound/a-records.conf
include: /opt/unbound/etc/unbound/srv-records.conf

###########################################################################
# WILDCARD INCLUDE
###########################################################################
#include: "/opt/unbound/etc/unbound/*.conf"

remote-control:
control-enable: no

[247no2]

Hi everyone, I have the same problem (I think).

The logs of unbound say: [1713362055] unbound[1:0] warning: unbound is already running as pid 1. Fatal glibc error: cannot get entropy for arc4random

With nslookup I always get a "timed out"

My unbound.conf file:

server: ########################################################################### # BASIC SETTINGS ########################################################################### # Time to live maximum for RRsets and messages in the cache. If the maximum # kicks in, responses to clients still get decrementing TTLs based on the # original (larger) values. When the internal TTL expires, the cache item # has expired. Can be set lower to force the resolver to query for data # often, and not trust (very large) TTL values. cache-max-ttl: 86400

# Time to live minimum for RRsets and messages in the cache. If the minimum
# kicks in, the data is cached for longer than the domain owner intended,
# and thus less queries are made to look up the data. Zero makes sure the
# data in the cache is as the domain owner intended, higher values,
# especially more than an hour or so, can lead to trouble as the data in
# the cache does not match up with the actual data any more.
cache-min-ttl: 300

# Set the working directory for the program.
directory: "/opt/unbound/etc/unbound"

# Enable or disable whether IPv4 queries are answered or issued.
# Default: yes
do-ip4: yes

# Enable or disable whether IPv6 queries are answered or issued.
# If disabled, queries are not answered on IPv6, and queries are not sent
# on IPv6 to the internet nameservers. With this option you can disable the
# IPv6 transport for sending DNS traffic, it does not impact the contents
# of the DNS traffic, which may have IPv4 (A) and IPv6 (AAAA) addresses in
# it.
# Default: yes
# May be set to yes if you have IPv6 connectivity
do-ip6: yes

# Enable or disable whether TCP queries are answered or issued.
# Default: yes
do-tcp: yes

# Enable or disable whether UDP queries are answered or issued.
# Default: yes
do-udp: yes

# RFC 6891. Number  of bytes size to advertise as the EDNS reassembly buffer
# size. This is the value put into  datagrams over UDP towards peers.
# The actual buffer size is determined by msg-buffer-size (both for TCP and
# UDP). Do not set higher than that value.
# Default  is  1232 which is the DNS Flag Day 2020 recommendation.
# Setting to 512 bypasses even the most stringent path MTU problems, but
# is seen as extreme, since the amount of TCP fallback generated is
# excessive (probably also for this resolver, consider tuning the outgoing
# tcp number).
edns-buffer-size: 1232

# Listen to for queries from clients and answer from this network interface
# and port.
interface: 0.0.0.0@53
# interface: ::0
port: 53

# If enabled, prefer IPv6 transport for sending DNS queries to internet
# nameservers.
# Default: yes
# You want to leave this to no unless you have *native* IPv6. With 6to4 and
# Terredo tunnels your web browser should favor IPv4 for the same reasons
prefer-ip6: no

# Rotates RRSet order in response (the pseudo-random number is taken from
# the query ID, for speed and thread safety).
rrset-roundrobin: yes

# Drop user  privileges after  binding the port.
username: "_unbound"

###########################################################################
# LOGGING
###########################################################################

# Do not print log lines to inform about local zone actions
log-local-actions: no

# Do not print one line per query to the log
log-queries: no

# Do not print one line per reply to the log
log-replies: no

# Do not print log lines that say why queries return SERVFAIL to clients
log-servfail: no

# If you want to log to a file, use:
logfile: /opt/unbound/etc/unbound/unbound.log
# Set log location (using /dev/null further limits logging)
# logfile: /dev/null

# Set logging level
# Level 0: No verbosity, only errors.
# Level 1: Gives operational information.
# Level 2: Gives detailed operational information including short information per query.
# Level 3: Gives query level information, output per query.
# Level 4:  Gives algorithm level information.
# Level 5: Logs client identification for cache misses.
verbosity: 0

###########################################################################
# PERFORMANCE SETTINGS
###########################################################################
# https://nlnetlabs.nl/documentation/unbound/howto-optimise/
# https://nlnetlabs.nl/news/2019/Feb/05/unbound-1.9.0-released/

# Number of slabs in the infrastructure cache. Slabs reduce lock contention
# by threads. Must be set to a power of 2.
infra-cache-slabs: 4

# Number of incoming TCP buffers to allocate per thread. Default
# is 10. If set to 0, or if do-tcp is "no", no  TCP  queries  from
# clients  are  accepted. For larger installations increasing this
# value is a good idea.
incoming-num-tcp: 10

# Number of slabs in the key cache. Slabs reduce lock contention by
# threads. Must be set to a power of 2. Setting (close) to the number
# of cpus is a reasonable guess.
key-cache-slabs: 4

# Number  of  bytes  size  of  the  message  cache.
# Unbound recommendation is to Use roughly twice as much rrset cache memory
# as you use msg cache memory.
msg-cache-size: 142768128

# Number of slabs in the message cache. Slabs reduce lock contention by
# threads. Must be set to a power of 2. Setting (close) to the number of
# cpus is a reasonable guess.
msg-cache-slabs: 4

# The number of queries that every thread will service simultaneously. If
# more queries arrive that need servicing, and no queries can be jostled
# out (see jostle-timeout), then the queries are dropped.
# This is best set at half the number of the outgoing-range.
# This Unbound instance was compiled with libevent so it can efficiently
# use more than 1024 file descriptors.
num-queries-per-thread: 4096

# The number of threads to create to serve clients.
# This is set dynamically at run time to effectively use available CPUs
# resources
num-threads: 3

# Number of ports to open. This number of file descriptors can be opened
# per thread.
# This Unbound instance was compiled with libevent so it can efficiently
# use more than 1024 file descriptors.
outgoing-range: 8192

# Number of bytes size of the RRset cache.
# Use roughly twice as much rrset cache memory as msg cache memory
rrset-cache-size: 285536256

# Number of slabs in the RRset cache. Slabs reduce lock contention by
# threads. Must be set to a power of 2.
rrset-cache-slabs: 4

# Do no insert authority/additional sections into response messages when
# those sections are not required. This reduces response size
# significantly, and may avoid TCP fallback for some responses. This may
# cause a slight speedup.
minimal-responses: yes

# # Fetch the DNSKEYs earlier in the validation process, when a DS record
# is encountered. This lowers the latency of requests at the expense of
# little more CPU usage.
prefetch: yes

# Fetch the DNSKEYs earlier in the validation process, when a DS record is
# encountered. This lowers the latency of requests at the expense of little
# more CPU usage.
prefetch-key: yes

# Have unbound attempt to serve old responses from cache with a TTL of 0 in
# the response without waiting for the actual resolution to finish. The
# actual resolution answer ends up in the cache later on.
serve-expired: yes

# If not 0, then set the SO_RCVBUF socket option to get more buffer space on 
# UDP port 53 incoming queries. So that short spikes on busy servers do not
# drop packets (see counter in netstat -su). Otherwise, the number of bytes
# to ask for, try “4m” on a busy server.
# The OS caps it at a maximum, on linux Unbound needs root permission to 
# bypass the limit, or the admin can use sysctl net.core.rmem_max.
# Default: 0 (use system value)
# For example: sysctl -w net.core.rmem_max=4194304
# To persist reboots, edit /etc/sysctl.conf to include:
# net.core.rmem_max=4194304
# Larger socket buffer. OS may need config.
# Ensure kernel buffer is large enough to not lose messages in traffic spikes
#so-rcvbuf: 4m 

# Open dedicated listening sockets for incoming queries for each thread and
# try to set the SO_REUSEPORT socket option on each socket. May distribute
# incoming queries to threads more evenly.
so-reuseport: yes

# If not 0, then set the SO_SNDBUF socket option to get more buffer space
# on UDP port 53 outgoing queries.
# Specify the number of bytes to ask for, try “4m” on a very busy server.
# The OS caps it at a maximum, on linux Unbound needs root permission to 
# bypass the limit, or the admin can use sysctl net.core.wmem_max.
# For example: sysctl -w net.core.wmem_max=4194304
# To persist reboots, edit /etc/sysctl.conf to include:
# net.core.wmem_max=4194304
# Default: 0 (use system value)
# Larger socket buffer. OS may need config.
# Ensure kernel buffer is large enough to not lose messages in traffic spikes
#so-sndbuf: 4m

###########################################################################
# PRIVACY SETTINGS
###########################################################################

# RFC 8198. Use the DNSSEC NSEC chain to synthesize NXDO-MAIN and other
# denials, using information from previous NXDO-MAINs answers. In other
# words, use cached NSEC records to generate negative answers within a
# range and positive answers from wildcards. This increases performance,
# decreases latency and resource utilization on both authoritative and
# recursive servers, and increases privacy. Also, it may help increase
# resilience to certain DoS attacks in some circumstances.
aggressive-nsec: yes

# Extra delay for timeouted UDP ports before they are closed, in msec.
# This prevents very delayed answer packets from the upstream (recursive)
# servers from bouncing against closed ports and setting off all sort of
# close-port counters, with eg. 1500 msec. When timeouts happen you need
# extra sockets, it checks the ID and remote IP of packets, and unwanted
# packets are added to the unwanted packet counter.
delay-close: 10000

# Prevent the unbound server from forking into the background as a daemon
do-daemonize: no

# Add localhost to the do-not-query-address list.
do-not-query-localhost: no

# Number  of  bytes size of the aggressive negative cache.
neg-cache-size: 4M

# Send minimum amount of information to upstream servers to enhance
# privacy (best privacy).
qname-minimisation: yes

###########################################################################
# SECURITY SETTINGS
###########################################################################
# Only give access to recursion clients from LAN IPs
access-control: 127.0.0.1/32 allow
access-control: 192.168.0.0/16 allow
access-control: 172.16.0.0/12 allow
access-control: 10.0.0.0/8 allow
access-control: fc00::/7 allow
access-control: ::1/128 allow

# File with trust anchor for  one  zone, which is tracked with RFC5011
# probes.
auto-trust-anchor-file: "var/root.key"

# Enable chroot (i.e, change apparent root directory for the current
# running process and its children)
chroot: "/opt/unbound/etc/unbound"

# Deny queries of type ANY with an empty response.
deny-any: yes

# Harden against algorithm downgrade when multiple algorithms are
# advertised in the DS record.
harden-algo-downgrade: yes

# RFC 8020. returns nxdomain to queries for a name below another name that
# is already known to be nxdomain.
harden-below-nxdomain: yes

# Require DNSSEC data for trust-anchored zones, if such data is absent, the
# zone becomes bogus. If turned off you run the risk of a downgrade attack
# that disables security for a zone.
harden-dnssec-stripped: yes

# Only trust glue if it is within the servers authority.
harden-glue: yes

# Ignore very large queries.
harden-large-queries: yes

# Perform additional queries for infrastructure data to harden the referral
# path. Validates the replies if trust anchors are configured and the zones
# are signed. This enforces DNSSEC validation on nameserver NS sets and the
# nameserver addresses that are encountered on the referral path to the
# answer. Experimental option.
harden-referral-path: no

# Ignore very small EDNS buffer sizes from queries.
harden-short-bufsize: yes

# If enabled the HTTP header User-Agent is not set. Use with  caution
# as some webserver configurations may reject HTTP requests lacking
# this header. If needed, it is better to explicitly set the
# the http-user-agent.
hide-http-user-agent: no

# Refuse id.server and hostname.bind queries
hide-identity: yes

# Refuse version.server and version.bind queries
hide-version: yes

# Set the HTTP User-Agent header for outgoing HTTP requests. If
# set to "", the default, then the package name  and  version  are
#  used.
http-user-agent: "DNS"

# Report this identity rather than the hostname of the server.
identity: "DNS"

# These private network addresses are not allowed to be returned for public
# internet names. Any  occurrence of such addresses are removed from DNS
# answers. Additionally, the DNSSEC validator may mark the  answers  bogus.
# This  protects  against DNS  Rebinding
private-address: 10.0.0.0/8
private-address: 172.16.0.0/12
private-address: 192.168.0.0/16
private-address: 169.254.0.0/16
private-address: fd00::/8
private-address: fe80::/10
private-address: ::ffff:0:0/96

# Enable ratelimiting of queries (per second) sent to nameserver for
# performing recursion. More queries are turned away with an error
# (servfail). This stops recursive floods (e.g., random query names), but
# not spoofed reflection floods. Cached responses are not rate limited by
# this setting. Experimental option.
ratelimit: 1000

# Use this certificate bundle for authenticating connections made to
# outside peers (e.g., auth-zone urls, DNS over TLS connections).
tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt

# Set the total number of unwanted replies to eep track of in every thread.
# When it reaches the threshold, a defensive action of clearing the rrset
# and message caches is taken, hopefully flushing away any poison.
# Unbound suggests a value of 10 million.
unwanted-reply-threshold: 10000

# Use 0x20-encoded random bits in the query to foil spoof attempts. This
# perturbs the lowercase and uppercase of query names sent to authority
# servers and checks if the reply still has the correct casing.
# This feature is an experimental implementation of draft dns-0x20.
# Experimental option.
# Don't use Capitalization randomization as it known to cause DNSSEC issues
# see https://discourse.pi-hole.net/t/unbound-stubby-or-dnscrypt-proxy/9378
use-caps-for-id: yes

# Help protect users that rely on this validator for authentication from
# potentially bad data in the additional section. Instruct the validator to
# remove data from the additional section of secure messages that are not
# signed properly. Messages that are insecure, bogus, indeterminate or
# unchecked are not affected.
val-clean-additional: yes

###########################################################################
# FORWARD ZONE
###########################################################################

# include: /opt/unbound/etc/unbound/forward-records.conf

###########################################################################
# LOCAL ZONE
###########################################################################

# Include file for local-data and local-data-ptr
include: /opt/unbound/etc/unbound/a-records.conf
include: /opt/unbound/etc/unbound/srv-records.conf

###########################################################################
# WILDCARD INCLUDE
###########################################################################
#include: "/opt/unbound/etc/unbound/*.conf"

remote-control: control-enable: no

My problem has been solved, I have used the 1.18 version.

[nillebor]

The current unbound version 1.19.3 also works on older devices. Your error occurs with devices up to model year xx16. So that the error does not lead to any problems, you just do not have to mount the /unbound folder, but the files themselves.

For unbound in hyperlocal-mode, I only need the unbound.conf ;). The whole thing runs on a 1513+ without any problems.

Maybe the "best practice" guide is not the best yet ;)

If you are using an older version, this can only help you in the short term. The problem is not solved by this!

[mj084]

@nillebor

With the Image from madnuttah it's possible to mount folders too on older Synology devices:

https://github.com/madnuttah/unbound-docker

[nillebor]

Not every docker image is the same. Not every DiskStation has the same software (DSM) and kernel.
Not every docker container has the same paths, folder and configs.
But here we are at the image of mvance and its problems and their solution!

[mj084]

@nillebor

Yes, and a possible solution is here:

jlesage/docker-freefilesync#8 (comment)

[nillebor]

Your link is about an older version, so the statement is no longer true or is included in the current version (latest) of mvance.

[247no2]

The current unbound version 1.19.3 also works on older devices. Your error occurs with devices up to model year xx16. So that the error does not lead to any problems, you just do not have to mount the /unbound folder, but the files themselves.

For unbound in hyperlocal-mode, I only need the unbound.conf ;). The whole thing runs on a 1513+ without any problems.

Maybe the "best practice" guide is not the best yet ;)

If you are using an older version, this can only help you in the short term. The problem is not solved by this!

You are absolutely right, the problem is only postponed, not solved.
I have a DS1515+ the folder unbound I have given all rights to everyone.

The file unbound.conf is located in the "unbound" folder, how do you mean that I should mount the file myself?

[nillebor]

Do not specify the folder "unbound" in the container, but the config directly. Rights do not have to be adapted or released to "everyone".

You can see an example here:

docker run \
--name my-unbound \
--detach=true \
--publish=53:53/tcp \
--publish=53:53/udp \
--restart=unless-stopped \
--volume $(pwd)/forward-records.conf:/opt/unbound/etc/unbound/forward-records.conf:ro \
mvance/unbound:latest

If you need several ports, files or subfolders, please adjust accordingly.

The latest version works without any problems and can be easily updated automatically with Watchtower at my place.

My Synology installation:

docker run -d --name unbound \
-v /volume1/docker/unbound/unbound.conf:/opt/unbound/etc/unbound/unbound.conf \
-p 3553:53/udp \
-p 3553:53/tcp \
--restart always \
mvance/unbound:latest

I use default unbound.conf, but commented out:
prefetch > see here
serve-expired > see here
a-records.conf
srv-records.conf

Corresponding files can of course be adapted or added. However, this is not necessary for my queries to the root servers. Maybe it is still necessary to disable IPv6 (if not available)?

Test hyperlocal-mode: (see your own external IP)

My Synology-unbound-files:
Unbound Synology.zip

I hope it helps you. :)

[247no2]

Geben Sie im Container nicht den Ordner "unbound" an, sondern direkt die Config. Rechte müssen nicht angepasst oder an "alle" freigegeben werden.

Ein Beispiel sehen Sie hier:

docker run \
--name my-unbound \
--detach=true \
--publish=53:53/tcp \
--publish=53:53/udp \
--restart=unless-stopped \
--volume $(pwd)/forward-records.conf:/opt/unbound/etc/unbound/forward-records.conf:ro \
mvance/unbound:latest

Wenn Sie mehrere Ports, Dateien oder Unterordner benötigen, passen Sie diese bitte entsprechend an.

Die neueste Version funktioniert ohne Probleme und kann ganz einfach automatisch mit Watchtower bei mir vor Ort aktualisiert werden.

Meine Synology-Installation:

docker run -d --name unbound \
-v /volume1/docker/unbound/unbound.conf:/opt/unbound/etc/unbound/unbound.conf \
-p 3553:53/udp \
-p 3553:53/tcp \
--restart always \
mvance/unbound:latest

Ich verwende die Standarddatei unbound.conf, aber auskommentiert: > siehe hier > siehe hierprefetch``serve-expired a-records.conf srv-records.conf

Entsprechende Dateien können selbstverständlich angepasst oder hinzugefügt werden. Für meine Rückfragen an die Root-Server ist dies jedoch nicht notwendig. Vielleicht ist es noch notwendig, IPv6 zu deaktivieren (falls nicht verfügbar)?

Hyperlocal-Mode testen: (siehe eigene externe IP-Adresse)

Meine ungebundenen Synology-Dateien: Ungebundene Synology.zip

Ich hoffe, es hilft Ihnen. :)

Great, thank you very much, I will test this tonight and give you feedback.